Amass: An Overview of the Network Reconnaissance Tool

Cuncis
3 min read · Feb 22, 2023

Amass is a powerful open-source reconnaissance tool designed for network mapping and information gathering. It is widely used by security professionals and researchers to map out external network space and discover assets that belong to a target organization.

The tool uses a range of techniques to gather information about the target network, including:

  • DNS enumeration: Amass queries DNS servers to gather information about the target’s domain name system.
  • Scraping data from search engines: The tool crawls search engines and collects information about the target’s online presence, including websites, social media accounts, and other online platforms.
  • Web crawling: Amass scans the target’s web pages to identify potential attack vectors, such as vulnerable web applications.
  • Reverse IP lookups: The tool checks which other domains are hosted on the same IP address as the target, potentially uncovering additional attack vectors.

Once Amass has collected this information, it consolidates it into a graph database, which can be used to visualize the target’s network and identify potential attack vectors.

Amass can be used to perform a wide range of tasks, such as identifying subdomains, discovering open ports, and mapping out the network topology. The tool is highly configurable, with a wide range of options and settings that can be customized to suit the specific needs of the user.

Using Amass, security professionals and researchers can gain a deep understanding of the target’s network and identify potential vulnerabilities that could be exploited by attackers. The tool is also useful for defensive security operations, enabling organizations to identify and remediate potential security risks before they can be exploited.

In conclusion, Amass is a powerful tool for network reconnaissance and can be a valuable asset for both offensive and defensive security operations.

Cheat Sheet:

Here is a cheat sheet for using Amass:

  • To perform passive DNS enumeration on a target domain (no direct contact with the target's infrastructure):
      amass enum -passive -norecursive -noalts -d target.com -o sub-list.txt
  • To perform an active DNS enumeration on a target domain:
      amass enum -active -d target.com -o sub-list.txt
  • To discover IP addresses associated with a domain name:
      amass intel -ip -d target.com
  • To discover domain names associated with a specific IP address (reverse whois):
      amass intel -whois -addr <target IP address>
  • To discover all known subdomains associated with a target domain:
      amass enum -d target.com -o sub-list.txt
  • To discover related domains and other online assets associated with a target domain, printing the data source for each result (the target is passed with -d; -include selects data sources, not domains):
      amass intel -d target.com -whois -src -active -o online-assets.txt
  • To visualize the discovered subdomains and assets in a graph format (written as a D3 force-graph HTML file into the output directory):
      amass viz -d3 -d target.com -o viz-output
  • To run Amass with a custom settings file (data sources, API keys, resolvers, etc.):
      amass enum -config /path/to/config.ini -d target.com

Note: Replace “target.com” and the <...> placeholders with the actual target domain name or IP address.
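The defensive use mentioned above, finding hosts that the organization does not know it exposes, comes down to comparing what Amass found with what the asset owners believe they run. The script below is an added example and is not part of the original article or of the Amass project. It assumes an enumeration such as `amass enum -passive -d target.com -o sub-list.txt` has already been run; the two input files here are constructed samples so the script runs offline, and the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or the Amass project): report hostnames
# that Amass discovered but that are missing from the approved asset inventory.
# Such "unknown" hosts are the first thing an attack-surface review should triage.

WORKDIR="$(mktemp -d)"

# Constructed sample of what `amass enum -o` writes: one hostname per line.
# A duplicate line is included on purpose to show the normalisation step.
cat > "$WORKDIR/sub-list.txt" <<'EOF'
www.target.com
api.target.com
dev-old.target.com
STAGING.target.com
www.target.com
EOF

# Constructed approved inventory as maintained by the asset owners.
cat > "$WORKDIR/inventory.txt" <<'EOF'
www.target.com
api.target.com
EOF

# unknown_hosts AMASS_OUT INVENTORY
# Prints hostnames present in AMASS_OUT but absent from INVENTORY, lowercased,
# deduplicated and sorted. Reporting only: always exits 0.
unknown_hosts() {
    amass_out="$1"
    inventory="$2"
    # Normalise both lists: DNS names are case-insensitive, and `comm` needs sorted input.
    tr 'A-Z' 'a-z' < "$amass_out" | sort -u > "$amass_out.norm"
    tr 'A-Z' 'a-z' < "$inventory" | sort -u > "$inventory.norm"
    # comm -23: lines that appear only in the first file (the Amass output).
    comm -23 "$amass_out.norm" "$inventory.norm"
}

# unknown_count AMASS_OUT INVENTORY
# Prints the number of unknown hostnames (useful as a metric or alert threshold).
unknown_count() {
    unknown_hosts "$1" "$2" | wc -l | tr -d ' '
}

echo "Hostnames found by Amass but missing from the inventory:"
unknown_hosts "$WORKDIR/sub-list.txt" "$WORKDIR/inventory.txt"
echo "Total unknown: $(unknown_count "$WORKDIR/sub-list.txt" "$WORKDIR/inventory.txt")"
```

Run it after each enumeration (for example from a scheduled job) and treat any non-zero count as a ticket to raise with the owners: a name like dev-old.target.com that nobody claims is typically either a forgotten system or a dangling DNS record, both of which belong in the remediation queue.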

In summary, the Amass tool is a powerful and flexible option for network reconnaissance and information gathering. Whether you are performing offensive or defensive security operations, Amass can provide you with valuable insights into the target network’s topology and potential vulnerabilities.

For more information, visit the Amass GitHub repository.

Cuncis

Penetration Tester | Bug Hunter | Ethical Hacker - Connect with me on https://twitter.com/wh1te_h0le