A Comprehensive Guide to Using Amass for Subdomain Enumeration

Vishal
4 min read · Jul 13, 2024

Amass is a powerful tool widely used for subdomain enumeration, helping security professionals discover potential vulnerabilities in web applications. In this guide, we’ll walk through setting up Amass, configuring it without specifying domains in the configuration file, running scans on targeted domains like hackerone.com, and addressing common errors encountered during the process.

Table of Contents

  1. Introduction to Amass
  2. Installation
  3. Configuration
  4. Setting API Keys
  5. Running Scans
  6. Avoiding Configured Domains
  7. Common Errors and Resolutions
  8. Conclusion

Introduction to Amass

Amass is a network mapping tool that performs DNS enumeration, subdomain discovery, and other reconnaissance activities. It can leverage various data sources, both passive and active, to find subdomains associated with a target domain.

Installation

Before using Amass, ensure you have it installed on your system. You can install it with go install or by downloading a release binary from the official GitHub repository.

go install -v github.com/OWASP/Amass/v3/...@latest

Or download the latest release:

# release assets are named with a capitalised OS, and the archive unpacks into a directory
wget https://github.com/OWASP/Amass/releases/latest/download/amass_Linux_amd64.zip
unzip amass_Linux_amd64.zip
sudo mv amass_Linux_amd64/amass /usr/local/bin/

Configuration

Amass uses a configuration file, typically located at ~/.config/amass/config.ini (Amass v3) or ~/.config/amass/config.yaml (Amass v4). This file can be customized to suit your needs, such as adding API keys for the various data sources.

Setting API Keys

To set API keys in config.ini, open the file and locate the relevant data source section. For example:

[data_sources.VirusTotal]
apikey = your_virustotal_api_key

Make sure to uncomment the lines containing apikey and fill in your keys.

Example Configuration File

Here’s a basic example of what your config.yaml might look like:

data_sources:
  VirusTotal:
    Credentials:
      apikey: your_virustotal_api_key

  Censys:
    Credentials:
      apikey: your_censys_api_key
      secret: your_censys_secret_key

  BeVigil:
    Credentials:
      apikey: your_bevigil_api_key

  SecurityTrails:
    Credentials:
      apikey: your_securitytrails_api_key

  Shodan:
    Credentials:
      apikey: your_shodan_api_key

  # Uncomment any additional data sources you want to use
  # Ahrefs:
  #   Credentials:
  #     apikey: your_ahrefs_api_key

scope:
  domains:
    # Uncomment the domains you want to scan
    # - example.com
    # - anotherdomain.com

  blacklisted:
    # Specify any blacklisted subdomains
    # - subdomain.example.com

# Uncomment and configure as needed (indentation must use spaces, not tabs)
# resolvers:
#   - 1.1.1.1
#   - 8.8.8.8

Running Scans

To run a scan on a specific domain, use the -d flag followed by the domain name. For example, to scan hackerone.com, you can run:

amass enum -d hackerone.com

When no -config flag is given, Amass reads the configuration file from its default location, so no additional flags are needed.

Avoiding Configured Domains

To avoid scanning domains already specified in your configuration file, you can comment them out directly in your config.yaml. This allows you to control which domains are active without permanently removing them.

Example of Commenting Out Domains

In your config.yaml, simply comment out the domains you want to avoid:

scope:
  domains:
    # - example.com
    # - anotherdomain.com

Using a Domain File

Alternatively, you can create a simple text file containing just the target domain:

  1. Create a file (e.g., target_domains.txt) with one root domain per line:

hackerone.com

  2. Run Amass using this file:

amass enum -df target_domains.txt -config ~/.config/amass/config.yaml

Example Full Command

Here’s an example of using the domain file method:

echo "hackerone.com" > target_domains.txt
amass enum -df target_domains.txt -config ~/.config/amass/config.yaml
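As an added example (not code from the original post), here is the domain-file procedure above wrapped in a small POSIX shell script. It normalizes whatever domains are given on the command line into target_domains.txt (lowercased, scheme and path stripped, duplicates dropped), refuses to run on an empty domain file, and then calls amass enum with -df and an explicit -config, saving results with -o. The script name, the output file name and the config path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed file names:
# target_domains.txt (domain file) and amass_results.txt (output).
set -eu

# make_domain_file OUT DOMAIN... : write one lowercase, de-duplicated root
# domain per line; entries without a dot (not a domain) are skipped with a
# message on stderr. Returns 1 if nothing usable was written.
make_domain_file() {
    out=$1; shift
    : > "$out"                                   # start from an empty file
    for d in "$@"; do
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z' \
            | sed 's#^http://##; s#^https://##; s#/.*##')
        case $d in
            *.*) ;;                              # plausible domain name
            *) echo "skipping '$d': not a domain" >&2; continue ;;
        esac
        grep -qxF "$d" "$out" || printf '%s\n' "$d" >> "$out"
    done
    [ -s "$out" ] || { echo "no domains written to $out" >&2; return 1; }
}

# run_enum DOMAIN_FILE CONFIG OUT : run amass enum on the domain file with the
# given config and write the discovered names to OUT (-o).
run_enum() {
    df=$1; cfg=$2; out=$3
    [ -s "$df" ]  || { echo "domain file $df is empty" >&2; return 1; }
    [ -f "$cfg" ] || { echo "config $cfg not found" >&2; return 1; }
    amass enum -df "$df" -config "$cfg" -o "$out"
}

# count_results FILE : number of non-blank lines in the amass output file
# (0 if the file is missing), used to spot the "no results" case.
count_results() {
    n=$(grep -c '[^[:space:]]' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Usage: sh run_amass.sh hackerone.com   (assumed script name)
if [ "$#" -gt 0 ]; then
    make_domain_file target_domains.txt "$@"
    run_enum target_domains.txt "$HOME/.config/amass/config.yaml" amass_results.txt
    echo "$(count_results amass_results.txt) result line(s) in amass_results.txt"
fi
```

Because the domain file is rebuilt from the command line on every run, the domains listed in config.yaml never have to be edited for a one-off scan.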

Common Errors and Resolutions

During the configuration and execution of Amass, you might encounter several common errors. Here are some of the issues commonly faced and how they were resolved:

1. Configuration File Errors

Error: Failed to load the configuration file: error mapping configuration settings to internal values: yaml: unmarshal errors

Resolution: Ensure your YAML file does not contain tabs and is formatted correctly. Replace any tabs with spaces and check for proper indentation.

2. Domain Scanning Errors

Error: Configuration error: No root domain names were provided

Resolution: Amass needs at least one root domain from somewhere: either the -d or -df flag on the command line, or an uncommented entry under scope.domains in the configuration file. If you want to avoid scanning the predefined domains, comment them out as shown earlier and pass the target with -d or -df instead.

3. Default Domain Usage

Error: Amass still scans the domains predefined in the config file even after they have been commented out.

Resolution: Ensure domains are properly commented out in config.yaml. You can also create a separate text file with only the domains you wish to scan, as demonstrated above.

4. No Results Found

Error: No results returned during the scan.

Resolution: Verify your API keys are set correctly and that your internet connection is active. Also, check if the target domain is valid and has associated subdomains.
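An added example, not part of the original post: a config.yaml preflight in POSIX shell that catches errors 1 and 2 above before amass is run. It counts the lines that contain tab characters (the cause of the yaml unmarshal error) and lists the uncommented entries under scope.domains, so you can see whether commenting-out left any root domain active. It parses only the scope/domains layout used in the example configuration earlier in this guide; the script name and config path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a config.yaml for the
# two configuration mistakes described in the text before amass is started.
set -eu

# count_tab_lines FILE : number of lines containing a tab character.
# YAML indentation must use spaces, so anything above 0 is a problem.
count_tab_lines() {
    grep -c "$(printf '\t')" "$1" || true     # grep exits 1 when the count is 0
}

# active_domains FILE : print the uncommented list entries under scope.domains,
# one per line, with any trailing inline comment removed.
active_domains() {
    awk '
        /^[[:space:]]*#/ { next }                          # skip comment lines
        /^scope:/        { in_scope = 1; next }            # enter the scope block
        /^[^[:space:]]/  { in_scope = 0; in_dom = 0 }      # another top-level key
        in_scope && /^[[:space:]]*domains:/ { in_dom = 1; next }
        in_scope && /^[[:space:]]*[a-z_]+:/ { in_dom = 0 } # sibling key under scope
        in_scope && in_dom && /^[[:space:]]*-[[:space:]]*/ {
            sub(/^[[:space:]]*-[[:space:]]*/, "")
            sub(/[[:space:]]*#.*$/, "")
            print
        }
    ' "$1"
}

# preflight CONFIG : fail (return 1) if the file is missing or contains tabs;
# otherwise print the number of active root domains in scope.domains.
preflight() {
    cfg=$1
    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }
    tabs=$(count_tab_lines "$cfg")
    if [ "$tabs" -gt 0 ]; then
        echo "$cfg: $tabs line(s) contain tabs; YAML indentation needs spaces" >&2
        return 1
    fi
    active_domains "$cfg" | wc -l | tr -d ' '
}

# Usage: sh preflight.sh ~/.config/amass/config.yaml   (assumed script name)
if [ "$#" -gt 0 ]; then
    n=$(preflight "$1")          # the script stops here if tabs were found
    echo "$n active root domain(s) in scope.domains of $1"
fi
```

A count of 0, combined with an amass command line that carries neither -d nor -df, is exactly the situation that produces "No root domain names were provided"; a count above 0 after you thought the domains were commented out explains why Amass keeps scanning them.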

Conclusion

Amass is an essential tool for anyone involved in security research or web application security. By following this guide, you can efficiently set up Amass, configure it according to your needs, and run targeted scans while avoiding interference from predefined domains.

Whether you’re a beginner or an experienced professional, mastering Amass can significantly enhance your reconnaissance capabilities in the ever-evolving landscape of cybersecurity.
