In the ever-evolving landscape of cybersecurity, information gathering and asset discovery are crucial for staying ahead of potential threats. Amass is a powerful tool designed to streamline these processes, making it easier for security professionals to map out digital assets and uncover vulnerabilities.
Amass offers a wide range of features, but some users may not be familiar with how to use the new version effectively. When you run tasks like subdomain enumeration or brute forcing, Amass returns a wealth of information, including Fully Qualified Domain Names (FQDNs), IP addresses, netblocks, and more, all mixed together in one output. Like this:
Don’t worry — I’m here to help. Today, I’ll walk you through a few steps to solve this problem.
First, install the latest version of Amass and oam_subs:
- go install -v github.com/owasp-amass/amass/v4/...@master
- cd $GOPATH/bin
- sudo cp amass /usr/bin/
Steps
1. Start Using Amass
Run a basic subdomain enumeration command: amass enum -d example.com
If you want to save the subdomain results to a specific directory, specify the output directory with the -dir option so you can easily locate the results. Otherwise, the output is saved in $HOME/.config/amass/ by default.
2. One-Line Commands
If you want to retrieve only the subdomains with a one-line command, use the following:
amass enum -d example.com | awk '{print $1}' | grep -i "example.com" | sort -u
Alternatively, you can use:
amass enum -d example.com | grep -Eo '([a-zA-Z0-9.-])+\.com \(FQDN\)' | awk '{print $1}' | anew out.txt
To retrieve both subdomains and IP addresses, use (this relies on bash process substitution, so run it in bash rather than plain sh):
amass enum -d example.com | tee >(grep -Eo '([a-zA-Z0-9.-])+\.com' | awk '{print $1}') >(grep -Eo '([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' | awk '{print $1}')
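The one-liners above grep for the domain string, which also matches names that merely contain it, such as api.notexample.com or a CNAME target in another zone. The script below is an added example, not from the article or from the Amass project: it parses lines in the shape of Amass v4 enum output (a constructed sample using documentation-range addresses) into source/relation/target triples, keeps only FQDNs that are the target domain or one of its subdomains, and collects the addresses attached to those in-scope names. The exact line format and the sample lines are assumptions modelled on the article's own grep pattern.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of "amass enum" v4 output
# (<asset> (<type>) --> <relation> --> <asset> (<type>)). Not real scan output;
# addresses come from the RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_OUTPUT = """\
example.com (FQDN) --> ns_record --> a.iana-servers.net (FQDN)
www.example.com (FQDN) --> a_record --> 192.0.2.10 (IPAddress)
WWW.example.com (FQDN) --> aaaa_record --> 2001:db8::10 (IPAddress)
api.notexample.com (FQDN) --> a_record --> 198.51.100.7 (IPAddress)
192.0.2.0/24 (Netblock) --> contains --> 192.0.2.10 (IPAddress)
mail.example.com (FQDN) --> cname_record --> mail.example.com.cdn.example.net (FQDN)
"""

# Assumed line layout; anything that does not match (banners, blanks) is skipped.
LINE_RE = re.compile(
    r"^(?P<src>\S+) \((?P<src_type>\w+)\) --> (?P<rel>\S+) --> (?P<dst>\S+) \((?P<dst_type>\w+)\)$"
)


def parse_lines(output):
    """Turn each well-formed output line into a dict of its five fields."""
    triples = []
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            triples.append(match.groupdict())
    return triples


def in_scope(name, domain):
    """True only for the apex or a subdomain (dot boundary), never a substring hit."""
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def extract_fqdns(output, domain):
    """Unique, lower-cased in-scope FQDNs from either side of a relation."""
    names = set()
    for t in parse_lines(output):
        for value, kind in ((t["src"], t["src_type"]), (t["dst"], t["dst_type"])):
            if kind == "FQDN" and in_scope(value, domain):
                names.add(value.lower().rstrip("."))
    return sorted(names)


def extract_ips(output, domain):
    """Addresses that an in-scope FQDN points at (a_record / aaaa_record lines)."""
    addresses = set()
    for t in parse_lines(output):
        if t["src_type"] == "FQDN" and in_scope(t["src"], domain) and t["dst_type"] == "IPAddress":
            try:
                addresses.add(str(ip_address(t["dst"])))  # validates and normalises
            except ValueError:
                continue  # malformed token, ignore it
    return sorted(addresses)


if __name__ == "__main__":
    for name in extract_fqdns(SAMPLE_OUTPUT, "example.com"):
        print(name)
    for addr in extract_ips(SAMPLE_OUTPUT, "example.com"):
        print(addr)
```

Run against the sample, the out-of-scope api.notexample.com and the CNAME target under example.net are dropped even though both contain the string "example.com", and the two spellings of www.example.com collapse to one entry. To use it on real output, pipe amass enum into the script and pass sys.stdin.read() instead of SAMPLE_OUTPUT.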
3. SQLite3 Command
Navigate to your Amass output directory. You will find four types of files: amass.log, amass.sqlite, amass.txt, and bgptools.jsonl. We will focus on the amass.sqlite file.
To retrieve all FQDNs (subdomains):
sqlite3 amass.sqlite "select content->>'name' from assets where type ='FQDN'"
To retrieve all IP addresses:
sqlite3 amass.sqlite "select content->>'address' from assets where type ='IPAddress'"
To retrieve all netblocks:
sqlite3 amass.sqlite "select content->>'cidr' from assets where type ='Netblock'"
These commands use sqlite3 to query the SQLite database file and extract the relevant data. Each command targets a specific asset type and pulls out the field that holds its value.
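As an added example (not part of the article or of Amass), the script below builds a small in-memory stand-in for amass.sqlite with the two columns the queries above rely on, an assets table with a type column and a JSON content column, and runs the three queries through Python's sqlite3 module. It uses json_extract(content, '$.name') rather than content->>'name': the two are equivalent here, but the -> and ->> operators only exist from SQLite 3.38.0, so json_extract is the form to fall back on when the sqlite3 binary on a host is older and rejects the article's syntax. The sample rows are constructed, and the real database has more columns and keys than this stand-in shows.

```python
import json
import sqlite3

# Constructed rows mirroring the shape the article's queries rely on: an
# "assets" table with a "type" column and a JSON "content" column. This is a
# minimal stand-in for amass.sqlite, not the real database or its full schema.
SAMPLE_ASSETS = [
    ("FQDN", {"name": "example.com"}),
    ("FQDN", {"name": "www.example.com"}),
    ("FQDN", {"name": "mail.example.com"}),
    ("IPAddress", {"address": "192.0.2.10"}),
    ("IPAddress", {"address": "2001:db8::10"}),
    ("Netblock", {"cidr": "192.0.2.0/24"}),
]

# JSON key that holds the value for each asset type (taken from the article's queries).
FIELD_FOR_TYPE = {"FQDN": "name", "IPAddress": "address", "Netblock": "cidr"}


def arrow_operators_available():
    """The -> and ->> JSON operators were added in SQLite 3.38.0."""
    return sqlite3.sqlite_version_info >= (3, 38, 0)


def build_sample_db():
    """Create the in-memory stand-in database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (type TEXT NOT NULL, content TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO assets (type, content) VALUES (?, ?)",
        [(asset_type, json.dumps(content)) for asset_type, content in SAMPLE_ASSETS],
    )
    conn.commit()
    return conn


def select_assets(conn, asset_type):
    """Equivalent of: select content->>'<field>' from assets where type = '<type>'.

    json_extract() stands in for ->> so the query also runs on SQLite builds
    older than 3.38.0. The path and the type are bound as parameters.
    """
    field = FIELD_FOR_TYPE[asset_type]
    rows = conn.execute(
        "SELECT json_extract(content, ?) FROM assets WHERE type = ? ORDER BY 1",
        ("$." + field, asset_type),
    ).fetchall()
    return [row[0] for row in rows]


def export_all(conn):
    """One sorted list per asset type, ready to be written to separate files."""
    return {asset_type: select_assets(conn, asset_type) for asset_type in FIELD_FOR_TYPE}


if __name__ == "__main__":
    print("->> available:", arrow_operators_available())
    db = build_sample_db()
    for asset_type, values in export_all(db).items():
        print(asset_type)
        for value in values:
            print("  " + value)
```

To point it at a real file, replace ":memory:" with the path to amass.sqlite and drop the CREATE/INSERT step; the select_assets query is unchanged.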
4. Oam_tools
The tool oam_subs, officially developed by OWASP, is designed to analyze collected OAM assets. It can retrieve and analyze various types of information from your Amass data, providing insights into your gathered assets.
With oam_subs, you can efficiently analyze and interpret the collected data to enhance your security assessments.
Installations:
go install -v github.com/owasp-amass/oam-tools/cmd/oam_subs@master && cd $GOPATH/bin && sudo cp oam_subs /usr/bin/
First, run Amass and specify the output directory where you want to save the results:
amass enum -d example.com -dir amass_output
After completing the enumeration, run the oam_subs tool.
oam_subs -d example.com -dir amass_output -show
This command will provide you with all types of results separately, including names, IP addresses, and ASNs.
Lastly, if you encounter compatibility issues with any of these steps, consider using a previous version of Amass.
go install -v github.com/owasp-amass/amass/v3/...@master
Note: Replace "example.com" in the commands above with the actual target domain name.
In this guide, we’ve explored the steps to effectively use Amass V4.x.x for subdomain enumeration and data retrieval. We covered installing Amass, running basic and advanced commands, and analyzing results with tools like oam_subs. By following these procedures, you can efficiently gather and analyze domain assets to enhance your security assessments. Remember, if you encounter any compatibility issues, reverting to a previous version of Amass may be a viable solution.