amass

(Active Subdomain Enumerator)

amass (the OWASP Amass project) is an open-source tool for discovering subdomains and mapping the DNS and network footprint of a target organisation. It is typically used in the reconnaissance phase of a penetration test to collect subdomains, the IP addresses and netblocks they resolve to, and the ASNs that announce those netblocks. It combines passive collection from third-party data sources (certificate transparency logs, web archives, DNS datasets, search engines) with active DNS resolution, zone-transfer attempts and brute forcing, so the same tool covers both the quiet and the noisy stages of an assessment. By default (no mode flag) amass queries its data sources and then resolves every candidate name itself, so only names that actually resolve are reported.

Common amass Modes

  • Passive (-passive): Collects names only from open data sources and disables DNS resolution entirely. No traffic reaches the target's authoritative name servers, but the output is a list of unverified names: some will be stale or never existed, so resolve them yourself (or re-run without -passive) before treating them as live hosts.
  • Active (-active): In addition to the default resolution of collected names, attempts DNS zone transfers (AXFR) against the target's name servers and grabs additional names from the TLS certificates presented on the ports listed with -p (80 and 443 by default). This talks directly to the target's infrastructure and is easily logged; make sure it is in scope.
  • Brute Force (-brute): After the data-source searches, tries a wordlist of common labels (amass' built-in list, or one supplied with -w) under each domain and reports the names that resolve. Recursive brute forcing of newly found subdomains is on by default and can be disabled with -norecursive.

Additional Options

The flags below are those of the v3 amass enum subcommand; run amass enum -h to confirm the spelling for the version you have installed.

  • -d [domain]: Specifies the domain name(s) to enumerate (comma-separated, or repeat the flag).
  • -df [file]: Loads a file with one root domain per line to enumerate.
  • -config [file]: Specifies a YAML configuration file (API keys for data sources, resolvers, wordlists) to customise amass' behaviour (optional).
  • -o [file]: Saves the discovered names as plain text to the specified output file.
  • -json [file]: Saves the output as newline-delimited JSON, one object per name with its addresses, CIDR, ASN and the data sources that reported it; this is the output to use for structured analysis.
  • -src: Prints, next to each name, which data source(s) reported it.
  • -list: Prints the names of all available data sources; use these exact names with -include and -exclude.
  • -exclude [source]: Excludes the named data source(s) from the run (comma-separated). -include does the opposite and restricts the run to the sources listed.
  • -norecursive: Turns off recursive brute forcing (it is enabled by default whenever -brute is used).
  • -min-for-recursive [num]: Number of subdomain labels that must be seen before recursive brute forcing of a subdomain starts (default 1).
  • -w [file]: Uses a different wordlist for brute forcing.
  • -ip: Prints the IP addresses each discovered name resolves to alongside the name (-ipv4 / -ipv6 to limit the address family).
  • -asn [number]: Takes a list of ASNs as input and seeds the enumeration from the netblocks they announce; it does not annotate results with ASN data (that annotation is present in the -json output).
  • -timeout [minutes]: Terminates the enumeration after the given number of minutes (the unit is minutes, not seconds).
  • -dns-qps [num]: Limits the total number of DNS queries per second across all resolvers. The older spelling -max-dns-queries is deprecated in favour of this flag.
  • -r [resolver]: Uses the given IP address as an untrusted DNS resolver (can be repeated); -rf loads a file of them.

Examples of amass Commands

  1. Run a passive enumeration on example.com
    This command uses only public data sources and sends no DNS queries to the target. The names it prints are unverified.
    > amass enum -d example.com -passive
  2. Run an active enumeration on example.com, saving the output to a file
    This command resolves every collected name, attempts zone transfers and pulls names from TLS certificates on ports 80 and 443, then writes the results to a text file.
    > amass enum -d example.com -active -o example_output.txt
  3. Run a brute force enumeration on example.com
    This command performs the data-source searches and then brute forces common labels under the domain (and, recursively, under any subdomains it finds). Add -w to use your own wordlist and -norecursive to stay at one level.
    > amass enum -d example.com -brute
  4. Show IP addresses and data sources for the discovered subdomains
    This command prints, next to each resolved name, the IP addresses it resolves to and the data source that reported it. ASN and CIDR details for each address are only written to the -json output.
    > amass enum -d example.com -ip -src
  5. Run a passive scan with JSON output and exclude a specific data source
    This command runs a passive scan, writes newline-delimited JSON to a file, and skips one data source. The value given to -exclude must match a name printed by amass enum -list; "whois" below is a placeholder for whichever source you want to drop.
    > amass enum -d example.com -passive -json example_output.json -exclude whois
  6. Run a scan with a timeout of 30 minutes and limit DNS queries to 10 per second
    This command stops the enumeration after 30 minutes and rate-limits resolution to 10 queries per second in total, which keeps the scan from tripping rate limits on public resolvers or the target's name servers. On older v3 builds the rate flag is spelled -max-dns-queries.
    > amass enum -d example.com -timeout 30 -dns-qps 10
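The -json output from examples 4 and 5 is the form worth post-processing: it tells you which names never resolved (passive-only artefacts to verify) and which names land in netblocks the target does not own (third-party hosting, cloud tenants and takeover candidates). The script below is an added example, not part of this page or of the amass project. It assumes the v3 JSON-lines record layout (name, domain, addresses[ip, cidr, asn, desc], tag, sources); the sample records, names, IP addresses (RFC 5737 ranges) and ASNs (RFC 5398 range) are constructed for illustration.

```python
"""Triage newline-delimited JSON written by `amass enum -json <file>` (v3 record layout)."""
import json
from collections import defaultdict

# Constructed sample output: four records in the v3 `-json` layout.
# example.com, the 203.0.113.0/24 and 198.51.100.0/24 ranges and ASNs 64496/64497
# are documentation values, not real amass results.
SAMPLE_JSONL = """
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"cert","sources":["CertSpotter","HackerTarget"]}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.25","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"dns","sources":["Brute Forcing"]}
{"name":"dev.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.7","cidr":"198.51.100.0/24","asn":64497,"desc":"EXAMPLE-CLOUD"}],"tag":"dns","sources":["AlienVault"]}
{"name":"old.example.com","domain":"example.com","addresses":[],"tag":"archive","sources":["Wayback"]}
"""


def parse_amass_jsonl(text):
    """Parse one JSON object per line; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def unresolved_names(records):
    """Names reported with no addresses: typical of -passive runs or stale archive sources.
    These must be resolved before being treated as live hosts."""
    return sorted(r["name"] for r in records if not r.get("addresses"))


def names_by_asn(records):
    """Group resolved names by the ASN announcing at least one of their addresses."""
    groups = defaultdict(set)
    for r in records:
        for addr in r.get("addresses", []):
            groups[addr["asn"]].add(r["name"])
    return {asn: sorted(names) for asn, names in groups.items()}


def names_outside_asns(records, owned_asns):
    """Names with an address in an ASN the target does not own (owned_asns is your
    scoping assumption). These point at third-party infrastructure and deserve a
    manual look for dangling records and out-of-scope hosts."""
    hits = set()
    for r in records:
        if any(addr["asn"] not in owned_asns for addr in r.get("addresses", [])):
            hits.add(r["name"])
    return sorted(hits)


def source_counts(records):
    """How many names each data source contributed; useful for deciding what to -exclude."""
    counts = defaultdict(int)
    for r in records:
        for src in r.get("sources", []):
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_amass_jsonl(SAMPLE_JSONL)
    print("unresolved:", unresolved_names(recs))
    print("by ASN:", names_by_asn(recs))
    print("outside AS64496:", names_outside_asns(recs, {64496}))
    print("sources:", source_counts(recs))
```

Feed a real file with `parse_amass_jsonl(open("example_output.json").read())` and replace `{64496}` with the ASNs you confirmed belong to the target (from the -json desc fields or an ASN lookup), then work the unresolved list and the outside-ASN list first: those are where passive noise and forgotten third-party hosts show up.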