
Amass tool installation guide and usage

Installation guide:

https://github.com/owasp-amass/amass/blob/master/doc/install.md

Usage:

https://github.com/owasp-amass/amass/blob/master/doc/tutorial.md

External attack surface monitoring using the OWASP Amass project. This is also called the reconnaissance or information gathering phase, and Amass pulls from more than 80 sources. It is a wonderful tool to use, and the results are almost always accurate. Still, check any result that is not familiar to you: Amass takes data from third-party databases, so there is a possibility that one of those databases feeds Amass stale or fake data. Amass applies DNS enumeration to improve the results, but it is still worth checking weird entries.

Amass comes with 3 subcommands: amass intel|enum|db


amass intel -- Discover target namespaces for enumeration, i.e. how many domains the target is associated with.

amass enum -- Perform enumeration and network mapping of those domains and sub-domains.

amass db -- Manipulate the Amass graph database.


Amass Intel

amass intel   (Run without arguments, it lists the available options for this subcommand.)

-active option enables SSL certificate checks and zone transfer attempts.

amass intel -d owasp.org   (It will query every data source it is configured to search.)


https://viewdns.info/reversewhois/?q=summitcommunications.net    (Reverse WHOIS lookup site)


amass intel -d owasp.org -whois  (It will query only WHOIS data for the intel.)


amass intel -org 'Example Ltd'  (You can also search by organization name, which can return the ASN IDs assigned to the target.)


amass intel -active -asn 222222 -ip   (Retrieved ASNs can then be fed back into Amass. This command attempts to retrieve the registered domains found within the specified ASN and returns them along with the IP addresses they resolve to.)


----------------------------------------------------------------------------------------------------------------

Amass Enum


The enumeration findings are stored in a graph database located in the default Amass output folder. You can change the output directory with the -dir option.


You can use amass enum in active mode or passive mode. Passive mode is quicker and does not validate DNS information. Use it if you need a quick result, if the target organization restricts you from performing active recon, or if you want all the domain info regardless of whether it is correct. Active mode enables zone transfer attempts and port scanning, and extracts domain and sub-domain names from SSL/TLS certificates.


amass enum -passive -d owasp.org -o amass_results_owasp.txt


amass enum -active -d owasp.org -o amass_results_owasp.txt

amass enum -active -d owasp.org -brute -w /root/dns_lists/deepmagic.com-top50kprefixes.txt -ip -dir amass4owasp -config /root/amass/config.yaml -o amass_results_owasp.txt


-dir amass4owasp ---- Logs and the graph database will be stored in this directory (./amass4owasp).

-ip ------ The "-ip" flag asks Amass to also display the IP address(es) each name resolves to.
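Because the "-ip" output can include names that came from third-party sources rather than from the target, it helps to triage the file before trusting it. The following is an added example (not part of the Amass project or this post) that works on a constructed sample in the "name ip[,ip...]" layout that -o produces with -ip: it separates names inside the target domain from anything else for manual review, and counts how many in-scope names share each IP.

```bash
#!/usr/bin/env bash
# Triage an Amass "-ip" output file.
# Assumed line layout (constructed sample): "<name> <ip>[,<ip>...]"
# Third-party data sources can return unrelated or stale names, so we keep
# only names under the target domain and list the rest for manual review.

# Constructed sample, shaped like: amass enum -d owasp.org -ip -o results.txt
AMASS_SAMPLE='www.owasp.org 104.22.27.77,104.22.26.77
zzz-dev.owasp.org 203.0.113.10
owasp.org 104.22.27.77
cdn.example-thirdparty.net 198.51.100.5
mail.owasp.org 203.0.113.10'

# True when $2 equals $1 or is a subdomain of it (awk helper, shared below).
_scope_awk='function in_scope(n, d) {
    return (n == d || substr(n, length(n) - length(d)) == "." d)
}'

# Lines whose name is the target domain or a subdomain of it.
# $1 = target domain, stdin = Amass output
in_scope() {
    awk -v d="$1" "$_scope_awk"' NF >= 1 && in_scope($1, d) { print }'
}

# Lines whose name is NOT under the target domain: review these by hand.
out_of_scope() {
    awk -v d="$1" "$_scope_awk"' NF >= 1 && !in_scope($1, d) { print }'
}

# "<ip> <count>" for every IP an in-scope name resolves to,
# most-shared IP first (ties broken by IP string).
ip_histogram() {
    in_scope "$1" |
        awk '{ n = split($2, ips, ","); for (i = 1; i <= n; i++) c[ips[i]]++ }
             END { for (ip in c) print ip, c[ip] }' |
        sort -k2,2nr -k1,1
}

# Count lines of stdin without the leading spaces some wc builds print.
count_lines() { awk 'END { print NR }'; }

# Demo on the constructed sample.
printf '%s\n' "$AMASS_SAMPLE" | out_of_scope owasp.org
printf '%s\n' "$AMASS_SAMPLE" | ip_histogram owasp.org
```

Run it against a real file with `in_scope owasp.org < amass_results_owasp.txt`; anything printed by out_of_scope deserves a second look before it goes into a report.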

The deepmagic DNS wordlist is available here: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS

-config and -o are self explanatory. The config file tells Amass which DNS resolvers to use for checks. If none is specified, it uses the defaults built into its code.

-r lets you specify resolver IPs directly on the command line.

-rf lets you specify resolver IP addresses one per line in a file.

Command line options take precedence over the config file.

By default Amass performs recursive DNS lookups unless you specify the -norecursive option.



Hashcat style domain brute force:


To conclude this section in a more interesting way, let's assume that for some reason the OWASP organization tends to create subdomains with a "zzz" prefix, such as zzz-dev.owasp.org. You can leverage Amass' hashcat-style wordlist mask feature to brute-force all combinations of "zzz-[a-z][a-z][a-z].owasp.org" using the following command:


amass enum -d owasp.org -norecursive -wm "zzz-?l?l?l" -dir amass4owasp


Finally, you can always check the Amass log file within the output directory to ensure your configuration is working as expected.



---------------------------------------------------------------------------------------------------


Alert:

At this point, you should also keep in mind that if you perform multiple Amass operations within a short period of time from the same IP, that IP may be permanently blocked by some of the sources Amass scrapes, such as the Google and Yahoo search engines. In other words, Google and Yahoo will treat Amass as a malicious bot and block it.

 


-----------------------------------------------------------------------------------------------

Amass DB

You can use this subcommand to interact with an Amass graph database, either the default one or the one specified with the "-dir" flag.


For example, the command below lists all the names discovered during the enumerations you performed against owasp.org and stored in the "amass4owasp" graph database.


amass db -dir amass4owasp -names -d owasp.org



Next, with a similar command, you can retrieve the complete output for owasp.org stored in the "amass4owasp" graph database:


amass db -dir amass4owasp -d owasp.org -show -ip


Avi

---------------------------------------------------------------------------------------------------
