**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
Amass is an open-source tool created through collaboration with OWASP (Open Web Application Security Project). This software helps cybersecurity experts map out a company’s online footprint. Amass comes in handy for various security tasks, like finding vulnerabilities, running penetration tests, and checking possible ways attackers could get into an organization’s digital setup. Security professionals use this tool to get a holistic view of a company’s internet-facing assets, which allows them to perform better security checks.
Key capabilities of Amass:
- Automated Asset Discovery: This tool makes it easier to gather info about an organization’s online presence. It finds domains, subdomains, IP addresses, SSL/TLS certificates, and mail servers.
- Comprehensive Data Aggregation: Amass can get information from various sources, both public and private. These sources include search engines, DNS databases, certificate transparency logs, cloud service providers, and social media platforms among others. This gives a complete picture of an entity’s digital assets.
- Vulnerability Surface Mapping: Amass helps to spot possible weak points in an organization’s digital setup that threat actors could take advantage of. It does this by finding rogue subdomains or exposed services.
- Flexible Output Options: The tool lets you export collected data in different formats. This makes it easy to use with other security tools and processes for further analysis.
OWASP Amass has three main functions through its subcommands:
- Intelligence Gathering: The ‘intel’ subcommand helps users gather public information to research the target organization.
- Network Discovery: Users can use the ‘enum’ subcommand to do a full DNS search and map out internet-facing systems linked to the target.
- Data Handling: The ‘db’ subcommand allows users to work with and maintain the graph databases that store the results from mapping activities.
Each of these subcommands plays a unique role in mapping and analyzing an organization’s online presence, from initial research to data storage and manipulation.
Installation
Enter the following command (if you are not logged in as the root user, prefix the command with sudo):
apt-get install amass
In Kali Linux, OWASP Amass comes pre-installed as part of the standard distribution. Users can manage and update it using the same package management tools and commands they would use for any other software included in Kali. This integration allows for seamless maintenance and ensures that Amass remains up to date alongside other security tools in the Kali ecosystem. For example, refresh the package index with:
apt-get update
How To Use Amass
To see the proper syntax for using Amass, use the command:
amass
or
amass -h
or
amass -help
All the options of a specific subcommand can be listed similarly by typing:
amass <subcommand>
Performing Enumeration on a Target Using Amass
The basic command to perform enumeration on a target using OWASP Amass typically follows this structure:
amass enum -d <domain>
Where <domain> is replaced with the target domain you want to enumerate.
For example, to enumerate the domain “example.com”, you would use:
amass enum -d example.com
This command starts Amass’s search process, which finds subdomains and related details for the given domain.
Remember that this is just the simplest form of the command. Amass has many options and flags to tailor and boost the search process.
You can use these to add more sources, change how deep the search goes, pick output formats, and do other things.
The output lists all the domain and subdomain details found for the target domain.
The Amass enum command does more than just find domains.
It uses a full approach that includes all the normal search methods and then takes extra steps to get more in-depth details.
In active mode this process includes reaching out to the identified assets to retrieve TLS certificates, attempting DNS zone transfers where permitted, using NSEC walking techniques, and crawling web content.
These advanced methods explore the target's digital setup further by finding extra subdomains and related information that might not show up through simpler listing techniques.
Command for active enumeration on specific ports:
amass enum -active -d domain_name -p port_num
(For multiple ports, separate them with commas.)
The output from this command also includes the various DNS record types found for the target.
You can use the -o option followed by the file name to save the output to the mentioned file name.
amass enum -d example.com -o file.txt
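The file written with -o is a plain list of discovered hostnames, one per line. What a defender usually wants next is to keep that list clean and in scope, and to compare it with the previous run so that a subdomain nobody provisioned stands out. The script below is an added example, not part of the Amass project: it assumes the one-hostname-per-line text format of the -o output shown above, and all hostnames in it are constructed sample data.

```python
"""Post-process the text output of `amass enum -d example.com -o file.txt`.

Added example (not Amass project code). Assumes the -o file contains one
discovered hostname per line; the sample data below is constructed.
"""
import re
from collections import Counter

# Valid DNS label syntax; underscores are allowed because service records such
# as _dmarc.<domain> legitimately appear in enumeration results.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9_-]{1,63}(?<!-)(\.(?!-)[a-z0-9_-]{1,63}(?<!-))*$"
)

# Constructed sample: a previous run and a newer run of the same enumeration.
SAMPLE_PREVIOUS = """\
www.example.com
mail.example.com
vpn.example.com
"""
SAMPLE_CURRENT = """\
www.example.com
mail.example.com
api.dev.example.com
staging.example.com.
notexample.com
WWW.EXAMPLE.COM

bad host!.example.com
"""


def parse_amass_names(text):
    """Return the set of normalized hostnames from an amass -o text file.

    Names are lower-cased, trailing dots removed, and blank or malformed
    lines skipped so that one bad line cannot poison the inventory.
    """
    names = set()
    for line in text.splitlines():
        name = line.strip().lower().rstrip(".")
        if name and HOSTNAME_RE.match(name):
            names.add(name)
    return names


def in_scope(name, apex_domains):
    """True if name is one of the apex domains or a subdomain of one.

    Matching on a label boundary matters: a plain suffix check would wrongly
    accept notexample.com as part of example.com.
    """
    return any(name == apex or name.endswith("." + apex) for apex in apex_domains)


def classify(names, apex_domains):
    """Split discovered names into in-scope and out-of-scope sets."""
    scoped = {n for n in names if in_scope(n, apex_domains)}
    return scoped, names - scoped


def diff_runs(previous, current):
    """Names that appeared since the previous run, and names that disappeared."""
    return sorted(current - previous), sorted(previous - current)


def group_by_parent(names, apex):
    """Count in-scope names by the label directly beneath the apex, so that
    api.dev.example.com is counted under dev.example.com. This highlights
    large sub-zones (a dev or staging tree) that deserve a closer look."""
    counts = Counter()
    for name in names:
        if not in_scope(name, [apex]):
            continue
        if name == apex:
            counts[apex] += 1
            continue
        labels = name[: -len(apex)].rstrip(".").split(".")
        counts[labels[-1] + "." + apex] += 1
    return counts


def report(previous_text, current_text, apex_domains):
    """Build an inventory summary from two -o output files."""
    previous = parse_amass_names(previous_text)
    current, out_of_scope = classify(parse_amass_names(current_text), apex_domains)
    new, gone = diff_runs(previous, current)
    return {
        "in_scope": sorted(current),
        "out_of_scope": sorted(out_of_scope),
        "new": new,
        "gone": gone,
    }


if __name__ == "__main__":
    result = report(SAMPLE_PREVIOUS, SAMPLE_CURRENT, ["example.com"])
    for key, value in result.items():
        print(f"{key}: {value}")
    print("by zone:", dict(group_by_parent(set(result["in_scope"]), "example.com")))
```

Run the enumeration on a schedule, keep each -o file, and feed the last two to report(); the "new" list is the set of hostnames to reconcile against your asset register, and anything in "out_of_scope" should be dropped from further analysis rather than acted on.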
Performing Intelligence Gathering Using Amass
The intel subcommand in Amass helps in gathering open-source intelligence about an organization. It helps to find more root domain names connected to the target entity. This feature enables users to grasp a wider picture of the organization’s web presence.
To see all the choices this subcommand offers, type amass intel into your terminal. It shows a list of available settings and options, letting you tailor and focus your intelligence-gathering work.
Using Intel subcommand to perform WHOIS Queries:
The Intel subcommand can use WHOIS queries to gather valuable information. These queries reveal facts about domain ownership, registration, and other connected data. This method helps build a complete picture of the target’s web presence. Enter this command:
amass intel -d domain_name -whois
Through these features, OWASP Amass aids security experts in evaluating an organization’s web presence. This boosts their ability to spot and tackle potential security risks and stay alert against changing digital threats.