OSINT Tools: Amass
What is Amass?
Amass is an open-source OSINT tool developed by OWASP (Open Web Application Security Project). It is designed to help penetration testers, security professionals, and researchers discover subdomains, associated domains, and other information about a target domain or organization. Amass integrates multiple data sources and techniques to provide a comprehensive view of the target’s digital footprint.
Installation
Amass can be installed on various platforms, including Linux, macOS, and Windows. Here’s how to set it up:
1. Linux and macOS
- Open a terminal window.
- Ensure you have Go (Golang) installed. If not, you can download it from the official website: Go Downloads.
- Use the following command to install Amass:

```bash
# Original command; `go get` stopped building and installing binaries in Go 1.17
go get -v github.com/OWASP/Amass/v3/...
# On Go 1.17 and later, use `go install` with an explicit version instead
go install -v github.com/OWASP/Amass/v3/...@latest
```
- Once the installation is complete, you can run Amass with the `amass` command.
2. Windows
- Download the latest Windows binary release of Amass from the official GitHub repository: Amass Releases.
- Extract the downloaded ZIP file to a directory of your choice.
- Open a Command Prompt or PowerShell window and navigate to the directory where you extracted Amass.
- You can now use Amass by running the `amass.exe` executable.
Using Amass
Now that you have Amass installed, let’s explore some common use cases.
1. Basic Subdomain Enumeration
To perform a basic subdomain enumeration, simply run Amass with the target domain as an argument:
```bash
amass enum -d example.com
```
Amass will start querying various data sources and DNS records to discover subdomains associated with the target domain.
2. Enumerating Subdomains with Output
You can save the results to a file using the `-o` flag:

```bash
amass enum -d example.com -o output.txt
```

This will create a text file (`output.txt`) containing the discovered subdomains, one per line.
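As an added example (not code from the Amass project or from this article), here is a small POSIX shell script for the defender-side use of that text output: keep the `-o` file from a previous run as a baseline, re-run Amass later, and report subdomains that have appeared since. The two input files are constructed inline; the in-scope apex domain filter and the `normalize_hosts` / `new_subdomains` function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: diff two plain-text Amass runs (amass enum -d <domain> -o <file>)
# and list names that appeared since the baseline run.
set -eu
LC_ALL=C; export LC_ALL   # deterministic sort order for comm(1)

# Normalise one Amass text output file: lower-case, strip trailing whitespace,
# trailing dots and blank lines, keep only names under the in-scope apex
# domain (assumption: out-of-scope hosts are not wanted here), and dedupe.
normalize_hosts() {  # $1 = Amass output file, $2 = in-scope apex domain
  apex_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  tr 'A-Z' 'a-z' < "$1" \
    | sed -e 's/[[:space:]]*$//' -e 's/\.$//' -e '/^$/d' \
    | grep -E "(^|\.)${apex_re}\$" \
    | sort -u
}

# Names present in the current run but absent from the baseline run.
new_subdomains() {  # $1 = baseline file, $2 = current file, $3 = apex domain
  b=$(mktemp); c=$(mktemp)
  normalize_hosts "$1" "$3" > "$b"
  normalize_hosts "$2" "$3" > "$c"
  comm -13 "$b" "$c"
  rm -f "$b" "$c"
}

# Constructed sample output from two hypothetical runs (not real data).
BASELINE=$(mktemp); CURRENT=$(mktemp)
printf 'www.example.com\nmail.example.com\nDev.example.com.\n' > "$BASELINE"
printf 'www.example.com\nMAIL.example.com\ndev.example.com\nstaging.example.com\nold-vpn.example.com\nwww.example.org\n' > "$CURRENT"

# Prints the two names that are new in the current run.
new_subdomains "$BASELINE" "$CURRENT" example.com
```

Unexpected new names (forgotten staging hosts, decommissioned VPN endpoints still in DNS) are the ones worth reviewing first.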
3. Using API Keys
Amass can leverage API keys for certain data sources, such as Shodan and Censys. To use an API key, use the `-config` flag to specify a configuration file containing the key:

```bash
amass enum -d example.com -config ~/path/to/config.ini
```

Your `config.ini` file should contain your API keys in the following format:

```ini
[shodan]
key = YOUR_SHODAN_API_KEY

[censys]
key = YOUR_CENSYS_API_KEY
```
4. Extensive Enumeration
For a more comprehensive scan, you can include additional sources and services:
```bash
amass enum -d example.com -active -brute -w ~/wordlists/your-wordlist.txt
```

In this example, Amass performs active enumeration and brute-forces subdomains using a custom wordlist. Note that `-active` and `-brute` send traffic directly to the target's infrastructure rather than only querying third-party sources.
5. Customizing Output
Amass provides multiple output formats, including JSON, CSV, and others. The `-o` flag always writes plain text; to write JSON, use the `-json` flag followed by the output path:

```bash
amass enum -d example.com -json output.json
```
Conclusion
Amass is a versatile and powerful OSINT tool for subdomain enumeration and information gathering. Whether you’re a cybersecurity professional, penetration tester, or researcher, understanding how to use and install Amass can significantly enhance your ability to assess and secure digital assets. Remember to use Amass responsibly and within the bounds of applicable laws and regulations. Happy hunting!
To learn more about Amass and explore its advanced features, be sure to check out the official documentation on GitHub: Amass GitHub Repository.