amass v2.9.2 releases: In-depth subdomain enumeration written in Go

The OWASP Amass tool suite obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS sweeping. Additionally, Amass uses the IP addresses obtained during resolution to discover associated netblocks and ASNs. All the information is then used to build maps of the target networks.

Changelog v2.9.2

b3a3a6a #79 initial implementation of the metrics collector
564ed04 Add simple alteration test
6d54262 Added as a data source.
3b2fc2e DNS wildcard detection fixes
8588c52 Merge pull request #101 from architekton/static-wildcard
fce64b8 Merge pull request #102 from fork-while-fork/add_alteration_test
742f07c Merge pull request #103 from caffix/add-cayley-to-the-graph-handler
aa5bcff Merge pull request #104 from rbadguy/add-bufferover-data-source
31f35ab Merge pull request #105 from caffix/enhance-brute-forcing
6d92c65 added Cayley query optimizations
e1dcc3b added enumeration IDs to the Cayley DB
0bf59dd improved handling of DNS queries for brute forcing
99a6d7b improved the accuracy of the stats being collected
cc33ff9 initial implementation of default graph using Cayley
b66c580 initial set of changes to brute forcing
5628240 separate compareAnswers from dns service
910c65e slight change to DNS resolution timeouts
571b6ef static wildcard test, close #61
cc2491c version 2.9.2 release



The most basic use of the tool, which includes reverse DNS lookups and name alterations:

$ amass -d

Add some additional domains to the enumeration:

$ amass -d, -d

You can also provide the initial domain names via an input file:

$ amass -df domains.txt

Get amass to provide the sources that discovered the subdomain names and print summary information:

$ amass -v -d

13242 names discovered – scrape: 211, dns: 4709, archive: 126, brute: 169, alt: 8027

Have amass print IP addresses with the discovered names:

$ amass -ip -d

Have amass write the results to a text file:

$ amass -ip -o out.txt -d

Have all the data collected written to a file as individual JSON objects:

$ amass -json out.txt -d

Specify your own DNS resolvers on the command-line or from a file:

$ amass -v -d -r,

The resolvers file can be provided using the following command-line switch:

$ amass -v -d -rf data/resolvers.txt

If you would like to blacklist some subdomains:

$ amass -bl -d

The blacklisted subdomains can be specified from a text file as well:

$ amass -blf data/blacklist.txt -d

The amass feature that performs alterations on discovered names and attempt resolution can be disabled:

$ amass -noalts -d

Use active information gathering techniques to attempt DNS zone transfers on all discovered authoritative name servers and obtain TLS/SSL certificates for discovered hosts on all specified ports:

$ amass -active -d net -p 80,443,8080

Caution, this is an active technique that will reveal your IP address to the target organization.

Have amass perform brute force subdomain enumeration as well:

$ amass -brute -d

By default, amass performs recursive brute forcing on new subdomains; this can be disabled:

$ amass -brute -norecursive -d

If you would like to perform recursive brute forcing after enough discoveries have been made:

$ amass -brute -min-for-recursive 3 -d

Change the wordlist used during the brute forcing phase of the enumeration:

$ amass -brute -w wordlist.txt -d

Throttle the rate of DNS queries by number per minute:

$ amass -freq 120 -d

Allow amass to include additional domains in the search using reverse whois information:

$ amass -whois -d

You can have amass list all the domains discovered with reverse whois before performing the enumeration:

$ amass -whois -l -d

Only the first domain provided is used while performing the reverse whois operation.

Network/Infrastructure Options

Caution: If you use these options without specifying root domain names, amass will attempt to reach out to every IP address within the identified infrastructure and obtain names from TLS certificates. This is “loud” and can reveal your reconnaissance activities to the organization being investigated.

If you do provide root domain names on the command-line, these options will simply serve as constraints to the amass output.

All the flags are shown here require the ‘net’ subcommand to be specified first.

To discover all domains hosted within target ASNs, use the following option:

$ amass net -asn 13374,14618

To investigate within target CIDRs, use this option:

$ amass net -cidr,

To limit your enumeration to specific IPs or address ranges, use this option:

$ amass net -addr,

By default, port 443 will be checked for certificates, but the ports can be changed as follows:

$ amass net -cidr -p 80,443,8080

Using a Proxy (still under development)

The amass tool can send all its traffic through a proxy, such as socks4, socks4a, socks5, http, and https. Do not use this to send the traffic through Tor, since that network does not support UDP traffic.

$ amass -v -proxy socks5://user:password@

Copyright 2017 Jeff Foley. All rights reserved.