amass v2.8.4 releases: In-depth subdomain enumeration written in Go

Amass is the subdomain enumeration tool with the greatest number of disparate data sources; it performs analysis of the resolved names in order to deliver the largest number of quality results.
Amass performs scraping of data sources, recursive brute forcing, crawling of web archives, permuting and altering of names, reverse DNS sweeping, and machine learning to obtain additional subdomain names. The architecture makes it easy to add new subdomain enumeration techniques as they are developed.
DNS name resolution is performed across many public servers so the authoritative server will see traffic coming from different locations.
Use

The most basic use of the tool, which includes reverse DNS lookups and name alterations:
$ amass -d example.com

Add some additional domains to the enumeration:
$ amass -d example1.com,example2.com -d example3.com

You can also provide the initial domain names via an input file:
$ amass -df domains.txt

Get amass to provide the sources that discovered the subdomain names and print summary information:
$ amass -v -d example.com

Have amass print IP addresses with the discovered names:
$ amass -ip -d example.com

Have amass write the results to a text file:
$ amass -ip -o out.txt -d example.com

Have all the data collected written to a file as individual JSON objects (one object per line):
$ amass -json out.txt -d example.com

Specify your own DNS resolvers on the command-line:
$ amass -v -d example.com -r 18.104.22.168,22.214.171.124

The resolvers can also be read from a file using the following command-line switch:
$ amass -v -d example.com -rf data/resolvers.txt

If you would like to blacklist some subdomains (the named subdomain and everything beneath it):
$ amass -bl blah.example.com -d example.com

The blacklisted subdomains can be specified from a text file as well:
$ amass -blf data/blacklist.txt -d example.com

The amass feature that performs alterations on discovered names and attempts resolution can be disabled:
$ amass -noalts -d example.com

Use active information gathering techniques to attempt DNS zone transfers on all discovered authoritative name servers and obtain TLS/SSL certificates from discovered hosts on all specified ports:
$ amass -active -d example.com net -p 80,443,8080

Caution: this is an active technique that will reveal your IP address to the target organization.
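The JSON output, the per-source summary, the IP listing and the blacklist switches above all work on the same records, so it is useful to be able to rebuild those views offline from a saved out.txt. The following Python script is an added example and is not part of amass or of this page: it reads a -json file (one object per line, skipping partial or malformed lines), drops names under a blacklist the way -bl/-blf would (suffix match on DNS label boundaries, so blah.example.com also removes dev.blah.example.com but not notblah.example.com), and produces the distinct-name count per data source plus an IP-to-names map. The sample records are constructed here, and the field names (name, domain, addresses[].ip/cidr/asn/desc, tag, source) are an assumption about the JSON layout; adjust them to whatever your own output file contains.

```python
"""Post-process amass -json output: one JSON object per discovered name, per line."""
import json
from collections import defaultdict

# Constructed sample, not captured from a real amass run. The field names
# (name, domain, addresses[].ip/cidr/asn/desc, tag, source) are assumed.
SAMPLE_JSON_LINES = """\
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"scrape","source":"crtsh"}
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"dns","source":"Brute Forcing"}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.25","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"alt","source":"Alterations"}
{"name":"api.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"},{"ip":"2001:db8::10","cidr":"2001:db8::/32","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"dns","source":"Reverse DNS"}
{"name":"blah.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.99","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"scrape","source":"Wayback"}
{"name":"dev.blah.example.com","domain":"example.com","addresses":[],"tag":"scrape","source":"Wayback"}
this line is not JSON and is skipped
"""


def parse_amass_json(text):
    """Return one dict per valid JSON line; blank and malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write or console noise; do not abort the whole run
        if isinstance(obj, dict) and "name" in obj:
            records.append(obj)
    return records


def is_blacklisted(name, blacklist):
    """True if name equals a blacklist entry or is a subdomain of one.

    Matching is done on DNS label boundaries, so 'blah.example.com' blocks
    'dev.blah.example.com' but not 'notblah.example.com'.
    """
    name = name.lower().rstrip(".")
    for entry in blacklist:
        entry = entry.lower().strip().rstrip(".")
        if entry and (name == entry or name.endswith("." + entry)):
            return True
    return False


def summarize(records, blacklist=()):
    """Rebuild the views the -v and -ip switches print, from the JSON records."""
    names = set()
    per_source = defaultdict(set)   # data source -> distinct names it found
    ip_to_names = defaultdict(set)  # resolved IP -> names that resolve to it
    for rec in records:
        name = rec["name"].lower().rstrip(".")
        if is_blacklisted(name, blacklist):
            continue
        names.add(name)
        per_source[rec.get("source", "unknown")].add(name)
        for addr in rec.get("addresses", []):
            ip = addr.get("ip")
            if ip:
                ip_to_names[ip].add(name)
    return {
        "names": sorted(names),
        "sources": {src: len(found) for src, found in sorted(per_source.items())},
        "ip_to_names": {ip: sorted(n) for ip, n in sorted(ip_to_names.items())},
    }


if __name__ == "__main__":
    recs = parse_amass_json(SAMPLE_JSON_LINES)
    report = summarize(recs, blacklist=["blah.example.com"])
    print(f"{len(report['names'])} names after blacklist filtering")
    for src, count in report["sources"].items():
        print(f"  {src}: {count}")
    for ip, hosts in report["ip_to_names"].items():
        print(f"  {ip} -> {', '.join(hosts)}")
```

To run it against a real file, replace SAMPLE_JSON_LINES with the contents of out.txt and feed the same blacklist file you gave -blf; names that appear from several sources are counted once per source, which is what makes the per-source numbers comparable.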
Have amass perform brute force subdomain enumeration as well:
$ amass -brute -d example.com

By default, amass performs recursive brute forcing on newly discovered subdomains; this can be disabled:
$ amass -brute -norecursive -d example.com

If you would like recursive brute forcing of a subdomain to start only after enough names have been discovered beneath it (here, three):
$ amass -brute -min-for-recursive 3 -d example.com

Change the wordlist used during the brute forcing phase of the enumeration:
$ amass -brute -w wordlist.txt -d example.com

Throttle the rate of DNS queries, expressed as a number of queries per minute:
$ amass -freq 120 -d example.com

Allow amass to include additional domains in the search using reverse whois information:
$ amass -whois -d example.com

You can have amass list all the domains discovered with reverse whois before performing the enumeration:
$ amass -whois -l -d example.com

Only the first domain provided is used while performing the reverse whois operation.
Network/Infrastructure Options

Caution: If you use these options without specifying root domain names, amass will attempt to reach out to every IP address within the identified infrastructure and obtain names from TLS certificates. This is "loud" and can reveal your reconnaissance activities to the organization being investigated.

If you do provide root domain names on the command-line, these options simply serve as constraints on the amass output.

All the flags shown here require the 'net' subcommand to be specified first.
To discover all domains hosted within target ASNs, use the following option:
$ amass net -asn 13374,14618

To investigate within target CIDRs, use this option:
$ amass net -cidr 126.96.36.199/24,188.8.131.52/15

To limit your enumeration to specific IPs or address ranges, use this option:
$ amass net -addr 192.168.1.44,192.168.2.1-64

By default, port 443 will be checked for certificates, but the ports can be changed as follows:
$ amass net -cidr 192.168.1.0/24 -p 80,443,8080
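The caution at the top of this section is about volume: without root domains to constrain it, amass net opens one TLS connection per host and port across everything the -addr and -cidr values cover. The following Python helper is an added example, not amass's own code, that expands the same -addr, -cidr and -p values into a unique host count and an upper bound on connections, so you can size a scan before you run it. It assumes the a.b.c.d-e form means the last octet runs from d to e (and a.b.c.d-w.x.y.z means the inclusive range between two full addresses), masks off host bits in a CIDR such as 188.8.131.52/15 rather than rejecting it, and counts every address in a block, network and broadcast included, which is why the figure is an upper bound.

```python
"""Count how many hosts and TLS connections an 'amass net' invocation implies."""
import ipaddress


def expand_addr_spec(spec):
    """Expand a comma-separated -addr value into a list of IP address objects.

    Assumption: 'a.b.c.d-e' means the last octet runs from d to e, and
    'a.b.c.d-w.x.y.z' means the inclusive range between two full addresses.
    """
    hosts = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "-" not in item:
            hosts.append(ipaddress.ip_address(item))
            continue
        start, end = item.split("-", 1)
        first = ipaddress.ip_address(start)
        if "." in end:                      # full address after the dash
            last = ipaddress.ip_address(end)
        else:                               # last-octet shorthand
            base = start.rsplit(".", 1)[0]
            last = ipaddress.ip_address(f"{base}.{int(end)}")
        if last < first:
            raise ValueError(f"range runs backwards: {item}")
        hosts.extend(ipaddress.ip_address(n) for n in range(int(first), int(last) + 1))
    return hosts


def expand_cidr_spec(spec):
    """Expand a comma-separated -cidr value into every address in each block.

    Host bits in the input are masked off rather than rejected, and the
    network and broadcast addresses are included, so this is an upper bound.
    """
    hosts = []
    for item in (s.strip() for s in spec.split(",")):
        if item:
            hosts.extend(ipaddress.ip_network(item, strict=False))
    return hosts


def estimate_net_scan(addr="", cidr="", ports=(443,)):
    """Return (unique_hosts, max_connections) for the given switch values.

    Hosts listed both in -addr and inside a -cidr block are counted once;
    ports default to 443 because that is what amass checks by default.
    """
    targets = set(expand_addr_spec(addr)) | set(expand_cidr_spec(cidr))
    return len(targets), len(targets) * len(set(ports))


if __name__ == "__main__":
    hosts, conns = estimate_net_scan(
        addr="192.168.1.44,192.168.2.1-64",
        cidr="192.168.1.0/24",
        ports=(80, 443, 8080),
    )
    print(f"{hosts} hosts, up to {conns} TLS connections")
```

Run it with the exact values you intend to pass to amass net; if the connection count is larger than you are prepared to explain to the target's SOC, add root domains with -d so the options act as output constraints instead of a sweep.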
Using a Proxy (still under development)

The amass tool can send all its traffic through a proxy, such as socks4, socks4a, socks5, http, and https. Do not use this to send the traffic through Tor, since that network does not support UDP traffic, which the DNS queries rely on.
$ amass -v -proxy socks5://user:email@example.com:5050 example.com

Source: https://github.com/caffix/