### Install Amass with Homebrew Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Installs Amass using Homebrew by first tapping the required repository and then installing the package. ```bash brew tap caffix/amass brew install amass ``` -------------------------------- ### Install Amass via Go Source: https://context7.com/owasp-amass/amass/llms.txt Installs the Amass binary using Go. Requires Go version 1.21 or later. Includes verification of the installation. ```bash # Requires Go >= 1.21 go install github.com/owasp-amass/amass/v5/...@latest # Verify the binary amass -version ``` -------------------------------- ### Install Amass with Snapcraft Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Installs Amass using Snap. This command requires sudo privileges. ```bash sudo snap install amass ``` -------------------------------- ### Download and Install Amass with Go Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Downloads and installs the Amass Go module and its dependencies. Ensure your Go environment is correctly configured. ```bash go get -v -u github.com/OWASP/Amass/v3/... ``` -------------------------------- ### Install Amass on FreeBSD Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Installs Amass on FreeBSD. This involves navigating to the ports directory, installing, and then using pkg to install the package. ```bash cd /usr/ports/dns/amass/ && make install clean pkg install amass ``` -------------------------------- ### Install Amass via Package Managers Source: https://context7.com/owasp-amass/amass/llms.txt Provides installation commands for Amass using Homebrew, Snap, and apt-get for Debian-based systems. ```bash # Homebrew (macOS / Linux) brew tap caffix/amass && brew install amass # Snap sudo snap install amass # Kali / Parrot / Debian apt-get update && apt-get install amass ``` -------------------------------- ### Example Amass Enum Sources List Source: https://github.com/owasp-amass/amass/wiki/Tutorial An example output showing the variety of data sources Amass can query for subdomain discovery and information gathering. ```text AlienVault,ArchiveIt,ArchiveToday,Arquivo,Ask,Baidu,BinaryEdge,Bing,BufferOver,Censys,CertSpotter,CIRCL,CommonCrawl,Crtsh,[...],ViewDNS,VirusTotal,Wayback,WhoisXML,Yahoo ``` -------------------------------- ### Install Amass on Kali Linux Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Installs Amass on Kali Linux using apt-get. It first updates the package list and then installs the amass package. ```bash apt-get update apt-get install amass ``` -------------------------------- ### Install Amass on Pentoo Linux Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Installs Amass on Pentoo Linux using emerge. This command installs the net-analyzer/amass package. ```bash sudo emerge net-analyzer/amass ``` -------------------------------- ### Install Amass with Nix or NixOS Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Installs Amass using the Nix package manager. This command installs the amass package from the nixpkgs channel. ```bash nix-env -f '' -iA amass ``` -------------------------------- ### Build and Run Amass via Docker Source: https://context7.com/owasp-amass/amass/llms.txt Builds a Docker image for Amass and runs it with a persistent output volume. The example demonstrates running the `enum` subcommand. ```bash # Build the image docker build -t amass https://github.com/owasp-amass/amass.git # Run with a persistent output volume docker run -v /local/amass-output:/.config/amass/ amass enum -d example.com ``` -------------------------------- ### Integrate Amass into Go Application Source: https://github.com/owasp-amass/amass/wiki/User-Guide This Go code demonstrates how to initialize Amass, configure it for a domain, start an enumeration, and extract the output. Ensure the pseudo-random number generator is seeded. ```go package main import ( "fmt" "math/rand" "time" "github.com/OWASP/Amass/v3/config" "github.com/OWASP/Amass/v3/datasrcs" "github.com/OWASP/Amass/v3/enum" "github.com/OWASP/Amass/v3/systems" ) func main() { // Seed the default pseudo-random number generator rand.Seed(time.Now().UTC().UnixNano()) sys, err := systems.NewLocalSystem(config.NewConfig()) if err != nil { return } sys.SetDataSources(datasrcs.GetAllSources(sys)) e := enum.NewEnumeration(sys) if e == nil { return } defer e.Close() // Setup the most basic amass configuration e.Config.AddDomain("example.com") e.Start() for _, o := range e.ExtractOutput(nil) { fmt.Println(o.Name) } } ``` -------------------------------- ### Complete Amass Configuration File Example (YAML) Source: https://context7.com/owasp-amass/amass/llms.txt This YAML configuration file demonstrates various settings for Amass, including scope definition (domains, ASNs, CIDRs), active mode, boundary enforcement, resolvers, data source credentials, database connection, and asset transformations. ```yaml # config.yaml — complete example # Scope: root domains to enumerate scope: domains: - example.com - example.org asns: - 15169 cidrs: - 192.168.1.0/24 ports: - 443 - 8443 blacklist: - dev.example.com - staging.example.com # Active mode: attempt zone transfers and TLS cert grabs active: true # Rigid boundary enforcement: drop out-of-scope discoveries rigid_boundaries: false # Brute-force settings (enabled via -brute flag or here) # (controlled via CLI flags; wordlist path set with -w) # Custom DNS resolvers resolvers: - 8.8.8.8 - 1.1.1.1 trusted_resolvers: - 8.8.4.4 # Data source API credentials options: datasources: /home/user/.config/amass/datasources.yaml # Graph database (PostgreSQL example) database: - system: postgres host: localhost port: "5432" username: amass password: secret db_name: amass primary: true # Asset transformation pipeline transformations: "FQDN -> FQDN": ttl: 1440 confidence: 75 priority: 5 ``` -------------------------------- ### Go Client: client.NewClient() — Engine API Go Client Source: https://context7.com/owasp-amass/amass/llms.txt The `engine/api/client/v1` package provides a typed Go client for all Engine API operations. This example demonstrates how to initialize the client, perform a health check, create and manage sessions, poll statistics, query assets, and terminate a session. ```APIDOC ## Go Client: `client.NewClient()` — Engine API Go Client The `engine/api/client/v1` package provides a typed Go client for all Engine API operations, suitable for embedding Amass into Go programs or orchestration tools. ```go package main import ( "context" "fmt" "log" "github.com/owasp-amass/amass/v5/config" clientv1 "github.com/owasp-amass/amass/v5/engine/api/client/v1" oam "github.com/owasp-amass/open-asset-model" ) func main() { ctx := context.Background() client, err := clientv1.NewClient("http://localhost:4000") if err != nil { log.Fatal(err) } defer client.Close() // Verify the engine is reachable if !client.HealthCheck(ctx) { log.Fatal("engine not available") } // Build a config and create a session cfg := config.NewConfig() cfg.AddDomain("example.com") cfg.BruteForcing = false token, err := client.CreateSession(ctx, cfg) if err != nil { log.Fatalf("CreateSession: %v", err) } fmt.Println("Session token:", token) // List all active sessions tokens, err := client.ListSessions(ctx) if err != nil { log.Fatal(err) } fmt.Println("Active sessions:", len(tokens)) // Poll stats stats, err := client.SessionStats(ctx, token) if err != nil { log.Fatal(err) } fmt.Printf("Work items: %d / %d\n", stats.WorkItemsCompleted, stats.WorkItemsTotal) // Query in-scope FQDNs assets, err := client.SessionScope(ctx, token, oam.FQDN) if err != nil { log.Fatal(err) } for _, a := range assets { fmt.Println("In scope:", a) } // Terminate session if err := client.TerminateSession(ctx, token); err != nil { log.Fatal(err) } fmt.Println("Session terminated.") } ``` ``` -------------------------------- ### Start Amass Engine Source: https://context7.com/owasp-amass/amass/llms.txt Initializes the Amass engine, including the plugin registry, session manager, event dispatcher, and HTTP API server. The engine is ready to accept sessions via its REST API. ```go package main import ( "context" "fmt" "log/slog" "os" "github.com/owasp-amass/amass/v5/engine" ) func main() { logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{ Level: slog.LevelInfo, })) eng, err := engine.NewEngine(logger) if err != nil { fmt.Fprintf(os.Stderr, "failed to start engine: %v\n", err) os.Exit(1) } defer eng.Shutdown() fmt.Println("Engine running. API available at http://localhost:4000/api/v1") // The engine is now ready to accept sessions via its REST API. // Plugins for DNS, WHOIS, brute-force, scrapers, and enrichment // are automatically loaded and registered. // Block until an external signal shuts it down ctx, cancel := context.WithCancel(context.Background()) defer cancel() <-ctx.Done() } ``` -------------------------------- ### Build Amass Docker Image Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Builds the Amass Docker image from the GitHub repository. Ensure Docker is installed and configured. ```bash docker build -t amass https://github.com/OWASP/Amass.git ``` -------------------------------- ### Rebuild Amass Binary from Source Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Navigates to the Amass source directory and rebuilds the binary. This command assumes you have already downloaded the source using 'go get'. ```bash cd $GOPATH/src/github.com/OWASP/Amass go install ./... ``` -------------------------------- ### List Amass Wordlists Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Lists the available wordlists for Amass in the examples directory. These can be used for DNS name alterations and brute-forcing. ```bash ls $GOPATH/src/github.com/OWASP/Amass/examples/wordlists/ ``` -------------------------------- ### Install Amass on DragonFly BSD Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Installs Amass on DragonFly BSD using the pkg package manager. It first upgrades existing packages and then installs Amass. ```bash pkg upgrade pkg install amass ``` -------------------------------- ### Check Amass Version Source: https://github.com/owasp-amass/amass/wiki/User-Guide Perform this action to check the installed version of the Amass tool. ```bash amass -version ``` -------------------------------- ### Amass Intel Enumerate from Seed Domains Source: https://context7.com/owasp-amass/amass/llms.txt Performs intelligence gathering starting from a list of seed domains provided in a file. Outputs results to a specified file and logs to another. ```bash # Enumerate from a list of seed domains and write to file amass intel -whois -df seed_domains.txt -o intel_results.txt -log intel.log ``` -------------------------------- ### Refresh Snap Packages Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Updates all installed snap packages, including Amass, to their latest available versions. This command requires sudo privileges. ```bash sudo snap refresh ``` -------------------------------- ### Track Amass Enumeration Results Source: https://github.com/owasp-amass/amass/wiki/Tutorial Compare the last two Amass enumerations for a given target by specifying the output directory and database. Focus on lines starting with 'Found' to identify new subdomains. ```bash # amass track -config /root/amass/config.ini -dir amass4owasp -d owasp.org -last 2 ``` -------------------------------- ### Initialize Amass Go Client and Perform Operations Source: https://context7.com/owasp-amass/amass/llms.txt Demonstrates how to initialize the Amass Go client, create a session, list sessions, poll statistics, query scoped assets, and terminate a session. Ensure the Amass engine is running locally. ```go package main import ( "context" "fmt" "log" "github.com/owasp-amass/amass/v5/config" clientv1 "github.com/owasp-amass/amass/v5/engine/api/client/v1" oam "github.com/owasp-amass/open-asset-model" ) func main() { ctx := context.Background() client, err := clientv1.NewClient("http://localhost:4000") if err != nil { log.Fatal(err) } defer client.Close() // Verify the engine is reachable if !client.HealthCheck(ctx) { log.Fatal("engine not available") } // Build a config and create a session cfg := config.NewConfig() cfg.AddDomain("example.com") cfg.BruteForcing = false token, err := client.CreateSession(ctx, cfg) if err != nil { log.Fatalf("CreateSession: %v", err) } fmt.Println("Session token:", token) // List all active sessions tokens, err := client.ListSessions(ctx) if err != nil { log.Fatal(err) } fmt.Println("Active sessions:", len(tokens)) // Poll stats stats, err := client.SessionStats(ctx, token) if err != nil { log.Fatal(err) } fmt.Printf("Work items: %d / %d\n", stats.WorkItemsCompleted, stats.WorkItemsTotal) // Query in-scope FQDNs assets, err := client.SessionScope(ctx, token, oam.FQDN) if err != nil { log.Fatal(err) } for _, a := range assets { fmt.Println("In scope:", a) } // Terminate session if err := client.TerminateSession(ctx, token); err != nil { log.Fatal(err) } fmt.Println("Session terminated.") } ``` -------------------------------- ### Get Amass Engine Session Statistics API Source: https://context7.com/owasp-amass/amass/llms.txt Fetches work-item progress counters for a specified Amass engine session. The example shows polling until completion. ```bash SESSION="3f6e8b12-1a2b-4c3d-9e0f-123456789abc" curl -s http://localhost:4000/api/v1/sessions/${SESSION}/stats # {"workItemsCompleted":1482,"workItemsTotal":2000} # Poll progress until complete (bash example) while true; do STATS=$(curl -s http://localhost:4000/api/v1/sessions/${SESSION}/stats) DONE=$(echo $STATS | jq .workItemsCompleted) TOTAL=$(echo $STATS | jq .workItemsTotal) echo "Progress: $DONE / $TOTAL" [ "$DONE" -ge "$TOTAL" ] && break sleep 5 done ``` -------------------------------- ### Create Default Amass Configuration using Go Source: https://context7.com/owasp-amass/amass/llms.txt The `config.NewConfig()` function in Go initializes a `*Config` object with safe defaults, including recursive brute-force, word/number flipping, default resolver QPS, and a minimum TTL for data source caching. This snippet demonstrates adding domains, checking scope membership, blacklisting subdomains, overriding the output directory, and loading settings from a YAML file. ```go package main import ( "fmt" "github.com/owasp-amass/amass/v5/config" ) func main() { cfg := config.NewConfig() // Set enumeration scope cfg.AddDomain("example.com") cfg.AddDomains("example.org", "example.net") // Check scope membership fmt.Println(cfg.IsDomainInScope("api.example.com")) // true fmt.Println(cfg.WhichDomain("api.example.com")) // "example.com" fmt.Println(cfg.IsDomainInScope("other.com")) // false // Blacklist noisy subdomains cfg.BlacklistSubdomain("mail.example.com") fmt.Println(cfg.Blacklisted("mail.example.com")) // true // Override output directory (avoids permission issues in CI) cfg.Dir = "/tmp/amass-run" // Load additional settings from a YAML file if err := cfg.LoadSettings("/etc/amass/config.yaml"); err != nil { fmt.Println("no config file:", err) } fmt.Println("Domains in scope:", cfg.Domains()) // Output: Domains in scope: [example.com example.org example.net] } ``` -------------------------------- ### Set up Git Remotes for Forking Source: https://github.com/owasp-amass/amass/blob/main/CONTRIBUTING.md Instructions for setting up Git remotes when forking the OWASP Amass repository. This involves renaming the original remote to 'upstream' and adding your fork as 'origin'. ```bash git remote rename origin upstream git remote add origin git@github.com:foo/amass.git ``` -------------------------------- ### Enable Go Modules for Amass Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Sets the GO111MODULE environment variable to 'on', which is required for building Go projects using modules. ```bash export GO111MODULE=on ``` -------------------------------- ### Get Session Scope Source: https://context7.com/owasp-amass/amass/llms.txt Retrieves in-scope assets for a given session, filtered by a specific Open Asset Model (OAM) asset type. ```APIDOC ## GET /api/v1/sessions/{token}/scope/{asset_type} ### Description Returns the in-scope assets for the given session filtered by Open Asset Model (OAM) asset type. Supported types: `fqdn`, `ipaddress`, `netblock`, `autonomoussystem`, `location`, `organization`. ### Method GET ### Endpoint /api/v1/sessions/{token}/scope/{asset_type} ### Parameters #### Path Parameters - **token** (string) - Required - The session token. - **asset_type** (string) - Required - The type of asset to retrieve (e.g., `fqdn`, `ipaddress`). ### Response #### Success Response (200) - **data** (array of objects) - A list of assets of the specified type. - **name** (string) - The name or value of the asset. ``` -------------------------------- ### Display Amass Help Information Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -help flag to display all available options and subcommands for the Amass tool. ```bash amass -help ``` -------------------------------- ### Format Code with gofmt Source: https://github.com/owasp-amass/amass/blob/main/CONTRIBUTING.md Ensure code is formatted correctly using gofmt before committing. This command should be run from the project root directory. ```bash go fmt ./... ``` -------------------------------- ### Amass Engine Health Check API Source: https://context7.com/owasp-amass/amass/llms.txt Checks if the Amass engine process is reachable. Returns 'Amass Engine OK' on success. Use --fail for scripting to get a non-zero exit code if unreachable. ```bash curl -s http://localhost:4000/api/v1/health # {"result":"Amass Engine OK"} # Non-zero exit code if unreachable (for scripting) curl --fail -s http://localhost:4000/api/v1/health || echo "Engine not ready" ``` -------------------------------- ### DNS Enumeration with Parameters Source: https://github.com/owasp-amass/amass/wiki/User-Guide Typical parameters for DNS enumeration, including verbose output, source display, IP resolution, brute-forcing, and minimum score for recursion. ```bash $ amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com [Google] www.example.com [VirusTotal] ns.example.com ... ``` -------------------------------- ### Automate Amass Discovery and Notifications Source: https://github.com/owasp-amass/amass/wiki/Tutorial This script automates Amass subdomain discovery, tracks new assets, and sends push notifications via Pushover. It requires API tokens for Pushover and uses local files for domain lists and scan results. Modify it based on specific requirements. ```bash 1. APP_TOKEN="$1" 2. USER_TOKEN="$2" 3. amass enum -src -active -df ./domains_to_monitor.txt -config ./regular_scan.ini -o ./amass_results.txt -dir ./regular_amass_scan -brute -norecursive 4. RESULT=$(amass track -df ./domains_to_monitor.txt -config ./regular_scan.ini -last 2 -dir ./regular_amass_scan | grep Found | awk '{print $2}') 5. FINAL_RESULT=$(while read -r d; do if grep --quiet "$d" ./all_domains.txt; then continue; else echo "$d"; fi; done <<< $RESULT) 6. if [[ -z "$FINAL_RESULT" ]] 7. FINAL_RESULT="No new subdomains were found" 8. else 9. echo "$FINAL_RESULT" >> ./all_domains.txt 10. fi 11. wget https://api.pushover.net/1/messages.json --post-data="token=$APP_TOKEN&user=$USER_TOKEN&message=$FINAL_RESULT&title=$TITLE" -qO- > /dev/null 2>&1 & ``` -------------------------------- ### Get Amass Engine Session Scope API Source: https://context7.com/owasp-amass/amass/llms.txt Retrieves in-scope assets for a session, filtered by Open Asset Model (OAM) asset type. Supported types include `fqdn`, `ipaddress`, `netblock`, `autonomoussystem`, `location`, and `organization`. ```bash SESSION="3f6e8b12-1a2b-4c3d-9e0f-123456789abc" # Get all FQDNs in scope curl -s http://localhost:4000/api/v1/sessions/${SESSION}/scope/fqdn # {"data":[{"name":"example.com"},{"name":"api.example.com"},...]} # Get IP addresses in scope curl -s http://localhost:4000/api/v1/sessions/${SESSION}/scope/ipaddress # Get ASNs in scope curl -s http://localhost:4000/api/v1/sessions/${SESSION}/scope/autonomoussystem ``` -------------------------------- ### Lint Code with golangci-lint Source: https://github.com/owasp-amass/amass/blob/main/CONTRIBUTING.md Use golangci-lint to check for errors and maintain code quality before committing. Run this command from the project root directory. ```bash golangci-lint run ./... ``` -------------------------------- ### Automation Script — Continuous Monitoring with Alerting Source: https://context7.com/owasp-amass/amass/llms.txt This Bash script demonstrates how to automate continuous subdomain monitoring using `amass enum` for enumeration and `amass track` for detecting new subdomains. It includes steps for running enumeration, identifying new subdomains, filtering against a cumulative list, and sending alerts via Slack. ```APIDOC ## Automation Script — Continuous Monitoring with Alerting End-to-end Bash example combining `amass enum`, `amass track`, and push notifications for continuous attack surface monitoring. ```bash #!/usr/bin/env bash # amass-monitor.sh — run daily via cron for continuous subdomain monitoring DOMAINS_FILE="./domains.txt" # one domain per line OUTPUT_DIR="./amass-output" CONFIG="./amass-config.yaml" ALL_DOMAINS="./all_discovered.txt" SLACK_WEBHOOK="https://hooks.slack.com/services/T000/B000/xxxx" # 1. Run a thorough active enumeration amass enum -active -df "${DOMAINS_FILE}" \ -config "${CONFIG}" \ -dir "${OUTPUT_DIR}" \ -src -ip -brute -norecursive \ -o "${OUTPUT_DIR}/latest.txt" # 2. Find subdomains new since last run NEW=$(amass track \ -df "${DOMAINS_FILE}" \ -config "${CONFIG}" \ -dir "${OUTPUT_DIR}" \ -last 2 | grep "^Found" | awk '{print $2}') # 3. Filter against the cumulative list NOVEL=$(while read -r d; do grep -qF "$d" "${ALL_DOMAINS}" || echo "$d" done <<< "${NEW}") # 4. Persist and notify if [ -n "${NOVEL}" ]; then echo "${NOVEL}" >> "${ALL_DOMAINS}" sort -u "${ALL_DOMAINS}" -o "${ALL_DOMAINS}" MSG="New subdomains discovered:\n${NOVEL}" curl -s -X POST "${SLACK_WEBHOOK}" \ -H "Content-Type: application/json" \ -d "{\"text\":\"${MSG}\"}" echo "Alert sent for: ${NOVEL}" else echo "No new subdomains found." fi ``` ``` -------------------------------- ### Generate Gephi-Compatible GEXF File with Amass Viz Source: https://context7.com/owasp-amass/amass/llms.txt Use the `amass viz -gexf` command to create a GEXF file compatible with Gephi for network graph analysis. This is useful for detailed visualization and analysis in Gephi. ```bash amass viz -gexf -dir ./amass-output -d example.com ``` -------------------------------- ### Fetch and Rebase from Upstream Source: https://github.com/owasp-amass/amass/blob/main/CONTRIBUTING.md Commands to fetch updates from the original OWASP Amass repository (upstream) and rebase your local branch onto it. ```bash git fetch upstream git rebase upstream/main ``` -------------------------------- ### Run Amass Docker with Wordlist Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Executes the Amass Docker container, mounting a volume and specifying a wordlist for brute-forcing. Ensure the wordlist path is correct within the container. ```bash docker run -v OUTPUT_DIR_PATH:/.config/amass/ amass enum -brute -w /wordlists/all.txt -d example.com ``` -------------------------------- ### Amass Enum: List Available Data Sources Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -list flag to print the names of all available data sources that Amass can query. ```bash amass enum -list ``` -------------------------------- ### Acquire Amass Configuration Source: https://context7.com/owasp-amass/amass/llms.txt Loads Amass configuration from standard OS paths, environment variables, or an explicit file. It also auto-detects database and engine API settings. ```go package main import ( "fmt" "log" "github.com/owasp-amass/amass/v5/config" ) func main() { cfg := config.NewConfig() // dir="" uses the OS default; file="" triggers auto-discovery if err := config.AcquireConfig("", "", cfg); err != nil { log.Printf("config not loaded (using defaults): %v", err) } // Or load from an explicit path and directory cfg2 := config.NewConfig() if err := config.AcquireConfig("/tmp/amass-data", "/etc/amass/config.yaml", cfg2); err != nil { log.Fatal(err) } fmt.Println("Output dir:", config.OutputDirectory("")) // Linux: /home/user/.config/amass // macOS: /Users/user/Library/Application Support/amass // Windows: C:\Users\user\AppData\Roaming\amass fmt.Printf("Loaded %d domain(s)\n", len(cfg2.Domains())) } ``` -------------------------------- ### Generate VisJS HTML Visualization with Amass Viz Source: https://context7.com/owasp-amass/amass/llms.txt Use the `amass viz -visjs` command to generate an HTML visualization using the VisJS library. This provides an alternative interactive visualization for network data. ```bash amass viz -visjs -dir ./amass-output -d example.com ``` -------------------------------- ### Show Subdomains with Source Attribution using Amass Subs Source: https://context7.com/owasp-amass/amass/llms.txt Include the `-src` flag with `amass subs` to show the data source for each discovered subdomain. This helps in understanding how the subdomain information was obtained. ```bash amass subs -d example.com -dir ./amass-output -src ``` -------------------------------- ### Amass Intel List Available Data Sources Source: https://context7.com/owasp-amass/amass/llms.txt Lists all available data sources that can be utilized by the `amass intel` subcommand for OSINT-driven target discovery. ```bash # Show which data sources are available amass intel -list ``` -------------------------------- ### Basic Subdomain Enumeration Source: https://github.com/owasp-amass/amass/wiki/User-Guide The most basic use of the tool for subdomain enumeration against a target domain. ```bash amass enum -d example.com ``` -------------------------------- ### Amass Enum: Show Data Sources Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -src flag to display the data sources from which each discovered name was obtained. ```bash amass enum -src -d example.com ``` -------------------------------- ### Amass Enum: Include Data Sources by Name Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -include flag to specify data source names, separated by commas, to be included in enumeration. ```bash amass enum -include crtsh -d example.com ``` -------------------------------- ### Amass Enum: Specify File with Preferred DNS Resolvers Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -rf flag to provide a path to a file containing a list of preferred DNS resolvers. ```bash amass enum -rf data/resolvers.txt -d example.com ``` -------------------------------- ### Generate D3.js Interactive HTML Force Graph with Amass Viz Source: https://context7.com/owasp-amass/amass/llms.txt Use the `amass viz -d3` command to generate an interactive D3.js HTML force graph from discovered network data. This visualization helps in exploratory analysis of the network topology. ```bash amass viz -d3 -dir ./amass-output -d example.com ``` -------------------------------- ### Amass Enum Expected Output Format Source: https://context7.com/owasp-amass/amass/llms.txt Illustrates the expected output format when using the `-src` and `-ip` flags during enumeration, showing data source, subdomain, and IP address. ```text # Expected output (with -src -ip flags): # [Crtsh] www.example.com 93.184.216.34 # [VirusTotal] api.example.com 93.184.216.34 # [BinaryEdge] mail.example.com 93.184.216.200 ``` -------------------------------- ### Stream Session Logs via WebSocket (Go Client) Source: https://context7.com/owasp-amass/amass/llms.txt Subscribes to real-time log messages from a session using the Go client library. Ensure the client is initialized with the correct API endpoint and session token. ```go // Subscribe via the Go client package main import ( "context" "fmt" "log" clientv1 "github.com/owasp-amass/amass/v5/engine/api/client/v1" "github.com/google/uuid" ) func main() { client, err := clientv1.NewClient("http://localhost:4000") if err != nil { log.Fatal(err) } defer client.Close() token := uuid.MustParse("3f6e8b12-1a2b-4c3d-9e0f-123456789abc") logs, err := client.Subscribe(context.Background(), token) if err != nil { log.Fatal(err) } for msg := range logs { fmt.Println(msg) } } ``` -------------------------------- ### Create a Session Source: https://context7.com/owasp-amass/amass/llms.txt Creates a new enumeration session. Accepts a JSON-serialized configuration and returns a unique session token for subsequent API calls. ```APIDOC ## POST /api/v1/sessions ### Description Creates a new enumeration session from a JSON-serialized `config.Config`. Returns a UUID session token used in all subsequent API calls. ### Method POST ### Endpoint /api/v1/sessions ### Parameters #### Request Body - **scope** (object) - Required - The scope of the enumeration, including domains. - **domains** (array of strings) - Required - List of domains to enumerate. - **brute_force** (boolean) - Optional - Enables brute-force enumeration. - **active** (boolean) - Optional - Enables active enumeration techniques. - **resolvers** (array of strings) - Optional - List of DNS resolvers to use. ### Request Example ```bash curl -s -X POST http://localhost:4000/api/v1/sessions \ -H "Content-Type: application/json" \ -d '{ "scope": { "domains": ["example.com"] }, "brute_force": true, "active": false, "resolvers": ["8.8.8.8", "1.1.1.1"] }' ``` ### Response #### Success Response (200) - **sessionToken** (string) - The unique token for the created session. ``` -------------------------------- ### Execute Amass via Docker Source: https://github.com/owasp-amass/amass/wiki/User-Guide Executing the Amass tool using its Docker image. Ensure to map a local directory for persistent storage and output access. ```bash docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass:latest enum --list ``` -------------------------------- ### Perform Active Subdomain Enumeration with Amass Source: https://github.com/owasp-amass/amass/wiki/Tutorial Use this command for active subdomain discovery, specifying a wordlist, output directory, and configuration file. It includes source and IP resolution data. ```bash # amass enum -active -d owasp.org -brute -w /root/dns_lists/deepmagic.com-top50kprefixes.txt -src -ip -dir amass4owasp -config /root/amass/config.ini -o amass_results_owasp.txt ``` -------------------------------- ### Automate Amass Enumeration and Alert on New Subdomains Source: https://context7.com/owasp-amass/amass/llms.txt This Bash script automates subdomain discovery using `amass enum` and `amass track`. It sends notifications via Slack for any newly discovered subdomains. Ensure Slack webhook URL and file paths are correctly configured. ```bash #!/usr/bin/env bash # amass-monitor.sh — run daily via cron for continuous subdomain monitoring DOMAINS_FILE="./domains.txt" # one domain per line OUTPUT_DIR="./amass-output" CONFIG="./amass-config.yaml" ALL_DOMAINS="./all_discovered.txt" SLACK_WEBHOOK="https://hooks.slack.com/services/T000/B000/xxxx" # 1. Run a thorough active enumeration amass enum -active -df "${DOMAINS_FILE}" \ -config "${CONFIG}" \ -dir "${OUTPUT_DIR}" \ -src -ip -brute -norecursive \ -o "${OUTPUT_DIR}/latest.txt" # 2. Find subdomains new since last run NEW=$(amass track \ -df "${DOMAINS_FILE}" \ -config "${CONFIG}" \ -dir "${OUTPUT_DIR}" \ -last 2 | grep "^Found" | awk '{print $2}') # 3. Filter against the cumulative list NOVEL=$(while read -r d; do grep -qF "$d" "${ALL_DOMAINS}" || echo "$d" done <<< "${NEW}") # 4. Persist and notify if [ -n "${NOVEL}" ]; then echo "${NOVEL}" >> "${ALL_DOMAINS}" sort -u "${ALL_DOMAINS}" -o "${ALL_DOMAINS}" MSG="New subdomains discovered:\n${NOVEL}" curl -s -X POST "${SLACK_WEBHOOK}" \ -H "Content-Type: application/json" \ -d "{\"text\":\"${MSG}\"}" echo "Alert sent for: ${NOVEL}" else echo "No new subdomains found." fi ``` -------------------------------- ### Stream Session Logs via WebSocket (Bash) Source: https://context7.com/owasp-amass/amass/llms.txt Connects to a WebSocket endpoint to stream real-time log messages from a running session. Requires a tool like `websocat`. The server sends periodic ping frames to keep the connection alive. ```bash # Using websocat (https://github.com/vi/websocat) SESSION="3f6e8b12-1a2b-4c3d-9e0f-123456789abc" websocat "ws://localhost:4000/api/v1/sessions/${SESSION}/ws/logs" # [INFO] DNS query: www.example.com -> 93.184.216.34 # [INFO] New FQDN discovered: api.example.com # ... ``` -------------------------------- ### Amass Enum: File with Known Subdomain Names Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -nf flag to provide a path to a file containing subdomain names already known from other sources. ```bash amass enum -nf names.txt -d example.com ``` -------------------------------- ### Amass Enum: Specify File with Root Domains Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -df flag to provide a path to a file containing root domain names. ```bash amass enum -df domains.txt ``` -------------------------------- ### Amass Enum: Specify Configuration File Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -config flag to specify the path to an alternative INI configuration file. ```bash amass enum -config config.ini ``` -------------------------------- ### Amass Enum: Specify File to Exclude Data Sources Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -ef flag to provide a path to a file containing data sources to exclude from enumeration. ```bash amass enum -ef exclude.txt -d example.com ``` -------------------------------- ### Amass Enum: Blacklist File for Subdomains Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -blf flag to provide a path to a file containing a list of subdomain names to be blacklisted. ```bash amass enum -blf data/blacklist.txt -d example.com ``` -------------------------------- ### Amass Enum: Specify File to Include Data Sources Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -if flag to provide a path to a file containing data sources to include in enumeration. ```bash amass enum -if include.txt -d example.com ``` -------------------------------- ### Add Single Asset to Session (Bash) Source: https://context7.com/owasp-amass/amass/llms.txt Submits a single OAM asset object to a session for processing. Ensure the correct asset type is specified in the URL path. ```bash SESSION="3f6e8b12-1a2b-4c3d-9e0f-123456789abc" # Add an FQDN asset curl -s -X POST \ http://localhost:4000/api/v1/sessions/${SESSION}/assets/fqdn \ -H "Content-Type: application/json" \ -d '{"name": "api.example.com"}' # {"entityID":"e7f3a9b2-..."} # Add an IP address asset curl -s -X POST \ http://localhost:4000/api/v1/sessions/${SESSION}/assets/ipaddress \ -H "Content-Type: application/json" \ -d '{"address": "93.184.216.34", "type": "IPv4"}' # {"entityID":"d2c4b1a0-..."} # Add a netblock asset curl -s -X POST \ http://localhost:4000/api/v1/sessions/${SESSION}/assets/netblock \ -H "Content-Type: application/json" \ -d '{"cidr": "93.184.216.0/24", "type": "IPv4"}' ``` -------------------------------- ### List Amass DB Enumerations Source: https://github.com/owasp-amass/amass/wiki/Tutorial Lists all performed enumerations for given domains stored in the specified graph database. Use the '-dir' flag to specify the database directory. ```bash # amass db -dir amass4owasp -list ``` -------------------------------- ### Add Snap Bin Directory to PATH Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Adds the Amass snap binary directory to your system's PATH environment variable, allowing you to run Amass commands directly. ```bash export PATH=$PATH:/snap/bin ``` -------------------------------- ### Amass Enum: Minimum Labels for Recursive Brute Force Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -min-for-recursive flag to set the minimum number of subdomain labels required before initiating recursive brute forcing. Default is 1. ```bash amass enum -brute -min-for-recursive 3 -d example.com ``` -------------------------------- ### Bulk Asset Ingestion to Session (Bash) Source: https://context7.com/owasp-amass/amass/llms.txt Submits up to 5,000 OAM assets of the same type in a single request. The `items` array contains raw OAM JSON objects without a `type` field. Note the error case for exceeding the item limit. ```bash SESSION="3f6e8b12-1a2b-4c3d-9e0f-123456789abc" curl -s -X POST \ "http://localhost:4000/api/v1/sessions/${SESSION}/assets/fqdn:bulk" \ -H "Content-Type: application/json" \ -d '{ \ "items": [ \ {"name": "www.example.com"}, \ {"name": "api.example.com"}, \ {"name": "mail.example.com"}, \ {"name": "vpn.example.com"} \ ] \ }' # {"ingested":4,"stored":4,"failed":0} # Error case: too many items (>5000) # HTTP 413 {"code":413,"error":"too many items in bulk request","details":"max items exceeded"} ``` -------------------------------- ### Generate Maltego Graph Table CSV with Amass Viz Source: https://context7.com/owasp-amass/amass/llms.txt Use the `amass viz -maltego` command to export discovered network data as a CSV file suitable for import into Maltego. This facilitates integration with Maltego's graph analysis capabilities. ```bash amass viz -maltego -dir ./amass-output -d example.com ``` -------------------------------- ### Amass Enum: Show IP Addresses Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -ip flag to display the IP addresses associated with discovered names. ```bash amass enum -ip -d example.com ``` -------------------------------- ### Amass Intel Discover Domains from CIDR Range Source: https://context7.com/owasp-amass/amass/llms.txt Enumerates domains within a specified CIDR IP address range. Allows specifying target ports for active scanning. ```bash # Discover domains from a CIDR range amass intel -cidr 104.154.0.0/15 -p 443,8443 ``` -------------------------------- ### Amass Enum: Text Output File Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -o flag to specify the path for plain text output. ```bash amass enum -o out.txt -d example.com ``` -------------------------------- ### Amass Intel Command Usage Source: https://github.com/owasp-amass/amass/wiki/Tutorial Displays the available options for the amass intel subcommand. Use this to understand the various parameters for intelligence gathering. ```bash $ amass intel [...] Usage: amass intel [options] [-whois -d DOMAIN] [-addr ADDR -asn ASN -cidr CIDR] -active Attempt certificate name grabs -addr value IPs and ranges (192.168.1.1-254) separated by commas -asn value ASNs separated by commas (can be used multiple times) [...] ``` -------------------------------- ### Amass Enum: Include Unresolvable DNS Names Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -include-unresolvable flag to output DNS names that could not be resolved. ```bash amass enum -include-unresolvable -d example.com ``` -------------------------------- ### Run Amass Docker Container Source: https://github.com/owasp-amass/amass/wiki/Installation-Guide Runs the Amass Docker image, mounting a volume for persistent data and output. Replace OUTPUT_DIR_PATH with your desired host directory. ```bash docker run -v OUTPUT_DIR_PATH:/.config/amass/ amass enum --list ``` -------------------------------- ### Create Amass Engine Session API Source: https://context7.com/owasp-amass/amass/llms.txt Creates a new enumeration session by sending a JSON-serialized config.Config. A UUID session token is returned for subsequent API calls. ```bash # Create a session scoped to example.com with brute-force enabled curl -s -X POST http://localhost:4000/api/v1/sessions \ -H "Content-Type: application/json" \ -d '{ "scope": { "domains": ["example.com"] }, "brute_force": true, "active": false, "resolvers": ["8.8.8.8", "1.1.1.1"] }' # {"sessionToken":"3f6e8b12-1a2b-4c3d-9e0f-123456789abc"} SESSION="3f6e8b12-1a2b-4c3d-9e0f-123456789abc" ``` -------------------------------- ### Brute-Force Subdomains with Hashcat Masks in Amass Source: https://github.com/owasp-amass/amass/wiki/Tutorial Leverage Amass's hashcat-style wordlist mask feature to brute-force subdomain combinations. Disable recursive enumeration and alterations for quicker results focused on the mask. ```bash # amass enum -d owasp.org -norecursive -noalts -wm "zzz-?l?l?l" -dir amass4owasp ``` -------------------------------- ### Amass Enum: Specify Graph Database Directory Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -dir flag to specify the path to the directory where the graph database will be stored. ```bash amass enum -dir PATH -d example.com ``` -------------------------------- ### Amass Enum: Output File Prefix Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -oA flag to specify a path prefix for naming all output files generated by the enumeration. ```bash amass enum -oA amass_scan -d example.com ``` -------------------------------- ### Amass Enum Brute-force and Recursive Expansion Source: https://context7.com/owasp-amass/amass/llms.txt Utilizes brute-force subdomain discovery with a custom wordlist and enables recursive subdomain expansion. Requires specifying minimum subdomains for recursion. ```bash # Brute-force with a custom wordlist and recursive subdomain expansion amass enum -brute -w /usr/share/wordlists/dns/deepmagic.txt \ -min-for-recursive 2 -d example.com -o results.txt ``` -------------------------------- ### Push Changes to Fork Source: https://github.com/owasp-amass/amass/blob/main/CONTRIBUTING.md Push your local development branch to your fork on GitHub. This is typically done after creating a development branch on your fork. ```bash git push -u origin develop ``` -------------------------------- ### Convert Amass Data to Maltego CSV Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use this command to convert Amass enumeration results into a CSV file format compatible with Maltego for import. ```bash amass viz -maltego ``` -------------------------------- ### Amass Enum: Show IPv6 Addresses Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -ipv6 flag to display only the IPv6 addresses for discovered names. ```bash amass enum -ipv6 -d example.com ``` -------------------------------- ### Amass Enum: Show IPv4 Addresses Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -ipv4 flag to display only the IPv4 addresses for discovered names. ```bash amass enum -ipv4 -d example.com ``` -------------------------------- ### Export Subdomain List to File with Amass Subs Source: https://context7.com/owasp-amass/amass/llms.txt Use the `-o` flag with `amass subs` to export the list of discovered subdomains to a specified text file. This is useful for saving or processing the subdomain list externally. ```bash amass subs -d example.com -dir ./amass-output -o subdomains.txt ``` -------------------------------- ### Amass Intel Discover Domains from ASN Source: https://context7.com/owasp-amass/amass/llms.txt Discovers domains associated with a specific ASN, optionally including IP address information. Supports active certificate grabbing. ```bash # Discover domains from a known ASN with active cert grabbing amass intel -active -asn 15169 -ip ``` -------------------------------- ### List All Subdomains with Amass Subs Source: https://context7.com/owasp-amass/amass/llms.txt Use the `amass subs -d` command to list all subdomains for a given domain that are stored in the graph database. This is a fundamental query for retrieving discovered subdomains. ```bash amass subs -d example.com -dir ./amass-output ``` -------------------------------- ### Show Subdomains with IP Addresses using Amass Subs Source: https://context7.com/owasp-amass/amass/llms.txt Add the `-ip` flag to `amass subs` to display discovered subdomains along with their associated IP addresses. This provides more detailed information about each subdomain. ```bash amass subs -d example.com -dir ./amass-output -ip ``` -------------------------------- ### Amass Enum: Specify Preferred DNS Resolvers Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -r flag to specify IP addresses of preferred DNS resolvers. This flag can be used multiple times. ```bash amass enum -r 8.8.8.8,1.1.1.1 -d example.com ``` -------------------------------- ### Amass Enum: Specify Ports Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -p flag to specify a comma-separated list of ports to scan during active enumeration. Default is 443. ```bash amass enum -d example.com -p 443,8080 ``` -------------------------------- ### Amass Enum: Log File for Errors Source: https://github.com/owasp-amass/amass/wiki/User-Guide Use the -log flag to specify the path to a file where errors will be written. ```bash amass enum -log amass.log -d example.com ``` -------------------------------- ### Amass Intel ASN and IP Search Source: https://github.com/owasp-amass/amass/wiki/Tutorial Retrieves parent domains for a specified ASN ID and returns them along with their resolved IP addresses. The '-active' flag attempts certificate name grabs. ```bash $ amass intel -active -asn 222222 -ip some-example-ltd-domain.com 127.0.0.1 [...] ```