The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

Amass comes preinstalled in the latest Kali Linux; if you need to install it elsewhere, follow the official guide:

https://github.com/owasp-amass/amass/blob/master/doc/install.md

https://github.com/owasp-amass/amass/blob/master/doc/user_guide.md

How to use

1. Display help menu

  • amass -h

2. Enumerate subdomains

  • amass enum -d tesla.com

Amass Intel

1. The amass intel subcommand gathers basic information about the target from various data sources. It finds IPv4 and IPv6 addresses and basic whois information.

  • amass intel -d owasp.org -whois

2. Amass can also search by organization name. This search can yield the ASN IDs that have been assigned to the target.

  • amass intel -org 'google'

We can see that we have retrieved ASN numbers. Let's try using an ASN ID against the target. Here -active tells Amass to use active reconnaissance techniques against the networks in that ASN instead of relying only on passive data sources (search indexes and similar third-party data).

  • amass intel -active -asn 44384 -ip

Amass Enum

1. The enum subcommand enumerates DNS names for the target and maps the surrounding network.

  • amass enum -passive -d google.com -src

2. We can also brute force subdomain names with a wordlist. Let's see how to do that. For EDUCATIONAL purposes only.

  • amass enum -active -d google.com -brute -w /usr/share/wordlists/amass/all.txt
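As an added example (not part of the original tutorial or of the Amass project), the script below turns the passive enumeration above into a recurring attack-surface check: it normalises two Amass output files and reports the names that appeared since the previous run. It assumes that `amass enum -passive -d DOMAIN -o FILE` writes each discovered name as the first whitespace-separated field of a line; the state directory layout and the sample names are made up for illustration.

```shell
#!/bin/sh
# Added example: report subdomains that are new since the last passive Amass run.
# Assumption: the Amass output file has one discovered name per line, with the
# FQDN as the first field (extra fields, e.g. relation arrows, are ignored).
LC_ALL=C
export LC_ALL

# Normalise an Amass output file for DOMAIN: take the first field, lowercase it,
# drop a trailing dot, keep only names under DOMAIN, then sort and dedupe.
normalize_names() {
    domain="$1"; file="$2"
    awk -v d="$domain" '
        NF > 0 {
            n = tolower($1); sub(/\.$/, "", n)
            if (n == d || substr(n, length(n) - length(d)) == "." d) print n
        }' "$file" | sort -u
}

# Print names present in NEW but absent from OLD: the part of the attack
# surface that grew between the two runs.
new_names() {
    domain="$1"; old="$2"; new="$3"
    tmp_old=$(mktemp); tmp_new=$(mktemp)
    normalize_names "$domain" "$old" > "$tmp_old"
    normalize_names "$domain" "$new" > "$tmp_new"
    comm -13 "$tmp_old" "$tmp_new"
    rm -f "$tmp_old" "$tmp_new"
}

# Run a passive enumeration and diff it against the stored previous result.
# Passive mode contacts only third-party data sources, so it is suitable for
# scheduling against your own domains. STATE_DIR is a made-up location.
monitor() {
    domain="$1"; state_dir="$2"
    mkdir -p "$state_dir"
    latest="$state_dir/latest.txt"; previous="$state_dir/previous.txt"
    [ -f "$latest" ] && cp "$latest" "$previous"
    [ -f "$previous" ] || : > "$previous"
    amass enum -passive -d "$domain" -o "$latest"
    new_names "$domain" "$previous" "$latest"
}
```

Run it as `monitor example.com /var/lib/amass-monitor` from cron; the output lists only the names that were not seen in the previous run, so an empty result means nothing changed.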

Sources

https://techyrick.com/amass-full-tutorial/

https://github.com/owasp-amass/amass/blob/master/doc/tutorial.md