AMASS
OWASP Amass is an open-source, versatile Attack Surface Intelligence platform designed to comprehensively map an organization’s footprint. Built for flexibility and depth, Amass combines advanced data collection, network mapping, and OSINT capabilities to deliver detailed insights into physical and digital assets.
Overview
Amass extends far beyond basic subdomain enumeration, offering a comprehensive, automated approach to information gathering that reveals the full scope of an organization's infrastructure. Since the 4.x releases, Amass supports and promotes the Open Asset Model (OAM), which you can learn about on this Phillip Wylie Show episode.
Key | Value
---|---
Name | AMASS
Project URL | https://owasp.org/www-project-amass/
Source Repos | https://github.com/owasp-amass/
Documentation | https://owasp-amass.github.io/docs/
Author | Jeff Foley, #OWASP
Category | #osint, #software
Description
Documentation
Components
Setup
Running AMASS in Docker
While AMASS runs fine in a Docker container, and this can be used for a "cleaner" or more portable setup, Docker adds some complexity in terms of volume mapping for the configuration and database storage locations.
AMASS runs in a single Docker container.
- OLD WAY: pull the Docker image by running `docker pull caffix/amass:latest`.
- NEW: Amass now maintains a `Dockerfile` and a `docker compose` method for operating with Docker, so use these from the official repositories.
Configuration
The configuration file is used to store common settings, defaults, and API keys. The `.ini` format described here applies to the 3.x releases; version 4 moved to YAML (see the second Configuration section under Setup, below).
- The sample config file from the project's GitHub repo provides a starting point.
- Create a copy of this file and save it as `~/.config/amass/amass.ini`.
- Specify the config on the command line with `-config`.
Wordlists
Wordlists are used for efficient subdomain enumeration (brute forcing with `-brute -w`).
- If running on Kali, you can install the wordlists with `sudo apt install wordlists`.
- Wordlists are located in `/usr/share/wordlists/amass` on Kali and Debian-based installations.
Updating
Docker
You have one of two options:
1. Use the official Docker image and update it with `docker pull caffix/amass:latest`.
2. Pull the latest files from the GitHub repository and build the image yourself with `docker build .` inside the repo.
Kali
Amass is installed via `apt` on #Kali. Since Kali is a rolling distro, use `apt update && apt upgrade` to install new versions.
Detailed information about the currently-installed version can be viewed with `apt info amass`. See an example in the examples folder of the Amass repository.
Using Snapd
1. Install snapd: `sudo apt install snapd`
2. Check that the snapd service is running, and start it if it is not: `service snapd start`
3. Install Amass with snap: `sudo snap install amass`
4. When executing, make sure to use the snap environment; the binary lives under `/snap/bin/`.
Configuration
Prior to version 4.x, Amass used/supported an `.ini` file. For versions 4 and later, the tool's configuration file has moved to a #YAML format. If you have an older Amass configuration, use the `oam_i2y` tool to convert the `.ini` to `.yml`.
- Example configuration file from the official repository.
- See the official Amass config repository for more details.
Usage
Running via Docker
- Run `docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -d example.com`, where `OUTPUT_DIR_PATH` is a directory on the host that will hold the configuration and the database.
Tips and tricks
- Some data sources tend to time out, and excluding them will speed up the queries, e.g. `-exclude CommonCrawl,BufferOver,SiteDossier`
Getting Started
Examples
Local install with a custom data directory, config file and wordlist (the `enum` subcommand is required in 3.x and later):
```shell
amass enum -dir ~/Documents/amass -config ~/.config/amass/amass.ini -w /usr/share/wordlists/amass/subdomains-top1mil-20000.txt -d example.com
```
Docker with custom config file and wordlists on the host:
```shell
docker run -it --rm -v /home/ktneely/Nextcloud/Documents/Investigations/amass/:/.config/amass -v /home/ktneely/dev/amass/examples/wordlists/:/usr/share/amass/wordlists/ amass:latest enum -config /.config/amass/amass.ini -d siliconvalleybank.xyz
```
No Docker, custom config and data directory, root domains read from a file (`-df`), and rate limits on data-source requests (`-rqps`) and DNS queries (`-dns-qps`); the second run adds brute forcing with a wordlist:
```shell
amass enum -config /mnt/c/Users/ktnee/Nextcloud/Documents/Investigations/2023-03-13-SVB/amass.ini -dir /mnt/c/Users/ktnee/Nextcloud/Documents/Investigations/2023-03-13-SVB/ -rqps 5 -dns-qps 160 -exclude CommonCrawl,BufferOver -df /mnt/c/Users/ktnee/Nextcloud/Documents/Investigations/2023-03-13-SVB/svb-domains.list
amass enum -dir /mnt/c/Users/ktnee/Nextcloud/Documents/Investigations/2023-03-13-SVB/ -brute -w /usr/share/wordlists/amass/fierce_hostlist.txt -rqps 5 -dns-qps 160 -exclude CommonCrawl,BufferOver -df /mnt/c/Users/ktnee/Nextcloud/Documents/Investigations/2023-03-13-SVB/svb-domains.list
```
How Amass fits in an Intel workflow
Use-case 1: Research an organization
Amass lets you start from scratch. Really from scratch: the researcher can simply enter the organization's name on the command line. The `intel` subcommand (part of the 3.x command set) enables the researcher to quickly broaden their investigation surface area.
```shell
amass intel -config ~/.config/amass/amass.ini -org uber
```
Use-case 2: Research an interesting domain for other uses
While researching, the analyst may want to understand the breadth of use for a domain of interest.
By default, Amass data is stored in `~/.config/amass`.
- Use `-dir /pathto/directory` to specify a specific location for this search when using a local install.
- Use volume redirects (`-v`) to specify a local directory on your host for use by the container.
- Generate some intel about the domain:
```shell
amass intel -config ~/.config/amass/amass.ini -d example.com
```
- Run the domain through Amass' `enum` function:
```shell
amass enum -config ~/.config/amass/amass.ini -d example.com
```
- Review the results
  - Local install:
```shell
amass db -config ~/.config/amass/amass.ini -d example.com -show
```
  - Docker: run the same `db -show` command through `docker run`, mapping the data directory into `/.config/amass` as in the Docker example below.
- Print out all the discovered FQDNs related to the domain of interest
  - Local install:
```shell
amass db -config ~/.config/amass/amass.ini -d example.com -names
```
  - Docker:
```shell
docker run -it --rm -v ~/Documents/Investigations/amass/:/.config/amass -v ~/dev/amass/examples/wordlists/:/usr/share/amass/wordlists/ caffix/amass:latest db -config /.config/amass/amass.ini -d siliconvalleybank.xyz -names
```
Use `-nocolor` to print results without formatting so they can be piped to other tools.
Use-case 3: Run discovered domains through Nuclei
This workflow incorporates httprobe to turn the bare FQDNs into live HTTP/HTTPS URLs before scanning.
REQUIREMENT: install httprobe with `sudo apt install httprobe`
- Perform the steps in Use-case 2
- Save the names to a file:
```shell
amass db -config ~/.config/amass/amass.ini -d example.com -names -nocolor > sites.lst
```
- Probe the names for live web servers with httprobe:
```shell
cat sites.lst | httprobe > urls.lst
```
- Run Nuclei against the list of URLs:
```shell
nuclei -l urls.lst -tags tech,takeover
```
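The hand-off from `amass db -names` to httprobe and Nuclei is cleaner if the name list is normalized and scope-checked first: Amass can emit mixed-case names, trailing dots and, when `-nocolor` is forgotten, ANSI colour codes, and the graph may contain out-of-scope CNAME targets you should not scan. The following is an added example for this page, not Amass's own code; `normalize_names`, `sample_names` and `in_scope_csv` are names chosen here, and the sample input is constructed to look like `db -names` output.

```shell
#!/bin/sh
# Added example (not part of Amass): normalize an FQDN list before piping it
# into httprobe and nuclei. Assumes the input is the output of
#   amass db -config ... -d example.com -names -nocolor
# ANSI colour codes are stripped anyway in case -nocolor was forgotten.

ESC=$(printf '\033')   # literal escape byte, for a portable ANSI-stripping sed

# normalize_names ROOT_DOMAIN   (names on stdin, cleaned names on stdout)
#   - strip ANSI escape sequences
#   - lowercase, trim whitespace, drop a trailing dot
#   - keep only ROOT_DOMAIN itself and hosts ending in ".ROOT_DOMAIN"
#     (so a look-alike such as evil-example.com is rejected)
#   - sort and dedupe
normalize_names() {
    root=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sed "s/${ESC}\[[0-9;]*[A-Za-z]//g" \
    | tr 'A-Z' 'a-z' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/\.$//' \
    | grep -v '^$' \
    | awk -v root="$root" '
        $0 == root { print; next }
        length($0) > length(root) && substr($0, length($0) - length(root)) == "." root { print }
      ' \
    | sort -u
}

# Constructed sample input in the shape of `amass db -names` output: colour
# codes, mixed case, a trailing dot, a duplicate, a look-alike domain and a
# CNAME target outside the scope.
sample_names() {
    printf '%s\n' \
        "${ESC}[32mwww.example.com${ESC}[0m" \
        "API.Example.com." \
        "mail.example.com" \
        "www.example.com" \
        "evil-example.com" \
        "cdn.example.com.edgekey.net"
}

# in_scope_csv ROOT_DOMAIN: the cleaned sample as one comma-joined line
in_scope_csv() {
    sample_names | normalize_names "$1" | tr '\n' ',' | sed 's/,$//'
}

# Intended place in the workflow above (httprobe reads names on stdin and
# nuclei accepts URLs on stdin):
#   amass db -config ~/.config/amass/amass.ini -d example.com -names -nocolor \
#     | normalize_names example.com | httprobe | nuclei -tags tech,takeover
```

On the constructed sample, `in_scope_csv example.com` yields `api.example.com,mail.example.com,www.example.com`: the duplicate collapses, the look-alike and the edgekey.net CNAME target are dropped, and only hosts you are authorized to scan reach Nuclei.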
Reference Articles
- OWASP Amass
- How to use OWASP Amass - dionach
- AAT quick tutorial and examples.