DEV Community

Stefan Alfbo

OWASP Amass

The first tactic in the MITRE ATT&CK Matrix for Enterprise is Reconnaissance.

The Amass tool is a good fit for the sub-techniques in the Search Open Technical Databases category of that tactic (DNS/Passive DNS, WHOIS, Digital Certificates, CDNs and Scan Databases).

Here is a summary of the Amass tool from their GitHub page:

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

Information gathering techniques used by the tool are:

  • APIs
  • Certificates
  • DNS
  • Routing
  • Scraping
  • Web Archives
  • WHOIS

To install it on an Ubuntu machine you can use this command (prefix it with sudo if you are not running as root):

snap install amass

The tool is driven through sub-commands, which you see by running it without arguments:

amass

To learn more about each sub-command (intel, enum, viz, track or db), enter this command in the terminal window:

amass intel -h

And replace intel with the sub-command of choice. To get started with the tool you can try out the most basic sub-command, enum, and enumerate subdomains:

amass enum -d example.com

Replace example.com with the domain you want to find subdomains for. This will take a minute or two to run, depending on the domain.

When it has finished you will get a list of all the findings, which can be visualized with this command:



amass viz -d3


This will create an HTML file in the directory the command was executed in. Look for a file called amass.html. On Ubuntu, open it in your default browser with:

xdg-open amass.html

(On macOS the equivalent command is open amass.html.)

There you have a nice presentation of the findings of the domain enumeration.
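The enumeration above is only the raw material; what you usually want next is the in-scope subset and the difference from your previous run. The following POSIX shell script is an added example, not code from the original post or from the Amass project. It assumes you ran enum with -o so that the output file holds one hostname per line, keeps only names inside the root domain you are authorised to test (lookalikes such as notexample.com or example.com.evil.net are rejected), normalises them, and diffs two runs the way you would otherwise use amass track. The hostnames are constructed sample data, not real findings.

```shell
#!/bin/sh
# Added example for post-processing Amass enumeration output; not part of Amass.
# Assumption: each input file holds one hostname per line, as
# "amass enum -d example.com -o found.txt" writes.
set -eu

# in_scope ROOT: read hostnames on stdin, lower-case them, drop a trailing dot,
# keep only ROOT itself and names ending in ".ROOT", and de-duplicate.
# Lookalikes such as notexample.com or example.com.evil.net are rejected.
in_scope() {
  root="$1"
  # escape the dots in ROOT so they match literally inside the regex
  re="(^|\\.)$(printf '%s' "$root" | sed 's/\./\\./g')\$"
  tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -E "$re" | sort -u
}

# new_hosts OLD NEW: hostnames present in NEW but absent from OLD
# (the question you would otherwise ask "amass track" between two runs).
new_hosts() {
  old_sorted=$(mktemp)
  new_sorted=$(mktemp)
  sort -u "$1" > "$old_sorted"
  sort -u "$2" > "$new_sorted"
  comm -13 "$old_sorted" "$new_sorted"
  rm -f "$old_sorted" "$new_sorted"
}

# Constructed sample data standing in for two enumeration runs (not real findings).
old_run=$(mktemp)
new_run=$(mktemp)
printf '%s\n' 'www.example.com' 'mail.example.com' > "$old_run"
printf '%s\n' 'WWW.example.com.' 'mail.example.com' 'dev.example.com' \
  'example.com.evil.net' 'notexample.com' | in_scope example.com > "$new_run"

echo "In-scope names from the new run:"
cat "$new_run"
echo "New since the previous run:"
new_hosts "$old_run" "$new_run"
```

Run it with sh and the second listing shows only dev.example.com; the two out-of-scope lookalikes never make it into the in-scope file. Point in_scope at every run before you store it, and feed the stored files to new_hosts to get a short list of what actually changed.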

To learn more about the tool I highly recommend their tutorial.

This is a great and easy tool to use, and it's not only for red teams. It's always good to know your own digital footprint and which exposed services might be targeted. There is almost always something interesting that turns up in the findings.

Happy searching!
