235 lines
8.3 KiB
HTML
235 lines
8.3 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
|
|
<meta http-equiv="X-Content-Type-Options" content="nosniff">
|
|
<link rel="stylesheet" href="../assets/css/style.css">
|
|
<link rel="icon" type="image/x-icon" href="../favicon.ico">
|
|
<script>
|
|
// Apply theme immediately to prevent flash
|
|
(function() {
|
|
const theme = localStorage.getItem('theme') ||
|
|
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
|
|
document.documentElement.setAttribute('data-theme', theme);
|
|
})();
|
|
</script>
|
|
<title>amass Cheatsheet - Cheatsheets - Launch Pad</title>
|
|
</head>
|
|
<body>
|
|
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
|
|
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
|
|
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
|
|
</button>
|
|
<br/><br/>
|
|
<div class="name">
|
|
__ _______________________ _________._________________________
|
|
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
|
|
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
|
|
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
|
|
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
|
|
\/ \/ \/ \/ \/ \/ \/
|
|
</div>
|
|
<div class="blog-page-header">
|
|
<div class="blog-header-content">
|
|
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
|
|
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
|
|
</a>
|
|
<h1 class="blog-page-title">amass Cheatsheet</h1>
|
|
</div>
|
|
</div>
|
|
<div class="blog-post-container">
|
|
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
|
|
<div class="blog-post">
|
|
<div class="blog-post-content">
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
<hr>
|
|
<p>Amass is an OWASP project for in-depth attack surface mapping and asset discovery using open source information gathering and active reconnaissance techniques.</p>
|
|
<hr>
|
|
<h2>Subcommands</h2>
|
|
<ul>
|
|
<li>amass intel - Discover targets for enumeration</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum - Perform subdomain enumeration</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass viz - Visualize enumeration results</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass track - Track differences between enumerations</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass db - Manage the graph database</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Intel Subcommand</h2>
|
|
<ul>
|
|
<li>amass intel -d <domain> - Basic intel gathering</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass intel -whois -d <domain> - Reverse WHOIS lookup</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass intel -org <organization> - Find ASNs by organization</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass intel -asn <asn> - Get info about an ASN</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass intel -ip <ip> - Discover domains from IP</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass intel -cidr <cidr> - Discover domains from CIDR</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Enum Subcommand - Basic</h2>
|
|
<ul>
|
|
<li>amass enum -d <domain> - Basic passive enumeration</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -passive -d <domain> - Passive only (no DNS resolution)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -active -d <domain> - Active enumeration (zone transfers, etc.)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -brute -d <domain> - Brute force subdomain enumeration</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -d <domain> -o output.txt - Save results to file</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Enum Subcommand - Advanced</h2>
|
|
<ul>
|
|
<li>amass enum -d <domain> -src - Show data sources</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -d <domain> -ip - Show IP addresses</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -d <domain> -ipv4 - Show only IPv4 addresses</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -d <domain> -ipv6 - Show only IPv6 addresses</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -d <domain> -r <resolver> - Use custom resolver</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -d <domain> -rf resolvers.txt - Use resolver file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -d <domain> -w wordlist.txt - Custom wordlist for brute</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -d <domain> -max-dns-queries 200 - Limit DNS queries/sec</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Configuration</h2>
|
|
<ul>
|
|
<li>amass enum -config config.ini -d <domain> - Use config file</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass enum -list - List all data sources</li>
|
|
</ul>
|
|
<h3>Config File Location</h3>
|
|
<ul>
|
|
<li>~/.config/amass/config.yaml - Default config location</li>
|
|
<li>~/.config/amass/datasources.yaml - Data sources config</li>
|
|
</ul>
|
|
<h3>Example datasources.yaml</h3>
|
|
<pre><code>datasources:
|
|
- name: SecurityTrails
|
|
creds:
|
|
apikey: your_api_key_here
|
|
- name: Shodan
|
|
creds:
|
|
apikey: your_api_key_here</code></pre>
|
|
<hr>
|
|
<h2>Database Operations</h2>
|
|
<ul>
|
|
<li>amass db -list - List all enumerations</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass db -d <domain> -show - Show stored data for domain</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass db -d <domain> -names - List discovered names</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass db -d <domain> -ip - Show IP addresses</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Visualization</h2>
|
|
<ul>
|
|
<li>amass viz -d <domain> -d3 - Generate D3.js visualization</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass viz -d <domain> -gexf - Generate GEXF file (Gephi)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass viz -d <domain> -graphistry - Generate Graphistry JSON</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass viz -d <domain> -maltego - Generate Maltego output</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Tracking Changes</h2>
|
|
<ul>
|
|
<li>amass track -d <domain> - Track differences between runs</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass track -d <domain> -history - Show enumeration history</li>
|
|
</ul>
|
|
<ul>
|
|
<li>amass track -d <domain> -since "2024-01-01" - Changes since date</li>
|
|
</ul>
|
|
<hr>
|
|
<h2>Common Examples</h2>
|
|
<h3>Full Passive Enumeration</h3>
|
|
<pre><code>amass enum -passive -d example.com -src -ip -o results.txt</code></pre>
|
|
<p>Passive enumeration showing sources and IPs.</p>
|
|
<h3>Aggressive Active Scan</h3>
|
|
<pre><code>amass enum -active -brute -d example.com -w wordlist.txt -o results.txt</code></pre>
|
|
<p>Active scan with brute forcing.</p>
|
|
<h3>Quick Reconnaissance</h3>
|
|
<pre><code>amass intel -whois -d example.com</code></pre>
|
|
<p>Discover related domains via WHOIS.</p>
|
|
<hr>
|
|
<h2>Tips</h2>
|
|
<ul>
|
|
<li>Use API keys in config for better results (SecurityTrails, Shodan, etc.)</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Start with passive enumeration to avoid detection</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use -src to understand where data comes from</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Combine with other tools like subfinder for comprehensive coverage</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Use custom resolvers to avoid rate limiting</li>
|
|
</ul>
|
|
<ul>
|
|
<li>The database persists data between runs for tracking</li>
|
|
</ul>
|
|
<ul>
|
|
<li>Always get authorization before scanning targets you don't own</li>
|
|
</ul>
|
|
<hr>
|
|
<p><a href="index.html">← Back to cheatsheets</a></p>
|
|
<p><a href="../index.html">← Home</a></p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<script async type="text/javascript" src="../blog/analytics.js"></script>
|
|
<script src="../theme.js"></script>
|
|
</body>
|
|
</html>
|