Listen to this Post
Introduction
Subdomain enumeration is a critical phase in reconnaissance for bug bounty hunters and penetration testers. The Amass tool, developed by OWASP, is a powerful open-source tool for mapping attack surfaces by discovering subdomains, IPs, and ASN data. This guide dives deep into advanced Amass techniques, including ASN discovery, data source configuration, and result filtering, to maximize efficiency in security assessments.
Learning Objectives
- Learn how to use Amass in intel mode for ASN discovery.
- Configure custom data sources for enhanced subdomain enumeration.
- Filter and refine results to eliminate noise and false positives.
1. Installing and Setting Up Amass
Command (Linux/macOS):
sudo apt install amass Debian/Ubuntu brew install amass macOS
Step-by-Step Guide:
1. Install Amass using your package manager.
2. Verify installation with:
amass -version
3. Update Amass databases for the latest intelligence:
sudo amass -update
2. Discovering ASN Numbers with Intel Mode
Command:
amass intel -asn <ASN_NUMBER> -whois -d example.com
Step-by-Step Guide:
- Find the Autonomous System Number (ASN) of a target using:
amass intel -org "Company Name"
- Use the discovered ASN to map all associated subdomains:
amass intel -asn 12345 -d example.com
- Combine with `-whois` for additional domain ownership insights.
3. Configuring Data Sources for Enumeration
Command:
amass enum -config config.ini -d example.com
Step-by-Step Guide:
- Create a `config.ini` file with API keys for Shodan, VirusTotal, and PassiveDNS.
[bash] Shodan = YOUR_API_KEY VirusTotal = YOUR_API_KEY
2. Run enumeration with the config file:
amass enum -config config.ini -d example.com -o results.txt
4. Filtering Results for High-Value Targets
Command:
amass enum -d example.com -exclude ".cloudfront.net" -o filtered_results.txt
Step-by-Step Guide:
1. Exclude common CDN subdomains to reduce noise:
amass enum -d example.com -exclude ".akamai.net,.cloudflare.com"
2. Use `-active` flag for DNS resolution to confirm live hosts:
amass enum -active -d example.com
5. Automating Amass with Bash Scripting
Command:
!/bin/bash for domain in $(cat domains.txt); do amass enum -d $domain -o $domain.txt done
Step-by-Step Guide:
1. Save target domains in `domains.txt`.
2. Run the script to automate subdomain discovery.
3. Merge results:
cat .txt > final_report.txt
What Undercode Say:
- Key Takeaway 1: Amass is indispensable for bug bounty hunters, offering deep reconnaissance capabilities.
- Key Takeaway 2: Proper data source configuration drastically improves enumeration accuracy.
Analysis:
Amass outperforms traditional tools like Sublist3r by leveraging multiple OSINT sources and ASN intelligence. However, ethical hackers must avoid aggressive scanning to prevent IP blocking. Future integrations with AI-driven reconnaissance could further enhance automation.
Prediction:
As organizations expand their attack surfaces, automated subdomain discovery will become a standard in red teaming. Expect Amass integrations with Burp Suite & Nessus for seamless vulnerability assessment workflows.
For the full guide, check Mayank Kumar Prajapati’s blog: Amass Tool Deep Dive.
Tags: security bugbounty hacking pentesting
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mayank Kumar – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
