Amass Information Gathering Tool: Usage Guide

The OWASP Amass project performs network mapping of attack surfaces and external asset discovery, using open source information gathering and active reconnaissance techniques.

Original video link

| Technique | Data Sources |
|---|---|
| APIs | 360PassiveDNS, Ahrefs, AnubisDB, BinaryEdge, BufferOver, BuiltWith, C99, Chaos, CIRCL, Cloudflare, DNSDB, DNSRepo, Detectify, FOFA, FullHunt, GitHub, GitLab, Greynoise, HackerTarget, Hunter, IntelX, LeakIX, Maltiverse, Mnemonic, N45HT, PassiveTotal, PentestTools, Quake, Shodan, SonarSearch, Spamhaus, Spyse, Sublist3rAPI, ThreatBook, ThreatCrowd, ThreatMiner, Twitter, URLScan, VirusTotal, ZETAlytics, ZoomEye |
| Certificates | Active pulls (optional), Censys, CertSpotter, Crtsh, Digitorus, FacebookCT, GoogleCT |
| DNS | Brute forcing, Reverse DNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing |
| Routing | ARIN, BGPTools, BGPView, IPdata, IPinfo, NetworksDB, RADb, Robtex, ShadowServer, TeamCymru |
| Scraping | AbuseIPDB, Ask, Baidu, Bing, DNSDumpster, DuckDuckGo, Gists, HackerOne, HyperStat, IPv4Info, PKey, RapidDNS, Riddler, Searchcode, Searx, SiteDossier, Yahoo |
| Web Archives | ArchiveIt, Arquivo, CommonCrawl, HAW, UKWebArchive, Wayback |
| WHOIS | AlienVault, AskDNS, DNSlytics, ONYPHE, SecurityTrails, SpyOnWeb, Umbrella, WhoisXMLAPI |

Installation and usage

Download a release from https://github.com/OWASP/Amass/releases, then check that the binary runs:

```
vulab@sechelper:~/amass_linux_amd64$ ./amass -version
v3.19.3
```

Enumerating a domain

```
amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com
```

Command-line usage

The amass tool has several subcommands, listed below, for carrying out an investigation of your internet exposure.

| Subcommand | Description |
|---|---|
| intel | Collect open source intelligence to investigate the target organization |
| enum | Perform DNS enumeration and network mapping of systems exposed to the Internet |
| viz | Generate visualizations of enumerations for exploratory analysis |
| track | Compare enumeration results across common target organizations |
| db | Manage the graph databases storing the enumeration results |

Subcommand flags

intel

The intel subcommand helps you discover additional root domain names associated with the organization you are investigating. This subcommand uses the data sources section of the configuration file to obtain passive intelligence, such as reverse WHOIS information.

| Flag | Description | Example |
|---|---|---|
| -active | Enable active recon methods | amass intel -active -addr 192.168.2.1-64 -p 80,443,8080 |
| -addr | IPs and ranges (192.168.1.1-254) separated by commas | amass intel -addr 192.168.2.1-64 |
| -asn | ASNs separated by commas (can be used multiple times) | amass intel -asn 13374,14618 |
| -cidr | CIDRs separated by commas (can be used multiple times) | amass intel -cidr 104.154.0.0/15 |
| -config | Path to the INI configuration file | amass intel -config config.ini |
| -d | Domain names separated by commas (can be used multiple times) | amass intel -whois -d example.com |
| -demo | Censor output to make it suitable for demonstrations | amass intel -demo -whois -d example.com |
| -df | Path to a file providing root domain names | amass intel -whois -df domains.txt |
| -dir | Path to the directory containing the graph database | amass intel -dir PATH -cidr 104.154.0.0/15 |
| -ef | Path to a file providing data sources to exclude | amass intel -whois -ef exclude.txt -d example.com |
| -exclude | Data source names separated by commas to be excluded | amass intel -whois -exclude crtsh -d example.com |
| -if | Path to a file providing data sources to include | amass intel -whois -if include.txt -d example.com |
| -include | Data source names separated by commas to be included | amass intel -whois -include crtsh -d example.com |
| -ip | Show the IP addresses for discovered names | amass intel -ip -whois -d example.com |
| -ipv4 | Show the IPv4 addresses for discovered names | amass intel -ipv4 -whois -d example.com |
| -ipv6 | Show the IPv6 addresses for discovered names | amass intel -ipv6 -whois -d example.com |
| -list | Print the names of all available data sources | amass intel -list |
| -log | Path to the log file where errors will be written | amass intel -log amass.log -whois -d example.com |
| -max-dns-queries | Maximum number of concurrent DNS queries | amass intel -max-dns-queries 200 -whois -d example.com |
| -o | Path to the text output file | amass intel -o out.txt -whois -d example.com |
| -org | Search string provided against AS description information | amass intel -org Facebook |
| -p | Ports separated by commas (default: 80, 443) | amass intel -cidr 104.154.0.0/15 -p 443,8080 |
| -r | IP addresses of preferred DNS resolvers (can be used multiple times) | amass intel -r 8.8.8.8,1.1.1.1 -whois -d example.com |
| -rf | Path to a file providing preferred DNS resolvers | amass intel -rf data/resolvers.txt -whois -d example.com |
| -src | Print data sources for the discovered names | amass intel -src -whois -d example.com |
| -timeout | Number of minutes to execute the enumeration | amass intel -timeout 30 -d example.com |
| -whois | All discovered domains are run through reverse whois | amass intel -whois -d example.com |

Reference: reverse WHOIS lookup

enum

This subcommand performs DNS enumeration and network mapping while populating the selected graph database. All settings available in the configuration file are relevant to this subcommand. The following flags can be used to configure it:

| Flag | Description | Example |
|---|---|---|
| -active | Enable active recon methods | amass enum -active -d example.com -p 80,443,8080 |
| -aw | Path to a different wordlist file for alterations | amass enum -aw PATH -d example.com |
| -bl | Blacklist of subdomain names that will not be investigated | amass enum -bl blah.example.com -d example.com |
| -blf | Path to a file providing blacklisted subdomains | amass enum -blf data/blacklist.txt -d example.com |
| -brute | Perform brute force subdomain enumeration | amass enum -brute -d example.com |
| -config | Path to the INI configuration file | amass enum -config config.ini |
| -d | Domain names separated by commas (can be used multiple times) | amass enum -d example.com |
| -demo | Censor output to make it suitable for demonstrations | amass enum -demo -d example.com |
| -df | Path to a file providing root domain names | amass enum -df domains.txt |
| -dir | Path to the directory containing the graph database | amass enum -dir PATH -d example.com |
| -ef | Path to a file providing data sources to exclude | amass enum -ef exclude.txt -d example.com |
| -exclude | Data source names separated by commas to be excluded | amass enum -exclude crtsh -d example.com |
| -if | Path to a file providing data sources to include | amass enum -if include.txt -d example.com |
| -include | Data source names separated by commas to be included | amass enum -include crtsh -d example.com |
| -ip | Show the IP addresses for discovered names | amass enum -ip -d example.com |
| -ipv4 | Show the IPv4 addresses for discovered names | amass enum -ipv4 -d example.com |
| -ipv6 | Show the IPv6 addresses for discovered names | amass enum -ipv6 -d example.com |
| -json | Path to the JSON output file | amass enum -json out.json -d example.com |
| -list | Print the names of all available data sources | amass enum -list |
| -log | Path to the log file where errors will be written | amass enum -log amass.log -d example.com |
| -max-dns-queries | Deprecated flag to be replaced by dns-qps in version 4.0 | amass enum -max-dns-queries 200 -d example.com |
| -dns-qps | Maximum number of DNS queries per second across all resolvers | amass enum -dns-qps 200 -d example.com |
| -rqps | Maximum number of DNS queries per second for each untrusted resolver | amass enum -rqps 10 -d example.com |
| -trqps | Maximum number of DNS queries per second for each trusted resolver | amass enum -trqps 20 -d example.com |
| -min-for-recursive | Subdomain labels seen before recursive brute forcing (Default: 1) | amass enum -brute -min-for-recursive 3 -d example.com |
| -max-depth | Maximum number of subdomain labels for brute forcing | amass enum -brute -max-depth 3 -d example.com |
| -nf | Path to a file providing already known subdomain names (from other tools/sources) | amass enum -nf names.txt -d example.com |
| -noalts | Disable generation of altered names | amass enum -noalts -d example.com |
| -norecursive | Turn off recursive brute forcing | amass enum -brute -norecursive -d example.com |
| -o | Path to the text output file | amass enum -o out.txt -d example.com |
| -oA | Path prefix used for naming all output files | amass enum -oA amass_scan -d example.com |
| -passive | A purely passive mode of execution | amass enum --passive -d example.com |
| -p | Ports separated by commas (default: 443) | amass enum -d example.com -p 443,8080 |
| -r | IP addresses of untrusted DNS resolvers (can be used multiple times) | amass enum -r 8.8.8.8,1.1.1.1 -d example.com |
| -tr | IP addresses of trusted DNS resolvers (can be used multiple times) | amass enum -tr 8.8.8.8,1.1.1.1 -d example.com |
| -rf | Path to a file providing untrusted DNS resolvers | amass enum -rf data/resolvers.txt -d example.com |
| -trf | Path to a file providing trusted DNS resolvers | amass enum -trf data/trusted.txt -d example.com |
| -src | Print data sources for the discovered names | amass enum -src -d example.com |
| -timeout | Number of minutes to execute the enumeration | amass enum -timeout 30 -d example.com |
| -w | Path to a different wordlist file | amass enum -brute -w wordlist.txt -d example.com |

viz

Create insightful network graph visualizations that add structure to the information gathered. This subcommand only uses the output_directory and remote graph database settings from the configuration file.

The files generated for visualization are created in the current working directory and named amass_TYPE.

Switches for outputting the DNS and infrastructure results as a network graph:

| Flag | Description | Example |
|---|---|---|
| -config | Path to the INI configuration file | amass viz -config config.ini -d3 |
| -d | Domain names separated by commas (can be used multiple times) | amass viz -d3 -d example.com |
| -d3 | Output a D3.js v4 force simulation HTML file | amass viz -d3 -d example.com |
| -df | Path to a file providing root domain names | amass viz -d3 -df domains.txt |
| -dir | Path to the directory containing the graph database | amass viz -d3 -dir PATH -d example.com |
| -enum | Identify an enumeration via an index from the db listing | amass viz -enum 1 -d3 -d example.com |
| -o | Path to a pre-existing directory that will hold output files | amass viz -d3 -o OUTPATH -d example.com |
| -oA | Prefix used for naming all output files | amass viz -d3 -oA example -d example.com |
| -gexf | Output to Graph Exchange XML Format (GEXF) | amass viz -gexf -d example.com |
| -graphistry | Output Graphistry JSON | amass viz -graphistry -d example.com |
| -i | Path to the Amass data operations JSON input file | amass viz -d3 -d example.com |
| -maltego | Output a Maltego Graph Table CSV file | amass viz -maltego -d example.com |

track

Show the differences between enumerations that contain the same targets, in order to monitor a target's attack surface. This subcommand only uses the output_directory and remote graph database settings from the configuration file. Flags for performing Internet exposure monitoring across the enumerations in the graph database:

| Flag | Description | Example |
|---|---|---|
| -config | Path to the INI configuration file | amass track -config config.ini |
| -d | Domain names separated by commas (can be used multiple times) | amass track -d example.com |
| -df | Path to a file providing root domain names | amass track -df domains.txt |
| -dir | Path to the directory containing the graph database | amass track -dir PATH |
| -history | Show the difference between all enumeration pairs | amass track -history |
| -last | The number of recent enumerations to include in the tracking | amass track -last NUM |
| -since | Exclude all enumerations before a specified date (format: 01/02 15:04:05 2006 MST) | amass track -since DATE |

db

View and manipulate the graph database. This subcommand only uses the output_directory and remote graph database settings from the configuration file. Flags for interacting with the enumeration results in the graph database include:

| Flag | Description | Example |
|---|---|---|
| -config | Path to the INI configuration file | amass db -config config.ini |
| -d | Domain names separated by commas (can be used multiple times) | amass db -d example.com |
| -demo | Censor output to make it suitable for demonstrations | amass db -demo -d example.com |
| -df | Path to a file providing root domain names | amass db -df domains.txt |
| -dir | Path to the directory containing the graph database | amass db -dir PATH |
| -enum | Identify an enumeration via an index from the listing | amass db -enum 1 -show |
| -import | Import an Amass data operations JSON file to the graph database | amass db -import PATH |
| -ip | Show the IP addresses for discovered names | amass db -show -ip -d example.com |
| -ipv4 | Show the IPv4 addresses for discovered names | amass db -show -ipv4 -d example.com |
| -ipv6 | Show the IPv6 addresses for discovered names | amass db -show -ipv6 -d example.com |
| -json | Path to the JSON output file or '-' | amass db -names -silent -json out.json -d example.com |
| -list | Print enumerations in the database and filter on domains specified | amass db -list |
| -names | Print just discovered names | amass db -names -d example.com |
| -nocolor | Disable colorized output | amass db -names -nocolor -d example.com |
| -o | Path to the text output file | amass db -names -o out.txt -d example.com |
| -show | Print the results for the enumeration index + domains provided | amass db -show |
| -silent | Disable all output during execution | amass db -names -silent -json out.json -d example.com |
| -src | Print data sources for the discovered names | amass db -show -src -d example.com |
| -summary | Print just ASN table summary | amass db -summary -d example.com |

Saving the output

Amass writes several files during an enumeration (for example, the log file). If you are not using a database server to store the network graph information, Amass creates a file-based graph database in the output directory. These files are reused during future enumerations and when using features such as tracking and visualization.

By default, the output directory is created in the operating system's default root directory for user-specific configuration data and is named *amass*. If this does not suit your needs, the subcommands can be instructed to create the output directory elsewhere with the **-dir** flag.

If you decide to use an Amass configuration file, it is discovered automatically when placed in the output directory and named config.ini.
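As an added example (not code from the Amass project), the following Python script post-processes the line-delimited JSON written by `amass enum -json out.json`, reproducing two of the tasks the guide assigns to `amass track` and `amass db -summary`: listing names that appeared or disappeared between two runs, and counting discovered names per ASN. The sample records are constructed here, and the field names (`name`, `addresses`, `asn`, `desc`, `sources`) are an assumption about the v3.x output format rather than something stated on this page.

```python
import json
from collections import Counter

# Constructed sample lines in the one-record-per-line JSON shape written by
# `amass enum -json out.json` (v3.x; field names are assumed, not from the page).
PREVIOUS_RUN = """\
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64500,"desc":"EXAMPLE-NET"}],"tag":"cert","sources":["Crtsh"]}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.25","cidr":"203.0.113.0/24","asn":64500,"desc":"EXAMPLE-NET"}],"tag":"dns","sources":["Brute Forcing"]}
"""
CURRENT_RUN = """\
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64500,"desc":"EXAMPLE-NET"}],"tag":"cert","sources":["Crtsh","VirusTotal"]}
{"name":"dev.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.7","cidr":"198.51.100.0/24","asn":64501,"desc":"CLOUD-HOST"}],"tag":"api","sources":["BufferOver"]}
{"name":"staging.example.com","domain":"example.com","addresses":[],"tag":"alt","sources":["Alterations"]}
"""

def load_amass_json(text):
    """Parse one Amass JSON record per line into a dict keyed by name; skip blank lines."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        records[rec["name"]] = rec
    return records

def diff_runs(previous, current):
    """Names that appeared or disappeared between two enumerations (what `amass track` reports)."""
    prev, cur = load_amass_json(previous), load_amass_json(current)
    return {"new": sorted(set(cur) - set(prev)),
            "removed": sorted(set(prev) - set(cur))}

def asn_summary(text):
    """Count discovered names per (ASN, description), similar to `amass db -summary`."""
    counts = Counter()
    for rec in load_amass_json(text).values():
        for addr in rec.get("addresses", []):
            counts[(addr["asn"], addr["desc"])] += 1
    return dict(counts)

def unresolved_names(text):
    """Names with no address: re-check these before treating them as live assets."""
    return sorted(n for n, r in load_amass_json(text).items() if not r.get("addresses"))

if __name__ == "__main__":
    print(diff_runs(PREVIOUS_RUN, CURRENT_RUN))
    print(asn_summary(CURRENT_RUN))
    print(unresolved_names(CURRENT_RUN))
```

A name that shows up in `new` with an ASN you do not own is the case worth triaging first, since it usually means either a new third-party dependency or an unexpected record under your domain.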
