Author: Syukra

How to Use Amass on Kali Linux


Amass is one of the most popular open-source tools among cybersecurity practitioners for performing domain reconnaissance. This tool is developed by OWASP and is known to be effective for performing subdomain enumeration, network mapping, and gathering other important information. In this article, we will discuss the steps to use Amass on Kali Linux in detail.

What is Amass?

Amass is a framework designed to help collect data on target domains. This tool has the ability to:

  • Collect subdomains.
  • Find DNS (Domain Name System) footprints.
  • Perform network mapping using information obtained from various sources.

Amass supports integration with public APIs, passive discovery, and active scanning techniques, making it a very flexible tool.

Installing Amass on Kali Linux

Before you start, make sure your Kali Linux installation is up to date. Amass is usually preinstalled on recent Kali Linux releases; if it is not, install it with the following steps:

  1. Update Your System

sudo apt update && sudo apt upgrade -y

  2. Install Amass

Amass can be installed via the APT package:

sudo apt install amass

  3. Check Installation

Make sure Amass is successfully installed by running the following command:

amass -version

If the installation is successful, the installed version of Amass will be displayed.

Initial Configuration

Amass supports the use of APIs to increase the amount of data that can be retrieved. Some of the supported API services are:

  • VirusTotal
  • Shodan
  • Censys
  • PassiveTotal

To integrate the API, you need to create a configuration file:

nano ~/.config/amass/config.ini

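Add the API key of the service you want to use. The exact section names depend on the Amass version, so check the example configuration shipped with your release. The format is usually like this: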

[virustotal]
apikey = <Your VirusTotal API Key>

Save the file and proceed to the next step.

Using Amass for Data Collection

Here are some examples of Amass commands for various scenarios.

1. Subdomain Enumeration

To find subdomains of a domain, use the following command:

amass enum -d example.com

The output of this command is a list of the subdomains found.

2. Passive Mode

Passive mode relies on publicly available data without performing active scanning. The command is:

amass enum -passive -d example.com

3. Active Scanning

If you want to perform active probing, use this command:

sudo amass enum -active -d example.com

Note: Active probing sends traffic to the target's infrastructure and can trigger detection, so use it with caution and make sure you have permission to do so.

4. Output to File

To save the results to a file, add the -o flag:

amass enum -d example.com -o results.txt

Advanced Amass Features

1. Network Mapping

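Amass can be used to map the target network structure. The viz subcommand reads the results of earlier enum runs from Amass's local graph database and, with the -dot flag, writes the graph as a DOT file:

amass viz -d example.com -dot

Rendering the DOT file as an image requires Graphviz.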

2. Integration with OSINT Data

By integrating OSINT APIs, such as Shodan and Censys, Amass can provide more comprehensive results. Use the API configuration as described earlier to maximize this capability.

3. Scan Scheduling

You can schedule the enumeration process with a cron job. For example:

crontab -e

Add the following line to run Amass every day at 2am:

0 2 * * * amass enum -d example.com -o daily_results.txt
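
A scheduled run only helps if each day's results are compared with the previous ones, so the following added example (not part of the original article) reports hostnames that appear in daily_results.txt but were absent from the last run. The function names and baseline.txt are assumptions, and it expects hostnames as whitespace-separated tokens in the output file for a domain you are responsible for.

```shell
#!/bin/sh
# Added example, not from the article: report hostnames that are new since the
# previous Amass run. Function names and file names are assumptions.

# normalize DOMAIN FILE: unique lower-case hostnames under DOMAIN, one per line.
normalize() {
    [ -f "$2" ] || return 0     # a missing file counts as an empty list (first run)
    domain_re=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\./\\./g')
    tr '[:upper:]' '[:lower:]' < "$2" \
        | tr -s '[:space:]' '[\n*]' \
        | grep -E "^([a-z0-9_-]+\.)*${domain_re}\.?\$" \
        | sed 's/\.$//' \
        | LC_ALL=C sort -u
}

# new_hosts DOMAIN BASELINE TODAY: hostnames in TODAY that BASELINE lacks.
new_hosts() {
    old=$(mktemp) && new=$(mktemp) || return 1
    normalize "$1" "$2" > "$old"
    normalize "$1" "$3" > "$new"
    LC_ALL=C comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# daily_check DOMAIN BASELINE TODAY: print "NEW <host>" lines, then promote
# TODAY to BASELINE. Returns 0 if nothing is new, 3 if new hosts were reported,
# 1 if TODAY is missing (for example because the enumeration failed).
daily_check() {
    [ -f "$3" ] || return 1
    found=$(new_hosts "$1" "$2" "$3") || return 1
    cp "$3" "$2"
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found" | sed 's/^/NEW /'
    return 3
}

# Stand-alone use: sh amass_diff.sh example.com baseline.txt daily_results.txt
if [ "$#" -eq 3 ]; then
    daily_check "$@"
fi
```

Saved as amass_diff.sh (an assumed name), it can be run from cron after the enumeration entry; the non-zero exit status on new hostnames lets a wrapper decide whether to send an alert.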

Tips and Tricks

  • Use a VPN: When running Amass, especially in active mode, use a VPN to hide your IP address.
  • Be Legal: Make sure you only use Amass on domains that you own or have permission to access.
  • Optimize with API: Integrating APIs can increase the amount of information you can obtain.

Conclusion

Amass is a very useful tool for domain reconnaissance, especially in the context of security testing. With the steps above, you can easily use it on Kali Linux to collect subdomains, map networks, and identify other important information.

As a security practitioner, a deep understanding of the use of tools such as Amass can be a valuable asset to strengthen your ability to identify potential security vulnerabilities. Use them wisely and always comply with applicable ethics and laws!

That’s all for this article from Admin; hopefully it is useful. Thank you for stopping by.
