The OWASP Amass project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
Technique | Data Sources |
---|---|
APIs | 360PassiveDNS, Ahrefs, AnubisDB, BinaryEdge, BufferOver, BuiltWith, C99, Chaos, CIRCL, Cloudflare, DNSDB, DNSRepo, Detectify, FOFA, FullHunt, GitHub, GitLab, Greynoise, HackerTarget, Hunter, IntelX, LeakIX, Maltiverse, Mnemonic, N45HT, PassiveTotal, PentestTools, Quake, Shodan, SonarSearch, Spamhaus, Spyse, Sublist3rAPI, ThreatBook, ThreatCrowd, ThreatMiner, Twitter, URLScan, VirusTotal, ZETAlytics, ZoomEye |
Certificates | Active pulls (optional), Censys, CertSpotter, Crtsh, Digitorus, FacebookCT, GoogleCT |
DNS | Brute forcing, Reverse DNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing |
Routing | ARIN, BGPTools, BGPView, IPdata, IPinfo, NetworksDB, RADb, Robtex, ShadowServer, TeamCymru |
Scraping | AbuseIPDB, Ask, Baidu, Bing, DNSDumpster, DuckDuckGo, Gists, HackerOne, HyperStat, IPv4Info, PKey, RapidDNS, Riddler, Searchcode, Searx, SiteDossier, Yahoo |
Web Archives | ArchiveIt, Arquivo, CommonCrawl, HAW, UKWebArchive, Wayback |
WHOIS | AlienVault, AskDNS, DNSlytics, ONYPHE, SecurityTrails, SpyOnWeb, Umbrella, WhoisXMLAPI |
Installation and usage
https://github.com/OWASP/Amass/releases
```text
vulab@sechelper:~/amass_linux_amd64$ ./amass -version
v3.19.3
```
Enumerating domains
```shell
amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com
```
Command-line usage
Amass has several subcommands, listed below, that handle your investigation of Internet exposure.
Subcommand | Description |
---|---|
intel | Collect open source intelligence for investigating the target organization |
enum | Perform DNS enumeration and network mapping of systems exposed to the Internet |
viz | Generate visualizations of enumerations for exploratory analysis |
track | Compare enumeration results for a common target organization |
db | Manage the graph database that stores enumeration results |
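As an added example (not code from the Amass project), the following Python turns the text printed by the `amass enum -src -ip` command shown above into an asset inventory and compares two runs, the kind of change tracking the `track` subcommand performs. The line format it expects (`[Source]  host  ip1,ip2`) and the sample output are assumptions, not taken from this page.

```python
"""Parse `amass enum -src -ip` output into an inventory and diff two runs.
Assumed line format (not from this page): "[Source]   host.example.com 192.0.2.10,192.0.2.11";
the source tag exists only with -src, the IP list only with -ip, other lines are skipped."""
import re

LINE_RE = re.compile(
    r"^(?:\[(?P<src>[^\]]+)\]\s+)?"           # optional "[Source]" tag (-src)
    r"(?P<name>[A-Za-z0-9._-]+)"              # the FQDN
    r"(?:\s+(?P<ips>[0-9a-fA-F.:,]+))?\s*$"   # optional IPv4/IPv6 list (-ip)
)

def parse_enum_output(text: str) -> dict:
    """Map each FQDN to the sources that reported it and the IPs it resolved to."""
    assets = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # banner or summary line, not a result
            continue
        name = m.group("name").lower().rstrip(".")
        entry = assets.setdefault(name, {"sources": set(), "ips": set()})
        if m.group("src"):
            entry["sources"].add(m.group("src").strip())
        if m.group("ips"):
            entry["ips"].update(ip for ip in m.group("ips").split(",") if ip)
    return assets

def diff_runs(old: dict, new: dict) -> dict:
    """Hosts that appeared, disappeared, or changed IPs between two enumerations."""
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "ip_changed": sorted(n for n in both if old[n]["ips"] != new[n]["ips"]),
    }

# Constructed sample output of two runs against the same domain (not real results).
RUN_1 = """\
[Crtsh]             www.example.com 192.0.2.10
[Forward DNS]       www.example.com 192.0.2.10
[Forward DNS]       mail.example.com 192.0.2.20
"""
RUN_2 = """\
[Crtsh]             www.example.com 192.0.2.10,192.0.2.11
[Brute Forcing]     dev.example.com 198.51.100.5
2 names discovered - cert: 1, brute: 1
"""
```

Running `diff_runs(parse_enum_output(RUN_1), parse_enum_output(RUN_2))` reports `dev.example.com` as newly exposed, `mail.example.com` as gone, and `www.example.com` as having gained an address.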
Subcommand arguments
intel
The intel subcommand helps you discover additional root domain names associated with the organization you are investigating. It uses the data sources section of the configuration file to obtain passive intelligence, such as reverse whois information.
Flag | Description | Example |
---|---|---|
-active | Enable active recon methods | amass intel -active -addr 192.168.2.1-64 -p 80,443,8080 |
-addr | IPs and ranges (192.168.1.1-254) separated by commas | amass intel -addr 192.168.2.1-64 |
-asn | ASNs separated by commas (can be used multiple times) | amass intel -asn 13374,14618 |
-cidr | CIDRs separated by commas (can be used multiple times) | amass intel -cidr 104.154.0.0/15 |
-config | Path to the INI configuration file | amass intel -config config.ini |
-d | Domain names separated by commas (can be used multiple times) | amass intel -whois -d example.com |
-demo | Censor output to make it suitable for demonstrations | amass intel -demo -whois -d example.com |
-df | Path to a file providing root domain names | amass intel -whois -df domains.txt |
-dir | Path to the directory containing the graph database | amass intel -dir PATH -cidr 104.154.0.0/15 |
-ef | Path to a file providing data sources to exclude | amass intel -whois -ef exclude.txt -d example.com |
-exclude | Data source names separated by commas to be excluded | amass intel -whois -exclude crtsh -d example.com |
-if | Path to a file providing data sources |