Discovering Subdomains with 'amass enum' (with examples)
The amass enum command is an integral part of the OWASP Amass project, designed to conduct in-depth DNS enumeration. It assists security professionals and researchers in discovering subdomains related to a target domain. Such enumeration is crucial in security assessments, allowing the identification of potential attack surfaces within a domain’s network.
Use case 1: Find (passively) subdomains of a domain
Code:
amass enum -d domain_name
Motivation:
Efficiently discovering subdomains of a domain can unveil hidden services and potential security weak points. Passive discovery leverages existing data without direct interaction with the domain, minimizing detection risks.
Explanation:
-d domain_name: This argument specifies the target domain for which you want to find subdomains. Amass gathers subdomain information passively by utilizing multiple data sources and search engines, ensuring a broad and inclusive discovery result while reducing noise and unnecessary interactions with the domain’s DNS infrastructure.
Example Output:
secure.domain_name.com
beta.domain_name.com
mail.domain_name.com
These results demonstrate potential subdomains associated with domain_name, which might indicate services or applications hosted by that organization.
Use case 2: Find subdomains of a domain and actively verify them attempting to resolve the found subdomains
Code:
amass enum -active -d domain_name -p 80,443,8080
Motivation:
Active verification provides a higher confidence level that the discovered subdomains are valid and currently accessible, offering tangible insights into the operational status of these domains. This can be critical in scenarios where precise network mapping is required.
Explanation:
-active: This flag instructs Amass to actively engage with the subdomains by sending queries to confirm their existence.-d domain_name: Specifies the domain of interest.-p 80,443,8080: Designates specific ports (80 for HTTP, 443 for HTTPS, and 8080 for alternative HTTP) to check for service activity at the subdomain.
Example Output:
194.67.0.1:80 domain_name.com Up
194.67.0.2:443 secure.domain_name.com Up
These results provide verified subdomains with designated open ports, indicating active services.
Use case 3: Do a brute force search for subdomains
Code:
amass enum -brute -d domain_name
Motivation:
Brute force enumeration is crucial when initial data collection is insufficient or when seeking to find less common subdomains that might not be listed in passive datasets. It attempts to uncover subdomains by trying numerous domain permutations.
Explanation:
-brute: Enables brute-force searching, deploying a dictionary of common subdomain names to identify any that exist under the specified domain.-d domain_name: Indicates the domain under analysis.
Example Output:
shop.domain_name.com
dev.domain_name.com
test.domain_name.com
This output suggests subdomains potentially missed during passive enumeration, requiring validation for further use.
Use case 4: Save the results to a text file
Code:
amass enum -o output_file -d domain_name
Motivation:
Storing results externally offers flexibility, allowing for later review, sharing with team members, or integrating into broader analysis projects.
Explanation:
-o output_file: Specifies file path where results will be saved. Organizing outputs provides structured data presentation.-d domain_name: Names the domain being enumerated.
Example Output:
The specified file will contain something akin to:
secure.domain_name.com
beta.domain_name.com
Use case 5: Save terminal output to a file and detailed output to a directory
Code:
amass enum -o output_file -dir path/to/directory -d domain_name
Motivation:
This ensures comprehensive data capture—both simplified for quick reference and detailed for in-depth analysis—supporting a varied scope of reporting needs.
Explanation:
-o output_file: Directs where the primary output should be stored.-dir path/to/directory: Saves extensive metadata within the specified directory, crucial for detailed audits.-d domain_name: The domain to target.
Example Output:
Two outputs are generated:
output_file: Contains basic enumeration results.path/to/directory: Stores detailed interaction data and context.
Use case 6: List all available data sources
Code:
amass enum -list
Motivation:
Understanding which data sources Amass utilizes can guide customization and strategic adjustment of enumeration tactics, especially for focused investigations or when troubleshooting results.
Explanation:
-list: N/A as it does not require additional parameters. It simply initiates a command that lists sources Amass taps into, revealing the backbone of its enumeration abilities.
Example Output:
SecurityTrails
Censys
BinaryEdge
...
This provides insight into the diversity of resources utilized in Amass’s subdomain discovery process.
Conclusion:
The amass enum command is a robust tool essential for professionals involved in cybersecurity and network analysis, expanding visibility into the domain’s internet footprint. From passive discovery to active verification and comprehensive result documentation, Amass offers flexible, powerful utilities for ensuring a domain’s subdomains are thoroughly understood and assessed.
