How to use the command 'amass enum' (with examples)
The ‘amass enum’ command is a tool provided by Amass, an open-source reconnaissance tool developed by OWASP. The command is used to find subdomains of a domain. It can passively discover subdomains, actively verify them by attempting to resolve the found subdomains, or perform a brute force search. The results can be saved to a text file or stored in a database.
Use case 1: Passively find subdomains of a domain
Code:
amass enum -passive -d domain_name
Motivation: In this use case, the command is used to passively find subdomains of a domain. This means that Amass will gather subdomains without sending any requests to the target domain’s infrastructure. Instead, it uses available data sources such as certificates and search engines to discover subdomains.
Explanation:
-passive: This argument enables the passive mode of subdomain enumeration.
-d domain_name: Specifies the target domain name.
Example output:
subdomain1.example.com
subdomain2.example.com
subdomain3.example.com
Use case 2: Find subdomains of a domain and actively verify them by attempting to resolve the found subdomains
Code:
amass enum -active -d domain_name -p 80,443,8080
Motivation: In this use case, the command is used to actively find and verify subdomains of a domain. Amass will send DNS resolution requests to the found subdomains in order to verify their existence. Additionally, by specifying the -p argument with a list of ports, Amass will perform port scanning on the found subdomains.
Explanation:
-active: This argument enables the active mode of subdomain enumeration.
-d domain_name: Specifies the target domain name.
-p 80,443,8080: Specifies the ports to be used for active verification and port scanning. In this example, ports 80, 443, and 8080 will be used.
Example output:
subdomain1.example.com
subdomain2.example.com
subdomain3.example.com
Use case 3: Do a brute force search for subdomains
Code:
amass enum -brute -d domain_name
Motivation: In this use case, the command is used to perform a brute force search for subdomains. Amass will generate a list of candidate subdomains by combining different words and phrases with the target domain and then check whether each candidate resolves.
Explanation:
-brute: This argument enables the brute force mode of subdomain enumeration.
-d domain_name: Specifies the target domain name.
Example output:
subdomain1.example.com
subdomain2.example.com
subdomain3.example.com
Use case 4: Save the results to a text file
Code:
amass enum -o output_file -d domain_name
Motivation: In this use case, the command is used to save the subdomain enumeration results to a text file. This can be useful for later analysis or as a backup of the discovered subdomains.
Explanation:
-o output_file: Specifies the output file where the results will be saved.
-d domain_name: Specifies the target domain name.
Example output:
The results have been saved to output_file.txt.
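The text file written by -o is most useful once it is compared with what the organisation already knows about. The following POSIX shell script is an added example (not part of this page and not code from the Amass project): it reads an Amass output file, assumed to hold one hostname per line, normalises the names, and prints every subdomain that is missing from a separate inventory file of known hosts, so that forgotten or unexpected names can be reviewed. The file names, the inventory format and the sample hostnames are constructed for the illustration.

```shell
#!/bin/sh
# Added example: compare 'amass enum -o output_file' results (assumed: one
# hostname per line) against an inventory of known hosts and report the
# subdomains Amass found that the inventory does not list.
# All sample data below is constructed for this illustration.

export LC_ALL=C   # deterministic sort order; comm requires sorted input

# Normalise a hostname list read from stdin: lowercase, strip whitespace and a
# trailing dot, drop empty lines, sort and dedupe. Writes to stdout.
normalize_hosts() {
    tr 'A-Z' 'a-z' | sed -e 's/[[:space:]]//g' -e 's/\.$//' | grep -v '^$' | sort -u
}

# Print hostnames present in the Amass output file ($1) but absent from the
# inventory file ($2). Both lists are normalised first so that case and
# trailing dots do not cause false "unknown" hits.
unknown_hosts() {
    amass_out=$1
    inventory=$2
    tmp_a=$(mktemp)
    tmp_i=$(mktemp)
    normalize_hosts < "$amass_out" > "$tmp_a"
    normalize_hosts < "$inventory" > "$tmp_i"
    comm -23 "$tmp_a" "$tmp_i"   # lines only in the first (Amass) list
    rm -f "$tmp_a" "$tmp_i"
}

# --- constructed sample input (stands in for output_file and an inventory) ---
AMASS_OUT=$(mktemp)
INVENTORY=$(mktemp)
cat > "$AMASS_OUT" <<'EOF'
www.example.com
Mail.example.com.
dev-old.example.com
www.example.com
staging.example.com
EOF
cat > "$INVENTORY" <<'EOF'
www.example.com
mail.example.com
EOF

echo "Subdomains found by Amass that are not in the asset inventory:"
unknown_hosts "$AMASS_OUT" "$INVENTORY"
# dev-old.example.com
# staging.example.com
```

In practice the first argument is the file passed to -o and the second is an export from whatever system records approved hostnames; anything the script prints is either an asset that was never registered or a name that should no longer resolve.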
Use case 5: Save the results to a database
Code:
amass enum -o output_file -dir path/to/database_directory
Motivation: In this use case, the command is used to save the subdomain enumeration results to a database. By saving the results to a database, it becomes easier to manage and query the discovered subdomains.
Explanation:
-o output_file: Specifies the output file where the results will be saved. Usually, this will be a text file containing a list of subdomains.
-dir path/to/database_directory: Specifies the directory where the database will be stored. The directory should exist prior to running the command.
Example output:
The results have been saved to the database directory: path/to/database_directory.
Conclusion:
The ‘amass enum’ command is a powerful tool for subdomain enumeration. It provides various modes of operation and options to customize the enumeration process. Whether you need to passively find subdomains, actively verify them, or perform a brute force search, Amass has got you covered. Additionally, the ability to save the results to a text file or database makes it convenient for further analysis and management.