How to use the command "amass intel" (with examples)
The “amass intel” command is a powerful tool in the Amass tool suite used for collecting open source intelligence on an organization. It allows users to find root domains, Autonomous System Numbers (ASNs), and other valuable information related to a target organization or IP address range. This article will provide examples of various use cases for the “amass intel” command.
Use case 1: Find root domains in an IP address range
Code:
amass intel -addr 192.168.0.1-254
Motivation: By searching for root domains in a specific IP address range, you can discover additional domains that may be associated with a target organization. This can help to expand your knowledge of their online presence and potential attack vectors.
Explanation: The “-addr” flag specifies the IP address range to search for root domains. In this example, we are searching for root domains in the IP address range from 192.168.0.1 to 192.168.0.254.
Example output:
example.com
subdomain.example.com
test.example.com
Use case 2: Use active recon methods
Code:
amass intel -active -addr 192.168.0.1-254
Motivation: Active reconnaissance methods allow you to gather more accurate and up-to-date information about a target organization. By using active recon methods with the “amass intel” command, you can perform active DNS enumeration and improve the quality of your intelligence.
Explanation: The “-active” flag enables active reconnaissance methods. In conjunction with the “-addr” flag, the command will perform active DNS enumeration in the specified IP address range.
Example output:
example.com
subdomain.example.com
test.example.com
Use case 3: Find root domains related to a domain
Code:
amass intel -whois -d domain_name
Motivation: When targeting a specific domain, it can be valuable to find additional root domains that may be related to it. By utilizing the “amass intel” command with the “-whois” flag, you can discover these associated root domains.
Explanation: The “-whois” flag enables conducting a WHOIS lookup on the specified domain name (“-d” flag). This allows the command to gather additional information about the domain and find other related root domains.
Example output:
example.com
subdomain.example.com
test.example.com
Use case 4: Find ASNs belonging to an organization
Code:
amass intel -org organization_name
Motivation: Autonomous System Numbers (ASNs) are valuable pieces of information when assessing an organization’s internet infrastructure. By using the “amass intel” command with the “-org” flag, you can discover the ASNs belonging to a specific organization.
Explanation: The “-org” flag specifies the name of the target organization. The command will then search for ASNs associated with that organization.
Example output:
AS1234
AS5678
AS9012
Use case 5: Find root domains belonging to a given ASN
Code:
amass intel -asn asn
Motivation: If you have identified a specific Autonomous System Number (ASN) that is of interest, you can use the “amass intel” command with the “-asn” flag to find root domains associated with that ASN. This can help you understand the organization’s online presence and possible attack vectors.
Explanation: The “-asn” flag specifies the target Autonomous System Number. The command will search for root domains belonging to the specified ASN.
Example output:
example.com
subdomain.example.com
test.example.com
Use case 6: Save results to a text file
Code:
amass intel -o output_file -whois -d domain_name
Motivation: Saving the results of the “amass intel” command to a text file allows for further analysis and offline reviewing. By using the “-o” flag to specify an output file, you can easily store the gathered intelligence for later use.
Explanation: The “-o” flag specifies the output file where the results will be saved. In this example, the “-whois” flag and the “-d” flag (which specifies the target domain name) are also used, so the root domains related to that domain are what gets saved.
Example output: The results of this command will be saved in the specified output file.
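One way to do the "further analysis" on the saved file when the organization being inventoried is your own: compare it against a list of domains you already track and print the ones nobody has on record. This is an added example, not part of the original article or of Amass; it assumes the output file holds one domain name per line, and the inventory file name and its format are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the file written by
#   amass intel -o output_file -whois -d domain_name
# holds one domain name per line; inventory file name and format are hypothetical.

# normalize FILE: lowercase, strip CR/whitespace/trailing dot, drop blanks
# and "#" comments, de-duplicate.
normalize() {
  tr -d '\r' < "$1" | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' \
    | grep -v -e '^$' -e '^#' | sort -u
}

# unknown_domains RESULTS INVENTORY: print names from RESULTS that are neither
# an inventoried domain nor a subdomain of one. Matching walks up one DNS
# label at a time, so "notexample.com" is not covered by "example.com".
unknown_domains() {
  { normalize "$2" | sed 's/^/I /'; normalize "$1" | sed 's/^/R /'; } | awk '
    $1 == "I" { known[$2] = 1; next }     # inventory lines arrive first
    {
      name = $2; covered = 0
      while (1) {
        if (name in known) { covered = 1; break }
        dot = index(name, ".")
        if (dot == 0) break
        name = substr(name, dot + 1)      # drop the leftmost label
      }
      if (!covered) print $2
    }'
}

# demo: run the comparison on constructed sample data (not real amass output).
demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' 'example.com' 'Subdomain.Example.com.' 'notexample.com' \
    'example.net' 'example.net' > "$dir/output_file"
  printf 'test.example.com\r\n' >> "$dir/output_file"
  printf '%s\n' '# approved root domains' 'example.com' > "$dir/inventory.txt"
  unknown_domains "$dir/output_file" "$dir/inventory.txt"
  rm -rf "$dir"
}

demo   # prints example.net and notexample.com
```

Names that come back from this comparison are candidates for review, not confirmed assets: WHOIS-based association can return domains that only share a registrant detail.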
Conclusion:
The “amass intel” command is a versatile tool for collecting open source intelligence on organizations. By leveraging its various flags and arguments, you can easily find root domains, ASNs, and other valuable information related to a target. Whether you are performing reconnaissance or conducting security assessments, the “amass intel” command is an essential part of your toolkit.