How to Use the Command 'amass intel' (with Examples)

The amass intel command is part of the Amass suite, a powerful tool for open-source intelligence (OSINT) gathering. It is widely used in cybersecurity to collect a variety of intelligence about networked systems, such as root domains and Autonomous System Numbers (ASNs). Amass leverages information from different data sources, both public and private, to create a comprehensive dossier on a target organization or entity. This command can be vital for security professionals looking to conduct reconnaissance, as it helps identify assets that may not be immediately visible. Below, we illustrate several use cases that showcase the versatility and power of amass intel.

Use case 1: Find root domains in an IP address range

Code:

amass intel -addr 192.168.0.1-254

Motivation: Knowing the root domains associated with a specific IP address range is crucial for network administrators and cybersecurity analysts. It allows them to understand which domains are hosted within a particular range, potentially identifying misconfigured or unauthorized sites. This intelligence helps in securing networks and ensuring compliance with organizational policies.

Explanation:

• amass: Invokes the Amass tool.
• intel: Subcommand used for the intelligence gathering aspects within Amass.
• -addr: Specifies the IP address range to be analyzed.
• 192.168.0.1-254: The range of IP addresses to be scanned for associated root domains.

Example output:

Found root domains:
- example1.com
- example2.org
- example3.net

Use case 2: Use active recon methods

Code:

amass intel -active -addr 192.168.0.1-254

Motivation: Active reconnaissance involves directly interacting with target systems in ways that might not be passive or stealthy. This can allow for a more exhaustive exploration of systems, discovering assets that might be missed during passive reconnaissance. It’s ideal for detailed analysis and when the security posture of the network allows for direct probing.

Explanation:

• -active: Enables active reconnaissance methods which may include direct DNS requests and probing the network.
• The rest of the command remains as previously explained for capturing the IP range.

Example output:

Active recon found additional domains:
- additional1.com (extra insight)
- additional2.org (not visible in passive recon)

Use case 3: Find root domains related to a domain

Code:

amass intel -whois -d domain_name

Motivation: Domain administrators and cybersecurity professionals often need to identify all root domains that are linked to a particular domain for security audits or compliance checks. Discovering affiliated domains can highlight potential threats from similar or spoofed domains, providing a fuller understanding of the domain ecosystem.

Explanation:

• -whois: Utilizes WHOIS data to find related domains.
• -d: Specifies the target domain name to query.

Example output:

Domains related to 'domain_name':
- domain_name.com
- domain_alias.com
- sub_domain.domain_name.com

Use case 4: Find ASNs belonging to an organization

Code:

amass intel -org organisation_name

Motivation: Understanding which ASNs an organization controls is essential for network management, threat intelligence, and ensuring alignment with regulatory standards. ASNs reveal a lot about how an organization’s internet traffic is routed and can expose potential network vulnerabilities.

Explanation:

• -org: Specifies the target organization’s name to search for related ASNs.

Example output:

ASNs for organisation_name:
- 12345 (ASN of main data center)
- 67890 (regional office ASN)

Use case 5: Find root domains belonging to a given Autonomous System Number

Code:

amass intel -asn asn

Motivation: Associating root domains with a specific ASN can provide insight into the assets managed within that network. This information can be useful for mapping out the digital footprint of an ASN, which is particularly beneficial in cybersecurity incident investigations.

Explanation:

• -asn: Specifies the Autonomous System Number to query against.

Example output:

Root domains for ASN 12345:
- corpnetwork.net
- businesshub.org

Use case 6: Save results to a text file

Code:

amass intel -o output_file -whois -d domain_name

Motivation: Saving results to a text file is helpful for record-keeping or further analysis. It allows security teams to document findings, share insights with stakeholders, and maintain audit trails for compliance purposes.

Explanation:

• -o: Specifies the file path where results should be stored.
• The WHOIS and domain options work similarly as previously described.

Example output (saved to output_file):

Results for domain_name stored in output_file.

Use case 7: List all available data sources

Code:

amass intel -list

Motivation: Knowing the data sources available for intelligence gathering is critical for assessing the thoroughness of your information gathering efforts. It helps in auditing and selecting the most relevant sources for a given operation, ensuring that the data is reliable and comprehensive.

Explanation:

• -list: Lists all data sources that Amass can utilize for gathering intelligence.

Example output:

Data sources:
1. Rapid7
2. Shodan 
3. DNS DB
...

Conclusion

The amass intel command offers a diverse range of features that bolster OSINT capabilities, making it an invaluable tool for cybersecurity practitioners. Whether you’re mapping domain associations, identifying network infrastructure, or conducting active reconnaissance, Amass provides the resources necessary to gather critical intelligence efficiently. Understanding these use cases allows professionals to tailor their reconnaissance efforts to meet specific needs, ensuring a robust security posture.