freeBuf
Amass Information Gathering Tool: Usage Guide
2022-09-26 12:05:13
Location: Beijing

The OWASP Amass project performs network mapping of attack surfaces and external asset discovery, using open source information gathering and active reconnaissance techniques.

| Technique | Data Sources |
|---|---|
| APIs | 360PassiveDNS, Ahrefs, AnubisDB, BinaryEdge, BufferOver, BuiltWith, C99, Chaos, CIRCL, Cloudflare, DNSDB, DNSRepo, Detectify, FOFA, FullHunt, GitHub, GitLab, Greynoise, HackerTarget, Hunter, IntelX, LeakIX, Maltiverse, Mnemonic, N45HT, PassiveTotal, PentestTools, Quake, Shodan, SonarSearch, Spamhaus, Spyse, Sublist3rAPI, ThreatBook, ThreatCrowd, ThreatMiner, Twitter, URLScan, VirusTotal, ZETAlytics, ZoomEye |
| Certificates | Active pulls (optional), Censys, CertSpotter, Crtsh, Digitorus, FacebookCT, GoogleCT |
| DNS | Brute forcing, Reverse DNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing |
| Routing | ARIN, BGPTools, BGPView, IPdata, IPinfo, NetworksDB, RADb, Robtex, ShadowServer, TeamCymru |
| Scraping | AbuseIPDB, Ask, Baidu, Bing, DNSDumpster, DuckDuckGo, Gists, HackerOne, HyperStat, IPv4Info, PKey, RapidDNS, Riddler, Searchcode, Searx, SiteDossier, Yahoo |
| Web Archives | ArchiveIt, Arquivo, CommonCrawl, HAW, UKWebArchive, Wayback |
| WHOIS | AlienVault, AskDNS, DNSlytics, ONYPHE, SecurityTrails, SpyOnWeb, Umbrella, WhoisXMLAPI |

Installation and usage

https://github.com/OWASP/Amass/releases

```shell
vulab@sechelper:~/amass_linux_amd64$ ./amass -version
v3.19.3
```

Enumerating domain names

```shell
amass enum -v -src -ip -brute -min-for-recursive 2 -d example.com
```

Command-line usage information

The amass tool has several subcommands, listed below, for handling your Internet exposure investigation.

| Subcommand | Description |
|---|---|
| intel | Collect open source intelligence to investigate the target organization |
| enum | Perform DNS enumeration and network mapping of systems exposed to the Internet |
| viz | Generate visualizations of enumerations for exploratory analysis |
| track | Compare enumeration results for the same target organization |
| db | Manage the graph database that stores enumeration results |

Subcommand parameters

intel

The intel subcommand helps you discover additional root domain names associated with the organization you are investigating. It uses the data sources section of the configuration file to obtain passive intelligence, such as reverse whois information.

| Flag | Description | Example |
|---|---|---|
| -active | Enable active recon methods | amass intel -active -addr 192.168.2.1-64 -p 80,443,8080 |
| -addr | IPs and ranges (192.168.1.1-254) separated by commas | amass intel -addr 192.168.2.1-64 |
| -asn | ASNs separated by commas (can be used multiple times) | amass intel -asn 13374,14618 |
| -cidr | CIDRs separated by commas (can be used multiple times) | amass intel -cidr 104.154.0.0/15 |
| -config | Path to the INI configuration file | amass intel -config config.ini |
| -d | Domain names separated by commas (can be used multiple times) | amass intel -whois -d example.com |
| -demo | Censor output to make it suitable for demonstrations | amass intel -demo -whois -d example.com |
| -df | Path to a file providing root domain names | amass intel -whois -df domains.txt |
| -dir | Path to the directory containing the graph database | amass intel -dir PATH -cidr 104.154.0.0/15 |
| -ef | Path to a file providing data sources to exclude | amass intel -whois -ef exclude.txt -d example.com |
| -exclude | Data source names separated by commas to be excluded | amass intel -whois -exclude crtsh -d example.com |
| -if | Path to a file providing data sources to include | amass intel -whois -if include.txt -d example.com |
| -include | Data source names separated by commas to be included | amass intel -whois -include crtsh -d example.com |
| -ip | Show the IP addresses for discovered names | amass intel -ip -whois -d example.com |
| -ipv4 | Show the IPv4 addresses for discovered names | amass intel -ipv4 -whois -d example.com |
| -ipv6 | Show the IPv6 addresses for discovered names | amass intel -ipv6 -whois -d example.com |
| -list | Print the names of all available data sources | amass intel -list |
| -log | Path to the log file where errors will be written | amass intel -log amass.log -whois -d example.com |
| -max-dns-queries | Maximum number of concurrent DNS queries | amass intel -max-dns-queries 200 -whois -d example.com |
| -o | Path to the text output file | amass intel -o out.txt -whois -d example.com |
| -org | Search string provided against AS description information | amass intel -org Facebook |
| -p | Ports separated by commas (default: 80, 443) | amass intel -cidr 104.154.0.0/15 -p 443,8080 |
| -r | IP addresses of preferred DNS resolvers (can be used multiple times) | amass intel -r 8.8.8.8,1.1.1.1 -whois -d example.com |
| -rf | Path to a file providing preferred DNS resolvers | amass intel -rf data/resolvers.txt -whois -d example.com |
| -src | Print data sources for the discovered names | amass intel -src -whois -d example.com |
| -timeout | Number of minutes to execute the enumeration | amass intel -timeout 30 -d example.com |
| -whois | All discovered domains are run through reverse whois | amass intel -whois -d example.com |

Reference: reverse whois lookup

enum

This subcommand performs DNS enumeration and network mapping while populating the selected graph database. All available settings in the configuration file are relevant to this subcommand. The following flags are available for configuration:

| Flag | Description | Example |
|---|---|---|
| -active | Enable active recon methods | amass enum -active -d example.com -p 80,443,8080 |
| -aw | Path to a different wordlist file for alterations | amass enum -aw PATH -d example.com |
| -bl | Blacklist of subdomain names that will not be investigated | amass enum -bl blah.example.com -d example.com |
| -blf | Path to a file providing blacklisted subdomains | amass enum -blf data/blacklist.txt -d example.com |
| -brute | Perform brute force subdomain enumeration | amass enum -brute -d example.com |
| -config | Path to the INI configuration file | amass enum -config config.ini |
| -d | Domain names separated by commas (can be used multiple times) | amass enum -d example.com |
| -demo | Censor output to make it suitable for demonstrations | amass enum -demo -d example.com |
| -df | Path to a file providing root domain names | amass enum -df domains.txt |
| -dir | Path to the directory containing the graph database | amass enum -dir PATH -d example.com |
| -ef | Path to a file providing data sources to exclude | amass enum -ef exclude.txt -d example.com |
| -exclude | Data source names separated by commas to be excluded | amass enum -exclude crtsh -d example.com |
| -if | Path to a file providing data sources to include | amass enum -if include.txt -d example.com |
| -include | Data source names separated by commas to be included | amass enum -include crtsh -d example.com |
| -ip | Show the IP addresses for discovered names | amass enum -ip -d example.com |
| -ipv4 | Show the IPv4 addresses for discovered names | amass enum -ipv4 -d example.com |
| -ipv6 | Show the IPv6 addresses for discovered names | amass enum -ipv6 -d example.com |
| -json | Path to the JSON output file | amass enum -json out.json -d example.com |
| -list | Print the names of all available data sources | amass enum -list |
| -log | Path to the log file where errors will be written | amass enum -log amass.log -d example.com |
| -max-dns-queries | Deprecated flag to be replaced by dns-qps in version 4.0 | amass enum -max-dns-queries 200 -d example.com |
| -dns-qps | Maximum number of DNS queries per second across all resolvers | amass enum -dns-qps 200 -d example.com |
| -rqps | Maximum number of DNS queries per second for each untrusted resolver | amass enum -rqps 10 -d example.com |
| -trqps | Maximum number of DNS queries per second for each trusted resolver | amass enum -trqps 20 -d example.com |
| -min-for-recursive | Subdomain labels seen before recursive brute forcing (Default: 1) | amass enum -brute -min-for-recursive 3 -d example.com |
| -max-depth | Maximum number of subdomain labels for brute forcing | amass enum -brute -max-depth 3 -d example.com |
| -nf | Path to a file providing already known subdomain names (from other tools/sources) | amass enum -nf names.txt -d example.com |
| -noalts | Disable generation of altered names | amass enum -noalts -d example.com |
| -norecursive | Turn off recursive brute forcing | amass enum -brute -norecursive -d example.com |
| -o | Path to the text output file | amass enum -o out.txt -d example.com |
| -oA | Path prefix used for naming all output files | amass enum -oA amass_scan -d example.com |
| -passive | A purely passive mode of execution | amass enum --passive -d example.com |
| -p | Ports separated by commas (default: 443) | amass enum -d example.com -p 443,8080 |
| -r | IP addresses of untrusted DNS resolvers (can be used multiple times) | amass enum -r 8.8.8.8,1.1.1.1 -d example.com |
| -tr | IP addresses of trusted DNS resolvers (can be used multiple times) | amass enum -tr 8.8.8.8,1.1.1.1 -d example.com |
| -rf | Path to a file providing untrusted DNS resolvers | amass enum -rf data/resolvers.txt -d example.com |
| -trf | Path to a file providing trusted DNS resolvers | amass enum -trf data/trusted.txt -d example.com |
| -src | Print data sources for the discovered names | amass enum -src -d example.com |
| -timeout | Number of minutes to execute the enumeration | amass enum -timeout 30 -d example.com |
| -w | Path to a different wordlist file | amass enum -brute -w wordlist.txt -d example.com |

viz

Creates insightful network graph visualizations that add structure to the information gathered. This subcommand only uses the output_directory and remote graph database settings from the configuration file.

The files generated for visualization are created in the current working directory and named amass_TYPE.

Flags for outputting DNS and infrastructure results as a network graph:

| Flag | Description | Example |
|---|---|---|
| -config | Path to the INI configuration file | amass viz -config config.ini -d3 |
| -d | Domain names separated by commas (can be used multiple times) | amass viz -d3 -d example.com |
| -d3 | Output a D3.js v4 force simulation HTML file | amass viz -d3 -d example.com |
| -df | Path to a file providing root domain names | amass viz -d3 -df domains.txt |
| -dir | Path to the directory containing the graph database | amass viz -d3 -dir PATH -d example.com |
| -enum | Identify an enumeration via an index from the db listing | amass viz -enum 1 -d3 -d example.com |
| -o | Path to a pre-existing directory that will hold output files | amass viz -d3 -o OUTPATH -d example.com |
| -oA | Prefix used for naming all output files | amass viz -d3 -oA example -d example.com |
| -gexf | Output to Graph Exchange XML Format (GEXF) | amass viz -gexf -d example.com |
| -graphistry | Output Graphistry JSON | amass viz -graphistry -d example.com |
| -i | Path to the Amass data operations JSON input file | amass viz -d3 -d example.com |
| -maltego | Output a Maltego Graph Table CSV file | amass viz -maltego -d example.com |

track

Shows the differences between enumerations that contain the same target, so that the target's attack surface can be monitored over time. This subcommand only uses the output_directory and remote graph database settings from the configuration file. Flags for performing Internet exposure monitoring across enumerations in the graph database:

| Flag | Description | Example |
|---|---|---|
| -config | Path to the INI configuration file | amass track -config config.ini |
| -d | Domain names separated by commas (can be used multiple times) | amass track -d example.com |
| -df | Path to a file providing root domain names | amass track -df domains.txt |
| -dir | Path to the directory containing the graph database | amass track -dir PATH |
| -history | Show the difference between all enumeration pairs | amass track -history |
| -last | The number of recent enumerations to include in the tracking | amass track -last NUM |
| -since | Exclude all enumerations before a specified date (format: 01/02 15:04:05 2006 MST) | amass track -since DATE |

db

Performs viewing and manipulation of the graph database. This subcommand only uses the output_directory and remote graph database settings from the configuration file. Flags for interacting with the enumeration results in the graph database include:

| Flag | Description | Example |
|---|---|---|
| -config | Path to the INI configuration file | amass db -config config.ini |
| -d | Domain names separated by commas (can be used multiple times) | amass db -d example.com |
| -demo | Censor output to make it suitable for demonstrations | amass db -demo -d example.com |
| -df | Path to a file providing root domain names | amass db -df domains.txt |
| -dir | Path to the directory containing the graph database | amass db -dir PATH |
| -enum | Identify an enumeration via an index from the listing | amass db -enum 1 -show |
| -import | Import an Amass data operations JSON file to the graph database | amass db -import PATH |
| -ip | Show the IP addresses for discovered names | amass db -show -ip -d example.com |
| -ipv4 | Show the IPv4 addresses for discovered names | amass db -show -ipv4 -d example.com |
| -ipv6 | Show the IPv6 addresses for discovered names | amass db -show -ipv6 -d example.com |
| -json | Path to the JSON output file or '-' | amass db -names -silent -json out.json -d example.com |
| -list | Print enumerations in the database and filter on domains specified | amass db -list |
| -names | Print just discovered names | amass db -names -d example.com |
| -nocolor | Disable colorized output | amass db -names -nocolor -d example.com |
| -o | Path to the text output file | amass db -names -o out.txt -d example.com |
| -show | Print the results for the enumeration index + domains provided | amass db -show |
| -silent | Disable all output during execution | amass db -names -silent -json out.json -d example.com |
| -src | Print data sources for the discovered names | amass db -show -src -d example.com |
| -summary | Print just ASN table summary | amass db -summary -d example.com |

Saving output results

Amass writes several files during an enumeration (for example, log files). If you are not using a database server to store the network graph information, Amass creates a file-based graph database in the output directory. These files are reused during future enumerations and when using features such as tracking and visualization.

By default, the output directory is created under the operating system's default location for user-specific configuration data and is named *amass*. If that does not suit your needs, the subcommands can be told to create the output directory elsewhere with the **-dir** flag.

If you decide to use an Amass configuration file, it is discovered automatically when it is placed in the output directory and named config.ini.
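To script the monitoring that the track section and the saved-output section describe, the following Python (an added example, not code from the original article or the Amass project) parses the JSON-lines file written by `amass enum -json` and reproduces the comparisons `amass track` and `amass db -summary` perform. The record layout (name, domain, addresses, tag, sources) is assumed to match Amass v3, and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample lines from two `amass enum -json` runs of the same target.
# Record layout assumed to match Amass v3 output; adjust keys if your version differs.
RUN_1 = """
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"cert","sources":["Crtsh"]}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.25","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"dns","sources":["Brute Forcing"]}
"""
RUN_2 = RUN_1 + """
{"name":"dev-api.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.7","cidr":"198.51.100.0/24","asn":64500,"desc":"SOME-CLOUD"}],"tag":"api","sources":["HackerTarget","VirusTotal"]}
"""

def parse_amass_json(text):
    """Return {fqdn: record} from Amass JSON-lines output, skipping blank or broken lines."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # an interrupted run can leave a partial last line behind
        if "name" in rec:
            records[rec["name"]] = rec
    return records

def diff_runs(old_text, new_text):
    """Mimic `amass track` for two runs: new names, vanished names, names whose IPs changed."""
    old, new = parse_amass_json(old_text), parse_amass_json(new_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    moved = {}
    for name in set(old) & set(new):
        old_ips = sorted(a["ip"] for a in old[name].get("addresses", []))
        new_ips = sorted(a["ip"] for a in new[name].get("addresses", []))
        if old_ips != new_ips:
            moved[name] = (old_ips, new_ips)
    return added, removed, moved

def asn_summary(text):
    """Mimic `amass db -summary`: number of discovered names per (ASN, description)."""
    counts = defaultdict(int)
    for rec in parse_amass_json(text).values():
        for addr in rec.get("addresses", []):
            counts[(addr["asn"], addr["desc"])] += 1
    return dict(counts)
```

A name that newly appears, or whose addresses move to an ASN you do not own, is the signal worth alerting on; feed `diff_runs` the output files of consecutive scheduled runs.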
