# amass

## Basic Usage

A common subdomain enumeration command:

`amass enum -v -src -ip -brute -min-for-recursive 2 -oA amass_results -d burmat.co,example.com`

* `-src` will print data sources for discovered names
* `-ip` will print the corresponding IP address
* `-brute` will perform a brute-force subdomain check
* `-min-for-recursive` is the number of subdomain levels seen before recursive brute-forcing (default is `1`)

The amass "database" file is located here, in case you want to clear it out:

* `~/.config/amass/amass.json`

User Guide:

[OWASP/Amass](https://github.com/OWASP/Amass/blob/master/doc/user_guide.md)

## Comparing Discovered Subdomains to Existing IP Scope

The client provided the domains they wanted subdomains discovered for, along with the ~9K IPs that made up the IP scope.

* `amass enum -v -src -ip -brute -min-for-recursive 2 -oA amass_results -d burmat.co,example.com,target.net`

You can get a rough idea of the hosts with:

* `cat amass_results.json | jq '.name, .addresses[] .ip'`

But because many of these hosts were already in scope for the assessment (defined in the IP scope of 9K hosts), I used the following Python code to parse out the IP addresses that were NOT in the defined scope and write those subdomains to a new file:

{% code overflow="wrap" %}

```python
# - data.json is the output from amass (you have to comma-separate the lines and surround them with [])
# - for each entry, grab the associated IP addresses
# - check to see if the IP address is already listed in our IP scope
# - if it is NOT, echo out the hostname so we scan it
import json

# read the scope file (one IP per line) once into a set so each lookup is an
# exact match; a substring search would wrongly treat 10.0.0.1 as covered
# by a scope line of 10.0.0.10
with open('ip_scope.txt', 'r') as s:
    scope = {line.strip() for line in s if line.strip()}

with open('data.json') as f:
    data = json.load(f)

for d in data:
    subdomain = d['name']
    ips = d['addresses']
    for i in ips:
        if i['ip'] not in scope:
            print(subdomain)
```

{% endcode %}

(make sure you de-dupe the resulting subdomain list)
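As an added example (not the page's own code) that goes a bit beyond the snippet above: it reads the amass JSON output as one object per line, so the file does not need to be hand-edited into a JSON array; it treats each scope line as either a single IP or a CIDR range using the standard `ipaddress` module; and it de-duplicates the result. The sample amass output and scope file contents are constructed, and the file names in `compare_files` are assumptions.

```python
# Added example: find amass-discovered hosts whose IPs fall outside an IP scope.
# Assumptions (not from the original page): the amass JSON output is one JSON
# object per line, and the scope file holds one IP address or CIDR per line.
import ipaddress
import json

# Constructed sample of amass JSON output, one object per line.
SAMPLE_AMASS_JSONL = """\
{"name": "www.example.com", "domain": "example.com", "addresses": [{"ip": "192.0.2.10", "cidr": "192.0.2.0/24"}]}
{"name": "dev.example.com", "domain": "example.com", "addresses": [{"ip": "198.51.100.7", "cidr": "198.51.100.0/24"}]}
{"name": "vpn.example.com", "domain": "example.com", "addresses": [{"ip": "192.0.2.100"}, {"ip": "203.0.113.5"}]}
{"name": "old.example.com", "domain": "example.com", "addresses": []}
"""

# Constructed sample scope: one CIDR block plus one single host.
# Note 198.51.100.70 is in scope but 198.51.100.7 is not; a naive substring
# search on the scope file would confuse the two.
SAMPLE_SCOPE = """\
192.0.2.0/24
# comment lines and blank lines are ignored
198.51.100.70
"""


def load_scope(text):
    """Parse scope lines into ip_network objects; bare hosts become /32 (or /128)."""
    networks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def in_scope(ip, networks):
    """True if the address is contained in any scope network (exact containment)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def out_of_scope_hosts(jsonl_text, networks):
    """Map each subdomain with at least one out-of-scope address to its
    sorted, de-duplicated list of out-of-scope IPs."""
    results = {}
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        name = entry["name"]
        for addr in entry.get("addresses", []):
            ip = addr["ip"]
            if not in_scope(ip, networks):
                results.setdefault(name, set()).add(ip)
    return {name: sorted(ips) for name, ips in sorted(results.items())}


def compare_files(amass_json_path="amass_results.json", scope_path="ip_scope.txt"):
    """File-based entry point; the default file names are assumptions."""
    with open(scope_path) as s:
        networks = load_scope(s.read())
    with open(amass_json_path) as f:
        return out_of_scope_hosts(f.read(), networks)


if __name__ == "__main__":
    # Run against the constructed samples; print one hostname per line so the
    # output can be fed straight into another tool.
    for host, ips in out_of_scope_hosts(SAMPLE_AMASS_JSONL, load_scope(SAMPLE_SCOPE)).items():
        print(f"{host}  # out-of-scope: {', '.join(ips)}")
```

With the constructed samples, `www.example.com` and the first address of `vpn.example.com` fall inside `192.0.2.0/24`, `old.example.com` has no addresses and is skipped, and only `dev.example.com` and `vpn.example.com` are reported. Because the output is keyed by hostname, no separate de-dupe pass is needed.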

## Chaining Tools via File Output

We can write the results to a text file with the `-o` flag. This is useful because we can keep the information for later and feed the file into other tools and scripts.

We are going to use Docker's `-v` switch to share the `/shared` directory between the host and the container, so anything we store in `/shared` will still be accessible after the Docker container has finished running:

```sh
amass -o /shared/results_subdomains_amass.txt -d burmat.co
```

We can now view the contents of the text file with `cat`, even though the Docker container that ran amass is no longer running.

```sh
cat /shared/results_subdomains_amass.txt
```
