OWASP Amass

The first step in the ATT&CK Matrix for Enterprise is the reconnaissance phase.

The Amass tool is a perfect fit for the sub-techniques in the Search Open Technical Databases category which is part of the reconnaissance phase from the matrix above.

Here is a summary of the Amass tool from their GitHub page:

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

Information gathering techniques used by the tool are:

• APIs
• Certificates
• DNS
• Routing
• Scraping
• Web Archives
• WHOIS

To install it on an Ubuntu machine you can use this command.

snap install amass

To learn more about each sub-command, (intel|enum|viz|track|db), enter this command in the terminal window:

amass intel -h

And replace intel with the sub-command of choice. To get started with the tool you can try out the most basic tool and enumerate subdomains.

amass enum -d example.com

This will take a minute or two to run, depending on the domain, replace the example.com domain with the actual domain you want to find subdomains to.

When it has finished you will get a list all the findings, which can be visualized with this command.

amass viz -d3

This will create a html file in the same directory as the command was executed in. Look for a file called, amass.html. Open it with the command:

open amass.html

There you have a nice presentation of the findings of the domain enumeration.

To learn more about the tool I highly recommend their tutorial.

This is a great and easy tool to use and it's not only for red teams. It's always good to know your digital footprints and the potential services that might be exploited. There is almost always something interesting that turns up in the findings.

Happy searching!