The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.
Information Gathering Techniques Used:
- DNS: Basic enumeration, Brute forcing (upon request), Reverse DNS sweeping, Subdomain name alterations/permutations, Zone transfers (upon request)
- Scraping: Ask, Baidu, Bing, CommonCrawl, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, HackerOne, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ViewDNS, Yahoo
- Certificates: Active pulls (upon request), Censys, CertDB, CertSpotter, Crtsh, Entrust
- APIs: AlienVault, BinaryEdge, BufferOver, CIRCL, DNSDB, HackerTarget, Mnemonic, NetworksDB, PassiveTotal, RADb, Robtex, SecurityTrails, ShadowServer, Shodan, Sublist3rAPI, TeamCymru, ThreatCrowd, Twitter, Umbrella, URLScan, VirusTotal
- Web Archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback
Use the Installation Guide to get started.
Go to the User's Guide for additional information.
This project improves thanks to all the people who contribute:
- Collaborating with the Crowd – Recapping LevelUp 0X04
- Subdomain Enumeration: 2019 Workflow
- REMOTE CODE EXECUTION ! 😜 Recon Wins
- Where You’ll Find Us: An Overview of SecurityTrails Integrations
- Web tools, or where to start a pentester?
- Tool for detailed DNS enumeration and creation of network infrastructure maps
- Top 7 Subdomain Scanner Tools: Find Subdomains in Seconds
- Cyber Talent Gap: How to Do More With Less
- My Recon Process — DNS Enumeration
- Week in OSINT #2019–16: From OSINT for pentesting, to OCR and OWASP
- Stop Using Python for Subdomain Enumeration
- My Personal OSINT Techniques, Part 1 of 2: Key & Layer, Contingency Seeding
- Subdomain Enumeration Tools – 2019 Update
- Leaked Salesforce API access token at IDEA.com
- Week in OSINT #2019–11: This time a collection of mostly tools and sites
- Bug Hunting Methodology (part-1)
- 100 ways to discover (part 1)
- Pose a Threat: How Perceptual Analysis Helps Bug Hunters
- A penetration tester’s guide to subdomain enumeration
- Abusing access control on a large online e-commerce site to register as supplier
- Black Hat Training, Making the Cloud Rain Shells!: Discovery and Recon
- Subdomains Enumeration Cheat Sheet
- Search subdomains and build graphs of network structure with Amass
- Getting started in Bug Bounty
- Source code disclosure via exposed .git folder
- Amass, the best application to search for subdomains
- Subdomain Takeover: Finding Candidates
- Paul's Security Weekly #564: Technical Segment - Bug Bounty Hunting
- The Bug Hunters Methodology v3(ish)
- Doing Recon the Correct Way
- Discovering subdomains
- Asset Discovery: Doing Reconnaissance the Hard Way
- Project Sonar: An Underrated Source of Internet-wide Data
- Top Five Ways the Red Team breached the External Perimeter