Hi Underc0ders,
This time I am going to present a subdomain enumeration tool that has some interesting features setting it apart from the rest.
The tool in question is Amass (https://github.com/caffix/amass)
(https://i.imgur.com/ed0soTt.png)
The tool can be installed as described in the project's readme; you can't miss it.
Once installed, running it with the -h flag lists all the available options:
Usage: amass [options] <-d domain> | <net>
-active
Turn on active information gathering methods
-bl value
Blacklist of subdomain names that will not be investigated
-blf string
Path to a file providing blacklisted subdomains
-brute
Execute brute forcing after searches
-d value
Domain names separated by commas (can be used multiple times)
-df string
Path to a file providing root domain names
-freq int
Sets the number of max DNS queries per minute
-h Show the program usage message
-ip
Show the IP addresses for discovered names
-json string
Path to the JSON output file
-l List all domains to be used in an enumeration
-min-for-recursive int
Number of subdomain discoveries before recursive brute forcing
-noalts
Disable generation of altered names
-norecursive
Turn off recursive brute forcing
-o string
Path to the output file
-proxy string
The URL used to reach the proxy
-r value
IP addresses of preferred DNS resolvers (can be used multiple times)
-rf string
Path to a file providing preferred DNS resolvers
-v Print the data source and summary information
-version
Print the version number of this amass binary
-w string
Path to a different wordlist file
-whois
Include domains discoverd with reverse whois
Flags for the 'net' subcommand:
-addr value
IPs and ranges separated by commas (can be used multiple times)
-asn value
ASNs separated by commas (can be used multiple times)
-cidr value
CIDRs separated by commas (can be used multiple times)
-p value
Ports used to discover TLS certs (can be used multiple times)
Some ways to use the tool:
amass -d dominio.es
Unless told otherwise, amass applies name alterations to the subdomains and uses recursion, so for a purely passive enumeration the right command would be:
amass -d dominio.es -noalts -norecursive
Amass can find new subdomains through the whois records of the subdomains it discovers along the way:
amass -whois -d ejemplo.es
It can also discover new subdomains through ASNs and CIDR ranges:
amass net -cidr 192.184.1.0/24
amass net -asn 14618
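Whatever mode is used, the result is a list of names that still has to be checked before it is trusted: passive sources return duplicates, names outside the domains given with -d, and hosts that the scope (or the -bl blacklist) says should not be touched. The following script is an added example, not code from the original post or from the Amass project. It assumes that the -o output file holds one discovered name per line and that, with -ip, each line is "name ip1,ip2,..."; the sample lines are constructed, not captured from a real run.

```python
"""Post-process Amass plain-text output: keep only in-scope, non-blacklisted
names, merge duplicates and validate the IP addresses.

Added example; not part of the original post or the Amass project.
Assumed output format: one name per line, optionally followed by a
comma-separated list of IPs when -ip was used.
"""
import ipaddress
from collections import defaultdict

# Constructed sample output, as if written by:
#   amass -d dominio.es -d ejemplo.es -noalts -norecursive -ip -o out.txt
SAMPLE_OUTPUT = """\
www.dominio.es 192.0.2.10
mail.dominio.es 192.0.2.25,2001:db8::25
dev.dominio.es 198.51.100.7
www.dominio.es 192.0.2.10
cdn.otrodominio.com 203.0.113.9
staging.dev.dominio.es
api.ejemplo.es 192.0.2.80
not a valid line at all
"""


def _normalize(name):
    """Lower-case and strip a trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def in_scope(name, roots):
    """True if name is one of the root domains or lies under one of them.
    The leading dot in the suffix check stops 'evildominio.es' from
    matching the root 'dominio.es'."""
    name = _normalize(name)
    return any(name == r or name.endswith("." + r)
               for r in (_normalize(x) for x in roots))


def is_blacklisted(name, blacklist):
    """Mirror the -bl semantics: a blacklisted name and everything under
    it is excluded from further investigation."""
    return in_scope(name, blacklist) if blacklist else False


def parse_amass_output(text, roots, blacklist=()):
    """Return {name: sorted list of IPs} for in-scope, non-blacklisted names.
    Duplicate names are merged; malformed lines and bad IPs are skipped."""
    results = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        name = _normalize(parts[0])
        if "." not in name or not in_scope(name, roots) \
                or is_blacklisted(name, blacklist):
            continue
        ips = results[name]  # creates the entry even when no IPs follow
        if len(parts) >= 2:
            for raw in parts[1].split(","):
                try:
                    ips.add(str(ipaddress.ip_address(raw)))
                except ValueError:
                    pass  # not an address; drop it rather than propagate junk
    return {n: sorted(ips) for n, ips in sorted(results.items())}


if __name__ == "__main__":
    found = parse_amass_output(SAMPLE_OUTPUT, ["dominio.es", "ejemplo.es"],
                               blacklist=["dev.dominio.es"])
    for host, ips in found.items():
        print(host, ",".join(ips) if ips else "(no IP resolved)")
```

Running it on the sample keeps www.dominio.es (merged from its two lines), mail.dominio.es with both its IPv4 and IPv6 address, and api.ejemplo.es; cdn.otrodominio.com is dropped as out of scope, and dev.dominio.es together with staging.dev.dominio.es is dropped by the blacklist, which is the same treatment -bl gives those names during the enumeration itself.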