Activity: Amass passive reconnaissance activity

A hands-on activity exploring passive domain reconnaissance with Amass

From the command line in Kali Linux, run the amass command to do reconnaissance against a target.

Intel module — Collect intelligence

  1. Look for organizations with “uber” in their name:

    amass intel -org uber

  2. Look up domains for a given IP range:

    amass intel -ip -src -cidr

  3. Reverse whois:

    This method is invoked with the -whois flag. It takes the details from the specified domain’s whois records and then tries to find other domains with similar whois records.

    This is a great method for discovering root domains that may be owned by an organisation. (source)

    amass intel -whois -d

  4. ASN search:

    amass intel -asn 63086

Enum module — Enumerate and map targets

  1. Determine how many subdomains exist for a given domain:

    amass enum -ip -d
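
To turn the enum results into an actual count, the following added example (not part of the original activity or the Amass project) summarises saved `amass enum -ip` output. It assumes one finding per line in the form `<name> <ip>[,<ip>...]`, as in Amass v3 text output; the function names and the sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Summarise saved `amass enum -ip` output read from stdin.
# Assumption: one finding per line, "<name> <ip>[,<ip>...]" (Amass v3 text output).

# Constructed sample using documentation-reserved names and addresses.
sample_output() {
  cat <<'EOF'
www.example.com 192.0.2.10
WWW.example.com 192.0.2.10
api.example.com 192.0.2.10,198.51.100.7
mail.example.com 198.51.100.7
example.com 192.0.2.10
cdn.example.net 203.0.113.5
notexample.com 203.0.113.9
EOF
}

# Keep only names equal to or under the (lowercase) domain in $1.
# The "." prefix check stops look-alikes such as notexample.com from matching.
in_scope() {
  awk -v d="$1" '
    { n = tolower($1); sub(/\.$/, "", n) }   # normalise case and trailing dot
    n == d || (length(n) > length(d) + 1 &&
               substr(n, length(n) - length(d)) == "." d) { print n, $2 }
  '
}

# Number of unique in-scope names (the apex domain counts as one).
count_names() {
  in_scope "$1" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# "<count> <ip>" per address, busiest first: shows which hosts serve many names.
names_per_ip() {
  in_scope "$1" |
    awk '{ k = split($2, ips, ","); for (i = 1; i <= k; i++) print ips[i], $1 }' |
    sort -u |
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Demo on the constructed sample; for real data, pipe a saved output file in instead.
printf 'unique names: %s\n' "$(sample_output | count_names example.com)"
sample_output | names_per_ip example.com
```

Run against your own domain, the per-address counts are a quick way to compare what is publicly discoverable with your asset inventory.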

Find more options

Look at the Amass Users’ Guide for more options: