Search Results for: reconnaissance

Penetration Testing with Open-Source Intelligence (OSINT)

Penetration Testing with Open-Source Intelligence (OSINT): Tips, Tools, and Techniques According to a 2021 IBM report, the average organization did not detect a data breach for up to 212 days—and then did not fully contain the issue for another 75. In many instances, malicious hackers attack a company using publicly available information: open-source intelligence, often…

The post Penetration Testing with Open-Source Intelligence (OSINT) appeared first on Cybersecurity Exchange.

What Are the Phases of a Penetration Test?

Understanding the Phases of the Penetration Testing Process Penetration testing is the process of identifying the security vulnerabilities in a system or network and trying to exploit them. The results of penetration tests play a vital role in finding and patching security flaws. In this article, we’ll discuss the responsibilities of a penetration tester and…

The post What Are the Phases of a Penetration Test? appeared first on Cybersecurity Exchange.

What Are the Certified Ethical Hacker (C|EH) Certification Requirements? 

What Are the Certified Ethical Hacker (C|EH) Certification Requirements? Ethical hacking is one of the most effective ways to make systems and networks as resistant to cybercrime as possible, but a successful ethical hacker needs to be as skilled as the malicious hackers trying to gain unrestricted access to systems and data. As a cybersecurity…

The post What Are the Certified Ethical Hacker (C|EH) Certification Requirements?  appeared first on Cybersecurity Exchange.

CEH v11 Certification Training Course-‘Overview’


The Certified Ethical Hacker (CEH v11) training and certification program is a widely trusted certification that refreshes your knowledge of core security essentials and fundamentals. The CEH v11 certification course, introduced by EC-Council, is a globally recognised security training and certification course. It demonstrates your ability to detect vulnerabilities and risks in an enterprise's network infrastructure, and prepares you to strengthen your blue team skills and to deal with cyber-attacks successfully and efficiently.

The CEH v11 training is the most popular course, and the second course, in the newest VAPT (Vulnerability Assessment and Penetration Testing) track. In the latest version EC-Council has added in-depth concepts and topics reflecting current developments in the cyber-security field. The course trains you in the most recent commercial-grade attack and hacking methodologies, practices, and tools used by real-world attackers and information security professionals to ethically hack an organisation.

Since the launch of CEH in 2003, it has been considered a benchmark within the information security community, the largest community of cyber-security experts in the industry. CEH v11 continues to introduce the most advanced hacking tools, techniques, and exploits used by information security professionals and malicious hackers today. The five stages of ethical hacking and the original objective of CEH remain as relevant as ever: "To beat a hacker, you need to think like a hacker."

You will scrutinise, test, hack, and protect your systems. You will be taught the five stages of ethical hacking and how to approach a target and succeed at breaking in each time. The five phases, in order, are Reconnaissance, Scanning (including enumeration), Gaining Access, Maintaining Access, and Covering Tracks.


CEH v11 Certification Training Course-‘Overview’ was originally published in Dev Genius on Medium, where people are continuing the conversation by highlighting and responding to this story.

Amass — Mapping Attack Surface Automatically


In this guide we are going to cover an excellent information gathering tool called Amass. It was originally created by Jeff Foley; the project was later adopted by OWASP, and Jeff is now the Amass project leader.

Amass is an open-source command line tool that helps information security professionals map an organisation's external attack surface and discover its external assets, using open-source information gathering and active reconnaissance techniques.

[Screenshot: Amass on Kali Linux]

To do this, Amass focuses heavily on discovering and collecting DNS, HTTP and SSL/TLS data. Amass uses its own internal mechanisms and also integrates with external services (SecurityTrails, AlienVault, Shodan etc.) to improve the coverage of its results; many of these services only return results once their API key has been added to the Amass configuration file.

In this guide we are going to learn how to install and use Amass on Kali Linux. So without wasting any more time, let's get started.

How to Install Amass on Kali Linux

If we are using an up-to-date Kali Linux "large" image, Amass comes pre-installed and we don't need to install it. If Amass is not present on our system, we can install it from the Kali repositories with the following command (the amass package pulls in amass-common, which holds the shared data files, as a dependency):

sudo apt install amass

How to use Amass on Kali Linux

Before using any tool we should check its help options, and we do the same for Amass. To see its help, run the following command in a terminal window:

amass -h

In the following screenshot we can see the output of our applied command:

[Screenshot: Amass help options]

In the help output above we can see that Amass has several subcommands. Let's look at them:

  • intel: Collect intelligence on the target in order to determine our starting point.
  • enum: Perform enumeration and mapping of our target to determine possible attack surface.
  • viz: Visualize enumeration results to support analysis and further research.
  • track: Compare results across enumerations to see changes in the attack surface.
  • db: Manage the graph databases storing the enumeration results.
  • dns: Resolve DNS names at high performance.

Getting Subdomains using Amass Enum

Enough talking about Amass; let's use it. The most basic use is subdomain enumeration, which we can run with the following command:

amass enum -d oswap.org

Here we have used the -d flag to specify our target domain. Without -active, Amass queries its data sources and resolves the names it finds, but does not attempt zone transfers or certificate grabs against the target itself (add -passive to skip DNS resolution as well). In the following screenshot we can see the output of our applied command:

[Screenshot: subdomain discovery using Amass]

That is the basic subdomain discovery. We can get broader coverage by giving Amass more to work with: -active attempts DNS zone transfers and pulls names from TLS certificates, while -cidr and -asn seed the enumeration with IP ranges and autonomous system numbers belonging to the target, so that Amass also picks up names that resolve into that address space. The CIDRs and ASN below are placeholders; replace them with the target's real ranges and ASN:

amass enum -d example.com -active -cidr 1.2.3.4/24,4.3.2.1/24 -asn 12345

Getting Information using Intel

We can do a lot of things with Amass. For example, suppose we are looking for organisations with "google" in their name; we can use the following command:

amass intel -org "google"

After running the command we need to give it a couple of minutes to finish. We can see the result in the following screenshot:

[Screenshot: Amass intel information gathering]

We can also use reverse WHOIS. Amass takes the details from the specified domain's WHOIS record and then tries to find other domains with similar WHOIS records, which tells us what other domains the same owner may hold. We can use the following command to do this:

amass intel -d oswap.org -whois

The output is shown in the following screenshot:

[Screenshot: reverse WHOIS data using Amass]

All of these domains have WHOIS details similar to google.com's, so there is a high chance that Google owns them. Note that the WHOIS records of many domains are now redacted or hidden behind privacy services, so reverse WHOIS matches should be treated as leads to confirm rather than as proof of ownership.

SSL Certificate Grabbing

If we know IP addresses and feed them to Amass with the -active flag, Amass will connect to every address in the range, pull the SSL/TLS certificate from each host that answers, and report the domain names the certificate is issued for (the subject CN and the subject alternative names). Because this connects to every host in the range, only run it against ranges you are authorised to test. For example, we use the following command:

amass intel -active -cidr 173.0.84.0/24

In the following screenshot we can see it running against a well-known PayPal-owned CIDR range.

[Screenshot: SSL certificate grabbing using Amass]
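The technique behind -active on a CIDR, written out as an added example in Go (Amass's own language). This is not Amass code and not from the original article. It expands a CIDR, opens a TLS connection to each address, and reads the subject CN and subject alternative names off whatever certificate the host presents, without verifying the chain, because an expired or self-signed certificate leaks names just as well. To run offline it starts a loopback listener with a constructed self-signed certificate for two made-up names; the listener, the certificate and the names www.example.com and api.example.com are assumptions for the demo. A real sweep must be limited to addresses you are authorised to probe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/netip"
	"sort"
	"time"
)

// namesFromCert returns the DNS names a certificate is issued for: the
// subject CN (if set) plus every DNS SAN, deduplicated and sorted.
func namesFromCert(cert *x509.Certificate) []string {
	seen := map[string]bool{}
	if cn := cert.Subject.CommonName; cn != "" {
		seen[cn] = true
	}
	for _, n := range cert.DNSNames {
		seen[n] = true
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// hostsInCIDR expands a CIDR into every address it contains.
func hostsInCIDR(cidr string) ([]string, error) {
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, err
	}
	var hosts []string
	for a := prefix.Masked().Addr(); prefix.Contains(a); a = a.Next() {
		hosts = append(hosts, a.String())
	}
	return hosts, nil
}

// grabNames opens a TLS connection to addr ("host:port") without verifying the
// chain (an expired or self-signed cert still leaks names) and returns the names
// on the leaf certificate the host presented.
func grabNames(addr string, timeout time.Duration) ([]string, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	// With InsecureSkipVerify the chain is still parsed and stored, just not verified.
	return namesFromCert(conn.ConnectionState().PeerCertificates[0]), nil
}

// localTLSServer starts a loopback listener with a throwaway self-signed
// certificate for names (a demo assumption so this runs offline), answers one
// handshake, and returns the listener address.
func localTLSServer(names []string) (string, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the OS RNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

func main() {
	// Offline demonstration; for real use, loop hostsInCIDR over an authorised
	// range and call grabNames(net.JoinHostPort(host, "443"), timeout) per host.
	addr, err := localTLSServer([]string{"www.example.com", "api.example.com"})
	if err != nil {
		panic(err)
	}
	names, err := grabNames(addr, 2*time.Second)
	fmt.Println(addr, "->", names, err)
}
```

Before pointing this at a /24, add a worker pool and a per-host timeout budget, and remember that hosts behind SNI-dependent front ends often present a default certificate when no ServerName is sent, which is why Amass combines certificate names with DNS data rather than relying on either alone.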

Tracking using Amass

Every enumeration we run with Amass is stored automatically in its local graph database on the system we ran it on. If we run the same enumeration again, amass track compares the new results with the earlier ones and reports what has changed. The most useful way to use this feature is to discover which new subdomains have appeared since our last scan. For example, we scanned oswap.org in the morning, then ran the following command to track changes:

amass track -d oswap.org

In the following screenshot we can see that there are no changes. Newly appearing subdomains deserve attention first: freshly deployed hosts are often the ones that have not yet been hardened, so they are the most likely to be vulnerable.

[Screenshot: Amass tracking]

Visualization on Amass

Frankly, we are not fans of this. During information gathering we prefer to see results in a text-based format, but visualization in Amass looks really cool. We need to use viz for that, as we did in the following screenshot:

[Screenshot: Amass viz]

The viz subcommand lets us visualize all the information gathered about a target (stored in the Amass graph database) in a number of formats. Results can also be exported for import into Maltego for further OSINT analysis.

Amass Database

Amass Database (db) is an Amass subcommand that lets us view the recon data from every scan we have ever done.
To list the details of all of our previous scans, we simply run amass db -show. If we want to see the details for a specific domain, we just add the -d flag, as follows:

amass db -show -d oswap.org

If we prefer clean, plain output, we can print just the discovered domains and subdomains using the -names flag instead of -show. The output is shown in the following screenshot:

[Screenshot: Amass db]

In the above screenshot we only see subdomains, because we did not gather more information about oswap.org; if we had, it would be shown as well.

Amass Scripting Engine

Like the Nmap Scripting Engine, Amass also has a scripting engine (its data source scripts are written in Lua) that can be used to add our own data sources to Amass. If there is a new API that Amass does not integrate yet, we do not need to wait for Amass to add it; we can add it ourselves and use it. For more details, see the manual.

For more detail, we can suggest some excellent sources to learn more about Amass:

  1. Official Amass Tutorial
  2. Amass Extensive Tutorial

Amass is a great tool for information gathering and recon work. In this article we saw how we can use Amass on our Kali Linux system.

Love our articles? Make sure to follow us on Twitter and GitHub, where we post article updates. To join our KaliLinuxIn family, join our Telegram group. We are trying to build a community for Linux and cybersecurity. We are always happy to help everyone in the comment section, which is open to everyone; we read every comment and always reply.

Find Vulnerabilities using NMAP Scripts (NSE)


Nmap comes pre-installed with Kali Linux, and not just Kali: Nmap comes pre-installed with almost every security-focused operating system. We have already discussed how to use Nmap for active reconnaissance in our previous article "NMAP — The Network Mapper".

But cybersecurity experts don't just use Nmap for scanning ports and the services running on a target system; with the NSE (Nmap Scripting Engine), Nmap can also be used for vulnerability assessment and much more.

[Screenshot: vulnerability scanning using Nmap scripts]

The Nmap Scripting Engine (NSE) has expanded what a port scanner can do by allowing users to write scripts that perform custom tasks using the host information collected by Nmap. As of September 2021, when we are writing this article, Nmap version 7.91 ships with over 600 scripts.

[Screenshot: Nmap scripts for security testing]

Penetration testers rely on one of Nmap's most powerful and flexible features, which allows them to write their own scripts and automate various tasks. NSE (Nmap Scripting Engine) was developed for the following purposes:

  • Network discovery:- This is the primary purpose most people use Nmap for, which we covered in our "Nmap – The Network Mapper" article; NSE scripts extend it with lookups such as WHOIS queries on the target, SNMP queries, and listing of shares and services.
  • More sophisticated version detection:- Many services expose the same banner across several versions, so NSE scripts probe them further to identify the exact service and version.
  • Backdoor detection:- Some Nmap scripts are written to recognise the patterns of known backdoors and worm-infected hosts. If such malware is present on the network, these hosts stand out, and an attacker can usually take them over remotely with little effort.
  • Vulnerability scanning and exploitation:- Pen testers use Nmap scripts to detect, and in some cases exploit, vulnerabilities, and combine Nmap's output with other tools such as Metasploit or a custom reverse shell for exploitation.

Before using Nmap to find vulnerabilities, we should refresh the script database. Note that --script-updatedb does not download new scripts: it rebuilds the script.db index from the scripts present in Nmap's scripts directory. This matters whenever scripts have been added or updated there (after an Nmap upgrade, or after dropping a new .nse file into the directory), because --script selects scripts by name and category from that index. To update the script database, run the following command in a terminal window:

sudo nmap --script-updatedb

In the following screenshot we can see that we have an updated Nmap scripts database.

[Screenshot: Nmap script database update]

Now we are ready to scan a target for vulnerabilities. We can run every script in the vuln category against a target with the following command. -sV is included because many vuln scripts need the detected service and version to decide whether they apply. Keep in mind that the vuln category includes intrusive scripts that can disrupt or crash a service, so only run it against targets you are authorised to test.

nmap -sV --script vuln <target>

As we can see in the following screenshot:

[Screenshot: Nmap vulnerability scripts]
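An added example (our own code, not from the original article or from the Nmap project): once the scan is saved with -oX, the results can be triaged programmatically instead of being read off the terminal. The Go program below parses the XML, flattens port scripts and host scripts into findings, and picks out those whose output carries the "State: VULNERABLE" or "State: LIKELY VULNERABLE" line that scripts built on Nmap's vulns library print. The embedded report is constructed for the demo (the host 192.0.2.10, its ports and the script outputs are made up, in the shape Nmap writes them), so it runs offline.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// sampleXML is a constructed -oX report (not real scan output): one host,
// two port scripts and one host script, so the parser can run offline.
const sampleXML = `<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV --script vuln -oX scan.xml 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open"/>
<script id="http-csrf" output="Couldn&apos;t find any CSRF vulnerabilities."/></port>
<port protocol="tcp" portid="443"><state state="open"/>
<script id="ssl-poodle" output="&#xa;  SSL POODLE information leak&#xa;    State: NOT VULNERABLE&#xa;    IDs:  CVE:CVE-2014-3566"/></port></ports>
<hostscript><script id="smb-vuln-ms17-010" output="&#xa;  VULNERABLE:&#xa;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#xa;    State: VULNERABLE&#xa;    IDs:  CVE:CVE-2017-0143"/></hostscript>
</host></nmaprun>`

// script mirrors Nmap's <script id="..." output="..."/> element.
type script struct {
	ID     string `xml:"id,attr"`
	Output string `xml:"output,attr"`
}

// nmapRun models only the parts of the -oX schema this triage needs.
type nmapRun struct {
	Hosts []struct {
		Addresses []struct {
			Addr string `xml:"addr,attr"`
		} `xml:"address"`
		Ports []struct {
			ID      string   `xml:"portid,attr"`
			Proto   string   `xml:"protocol,attr"`
			Scripts []script `xml:"script"`
		} `xml:"ports>port"`
		HostScripts []script `xml:"hostscript>script"`
	} `xml:"host"`
}

// Finding is one script result. State is the "State:" line printed by scripts
// built on Nmap's vulns library; free-form scripts such as http-csrf leave it empty.
type Finding struct {
	Host, Port, Script, State, Output string
}

var stateRE = regexp.MustCompile(`(?m)^\s*State:\s*(.+?)\s*$`)

// stateOf extracts the vulns-library state from script output, or "".
func stateOf(output string) string {
	if m := stateRE.FindStringSubmatch(output); m != nil {
		return m[1]
	}
	return ""
}

// Vulnerable reports whether the script concluded the host is (likely)
// affected; "NOT VULNERABLE" and free-form output both return false.
func (f Finding) Vulnerable() bool {
	return strings.HasPrefix(f.State, "VULNERABLE") || strings.HasPrefix(f.State, "LIKELY VULNERABLE")
}

// parseFindings flattens an -oX document into one Finding per script result.
func parseFindings(data []byte) ([]Finding, error) {
	var run nmapRun
	if err := xml.Unmarshal(data, &run); err != nil {
		return nil, err
	}
	var out []Finding
	for _, h := range run.Hosts {
		host := ""
		if len(h.Addresses) > 0 {
			host = h.Addresses[0].Addr // Nmap lists the IP address before any MAC
		}
		for _, p := range h.Ports {
			for _, s := range p.Scripts {
				out = append(out, Finding{Host: host, Port: p.ID + "/" + p.Proto, Script: s.ID, State: stateOf(s.Output), Output: s.Output})
			}
		}
		for _, s := range h.HostScripts {
			out = append(out, Finding{Host: host, Port: "host", Script: s.ID, State: stateOf(s.Output), Output: s.Output})
		}
	}
	return out, nil
}

func main() {
	fs, err := parseFindings([]byte(sampleXML))
	if err != nil {
		panic(err)
	}
	for _, f := range fs {
		if f.Vulnerable() {
			fmt.Printf("%s %s %s: %s\n", f.Host, f.Port, f.Script, f.State)
		}
	}
}
```

Scripts that do not use the vulns library (http-csrf above is one) only produce free-form text, so a finding with an empty State still has to be read by hand; the filter is a triage order, not a verdict.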

When we talk about Nmap scripts, we should know that vuln is only one of many categories of Nmap scripts. The categories are the following:

  • auth: Scripts related to user authentication, including detecting anonymous or bypassable logins.
  • broadcast: A very interesting category of scripts that use broadcast requests on the local network to discover hosts and services.
  • brute: Scripts that help conduct brute-force password auditing.
  • default: Scripts that run when a script scan is requested with -sC (or -A).
  • discovery: Scripts related to host and service discovery.
  • dos: Scripts that may cause a denial of service on the target.
  • exploit: Scripts that actively exploit security vulnerabilities.
  • external: Scripts that depend on a third-party service and therefore send data about the target to that third party (WHOIS lookups, for example).
  • fuzzer: Nmap scripts that are focused on fuzzing.
  • intrusive: Scripts that might crash the target or generate a lot of network noise; sysadmins consider them intrusive, and they are the opposite of safe.
  • malware: Scripts related to malware and backdoor detection.
  • safe: Scripts that are considered safe to run in all situations.
  • version: NSE scripts that extend version detection; they run as part of -sV.
  • vuln: Scripts that check for specific known vulnerabilities.

So we can perform a wide range of tasks with Nmap Scripting Engine scripts. When we want to run all scripts against a single target, we can use the following command:

nmap -sV --script all <target>

In the following screenshot we can see all scripts being run against one target. Every script will execute, so this takes a good amount of time, and because it includes the dos, exploit and intrusive categories it can disrupt or crash services; reserve it for lab targets or systems you are explicitly authorised to test this aggressively.

[Screenshot: all Nmap scripts running at once]

That is all for this article. We will be back again with more on Nmap. We hope this article helps our fellow Kali Linux users.

What is Penetration Testing, Strategic Approaches and Its Types?


In the wake of the global pandemic, organizations were required to secure their security infrastructure and establish endpoint security as most of their workforce was working remotely. The shift to remote work saw data exchanged over cloud services and employees using their own devices connected to their home Wi-Fi, which can pose a…


The post What is Penetration Testing, Strategic Approaches and Its Types? appeared first on EC-Council Official Blog.

What is Footprinting and its Techniques in Ethical Hacking?


Many young people are interested in cybersecurity as cybersecurity concepts and career opportunities become more widespread. Ethical hacking is one of the major topics that has gained a lot of attention and interest. There has been a rise in data breaches, ransomware, data compromised by various means, etc. To catch a hacker, it is…


The post What is Footprinting and its Techniques in Ethical Hacking? appeared first on EC-Council Official Blog.

ISO20000 IT Service Quality Management System Training & Certification


ISO20000 IT Service Quality Management System Training & Certification ISO/IEC 20000 is the leading international IT service management system standard, with the objective to ensure the quality of the IT services your company delivers. It outlines requirements for setting up the management system and best practices for managing a company’s IT service. ISO/IEC 20000 certification …


Certified Ethical Hacker Version 11 | CEHv11 Exam (312-50)


Certified Ethical Hacker Version 11 | CEHv11 The Certified Ethical Hacker (CEH) credential is the most trusted ethical hacking certification and accomplishment recommended by employers globally. It is the most desired information security certification and represents one of the fastest-growing cyber credentials required by critical infrastructure and essential service providers. Since the introduction of CEH …

