0x0FB0
commented
4 years ago All OWASP Amass community data sources (no commercial APIs by default)
As per OWASP Amass documentation:
Information Gathering Techniques Used:
DNS: Basic enumeration, Brute forcing (optional), Reverse DNS sweeping, Subdomain name alterations/permutations, Zone transfers (optional) Scraping: Ask, Baidu, Bing, DNSDumpster, DNSTable, Dogpile, Exalead, Google, HackerOne, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ViewDNS, Yahoo Certificates: Active pulls (optional), Censys, CertSpotter, Crtsh, Entrust, GoogleCT APIs: AlienVault, BinaryEdge, BufferOver, CIRCL, CommonCrawl, DNSDB, GitHub, HackerTarget, IPToASN, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, Robtex, SecurityTrails, ShadowServer, Shodan, Spyse (CertDB & FindSubdomains), Sublist3rAPI, TeamCymru, ThreatCrowd, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML Web Archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback
You can also look into amass.ini config file for more details.
Pulsar custom sources:
- Domains from previous scans are pushed to Amass creating a discovery feedback loop
- Custom plugin for reverse dns through RipeSTAT API
- Custom plugin for TLD explansion (dictionary attack & verification)
mrdavi5
Hey! What methods does this tool use for Sub Domain enumeration?