owasp-amass / amass

In-depth attack surface mapping and asset discovery
https://owasp.org/www-project-amass/

Feature Enhancement: From an ASN/CIDR/IP, enumerate the parent domains hosted on those systems #2

Closed kerberosmansour closed 5 years ago

kerberosmansour commented 6 years ago

So we can now scan by ASN/CIDR/IP and find FQDNs/Subdomains on those systems. I would like to take it a step further and find out where else these domains are hosted.

Example: I run amass on a network range, it finds the following FQDNs:

mail.example1.com
ftp.example2.com
vpn.example3.com
origin.example4.com

I want a command that lets Amass scan the domains above (example1.com, example2.com, example3.com, example4.com). So I know where the rest of those domains are hosted.

caffix commented 5 years ago

The network infrastructure features have now been moved into the amass.netnames command-line program within the tool suite. It returns the base domains within the identified network ranges, ASNs, etc. From those domain names, the amass proper tool can discover where else they reside on the Internet.

kerberosmansour commented 5 years ago

ok so I can daisy chain the two tools to get all the results. And they can all end up in Neo4j?

caffix commented 5 years ago

That is correct.

The amass.netnames tool will give you the domains discovered within the target network infrastructure.

All those domains can be provided to the amass subdomain enumeration tool using the ‘-df’ flag, and the information gathered is output using the ‘-do’ flag.

Finally, amass.db inserts the saved findings into Neo4j.

It appears that the feature was implemented as a side effect of the refactoring. Thoughts?
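The reduction kerberosmansour describes above (FQDNs such as mail.example1.com collapsing to the parent domain example1.com, which then goes into the domains file for amass's `-df` flag) is shown here as an added example. This is not Amass code: amass.netnames does this step internally according to the reply above. The script is a stand-alone illustration of why the step is not just "keep the last two labels": multi-label public suffixes such as co.uk would otherwise produce co.uk as a "parent domain". The suffix set and the sample FQDN list are constructed for the example; in real use the full Public Suffix List would replace the small set.

```python
"""Collapse FQDNs found on a network range into unique parent (base) domains.

Added example, not part of the Amass tool suite. The suffix set below is a
small constructed stand-in for the Public Suffix List (publicsuffix.org).
"""

# Constructed stand-in for the Public Suffix List. Assumption: a real run
# loads the complete list, which includes multi-label suffixes like co.uk.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk", "org.uk"}

# Constructed sample input, modelled on the FQDNs listed in the issue, with
# a duplicate parent and a multi-label suffix added to exercise the edge cases.
SAMPLE_FQDNS = [
    "mail.example1.com",
    "www.example1.com",
    "ftp.example2.com",
    "vpn.example3.com",
    "origin.example4.com",
    "vpn.example.co.uk",
    "co.uk",            # a bare public suffix: no registrable domain
    "host.internal",    # unknown suffix: cannot decide, so skipped
]


def parent_domain(fqdn):
    """Return the registrable parent domain of ``fqdn`` or None.

    Walks the labels from the left, testing progressively shorter suffixes,
    so the longest matching public suffix wins (co.uk beats uk). The parent
    domain is that suffix plus exactly one more label. Returns None when the
    name is itself a public suffix or when no known suffix matches.
    """
    labels = fqdn.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        return None
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the whole name is a public suffix
            return ".".join(labels[i - 1:])
    return None  # suffix not in the list; do not guess


def collect_parent_domains(fqdns):
    """Deduplicate and sort the parent domains of an iterable of FQDNs."""
    parents = {parent_domain(name) for name in fqdns}
    parents.discard(None)
    return sorted(parents)


def write_domains_file(path, fqdns):
    """Write one parent domain per line, the format amass -df reads.

    Returns the number of domains written.
    """
    parents = collect_parent_domains(fqdns)
    with open(path, "w", encoding="utf-8") as fh:
        for domain in parents:
            fh.write(domain + "\n")
    return len(parents)


if __name__ == "__main__":
    count = write_domains_file("parent_domains.txt", SAMPLE_FQDNS)
    print(f"wrote {count} parent domains to parent_domains.txt")
```

The resulting file is what the reply above says to hand to the subdomain enumeration tool with `-df`; the unknown-suffix entry is deliberately dropped rather than guessed, since a wrong parent domain would send the enumeration after an asset that was never on the scanned range.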