amass intel – Collect open source intel on an organisation like root domains and ASNs

The “amass intel” command is a feature of the Amass tool, which is designed to collect open-source intelligence (OSINT) on an organization. It focuses on gathering information about root domains and Autonomous System Numbers (ASNs) associated with the target organization. Here’s a more detailed explanation:

  • Open-Source Intelligence (OSINT) Collection: The “amass intel” command extends the capabilities of Amass to perform OSINT collection specifically on organizations. OSINT refers to information that is publicly available from open sources such as websites, social media platforms, public records, and more.
  • Root Domain Identification: The command aims to identify the root domains associated with the target organization. Root domains represent the primary domains owned or operated by the organization, providing insights into its online presence and infrastructure.
  • Autonomous System Number (ASN) Enumeration: The command also focuses on collecting information about ASNs related to the target organization. An ASN is a unique identifier assigned to a network or organization by the Internet Assigned Numbers Authority (IANA). Enumerating ASNs provides details about the organization’s network infrastructure and its Internet connectivity.
  • Comprehensive Data Sources: “amass intel” leverages various data sources and techniques to collect OSINT on the organization. It may utilize search engines, public DNS records, certificate transparency logs, and other public resources to gather information about root domains and ASNs.
  • Analysis of Metadata and Relationships: The command goes beyond basic enumeration and performs analysis on the collected data. It looks for metadata associated with the root domains and ASNs, such as IP addresses, registration information, associated organizations, and relationships between different entities. This analysis aids in building a more comprehensive understanding of the organization’s online presence.
  • Output Formats and Integration: “amass intel” provides flexible output options, allowing users to export the collected OSINT in various formats, including CSV (Comma-Separated Values), JSON (JavaScript Object Notation), or plain text. This facilitates integration with other tools or workflows for further analysis or processing.
  • Customization and Configuration: The command offers several configuration options to customize the OSINT collection process. Users can specify search engine preferences, define filters to exclude certain types of data, or set limits on the depth of enumeration.
  • Continuous Monitoring: “amass intel” can be used for regular or ongoing OSINT collection to monitor changes and updates related to the target organization. By performing periodic scans, it helps in staying updated on the organization’s online footprint and identifying any newly discovered root domains or ASNs.

The “amass intel” command in Amass enhances the tool’s capabilities by focusing on collecting OSINT specifically related to organizations. By identifying root domains and ASNs associated with the target, it assists security professionals, researchers, and analysts in gaining insights into an organization’s online presence, network infrastructure, and potential attack surface.

amass intel Command Examples

1. Find root domains in an IP address range:

# amass intel -addr 192.168.0.1-254

2. Use active recon methods:

# amass intel -active -addr 192.168.0.1-254

3. Find root domains related to a domain:

# amass intel -whois -d domain_name

4. Find ASNs belonging to an organisation:

# amass intel -org organisation_name

5. Find root domains belonging to a given Autonomous System Number:

# amass intel -asn asn

6. Save results to a text file:

# amass intel -o output_file -whois -d domain_name
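
For the continuous monitoring use described above, the following compares two saved `amass intel -o` result files so that root domains seen for the first time stand out for review. It is an added example, not part of the original page or the Amass project; it assumes each output line holds one domain name, the helper names `normalize`, `new_roots` and `demo` are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: report root domains that appear in the latest
# `amass intel -o` output but not in the previous baseline.
# Assumption: each line of the output file is one domain name.

# normalize FILE: lowercase, strip CRs, surrounding whitespace and a
# trailing dot, drop blank lines, sort unique. A missing file yields
# no output, so the first run reports every domain as new.
normalize() {
    [ -f "$1" ] || return 0
    tr -d '\r' < "$1" \
      | tr '[:upper:]' '[:lower:]' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/\.$//' -e '/^$/d' \
      | LC_ALL=C sort -u
}

# new_roots BASELINE CURRENT: print domains present only in CURRENT.
new_roots() {
    base_tmp=$(mktemp) || return 1
    cur_tmp=$(mktemp) || { rm -f "$base_tmp"; return 1; }
    normalize "$1" > "$base_tmp"
    normalize "$2" > "$cur_tmp"
    LC_ALL=C comm -13 "$base_tmp" "$cur_tmp"
    rm -f "$base_tmp" "$cur_tmp"
}

# Constructed sample data standing in for two scheduled runs of
#   amass intel -o <file> -whois -d domain_name
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' example.com example.net > "$dir/baseline.txt"
    # Same domains with case and trailing-dot noise, plus one new entry.
    printf '%s\n' Example.com example.net. example.org '' > "$dir/current.txt"
    new_roots "$dir/baseline.txt" "$dir/current.txt"
    rm -rf "$dir"
}

demo
```

After reviewing the reported domains, replace the baseline file with the current one so the next run only reports later changes.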