amass-intel
Discover information about internet targets
TLDR
Find root domains in an IP address range (-addr)
Use active recon methods (-active)
Find root domains related to a domain (-d)
Find ASNs belonging to an organisation (-org)
Find root domains belonging to a given Autonomous System Number (-asn)
Save results to a text file (-o)
List all available data sources
SYNOPSIS
amass intel [options] {-d <domain> | -org <organization> | -addr <IP> | -asn <ASN> | -cidr <CIDR>}
PARAMETERS
-d <domain>
Specify the target domain for intelligence gathering. This is one of the primary ways to define the target.
-org <organization>
Specify the target organization name. Useful when you know the organization's name but not specific domains.
-addr <IP address>
Provide an IP address related to the target to gather intelligence about its associated entities.
-asn <ASN>
Provide an Autonomous System Number (ASN) to gather intelligence about entities within that ASN.
-cidr <CIDR>
Provide a CIDR range to gather intelligence about IP addresses and associated entities within that range.
-active
Enable active information gathering. This interacts directly with the target's infrastructure rather than relying only on third-party sources, so it is noisier and easier to detect.
-config <file>
Specify a custom configuration file for Amass.
-dir <directory>
Specify a directory for Amass to store its collected data and output.
-exclude <source>
Exclude specific data sources from intelligence gathering (e.g., 'Google', 'Censys').
-include <source>
Include specific data sources for intelligence gathering, overriding defaults.
-ip
Include IP addresses in the output of the intelligence gathering process.
-json
Output the results in JSON format, suitable for programmatic parsing.
-max-dns-queries <number>
Set the maximum number of DNS queries per second to control network traffic.
-o <file>
Output the results to a specified file.
-oA <basename>
Output results to all available formats (JSON, TXT, etc.) using the provided basename.
-r <resolver>
Specify a custom DNS resolver to use for queries (e.g., '8.8.8.8').
-timeout <duration>
Set the maximum time allowed for queries to individual data sources (e.g., '10s', '5m').
-v
Enable verbose output, providing more detailed information during the command's execution.
-whois
Enable WHOIS lookups to gather registration information about domains and IPs.
DESCRIPTION
The amass intel command, a subcommand of the OWASP Amass project, is a powerful tool designed for open-source intelligence (OSINT) gathering. It focuses on collecting publicly available information about a target organization or domain. This includes identifying associated domains, autonomous system numbers (ASNs), IP addresses, netblocks, email addresses, and other critical data points.
By querying numerous public data sources, certificate transparency logs, WHOIS databases, and various APIs, amass intel helps security professionals and penetration testers build a comprehensive external profile of a target's infrastructure before deeper enumeration or exploitation phases. It provides foundational intelligence to understand the attack surface.
CAVEATS
The effectiveness and completeness of amass intel heavily rely on the availability and accuracy of publicly accessible data sources. Results may vary and could be outdated.
Using the -active option can generate noticeable network traffic and should be done with appropriate authorization. Always adhere to ethical hacking guidelines and ensure you have explicit permission to perform intelligence gathering on any target.
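The following POSIX shell script is an added example, not part of the Amass project or of this page: it ties the TLDR workflows above to the authorization caveat by refusing to build an amass intel command for any target that fails a syntax check or is not listed in a scope file. The scope file format (one target per line) and the rate-limit and timeout values are assumptions for the example.

```shell
# Added example (not Amass project code): gate amass intel behind a scope
# allowlist and target-syntax checks. Scope file format is constructed for
# this example: one target per line (ASN digits, CIDR prefix, or root domain).

# Map a target string to the amass intel selector flag its syntax implies.
# Prints -asn, -cidr or -d; prints nothing for unrecognised input.
target_flag() {
  if printf '%s\n' "$1" | grep -Eq '^[0-9]{1,10}$'; then
    printf '%s\n' -asn
  elif printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
    printf '%s\n' -cidr
  elif printf '%s\n' "$1" | grep -Eq '^([a-z0-9-]+\.)+[a-z]{2,}$'; then
    printf '%s\n' -d
  fi
}

# True when the target appears verbatim as a whole line in the scope file.
in_scope() {
  grep -Fxq -- "$1" "$2"
}

# Print the amass intel command line for one target, or fail with a reason.
# Domains get -whois (as in the TLDR); every run is rate-limited with
# -max-dns-queries, given a per-source -timeout, and written with -oA under -dir.
# Exit codes: 1 = bad syntax, 2 = out of scope (nothing is executed either way).
build_cmd() {
  target=$1; scope=$2; outdir=$3
  flag=$(target_flag "$target")
  if [ -z "$flag" ]; then
    echo "refused: unrecognised target syntax: $target" >&2; return 1
  fi
  if ! in_scope "$target" "$scope"; then
    echo "refused: not in scope: $target" >&2; return 2
  fi
  extra=""
  [ "$flag" = "-d" ] && extra=" -whois"
  base=$(printf '%s' "$target" | tr './' '__')
  printf 'amass intel %s %s%s -max-dns-queries 20 -timeout 30s -dir %s -oA %s/%s\n' \
    "$flag" "$target" "$extra" "$outdir" "$outdir" "$base"
}

# Run every target in the scope file that passes the checks (DRY_RUN=1 only prints).
run_scope() {
  while IFS= read -r t; do
    cmd=$(build_cmd "$t" "$1" "$2") || continue
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
  done < "$1"
}
```

Run with `DRY_RUN=1 run_scope scope.txt out` first to review the exact command lines before anything is sent to the data sources or the target.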
DATA SOURCES
amass intel leverages a vast array of internet-facing data sources, including but not limited to, certificate transparency logs (e.g., CertSpotter, Censys), WHOIS databases, DNS records (e.g., PassiveTotal, Rapid7), public search engines (e.g., Google, Bing), various APIs (e.g., Shodan, VirusTotal), and more. This extensive network of sources allows it to aggregate diverse pieces of information for a holistic view of the target.
ETHICAL CONSIDERATIONS
While amass intel gathers publicly available information, it's crucial to use it responsibly and ethically. Ensure that any intelligence gathering activities are performed within legal boundaries and with explicit authorization for the target in question. Avoid actions that could be interpreted as malicious or intrusive without proper consent.
HISTORY
The Amass project, developed under OWASP, began as a comprehensive tool for subdomain enumeration. As its capabilities grew, the need for distinct functionalities emerged, leading to the creation of subcommands such as intel. The intel subcommand was designed to separate and sharpen the focus on passive and active open-source intelligence gathering, providing a dedicated module for collecting foundational information about a target's external footprint. Its development is ongoing, with continuous integration of new data sources and improved processing techniques.