Unlocking the Full Potential of Amass [Part-2]

This is the second article in the series about Amass Configuration.

If you haven’t checked out Part-1 yet, please do so and follow the steps outlined.

As I have mentioned, I will provide a list of domains that offer free API keys. You will need to implement these in your datasources.yaml file.

First let us Discuss Why are these API keys important, and what are these domains?

Let’s consider a scenario: Suppose you have a target domain, for example, target.com, and you need to gather as many subdomains as possible. You might have tools like Subfinder and Assetfinder, which have limited functionalities. However, There are other websites like VirusTotal, URLScan, and SecurityTrails that also provide subdomain information for particular domains.

In this case, if the user wants to find more valuable subdomains, they would typically need to manually visit these websites and collect the data. This is where Amass comes into play. Amass offers a functionality where it uses API keys from authenticated users to gather as much information as possible from multiple domains. This means the user doesn’t need to manually check all the domains and gather subdomains; Amass will handle all the work automatically. I hope this clarifies the process.

Below, I have provided a list of domains along with their web addresses. Simply go to the respective websites, sign up with your account, and obtain your API key. Add the key to the file, and you will be good to go.

asnlookup          https://asnlookup.com/
virustotal         https://virustotal.com/
urlscan.io         https://urlscan.io/
bevigil            https://bevigil.com/
bigdatacloud       https://www.bigdatacloud.com
BinaryEdge         https://app.binaryedge.io             
BuiltWith          https://api.builtwith.com                                  
CENSYS             https://censys.com/
Chaos              https://cloud.projectdiscovery.io/ 
CertCentral        https://www.digicert.com/        
FullHunt           https://fullhunt.io/     
github             https://github.com/             
intelx             https://intelx.io/              
IPdata             https://dashboard.ipdata.co/                 
ipinfo             https://ipinfo.io/                            
LeakIX             https://leakix.net/                      
Netlas             https://app.netlas.io/                       
networksdb         https://networksdb.io/                  
psbdmp.ws          https://thecatapi.com/                
PublicWWW          https://publicwww.com/                          
shodan             https://shodan.io/                                 
alienvault         https://alienvault.com/
BufferOver         https://bufferover.run/   

#Domains that require business email addresses, But are Highly Recommended..!
Securitytrails     https://securitytrails.com/  [Bussiness-Mail Required] [Preffered]   
Hunter             https://hunter.io/     [Bussiness-Mail Required] [Preffered]         
WhoisXMLAPI        https://whoisxmlapi.com/   [Bussiness-Mail Required] [Preffered]  

I’m sharing this straight from my secure and private notes, so I deserve a follow and a clap from you! :) jk

Anyways, You just need to visit these sites and sign up one by one. I recommend you Take NOTES of this as it will help you in the future as well. After obtaining the API keys and pasting them into your notes, just open the datasources.yaml file.

Mousepad as an Text editor.

datasources.yaml file with API keys

As you can see, I have pasted all the API keys into my datasources.yaml file, Save It.! You should do the same process, and you'll be good to go :)

Now run the following command to check whether Amass is configured successfully or not.

amass enum -list

Cross-check the result with the datasources.yaml file to ensure they match.

If you find the same result as me, Congratulations!

Your Amass has been configured successfully. :)

The domains that don’t contain asterisks (*) mostly require a premium subscription to use, but you don’t need to worry about it.

Through this configuration, I was able to get over 35,000 subdomains of Google within 8 hours. It’s an evident that this tool is both robust and efficient.

How to RUN?

I know You guys are Pro.. but still im sharing steps :)

amass enum -d target.com | tee output.txt

it will produce ugly output ik :(

Now run this.

cat output.txt | awk '{print $1}' | grep 'target_name' | tee final.txt

You will get the Absolute domain names which you are looking for.

Do let me know in the comments if you want to know my recon methodology :)

Thanks for your patience.

Sahil Shah.

Get in touch with me here:

Linkedin: https://www.linkedin.com/in/sahilshah3276/

Twitter: https://x.com/sahil3276

Github: https://github.com/sahil3276