APIs

360PassiveDNS, Ahrefs, AnubisDB, BinaryEdge, BufferOver, BuiltWith, C99, Chaos, CIRCL, Cloudflare, DNSDB, DNSRepo, Detectify, FOFA, FullHunt, GitHub, GitLab, Greynoise, HackerTarget, Hunter, IntelX, LeakIX, Maltiverse, Mnemonic, N45HT, PassiveTotal, PentestTools, Quake, Shodan, SonarSearch, Spamhaus, Spyse, Sublist3rAPI, ThreatBook, ThreatCrowd, ThreatMiner, Twitter, URLScan, VirusTotal, ZETAlytics, ZoomEye

Certificates

Active pulls (optional), Censys, CertSpotter, Crtsh, Digitorus, FacebookCT, GoogleCT

DNS

Brute forcing, Reverse DNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing

Routing

ARIN, BGPTools, BGPView, IPdata, IPinfo, NetworksDB, RADb, Robtex, ShadowServer, TeamCymru

Scraping

AbuseIPDB, Ask, Baidu, Bing, DNSDumpster, DuckDuckGo, Gists, HackerOne, HyperStat, IPv4Info, PKey, RapidDNS, Riddler, Searchcode, Searx, SiteDossier, Yahoo

Web Archives

ArchiveIt, Arquivo, CommonCrawl, HAW, UKWebArchive, Wayback

WHOIS

AlienVault, AskDNS, DNSlytics, ONYPHE, SecurityTrails, SpyOnWeb, Umbrella, WhoisXMLAPI

intel

收集开源情报以调查目标组织

enum

对暴露于Internet的系统执行DNS枚举和网络映射

viz

生成用于探索性分析的枚举可视化

track

将枚举结果与常见目标组织进行比较

db

管理存储枚举结果的图形数据库

-active

Enable active recon methods

amass intel -active -addr 192.168.2.1-64 -p 80,443,8080

-addr

IPs and ranges (192.168.1.1-254) separated by commas

amass intel -addr 192.168.2.1-64

-asn

ASNs separated by commas (can be used multiple times)

amass intel -asn 13374,14618

-cidr

CIDRs separated by commas (can be used multiple times)

amass intel -cidr 104.154.0.0/15

-config

Path to the INI configuration file

amass intel -config config.ini

-d

Domain names separated by commas (can be used multiple times)

amass intel -whois -d example.com

-demo

Censor output to make it suitable for demonstrations

amass intel -demo -whois -d example.com

-df

Path to a file providing root domain names

amass intel -whois -df domains.txt

-dir

Path to the directory containing the graph database

amass intel -dir PATH -cidr 104.154.0.0/15

-ef

Path to a file providing data sources to exclude

amass intel -whois -ef exclude.txt -d example.com

-exclude

Data source names separated by commas to be excluded

amass intel -whois -exclude crtsh -d example.com

-if

Path to a file providing data sources to include

amass intel -whois -if include.txt -d example.com

-include

Data source names separated by commas to be included

amass intel -whois -include crtsh -d example.com

-ip

Show the IP addresses for discovered names

amass intel -ip -whois -d example.com

-ipv4

Show the IPv4 addresses for discovered names

amass intel -ipv4 -whois -d example.com

-ipv6

Show the IPv6 addresses for discovered names

amass intel -ipv6 -whois -d example.com

-list

Print the names of all available data sources

amass intel -list

-log

Path to the log file where errors will be written

amass intel -log amass.log -whois -d example.com

-max-dns-queries

Maximum number of concurrent DNS queries

amass intel -max-dns-queries 200 -whois -d example.com

-o

Path to the text output file

amass intel -o out.txt -whois -d example.com

-org

Search string provided against AS description information

amass intel -org Facebook

-p

Ports separated by commas (default: 80, 443)

amass intel -cidr 104.154.0.0/15 -p 443,8080

-r

IP addresses of preferred DNS resolvers (can be used multiple times)

amass intel -r 8.8.8.8,1.1.1.1 -whois -d example.com

-rf

Path to a file providing preferred DNS resolvers

amass intel -rf data/resolvers.txt -whois -d example.com

-src

Print data sources for the discovered names

amass intel -src -whois -d example.com

-timeout

Number of minutes to execute the enumeration

amass intel -timeout 30 -d example.com

-whois

All discovered domains are run through reverse whois

amass intel -whois -d example.com

-active

Enable active recon methods

amass enum -active -d example.com -p 80,443,8080

-aw

Path to a different wordlist file for alterations

amass enum -aw PATH -d example.com

-bl

Blacklist of subdomain names that will not be investigated

amass enum -bl blah.example.com -d example.com

-blf

Path to a file providing blacklisted subdomains

amass enum -blf data/blacklist.txt -d example.com

-brute

Perform brute force subdomain enumeration

amass enum -brute -d example.com

-config

Path to the INI configuration file

amass enum -config config.ini

-d

Domain names separated by commas (can be used multiple times)

amass enum -d example.com

-demo

Censor output to make it suitable for demonstrations

amass enum -demo -d example.com

-df

Path to a file providing root domain names

amass enum -df domains.txt

-dir

Path to the directory containing the graph database

amass enum -dir PATH -d example.com

-ef

Path to a file providing data sources to exclude

amass enum -ef exclude.txt -d example.com

-exclude

Data source names separated by commas to be excluded

amass enum -exclude crtsh -d example.com

-if

Path to a file providing data sources to include

amass enum -if include.txt -d example.com

-include

Data source names separated by commas to be included

amass enum -include crtsh -d example.com

-ip

Show the IP addresses for discovered names

amass enum -ip -d example.com

-ipv4

Show the IPv4 addresses for discovered names

amass enum -ipv4 -d example.com

-ipv6

Show the IPv6 addresses for discovered names

amass enum -ipv6 -d example.com

-json

Path to the JSON output file

amass enum -json out.json -d example.com

-list

Print the names of all available data sources

amass enum -list

-log

Path to the log file where errors will be written

amass enum -log amass.log -d example.com

-max-dns-queries

Deprecated flag to be replaced by dns-qps in version 4.0

amass enum -max-dns-queries 200 -d example.com

-dns-qps

Maximum number of DNS queries per second across all resolvers

amass enum -dns-qps 200 -d example.com

-rqps

Maximum number of DNS queries per second for each untrusted resolver

amass enum -rqps 10 -d example.com

-trqps

Maximum number of DNS queries per second for each trusted resolver

amass enum -trqps 20 -d example.com

-min-for-recursive

Subdomain labels seen before recursive brute forcing (Default: 1)

amass enum -brute -min-for-recursive 3 -d example.com

-max-depth

Maximum number of subdomain labels for brute forcing

amass enum -brute -max-depth 3 -d example.com

-nf

Path to a file providing already known subdomain names (from other tools/sources)

amass enum -nf names.txt -d example.com

-noalts

Disable generation of altered names

amass enum -noalts -d example.com

-norecursive

Turn off recursive brute forcing

amass enum -brute -norecursive -d example.com

-o

Path to the text output file

amass enum -o out.txt -d example.com

-oA

Path prefix used for naming all output files

amass enum -oA amass_scan -d example.com

-passive

A purely passive mode of execution

amass enum --passive -d example.com

-p

Ports separated by commas (default: 443)

amass enum -d example.com -p 443,8080

-r

IP addresses of untrusted DNS resolvers (can be used multiple times)

amass enum -r 8.8.8.8,1.1.1.1 -d example.com

-tr

IP addresses of trusted DNS resolvers (can be used multiple times)

amass enum -tr 8.8.8.8,1.1.1.1 -d example.com

-rf

Path to a file providing untrusted DNS resolvers

amass enum -rf data/resolvers.txt -d example.com

-trf

Path to a file providing trusted DNS resolvers

amass enum -trf data/trusted.txt -d example.com

-src

Print data sources for the discovered names

amass enum -src -d example.com

-timeout

Number of minutes to execute the enumeration

amass enum -timeout 30 -d example.com

-w

Path to a different wordlist file

amass enum -brute -w wordlist.txt -d example.com

-config

Path to the INI configuration file

amass viz -config config.ini -d3

-d

Domain names separated by commas (can be used multiple times)

amass viz -d3 -d example.com

-d3

Output a D3.js v4 force simulation HTML file

amass viz -d3 -d example.com

-df

Path to a file providing root domain names

amass viz -d3 -df domains.txt

-dir

Path to the directory containing the graph database

amass viz -d3 -dir PATH -d example.com

-enum

Identify an enumeration via an index from the db listing

amass viz -enum 1 -d3 -d example.com

-o

Path to a pre-existing directory that will hold output files

amass viz -d3 -o OUTPATH -d example.com

-oA

Prefix used for naming all output files

amass viz -d3 -oA example -d example.com

-gexf

Output to Graph Exchange XML Format (GEXF)

amass viz -gexf -d example.com

-graphistry

Output Graphistry JSON

amass viz -graphistry -d example.com

-i

Path to the Amass data operations JSON input file

amass viz -d3 -d example.com

-maltego

Output a Maltego Graph Table CSV file

amass viz -maltego -d example.com

-config

Path to the INI configuration file

amass track -config config.ini

-d

Domain names separated by commas (can be used multiple times)

amass track -d example.com

-df

Path to a file providing root domain names

amass track -df domains.txt

-dir

Path to the directory containing the graph database

amass track -dir PATH

-history

Show the difference between all enumeration pairs

amass track -history

-last

The number of recent enumerations to include in the tracking

amass track -last NUM

-since

Exclude all enumerations before a specified date (format: 01/02 15:04:05 2006 MST)

amass track -since DATE

-config

Path to the INI configuration file

amass db -config config.ini

-d

Domain names separated by commas (can be used multiple times)

amass db -d example.com

-demo

Censor output to make it suitable for demonstrations

amass db -demo -d example.com

-df

Path to a file providing root domain names

amass db -df domains.txt

-dir

Path to the directory containing the graph database

amass db -dir PATH

-enum

Identify an enumeration via an index from the listing

amass db -enum 1 -show

-import

Import an Amass data operations JSON file to the graph database

amass db -import PATH

-ip

Show the IP addresses for discovered names

amass db -show -ip -d example.com

-ipv4

Show the IPv4 addresses for discovered names

amass db -show -ipv4 -d example.com

-ipv6

Show the IPv6 addresses for discovered names

amass db -show -ipv6 -d example.com

-json

Path to the JSON output file or ‘-’

amass db -names -silent -json out.json -d example.com

-list

Print enumerations in the database and filter on domains specified

amass db -list

-names

Print just discovered names

amass db -names -d example.com

-nocolor

Disable colorized output

amass db -names -nocolor -d example.com

-o

Path to the text output file

amass db -names -o out.txt -d example.com

-show

Print the results for the enumeration index + domains provided

amass db -show

-silent

Disable all output during execution

amass db -names -silent -json out.json -d example.com

-src

Print data sources for the discovered names

amass db -show -src -d example.com

-summary

Print just ASN table summary

amass db -summary -d example.com