Hakluke’s Guide to Amass — How to Use Amass More Effectively for Bug Bounties
Amass has a lot of features. It’s a bit of a weird tool because despite being synonymous with bug bounty recon, and despite being extremely well known, most people don’t know how to use it to it’s full advantage. Most people that I see using Amass are just doing this:
amass enum -d clicktheclapbutton50timesplz.com
Amass hums away for a few minutes doing its thing, skulking around the slums of the internet, begging for subdomains from anyone that will listen and then sending them back to you, the hacker. You get your loot and walk away, happy with your bucketload subdomains, feeling as though you’ve achieved something great.
There’s a problem though. You’ve got the same damn subdomains that everyone else has because like most other people, you only used one Amass feature! You know how competitive bounties are right? You don’t want to put yourself at a disadvantage by not understanding the features of one of the greatest recon tools in existence do you? Having said this, amass has a lot of features and you probably won’t use most of them. This blog post outlines how I personally use amass. I’m going to highlight the features that I find to be most useful and ignore the rest.
So here are a few ways to use Amass betterererer.
Get Your API Keys Sorted
Right now, 30% of you are thinking “does this guy think I’m stupid?”, 50% are thinking “yeah I really should sort that out”, 19% are thinking “amass uses API keys?” and the other 1% are bots that made it past the paywall.
Using Amass without setting up API keys is like eating sand. It tastes bland and is bad for your health.
Amass has a lot of data sources, but the ones that require API keys are:
AlienVault, BinaryEdge, BufferOver, BuiltWith, C99, Censys, Chaos, CIRCL, DNSDB, DNSTable, FacebookCT, GitHub, HackerOne, HackerTarget, NetworksDB, PassiveTotal, RapidDNS, Riddler, SecurityTrails, Shodan, SiteDossier, Spyse, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML, ZETAlytics, Cloudflare