Using OWASP Amass with Netlas Module

April 3, 2026


Instructions for using the Netlas module integrated into the OWASP Amass tool.

OWASP Amass is a powerful utility for reconnaissance and attack surface mapping, used by many penetration testers and bug bounty hunters. It lets you brute-force domain names, gather open-source information, visualize search results in a graph, and much more.

Netlas has long been integrated into Amass as one of the additional sources for subdomain search. In this article, I will briefly describe how to install and configure OWASP Amass to use Netlas search results.

Installing

There are many ways to install Amass: download a pre-built package, use Docker or Homebrew, and others. They are described in detail in the OWASP Amass documentation, the repository, and on the official project page. Below are the most common options.

Installing With Pre-Built Package

  1. The first step in the installation is to download the package itself. Go to the OWASP Amass repository and open the latest release. Find the version that suits you and download the appropriate archive.

  2. Next, you need to unpack the downloaded archive into the folder where you want to launch Amass.

  3. Update PATH to be able to run the utility with the amass command.

  4. After that, run the utility. On the first run, Amass creates its configuration files in the default OS-specific configuration directory. We will return to it in the next section.

Installing From Source

You can also install Amass from source using the command:

go install -v github.com/owasp-amass/amass/v5/...@latest

Installing With Homebrew

For macOS users, the utility can be installed via Homebrew:

brew tap owasp-amass/amass
brew install amass

These and other methods are described in more detail in the documentation.

Configuration for Using Netlas Module

Once Amass has been installed, it must be configured to get results from the Netlas API. This requires several steps:

Make sure you have one of these folders:

  • For Debian-based systems: $HOME/.config/amass
  • For macOS: $HOME/Library/Application Support/amass
  • For Windows: %AppData%\amass\

To use Netlas searches, you need to add your Netlas API key to datasources.yaml. In the existing datasources: list, enter your key and then uncomment the corresponding Netlas block.

- name: Netlas
  creds:
    account:
      apikey: null # <-- Replace null with your key

This completes the setup of the configuration file. You can also activate other tools in it if you have the necessary accounts, set up allowed and prohibited sources, and so on, but this is beyond the scope of this article.
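
A preflight check for the configuration described above, added here as an example and not part of Amass or Netlas: it reports whether the Netlas entry in datasources.yaml is uncommented and holds a key, and whether the file, which stores that key in plain text, is accessible to other local users. The function names are assumptions, and the directory lookup covers only the Linux and macOS paths listed above.

```shell
#!/bin/sh
# Added example: preflight check for the Netlas entry in Amass's datasources.yaml.
# Function names are illustrative; the key itself is never printed.

# OS-specific configuration directory, as listed in the article (Linux/macOS only).
amass_config_dir() {
  case "$(uname -s)" in
    Darwin) printf '%s\n' "$HOME/Library/Application Support/amass" ;;
    *)      printf '%s\n' "$HOME/.config/amass" ;;
  esac
}

# Prints "missing" (no uncommented Netlas apikey entry), "null" (placeholder
# still in place) or "set" (a key value is present).
netlas_key_state() {
  awk '
    /^[ \t]*#/ { next }                         # still commented out: ignore
    /^[ \t]*-[ \t]*name:/ {                     # start of a datasource entry
      inblock = ($0 ~ /name:[ \t]*Netlas[ \t]*(#.*)?$/)
      next
    }
    inblock && /^[ \t]*apikey:/ {
      v = $0
      sub(/^[^:]*:[ \t]*/, "", v)               # drop the "apikey:" prefix
      sub(/[ \t]*#.*$/, "", v)                  # drop a trailing comment
      sub(/[ \t\r]+$/, "", v); gsub(/"/, "", v)
      state = (v == "" || v == "null" || v == "~") ? "null" : "set"
      exit
    }
    END { print (state == "" ? "missing" : state) }
  ' "$1"
}

# True when group and other have no access (ls mode string, characters 5-10).
perms_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints "<key state>,<perms state>"; succeeds only for "set,perms-ok".
check_netlas_config() {
  f="${1:-$(amass_config_dir)/datasources.yaml}"
  [ -f "$f" ] || { echo "no-file"; return 1; }
  if perms_private "$f"; then p=perms-ok; else p=perms-open; fi
  r="$(netlas_key_state "$f"),$p"
  echo "$r"
  [ "$r" = "set,perms-ok" ]
}
```

Call check_netlas_config with no argument to test the default location, or pass a path explicitly. A perms-open result is cleared with chmod 600 on the file.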

API key: see the Netlas FAQ for how to obtain your API key.

Usage

Netlas is currently integrated into Amass as a source for subdomain enumeration, so the main command we will use is amass enum.

To see how the integration works, start with a simple test against example.com and limit the enumeration to Netlas only:

amass enum -d example.com -include Netlas

This command asks Amass to enumerate subdomains for example.com using only Netlas data. This is the easiest way to confirm that your Netlas API key is configured correctly and to understand what this source can return on its own.

When the command is finished, you can check the results with:

amass subs -d example.com -names

If Netlas returned any subdomains, this command will print them to stdout.

After that, you can run the same enumeration without the -include filter:

amass enum -d example.com -o all-sources.txt

In this mode, Amass uses Netlas together with the other enabled sources from your configuration and writes the output to all-sources.txt.
