A free video course from the community, for the community ❤️
The amass tool and all of its subcommands show their options with the `-h` and `-help` flags:

```bash
amass -help
```

Check the version by performing the following:

```bash
amass -version
```

The most basic use of the tool for subdomain enumeration:

```bash
amass enum -d example.com
```

Typical parameters for DNS enumeration:

```bash
$ amass enum -brute -min-for-recursive 2 -d example.com
example.com (FQDN) --> node --> www.example.com (FQDN)
www.example.com (FQDN) --> a_record --> 123.456.789.01 (IPAddress)
...
```
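The relationship lines amass prints are easier to act on (for example, keeping an inventory of which discovered names resolve to which addresses) once they are parsed. The following Python script is an added example, not part of the course page or of the amass project; it assumes only the `name (Type) --> relation --> name (Type)` line shape shown in the output above, and the sample output it embeds is constructed, with addresses from the 192.0.2.0/24 documentation range standing in for real resolutions.

```python
"""Parse the relationship lines printed by 'amass enum' into a small asset graph.

Added example, not part of the course or of the amass project. It assumes only
the line shape shown in the sample output above:
    <name> (<Type>) --> <relation> --> <name> (<Type>)
Anything else ('...', blank lines, banners) is skipped.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(
    r"^\s*(?P<src>\S+) \((?P<src_type>\w+)\) --> (?P<rel>\w+) --> "
    r"(?P<dst>\S+) \((?P<dst_type>\w+)\)\s*$"
)

# Constructed sample in the page's format; 192.0.2.0/24 is a documentation
# range, so these addresses are placeholders rather than real resolutions.
SAMPLE_OUTPUT = """\
example.com (FQDN) --> node --> www.example.com (FQDN)
example.com (FQDN) --> node --> mail.example.com (FQDN)
www.example.com (FQDN) --> a_record --> 192.0.2.10 (IPAddress)
www.example.com (FQDN) --> a_record --> 192.0.2.11 (IPAddress)
mail.example.com (FQDN) --> a_record --> 192.0.2.25 (IPAddress)
this line is not an edge
...
"""


def parse_line(line):
    """Return (src, src_type, rel, dst, dst_type), or None for non-edge lines."""
    m = EDGE_RE.match(line)
    if not m:
        return None
    return (m["src"], m["src_type"], m["rel"], m["dst"], m["dst_type"])


def build_graph(text):
    """Return (edges, types): edges maps src -> [(relation, dst)], types maps
    every node name to the type amass printed for it."""
    edges = defaultdict(list)
    types = {}
    for line in text.splitlines():
        edge = parse_line(line)
        if edge is None:
            continue  # skips '...', blank lines and anything unrecognised
        src, src_type, rel, dst, dst_type = edge
        types[src] = src_type
        types[dst] = dst_type
        edges[src].append((rel, dst))
    return dict(edges), types


def all_fqdns(types):
    """Every name amass labelled FQDN, on either side of an edge."""
    return sorted(name for name, kind in types.items() if kind == "FQDN")


def addresses_for(edges, types, fqdn):
    """IP addresses recorded as a_record targets of the given name."""
    return sorted(dst for rel, dst in edges.get(fqdn, [])
                  if rel == "a_record" and types.get(dst) == "IPAddress")


def hosts_by_ip(edges, types):
    """Inverse index IP -> names resolving to it; shared hosts stand out."""
    index = defaultdict(set)
    for src, targets in edges.items():
        for rel, dst in targets:
            if rel == "a_record" and types.get(dst) == "IPAddress":
                index[dst].add(src)
    return {ip: sorted(names) for ip, names in index.items()}


if __name__ == "__main__":
    edges, types = build_graph(SAMPLE_OUTPUT)
    print("FQDNs:", all_fqdns(types))
    print("www.example.com ->", addresses_for(edges, types, "www.example.com"))
    print("by IP:", hosts_by_ip(edges, types))
```

Feed it the saved text output of a real run instead of `SAMPLE_OUTPUT` and the inverse index from `hosts_by_ip` is the quickest way to see which names share infrastructure, which is usually what an inventory review wants first. Unknown relation names are kept in the edge list untouched, so nothing is lost if amass prints relations beyond `node` and `a_record`.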
Directory discovery works by placing the FUZZ keyword at the end of the URL (`-u`):

```bash
ffuf -w /path/to/wordlist -u https://target/FUZZ
```

Assuming that the default virtual host response size is 4242 bytes, we can filter out all the responses of that size (`-fs 4242`) while fuzzing the Host header:

```bash
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
```

GET parameter name fuzzing is very similar to directory discovery, and works by defining the FUZZ keyword as a part of the URL. This also assumes a response size of 4242 bytes for an invalid GET parameter name.

```bash
ffuf -w /path/to/paramnames.txt -u "https://target/script.php?FUZZ=test_value" -fs 4242
```

If the parameter name is known, the values can be fuzzed the same way. This example assumes that a wrong parameter value returns HTTP response code 401.

```bash
ffuf -w /path/to/values.txt -u "https://target/script.php?valid_name=FUZZ" -fc 401
```

POST data fuzzing is a very straightforward operation, again using the FUZZ keyword. This example fuzzes only part of the POST request body (the password value). We again filter out the 401 responses.

```bash
ffuf -w /path/to/postdata.txt -X POST -d "username=admin&password=FUZZ" -u https://target/login.php -fc 401
```
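Seen from the server side, each of these ffuf runs is one client sending a burst of requests for distinct paths or values, most of which get the "invalid" answer that the `-fs`/`-fc` filters above throw away (the 404 or 401). That profile is what a defender can alert on. The following Python detector is an added example, not part of the course page or of the ffuf project; it assumes Apache/nginx combined log format, its thresholds are illustrative, and the embedded log lines are constructed with documentation addresses rather than taken from a real capture.

```python
"""Flag access-log clients whose request pattern looks like wordlist fuzzing.

Added example, not part of the course or of ffuf. Reads Apache/nginx
combined-format lines and reports clients that request many distinct paths
in a short window with mostly error responses. Thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: 203.0.113.5 is a normal visitor, 198.51.100.7 walks
# a wordlist. Both use the same User-Agent on purpose (it proves nothing).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "GET /style.css HTTP/1.1" 200 812 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 1337 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 1337 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /config HTTP/1.1" 404 1337 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 4242 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old HTTP/1.1" 404 1337 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /test HTTP/1.1" 404 1337 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /tmp HTTP/1.1" 404 1337 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /uploads HTTP/1.1" 404 1337 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /missing.png HTTP/1.1" 404 1337 "http://www.example.com/" "Mozilla/5.0"
this is not a log line
"""

# Statuses a guessed path, parameter name or value usually comes back with.
ERROR_STATUSES = {401, 403, 404}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_fuzzing(text, min_requests=5, min_error_ratio=0.8, max_span_s=60):
    """Return one alert per client whose traffic looks like wordlist fuzzing:
    at least min_requests distinct paths, at least min_error_ratio of them
    answered with an error status, all inside max_span_s seconds."""
    per_ip = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in per_ip.items():
        if len(recs) < min_requests:
            continue
        errors = sum(r["status"] in ERROR_STATUSES for r in recs)
        paths = {r["path"] for r in recs}
        stamps = [r["ts"] for r in recs]
        span = (max(stamps) - min(stamps)).total_seconds()
        if (errors / len(recs) >= min_error_ratio
                and len(paths) >= min_requests and span <= max_span_s):
            alerts.append({
                "ip": ip,
                "requests": len(recs),
                "errors": errors,
                "distinct_paths": len(paths),
                "span_s": span,
                # guessed paths that did NOT fail: what the fuzzer just found
                "hits": sorted(r["path"] for r in recs
                               if r["status"] not in ERROR_STATUSES),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_fuzzing(SAMPLE_LOG):
        print(alert)
```

The criteria are deliberately behavioural: a User-Agent string is changed with one flag, whereas the many-distinct-paths, mostly-errors profile is inherent to walking a wordlist. The `hits` list is the part worth reviewing after an alert, since those are the guessed paths that answered. A production version would evaluate a sliding window per client instead of the whole file, and would also group by the Host header when virtual-host fuzzing is a concern.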