Hello everyone, in this article, we will learn how to enumerate root domains using amass.
If you are new to our website, then check out the resources we have on our website. We post articles about topics that are very useful to cyber security. And we do have beautiful Account takeover labs. And the best part is, they are all free and you will definitely feel happy while completing the labs and all the labs are real-based scenarios.
Account takeover labs: https://bepractical.tech/account-takeover-labs/
Now, let’s go back to the topic.
In this article, we are going to use amass tool to find root domains. And before going into the process to find, let’s discuss what is known as root domains.
Actually, before telling you about root domains. Let me tell you, what is a domain.
What is a domain?
A domain means, giving a name to the company on the internet. Suppose, if we take Google for example. Google is a company and google.com is a domain name.
And to be precise, every domain name is resolved into an IP address. We as humans can’t remember all those numbers, because there would be different IP addresses for different subdomains, and there would subdomains of the subdomains. So, they introduced a system known as the domain name system.
that’s how the domain name.
OK! What are root domains?
Root domain means, the combination of the domain name and top-level domain. I will give you an example,
combining the domain name and the top-level domain is known as the root domain.
There are different top-level domains. And they are:
.tech and etc….
I guess if someone is new to these things. They might have understood this thing. If not, Feel free to comment below.
Now! The fun part begins.
How to enumerate the root domains using amass?
As I said before, we will be using amass tool to find root domains.
Amass is a good tool to find subdomains.
For example, I am choosing Microsoft as my target domain. Try to do the same with your target domain.
The command to be used for this is:
amass intel -d microsoft.com -whois -v
After giving the command, just wait for some time.
In the meantime, we will discuss why we used only the specific command to enumerate the root domains.
the command looks like this: amass intel -d microsoft.com -whois -v
amass >> it is the tool, we are using.
intel >> in amass its purpose is to discover targets for enumeration. As you can see below.
-d >> for specifying the domain name
-whois >> All provided domains are run through reverse whois.
-v >> verbose. it means it will show the working of the tool.
Yeah, the output looks like this.
This is how the output looks after the enumeration completes.
Sometimes, the amass could give you some false results. so we can check that through a website.
Website link: https://www.whoxy.com/
in the search field, try to search for something that you had got in the output.
let’s take microsoft.com >
The registrant company is Microsoft, so it means the domain belongs to Microsoft.
let’s take another from the output.
Again, as you can see the registrant company is Microsoft. So it is actually owned by Microsoft itself.
As I said earlier, the tool may give you some false outputs, the output is large for Microsoft. So I took 2 from the output and showed you the process for verification.
I hope you understand the process of finding the root domains and how to validate them too.
Before, completing this. @faiyazahmad had already uploaded a video on how to find root domains using amass. The same things are mentioned here too.
I would suggest you take a look at the youtube video too.
I hope, you got to know. How to find the root domains of your target.
If you have any doubts, please let us know in the comments section.