Amass Advanced Recon Mastery: Expose the Entire Attack Surface! (Translated from Hinglish)
Series: Bug Bounty, Zero to Hero 🦸 | Article #7
By HackerMD | 18 min read
April 2, 2026 (Updated: April 2, 2026)
What You'll Learn Today
What Amass is and how it differs from Subfinder
Step-by-step installation
Config file setup with API keys
The difference between passive and active recon
Every command, from basic to elite
ASN enumeration, the elite technique
The graph database as a visual attack map
The Amass + Subfinder combo workflow
Why does this matter? Subfinder only finds subdomains; Amass maps the entire attack surface! DNS records, ASN numbers, IP ranges, related domains, all in one go! Elite hackers use both tools as a combo!
Amass vs Subfinder: What's the Difference?
🔍 SUBFINDER:
→ Fast passive subdomain discovery
→ 26+ sources
→ Simple and quick
→ Best for: rapid subdomain listing
🕸️ AMASS:
→ Deep recon engine
→ Also does DNS brute forcing
→ ASN + IP range enumeration
→ Graph database with visual maps
→ Certificate transparency deep dive
→ Best for: complete attack surface mapping
🏆 ELITE HACKERS:
→ Use both tools together!
→ Subfinder → quick results
→ Amass → deep analysis
→ Combine them → maximum coverage
Installation on Kali Linux
Method 1: via apt
sudo apt update
sudo apt install amass -y
# Verify the install
amass -version
Method 2: via Go (latest version, recommended)
# Go must be installed first
go install -v github.com/owasp-amass/amass/v4/...@master
# Add the Go bin directory to PATH
export PATH=$PATH:~/go/bin
echo 'export PATH=$PATH:~/go/bin' >> ~/.bashrc
source ~/.bashrc
# Version check
amass -version
Method 3: via Docker
# Pull the image
docker pull caffix/amass
# Run it (mount a local directory as the Amass config/output dir)
docker run -v OUTPUT_DIR_PATH:/.config/amass \
  caffix/amass enum -d example.com
Understanding the Full Structure of Amass
Amass has several sub-commands:
amass
├── enum → Subdomain enumeration (the main command)
├── intel → Find organization information
├── viz → Build a visual graph
├── track → Track changes between scans
└── db → Database operations
We'll go deep into each one, one at a time!
Config File Setup: MUST DO!
Without a config file Amass does 30% of the job; with API keys it does 100%!
Step 1: Create the Config File
# Create the config directory
mkdir -p ~/.config/amass
# Create the config file
nano ~/.config/amass/config.yaml
Step 2: Config File Content
# ~/.config/amass/config.yaml
# Note: Amass v4 keeps API keys in a separate datasources.yaml that
# config.yaml points to; compare the examples/ directory of the version
# you installed before copying this layout.
# ─── API KEYS ──────────────────────────────
datasources:
  - name: AlienVault
    apikey: YOUR_ALIENVAULT_KEY
  - name: BinaryEdge
    apikey: YOUR_BINARYEDGE_KEY
  - name: Censys
    username: YOUR_CENSYS_ID
    password: YOUR_CENSYS_SECRET
  - name: GitHub
    apikey: YOUR_GITHUB_TOKEN
  - name: SecurityTrails
    apikey: YOUR_SECURITYTRAILS_KEY
  - name: Shodan
    apikey: YOUR_SHODAN_KEY
  - name: VirusTotal
    apikey: YOUR_VIRUSTOTAL_KEY
  - name: URLScan
    apikey: YOUR_URLSCAN_KEY
  - name: WhoisXML
    apikey: YOUR_WHOISXML_KEY
# ─── RESOLVERS ─────────────────────────────
resolvers:
  - 8.8.8.8 # Google DNS
  - 8.8.4.4 # Google DNS 2
  - 1.1.1.1 # Cloudflare DNS
  - 1.0.0.1 # Cloudflare DNS 2
  - 9.9.9.9 # Quad9 DNS
# ─── SETTINGS ──────────────────────────────
scope:
  ports:
    - 80
    - 443
    - 8080
    - 8443
💡 Where to get free API keys:
SecurityTrails → securitytrails.com (free 50/month)
VirusTotal → virustotal.com (free)
GitHub → github.com/settings/tokens (free)
URLScan → urlscan.io (free)
WhoisXML → whoisxmlapi.com (free 500/month)
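An added check for the config file above (example code, not from the article or the Amass project): it reads the YAML line by line using only the standard library, reports data sources whose credentials are still placeholders, and warns when the file, which holds real API keys once filled in, is readable by other users. The sample config and the Shodan-looking key are constructed.

```python
"""Lint the config.yaml above before scanning (stdlib only; reads it line by line)."""
import os, re, stat, tempfile

PLACEHOLDER = re.compile(r"^(YOUR_|<)", re.I)      # unfilled values look like this
SECRET_KEYS = ("apikey", "password", "username")   # credential fields per data source

def check_config(path):
    """Return the data sources still on placeholder credentials (the '30%' run
    the article warns about) and whether the file, which holds real API keys
    once filled in, is readable by other users (group/other permission bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    out = {"unconfigured": [], "world_readable": bool(mode & 0o077)}
    source = None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            item = raw.split("#", 1)[0].strip()    # drop YAML comments
            m = re.match(r"(?:-\s*)?(\w+):\s*(.*)$", item)
            if not m:
                continue                           # blank line or plain list item
            key, val = m.group(1), m.group(2).strip().strip("'\"")
            if key == "name":
                source = val                       # start of a new data source entry
            elif key in SECRET_KEYS and source and (not val or PLACEHOLDER.match(val)):
                if source not in out["unconfigured"]:
                    out["unconfigured"].append(source)
    return out

# Constructed sample: two sources still on placeholders, one filled in.
SAMPLE = """\
datasources:
  - name: SecurityTrails
    apikey: YOUR_SECURITYTRAILS_KEY
  - name: Shodan
    apikey: 0123456789abcdef0123456789abcdef   # constructed, not a real key
  - name: Censys
    username: YOUR_CENSYS_ID
    password: YOUR_CENSYS_SECRET
resolvers:
  - 8.8.8.8
"""

def demo():
    """Write the constructed sample with lax 0644 permissions and lint it."""
    fd, path = tempfile.mkstemp(suffix=".yaml")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE)
    os.chmod(path, 0o644)                          # deliberately too open
    try:
        return check_config(path)
    finally:
        os.unlink(path)
```

Run `check_config` on your real file once the keys are in; an empty `unconfigured` list and `world_readable` False is what you want before the first scan.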
PART 1: amass enum, the Main Command
Basic 1: Simple Passive Scan
# Passive sources only; will not touch the target
amass enum -passive -d example.com
# Save the output to a file
amass enum -passive -d example.com -o passive_subs.txt
Basic 2: Active Scan with DNS Resolution
# Active = also sends DNS queries directly
amass enum -active -d example.com -o active_subs.txt
# Warning: an active scan talks to the target's DNS servers
# In bug bounty, check whether active scanning is allowed!
Basic 3: Use the Config File
# With your config file, so the API keys are used
amass enum -d example.com \
  -config ~/.config/amass/config.yaml \
  -o subs_with_api.txt
Basic 4: Multiple Domains
# Create a domains file
cat > domains.txt << EOF
example.com
example.net
example.org
EOF
# Scan them all
amass enum -df domains.txt -o all_subs.txt
PART 2: Advanced enum Commands
Advanced 1: Brute Force Mode for Hidden Subdomains
# DNS brute forcing: try subdomains from a wordlist
amass enum -brute -d example.com \
  -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt \
  -o brute_subs.txt
# Use a custom wordlist
amass enum -brute -d example.com \
  -w ~/wordlists/best_subdomains.txt \
  -o brute_results.txt
Why brute force? Passive sources find the subdomains that are publicly indexed; brute force finds the ones that were deliberately kept hidden. Dev, staging and internal portals are where the high-severity bugs turn up!
Advanced 2: Recursive Brute Force
# Find subdomains nested under the subdomains you already found
amass enum -brute -d example.com \
  -w wordlist.txt \
  -recursive \
  -min-for-recursive 2 \
  -o recursive_results.txt
# min-for-recursive 2 = once 2 valid subdomains are found under a name,
# that name is itself brute forced recursively
Advanced 3: IP Range Scan via ASN
# First find the ASN number (details in PART 3)
# Then scan that ASN's whole IP range
amass enum -active -d example.com \
  -asn 15169 \
  -o asn_results.txt
# Multiple ASNs
amass enum -active -asn 15169,13335 -o multi_asn.txt
Advanced 4: Timeout and Rate Control
# Set a timeout (in minutes)
amass enum -d example.com -timeout 30
# Verbose output
amass enum -d example.com -v
# Maximum DNS queries per second
amass enum -d example.com -max-dns-queries 200
Advanced 5: Exclude Sources
# Exclude specific sources
amass enum -d example.com \
  -exclude Shodan,BinaryEdge \
  -o filtered_results.txt
# List the available sources
amass enum -list
PART 3: amass intel, the ELITE TECHNIQUE!
This is the technique elite hackers use and beginners don't know at all!
With amass intel you can find a company's entire digital footprint, not just from a domain name but from the company name, an IP or an ASN!
Intel 1: Find Domains by Company Name
# Find related domains from the company name
amass intel -org "Example Corporation"
# Output:
# example.com
# examplecorp.com
# example.net
# example-inc.com
# ... (all of the company's registered domains!)
Why is this powerful? A bug bounty scope usually lists *.example.com, but the company often has 10 more domains that are not listed in scope yet still related! Intel shows you these; then ask the program for clarification!
Intel 2: Find Domains by IP Address
# Find all domains related to one IP (reverse IP)
amass intel -ip 93.184.216.34
# From a CIDR range
amass intel -cidr 93.184.216.0/24
Intel 3: Full IP Range from an ASN
# The company's whole IP range from its ASN number
amass intel -asn 15169
# Finding the ASN first:
# whois 8.8.8.8 | grep -i "originas\|asn\|as "
# Or: look the IP up on bgp.he.net
Intel 4: Reverse Whois, ELITE!
# All domains registered under one email or name
amass intel -d example.com -whois
# The output includes:
# other domains registered with the same registrant email
# A great technique for finding affiliate programs!
The Real Elite Workflow: How Intel Is Actually Used:
# Step 1: find the ASN from the company name
amass intel -org "Target Company" > company_info.txt
# Step 2: extract the ASN numbers (drop the "AS" prefix; -asn wants bare numbers)
grep -oE 'AS[0-9]+' company_info.txt | sed 's/^AS//' | sort -u > asn_numbers.txt
# Step 3: pull the IP ranges from each ASN
while read -r asn; do
  amass intel -asn "$asn" >> ip_ranges.txt
done < asn_numbers.txt
# Step 4: find domains in those IP ranges (one -cidr call per range)
while read -r cidr; do
  amass intel -cidr "$cidr" >> related_domains.txt
done < ip_ranges.txt
sort -u -o related_domains.txt related_domains.txt
# Step 5: now run enum on those domains!
amass enum -df related_domains.txt \
  -config ~/.config/amass/config.yaml \
  -o final_subs.txt
echo "Total subdomains: $(wc -l < final_subs.txt)"
That is complete attack surface discovery: all of the company's digital assets! 🔥
PART 4: amass viz, the Visual Graph!
Amass can build a visual graph: the whole attack surface in one picture!
# First scan and save the results to the database
amass enum -d example.com \
  -config ~/.config/amass/config.yaml
# Then generate the graph
amass viz -d3 -d example.com -o example_graph.html
# Open it in a browser
firefox example_graph.html
The graph shows:
Subdomains → IPs → ASNs and how they connect
Related domains
Infrastructure relationships
Visual attack paths
Use case: add this graph to your bug bounty report so the company sees how big its exposed attack surface is! Higher impact = higher bounty!
PART 5: amass track, Monitor Changes
# First scan, the baseline
amass enum -d example.com \
  -config ~/.config/amass/config.yaml
# Scan again a few days later
amass enum -d example.com \
  -config ~/.config/amass/config.yaml
# See the differences
amass track -d example.com
# Output:
# NEW: newfeature.example.com ← new subdomain! 🎯
# REMOVED: old.example.com ← the old one was taken down
Elite strategy: put amass track in a cron job; whenever a new subdomain appears, scan it right away, when the chance of fresh bugs is highest!
ELITE COMBO WORKFLOW: Subfinder + Amass
#!/bin/bash
# ultimate_recon.sh, the elite recon script
TARGET="$1"
if [ -z "$TARGET" ]; then
  echo "Usage: $0 <domain>"
  exit 1
fi
DATE=$(date +%Y%m%d_%H%M)
DIR="recon_${TARGET}_${DATE}"
mkdir -p "$DIR"
echo "═══════════════════════════════════"
echo "🔥 ULTIMATE RECON: $TARGET"
echo "═══════════════════════════════════"
# ─── PHASE 1: Subfinder (fast) ──────────
echo ""
echo "⚡ Phase 1: Subfinder (fast passive)..."
subfinder -d "$TARGET" -all -silent \
  -o "$DIR/subfinder_subs.txt"
echo "✅ Subfinder: $(wc -l < "$DIR/subfinder_subs.txt") subdomains"
# ─── PHASE 2: Amass passive ─────────────
echo ""
echo "🕸️ Phase 2: Amass (deep passive)..."
amass enum -passive -d "$TARGET" \
  -config ~/.config/amass/config.yaml \
  -o "$DIR/amass_passive.txt"
echo "✅ Amass passive: $(wc -l < "$DIR/amass_passive.txt") subdomains"
# ─── PHASE 3: Amass brute force ─────────
echo ""
echo "💪 Phase 3: Amass brute force..."
amass enum -brute -d "$TARGET" \
  -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt \
  -o "$DIR/amass_brute.txt"
echo "✅ Amass brute: $(wc -l < "$DIR/amass_brute.txt") subdomains"
# ─── PHASE 4: Combine + deduplicate ─────
echo ""
echo "🔀 Phase 4: Combining & deduplicating..."
cat "$DIR/subfinder_subs.txt" \
    "$DIR/amass_passive.txt" \
    "$DIR/amass_brute.txt" | \
  sort -u > "$DIR/all_subs_unique.txt"
echo "✅ Total unique: $(wc -l < "$DIR/all_subs_unique.txt") subdomains"
# ─── PHASE 5: Live filter ────────────────
echo ""
echo "🌐 Phase 5: Filtering live hosts..."
httpx -l "$DIR/all_subs_unique.txt" -silent -status-code -title \
  -tech-detect -content-length \
  -o "$DIR/live_hosts.txt"
echo "✅ Live hosts: $(wc -l < "$DIR/live_hosts.txt")"
# ─── PHASE 6: Vulnerability scan ─────────
echo ""
echo "🎯 Phase 6: Nuclei scanning..."
# first column of httpx output is the URL
awk '{print $1}' "$DIR/live_hosts.txt" | \
  nuclei -t ~/nuclei-templates/exposures/ \
    -t ~/nuclei-templates/misconfiguration/ \
    -t ~/nuclei-templates/takeovers/ \
    -severity medium,high,critical \
    -o "$DIR/vulnerabilities.txt"
echo "🔥 Potential vulns: $(wc -l < "$DIR/vulnerabilities.txt")"
# ─── SUMMARY ─────────────────────────────
echo ""
echo "═══════════════════════════════════"
echo "📊 RECON SUMMARY"
echo "═══════════════════════════════════"
echo "Total subdomains : $(wc -l < "$DIR/all_subs_unique.txt")"
echo "Live hosts       : $(wc -l < "$DIR/live_hosts.txt")"
echo "Potential vulns  : $(wc -l < "$DIR/vulnerabilities.txt")"
echo "Results saved in : $DIR/"
echo "═══════════════════════════════════"
# Usage:
# chmod +x ultimate_recon.sh
# ./ultimate_recon.sh example.com
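The merge step of the combo script and the change report of the amass track section, as an added Python example (not code from the article or the Amass project) run on constructed tool output instead of real files: names are normalised before deduplication, hosts outside the programme's root domains are separated out (the case the article says to raise with the program), and the in-scope list is diffed against a baseline run the way amass track reports NEW and REMOVED. The host names, the scope and the baseline are all constructed.

```python
"""Post-process recon output: merge tool lists, check scope, diff against a baseline."""

def normalize(name):
    """Lower-case, strip whitespace, a leading wildcard and a trailing dot."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def merge(*lists):
    """Deduplicate names from several tool outputs (what `sort -u` does above,
    but after normalising so API.example.com and api.example.com. collapse)."""
    return sorted({normalize(n) for lst in lists for n in lst if n.strip()})

def split_scope(names, roots):
    """Return (in_scope, out_of_scope). A name is in scope when it equals a root
    domain or ends with '.' + root, for any root the programme lists."""
    roots = [normalize(r) for r in roots]
    ok = lambda n: any(n == r or n.endswith("." + r) for r in roots)
    return [n for n in names if ok(n)], [n for n in names if not ok(n)]

def diff(baseline, current):
    """What `amass track` reports between two runs: (new, removed)."""
    before, after = set(merge(baseline)), set(merge(current))
    return sorted(after - before), sorted(before - after)

# Constructed sample data standing in for subfinder_subs.txt, amass_passive.txt,
# amass_brute.txt and an earlier baseline run (hypothetical names, not real hosts).
SUBFINDER = ["www.example.com", "API.example.com", "cdn.example.net"]
AMASS_PASSIVE = ["api.example.com.", "*.dev.example.com", "old.example.com"]
AMASS_BRUTE = ["staging.example.com", "www.example.com", "exampleinc.com"]
BASELINE = ["www.example.com", "old.example.com", "retired.example.com"]
SCOPE = ["example.com"]           # what the programme's policy actually lists

def report():
    """Run the whole pipeline on the sample data and return every stage."""
    merged = merge(SUBFINDER, AMASS_PASSIVE, AMASS_BRUTE)
    in_scope, out_of_scope = split_scope(merged, SCOPE)
    new, removed = diff(BASELINE, in_scope)
    return {"merged": merged, "in_scope": in_scope, "out_of_scope": out_of_scope,
            "new": new, "removed": removed}

if __name__ == "__main__":
    for stage, names in report().items():
        print(f"{stage:13s}: {names}")
```

Feed real files in by reading each one into a list; the out_of_scope list is what you take to the program before touching those hosts.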
Amass Cheat Sheet: Quick Reference
# ─── ENUM ────────────────────────────────
amass enum -d example.com                       # Basic
amass enum -passive -d example.com              # Passive only
amass enum -active -d example.com               # Active DNS
amass enum -brute -d example.com -w list.txt    # Brute force
amass enum -d example.com -recursive            # Recursive
amass enum -d example.com -timeout 30           # 30 min timeout
amass enum -df domains.txt                      # Multiple domains
amass enum -config config.yaml -d example.com   # With config
# ─── INTEL ───────────────────────────────
amass intel -org "Company Name"                 # By company
amass intel -ip 1.2.3.4                         # By IP
amass intel -cidr 1.2.3.0/24                    # By CIDR
amass intel -asn 15169                          # By ASN
amass intel -d example.com -whois               # Reverse whois
# ─── VIZ ─────────────────────────────────
amass viz -d3 -d example.com -o graph.html      # Visual graph
# ─── TRACK ───────────────────────────────
amass track -d example.com                      # Show changes
# ─── DB ──────────────────────────────────
amass db -d example.com -show                   # DB contents
amass db -d example.com -summary                # Summary
Real Bug Bounty Scenario
# Target: bigcorp.com
# Step 1: Intel, found the ASN
amass intel -org "Big Corporation"
# Output: AS12345 bigcorp.com, bigcorp.net, bigcorp.io
# Step 2: IP ranges from the ASN
amass intel -asn 12345
# Output: 192.0.2.0/24, 198.51.100.0/24
# Step 3: Deep enum with brute force
amass enum -brute -d bigcorp.com \
  -config ~/.config/amass/config.yaml \
  -recursive -o subs.txt
# 1,247 subdomains found!
# Step 4: Filter with httpx
cat subs.txt | httpx -silent > live.txt
# 389 live hosts
# Step 5: Interesting find:
# dev-internal.bigcorp.com [200]
# Checked manually → no authentication!
# Internal employee portal exposed!
# Bounty: $1,500 🎉
Today's Homework
# 1. Install Amass and verify it
amass -version
# 2. Create the config file and add your GitHub token
# 3. Run a passive scan (safe, legal):
amass enum -passive -d hackerone.com \
  -o h1_amass.txt
cat h1_amass.txt | wc -l
# 4. Compare with your Subfinder results:
# (remember the homework from Article #6?)
comm -13 <(sort h1_subfinder.txt) \
  <(sort h1_amass.txt) > amass_only.txt
echo "Amass exclusive: $(wc -l < amass_only.txt)"
# 5. Try the intel command:
amass intel -org "HackerOne"
# What did you find? Tell me in the comments!
Quick Revision
🕸️ Amass = deep recon engine (more powerful than Subfinder)
📡 enum = subdomain discovery (passive + active + brute)
🏢 intel = all of a company's domains + ASNs + IPs
📊 viz = visual graph, the attack surface map
🔄 track = monitor for new subdomains
🔑 Config/keys = 10x better results
🤝 Combo = Subfinder + Amass = maximum coverage
💰 Bug types = forgotten portals, old servers, exposed internal tools, subdomain takeover
My Take…
Once I ran amass intel -org against a company whose scope was only *.main-site.com.
Intel showed 4 more domains that weren't mentioned in scope but belonged to the same company.
I messaged the program: "Are these domains in scope too?"
The company replied: "Yes! Thanks for asking, they're now added to scope."
And on one of them I found a Critical SSRF: a $2,000 bounty!
Lesson: tools aren't just for hacking; they're also for asking the right questions!
Next article: HTTPX + DNSX, filtering live hosts and pulling secrets out of DNS records! 🔥
HackerMD — Bug Bounty Hunter | Cybersecurity Researcher
GitHub: BotGJ16 | Medium: @HackerMD
Previous: Article #6, Subfinder Elite Guide
Next: Article #8, HTTPX + DNSX: Filter the Live Hosts!
#Amass #Recon #BugBounty #EthicalHacking #Hinglish #SubdomainEnumeration #ASN #HackerMD
#reconnaissance #bug-bounty #ethical-hacking #cybersecurity #pentesting