AttackSurfaceMapper (ASM) : a new penetration testing tool


Recently at Black Hat, the cyber security firm Trustwave announced a new penetration testing tool called AttackSurfaceMapper (ASM). Developed in Python 3.x, it is compatible with all major operating systems and helps automate the reconnaissance phase of a penetration test.

The best part is that it saves the most valuable commodity a human being can possess, time, which makes it highly efficient. It does this through a simplified three-step process:

  1. The user enters the target domains, subdomains or IP addresses
  2. The tool uses the target identifier given in the previous stage to collect valuable intel available from a wide variety of public sources
  3. The collected data, which may comprise emails, linked IP addresses, usernames, breached passwords, phone numbers, social media presences and much more, is displayed, with the user having the option to export it to HTML, CSV and TXT files.

In the words of the developers themselves on their official GitHub page, where the tool can also be downloaded, the entire process after step 1 is as follows:

“Once the target list is fully expanded it performs passive reconnaissance on them, taking screenshots of websites, generating visual maps, looking up credentials in public breaches, passive port scanning with Shodan and scraping employees from LinkedIn.

What this means is you’re left with hard actionable data gathered from these processes, targets to scan, websites to attack, email addresses to phish and credentials to brute force and spray,” wrote Trustwave in their blog post.

To conclude, AttackSurfaceMapper is one more tool that testifies to the huge advancements we’ve seen in the cybersecurity world over the past few years.

The only drawback tools like AttackSurfaceMapper have is that while white-hat hackers can definitely use them to enhance the defenses of their systems, at the same time black-hat hackers can also make use of such publicly available tools for malicious purposes.


The standardised penetration testing framework, as described by OWASP and MITRE, consists of seven phases, with each framework using similar terminology.

The MITRE ATT&CK framework breaks down the attack simulation methodology into Recon, Weaponize, Deliver, Control, Execute and Maintain.

In this article, our focus will lie on the Reconnaissance stage, the first and arguably most critical.

[Figure: A diagram depicting the MITRE ATT&CK framework.]

Reconnaissance is an integral part of the penetration testing methodology, yet it is often neglected.

In many cases, it was possible to gain a foothold on the internal network by analysing and exploiting the wealth of information acquired during reconnaissance, rather than by weaponizing complex vulnerabilities.

The pre-engagement stage is usually split into active and passive processes.

The active part includes all standard enumeration techniques, while the passive part refers to the collection of Open Source INTelligence (OSINT) techniques that rely on information publicly available on the internet.

Some of the most common OSINT techniques include querying APIs for IPs, domains and subdomains related to the target, using search engines to collect sensitive information about a company exposed on the internet, harvesting employee email addresses from social networks, and so on.

What is AttackSurfaceMapper?

AttackSurfaceMapper (ASM) aims to greatly simplify the reconnaissance process by taking a single target domain or a list of IPv4 addresses as input, then analysing it using passive OSINT techniques and active reconnaissance methods.

What this means is that security professionals are left with hard actionable data; new targets to scan, websites to attack, email addresses to phish and credentials to brute force and spray.

[Figure 1.0 – Actionable output generated by AttackSurfaceMapper]

A penetration tester has a limited amount of time to plan and orchestrate an engagement aiming to uncover all possible vulnerabilities and attack surface of an enterprise.

In contrast, adversaries have unlimited time to methodically pinpoint a single weakness to exploit.

The more time a pen tester spends on mundane preparation such as manually performing reconnaissance, the less time they will have for the actual test.

AttackSurfaceMapper greatly lightens this burden by executing all the repetitive processes and generating a set of files that can then be imported into other tools to perform further enumeration, scanning and exploitation.

[Figure 2.0 – AttackSurfaceMapper logo]

The tool was developed using Python 3.x which allows compatibility with all major operating systems.

By using a list of free and premium APIs, AttackSurfaceMapper aims to automate the reconnaissance phase and combine functionality from different tools.

In order to present only valid and accurate data, the tool groups the IPv4 addresses by primary domain and presents the information in a user-friendly and meaningful way.

Two of the most powerful features ASM supports are the “Expand” and “Stealth” modes.

When the “Expand” mode is enabled the tool attempts to aggressively identify additional IP address ranges and subdomains related to the target.

On the other hand, the “Stealth” functionality, as the name suggests, does not generate any traffic to the target, allowing the tester to collect data about the target without triggering any alerts.

[Figure 3.0 – A screenshot showing all ASM modules]

The tool’s execution flow is broken down into three stages.

  1. Reconnaissance:
  • Find IPs from associated ASNs and IPv4 prefixes.
  • Passively discover subdomains
  • Brute force subdomains
  • Port scanning
  • Hostname discovery
  • Passive & active DNS record capturing
  • Collect WHOIS records
  • Take screenshots of web portals
  2. Intel Extraction:
  • Scrape LinkedIn employee names & email addresses
  • Check for credentials in public data breaches
  • Download interesting files (e.g. PDF and XML)
  • Find AWS buckets
  3. Presentation:
  • Present useful information on the terminal.
  • Export gathered information in HTML, CSV and TXT files.

[Figure 4.0 – A snippet from the output generated by ASM.]

While the tool’s modules are running, the attack surface will further expand as it discovers new subdomains, related ASNs and IPv4 addresses.

It performs a recursive analysis and expansion of the IPv4 prefixes so that if new targets are found, it will feed them back and perform the full OSINT analysis cycle on them.
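To make the recursive “Expand” loop and the grouping-by-primary-domain presentation step concrete, here is an added illustration written for this article; it is not AttackSurfaceMapper’s own code. The passive-DNS, reverse-DNS and ASN-prefix tables are constructed stand-ins for the OSINT APIs the tool queries, and the function names are assumptions.

```python
"""Added illustration (not ASM's own code) of the worklist-style expansion
the article describes: every newly discovered host or IP is fed back through
the full lookup cycle until nothing new appears (a fixpoint)."""
from collections import deque

# Constructed stand-ins for the OSINT data sources ASM would query.
PASSIVE_DNS = {            # hostname -> IPv4 addresses it has resolved to
    "example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "vpn.example.com": ["198.51.100.7"],
    "shop.example.net": ["203.0.113.40"],
}
REVERSE_DNS = {            # IPv4 -> hostnames observed pointing at it
    "203.0.113.10": ["example.com", "www.example.com"],
    "203.0.113.25": ["mail.example.com"],
    "198.51.100.7": ["vpn.example.com"],
    "203.0.113.40": ["shop.example.net"],
}
ASN_PREFIXES = {           # /24 prefix -> other IPs announced in that prefix
    "203.0.113": ["203.0.113.10", "203.0.113.25", "203.0.113.40"],
    "198.51.100": ["198.51.100.7"],
}

def primary_domain(host):
    """Collapse 'www.example.com' to 'example.com' (simple two-label heuristic)."""
    return ".".join(host.split(".")[-2:])

def expand(seeds, expand_prefixes=True):
    """Return (hosts, ips) reachable from the seeds. With expand_prefixes=False
    the ASN/prefix pivot is skipped, so the result stays within the seed
    domains; that is the difference the 'Expand' switch makes."""
    queue, hosts, ips = deque(seeds), set(), set()
    while queue:
        item = queue.popleft()
        if item[0].isdigit():                    # IPv4 literal
            if item in ips:
                continue
            ips.add(item)
            queue.extend(REVERSE_DNS.get(item, []))
            if expand_prefixes:
                queue.extend(ASN_PREFIXES.get(item.rsplit(".", 1)[0], []))
        else:                                    # hostname
            if item in hosts:
                continue
            hosts.add(item)
            queue.extend(PASSIVE_DNS.get(item, []))
    return hosts, ips

def group_by_domain(hosts, ips):
    """Presentation stage: primary domain -> sorted IPs behind its hostnames."""
    groups = {}
    for host in hosts:
        for ip in PASSIVE_DNS.get(host, []):
            if ip in ips:
                groups.setdefault(primary_domain(host), set()).add(ip)
    return {d: sorted(v) for d, v in sorted(groups.items())}
```

Running `expand(["example.com"])` pulls in `shop.example.net` only because its IP shares a prefix with the seed, which is exactly the kind of unexpected adjacency a defender wants to learn about before an attacker does; `vpn.example.com` stays hidden because nothing links its prefix back to the seed.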

Lastly, it should be noted that the tool was designed with a modular architecture in mind. Each discrete module executes independently and returns data to the main data structure.

Along with the flexibility of having output in terminal, CSV and text file formats, AttackSurfaceMapper will be the first tool of choice for mapping and evaluating a large corporate external network.

Conclusion

Successfully scanning and footprinting the attack surface can assist red teamers and pen testers in crafting precise attacks and can help blue teams identify weak spots or areas of improvement.

It is also a practical way for enterprises to assess and quantify the amount of public information available on the internet.

There are several great tools available for performing specific testing tasks well, however, there is not a single framework where you can set as targets multiple IPs and domains and leave it running for automatic discovery.

ASM has been released to fill that gap and assist security professionals to complete the reconnaissance process much quicker, more efficiently and more accurately.

It gathers and processes a trove of information about exposed assets which is already available to malicious actors in an effort to discover the “true” attack surface and level the playing field.

By providing a level of automation, AttackSurfaceMapper is an open-source solution that helps the security community evaluate the exposure of infrastructure on the internet and take drastic measures to strengthen it.

This means that you can plug in a target, make a cup of tea and come back later to collect:

  • Email Addresses & Usernames
  • Public Data Breach Credentials & Hashes
  • Employees’ Social Network Presences
  • Subdomains
  • Associated ASNs and IP Addresses
  • Open Ports & Possible Vulnerabilities
  • Visual DNS map of the attack surface
  • Web Screenshots

As mentioned above, the tool’s modular design allows the integration of additional functionality and support for more third-party APIs in the future.

The next version of ASM will include new features such as graphical HTML report generation, support for IPv6 targets and multi-threading to boost efficiency. Once publicly released, it is expected that the security community will embrace this initiative and contribute to further developing and improving its capabilities.

To download AttackSurfaceMapper from GitHub visit: https://github.com/superhedgy/AttackSurfaceMapper

AttackSurfaceMapper will also be presented on the 7th of August at Black Hat Arsenal USA in Las Vegas (https://www.blackhat.com/us-19/arsenal/schedule/index.html#attack-surface-mapper-automate-and-simplify-the-osint-process-16713) and on the 11th of August at DEF CON 27 – Recon Village (https://reconvillage.org/talks.html).


Demo


Getting Started

These instructions will show you the requirements for and how to use Attack Surface Mapper.

Setup

As this is a Python based tool, it should theoretically run on Linux, ChromeOS (Developer Mode), macOS and Windows.

[1] Download and Install Attack Surface Mapper

$ git clone https://github.com/superhedgy/AttackSurfaceMapper
$ cd AttackSurfaceMapper
$ python3 -m pip install --no-cache-dir -r requirements.txt

[2] Provide Attack Surface Mapper with optional API keys to enable more data gathering

Open keylist.asm and enter the API Keys.

Optional Parameters

Additional optional parameters can also be set to choose to include active reconnaissance modules in addition to the default passive modules.

|<------ AttackSurfaceMapper - Help Page ------>|

positional arguments:
  targets               Sets the path of the target IPs file.

optional arguments:
  -h, --help            show this help message and exit
  -f FORMAT, --format FORMAT
                        Choose between CSV and TXT output file formats.
  -o OUTPUT, --output OUTPUT
                        Sets the path of the output file.
  -sc, --screen-capture
                        Capture a screen shot of any associated Web Applications.
  -sth, --stealth       Passive mode allows reconaissaince using OSINT techniques only.
  -t TARGET, --target TARGET
                        Set a single target IP.
  -V, --version         Displays the current version.
  -w WORDLIST, --wordlist WORDLIST
                        Specify a list of subdomains.
  -sw SUBWORDLIST, --subwordlist SUBWORDLIST
                        Specify a list of child subdomains.
  -e, --expand          Expand the target list recursively.
  -ln, --linkedinner    Extracts emails and employees details from linkedin.
  -v, --verbose         Verbose ouput in the terminal window.

Authors: Andreas Georgiou (@superhedgy)
         Jacob Wilkin (@greenwolf)
