OWASP Amass Network Mapping Tool Cheat Sheet
Overview
OWASP Amass is an open-source network mapping and external asset discovery tool that helps information security professionals discover assets belonging to their organization. It performs DNS enumeration, subdomain discovery, and network reconnaissance to map an organization's attack surface through various data sources and techniques.
⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using against any target.
Installation
Go Installation
```bash
# Install via Go
go install -v github.com/owasp-amass/amass/v4/...@master
# Verify installation
amass -version
```
Package Manager Installation
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install amass
# Arch Linux
sudo pacman -S amass
# macOS with Homebrew
brew install amass
# Kali Linux (pre-installed)
amass -h
```
Docker Installation
```bash
# Pull Docker image
docker pull caffix/amass
# Run with Docker (mount a host directory so config and results persist)
docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -d example.com
```
Manual Installation
```bash
# Download latest release
wget https://github.com/OWASP/Amass/releases/download/v4.2.0/amass_Linux_amd64.zip
unzip amass_Linux_amd64.zip
sudo mv amass_Linux_amd64/amass /usr/local/bin/
# Make executable
sudo chmod +x /usr/local/bin/amass
```
Basic Usage
Command Structure
```bash
# Basic syntax
amass [subcommand] [options]
# Get help
amass -h
amass [subcommand] -h
# Check version
amass -version
```
Available Subcommands
| Subcommand | Description |
|---|---|
| enum | Perform DNS enumeration and network mapping |
| intel | Collect intelligence on the target organization |
| viz | Generate visualizations of enumeration results |
| track | Compare results across multiple enumerations |
| db | Manage the graph database |
DNS Enumeration
Basic Enumeration
```bash
# Basic subdomain enumeration
amass enum -d example.com
# Multiple domains
amass enum -d example.com,target.org
# Domain list from file
amass enum -df domains.txt
# Passive enumeration only
amass enum -passive -d example.com
# Active enumeration (includes DNS brute force)
amass enum -active -d example.com
```
Advanced Enumeration Options
```bash
# Increase verbosity
amass enum -v -d example.com
# Set maximum DNS queries per minute
amass enum -d example.com -max-dns-queries 1000
# Stop the enumeration after N minutes (-timeout is in minutes, not seconds)
amass enum -d example.com -timeout 30
# Include IP addresses in output
amass enum -ip -d example.com
# Include CIDR ranges in scope
amass enum -cidr 192.168.1.0/24 -d example.com
```
Output Options
```bash
# Save results to file
amass enum -d example.com -o results.txt
# JSON output format
amass enum -d example.com -json results.json
# Directory for all output files
amass enum -d example.com -dir ./amass_output
# Log file location
amass enum -d example.com -log amass.log
```
Data Sources Configuration
API Keys Configuration
```bash
# Create config file
mkdir -p ~/.config/amass
nano ~/.config/amass/config.ini
```
Example config.ini content:
```ini
[data_sources]
[data_sources.AlienVault]
[data_sources.AlienVault.Credentials]
apikey = your_api_key_here
[data_sources.Censys]
[data_sources.Censys.Credentials]
api_id = your_api_id
secret = your_secret
[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = your_shodan_api_key
[data_sources.SecurityTrails]
[data_sources.SecurityTrails.Credentials]
apikey = your_securitytrails_api_key
[data_sources.VirusTotal]
[data_sources.VirusTotal.Credentials]
apikey = your_virustotal_api_key
```
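Added example, not from the Amass project: two pre-flight checks worth running on the config file above before an assessment. The file holds third-party API keys in clear text, so it should be owner-only (mode 600), and a credential left at its placeholder (`your_...`) or empty leaves that data source effectively unused without any obvious error. The sample config.ini below is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Amass project: pre-flight checks for an Amass
# config.ini holding data-source credentials.
# Assumption: one "key = value" credential per line under the
# [data_sources.<Name>.Credentials] sections shown in the cheat sheet.

# Finding 1: API keys are stored in clear text, so group/others should have no
# access bits. The mode string is parsed from ls -l, which is portable.
config_permission_finding() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ] || echo "perms: $1 is accessible to group/others (mode bits: $mode)"
}

# Finding 2: credential lines still carrying a placeholder ("your_...") or no value.
config_placeholder_findings() {
    grep -nE '^[[:space:]]*(apikey|api_id|secret|username|password)[[:space:]]*=[[:space:]]*(your_|$)' "$1" \
        | sed 's/^/placeholder: line /'
}

# Print all findings; exit status 0 only when there are none.
check_amass_config() {
    findings=$( { config_permission_finding "$1"; config_placeholder_findings "$1"; } )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample config: one placeholder key, one empty value, one filled value.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
[data_sources]
[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = your_shodan_api_key
[data_sources.Censys]
[data_sources.Censys.Credentials]
api_id =
secret = 0123456789abcdef0123456789abcdef
EOF
chmod 644 "$SAMPLE_CONFIG"   # deliberately too permissive

check_amass_config "$SAMPLE_CONFIG"   # prints 3 findings, exit status 1

# Remediated copy: owner-only permissions and constructed values in place of
# the placeholder and the empty field.
FIXED_CONFIG=$(mktemp)
sed -e 's/your_shodan_api_key/constructed0000shodan0000key/' \
    -e 's/^api_id =$/api_id = constructed-id/' "$SAMPLE_CONFIG" > "$FIXED_CONFIG"
chmod 600 "$FIXED_CONFIG"
check_amass_config "$FIXED_CONFIG"    # no output, exit status 0
```

Run it before `amass enum`; a non-zero exit status means either the permissions or the credentials need attention. The permission check reads the `ls -l` mode string rather than `stat`, whose flags differ between GNU and BSD.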
Data Source Management
```bash
# List available data sources
amass enum -list
# Exclude specific data sources
amass enum -d example.com -exclude censys,shodan
# Include only specific data sources
amass enum -d example.com -include virustotal,securitytrails
# Show data source usage
amass enum -d example.com -src
```
Intelligence Gathering
Organization Intelligence
```bash
# Gather intelligence on organization
amass intel -org "Example Corporation"
# Search by autonomous system number
amass intel -asn 12345
# Search by IP address
amass intel -addr 192.168.1.1
# Search by CIDR range
amass intel -cidr 192.168.1.0/24
# Reverse WHOIS lookup
amass intel -whois -d example.com
```
Advanced Intelligence Options
```bash
# Include related domains
amass intel -org "Example Corporation" -max-depth 3
# Active intelligence gathering
amass intel -active -org "Example Corporation"
# Passive intelligence only
amass intel -passive -org "Example Corporation"
# Output to file
amass intel -org "Example Corporation" -o intel_results.txt
```
Brute Force and Wordlists
DNS Brute Force
```bash
# Enable brute force with default wordlist
amass enum -brute -d example.com
# Custom wordlist
amass enum -brute -w custom_wordlist.txt -d example.com
# Multiple wordlists
amass enum -brute -w wordlist1.txt,wordlist2.txt -d example.com
# Number of subdomain names that must be found under a label before it is brute forced recursively
amass enum -brute -min-for-recursive 3 -d example.com
```
Wordlist Management
```bash
# Common wordlist locations
/usr/share/amass/wordlists/
/usr/share/wordlists/amass/
~/.config/amass/wordlists/
# Create custom wordlist (one label per line)
printf '%s\n' api dev test staging www mail ftp > custom_subs.txt
# Use SecLists wordlists
amass enum -brute -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -d example.com
```
Network Mapping and Visualization
Network Discovery
```bash
# Discover network infrastructure
amass enum -d example.com -ip -cidr 192.168.1.0/24
# Include ASN information
amass enum -d example.com -asn
# Discover related networks
amass intel -org "Example Corporation" -cidr 10.0.0.0/8
# Map network relationships
amass enum -d example.com -ip -asn -cidr 192.168.0.0/16
```
Visualization
```bash
# Generate a D3.js HTML visualization
amass viz -d3 -d example.com
# Generate a Gephi (GEXF) file
amass viz -gexf -d example.com
# Generate Maltego file
amass viz -maltego -d example.com
# Generate visualization from database
amass viz -d3 -d example.com -db amass.db
```
Graph Database Operations
```bash
# Import previous results
amass db -import results.json
# Export database results
amass db -export results.json -d example.com
# Show database statistics
amass db -show -d example.com
# List domains in database
amass db -list
# Delete domain from database
amass db -delete -d example.com
```
Advanced Techniques
Recursive Enumeration
```bash
# Recursive subdomain discovery
amass enum -d example.com -recursive
# Set recursion depth
amass enum -d example.com -recursive -max-depth 5
# Number of names found under a label before it is recursed into
amass enum -d example.com -recursive -min-for-recursive 2
```
Rate Limiting and Performance
```bash
# Limit DNS queries per minute
amass enum -d example.com -max-dns-queries 500
# Set number of concurrent goroutines
amass enum -d example.com -max-flow 1000
# Adjust timing between requests
amass enum -d example.com -freq 100ms
# Set overall timeout (minutes)
amass enum -d example.com -timeout 60
```
Filtering and Scope
```bash
# Include subdomains matching pattern
amass enum -d example.com -include ".*\.prod\..*"
# Exclude subdomains matching pattern
amass enum -d example.com -exclude ".*\.test\..*"
# Blacklist specific subdomains from a file (-blf)
printf 'test.example.com\ndev.example.com\n' > blacklist.txt
amass enum -d example.com -blf blacklist.txt
# Include only specific TLDs
amass enum -d example.com -include ".*\.com$"
```
Integration with Other Tools
Nmap Integration
```bash
# Export subdomains for Nmap scanning
amass enum -d example.com -o subdomains.txt
nmap -iL subdomains.txt -p 80,443,8080,8443 --open
# Combine with Nmap for service discovery
amass enum -d example.com -ip | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -u > ips.txt
nmap -iL ips.txt -sV -sC
```
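Added example, not from the cheat sheet or the Amass project: the IP-extraction pipeline above feeds Nmap directly, and the regex it uses accepts any one- to three-digit octet, so a malformed value such as `999.1.1.1` would end up in the target list. This block assumes the `name ip[,ip...]` line shape of `amass enum -ip` output (the sample lines are constructed), validates each octet, and also maps every address back to the names that resolve to it so a scan result can be tied to hostnames. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Amass project: turn "amass enum -ip" output into a
# target list for Nmap. Assumed line shape (constructed): "<name> <ip>[,<ip>...]".

# Constructed sample output. 999.1.1.1 and 10.0.0.256 are deliberately invalid:
# the cheat sheet's regex alone would pass them through to the scan list.
SAMPLE_OUTPUT='www.example.com 93.184.216.34
mail.example.com 93.184.216.34,203.0.113.10
dev.example.com 999.1.1.1
api.example.com 2001:db8::1,198.51.100.7
old.example.com 10.0.0.256'

# Unique IPv4 addresses from stdin: candidate dotted quads via the cheat sheet's
# regex, then drop any candidate with an octet above 255.
extract_ipv4() {
    grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' \
        | awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
        | LC_ALL=C sort -u
}

# "ip name [name ...]" per valid IPv4 address, so each scan target carries the
# hostnames that pointed at it. IPv6 entries are skipped here.
names_by_ipv4() {
    awk '{
        n = split($2, addrs, ",")
        for (i = 1; i <= n; i++) print addrs[i], $1
    }' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3} ' \
    | awk -F'[. ]' '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
    | LC_ALL=C sort -u \
    | awk '$1 != prev { if (NR > 1) printf "\n"; printf "%s", $1; prev = $1 }
           { printf " %s", $2 }
           END { if (NR > 0) printf "\n" }'
}

printf '%s\n' "$SAMPLE_OUTPUT" | extract_ipv4
# 198.51.100.7
# 203.0.113.10
# 93.184.216.34
printf '%s\n' "$SAMPLE_OUTPUT" | names_by_ipv4
# 198.51.100.7 api.example.com
# 203.0.113.10 mail.example.com
# 93.184.216.34 mail.example.com www.example.com
```

In practice replace the `printf` of the sample with `amass enum -d example.com -ip`, and write `extract_ipv4` output to the file passed to `nmap -iL`. Sorting in the C locale keeps the output order stable across machines.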
Nuclei Integration
```bash
# Use Amass results with Nuclei
amass enum -d example.com -o subdomains.txt
nuclei -l subdomains.txt -t /path/to/nuclei-templates/
# Combine with httpx for live subdomain detection
amass enum -d example.com | httpx -silent | nuclei -t /path/to/nuclei-templates/
```
Subfinder Integration
```bash
# Combine Amass with Subfinder
amass enum -passive -d example.com -o amass_results.txt
subfinder -d example.com -o subfinder_results.txt
cat amass_results.txt subfinder_results.txt | sort -u > combined_results.txt
```
Automation Scripts
Comprehensive Reconnaissance Script
```bash
#!/bin/bash
# Comprehensive reconnaissance: passive and active enumeration, intel,
# visualization and IP extraction for a single domain.
DOMAIN=$1
OUTPUT_DIR="amass_recon_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAIN" ]; then
    echo "Usage: $0 <domain>"
    exit 1
fi
mkdir -p "$OUTPUT_DIR"
echo "[+] Starting comprehensive reconnaissance for $DOMAIN"
# Passive enumeration (names only)
echo "[+] Running passive enumeration..."
amass enum -passive -d "$DOMAIN" -o "$OUTPUT_DIR/passive_subdomains.txt"
# Active enumeration with brute force; -ip appends the resolved addresses to each line
echo "[+] Running active enumeration with brute force..."
amass enum -active -brute -ip -d "$DOMAIN" -o "$OUTPUT_DIR/active_subdomains.txt"
# Intelligence gathering
echo "[+] Gathering intelligence..."
amass intel -d "$DOMAIN" -o "$OUTPUT_DIR/intelligence.txt"
# Combine results: keep the first field so "name ip,ip" lines reduce to names
echo "[+] Combining results..."
cat "$OUTPUT_DIR/passive_subdomains.txt" "$OUTPUT_DIR/active_subdomains.txt" \
    | awk '{print $1}' | sort -u > "$OUTPUT_DIR/all_subdomains.txt"
# Generate visualization (viz -o takes the output directory, not a file name)
echo "[+] Generating visualization..."
amass viz -d3 -d "$DOMAIN" -o "$OUTPUT_DIR"
# Extract IP addresses from the -ip output (the combined name list carries none)
echo "[+] Extracting IP addresses..."
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" "$OUTPUT_DIR/active_subdomains.txt" | sort -u > "$OUTPUT_DIR/ip_addresses.txt"
echo "[+] Reconnaissance complete. Results saved in $OUTPUT_DIR/"
echo "[+] Found $(wc -l < "$OUTPUT_DIR/all_subdomains.txt") unique subdomains"
echo "[+] Found $(wc -l < "$OUTPUT_DIR/ip_addresses.txt") unique IP addresses"
```
Continuous Monitoring Script
```bash
#!/bin/bash
# Continuous monitoring: re-run passive enumeration on a schedule and alert on
# names that were not in the baseline.
DOMAIN=$1
INTERVAL=3600 # 1 hour
BASELINE_FILE="baseline_$DOMAIN.txt"
ALERT_EMAIL="security@company.com"
if [ -z "$DOMAIN" ]; then
    echo "Usage: $0 <domain>"
    exit 1
fi
# Create baseline if it doesn't exist
if [ ! -f "$BASELINE_FILE" ]; then
    echo "[+] Creating baseline for $DOMAIN"
    amass enum -passive -d "$DOMAIN" -o "$BASELINE_FILE"
fi
while true; do
    TIMESTAMP=$(date +%Y%m%d_%H%M%S)
    CURRENT_FILE="current_${DOMAIN}_${TIMESTAMP}.txt"
    echo "[+] Running enumeration at $(date)"
    amass enum -passive -d "$DOMAIN" -o "$CURRENT_FILE"
    # Compare with baseline (comm needs sorted input; an empty run must not be compared)
    if [ -s "$CURRENT_FILE" ]; then
        NEW_SUBDOMAINS=$(comm -13 <(sort "$BASELINE_FILE") <(sort "$CURRENT_FILE"))
    else
        echo "[!] Enumeration produced no output; skipping comparison"
        NEW_SUBDOMAINS=""
    fi
    if [ -n "$NEW_SUBDOMAINS" ]; then
        echo "[!] New subdomains discovered:"
        echo "$NEW_SUBDOMAINS"
        # Send alert email
        echo "New subdomains discovered for $DOMAIN: $NEW_SUBDOMAINS" | \
            mail -s "Amass Alert: New Subdomains for $DOMAIN" "$ALERT_EMAIL"
        # Update baseline
        cat "$BASELINE_FILE" "$CURRENT_FILE" | sort -u > temp_baseline.txt
        mv temp_baseline.txt "$BASELINE_FILE"
    fi
    # Clean up
    rm -f "$CURRENT_FILE"
    echo "[+] Sleeping for $INTERVAL seconds..."
    sleep "$INTERVAL"
done
```
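Added example, not part of the cheat sheet or of Amass: the `comm -13` comparison the monitoring script relies on needs sorted input and compares raw bytes, so a case difference, a trailing dot or a blank line in one run produces a false "new subdomain" alert. The functions below (hypothetical names) normalise both lists first, and also report names that disappeared since the baseline, which the script above does not track. The baseline and current files are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the cheat sheet or the Amass project: the baseline
# comparison step of the monitoring script, with the normalisation comm(1) needs.
# comm(1) requires sorted input and compares bytes, so "WWW.example.com",
# "www.example.com." and "www.example.com " would all be reported as new names.

# Canonical form, one name per line: lower-case, no trailing whitespace or dot,
# no blank lines, sorted and de-duplicated in the C locale.
normalize_names() {
    tr 'A-Z' 'a-z' \
        | sed -e 's/[[:space:]]*$//' -e 's/\.$//' -e '/^$/d' \
        | LC_ALL=C sort -u
}

# Names in the current file ($2) that are absent from the baseline ($1).
new_names() {
    nn_base=$(mktemp); nn_cur=$(mktemp)
    normalize_names < "$1" > "$nn_base"
    normalize_names < "$2" > "$nn_cur"
    comm -13 "$nn_base" "$nn_cur"
    rm -f "$nn_base" "$nn_cur"
}

# Names that disappeared since the baseline (decommissioned host, expired
# record, data source outage): worth reporting, and ignored by the script above.
dropped_names() {
    new_names "$2" "$1"
}

# Merged baseline: the union the monitoring script writes back after an alert.
merged_names() {
    cat "$1" "$2" | normalize_names
}

# Constructed sample data: a baseline and a later run with mixed case, a trailing
# dot, a blank line, two genuinely new names and one name that went away.
BASELINE=$(mktemp); CURRENT=$(mktemp)
printf 'www.example.com\nMail.example.com\napi.example.com.\nlegacy.example.com\n' > "$BASELINE"
printf 'WWW.EXAMPLE.COM\nmail.example.com\napi.example.com\nstaging.example.com\n\nvpn.example.com.\n' > "$CURRENT"

echo "new:";     new_names "$BASELINE" "$CURRENT"      # staging.example.com, vpn.example.com
echo "dropped:"; dropped_names "$BASELINE" "$CURRENT"  # legacy.example.com
echo "merged:";  merged_names "$BASELINE" "$CURRENT"   # 6 unique names
```

Dropping into the monitoring script, `NEW_SUBDOMAINS=$(new_names "$BASELINE_FILE" "$CURRENT_FILE")` replaces the raw `comm` call, and `merged_names` replaces the `cat | sort -u` baseline update so the stored baseline stays in canonical form.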
Multi-Domain Assessment
```bash
#!/bin/bash
# Multi-domain assessment: passive/active enumeration and intel for every
# domain listed in a file (one per line), followed by a summary report.
DOMAINS_FILE=$1
OUTPUT_BASE="multi_domain_$(date +%Y%m%d_%H%M%S)"
if [ -z "$DOMAINS_FILE" ] || [ ! -f "$DOMAINS_FILE" ]; then
    echo "Usage: $0 <domains_file>"
    exit 1
fi
mkdir -p "$OUTPUT_BASE"
echo "[+] Starting multi-domain assessment"
# IFS= read -r reads each line verbatim (no backslash processing)
while IFS= read -r domain; do
    if [ -n "$domain" ]; then
        echo "[+] Processing $domain"
        domain_dir="$OUTPUT_BASE/$domain"
        mkdir -p "$domain_dir"
        # Passive enumeration
        amass enum -passive -d "$domain" -o "$domain_dir/passive.txt"
        # Active enumeration
        amass enum -active -d "$domain" -o "$domain_dir/active.txt"
        # Intelligence gathering
        amass intel -d "$domain" -o "$domain_dir/intel.txt"
        # Combine results
        cat "$domain_dir/passive.txt" "$domain_dir/active.txt" | sort -u > "$domain_dir/all_subdomains.txt"
        echo "[+] Found $(wc -l < "$domain_dir/all_subdomains.txt") subdomains for $domain"
    fi
done < "$DOMAINS_FILE"
# Generate summary report
echo "[+] Generating summary report..."
echo "Multi-Domain Assessment Summary" > "$OUTPUT_BASE/summary.txt"
echo "===============================" >> "$OUTPUT_BASE/summary.txt"
echo "" >> "$OUTPUT_BASE/summary.txt"
for domain_dir in "$OUTPUT_BASE"/*/; do
    domain=$(basename "$domain_dir")
    if [ -f "$domain_dir/all_subdomains.txt" ]; then
        count=$(wc -l < "$domain_dir/all_subdomains.txt")
        echo "$domain: $count subdomains" >> "$OUTPUT_BASE/summary.txt"
    fi
done
echo "[+] Multi-domain assessment complete. Results in $OUTPUT_BASE/"
```
Performance Optimization
Resource Management
```bash
# Optimize for large-scale enumeration
amass enum -d example.com -max-dns-queries 2000 -max-flow 2000
# Reduce memory usage
amass enum -d example.com -passive -max-dns-queries 500
# Optimize for speed
amass enum -d example.com -active -brute -max-dns-queries 5000 -timeout 10
```
Configuration Tuning
```bash
# Create performance-optimized config
cat > ~/.config/amass/config.ini << EOF
[scope]
[scope.domains]
example.com = true
[scope.blacklisted]
test.example.com = true
[bruteforce]
enabled = true
recursive = true
min_for_recursive = 1
[alterations]
enabled = true
minimum = 1
[settings]
max_dns_queries = 2000
max_flow = 2000
EOF
```
Troubleshooting
Common Issues
```bash
# DNS resolution issues: use explicit resolvers
amass enum -d example.com -r 8.8.8.8,1.1.1.1
# Rate limiting issues
amass enum -d example.com -max-dns-queries 100 -freq 1s
# Memory issues
amass enum -d example.com -passive -max-flow 500
# Timeout issues (minutes)
amass enum -d example.com -timeout 120
```
Debug Mode
```bash
# Enable debug output
amass enum -d example.com -debug
# Verbose logging
amass enum -d example.com -v -log debug.log
# Show data sources being used
amass enum -d example.com -src -v
```
Configuration Validation
```bash
# Test configuration file
amass enum -config ~/.config/amass/config.ini -list
# Validate API keys
amass enum -d example.com -src -v | grep -i "api\|key\|auth"
# Check data source availability
amass enum -list | grep -E "(Available|Enabled)"
```
Best Practices
Reconnaissance Strategy
- Start with passive enumeration: Minimize detection risk
- Use multiple data sources: Combine different intelligence sources
- Implement rate limiting: Avoid overwhelming target infrastructure
- Regular monitoring: Set up continuous subdomain monitoring
- Validate results: Verify discovered assets are legitimate
Operational Security
```bash
# Use VPN or proxy for reconnaissance
export HTTP_PROXY=http://proxy:8080
export HTTPS_PROXY=http://proxy:8080
amass enum -d example.com
# Rotate API keys
# Use different API keys for different assessments
# Implement delays
amass enum -d example.com -freq 2s -max-dns-queries 100
```
Data Management
```bash
# Regular database maintenance
amass db -show
amass db -delete -d old_domain.com
# Backup important results
cp ~/.config/amass/amass.db "backup_$(date +%Y%m%d).db"
# Export results in multiple formats (viz -o is an output directory)
amass db -export json_results.json -d example.com
amass viz -d3 -d example.com -o ./viz_output
```
Resources
- OWASP Amass GitHub Repository
- Amass Documentation
- OWASP Amass Project Page
- Amass Tutorial Videos
- Bug Bounty Methodology
This cheat sheet provides a comprehensive reference for using OWASP Amass. Always ensure you have proper authorization before conducting network reconnaissance and asset discovery.