
Amass

Amass is an OWASP project for mapping the attack surface of a target organization through subdomain enumeration, passive reconnaissance, and active DNS queries. It integrates with dozens of OSINT data sources and can perform deep ASN enumeration and organization discovery.

Installation

APT (Debian/Ubuntu)

apt-get update
apt-get install -y amass

Snap

snap install amass

Homebrew (macOS)

brew install amass

Go Install

go install -v github.com/owasp-amass/amass/v4/cmd/amass@latest

Docker

docker pull ghcr.io/owasp-amass/amass:latest
docker run -v "$(pwd):/work" ghcr.io/owasp-amass/amass:latest enum -d example.com -o /work/results.txt

Download from GitHub

Download the latest release from https://github.com/owasp-amass/amass/releases and extract the binary.

Subcommands Overview

Subcommand   Purpose
enum         Main enumeration command for subdomain discovery
intel        OSINT and organization intelligence gathering
db           Database operations to query cached results
dns          DNS resolution verification and lookups
track        Track changes and differences between enumeration runs

Passive Enumeration

Passive enumeration queries OSINT data sources without sending traffic to the target’s DNS servers. No DNS brute-forcing is performed.

Basic Passive Enumeration

amass enum -passive -d example.com

Passive Enumeration with Output

amass enum -passive -d example.com -o results.txt

Multiple Domains

amass enum -passive -d example.com -d example.org -d example.net

Data Sources Used in Passive Mode

Amass queries dozens of passive data sources including:

  • Certificate Transparency logs (Crt.sh, Google CT logs)
  • DNS records and zone file repositories
  • Search engines (Bing)
  • OSINT databases (Shodan, Censys)
  • DNS history services (SecurityTrails)
  • Archive sites and historical records

Passive with Source Filtering

# List available data sources
amass enum -list

# Use specific sources (-include selects data sources; -src only prints the source of each discovered name)
amass enum -passive -d example.com -include "Certspotter,Crtsh,Shodan"

Active Enumeration

Active enumeration performs DNS resolution and queries against the target’s infrastructure. This sends traffic to the target’s DNS servers.

Basic Active Enumeration

amass enum -active -d example.com

Active with Zone Transfer Attempts

# Zone transfers are attempted automatically during active enumeration
amass enum -active -d example.com

Certificate Grabbing

# Grab certificates during active reconnaissance
amass enum -active -d example.com

Increased Timeout for Slow Networks

# -timeout is given in minutes and bounds the whole enumeration, not a single DNS query
amass enum -active -d example.com -timeout 30

Brute Force Subdomain Discovery

Brute force DNS enumeration tests potential subdomain names against the target’s nameservers.

Basic Brute Force

amass enum -brute -d example.com

Brute Force with Custom Wordlist

amass enum -brute -d example.com -w /path/to/wordlist.txt

Brute Force with Wordlist Mutations

# Apply mutations to wordlist entries
amass enum -brute -d example.com -w /path/to/wordlist.txt -wm

Limit Brute Force Depth

# -min-for-recursive: names seen beneath a subdomain label before it is brute-forced recursively
# -max-depth: maximum number of subdomain labels brute forcing will descend to
amass enum -brute -d example.com -min-for-recursive 3 -max-depth 3

Performance Tuning

# Maximum concurrent DNS queries (default: 10000)
amass enum -brute -d example.com -max-dns-queries 5000

# Give the whole enumeration at most 15 minutes (-timeout is in minutes)
amass enum -brute -d example.com -timeout 15

Brute Force with Specific Resolvers

# -r sets the resolvers Amass sends queries to (repeat the flag or use a comma-separated list)
amass enum -brute -d example.com -r 8.8.8.8 -r 1.1.1.1

Intel Subcommand

The intel subcommand gathers organizational intelligence through WHOIS, ASN discovery, and reverse lookups.

amass intel -d example.com

Reverse WHOIS Lookup

# Find all domains registered to an organization
amass intel -d example.com -whois
# Enumerate all domains for an organization
amass intel -org "Example Corporation"

ASN Enumeration

# Find ASNs associated with the domain
amass intel -d example.com -asn

# Enumerate all domains in an ASN
amass intel -asn 12345

Combined Intel Operations

amass intel -d example.com -whois -asn -o intel_results.txt

DNS Subcommand

The dns subcommand verifies DNS resolution and performs DNS-specific operations.

DNS Resolution Verification

amass dns -d example.com

Resolve a Specific Subdomain

amass dns -d sub.example.com

Custom Nameservers

amass dns -d example.com -ns 8.8.8.8 -ns 1.1.1.1

Output DNS Records

amass dns -d example.com -o dns_records.txt

Track Subcommand

Track changes between enumeration runs to identify newly discovered subdomains.

Track Enumeration Changes

amass track -d example.com

Track with Previous Database

# Compare against previous enumeration stored in database
amass track -d example.com

View Tracked Changes

amass track -d example.com -show
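The track subcommand compares runs stored in Amass's own database. When runs are exported with -o or -json instead, the same comparison can be done offline. The script below is an added example for this cheat sheet, not part of Amass: it assumes the line-delimited JSON written by `amass enum -json`, where each line carries at least "name", "domain", "addresses" (a list of {"ip": ...} objects) and "sources", and treats plain -o output as one name per line. Both sample runs are constructed.

```python
"""Compare two saved Amass runs and report new, vanished and unresolved names."""
import json
from typing import Dict, Iterable, Set

# Constructed sample: an earlier run saved with -json (one record per line),
# including a deliberately broken last line such as an interrupted run might leave.
PREVIOUS_RUN_JSONL = """\
{"name": "www.example.com", "domain": "example.com", "addresses": [{"ip": "192.0.2.10"}], "tag": "cert", "sources": ["Crtsh"]}
{"name": "mail.example.com", "domain": "example.com", "addresses": [{"ip": "192.0.2.25"}], "tag": "dns", "sources": ["DNS"]}
{"name": "old.example.com", "domain": "example.com", "addresses": [], "tag": "cert", "sources": ["Certspotter"]}
not json at all
"""

# Constructed sample: a later run saved with -o (one name per line).
CURRENT_RUN_TEXT = """\
www.example.com
mail.example.com
staging-api.example.com
"""


def normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so names from different runs compare cleanly."""
    return name.strip().lower().rstrip(".")


def parse_jsonl(text: str) -> Dict[str, dict]:
    """Map each discovered name to its JSON record; skip blank or malformed lines."""
    records: Dict[str, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a truncated line; do not abort the whole comparison
        if isinstance(rec, dict) and rec.get("name"):
            records[normalise(rec["name"])] = rec
    return records


def parse_text(text: str) -> Set[str]:
    """Plain -o output: one name per line."""
    return {normalise(ln) for ln in text.splitlines() if ln.strip()}


def load_run(path: str) -> Set[str]:
    """Read a saved run from disk: JSON lines if the file ends in .json, else plain names."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return set(parse_jsonl(text)) if path.endswith(".json") else parse_text(text)


def diff_runs(previous: Iterable[str], current: Iterable[str]) -> Dict[str, list]:
    """Names that appeared, disappeared, or persisted between two runs."""
    prev, cur = set(previous), set(current)
    return {
        "new": sorted(cur - prev),
        "gone": sorted(prev - cur),
        "unchanged": sorted(prev & cur),
    }


def unresolved(records: Dict[str, dict]) -> Set[str]:
    """Names that carried no address in the JSON run; candidates for re-checking with amass dns."""
    return {n for n, r in records.items() if not r.get("addresses")}


def sources_for(records: Dict[str, dict], name: str) -> list:
    """Which data sources reported a name (empty list if the run did not contain it)."""
    return list(records.get(normalise(name), {}).get("sources", []))


if __name__ == "__main__":
    previous = parse_jsonl(PREVIOUS_RUN_JSONL)
    report = diff_runs(previous, parse_text(CURRENT_RUN_TEXT))
    for label in ("new", "gone"):
        for name in report[label]:
            print(f"{label:<5} {name}  sources={sources_for(previous, name) or 'n/a'}")
    print("unresolved in previous run:", sorted(unresolved(previous)))
```

A newly seen name is the signal to act on (an unknown host in the JSON "new" list is exactly what the best practices below call attack surface change); names in "gone" are worth a second look with amass dns before assuming the host was decommissioned, since a source outage produces the same gap.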

Database Subcommand

Query and manage results stored in Amass’s local database from previous enumerations.

Show All Results for Domain

amass db -show -d example.com

List All Discovered Names

amass db -show -d example.com -names

List All Discovered IPs

amass db -show -d example.com -ip

Summary Statistics

amass db -show -d example.com -summary

Export from Database

amass db -show -d example.com -o exported_results.txt

Database Location

By default, the database is stored in the user’s home directory at ~/.config/amass/.

Configuration File

Create a config.yaml file to persist settings and API credentials for data sources.

Basic Configuration Structure

# Data source API keys
datasources:
  credentials:
    - name: shodan
      keys:
        - "YOUR_SHODAN_API_KEY"
    - name: censys
      keys:
        - "YOUR_CENSYS_API_KEY"
    - name: securitytrails
      keys:
        - "YOUR_SECURITYTRAILS_API_KEY"

# Scope definition
scope:
  domains:
    - example.com
    - example.org

# Brute forcing settings
brute_forcing:
  enabled: true
  wordlist: /path/to/wordlist.txt
  minimum_for_recursive: 3

# DNS alterations and mutations
alterations:
  enabled: true
  flip_words: true
  flip_numbers: true
  add_words: true
  add_numbers: true

# Performance settings
max_dns_queries: 10000

Using the Configuration File

amass enum -config /path/to/config.yaml

Data Source Configuration

Amass supports integration with multiple OSINT data sources via API keys. Configure these in your config file or environment.

Shodan API Key

datasources:
  credentials:
    - name: shodan
      keys:
        - "YOUR_SHODAN_API_KEY"

Censys API Key

datasources:
  credentials:
    - name: censys
      keys:
        - "YOUR_CENSYS_API_KEY"

SecurityTrails API Key

datasources:
  credentials:
    - name: securitytrails
      keys:
        - "YOUR_SECURITYTRAILS_API_KEY"

VirusTotal API Key

datasources:
  credentials:
    - name: virustotal
      keys:
        - "YOUR_VIRUSTOTAL_API_KEY"

PassiveTotal API Key

datasources:
  credentials:
    - name: passivetotal
      keys:
        - "YOUR_PASSIVETOTAL_API_KEY"

Adding Multiple API Keys

datasources:
  credentials:
    - name: shodan
      keys:
        - "API_KEY_1"
        - "API_KEY_2"
        - "API_KEY_3"

Output Options

Control how Amass outputs and saves discovered results.

Output to Text File

amass enum -passive -d example.com -o results.txt

JSON Output

# -json takes the path of the JSON output file directly
amass enum -passive -d example.com -json results.json

Output Directory (Multiple Formats)

amass enum -passive -d example.com -dir ./output/

All Output Formats

# Saves results in all available formats
amass enum -passive -d example.com -oA results

Verbose Output

amass enum -passive -d example.com -v

Very Verbose (Debug)

amass enum -passive -d example.com -vv

Scripting Engine

Amass supports custom data source scripts written in Lua for extending functionality.

Script Location

Place custom scripts in ~/.config/amass/scripts/.

Basic Lua Script Template

-- Identifier shown in Amass output and usable with -include / -exclude
name = "CustomSource"
-- Data source category (e.g. "api", "cert", "scrape")
type = "api"

-- Called once per root domain in scope; report each name found
-- with new_name(ctx, name) so Amass can resolve and record it
function vertical(ctx, domain)
  -- Your custom enumeration logic here
  return {}
end

Using Custom Scripts

amass enum -passive -d example.com

Custom scripts are automatically loaded and executed alongside built-in data sources.

Scope Management

Define and control the scope of your enumeration to include or exclude specific targets.

Include Unresolvable Names

amass enum -passive -d example.com -include-unresolvable

Filter by IP Address Range

amass enum -passive -d example.com -ip 192.168.0.0/16

Specify CIDR Ranges

amass enum -passive -d example.com -cidr 10.0.0.0/8

Blacklist Domains

amass enum -passive -d example.com -bl example-test.com -bl test-env.com

Blacklist from File

# Create a file with one domain per line
amass enum -passive -d example.com -blf /path/to/blacklist.txt

Whitelist Domains

amass enum -passive -d example.com -include example.com -include app.example.com
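The scope rules above act on the names Amass discovers, but the same rules are useful when post-processing an exported run, for instance before handing results to another tool. The script below is an added example, not part of Amass: root domains (the -d values) define what is in scope, and blacklist entries (-bl, or one per line in the -blf file) drop a name together with everything beneath it. The blacklist file contents and the sample names are constructed, and the handling of '#' comment lines is an assumption of this example.

```python
"""Apply root-domain scope and a blacklist to a list of discovered names."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed blacklist file (-blf format: one domain per line).
BLACKLIST_FILE = """\
# '#' lines and blank lines are ignored in this example
example-test.com
test-env.com
dev.example.com
"""

# Constructed discovered names, chosen to exercise the edge cases.
DISCOVERED = [
    "www.example.com",
    "api.dev.example.com",   # beneath a blacklisted label
    "notexample.com",        # shares a suffix string with example.com but is not in scope
    "x.example-test.com",    # not beneath any root, dropped before the blacklist is consulted
    "Mail.Example.ORG.",     # case and trailing dot differ from the root as given
    "example.org",           # the apex itself is in scope
]


def normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are label-exact."""
    return name.strip().lower().rstrip(".")


def load_blacklist(text: str) -> Set[str]:
    """Parse -blf style content: one domain per line, comments and blanks skipped."""
    out: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.add(normalise(line))
    return out


def within(name: str, root: str) -> bool:
    """True if name equals root or sits beneath it as a label.

    The "." guard is the important part: a bare endswith(root) would accept
    notexample.com as part of example.com and pull an unrelated host into scope.
    """
    return name == root or name.endswith("." + root)


def apply_scope(names: Iterable[str], roots: Iterable[str],
                blacklist: Iterable[str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (kept names in input order, dropped name -> reason)."""
    roots_n = {normalise(r) for r in roots}
    black_n = sorted(normalise(b) for b in blacklist)
    kept: List[str] = []
    dropped: Dict[str, str] = {}
    for raw in names:
        name = normalise(raw)
        if not any(within(name, r) for r in roots_n):
            dropped[name] = "out of scope"
            continue
        hit = next((b for b in black_n if within(name, b)), None)
        if hit is not None:
            dropped[name] = f"blacklisted via {hit}"
            continue
        kept.append(name)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = apply_scope(DISCOVERED, ["example.com", "example.org"],
                                load_blacklist(BLACKLIST_FILE))
    print("kept:", kept)
    for name, reason in dropped.items():
        print(f"dropped {name}: {reason}")
```

Keeping the reason for every dropped name makes scope decisions auditable: a name that was filtered as "out of scope" but belongs to the organization points at a root domain missing from the -d list rather than at a problem with the enumeration.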

Performance Optimization

Tune Amass performance based on network conditions and target infrastructure.

Maximum DNS Queries

# Limit concurrent DNS queries (default: 10000)
amass enum -brute -d example.com -max-dns-queries 5000

DNS Query Timeout

# -timeout is in minutes and caps the whole enumeration; it is not a per-query DNS timeout
amass enum -brute -d example.com -timeout 30

Active Concurrency

# Control concurrent requests during active enumeration
amass enum -active -d example.com

Memory-Constrained Environments

# Use fewer concurrent operations
amass enum -passive -d example.com -max-dns-queries 500

Distributed Enumeration

# Run multiple instances with different wordlist portions
amass enum -brute -d example.com -w wordlist_part1.txt
amass enum -brute -d example.com -w wordlist_part2.txt

Troubleshooting

DNS Resolution Issues

# Test with specific resolvers (-r); a passive run makes no DNS queries itself, so add -active or -brute to exercise them
amass enum -active -d example.com -r 8.8.8.8

API Key Problems

Check that your API keys are correctly set in the config file and have appropriate permissions. Run Amass with verbose output to see which sources are failing.

Rate Limiting

If you encounter rate limiting, reduce the number of concurrent queries and increase timeouts:

amass enum -brute -d example.com -max-dns-queries 1000 -timeout 30

Memory Issues

For large-scale enumerations, reduce data source use or split the enumeration across multiple runs.

Database Corruption

Clear the database and start fresh:

# Caution: ~/.config/amass/ also holds config.yaml (API keys) and scripts/; back those up before removing it
rm -rf ~/.config/amass/
amass enum -passive -d example.com

Best Practices

  1. Start with Passive Enumeration: Always begin with passive techniques to avoid detection. Add active DNS queries only when needed for validation.

  2. Use Configuration Files: Store API credentials and scope definitions in a configuration file to maintain consistency across runs and avoid command-line credential exposure.

  3. Combine Multiple Data Sources: Leverage multiple OSINT sources (Shodan, Censys, SecurityTrails) to maximize coverage. Each source often reveals different subdomains.

  4. Track Changes Over Time: Use the track subcommand to identify newly discovered subdomains and monitor your attack surface changes.

  5. Implement Scope Management: Use blacklists and whitelists to focus enumeration on relevant targets and avoid noise from unrelated domains.

  6. Validate Actively: After passive enumeration, use active DNS resolution to confirm that discovered subdomains actually resolve to IP addresses.

  7. Export for Further Analysis: Export results in JSON format for parsing and further processing with other tools or scripts.

  8. Monitor Rate Limits: Be aware of API rate limits from data sources. Use API keys when available to increase quotas.

  9. Schedule Regular Enumerations: Run periodic enumerations to detect newly registered subdomains and changes in your attack surface.

  10. Combine with Other Tools: Use Amass output as input for vulnerability scanning, port scanning, or further reconnaissance with tools like Nmap.

Tool            Purpose
Subfinder       Fast passive subdomain enumeration using multiple sources
SecurityTrails  Online OSINT database for domain and subdomain history
DNSRecon        DNS reconnaissance and enumeration tool
Fierce          DNS scanning tool for discovering non-contiguous IP space
Sublist3r       Subdomain enumeration using multiple search engines
Nmap            Network mapping and port scanning
Shodan          Search engine for internet-connected devices
Censys          Search engine for internet scanning and certificate data