amass

Attack surface mapping and asset discovery. OWASP project.

Quickstart

# Passive enum (fast, no direct contact)
amass enum -passive -d target.com

# Active enum (DNS brute force)
amass enum -d target.com

# With config (API keys)
amass enum -d target.com -config config.ini

# Intel mode (find related domains)
amass intel -d target.com

Core Concepts

Concept	Description
enum	Subdomain enumeration
intel	OSINT/related domain discovery
passive	No direct target contact
active	DNS brute force, zone transfers

Syntax

amass enum [options] -d <domain>
amass intel [options] -d <domain>

Options

Enum Mode

Option	Description
-d <domain>	Target domain
-df <file>	Domains file
-passive	Passive only (no brute force)
-active	Active techniques
-brute	Brute force subdomain names
-w <file>	Wordlist for brute force
-ip	Show IP addresses
-ipv4	IPv4 only
-ipv6	IPv6 only
-src	Show data sources
-o <file>	Output file
-oA <base>	All output formats
-json <file>	JSON output
-config <file>	Config file

Intel Mode

Option	Description
-d <domain>	Target domain
-org <name>	Organization name
-asn <asn>	ASN number
-whois	Use WHOIS
-ip <ip>	Search by IP
-cidr <cidr>	Search by CIDR

Performance

Option	Description
-timeout <min>	Timeout in minutes
-max-dns-queries <n>	Max DNS queries
-rf <file>	Resolvers file

Recipes

Passive Enumeration

# Fast passive scan
amass enum -passive -d target.com

# With IP addresses
amass enum -passive -d target.com -ip

# Show sources
amass enum -passive -d target.com -src

# Multiple domains
amass enum -passive -df domains.txt

Active Enumeration

# Full enumeration
amass enum -d target.com

# With brute force
amass enum -brute -d target.com

# Custom wordlist
amass enum -brute -w wordlist.txt -d target.com

# Active techniques
amass enum -active -d target.com

Intel Mode

# Related domains
amass intel -d target.com

# By organization
amass intel -org "Target Company"

# By ASN
amass intel -asn 12345

# By IP/CIDR
amass intel -ip 10.10.10.10
amass intel -cidr 10.10.10.0/24

# WHOIS
amass intel -whois -d target.com

Output Formats

# Text output
amass enum -passive -d target.com -o subs.txt

# JSON output
amass enum -passive -d target.com -json results.json

# All formats
amass enum -passive -d target.com -oA results

# Creates: results.txt, results.json

With Config (API Keys)

# config.ini
[data_sources]

[data_sources.Shodan]
apikey = YOUR_SHODAN_KEY

[data_sources.Censys]
apikey = YOUR_CENSYS_ID
secret = YOUR_CENSYS_SECRET

[data_sources.VirusTotal]
apikey = YOUR_VT_KEY

[data_sources.SecurityTrails]
apikey = YOUR_ST_KEY

# Use config
amass enum -d target.com -config config.ini

Pipeline Integration

# amass → httpx
amass enum -passive -d target.com -o subs.txt
cat subs.txt | httpx -silent

# amass → naabu → httpx
amass enum -passive -d target.com | naabu -silent | httpx -silent

# Full pipeline
amass enum -passive -d target.com | \
  httpx -silent | \
  nuclei -t cves/

Custom Resolvers

# Use trusted resolvers
amass enum -d target.com -rf resolvers.txt

# resolvers.txt example:
# 8.8.8.8
# 1.1.1.1
# 9.9.9.9

Database

# Amass stores results in database
# List collected domains
amass db -names -d target.com

# Show graph
amass viz -d target.com -d3

# Track changes over time
amass track -d target.com

Output & Parsing

# JSON parsing
amass enum -passive -d target.com -json results.json
cat results.json | jq -r '.name'

# Count subdomains
amass enum -passive -d target.com | wc -l

# Unique sorted
amass enum -passive -d target.com | sort -u

Troubleshooting

Issue	Solution
Slow/no results	Use -passive, add API keys
DNS errors	Use custom resolvers -rf
Rate limited	Add -max-dns-queries
Timeout	Increase -timeout

References

• OWASP Amass
• Amass GitHub
• Amass User Guide