What is Amass?
Amass is an advanced open-source intelligence (OSINT) and attack surface mapping tool maintained by OWASP. It performs in-depth DNS enumeration and subdomain discovery by querying over 50 passive data sources — including certificate transparency logs, DNS datasets, search engines, WHOIS records, and threat intelligence feeds — as well as conducting active probing techniques like brute-forcing and zone transfers. The result is a comprehensive map of an organization's external attack surface, making it the go-to tool for bug bounty recon and authorized external assessments.
Only use this tool on systems you own or have explicit written authorization to test. Unauthorized use is a criminal offense under Pakistan's PECA 2016 and similar laws worldwide.
Installation
# Install via apt (Kali Linux)
sudo apt update && sudo apt install amass -y
# OR install latest via Go (recommended for most up-to-date version)
go install -v github.com/owasp-amass/amass/v4/...@master
# Verify the installation by printing the version
amass -version
Basic Usage
Amass is organized into subcommands. The most used is enum for subdomain enumeration.
# Passive enumeration only (no direct contact with target)
amass enum -passive -d example.com
# Active enumeration (DNS brute-force + passive sources combined)
amass enum -active -d example.com
# Save results to a text file
amass enum -passive -d example.com -o subdomains.txt
# Enumerate multiple domains at once
amass enum -passive -df domains.txt -o results.txt
# Use API keys config file for more data sources (recommended)
amass enum -passive -d example.com -config ~/.config/amass/config.ini
# Show the network graph of discovered assets
amass viz -d3 -d example.com -o graph.html
# Check what data sources are configured and available
amass enum -list
Key Subcommands
- amass enum — Core subdomain and asset enumeration (passive + active modes)
- amass intel — Gather ASN, CIDR, and org info to discover root domains from an IP range
- amass db — Interact with the local Amass graph database of past results
- amass viz — Generate visual network graphs (D3.js, Gephi, GraphML formats)
- amass track — Compare results across multiple scans to detect new or removed assets
Boosting Results with API Keys
Amass can query dozens of third-party data sources when configured with API keys. Edit ~/.config/amass/config.ini to add keys for services like Shodan, VirusTotal, SecurityTrails, Censys, and PassiveTotal. Free-tier keys for most services are available and dramatically increase subdomain coverage.
Common Use Cases
- Bug bounty reconnaissance — mapping the full external attack surface of a target program
- Authorized external penetration testing engagements
- CTF (Capture The Flag) challenges involving subdomain discovery
- Continuous attack surface monitoring using amass track
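For continuous monitoring, the scan-to-scan comparison can also be done over two saved -o result files. The script below is an added example, not part of Amass or the original page; it assumes each file holds one hostname per line, and the function names, file names and sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: report in-scope hostnames that appeared or disappeared
# between two saved result files. All sample data below is constructed.
LC_ALL=C; export LC_ALL   # identical collation for sort and comm

# normalize FILE ROOT: lowercase, drop CRs, trailing blanks and trailing dots,
# keep only ROOT itself or names ending in ".ROOT", then sort and de-duplicate.
normalize() {
    tr '[:upper:]' '[:lower:]' < "$1" | tr -d '\r' |
        sed -e 's/[[:space:]]*$//' -e 's/\.$//' |
        awk -v root="$2" '
            $0 == root { print; next }
            length($0) > length(root) + 1 &&
                substr($0, length($0) - length(root)) == "." root { print }
        ' | sort -u
}

# scan_diff MODE OLD NEW ROOT
#   MODE "added"   prints names found only in NEW (review these first)
#   MODE "removed" prints names found only in OLD (decommissioned or missed)
scan_diff() {
    mode=$1 root=$4
    a=$(mktemp) && b=$(mktemp) || return 1
    normalize "$2" "$root" > "$a"
    normalize "$3" "$root" > "$b"
    case $mode in
        added)   comm -13 "$a" "$b" ;;
        removed) comm -23 "$a" "$b" ;;
        *)       echo "usage: scan_diff added|removed OLD NEW ROOT" >&2
                 rm -f "$a" "$b"; return 2 ;;
    esac
    rm -f "$a" "$b"
}

# make_samples DIR: write two constructed scan files into DIR. The newer one
# has mixed case, a trailing dot and a look-alike name that is out of scope.
make_samples() {
    printf '%s\n' www.example.com api.example.com legacy.example.com > "$1/old.txt"
    printf '%s\n' WWW.Example.com api.example.com. staging.example.com \
        example.com.example.net > "$1/new.txt"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "New since last scan:"
scan_diff added "$demo_dir/old.txt" "$demo_dir/new.txt" example.com
echo "Gone since last scan:"
scan_diff removed "$demo_dir/old.txt" "$demo_dir/new.txt" example.com
rm -rf "$demo_dir"
```

The suffix check in normalize keeps names such as example.com.example.net out of the report, so a data source that returns look-alike hosts does not raise a false "new asset" alert.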
Tips & Best Practices
Always start with -passive mode before moving to active — passive leaves no footprint on the target. Pipe results into httpx or httprobe to quickly identify which discovered subdomains have live web servers. Use amass intel with a company name or IP range to discover root domains you may not have known were in scope before running enum.
Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs before using in live engagements.