amass - Advanced Attack Surface Mapping

amass is a powerful, open-source tool for attack surface mapping and asset discovery. It's designed to help security professionals and researchers discover and map the exposed attack surface of organizations.

🎯 Purpose

  • Subdomain Discovery: Find subdomains through passive and active techniques
  • Asset Discovery: Identify domains, IP addresses, and related infrastructure
  • Attack Surface Mapping: Visualize the complete external attack surface
  • OSINT Gathering: Collect intelligence from multiple data sources

🚀 Basic Usage

Basic Subdomain Enumeration

bash
# Basic subdomain discovery
amass enum -d example.com

# Passive enumeration only (no active DNS queries)
amass enum -passive -d example.com

# Active enumeration (zone transfers and certificate name grabs; add -brute for brute forcing)
amass enum -active -d example.com

Multiple Domains

bash
# Enumerate multiple domains
amass enum -d example.com,target.com,test.org

# From a file
amass enum -df domains.txt

🔧 Advanced Options

Output and Formatting

bash
# Save results to file
amass enum -d example.com -o results.txt

# JSON output
amass enum -d example.com -json results.json

# Include IP addresses
amass enum -d example.com -ip

Source Configuration

bash
# Show which data source reported each discovered name
amass enum -src -d example.com

# Exclude certain sources
amass enum -d example.com -exclude source1,source2

# Use API keys for better results
amass enum -d example.com -config config.ini

Network Options

bash
# Specify resolvers
amass enum -d example.com -r 8.8.8.8,1.1.1.1

# Stop the enumeration after 10 minutes (-timeout is given in minutes)
amass enum -d example.com -timeout 10

# Rate limiting
amass enum -d example.com -max-dns-queries 1000

🎯 Common Use Cases

Reconnaissance Phase

bash
# Comprehensive passive reconnaissance
amass enum -passive -d target.com -o passive_recon.txt

# Active enumeration with visualization
amass enum -active -d target.com -dir ./amass_output
amass viz -d3 -dir ./amass_output

Bug Bounty Hunting

bash
# Brute-force enumeration with a custom wordlist
amass enum -d target.com -brute -w /usr/share/wordlists/subdomains.txt

# Monitor for new subdomains
amass track -d target.com

Infrastructure Mapping

bash
# Map complete infrastructure
amass enum -active -d target.com -ip -dir ./infrastructure_map
amass viz -maltego -dir ./infrastructure_map

πŸ“ Installation ​

Debian/Ubuntu ​

bash
sudo apt update
sudo apt install amass

From Source

bash
go install -v github.com/OWASP/Amass/v3/...@master

Using Snap

bash
sudo snap install amass

βš™οΈ Configuration ​

Create a config file for API keys:

ini
# ~/.config/amass/config.ini
[data_sources]
[data_sources.AlienVault]
[data_sources.AlienVault.Credentials]
apikey = your_api_key_here

[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = your_shodan_api_key

💡 Pro Tips

  • Use API keys for better results from data sources
  • Combine passive and active enumeration for comprehensive coverage
  • Monitor regularly using the track function for ongoing assessment
  • Visualize results using the built-in visualization tools
  • Rate limit appropriately to avoid being blocked by target infrastructure
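
Regular monitoring can also be done offline by comparing two saved `amass enum -o` result files for a domain you are responsible for. The script below is an added example, not part of the original page or the amass project; it assumes one hostname per line (no `-ip` or `-src` columns), and its function names and sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff two saved `amass enum -o` result files.
# Assumption: one hostname per line (no -ip or -src columns).
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# normalize FILE DOMAIN: lowercase, strip CR / trailing dot, keep only
# DOMAIN (given in lowercase) and its subdomains by exact suffix match,
# then sort and de-duplicate.
normalize() {
    tr -d '\r' < "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/[[:space:]]*$//' -e 's/\.$//' |
        awk -v d="$2" '$0 == d || (length($0) > length(d) &&
            substr($0, length($0) - length(d)) == "." d)' |
        sort -u
}

# diff_names MODE OLD NEW DOMAIN: MODE -13 = only in NEW, -23 = only in OLD.
diff_names() {
    work=$(mktemp -d) || return 1
    normalize "$2" "$4" > "$work/old"
    normalize "$3" "$4" > "$work/new"
    comm "$1" "$work/old" "$work/new"
    rm -rf "$work"
}
new_names()  { diff_names -13 "$1" "$2" "$3"; }   # appeared since OLD
gone_names() { diff_names -23 "$1" "$2" "$3"; }   # no longer reported

# demo: constructed sample data, not real scan output.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'www.example.com\napi.example.com\nold.example.com\n' > "$dir/old.txt"
    printf 'WWW.Example.com.\napi.example.com\r\ndev.example.com\n' > "$dir/new.txt"
    printf 'vpn.example.com\nnotexample.com\ndev.example.com\n' >> "$dir/new.txt"
    new_names  "$dir/old.txt" "$dir/new.txt" example.com | sed 's/^/+ /'
    gone_names "$dir/old.txt" "$dir/new.txt" example.com | sed 's/^/- /'
    rm -rf "$dir"
}

demo
```

Names prefixed with `+` are candidates for an inventory or ownership check; names prefixed with `-` may point to decommissioned hosts whose DNS records should be cleaned up.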

🚨 Important Notes

  • Always ensure you have permission before scanning target domains
  • Be mindful of rate limiting to avoid overwhelming target infrastructure
  • Some data sources require API keys for full functionality
  • Results quality depends on the data sources available and configured

Part of the HackerHub.me tool documentation series