amass Cheatsheet
Type: Actively maintained subdomain discovery — extensive data sources & tool integrations
Installation
sudo apt install amass
# or
go install -v github.com/owasp-amass/amass/v4/...@master
# or
snap install amass
Subcommands
| Subcommand | Description |
|---|---|
| enum | Subdomain enumeration (main command) |
| intel | Collect intel about an organisation (root domains, ASNs, netblocks) |
| viz | Visualise enumeration results |
| track | Track differences between enumerations |
| db | Interact with the graph database |
enum — Subdomain Enumeration
# Basic passive enumeration
amass enum -passive -d example.com
# Default run (no -passive): every discovered name is DNS-resolved and unresolvable names are dropped
amass enum -d example.com
# Add active techniques (zone transfer attempts, certificate name grabbing); these send traffic to the target
amass enum -active -d example.com
# Brute force with the built-in wordlist (-brute does not imply -active, and vice versa)
amass enum -brute -d example.com
# Brute force with wordlist
amass enum -brute -w wordlist.txt -d example.com
# Multiple domains
amass enum -d example.com -d example.org
# Domains from file
amass enum -df domains.txt
# List the names of all available data sources (use these names with -include/-exclude)
amass enum -list
# Output to file
amass enum -d example.com -o output.txt
# Output to JSON
amass enum -d example.com -json output.json
# Show data sources in results
amass enum -d example.com -src
# Verbose
amass enum -v -d example.com
# Set timeout (minutes)
amass enum -d example.com -timeout 30
# Use specific resolvers
amass enum -d example.com -r 8.8.8.8,1.1.1.1
# Use resolver list
amass enum -d example.com -rf resolvers.txt
# Exclude data sources (names must match those printed by -list)
amass enum -d example.com -exclude CrtSearch
# Only specific data sources (comma-separated, again as printed by -list)
amass enum -d example.com -include Wayback,CrtSearch
Common Flags (enum)
| Flag | Description |
|---|---|
| -d <domain> | Target domain (repeatable) |
| -df <file> | File with list of domains |
| -passive | Passive only: no DNS resolution, so results can include names that no longer resolve |
| -active | Active DNS techniques (zone transfer attempts, cert grabbing); touches target infrastructure |
| -brute | Enable brute force |
| -w <wordlist> | Wordlist for brute force |
| -o <file> | Output results to file |
| -json <file> | Output as JSON (one object per discovered name, one per line) |
| -src | Show data source for each result |
| -ip | Show IP addresses |
| -r <resolvers> | Comma-separated resolver IPs |
| -rf <file> | File of resolver IPs, one per line |
| -timeout <n> | Stop the enumeration after n minutes |
| -v | Verbose |
| -config <file> | Config file path |
| -dir <path> | Directory for output/database |
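The -r/-rf flags only work as well as the resolver list behind them: comment lines, duplicates and malformed addresses in a hand-edited resolvers.txt quietly reduce coverage. The script below is an added example (not amass project code) that sanitises such a file with sed/awk before it is handed to -rf; the sample resolver file it writes is constructed for the example and is not output of any real tool.

```shell
# Added example, not amass project code: sanitise a resolver list before
# passing it to `amass enum -rf`. Dead, duplicated or malformed entries
# silently cost coverage, so check the list first.

# Constructed sample resolver file (assumption: this is what a hand-edited
# resolvers.txt might look like; it is not output of any real tool).
make_sample_resolvers() {
  cat > "$1" <<'EOF'
# public resolvers
8.8.8.8
1.1.1.1   ; Cloudflare
9.9.9.9

8.8.8.8
999.1.1.1
not-an-ip
EOF
}

# Print syntactically valid, unique IPv4 addresses, one per line:
# strip '#'/';' comments and surrounding whitespace, keep only dotted
# quads with every octet in 0..255, then de-duplicate.
clean_resolvers() {
  sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    awk -F. 'NF == 4 {
      ok = 1
      for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
      if (ok) print
    }' |
    sort -u
}

# Number of usable resolvers (a surprisingly low count is the warning sign
# that the list you are about to use is mostly junk).
count_resolvers() {
  clean_resolvers "$1" | wc -l | tr -d ' '
}

# Usage:
#   make_sample_resolvers resolvers.txt
#   clean_resolvers resolvers.txt > resolvers.clean   # 1.1.1.1 8.8.8.8 9.9.9.9
#   amass enum -rf resolvers.clean -d example.com
```

The check is purely syntactic; it does not test that a resolver answers or that it answers honestly, so keep the list to resolvers you control or trust.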
intel — Org Recon
# Find root domains whose ASN description matches an organisation name
amass intel -org "Target Corp"
# Reverse whois on a known domain (domains sharing registrant details)
amass intel -whois -d example.com
# Root domains announced by an ASN
amass intel -asn 12345
# Root domains found in a CIDR block (use -addr for single IPs or ranges such as 192.168.1.1-254)
amass intel -cidr 192.168.1.0/24
# Active mode also grabs names from TLS certificates served on the addresses
amass intel -active -cidr 192.168.1.0/24
Configuration File
amass v3 reads an INI file at ~/.config/amass/config.ini (or the path given with -config); the snippet below is that format. amass v4 switched to a YAML config (config.yaml) with a different layout, so check `amass -version` before copying this:
[resolvers]
resolver = 8.8.8.8
resolver = 1.1.1.1
[bruteforce]
enabled = true
wordlist_file = /path/to/wordlist.txt
# recursive brute forcing re-runs the wordlist under every discovered name;
# with minimum_for_recursive = 1 that happens after a single hit, which
# multiplies query volume against the target's DNS
recursive = true
minimum_for_recursive = 1
[alterations]
enabled = true
[data_sources]
# API keys for passive data sources
[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = YOUR_KEY_HERE
Recommended Wordlists
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
# Amass also ships with its own wordlist:
# /usr/share/amass/wordlists/
Example Full Run
# Passive (fast, stealthy; names are not resolved, so expect some stale entries)
amass enum -passive -d example.com -src -o passive_results.txt
# Active + brute force (thorough; sends DNS and zone-transfer traffic to the target)
amass enum -active -brute \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-d example.com \
-src -ip \
-json amass_results.json \
-timeout 60
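The JSON file from the thorough run is the easiest artefact to feed into the next step (port scanning, HTTP probing) and into a comparison with the previous run, which is what the track subcommand does against its database. The script below is an added example, not amass project code: it extracts hostnames and host/IP pairs from -json output with sed/grep only (no jq), and diffs two runs' name lists with comm. It assumes the JSON-lines layout amass v3 writes, one object per name with the "name" field first and an "addresses" array of {"ip":...} objects; the sample lines are constructed for the example and are not real enumeration output.

```shell
# Added example, not amass project code: post-process `amass enum -json`
# output with standard tools, then diff against a previous run.
# Assumes amass v3's JSON-lines layout, "name" first on each line and an
# "addresses" array of {"ip":...} objects (adjust the sed pattern or use jq
# if your version orders fields differently).

# Constructed sample of amass_results.json (not real enumeration output).
make_sample_json() {
  cat > "$1" <<'EOF'
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"cert","sources":["Crtsh"]}
{"name":"dev.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.20","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-AS"},{"ip":"203.0.113.21","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"brute","sources":["Brute Forcing"]}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.5","cidr":"198.51.100.0/24","asn":64497,"desc":"MAIL-AS"}],"tag":"dns","sources":["DNS"]}
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"api","sources":["HackerTarget"]}
EOF
}

# Unique hostnames, sorted: the list to feed to httpx/nmap next.
# The same name can appear on several lines (one per source), hence sort -u.
json_names() {
  sed -n 's/^{"name":"\([^"]*\)".*/\1/p' "$1" | sort -u
}

# "host ip" pairs, one per line; multi-homed hosts expand to several rows.
json_host_ips() {
  while IFS= read -r line; do
    name=$(printf '%s\n' "$line" | sed -n 's/^{"name":"\([^"]*\)".*/\1/p')
    printf '%s\n' "$line" | grep -o '"ip":"[^"]*"' | sed 's/"ip":"\(.*\)"/\1/' |
      while IFS= read -r ip; do printf '%s %s\n' "$name" "$ip"; done
  done < "$1" | sort -u
}

# Unique IPs, for checking every resolved address against the authorised scope.
json_ips() {
  json_host_ips "$1" | awk '{ print $2 }' | sort -u
}

# Names present in the current run but absent from the previous one.
# Both inputs must be sorted (json_names already sorts), as comm requires.
new_hosts() {
  comm -13 "$1" "$2"
}

# Usage:
#   make_sample_json amass_results.json
#   json_names amass_results.json > names.now        # dev, mail, www
#   json_ips amass_results.json                      # 4 unique addresses
#   new_hosts names.previous names.now               # names new since last run
```

Any IP printed by json_ips that falls outside the agreed scope should be removed before the list goes to a scanner; resolved addresses routinely land in third-party CDN or SaaS ranges.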