
Amass is a subdomain enumeration tool that draws on a large number of disparate data sources and then analyzes the resolved names, so that it delivers both a large and a high-quality set of results.
Amass performs scraping of data sources, recursive brute forcing, crawling of web archives, permuting and altering of names, reverse DNS sweeping, and machine learning to obtain additional subdomain names. The architecture makes it easy to add new subdomain enumeration techniques as they are developed.
DNS name resolution is performed across many public servers so the authoritative server will see traffic coming from different locations.
Using the Tool
The most basic use of the tool, which includes reverse DNS lookups and name alterations:
$ amass -d example.com
If you need Amass to run faster and only use the passive data sources:
$ amass -nodns -d example.com
The example below is a good place to start with amass:
$ amass -v -ip -brute -min-for-recursive 3 -d example.com
[Google] www.example.com
[VirusTotal] ns.example.com
...
13139 names discovered - archive: 171, cert: 2671, scrape: 6290, brute: 991, dns: 250, alt: 2766
Add some additional domains to the enumeration:
$ amass -d example1.com,example2.com -d example3.com
Additional switches available through the amass CLI:
Flag | Description | Example |
---|---|---|
-active | Enable active recon methods | amass -active -d example.com net -p 80,443,8080 |
-bl | Blacklist undesired subdomains from the enumeration | amass -bl blah.example.com -d example.com |
-blf | Identify blacklisted subdomains from a file | amass -blf data/blacklist.txt -d example.com |
-brute | Perform brute force subdomain enumeration | amass -brute -d example.com |
-df | Specify the domains to be enumerated via text file | amass -df domains.txt |
-freq | Throttle the rate of DNS queries by number per minute | amass -freq 120 -d example.com |
-h | Show the amass usage information | amass -h |
-ip | Print IP addresses with the discovered names | amass -ip -d example.com |
-json | All discoveries written as individual JSON objects | amass -json out.json -d example.com |
-l | List all the domains to be used during enumeration | amass -whois -l -d example.com |
-log | Log all error messages to a file | amass -log amass.log -d example.com |
-min-for-recursive | Discoveries required for recursive brute forcing | amass -brute -min-for-recursive 3 -d example.com |
-noalts | Disable alterations of discovered names | amass -noalts -d example.com |
-nodns | A purely passive mode of execution | amass -nodns -d example.com |
-norecursive | Disable recursive brute forcing | amass -brute -norecursive -d example.com |
-o | Write the results to a text file | amass -o out.txt -d example.com |
-oA | Output to all available file formats with prefix | amass -oA amass_scan -d example.com |
-r | Specify your own DNS resolvers | amass -r 8.8.8.8,1.1.1.1 -d example.com |
-rf | Specify DNS resolvers with a file | amass -rf data/resolvers.txt -d example.com |
-v | Output includes data source and summary information | amass -v -d example.com |
-version | Print the version number of amass | amass -version |
-w | Change the wordlist used during brute forcing | amass -brute -w wordlist.txt -d example.com |
-whois | Search using reverse whois information | amass -whois -d example.com |
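The `-min-for-recursive` flag is the one switch in the table whose effect is not obvious from its name: recursive brute forcing descends into a discovered subdomain only after enough distinct names have already been found beneath it, which keeps a large wordlist from being replayed under every single label. The following Go program is an added illustration of that gating rule, written for this page and not taken from the Amass code base; the `discovered` list and the tiny `wordlist` are constructed sample data, and the exact counting rule Amass uses may differ from the one shown here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// discovered stands in for the names an earlier pass (passive sources or a
// first brute-force round) turned up. Constructed sample data, not real output.
var discovered = []string{
	"www.example.com",
	"mail.example.com",
	"api.dev.example.com",
	"auth.dev.example.com",
	"db.dev.example.com",
	"DB.dev.example.com", // duplicate differing only in case; must not count twice
	"jenkins.corp.example.com",
}

// recursiveTargets returns the labels between the discovered names and root
// under which at least minForRecursive distinct names were found. Those are
// the subdomains a recursive brute-force round would descend into.
func recursiveTargets(root string, names []string, minForRecursive int) []string {
	root = strings.ToLower(strings.TrimSuffix(root, "."))
	seen := map[string]struct{}{}
	counts := map[string]int{}
	for _, n := range names {
		n = strings.ToLower(strings.TrimSuffix(n, "."))
		if _, dup := seen[n]; dup || !strings.HasSuffix(n, "."+root) {
			continue
		}
		seen[n] = struct{}{}
		// Credit every parent between the name and the root, so that
		// a.b.c.example.com counts for both b.c.example.com and c.example.com.
		for parent := n; ; {
			parent = parent[strings.Index(parent, ".")+1:]
			if parent == root {
				break
			}
			counts[parent]++
		}
	}
	var out []string
	for p, c := range counts {
		if c >= minForRecursive {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// bruteCandidates expands a wordlist under each target; this is the query
// set the recursive round would hand to the resolvers.
func bruteCandidates(targets, wordlist []string) []string {
	var out []string
	for _, t := range targets {
		for _, w := range wordlist {
			out = append(out, w+"."+t)
		}
	}
	return out
}

func main() {
	wordlist := []string{"admin", "staging", "vpn"} // tiny stand-in for the -w file
	for _, min := range []int{1, 3} {
		targets := recursiveTargets("example.com", discovered, min)
		fmt.Printf("-min-for-recursive %d -> %v\n", min, targets)
		fmt.Println("  next queries:", bruteCandidates(targets, wordlist))
	}
}
```

With the sample data, a threshold of 1 recurses into both `corp.example.com` and `dev.example.com`, while a threshold of 3 recurses only into `dev.example.com`, where three distinct names were found. Raising the threshold is the lever to pull when a brute-force run is spending most of its queries under labels that only ever yielded a single hit.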
Have amass send all the DNS and infrastructure enumerations to the Neo4j graph database:
$ amass -neo4j neo4j:DoNotUseThisPassword@localhost:7687 -d example.com
Here are switches for outputting the DNS and infrastructure findings as a network graph:
Flag | Description | Example |
---|---|---|
-d3 | Output a D3.js v4 force simulation HTML file | amass -d3 network.html -d example.com |
-gexf | Output to Graph Exchange XML Format (GEXF) | amass -gexf network.gexf -d example.com |
-graphistry | Output Graphistry JSON | amass -graphistry network.json -d example.com |
-visjs | Output HTML that employs VisJS | amass -visjs network.html -d example.com |
Network/Infrastructure Options
Caution: If you use these options, amass will attempt to reach out to every IP address within the identified infrastructure and obtain names from TLS certificates. This is “loud” and can reveal your reconnaissance activities to the organization being investigated.
All the flags shown here require the ‘net’ subcommand to be specified first.
To discover all domains hosted within target ASNs, use the following option:
$ amass net -asn 13374,14618
To investigate within target CIDRs, use this option:
$ amass net -cidr 192.184.113.0/24,104.154.0.0/15
For specific IPs or address ranges, use this option:
$ amass net -addr 192.168.1.44,192.168.2.1-64
By default, port 443 will be checked for certificates, but the ports can be changed as follows:
$ amass net -cidr 192.168.1.0/24 -p 80,443,8080
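The "loud" step the caution above refers to is a TLS handshake with each address on the chosen ports, after which the hostnames carried in the presented certificate (Subject CN and DNS SANs) are harvested. The following Go program is an added example of that technique written for this page; it is not Amass's own implementation. To run offline it stands up a local listener with a constructed self-signed certificate; `namesFromAddr` is the function you would point at an in-scope address such as the ones the `-addr` and `-cidr` options expand to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sort"
	"strings"
	"time"
)

// namesFromCert returns every DNS name a certificate claims: the Subject CN
// when it looks like a hostname, plus all DNS SANs, lower-cased and de-duplicated.
func namesFromCert(cert *x509.Certificate) []string {
	set := map[string]struct{}{}
	if cn := cert.Subject.CommonName; strings.Contains(cn, ".") {
		set[strings.ToLower(cn)] = struct{}{}
	}
	for _, d := range cert.DNSNames {
		set[strings.ToLower(d)] = struct{}{}
	}
	out := make([]string, 0, len(set))
	for n := range set {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// namesFromAddr completes a TLS handshake with addr ("ip:port") and returns
// the names on the leaf certificate. Chain verification is deliberately
// skipped: the goal is to harvest names, and self-signed or mismatched
// certificates are exactly where unexpected hostnames turn up. Dialing by IP
// sends no SNI, so the server's default virtual host answers.
func namesFromAddr(addr string, timeout time.Duration) ([]string, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s: no peer certificate", addr)
	}
	return namesFromCert(certs[0]), nil
}

// selfSignedCert builds a throwaway certificate carrying the given SANs so the
// example runs offline. Constructed test data, not any real target's certificate.
func selfSignedCert(cn string, sans []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serveOnce starts a TLS listener on loopback that handshakes with one client
// and returns its address. It stands in for a host inside the target netblock.
func serveOnce(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

func main() {
	cert, err := selfSignedCert("www.example.com", []string{"www.example.com", "api.example.com", "*.dev.example.com"})
	if err != nil {
		panic(err)
	}
	addr, err := serveOnce(cert)
	if err != nil {
		panic(err)
	}
	names, err := namesFromAddr(addr, 5*time.Second)
	if err != nil {
		panic(err)
	}
	fmt.Println(addr, "->", names)
}
```

Two practical points follow from the code. First, each call is a full TCP connection and TLS handshake that the target's load balancers and sensors will log with your source address, which is why the page marks this mode as loud. Second, wildcard entries such as `*.dev.example.com` are returned verbatim; they are evidence of a label worth brute forcing, not resolvable names in themselves.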