Amass – Subdomain Enumeration Tool

Amass is the subdomain enumeration tool with the greatest number of disparate data sources that performs analysis of the resolved names in order to deliver the largest number of quality results.

Amass performs scraping of data sources, recursive brute forcing, crawling of web archives, permuting and altering of names, reverse DNS sweeping, and machine learning to obtain additional subdomain names. The architecture makes it easy to add new subdomain enumeration techniques as they are developed.

DNS name resolution is performed across many public servers so the authoritative server will see traffic coming from different locations.
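Because the queries reach the authoritative server through many public resolvers, counting queries per source address will not reveal an enumeration run; counting distinct nonexistent names per zone will. The following is an added example, not code from Amass or from the original page, and the log format, sample lines, function names and thresholds are assumptions constructed for illustration:

```python
from collections import defaultdict

# Constructed log lines in a hypothetical format (not Amass output):
# epoch_seconds resolver_ip queried_name rcode
SAMPLE_LOG = """\
1200 192.0.2.10 www.example.com NOERROR
1203 198.51.100.4 dev.example.com NXDOMAIN
1205 203.0.113.9 staging.example.com NXDOMAIN
1209 192.0.2.77 vpn.example.com NOERROR
1212 198.51.100.23 test.example.com NXDOMAIN
1216 203.0.113.50 admin1.example.com NXDOMAIN
1221 192.0.2.10 mail2.example.com NXDOMAIN
1230 198.51.100.4 intranet.example.com NXDOMAIN
1300 192.0.2.10 www.example.com NOERROR
1330 203.0.113.9 wwww.example.com NXDOMAIN
"""

def parse(line):
    """Split one log line into (timestamp, source, name, rcode)."""
    ts, src, name, rcode = line.split()
    return int(ts), src, name.lower().rstrip("."), rcode

def find_enumeration(log_text, zone, window=60, min_names=5):
    """Flag time windows with many distinct nonexistent names under `zone`.
    Counting is per zone, not per source IP, because the queries arrive
    from many public resolvers and no single source stands out."""
    names = defaultdict(set)                            # window -> NXDOMAIN names
    per_source = defaultdict(lambda: defaultdict(set))  # window -> source -> names
    suffix = "." + zone
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, name, rcode = parse(line)
        if rcode != "NXDOMAIN" or not name.endswith(suffix):
            continue
        bucket = ts - ts % window                       # start of tumbling window
        names[bucket].add(name)
        per_source[bucket][src].add(name)
    alerts = []
    for bucket in sorted(names):
        if len(names[bucket]) >= min_names:
            busiest = max(len(n) for n in per_source[bucket].values())
            alerts.append({"window_start": bucket,
                           "distinct_nx_names": len(names[bucket]),
                           "sources": len(per_source[bucket]),
                           "max_names_from_one_source": busiest})
    return alerts
```

Calling find_enumeration(SAMPLE_LOG, "example.com") flags the first window, where six nonexistent names arrive from five sources and no single source asks for more than two.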


Using the Tool

The most basic use of the tool, which includes reverse DNS lookups and name alterations:

$ amass -d example.com

If you need Amass to run faster and only use the passive data sources:

$ amass -nodns -d example.com

The example below is a good place to start with amass:

$ amass -v -ip -brute -min-for-recursive 3 -d example.com
[Google] www.example.com
[VirusTotal] ns.example.com
13139 names discovered - archive: 171, cert: 2671, scrape: 6290, brute: 991, dns: 250, alt: 2766

Add some additional domains to the enumeration:

$ amass -d example1.com,example2.com -d example3.com


Additional switches available through the amass CLI:

| Flag | Description | Example |
|------|-------------|---------|
| -active | Enable active recon methods | amass -active -d example.com net -p 80,443,8080 |
| -bl | Blacklist undesired subdomains from the enumeration | amass -bl blah.example.com -d example.com |
| -blf | Identify blacklisted subdomains from a file | amass -blf data/blacklist.txt -d example.com |
| -brute | Perform brute force subdomain enumeration | amass -brute -d example.com |
| -df | Specify the domains to be enumerated via text file | amass -df domains.txt |
| -freq | Throttle the rate of DNS queries by number per minute | amass -freq 120 -d example.com |
| -h | Show the amass usage information | amass -h |
| -ip | Print IP addresses with the discovered names | amass -ip -d example.com |
| -json | All discoveries written as individual JSON objects | amass -json out.json -d example.com |
| -l | List all the domains to be used during enumeration | amass -whois -l -d example.com |
| -log | Log all error messages to a file | amass -log amass.log -d example.com |
| -min-for-recursive | Discoveries required for recursive brute forcing | amass -brute -min-for-recursive 3 -d example.com |
| -noalts | Disable alterations of discovered names | amass -noalts -d example.com |
| -nodns | A purely passive mode of execution | amass -nodns -d example.com |
| -norecursive | Disable recursive brute forcing | amass -brute -norecursive -d example.com |
| -o | Write the results to a text file | amass -o out.txt -d example.com |
| -oA | Output to all available file formats with prefix | amass -oA amass_scan -d example.com |
| -r | Specify your own DNS resolvers | amass -r, -d example.com |
| -rf | Specify DNS resolvers with a file | amass -rf data/resolvers.txt -d example.com |
| -v | Output includes data source and summary information | amass -v -d example.com |
| -version | Print the version number of amass | amass -version |
| -w | Change the wordlist used during brute forcing | amass -brute -w wordlist.txt -d example.com |
| -whois | Search using reverse whois information | amass -whois -d example.com |


Have amass send all the DNS and infrastructure enumerations to the Neo4j graph database:

$ amass -neo4j neo4j:[email protected]:7687 -d example.com

Here are switches for outputting the DNS and infrastructure findings as a network graph:

| Flag | Description | Example |
|------|-------------|---------|
| -d3 | Output a D3.js v4 force simulation HTML file | amass -d3 network.html -d example |
| -gexf | Output to Graph Exchange XML Format (GEXF) | amass -gexf network.gexf -d example.com |
| -graphistry | Output Graphistry JSON | amass -graphistry network.json -d example.com |
| -visjs | Output HTML that employs VisJS | amass -visjs network.html -d example.com |


Network/Infrastructure Options

Caution: If you use these options, amass will attempt to reach out to every IP address within the identified infrastructure and obtain names from TLS certificates. This is “loud” and can reveal your reconnaissance activities to the organization being investigated.

All the flags shown here require the ‘net’ subcommand to be specified first.

To discover all domains hosted within target ASNs, use the following option:

$ amass net -asn 13374,14618

To investigate within target CIDRs, use this option:

$ amass net -cidr,

For specific IPs or address ranges, use this option:

$ amass net -addr,

By default, port 443 will be checked for certificates, but the ports can be changed as follows:

$ amass net -cidr -p 80,443,8080

