How to Use Amass for Subdomain Enumeration and Recon Like a Pro

Let’s talk about Amass, the open-source OWASP project built for subdomain enumeration and attack surface discovery. In short, it digs up hidden subdomains, maps out the infrastructure behind them, and surfaces the assets most likely to be weak spots during a penetration test or bug bounty hunt.

What sets Amass apart from basic subdomain finders is how it mixes techniques. On the passive side it pulls from OSINT: Certificate Transparency logs, APIs like Shodan and Censys, and public datasets. On the active side it does DNS brute forcing, name permutations, web scraping, and reverse lookups. It also maps the results using ASN discovery and WHOIS data, and stores everything in a graph database so the relationships survive between runs. That combination makes it a strong recon tool for ethical hackers, pen testers, and security researchers.

Why Security Researchers and Bug Hunters Use Amass

In bug bounty work, recon is everything. The more hidden assets you uncover, the better your odds of finding a vulnerability nobody else has reported. Amass gives bug hunters an edge because:

It finds forgotten subdomains like dev.example.com, staging.example.com, or vpn.example.com.
It widens the attack surface by mapping related domains and IPs.
It can go stealth with passive OSINT or get aggressive with active enumeration.
It hooks into APIs like Shodan, Censys, and SecurityTrails for some premium data.
You can track domain history to spot new assets popping up.


Installing Amass

Installation on Linux

Linux users can install Amass in several ways. Whichever you pick, run amass -version afterwards and keep the version in mind: the v4 series reworked the command line and dropped or renamed some flags and subcommands from v3 (this post follows the v3-era syntax), so if a command below errors out, check amass enum -h for the equivalent on your build.

Method 1: Using apt (Debian/Ubuntu)

sudo apt update && sudo apt install amass

Method 2: Download Precompiled Binary

wget https://github.com/owasp-amass/amass/releases/latest/download/amass_Linux_amd64.zip
unzip amass_Linux_amd64.zip
sudo mv amass_Linux_amd64/amass /usr/local/bin/

Method 3: Install via Go (latest version)

go install github.com/owasp-amass/amass/v4/...@master

Installation on macOS

brew install amass

Installation on Windows

  • Download the latest amass_Windows_amd64.zip from the GitHub releases page
  • Extract the zip
  • Add amass.exe to your PATH

Understanding the Core Functionalities

Subdomain enumeration — passive (OSINT) & active (DNS bruteforce, scraping)

This is all about finding hostnames under a target domain, like api.example.com or staging.example.com. Those hidden subdomains are gold for attackers—think staging panels, old admin pages, or test APIs.

How Amass Does It:

Passive: it quietly checks Certificate Transparency logs (crt.sh), public datasets, DNSDB-style passive DNS services, APIs like Censys and SecurityTrails, search engines, GitHub, and other OSINT sources. The target sees no traffic from you at all; only the third-party services see your queries.

Active: It fires off DNS queries (A/AAAA/CNAME), guesses with wordlists, mixes up permutations, and even crawls pages to snag more names.

Passive only:

amass enum -passive -d example.com -o passive.txt

Default enum (mix):

amass enum -d example.com -o amass_all.txt

Brute forcing (explicit):

amass enum -d example.com -brute -w /path/to/wordlist.txt -o brute.txt

Include source metadata:

amass enum -d example.com -src -o with_sources.txt

DNS resolution & validation — verifies discovered names resolve

This is about making sure the hostnames you find actually point at IP addresses or other legitimate DNS records (A, AAAA, CNAME, MX, TXT). It saves you from chasing dead ends: a name that does not resolve is not worth testing right away, though it is still worth keeping, since stale names sometimes come back when a team redeploys.

Resolution is built into enumeration: add -ip to print the resolved addresses next to each name. You can also point it at a custom resolver list with -r resolvers.txt to spread the load and avoid the rate limits public resolvers impose; validate that list first, since a broken or lying resolver will silently poison your results.

amass enum -d example.com -ip -o resolved.txt
amass enum -d example.com -r resolvers.txt -o resolved_custom.txt

After Amass resolution, run httpx or nmap to confirm services:

cat resolved.txt | cut -f1 -d " " | httpx -silent -o live.txt
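Here is an added example (my own glue, not Amass code and not from the original post) that turns the name-plus-IP lines from amass enum -ip into a host list for httpx and a unique IP list for nmap, and flags names that resolve into private or loopback space. Those are worth noticing: a public record pointing at 10.x or 127.x is usually a leaked internal hostname or a split-horizon DNS mistake, not a reachable target. The input format (name, space, comma-separated IPs) is assumed from the v3 -ip output, and the sample lines at the bottom are constructed.

```shell
#!/usr/bin/env bash
# Added example: post-process "name ip,ip" lines as printed by `amass enum -ip`.
# Not part of Amass; the input format is assumed from the v3 -ip output.

amass_hosts() {            # stdin: amass -ip output -> stdout: unique hostnames
  awk 'NF >= 1 { print tolower($1) }' | sort -u
}

amass_ips() {              # stdin: amass -ip output -> stdout: unique addresses (v4 and v6)
  awk 'NF >= 2 { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' | sort -u
}

is_private_v4() {          # $1: dotted quad; returns 0 for RFC1918, loopback, link-local, CGNAT
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  a=$1; b=${2:-0}
  case "$a" in
    10|127) return 0 ;;
  esac
  case "$a.$b" in
    192.168|169.254) return 0 ;;
  esac
  [ "$a" = 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
  [ "$a" = 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 0
  return 1
}

amass_private_leaks() {    # stdin: amass -ip output -> stdout: "host ip" for each private IPv4
  while read -r host ips; do
    [ -n "$host" ] || continue
    for ip in $(printf '%s\n' "$ips" | tr ',' ' '); do
      case $ip in *:*) continue ;; esac       # IPv6 is out of scope for this check
      if is_private_v4 "$ip"; then
        printf '%s %s\n' "$host" "$ip"
      fi
    done
  done
}

# Constructed sample of what `amass enum -d example.com -ip` prints (not real data)
SAMPLE_AMASS_IP_OUTPUT='www.example.com 93.184.216.34
vpn.example.com 10.20.30.40,203.0.113.5
api.example.com 2606:2800:220:1:248:1893:25c8:1946
www.example.com 93.184.216.34'

# Real usage:  amass_hosts < resolved.txt > hosts.txt ; httpx -l hosts.txt -silent -o live.txt
#              amass_ips   < resolved.txt > ips.txt   ; nmap -iL ips.txt -sV -oA nmap_output
printf '%s\n' "$SAMPLE_AMASS_IP_OUTPUT" | amass_hosts
printf '%s\n' "$SAMPLE_AMASS_IP_OUTPUT" | amass_ips
printf '%s\n' "$SAMPLE_AMASS_IP_OUTPUT" | amass_private_leaks
```

Run the private-leak check before any port scan: a hostname pointing at 10.20.30.40 tells you something about the target's internal layout (and belongs in the report), but scanning it from outside only wastes time and makes noise.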

Brute forcing & permutations — custom wordlists + alterations

This is guessing subdomains from wordlists and adding prefixes, suffixes, or inserted words to find names that were never published anywhere. Plenty of staging and dev hosts never show up in CT logs because they sit behind wildcard certificates or internal CAs, so guessing the common ones is the only way to surface them.

The -brute flag takes a -w wordlist. -alts switches on Amass's built-in alteration rules, and -aw points at a wordlist of your own alteration terms. Recursion into newly found subdomains is on by default when brute forcing: -norecursive turns it off, and -min-for-recursive N only recurses into a subdomain once N names have been found under it.

amass enum -d example.com -brute -w /usr/share/wordlists/subdomains-top1million.txt -o brute.txt
amass enum -d example.com -brute -w words.txt -dir ./project -o results.txt

Use focused, curated lists (company products, team names, internal jargon) instead of huge generic ones for faster, quieter results. Keep recursion shallow, and only brute-force hosts that are in scope: it is noisy, it lands in the target's DNS logs, and it can look like an attack against resolvers you do not own.
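An added example (not Amass code and not from the original post) of the curated-list idea: take names Amass already confirmed, mutate the first label with a short affix list and a numeric suffix, and feed the candidates back through a resolver (massdns, or amass enum with -nf). The affix list and seed names here are constructed; real ones come from the target's product names, job ads, and the naming patterns you see in its existing CNAMEs.

```shell
#!/usr/bin/env bash
# Added example: generate permutations of already-confirmed names for a second
# resolution pass. Not part of Amass. Assumes input names are lowercase, without
# trailing dots or wildcard prefixes; names outside the root in $1 are skipped.

permute_names() {          # $1: root domain, $2: comma-separated affixes; stdin: known names
  awk -v root="$1" -v affix_list="$2" '
    BEGIN {
      n = split(affix_list, affixes, ",")
      suffix = "." root
    }
    {
      name = tolower($0)
      if (name == root || name == "") next
      if (substr(name, length(name) - length(suffix) + 1) != suffix) next   # out of scope
      labels = substr(name, 1, length(name) - length(suffix))              # "api" or "v1.api"
      np = split(labels, parts, ".")
      first = parts[1]                                                      # label we mutate
      rest = (np > 1) ? substr(labels, length(first) + 1) : ""              # ".api" remainder
      for (i = 1; i <= n; i++) {
        a = affixes[i]
        out[first "-" a rest suffix] = 1      # api-dev.example.com
        out[a "-" first rest suffix] = 1      # dev-api.example.com
        out[a "." labels suffix] = 1          # dev.api.example.com
        out[first a rest suffix] = 1          # apidev.example.com
      }
      for (k = 1; k <= 3; k++) out[first k rest suffix] = 1   # api1, api2, api3
    }
    END { for (c in out) print c }' | sort -u
}

# Constructed seeds (illustration only); real input is your resolved name list
SEED_NAMES='api.example.com
v1.api.example.com'

# Usage: permute_names example.com dev,staging,uat < resolved_names.txt > candidates.txt
#        then resolve candidates.txt with massdns, or: amass enum -d example.com -nf candidates.txt
printf '%s\n' "$SEED_NAMES" | permute_names example.com dev,staging,uat
```

Candidates are never resolved here, only generated; keeping generation separate lets you inspect the list (and cut it down) before you send a burst of queries at the target's nameservers.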

Reverse WHOIS and ASN lookups — find hosts in a target’s AS

This is about finding Autonomous System Numbers (ASNs) and reversing IP ranges or WHOIS records to spot related infrastructure. Companies spread stuff across IPs and third-party hosts, so ASN lookups can reveal extra domains that might be useful.

amass intel -asn 13335 -o asn_domains.txt
amass enum -d example.com -asn 13335 -o asn_enum.txt

amass intel -asn lists the root domains Amass has seen in that AS's address space, and enum -asn takes ASN numbers (not a bare flag) and adds their ranges to the enumeration scope so reverse lookups run against them. ASN 13335 above is Cloudflare and is only an illustration: a shared CDN or cloud AS returns thousands of unrelated domains, so aim for the smaller ASNs the target actually owns. Use ASN results to pivot into IP-range scans only after confirming ownership through CT logs, CNAMEs, or WHOIS, or you will end up scanning someone else's network.

Infrastructure mapping — graph DB & relationships

This is building a graph that links domains to subdomains, IPs, ASNs, certs, and providers. Context is key—a list of subdomains is cool, but seeing patterns like shared IPs or CNAMEs helps you prioritize targets.

Use -dir so every subcommand reads and writes the same database directory. amass viz renders that graph (-d3 writes an interactive HTML page and -dot a Graphviz file; its -o is an existing directory for the output files, not a filename), and amass track reports what changed between the enumerations stored there.

amass enum -d example.com -dir ~/amass_data/example -o out.txt
mkdir -p ~/amass_data/example/viz
amass viz -d3 -dir ~/amass_data/example -o ~/amass_data/example/viz
amass track -d example.com -dir ~/amass_data/example > changes.txt

For heavier queries, export the graph through one of viz's formats (DOT, GEXF) into Gephi, Graphviz, or a graph database such as Neo4j. Put the visuals in reports: a picture of shared IPs and CNAME chains tells the story faster than a list.

Basic Usage of Amass

Simple domain enumeration

Get a baseline list of candidate subdomains.

amass enum -d example.com -o example.txt

This runs default enumeration (mix of passive + best-effort active depending on config).

Passive enumeration

Stealthy discovery with no direct DNS or bruteforce activity.

amass enum -passive -d example.com -o passive_results.txt

Collect passive results first and store them in a -dir database before doing anything active; that baseline is what later runs and amass track compare against.

Active enumeration

Deeper discovery via DNS probing and bruteforce.

amass enum -d example.com -brute -w /path/to/wordlist.txt -o active_results.txt

Amass Modes

enum — Subdomain enumeration

amass enum is the core discovery engine. It pulls subdomains from passive OSINT sources, then (unless -passive is set) resolves them with active DNS probing, brute forcing, and permutations/alterations, and records the validated results in the graph database. Think of it as the Swiss-army knife for building a solid subdomain list.

amass enum -d example.com -brute -w wordlist.txt -dir ./example_db -src -o enum.txt

viz — Data Visualization

amass viz turns the Amass graph DB into cool visuals—like interactive D3/HTML or Graphviz formats. It lets you spot connections, like which subdomains share IPs, where CNAMEs point, and how ASNs tie domains together.

mkdir -p ./viz_out
amass viz -d3 -dir ./example_db -o ./viz_out

intel — Gathering Target Intelligence

amass intel digs up high-level target intel—stuff like ASNs, WHOIS info, related domains from certificate transparency and passive sources, IP blocks, and sometimes even contact or ownership hints.

amass intel -d example.com -o intel.txt
amass intel -asn 15169 -whois -o google_intel.txt

track — Monitoring Changes in Assets

amass track compares a fresh enumeration run against the Amass DB stored in -dir and flags new or removed nodes. It’s like a change detector for your attack surface.

amass track -d example.com -dir ./example_db > changes.txt

db — Interacting with Amass Database

amass db gives you commands to inspect and manage the internal graph DB where Amass keeps its objects and relationships: -list shows the enumerations stored in the directory, and -names dumps the discovered names for a domain.

amass db -dir ./example_db -list
amass db -dir ./example_db -d example.com -names

Configuration & API Keys (how to get best results)

API keys unlock premium/paid sources that significantly boost passive discovery coverage (more certs, historical data, device fingerprints).

Common APIs

The sources this post leans on are Shodan, Censys, and SecurityTrails. amass enum -list prints every data source Amass supports, so you can see which ones you still lack keys for.

Configuring config.yaml

Typical location: ~/.config/amass/config.yaml, or a custom path passed with -config. The key layout is version-specific: v3 used an INI file (config.ini) with one section per data source, while v4 keeps scope and options in config.yaml and points at a separate datasources.yaml that holds the credentials. Start from the files under examples/ in the Amass repository rather than typing the structure from memory. The v4 layout looks like this (illustrative values; verify against the example files shipped with your version):

config.yaml:

scope:
  domains:
    - example.com
options:
  datasources: "./datasources.yaml"

datasources.yaml:

datasources:
  - name: SecurityTrails
    creds:
      account:
        apikey: SECURITYTRAILS_APIKEY
  - name: Censys
    creds:
      account:
        apikey: CENSYS_ID
        secret: CENSYS_SECRET
  - name: Shodan
    creds:
      account:
        apikey: SHODAN_APIKEY

Treat these files like a password file: chmod 600, keep them out of version control, and rotate a key if it ever lands in a repo or a screenshot.

How to use

amass enum -d example.com -config ~/.config/amass/config.yaml -o out.txt

Combine techniques

Combining passive & active enumeration

  1. Passive: amass enum -passive -d example.com -dir ./db -o ./db/passive.txt
  2. Merge additional passive tools: subfinder, assetfinder, a direct crt.sh query
  3. Active: feed the deduplicated list back in with -nf (known names; not -df, which expects a file of root domains) and brute-force on top of it
subfinder -d example.com -silent > subfinder.txt
cat ./db/passive.txt subfinder.txt | sort -u > merged.txt
amass enum -d example.com -nf merged.txt -brute -w words.txt -dir ./db -o final.txt
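The merge step above is where most scope mistakes happen, so here is an added example (my own, not part of Amass or the original post) that normalises and deduplicates the output of several tools, keeps only names under the root you are authorised to test, and drops a blacklist of hosts you must not touch. The file names and the demo contents are constructed.

```shell
#!/usr/bin/env bash
# Added example: merge candidate names from several tools into one in-scope,
# deduplicated list before the active (brute-force) phase. Not part of Amass.

normalize_names() {        # stdin: raw names from any tool -> stdout: lowercase, trimmed, unique
  tr 'A-Z' 'a-z' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^\*\.//' -e 's/\.$//' |
    awk 'NF' | sort -u
}

in_scope() {               # $1: root domain; stdin: names -> stdout: the root itself or names under it
  awk -v root="$1" '$0 == root || substr($0, length($0) - length(root)) == "." root'
}

drop_blacklisted() {       # $1: file of exact names to drop (may be missing); stdin: names
  awk -v blf="$1" 'BEGIN { while ((getline l < blf) > 0) bl[l] = 1 } !($0 in bl)'
}

merge_in_scope() {         # $1: root, $2: blacklist file, $3...: input files
  root=$1; bl=$2; shift 2
  cat "$@" | normalize_names | in_scope "$root" | drop_blacklisted "$bl"
}

# Real usage: merge_in_scope example.com blacklist.txt ./db/passive.txt subfinder.txt > merged.txt

# Constructed demo inputs (not real data): mixed case, a wildcard, a trailing dot,
# a look-alike domain that is out of scope, and one blacklisted host
demo=$(mktemp -d)
printf 'WWW.Example.com\n*.dev.example.com\nmail.example.com.\n' > "$demo/amass.txt"
printf 'www.example.com\ncdn.examplecdn.net\nstaging.example.com\nlegacy.example.com\n' > "$demo/subfinder.txt"
printf 'legacy.example.com\n' > "$demo/blacklist.txt"
merge_in_scope example.com "$demo/blacklist.txt" "$demo/amass.txt" "$demo/subfinder.txt"
rm -rf "$demo"
```

The suffix test in in_scope compares the last characters against ".example.com", so examplecdn.net and notexample.com are rejected even though a naive grep for "example.com" would keep them; that is exactly the kind of host that gets people in trouble with a bug bounty program.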

Advanced Amass Commands

Recursive brute forcing

Recursion is on by default once -brute is set: every newly found subdomain gets the wordlist applied to it in turn, which is how you reach names like db.internal.example.com. Raise -min-for-recursive if it runs away on a large wordlist, or pass -norecursive for a flat run.

amass enum -d example.com -brute -w large_wordlist.txt -min-for-recursive 2 -dir ./db_recursive

Using alterations for discovering variations

amass enum -d example.com -brute -w words.txt -alts -o altered.txt

ASN-based discovery

amass intel -asn 15169 -whois -o asn_google.txt

Then run enumeration on discovered domains.

Discovering related domains (certificate correlation)

Pull CT logs and search for matching SANs.

amass intel -d example.com will collect cert-linked domains.

Integrating Amass with other tools (MassDNS, Subfinder, httpx, nuclei)

subfinder and Amass merge

subfinder -d example.com -silent > subfinder.txt
amass enum -d example.com -nf subfinder.txt -o merged.txt

massdns for fast resolution

massdns -r resolvers.txt -t A -o S -w resolved.txt merged.txt

httpx to probe for live services (massdns's simple output format is "name. A ip", so strip the trailing dot before probing)

awk '{ sub(/\.$/, "", $1); print $1 }' resolved.txt | sort -u | httpx -silent -o live.txt

nuclei/ffuf for vuln scanning

cat live.txt | nuclei -t ~/nuclei-templates/ -o vulns.txt

Filtering results with flags (-exclude, -include, -bl)

-include and -exclude take data source names (as printed by amass enum -list), not domains: use them to skip a slow or rate-limited source, or to run only the sources you have keys for. To keep a hostname or a whole subtree out of the run, use -bl (comma-separated names) or -blf (a file of them).

amass enum -d example.com -exclude Shodan,Censys -o without_two_sources.txt
amass enum -d example.com -bl cdn.example.com,legacy.example.com -o filtered.txt

Custom DNS resolvers

Create resolvers.txt with one resolver per line (for example 1.1.1.1, 8.8.8.8, and OpenDNS's 208.67.222.222), then use:

amass enum -d example.com -r resolvers.txt -o via_resolvers.txt

Real-World Bug Bounty Use

Finding hidden assets & forgotten subdomains

  • Look for dev, staging, test, uat, internal, admin, portal suffixes/prefixes.
  • Use permutations and company-product wordlists.

Expanding attack surface during reconnaissance

  • Use Amass to feed downstream scanners (httpx, Nmap) to find live hosts, open ports, and services quickly.

Chaining Amass results with Nmap, Httpx, and Aquatone

  • httpx for live HTTP servers
  • nmap for deeper port/service fingerprinting
  • aquatone for screenshots and manual review
    Pipeline snippet (nmap -iL expects bare hosts or IPs and masscan only takes IPs, so turn the URLs in live.txt into a host list, hosts.txt, before the port scan):
cat merged.txt | httpx -silent -threads 200 -o live.txt
nmap -sV -iL hosts.txt -p- -oA nmap_output
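The pipeline snippet above hands httpx output to nmap, but httpx writes URLs and nmap -iL wants bare hosts. Here is an added example (mine, not from httpx, nmap, Amass, or the original post) that does that conversion and also collects the port set httpx actually saw, so a quick targeted scan can run before the slow -p- sweep. The live.txt content is constructed; bracketed IPv6 literals are not handled.

```shell
#!/usr/bin/env bash
# Added example: bridge httpx output (URLs) to nmap input (hosts plus a port set).
# Not part of httpx, nmap, or Amass. Assumes one URL per line as httpx -o writes them.

urls_to_hosts() {          # stdin: URLs -> stdout: unique bare hostnames for nmap -iL
  sed -E 's#^[a-z]+://##; s#[/?].*$##; s#:[0-9]+$##' | sort -u
}

urls_to_ports() {          # stdin: URLs -> stdout: comma-separated port set for nmap -p
  sed -E 's#^([a-z]+)://[^/:?]+(:([0-9]+))?.*$#\1 \3#' |
    awk '{ p = $2; if (p == "") p = ($1 == "https") ? 443 : 80; print p }' |
    sort -n | uniq |
    awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Constructed sample of httpx -o output (not real data)
SAMPLE_LIVE='https://admin.example.com:8443/login
http://www.example.com
https://www.example.com
http://dev.example.com:8080'

# Real usage: a quick pass on the ports httpx saw, then the full sweep as a separate job
#   urls_to_hosts < live.txt > hosts.txt
#   nmap -sV -iL hosts.txt -p "$(urls_to_ports < live.txt)" -oA nmap_quick
#   nmap -sV -iL hosts.txt -p- -oA nmap_full
printf '%s\n' "$SAMPLE_LIVE" | urls_to_hosts
printf '%s\n' "$SAMPLE_LIVE" | urls_to_ports
```

Scheme defaults (443 for https, 80 for http) are filled in when httpx omitted the port, so the quick scan covers every service httpx already confirmed rather than only the non-standard ones.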

Automating reconnaissance pipelines

  • Cron/CI to run amass enum nightly -> amass track -> alert on new nodes.
  • Slack/email webhook integration for new findings.

Scripting & Automation with Amass

Writing bash scripts with Amass

#!/usr/bin/env bash
set -euo pipefail
TARGET="${1:?usage: $0 <domain>}"
OUTDIR="$HOME/recon/$TARGET"
mkdir -p "$OUTDIR"
# Passive only: no brute forcing, so nothing hits the target's nameservers
amass enum -passive -d "$TARGET" -dir "$OUTDIR" -o "$OUTDIR/passive.txt"
# Probe the candidates for live HTTP services
httpx -l "$OUTDIR/passive.txt" -silent -o "$OUTDIR/live.txt"

Using Amass in CI/CD pipelines

  • Run Amass during build/deploy to detect leaked public assets.
  • Fail pipelines if new public domains appear unexpectedly.

Automating with cron jobs

0 2 * * * /usr/local/bin/amass enum -passive -d example.com -dir /data/amass/example >/var/log/amass.log 2>&1
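The cron entry above only logs. Here is an added wrapper (mine, not Amass's and not from the original post) that keeps dated snapshots of the name list, diffs the newest two so only genuinely new assets get reported, and formats a Slack incoming-webhook payload; it serves both the nightly-pipeline idea in the Real-World section and this cron job. Paths, snapshot labels, and the SLACK_WEBHOOK_URL variable are assumptions, and the sample names are constructed.

```shell
#!/usr/bin/env bash
# Added example: snapshot-and-diff wrapper for a nightly Amass job. Not part of
# Amass; it only needs a name list on stdin (amass enum -o output, or the names
# dumped from the -dir database). Snapshots are plain sorted text files, so the
# history survives an upgraded or corrupted Amass database.

record_snapshot() {        # $1: snapshot dir, $2: label (default: timestamp); stdin: names -> stdout: new names
  dir=$1; label=${2:-$(date +%Y%m%d-%H%M%S)}
  mkdir -p "$dir"
  prev=$(ls "$dir"/*.txt 2>/dev/null | LC_ALL=C sort | tail -n 1)
  cur="$dir/$label.txt"
  LC_ALL=C sort -u > "$cur"                   # comm needs both sides sorted in the same locale
  if [ -n "$prev" ] && [ "$prev" != "$cur" ]; then
    LC_ALL=C comm -13 "$prev" "$cur"          # only in the current snapshot = new assets
  else
    cat "$cur"                                # first run: everything is new
  fi
}

removed_names() {          # $1: older snapshot, $2: newer snapshot -> names that disappeared
  LC_ALL=C comm -23 "$1" "$2"
}

format_alert() {           # $1: target label; stdin: new names -> stdout: Slack-style JSON text payload
  names=$(cat)
  [ -n "$names" ] || return 0                 # nothing new: no payload, no alert
  count=$(printf '%s\n' "$names" | wc -l | tr -d ' ')
  body=$(printf '%s\n' "$names" | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }')
  printf '{"text":"[amass] %s new asset(s) for %s:\\n%s"}\n' "$count" "$1" "$body"
}

post_alert() {             # stdin: JSON payload -> POSTs to $SLACK_WEBHOOK_URL if set, else prints it
  payload=$(cat)
  [ -n "$payload" ] || return 0
  if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
    curl -sS -X POST -H 'Content-type: application/json' --data "$payload" "$SLACK_WEBHOOK_URL"
  else
    printf '%s\n' "$payload"
  fi
}

# Cron-friendly usage (paths assumed):
#   amass enum -passive -d example.com -dir /data/amass/example -o /tmp/names.txt
#   record_snapshot /data/amass/example/snapshots < /tmp/names.txt | format_alert example.com | post_alert
```

Hostnames contain no characters that need JSON escaping, which is why format_alert can build the payload with printf; if you ever put free text in the message, escape it properly. Removed names are worth a second, lower-priority alert: a host that vanished from DNS is often one that was just decommissioned, and its IP may be up for grabs (subdomain takeover territory).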

Amass is a beast when it comes to coverage, context, and persistence. It is a must-have for modern bug bounty recon and penetration testing because it digs up more assets and shows how domains, IPs, and services connect. Pair it with massdns, httpx, and nuclei for a fast, solid pipeline that turns raw OSINT into test targets you can actually use, and keep every active step inside the scope you were given.
