In-depth Attack Surface Mapping and Asset Discovery.



sudo snap install amass


docker build -t amass


amass intel|enum|viz|track|db [options]


Usage: amass intel|enum|viz|track|db [options]

  -h    Show the program usage message
  -help
        Show the program usage message
  -version
        Print the version number of this Amass binary


    amass intel - Discover targets for enumerations
    amass enum  - Perform enumerations and network mapping
    amass viz   - Visualize enumeration results
    amass track - Track differences between enumerations
    amass db    - Manipulate the Amass graph database

The user's guide can be found here:

An example configuration file can be found here:

Amass Intel

Reverse whois

This method is invoked using the -whois flag. Essentially it takes the details from the specified domain’s whois records, and then tries to find other domains with similar whois records.

$ amass intel -d -whois

SSL Certificate Grabbing

If you feed IP addresses to Amass and give it the -active flag, it pulls the SSL certificate from every IP address within the IP range and then spits back the domain that the SSL cert is associated with. For example, running it on a well-known PayPal-owned CIDR range:

$ amass intel -active -cidr

Using ASNs (Autonomous System Numbers)

$ amass intel -org "Tesla"
394161, TESLA - Tesla

I don’t know what TESLATEL-AS is, but that last one looks like it is probably Tesla (the Elon Musk owned Electric Car company). Now we can use that ASN number (394161) to get some more domains, like this:

$ amass intel -active -asn 394161

I’m not sure about, but the other domains look like they’re probably owned by Tesla. So now we have 4 root domains to investigate. Nice!

Putting Amass intel techniques together recursively

Amass works recursively. It takes the results it gets from one method and feeds them into the other method, and it keeps doing this until no new results are returned. So, for example, we can do this:

$ amass intel -asn 394161 -whois -d

Amass Enum

$ amass enum -d

OWASP Amass v3.10.1                     
2 names discovered - cert: 2
ASN: 15133 - EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business
      2606:2800:220::/48      2    Subdomain Name(s)         2    Subdomain Name(s)

The enumeration has finished
Discoveries are being migrated into the local database
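
For teams inventorying their own attack surface, the summary printed above can be turned into structured data and checked against the ASNs you expect to host your assets. The following is an added example, not part of the original page or of the Amass project: the sample text is constructed with documentation-reserved ASNs and netblocks, the comma-separated multi-source header is an assumption about the layout, and `unexpected_asns` is a hypothetical helper.

```python
import ipaddress
import re

# Constructed sample in the layout of the summary shown above; the ASNs and
# netblocks are documentation-reserved values, not real scan results.
SAMPLE = """\
OWASP Amass v3.10.1
3 names discovered - cert: 2, scrape: 1
ASN: 64500 - EXAMPLE-NET - Example Hosting, Inc.
      192.0.2.0/24            2    Subdomain Name(s)
      2001:db8::/32           1    Subdomain Name(s)
ASN: 64501 - EXAMPLE-CDN - Example CDN Ltd.
      not-a-cidr              1    Subdomain Name(s)
"""

TOTAL_RE = re.compile(r"^(\d+) names discovered - (.+)$")
ASN_RE = re.compile(r"^ASN: (\d+) - (.+)$")
BLOCK_RE = re.compile(r"^\s+(\S+)\s+(\d+)\s+Subdomain Name\(s\)\s*$")


def parse_summary(text):
    """Return {'total', 'sources', 'asns', 'unparsed'} for one summary."""
    out = {"total": None, "sources": {}, "asns": {}, "unparsed": []}
    current = None
    for line in text.splitlines():
        if m := TOTAL_RE.match(line):
            out["total"] = int(m.group(1))
            for part in m.group(2).split(","):
                name, _, count = part.partition(":")
                out["sources"][name.strip()] = int(count)
        elif m := ASN_RE.match(line):
            current = out["asns"].setdefault(
                int(m.group(1)), {"desc": m.group(2).strip(), "blocks": {}})
        elif (m := BLOCK_RE.match(line)) and current is not None:
            try:
                net = ipaddress.ip_network(m.group(1), strict=False)
            except ValueError:
                out["unparsed"].append(line.strip())  # keep, never drop silently
                continue
            current["blocks"][str(net)] = int(m.group(2))
        elif line.strip() and not line.startswith("OWASP Amass"):
            out["unparsed"].append(line.strip())
    return out


def unexpected_asns(summary, expected):
    """ASNs hosting discovered names that are not on the owner's allow-list."""
    return sorted(a for a in summary["asns"] if a not in expected)
```

Lines that do not fit the layout, including status messages and netblock rows with a malformed range, end up in `unparsed` so they can be reviewed by hand.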

Amass DB

Show domains in database

$ amass db -names

Show specific domain from database

$ amass db -show -d
Could take a moment while acquiring AS network information

OWASP Amass v3.10.1                     
2 names discovered - scrape: 2
ASN: 3549 - HP-INTERNET-AS Hewlett Packard Europe S.
      ::/0                    2    Subdomain Name(s)
ASN: 15133 - EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business         2    Subdomain Name(s)

URL List