CyberCheatsheets

Amass Cheat Sheet

In-depth attack surface mapping and subdomain enumeration via passive and active techniques.

Category: Reconnaissance & OSINT. Tags: attack-surface, dns, osint, subdomain. Updated 2026-06-02

Overview

OWASP Amass discovers subdomains and related assets using passive OSINT, DNS brute force, scraping, and API data sources. It builds a graph of the target’s external footprint for bug bounty and external pentests.

Authorized testing only. Passive mode still queries third-party APIs; active modes send DNS/traffic to the target. Configure API keys per RoE and legal constraints.

Install

sudo apt install -y amass
go install -v github.com/owasp-amass/amass/v4/...@master
amass -version

Essential commands

Passive enum (no direct DNS brute to target)

amass enum -passive -d target.example.com -o amass_passive.txt

Active enum

amass enum -active -d target.example.com -o amass_active.txt

Intel / ASN view

amass intel -asn 13335 -whois

Common workflows

Config with API keys (~/.config/amass/config.ini) —

amass enum -passive -d target.example.com -config ~/.config/amass/config.ini -dir amass_out/

Brute + wordlist —

amass enum -brute -d target.example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

JSON and visualization —

amass enum -d target.example.com -json amass.json
amass viz -d3 -dir amass_out/

Multiple domains —

amass enum -passive -df domains.txt -o subs.txt

Flags: amass enum

  -d example.com        Target domain
  -passive              Passive sources only
  -active               Active DNS brute/zone transfer
  -brute                Brute-force subdomains
  -w wordlist.txt       Wordlist for brute
  -o subs.txt           Output file
  -dir amass_out        Output directory (graph DB, logs)

Flags: amass intel

  -asn 13335            Enumerate by ASN
  -ip 1.2.3.0/24        Enumerate by IP range
  -whois example.com    WHOIS discovery
  -org "Example Inc"    Search by organization name

Flags: amass viz

  -d3                   Export D3.js graph visualization
  -dir amass_out        Graph database directory

Flags: amass (global)

  -config config.ini    Custom config file
  -silent               Minimal output
  -timeout 30           Per-DNS query timeout (minutes)
  -max-dns-queries 0    Cap DNS queries (0 = unlimited)

Tips

  • Populate API keys (VirusTotal, SecurityTrails, etc.) for dramatically better passive results.
  • Deduplicate against subfinder/assetfinder before httpx.
  • -dir preserves SQLite graph—useful for large programs.
  • Respect API rate limits; use -max-dns-queries on active scans.
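Merging the passive and active runs from the workflows above and deduplicating before the next tool, as an added example that is not part of the original cheat sheet: `merge_subs` is a hypothetical helper that normalizes plain one-host-per-line files such as those written by `amass enum -o`, drops anything outside the agreed root domain, and emits a sorted unique list. File names and sample hosts are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): combine several amass output files
# into one deduplicated, in-scope host list before handing it to the next tool.
# Assumes plain text, one hostname per line, as produced by "amass enum -o".

# merge_subs ROOT_DOMAIN FILE...
# Prints hosts that are ROOT_DOMAIN or one of its subdomains, lowercased,
# stripped of whitespace, trailing dots and leading "*." wildcards, sorted, unique.
# Hosts like "not-target.example.com" are rejected: the root must follow "^" or ".".
merge_subs() {
    root=$1; shift
    cat "$@" \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' -e 's/^\*\.//' \
      | grep -E "(^|\.)$(printf '%s' "$root" | sed 's/\./\\./g')\$" \
      | sort -u
}

# Constructed sample input standing in for amass_passive.txt and amass_active.txt.
demo_dir=$(mktemp -d)
printf 'www.target.example.com\nAPI.target.example.com\ndev.target.example.com.\n' \
    > "$demo_dir/amass_passive.txt"
printf 'api.target.example.com\n*.staging.target.example.com\nnot-target.example.com\nevil-target.example.com\n' \
    > "$demo_dir/amass_active.txt"

merge_subs target.example.com "$demo_dir/amass_passive.txt" "$demo_dir/amass_active.txt"
rm -rf "$demo_dir"
```

The scope filter is the check worth keeping: a stray out-of-scope hit in a merged list is what sends the next tool (httpx, a port scan) outside the RoE.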
