Amass - In-depth Subdomain Enumeration

The Amass tool performs scraping of data sources, recursive brute forcing, crawling of web archives, permuting and altering of names and reverse DNS sweeping to obtain additional subdomain names. Additionally, Amass uses the IP addresses obtained during resolution to discover associated netblocks and ASNs. All the information is then used to build maps of the target networks.

How to Install

A precompiled version is available for each release.
If your operating environment supports Snap, you can click here to install, or perform the following from the command-line:
$ sudo snap install amass
If you would like snap to get you the latest unstable build of amass, type the following command:
$ sudo snap install --edge amass

From Source
If you would prefer to build your own binary from the latest version of the source code, make sure you have a correctly configured Go >= 1.10 environment. More information about how to achieve this can be found on the golang website. Then, take the following steps:
  1. Download amass:
$ go get -u
At this point, the amass binary should be in $GOPATH/bin.
  1. Several wordlists can be found in the following directory:
$ ls $GOPATH/src/

Using the Tool
The most basic use of the tool, which includes reverse DNS lookups and name alterations:
$ amass -d
Add some additional domains to the enumeration:
$ amass -d, -d
Run Amass in a purely passive mode of execution that does not perform DNS resolution:
$ amass -nodns -d
You can also provide the initial domain names via an input file:
$ amass -df domains.txt
Get amass to provide the sources that discovered the subdomain names and print summary information:
$ amass -v -ip -brute -min-for-recursive 3 -d
13139 names discovered - archive: 171, cert: 2671, scrape: 6290, brute: 991, dns: 250, alt: 2766
Have amass print IP addresses with the discovered names:
$ amass -ip -d
Have amass write the results to a text file:
$ amass -ip -o out.txt -d
Log all error messages to a text file:
$ amass -log amass.log -d
Have all the data collected written to a file as individual JSON objects:
$ amass -json out.txt -d
Have amass output the DNS and infrastructure findings as a network graph:
$ amass -visjs vis.html -d
Output a file for Graphistry containing the data set in JSON format:
$ amass -graphistry network.json -d
Output a Graph Exchange XML Format (GEXF) file for Gephi:
$ amass -gephi network.gexf -d
Have amass output to all the available file formats using a provided file name prefix:
$ amass -v -ip -oA amass_scan -d
Have amass send all the DNS and infrastructure enumerations to the Neo4j graph database:
$ amass -neo4j neo4j:DoNotUseThisPassword@localhost:7687 -d
Specify your own DNS resolvers on the command-line or from a file:
$ amass -v -d -r,
The resolvers file can be provided using the following command-line switch:
$ amass -v -d -rf data/resolvers.txt
If you would like to blacklist some subdomains:
$ amass -bl -d
The blacklisted subdomains can be specified from a text file as well:
$ amass -blf data/blacklist.txt -d
The amass feature that performs alterations on discovered names can be disabled:
$ amass -noalts -d
Use active information gathering techniques to attempt DNS zone transfers on all discovered authoritative name servers and obtain TLS/SSL certificates for discovered hosts on all specified ports:
$ amass -active -d net -p 80,443,8080
Caution, this is an active technique that will reveal your IP address to the target organization.
Have amass perform brute force subdomain enumeration as well:
$ amass -brute -d
By default, amass performs recursive brute forcing on new subdomains; this can be disabled:
$ amass -brute -norecursive -d
If you would like to perform recursive brute forcing after enough discoveries have been made:
$ amass -brute -min-for-recursive 3 -d
Change the wordlist used during the brute forcing phase of the enumeration:
$ amass -brute -w wordlist.txt -d
Throttle the rate of DNS queries by number per minute:
$ amass -freq 120 -d
Allow amass to include additional domains in the search using reverse whois information:
$ amass -whois -d
You can have amass list all the domains discovered with reverse whois before performing the enumeration:
$ amass -whois -l -d
Only the first domain provided is used while performing the reverse whois operation.

Network/Infrastructure Options
Caution: If you use these options, amass will attempt to reach out to every IP address within the identified infrastructure and obtain names from TLS certificates. This is "loud" and can reveal your reconnaissance activities to the organization being investigated.
All the flags shown here require the 'net' subcommand to be specified first.
To discover all domains hosted within target ASNs, use the following option:
$ amass net -asn 13374,14618
To investigate within target CIDRs, use this option:
$ amass net -cidr,
For specific IPs or address ranges, use this option:
$ amass net -addr,
By default, port 443 will be checked for certificates, but the ports can be changed as follows:
$ amass net -cidr -p 80,443,8080

Integrating Amass into Your Work
If you are using the amass package within your own Go code, be sure to properly seed the default pseudo-random number generator:


func main() {
    output := make(chan *amass.AmassOutput)

    go func() {
        for result := range output {

    // Seed the default pseudo-random number generator

    // Setup the most basic amass configuration
    config := amass.CustomConfig(&amass.AmassConfig{Output: output})

    // Begin the enumeration process

Settings for the Amass Maltego Local Transform
  1. Setup a new local transform within Maltego:

  1. Configure the local transform to properly execute the go program:

  1. Go into the Transform Manager, and disable the debug info option:

Amass - In-depth Subdomain Enumeration Amass - In-depth Subdomain Enumeration Reviewed by Zion3R on 10:09 AM Rating: 5