OWASP Amass - Quick Tutorial & Example Usage

Amass is an intelligent tool used for information gathering and enhancement of the attack surface. This open-source tool helps in identifying hidden resources/targets through DNS enumeration and network mapping. Refer to other passive reconnaissance and active reconnaissance techniques to understand reconnaissance methods. Tool support rate-limiting (-max-dns-queries flag), DNS wildcard detection, DNS name alteration, etc. In this article, I have covered a quick tutorial & example usage of the OWASP Amass tool.

Following are the inputs to give output based on enumeration:

  • IP Range (x.x.x.x/24)
  • URL ( *.example.com)
  • Company name ( XYZ)
  • ASN number (AS 12312)

Note: This is not an exhaustive list of inputs.


OWASP Amass can be installed on Linux-based OS by using the below command:

go get -u http://github.com/OWASP/Amass/…
amass enum –list

For Mac OS,

brew tap caffix/amass
brew install amass
amass enum –list

To check whether amass is installed properly or not,

amass -h
amass -version

Amass Core Modules

amass intelDiscover targets for enumeration
amass enumDNS enumeration and network mapping
amass vizVisual enumeration results
amass trackIdentify differences between output results
amass dbUse graph database

Top Example Usage of OWASP Amass

(1) Basic Command to enum target

amass enum -d <URL>

(2) Mention ports for the scan

amass enum -d <URL> -p 443,8080

(3) Combining different options to get more refined results. -d options enable users to enter multiple URLs and -active options use active recon methods.

amass enum -d <URL1>,<URL2> -active 

(4) Perform brute force by using - brute option for subdomain enumeration. -src option display data sources for the discovered names and -demo option display results in a presentable manner

amass enum -brute -src -d <URL> -demo

(5) To do passive reconnaissance

amass enum -passive -d <URL> -src

Additional available options with an enum:

(6) Identify domains by using -whois option

amass intel -d <url> -whois

(7) Enable active recon method

amass intel -active -cidr

(8) Search based on ASN

amass intel -asn 23314,81323

(9) Search string based on AS description information

amass intel -org "google"

Additional available options with intel:

(10) Basic command using track option

amass track -d example.com

(11) Path to a file providing root domain names

amass track -df target.txt

Additional available options with the track:

(12) Basic command using viz. -d option enables users to enter multiple URLs and -d3 option output a D3.js v4 force simulation HTML file.

amass viz -d3 -d <URL>

Additional available options with viz:


Amass is a powerful tool for enumeration and the more you use it, the more options you are familiar with the tool. I hope you like this article, if I miss anything, let me know in the comments.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *