Table of Contents
Master Amass Tool v5.0.1 for professional subdomain enumeration, bug bounty hunting, penetration testing, and OSINT reconnaissance. This guide covers installation, basic to advanced techniques, and real-world applications.
What is Amass Tool v5?
Amass is the industry-leading open-source reconnaissance tool developed by OWASP for subdomain enumeration and network mapping. Used by cybersecurity professionals, penetration testers, and bug bounty hunters worldwide.
Key Features
- 100+ Data Sources: DNS databases, search engines, certificate transparency logs, web archives
- Passive & Active Modes: Stealth reconnaissance or comprehensive scanning
- High Performance: Concurrent processing with intelligent rate limiting
- Graph Database: Track assets and changes over time
- Free & Open Source: Enterprise features at zero cost
Primary Use Cases
- Subdomain discovery for bug bounty programs
- Attack surface mapping for penetration testing
- OSINT reconnaissance for threat intelligence
- Digital asset management and monitoring
- Red team operations and security assessments
Installation Guide
Linux Installation
# Ubuntu/Debian/Kali
sudo apt update && sudo apt install amass -y
amass -version
# From source (latest)
go install github.com/owasp-amass/amass/v4/...@master
macOS Installation
brew tap caffix/amass
brew install amass
Windows Installation
# Download from: github.com/owasp-amass/amass/releases
# Extract and add to PATH
# Or use: go install github.com/owasp-amass/amass/v4/...@master
Docker Installation
docker pull caffix/amass
docker run caffix/amass enum -d example.com
Complete Amass Subcommands Reference
Amass v5 provides six powerful subcommands, each designed for specific reconnaissance tasks. Understanding these subcommands is essential for mastering the tool.
Command Structure:
amass [subcommand] [options]
Available Subcommands Overview
| Subcommand | Purpose | Common Use |
|---|---|---|
| enum | Interface with the engine that performs enumerations | Primary subdomain enumeration |
| subs | Analyze and present discovered subdomains and associated data | View existing enumeration results |
| assoc | Query the OAM along the walk defined by the triples | Advanced graph database queries |
| track | Analyze OAM data to identify newly discovered assets | Monitor changes over time |
| viz | Analyze OAM data to generate graph visualizations | Visual network mapping |
| engine | Run the Amass collection engine to populate the OAM database | Direct database population |
Note: OAM stands for “Open Asset Model” – Amass’s graph database that stores relationships between discovered assets.
1. ENUM Subcommand (Primary Tool)
Purpose: Interface with the engine that performs enumerations. The most commonly used and powerful subcommand for subdomain discovery, network mapping, and attack surface enumeration.
Key Point: The
enumsubcommand is your primary tool for subdomain discovery. It supports both passive and active reconnaissance techniques with 100+ data sources.
ENUM Command Overview:
# Basic syntax
Usage: amass enum [options] -d DOMAIN
When to Use ENUM:
Perfect for:
• Bug bounty reconnaissance: Initial subdomain discovery for targets
• Penetration testing: Attack surface identification
• Security assessments: Comprehensive asset inventory
• OSINT investigations: Passive intelligence gathering
• Infrastructure mapping: Network topology discovery
• Continuous monitoring: Track new assets over time
• Red team operations: Reconnaissance phase
How ENUM Works:
ENUM operates in multiple phases:
1. Data Source Collection:
• Queries 100+ passive data sources (Certificate Transparency, DNS databases, search engines)
• Uses API integrations when configured (Shodan, VirusTotal, SecurityTrails, etc.)
• Scrapes public records and historical data2. Active Reconnaissance (if enabled):
• Attempts DNS zone transfers on target nameservers
• Performs certificate grabbing from discovered hosts
• Queries authoritative DNS servers directly3. DNS Brute Forcing (if enabled):
• Tests wordlist entries against target DNS
• Supports recursive brute forcing for multi-level subdomains
• Generates patterns using hashcat-style masks4. Name Alterations (if enabled):
• Creates permutations of discovered subdomains
• Applies custom mutation wordlists
• Tests variations (dev→dev1, dev2, dev-api, etc.)5. Graph Database Storage:
• Stores all findings in persistent graph database
• Tracks relationships between assets (FQDNs, IPs, ASNs)
• Enables historical tracking and change detection
What You Get from ENUM:
| Scan Mode | Duration | Typical Results | Detection Risk | Authorization |
|---|---|---|---|---|
| Passive Only | 2-5 minutes | 50-200 subdomains | None (Undetectable) | Not required |
| Active | 10-30 minutes | 200-500 subdomains | High (Logged) | Required |
| Active + Brute | 1-3 hours | 500-2000+ subdomains | Very High | Required |
| Comprehensive | 3-6 hours | 2000-5000+ subdomains | Maximum | Required |
Quick Start Examples:
# EXAMPLE 1: Simple passive scan (safest, no authorization needed)
amass enum -d target.com -o results.txt
# Result: ~100 subdomains in 3 minutes, zero detection
# EXAMPLE 2: Active reconnaissance (requires authorization)
amass enum -d target.com -active -dir ./pentest
# Result: ~300 subdomains in 20 minutes, detectable
# EXAMPLE 3: Maximum coverage (comprehensive assessment)
amass enum -d target.com -active -brute -alts \
-w /usr/share/wordlists/dns-brute.txt \
-config ~/.config/amass/config.yaml \
-dir ./comprehensive
# Result: 1000+ subdomains in 2+ hours, heavy traffic
# EXAMPLE 4: Stealth reconnaissance (bug bounty)
amass enum -d target.com -passive \
-include crtsh,virustotal,alienvault \
-o stealth_results.txt
# Result: High-quality results, completely undetectable
# EXAMPLE 5: Multiple domains from file
cat > targets.txt << EOF
target1.com
target2.com
target3.com
EOF
amass enum -df targets.txt -dir ./multi_scan -oA all_targets
ENUM Best Practices:
DO’s:
Start with passive mode to assess target size
Use -config with API keys for 300-500% more results
Enable -src to track which sources find subdomains
Use -dir for persistent storage and change tracking
Configure -dns-qps to control scan speed/stealth
Save results with timestamps for historical comparison
DON’Ts:
Don’t use -active or -brute without written authorization
Don’t skip rate limiting on aggressive scans
Don’t ignore the -timeout setting for automation
Don’t forget to blacklist CDN/uninteresting subdomains with -bl
Don’t run multiple aggressive scans simultaneously
Common ENUM Scenarios:
| Scenario | Command | Result |
|---|---|---|
| Bug Bounty Initial Recon | amass enum -d target.com -config ~/.config/amass/config.yaml -o recon.txt | Fast passive discovery with API integration |
| Pentest Engagement Day 1 | amass enum -d target.com -active -dir ./pentest_day1 | Comprehensive active enumeration with storage |
| Continuous Monitoring | amass enum -d target.com -dir ./daily_$(date +%Y%m%d) | Daily tracking for new asset discovery |
| Maximum Coverage | amass enum -d target.com -active -brute -alts -w wordlist.txt | Every possible subdomain using all techniques |
| ASN Infrastructure Mapping | amass enum -asn 15169 -active -dir ./org_infrastructure | Complete organizational network discovery |
ENUM Key Options Summary:
Essential Options You’ll Use Most:
• -d domain.com – Target domain (REQUIRED)
• -active – Enable active reconnaissance
• -brute – DNS brute forcing
• -passive – Passive only (now default, DEPRECATED)
• -dir ./path – Output directory with database
• -o file.txt – Save results to file
• -config file.yaml – Configuration with API keys
• -dns-qps 100 – Query rate limit
• -timeout 60 – Max scan duration (minutes)
• -w wordlist.txt – Custom brute force wordlist
• -alts – Enable name alterations
• -src – Show data source for each result
• -ip – Include IP addresses in output
2. SUBS Subcommand (Results Analysis)
Purpose: Analyze and present discovered subdomains and associated data from previous enumerations stored in the graph database.
Key Point: Use
substo view and analyze results from previously completed enumerations without running a new scan.
# View all subdomains for a domain
amass subs -d example.com -dir ./amass_output
# Show subdomains with IP addresses
amass subs -d example.com -ip -dir ./amass_output
# Show only discovered names (clean output)
amass subs -d example.com -names -dir ./amass_output
# Display ASN summary table
amass subs -d example.com -summary -dir ./amass_output
SUBS Options Reference:
| Option | Description | Example |
|---|---|---|
-d | Domain names separated by commas | -d example.com,test.com |
-df | Path to file with domain names (one per line) | -df domains.txt |
-dir | Path to directory containing the graph database | -dir ./amass_output |
-ip | Show IP addresses for discovered names | -ip |
-ipv4 | Show only IPv4 addresses | -ipv4 |
-ipv6 | Show only IPv6 addresses | -ipv6 |
-names | Print just discovered names (clean list) | -names |
-summary | Print ASN table summary | -summary |
-show | Print results for enumeration index + domains | -show |
-o | Path to text file containing stdout/stderr | -o output.txt |
-config | Path to YAML configuration file | -config config.yaml |
-demo | Censor output for demonstrations | -demo |
-silent | Disable all output during execution | -silent |
-nocolor | Disable colorized output | -nocolor |
When to Use SUBS:
- View results without re-running enumeration
- Quickly check previously discovered subdomains
- Generate reports from historical data
- Filter and format existing results
- Analyze ASN distribution of discovered assets
3. ASSOC Subcommand (Graph Database Queries)
Purpose: Query the OAM (Open Asset Model) database using relationship “triples” to discover connected assets through graph traversal.
Advanced Feature: This subcommand is for advanced users who understand graph database concepts and relationship triples.
# Query using a single triple
amass assoc -t1 "fqdn,domain,example.com" -dir ./amass_output
# Chain multiple triples for complex queries
amass assoc -t1 "fqdn,domain,example.com" \
-t2 "fqdn,ns_record,nameserver" \
-dir ./amass_output
# Use triples from a file
amass assoc -tf triples.txt -dir ./amass_output
ASSOC Options Reference:
| Option | Description | Example |
|---|---|---|
-t1 | 1st triple to use for association walk | -t1 "subject,predicate,object" |
-t2 to -t10 | Additional triples for complex queries (up to 10) | -t2, -t3, ... -t10 |
-tf | Path to file containing triples list | -tf triples.txt |
-dir | Path to directory containing graph database | -dir ./amass_output |
-config | Path to YAML configuration file | -config config.yaml |
-silent | Disable all output during execution | -silent |
-nocolor | Disable colorized output | -nocolor |
Understanding Triples:
Triples are structured as “subject,predicate,object”:
• Subject: Starting entity (e.g., FQDN, IP, ASN)
• Predicate: Relationship type (e.g., domain, ns_record, a_record)
• Object: Target entity or valueExample:
"fqdn,domain,example.com"means “find all FQDNs belonging to domain example.com”
4. TRACK Subcommand (Change Monitoring)
Purpose: Analyze OAM data to identify newly discovered assets by comparing current and previous enumeration results.
Real-World Use Case: Bug bounty hunters use
trackto monitor targets daily. New subdomains often indicate new features being deployed, which may contain fresh vulnerabilities!
TRACK Command Syntax:
Usage: amass track [options] [-since '01/02 15:04:05 2006 MST'] -d domain
TRACK Options Reference:
| Option | Description | Example | When to Use |
|---|---|---|---|
-d | Domain names separated by commas (can be used multiple times) | -d example.com,test.com | Specify target domains to track |
-df | Path to a file providing registered domain names | -df domains.txt | Track multiple domains from a file |
-dir | Path to the directory containing the graph database | -dir ./amass_output | Specify where your Amass database is stored |
-since | Exclude all assets discovered before this timestamp | -since '01/15 08:00:00 2024 UTC' | Focus on recent changes only |
-config | Path to the YAML configuration file | -config config.yaml | Use custom configuration settings |
-silent | Disable all output during execution | -silent | Background processing and automation |
-nocolor | Disable colorized output | -nocolor | Log files and piped output |
-h / -help | Show the program usage message | -h | View quick help information |
TRACK Usage Examples:
# Track changes for a specific domain
amass track -d example.com -dir ./amass_output
# Track changes since a specific date
amass track -d example.com -since '12/01 00:00:00 2024 UTC' -dir ./amass_output
# Track multiple domains from file
amass track -df targets.txt -dir ./amass_output
# Compare different enumeration runs
# First, run enumerations at different times
amass enum -d example.com -dir ./recon_day1
# ... wait some time ...
amass enum -d example.com -dir ./recon_day2
# Then track the differences
amass track -d example.com -dir ./recon_day2
# Silent mode for automation
amass track -d example.com -dir ./monitoring -silent -nocolor > changes.txt
Understanding the -since Flag:
• Format:MM/DD HH:MM:SS YYYY TZ
• Example:'01/15 14:30:00 2024 UTC'
• Use this to filter assets discovered after a specific timestamp
• Perfect for daily monitoring workflows
• Helps reduce noise from old assets
When to Use TRACK:
• Daily monitoring: Automated bug bounty target surveillance
• Shadow IT detection: Find unauthorized subdomains
• Infrastructure changes: Track DevOps deployments
• Subdomain takeover: Monitor for vulnerable orphaned domains
• Competitive intelligence: Track competitor infrastructure evolution
• Security audits: Identify newly exposed assets
• Compliance: Ensure no unauthorized domains appear
TRACK Workflow Example:
# Automated daily monitoring script
#!/bin/bash
DOMAIN="target.com"
YESTERDAY=$(date -d "yesterday" '+%m/%d %H:%M:%S %Y UTC')
# Run daily enumeration
amass enum -d $DOMAIN -dir ./daily_monitoring
# Track changes from yesterday
amass track -d $DOMAIN -since "$YESTERDAY" -dir ./daily_monitoring | tee new_assets.txt
# Alert if new assets found
if [ -s new_assets.txt ]; then
echo "New assets discovered!" | mail -s "Alert: New Subdomains" [email protected]
fi
5. VIZ Subcommand (Visualization)
Purpose: Analyze OAM data and generate graph visualizations to understand relationships between discovered assets. Create interactive network maps and export to various formats for presentation and further analysis.
Important: The
vizsubcommand reads from your Amass graph database, so you must have completed at least one enumeration first usingenum.
VIZ Command Syntax:
Usage: amass viz -d3|-dot|-gexf [options] -d domain
VIZ Options Reference:
| Option | Description | Example | What It Does |
|---|---|---|---|
-d | Domain names separated by commas (can be used multiple times) | -d example.com | Specify which domains to visualize |
-df | Path to a file providing registered domain names | -df domains.txt | Visualize multiple domains from file |
-dir | Path to the directory containing the graph database | -dir ./amass_output | Location of your Amass database |
-d3 | Generate the D3 v4 force simulation HTML file | -d3 | Creates interactive browser-based visualization (RECOMMENDED) |
-dot | Generate the DOT output file | -dot | Graphviz format for static graph images |
-gexf | Generate the Gephi Graph Exchange XML Format (GEXF) file | -gexf | Import into Gephi for advanced graph analysis |
-o | Path to the directory for output files being generated | -o ./viz_output | Where to save visualization files |
-oA | Path prefix used for naming all output files | -oA network_map | Prefix for all output filenames |
-config | Path to the YAML configuration file | -config config.yaml | Use custom configuration settings |
-since | Include only assets validated after this timestamp | -since '01/15 08:00:00 2024 UTC' | Visualize only recent discoveries |
-silent | Disable all output during execution | -silent | Quiet mode for automation |
-nocolor | Disable colorized output | -nocolor | Plain text output for logs |
-h / -help | Show the program usage message | -h | Display help information |
VIZ Output Format Comparison:
| Format | Best For | Features | Tools |
|---|---|---|---|
| D3 (-d3) | Interactive exploration | Zoom, pan, click nodes, force-directed layout | Any modern web browser |
| DOT (-dot) | Static reports & presentations | High-quality images (PNG, SVG, PDF) | Graphviz (dot command) |
| GEXF (-gexf) | Advanced graph analysis | Statistical analysis, community detection | Gephi software |
VIZ Usage Examples:
# Generate D3.js interactive visualization (RECOMMENDED)
amass viz -d3 -d example.com -dir ./amass_output
# Output: amass_d3.html (open in browser)
# Generate DOT file and convert to PNG
amass viz -dot -d example.com -dir ./amass_output -o ./graphs
dot -Tpng ./graphs/amass.dot -o network_map.png
# Export to Gephi format
amass viz -gexf -d example.com -dir ./amass_output -o ./graphs
# Visualize only recent discoveries
amass viz -d3 -d example.com -since '01/01 00:00:00 2024 UTC' -dir ./amass_output
# Generate all formats with custom naming
amass viz -d3 -d example.com -dir ./recon -oA target_network
amass viz -dot -d example.com -dir ./recon -oA target_network
amass viz -gexf -d example.com -dir ./recon -oA target_network
Advanced DOT Visualization Techniques:
# Generate DOT file
amass viz -dot -d example.com -dir ./recon -o ./viz
# Convert to various formats
dot -Tpng ./viz/amass.dot -o network.png -Gdpi=300
dot -Tsvg ./viz/amass.dot -o network.svg
dot -Tpdf ./viz/amass.dot -o network.pdf
# Create large poster-sized visualization
dot -Tpng ./viz/amass.dot -o poster.png -Gsize="24,36!" -Gdpi=150
# Use different layout engines
neato -Tpng ./viz/amass.dot -o network_neato.png # Radial layout
circo -Tpng ./viz/amass.dot -o network_circo.png # Circular layout
fdp -Tpng ./viz/amass.dot -o network_fdp.png # Force-directed
Visualization Benefits:
• Network topology mapping: See how assets connect
• Identify clusters: Group related infrastructure
• Spot anomalies: Find unusual connections or outliers
• Present findings: Impress clients and stakeholders
• Understand architecture: Reverse-engineer network design
• Find pivot points: Identify critical infrastructure nodes
• Track relationships: See IP, ASN, and DNS connections
When to Use VIZ:
• Post-enumeration analysis: After completing scans
• Report generation: Creating client deliverables
• Threat modeling: Understanding attack surface
• Team presentations: Explaining findings visually
• Architecture review: Documenting infrastructure
• Pattern recognition: Identifying infrastructure patterns
• Comparative analysis: Before/after visualizations
Complete Visualization Workflow:
#!/bin/bash
DOMAIN="target.com"
OUTPUT_DIR="./viz_complete"
# Step 1: Perform comprehensive enumeration
echo "[*] Running enumeration..."
amass enum -d $DOMAIN -active -dir $OUTPUT_DIR
# Step 2: Generate D3 interactive visualization
echo "[*] Creating D3 visualization..."
amass viz -d3 -d $DOMAIN -dir $OUTPUT_DIR
# Step 3: Generate DOT file and images
echo "[*] Creating static images..."
amass viz -dot -d $DOMAIN -dir $OUTPUT_DIR -oA ${DOMAIN}_graph
dot -Tpng ${DOMAIN}_graph.dot -o ${DOMAIN}_network.png -Gdpi=300
dot -Tsvg ${DOMAIN}_graph.dot -o ${DOMAIN}_network.svg
# Step 4: Export to Gephi
echo "[*] Exporting to Gephi format..."
amass viz -gexf -d $DOMAIN -dir $OUTPUT_DIR -oA ${DOMAIN}_gephi
# Step 5: Open interactive visualization
echo "[+] Visualization complete!"
echo "[+] Opening D3 visualization in browser..."
xdg-open amass_d3.html # Linux
# open amass_d3.html # macOS
# start amass_d3.html # Windows
Pro Tip: The D3 visualization is interactive! Click and drag nodes to rearrange the layout, zoom in/out with mouse wheel, and hover over nodes to see details. Perfect for live demonstrations and exploratory analysis!
6. ENGINE Subcommand (Direct Database Population)
Purpose: Run the Amass collection engine directly to populate the OAM database. This is a low-level command primarily for development and advanced use cases.
# Run the Amass engine with logging
amass engine -log-dir ./engine_logs
# Silent mode for background processing
amass engine -silent -log-dir ./engine_logs
ENGINE Options Reference:
| Option | Description | Use Case |
|---|---|---|
-log-dir | Path to the log directory | -log-dir ./logs |
-silent | Disable all output during execution | Background processing |
-nocolor | Disable colorized output | Log file compatibility |
Advanced Users Only: Most users should use
enuminstead ofengine. The engine subcommand is for custom integrations and development purposes.
Complete Workflow Example
- # Step 1: Run initial enumeration
amass enum -d example.com -active -dir ./recon_output - # Step 2: View discovered subdomains
amass subs -d example.com -ip -dir ./recon_output - # Step 3: Generate visual network map
amass viz -d3 -d example.com -dir ./recon_output - # Step 4: Wait and run enumeration again
sleep 86400 # Wait 24 hours
amass enum -d example.com -active -dir ./recon_output - # Step 5: Track changes to find new assets
amass track -d example.com -dir ./recon_output - # Step 6: Query specific relationships (advanced)
amass assoc -t1 “fqdn,domain,example.com” -dir ./recon_output
Subcommand Selection Guide:
• enum: For active subdomain discovery ← Start here!
• subs: To view previous results
• track: To monitor changes over time
• viz: To visualize relationships
• assoc: For advanced graph queries
• engine: For development/integration only
Decision Tree: Which Subcommand to Use?
| Your Goal | Use This | Example Command |
|---|---|---|
| Find new subdomains | enum | amass enum -d target.com -active |
| View previous scan results | subs | amass subs -d target.com -dir ./recon |
| Track new assets over time | track | amass track -d target.com -dir ./recon |
| Create visual network map | viz | amass viz -d3 -d target.com -dir ./recon |
| Query relationships | assoc | amass assoc -t1 "fqdn,domain,target.com" |
| Custom integration/dev | engine | amass engine -log-dir ./logs |
Practical Scenarios: When, How, What
| Scenario | Subcommand | When to Use | How to Execute | What You Get |
|---|---|---|---|---|
| Starting a new pentest | enum | Day 1 of engagement | amass enum -d target.com -active -dir ./pentest | Complete subdomain inventory |
| Daily bug bounty monitoring | enum + track | Every 24 hours (cron job) | amass enum -d target.com -dir ./daily && amass track -d target.com -dir ./daily | New/changed subdomains list |
| Checking previous results | subs | When reviewing old scans | amass subs -d target.com -dir ./old_scan -ip | Historical subdomain data |
| Client presentation | viz | Before meeting with client | amass viz -d3 -d target.com -dir ./scan | Interactive network visualization |
| Finding infrastructure relationships | assoc | Deep-dive analysis phase | amass assoc -t1 "fqdn,domain,target.com" -t2 "fqdn,a_record,*" | IP/DNS relationship graph |
| Compliance audit | enum + track | Monthly/quarterly audits | amass enum -d company.com && amass track -since '01/01 00:00:00 2024 UTC' | Unauthorized asset detection |
| Stealth reconnaissance | enum (passive) | Pre-engagement research | amass enum -passive -d target.com -silent | Subdomains with zero footprint |
| Report generation | subs + viz | End of assessment | amass subs -d target.com -summary && amass viz -dot -d target.com | Summary tables and diagrams |
Pro Workflow Tip: Use all subcommands in sequence for comprehensive assessment:
1. ENUM to discover → 2. SUBS to review → 3. VIZ to visualize → 4. TRACK to monitor → 5. ASSOC to analyze relationships
ENUM Command: Complete Options Reference
The enum subcommand is the most powerful and commonly used tool in Amass. Here’s every option explained in detail.
Basic Options
| Option | Description | Example | When to Use | What You Get |
|---|---|---|---|---|
-d | Target domain(s) – comma separated, can be used multiple times | -d example.com,test.com | Required for every scan. Use for single or multiple domains | Specifies which root domains to enumerate |
-df | File with root domain names (one per line) | -df domains.txt | When scanning many domains (10+) from a list | Batch scanning multiple targets efficiently |
-o | Path to text file containing terminal stdout/stderr | -o results.txt | Save discovered subdomains to a file for later analysis | Text file with all discovered subdomains and IPs |
-oA | Path prefix used for naming all output files | -oA scan_2024 | Generate multiple output formats with consistent naming | Creates scan_2024.txt, scan_2024.json, etc. |
-dir | Path to directory containing output files and graph database | -dir ./output | Store all scan data in organized directory | Persistent database for tracking changes over time |
-config | Path to YAML configuration file with API keys and settings | -config config.yaml | Use API keys and custom settings for better results | 300-500% more subdomains with configured APIs |
Basic Options Usage Examples:
# Single domain scan
amass enum -d example.com -o results.txt
# Multiple domains
amass enum -d example.com,test.com,demo.com -dir ./scan
# Scan from file (Bug bounty targets)
echo "target1.com" > targets.txt
echo "target2.com" >> targets.txt
amass enum -df targets.txt -oA bounty_scan
# With configuration file
amass enum -d target.com -config ~/.config/amass/config.yaml -dir ./recon
When to Use Each:
• -d: Every single scan (mandatory)
• -df: Bug bounty programs with multiple targets
• -o: Quick scans needing simple text output
• -oA: Professional reports needing multiple formats
• -dir: Long-term monitoring and change tracking
• -config: Production scans requiring maximum results
Reconnaissance Modes
| Option | Description | Detection Risk | When to Use | What It Does |
|---|---|---|---|---|
-passive | Only use passive reconnaissance techniques (DEPRECATED: now default) | None (Undetectable) | Initial recon, stealth operations, reconnaissance without permission | Queries public data sources only (DNS databases, CT logs, search engines) |
-active | Attempt zone transfers and certificate name grabs | High (Logged) | Authorized pentests, comprehensive discovery, when stealth not required | Direct queries to target DNS servers, zone transfer attempts, certificate collection |
-brute | Execute DNS brute forcing after passive/active searches | Very High (Generates significant traffic) | Maximum coverage needed, authorized assessments, when missing subdomains suspected | Tests thousands of subdomain names against target DNS servers |
Choosing the Right Mode:
PASSIVE Mode (Default):
• How: Queries only public databases and third-party services
• When: Pre-engagement recon, bug bounty initial discovery, competitive intelligence
• What: 50-200 subdomains on average, completely undetectable
• Speed: 2-5 minutes
• Detection: Zero – No direct contact with target
ACTIVE Mode:
• How: Directly queries target DNS servers, attempts zone transfers, grabs certificates
• When: Authorized penetration tests, comprehensive security assessments
• What: 200-500 subdomains, discovers hidden and internal subdomains
• Speed: 10-30 minutes
• Detection: High – DNS queries are logged by target servers
BRUTE FORCE Mode:
• How: Tests wordlist entries against target DNS (thousands of queries)
• When: Maximum coverage required, after passive/active found subdomains
• What: 500-2000+ subdomains depending on wordlist size
• Speed: 1-3 hours (can be longer with large wordlists)
• Detection: Very High – Generates massive DNS query volume, triggers IDS/IPS
• Warning: Only use with explicit written authorization!
Mode Comparison & Usage Examples:
# SCENARIO 1: Stealth reconnaissance (Bug Bounty reconnaissance)
amass enum -d target.com -o passive_results.txt
# Result: ~100 subdomains, no detection
# SCENARIO 2: Authorized pentest (With permission)
amass enum -active -d target.com -dir ./pentest
# Result: ~300 subdomains, DNS queries logged
# SCENARIO 3: Maximum coverage (Comprehensive assessment)
amass enum -active -brute -w /usr/share/wordlists/dns.txt -d target.com -dir ./comprehensive
# Result: 1000+ subdomains, heavy traffic, high detection
# SCENARIO 4: Multi-stage approach (Best practice)
# Stage 1: Passive
amass enum -d target.com -o stage1_passive.txt
# Stage 2: Active (if authorized)
amass enum -active -d target.com -o stage2_active.txt
# Stage 3: Targeted brute force (on specific patterns)
amass enum -brute -w targeted_words.txt -d target.com -o stage3_brute.txt
Pro Tip: Always start with passive mode. Only escalate to active/brute if:
1. You have written authorization
2. Passive results justify deeper investigation
3. You understand the detection risk
4. Rate limiting is configured to avoid overwhelming target
Best Practices & Pro Tips
Do’s
- Always get written permission before scanning
- Use passive mode first to avoid detection
- Configure multiple API keys for best results
- Save results with timestamps for tracking
- Use custom DNS resolvers for reliability
- Run scans during off-peak hours
- Validate all discovered subdomains
Don’ts
- Never scan without authorization
- Don’t use aggressive settings on production systems
- Avoid running multiple active scans simultaneously
- Don’t ignore rate limits and timeout settings
- Never hardcode API keys in scripts
Frequently Asked Questions
-
What’s better than Amass?
Amass is the most comprehensive tool. Combine it with Subfinder for speed and Sublist3r for additional sources.
-
How often should I scan?
For bug bounties: daily for high-value targets, weekly for others. For pentesting: at project start and after major changes.
-
Can Amass be detected?
Passive mode is undetectable. Active mode generates DNS traffic that can trigger alerts. Use rate limiting.
Conclusion
Amass Tool v5 is an essential weapon in any cybersecurity professional’s arsenal. Master these techniques to excel in bug bounty programs, penetration testing, and OSINT reconnaissance. Start with passive scanning, progress to active enumeration, and leverage API integrations for maximum results. see other tool recon-ng this is best another tool for recon.
Next Steps:
- Install Amass and run your first scan
- Configure API keys for enhanced results
- Practice on authorized bug bounty targets
- Integrate with other recon tools
- Build automated scanning workflows
Remember: Always practice ethical hacking and obtain proper authorization. Happy hunting!
