Ethical Hacking Tutorials

Ethical Hacking Tutorials, Tips and Tricks

Amass – Subdomain Enumeration Tool

Amass performs scraping of data sources, recursive brute forcing, crawling of web archives, permuting and altering of names, reverse DNS sweeping, and machine learning to obtain additional subdomain names. The architecture makes it easy to add new subdomain enumeration techniques as they are developed.

DNS name resolution is performed across many public servers so the authoritative server will see traffic coming from different locations.


Using the Tool

The most basic use of the tool, which includes reverse DNS lookups and name alterations:

$ amass -d

If you need Amass to run faster and only use the passive data sources:

$ amass -nodns -d

The example below is a good place to start with amass:

$ amass -v -ip -brute -min-for-recursive 3 -d
13139 names discovered - archive: 171, cert: 2671, scrape: 6290, brute: 991, dns: 250, alt: 2766

Add some additional domains to the enumeration:

$ amass -d, -d


Additional switches available through the amass CLI:

Flag Description Example
-active Enable active recon methods amass -active -d net -p 80,443,8080
-bl Blacklist undesired subdomains from the enumeration amass -bl -d
-blf Identify blacklisted subdomains from a file amass -blf data/blacklist.txt -d
-brute Perform brute force subdomain enumeration amass -brute -d
-df Specify the domains to be enumerated via text file amass -df domains.txt
-freq Throttle the rate of DNS queries by number per minute amass -freq 120 -d
-h Show the amass usage information amass -h
-ip Print IP addresses with the discovered names amass -ip -d
-json All discoveries written as individual JSON objects amass -json out.json -d
-l List all the domains to be used during enumeration amass -whois -l -d
-log Log all error messages to a file amass -log amass.log -d
-min-for-recursive Discoveries required for recursive brute forcing amass -brute -min-for-recursive 3 -d
-noalts Disable alterations of discovered names amass -noalts -d
-nodns A purely passive mode of execution amass -nodns -d
-norecursive Disable recursive brute forcing amass -brute -norecursive -d
-o Write the results to a text file amass -o out.txt -d
-oA Output to all available file formats with prefix amass -oA amass_scan -d
-r Specify your own DNS resolvers amass -r, -d
-rf Specify DNS resolvers with a file amass -rf data/resolvers.txt -d
-v Output includes data source and summary information amass -v -d
-version Print the version number of amass amass -version
-w Change the wordlist used during brute forcing amass -brute -w wordlist.txt -d
-whois Search using reverse whois information amass -whois -d


Have amass send all the DNS and infrastructure enumerations to the Neo4j graph database:

$ amass -neo4j neo4j:[email protected]:7687 -d

Here are switches for outputting the DNS and infrastructure findings as a network graph:

Flag Description Example
-d3 Output a D3.js v4 force simulation HTML file amass -d3 network.html -d example
-gexf Output to Graph Exchange XML Format (GEXF) amass -gephi network.gexf -d
-graphistry Output Graphistry JSON amass -graphistry network.json -d
-visjs Output HTML that employs VisJS amass -visjs network.html -d


Network/Infrastructure Options

Caution: If you use these options, amass will attempt to reach out to every IP address within the identified infrastructure and obtain names from TLS certificates. This is “loud” and can reveal your reconnaissance activities to the organization being investigated.

All the flags shown here require the ‘net’ subcommand to be specified first.

To discover all domains hosted within target ASNs, use the following option:

$ amass net -asn 13374,14618

To investigate within target CIDRs, use this option:

$ amass net -cidr,

For specific IPs or address ranges, use this option:

$ amass net -addr,

By default, port 443 will be checked for certificates, but the ports can be changed as follows:

$ amass net -cidr -p 80,443,8080


Subdomain Enumeration Tool: Amass Download

Updated: September 12, 2018 — 4:55 am

Leave a Reply

Your email address will not be published. Required fields are marked *

Ethical Hacking Tutorials © 2018
Skip to toolbar