__ _______________________ _________._________________________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

amass Cheatsheet

← Back to cheatsheets

← Home

Amass is an OWASP project for in-depth attack surface mapping and asset discovery using open source information gathering and active reconnaissance techniques.

Subcommands

  • amass intel - Discover targets for enumeration
  • amass enum - Perform subdomain enumeration
  • amass viz - Visualize enumeration results
  • amass track - Track differences between enumerations
  • amass db - Manage the graph database

Intel Subcommand

  • amass intel -d <domain> - Basic intel gathering
  • amass intel -whois -d <domain> - Reverse WHOIS lookup
  • amass intel -org <organization> - Find ASNs by organization
  • amass intel -asn <asn> - Get info about an ASN
  • amass intel -ip <ip> - Discover domains from IP
  • amass intel -cidr <cidr> - Discover domains from CIDR

Enum Subcommand - Basic

  • amass enum -d <domain> - Basic passive enumeration
  • amass enum -passive -d <domain> - Passive only (no DNS resolution)
  • amass enum -active -d <domain> - Active enumeration (zone transfers, etc.)
  • amass enum -brute -d <domain> - Brute force subdomain enumeration
  • amass enum -d <domain> -o output.txt - Save results to file

Enum Subcommand - Advanced

  • amass enum -d <domain> -src - Show data sources
  • amass enum -d <domain> -ip - Show IP addresses
  • amass enum -d <domain> -ipv4 - Show only IPv4 addresses
  • amass enum -d <domain> -ipv6 - Show only IPv6 addresses
  • amass enum -d <domain> -r <resolver> - Use custom resolver
  • amass enum -d <domain> -rf resolvers.txt - Use resolver file
  • amass enum -d <domain> -w wordlist.txt - Custom wordlist for brute
  • amass enum -d <domain> -max-dns-queries 200 - Limit DNS queries/sec

Configuration

  • amass enum -config config.ini -d <domain> - Use config file
  • amass enum -list - List all data sources

Config File Location

  • ~/.config/amass/config.yaml - Default config location
  • ~/.config/amass/datasources.yaml - Data sources config

Example datasources.yaml

datasources:
  - name: SecurityTrails
    creds:
      apikey: your_api_key_here
  - name: Shodan
    creds:
      apikey: your_api_key_here

Database Operations

  • amass db -list - List all enumerations
  • amass db -d <domain> -show - Show stored data for domain
  • amass db -d <domain> -names - List discovered names
  • amass db -d <domain> -ip - Show IP addresses

Visualization

  • amass viz -d <domain> -d3 - Generate D3.js visualization
  • amass viz -d <domain> -gexf - Generate GEXF file (Gephi)
  • amass viz -d <domain> -graphistry - Generate Graphistry JSON
  • amass viz -d <domain> -maltego - Generate Maltego output

Tracking Changes

  • amass track -d <domain> - Track differences between runs
  • amass track -d <domain> -history - Show enumeration history
  • amass track -d <domain> -since "2024-01-01" - Changes since date

Common Examples

Full Passive Enumeration

amass enum -passive -d example.com -src -ip -o results.txt

Passive enumeration showing sources and IPs.

Aggressive Active Scan

amass enum -active -brute -d example.com -w wordlist.txt -o results.txt

Active scan with brute forcing.

Quick Reconnaissance

amass intel -whois -d example.com

Discover related domains via WHOIS.

Tips

  • Use API keys in config for better results (SecurityTrails, Shodan, etc.)
  • Start with passive enumeration to avoid detection
  • Use -src to understand where data comes from
  • Combine with other tools like subfinder for comprehensive coverage
  • Use custom resolvers to avoid rate limiting
  • The database persists data between runs for tracking
  • Always get authorization before scanning targets you don't own

← Back to cheatsheets

← Home