OWASP Amass: Subdomain Enumeration & Attack Surface Mapping
At the start of any authorized engagement, one of the first questions is: “how large is the target’s digital surface, really?” Subdomains, IPs, netblocks, ASN ranges, dependent services — all of these compose the attack surface. OWASP Amass is today one of the most complete open-source tools for exactly that job: subdomain enumeration, network mapping, and external asset discovery at scale.
Legal & ethical scope: Use Amass for authorized penetration tests, bug bounty programs that you have read and accepted, or against your own domains and lab environments. Extracting information about third parties without authorization violates the terms of service of upstream sources (Shodan, VirusTotal, etc.) and may infringe GDPR and other privacy laws.
What Amass is
OWASP Amass is an open-source tool for external asset discovery and attack-surface mapping. It combines several techniques into a single workflow:
- Passive DNS: Queries against public sources (Shodan, Censys, VirusTotal, AlienVault, ThreatCrowd, and more).
- Certificate Transparency (CT): crt.sh, CertSpotter, Google CT logs.
- Web scraping: Search engines (Bing, Yahoo), the Wayback Machine, GitHub.
- Active DNS: Brute force with wordlists, zone transfers, alterations, and permutations.
- WHOIS / Reverse WHOIS / ASN lookups.
- Visualization: Output compatible with Maltego, D3.js, and Gephi.
It is written in Go, runs on Linux, macOS and Windows, and is the flagship tool of the OWASP Amass Project (a project of the OWASP Foundation).
Where it fits in the methodology
Amass operates in the External Reconnaissance phase of a pentest or bug bounty engagement. It maps to MITRE ATT&CK T1590 — Gather Victim Network Information and T1596 — Search Open Technical Databases.
Typical place in the workflow:
- Step 1: `amass intel` identifies domains and ASNs related to the organization.
- Step 2: `amass enum` enumerates subdomains for each domain.
- Step 3: load the results into Maltego or Nmap for the next steps.
Installation
Snap (fast)
```bash
sudo snap install amass
```
Go (latest development build)
```bash
go install -v github.com/owasp-amass/amass/v4/...@master
export PATH="$PATH:$(go env GOPATH)/bin"
```
Docker
```bash
docker pull caffix/amass
docker run -v "$(pwd)/amass_output":/output caffix/amass enum -d example.com -o /output/results.txt
```
Kali / Parrot (distribution package; it can lag behind upstream)
```bash
sudo apt update && sudo apt install -y amass
amass -version
```
API keys: the hidden ingredient for great results
Many Amass sources return dramatically better results with API keys. Amass v4 reads them from ~/.config/amass/datasources.yaml (v3 used a single config.ini); add free-tier keys from:
- Shodan, Censys, SecurityTrails (free tiers)
- VirusTotal, AlienVault OTX, BinaryEdge
- GitHub (for code search)
Example structure:
```yaml
datasources:
  - name: SecurityTrails
    ttl: 1440
    creds:
      account:
        apikey: YOUR_API_KEY_HERE
  - name: Shodan
    ttl: 10080
    creds:
      account:
        apikey: YOUR_SHODAN_KEY
```
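One way to keep the real keys out of a file that could end up in a repository is to generate datasources.yaml at run time from environment variables and create it readable only by your user. This is an added example, not code from the Amass project; it assumes the v4 layout shown above, and the variable names AMASS_SECURITYTRAILS_KEY and AMASS_SHODAN_KEY are our own convention, not something Amass reads itself.

```bash
#!/bin/sh
# Added example (not part of OWASP Amass): build datasources.yaml from
# environment variables so the keys never sit in a committable file.
# Assumed: the v4 layout (name / ttl / creds / account / apikey).
# AMASS_SECURITYTRAILS_KEY and AMASS_SHODAN_KEY are our own convention.

# Source table (constructed): name|ttl in minutes|env var holding the key.
SOURCES='SecurityTrails|1440|AMASS_SECURITYTRAILS_KEY
Shodan|10080|AMASS_SHODAN_KEY'

# write_datasources_yaml <path>
# Writes one entry per key that is actually set, creates the file 0600 and
# prints the number of sources written. A source without a key is omitted
# rather than written with a placeholder that Amass would send upstream.
write_datasources_yaml() {
    out=$1
    mkdir -p "$(dirname "$out")"
    # Subshell: the restrictive umask must not leak into the caller's shell.
    (
        umask 077
        rm -f "$out"
        printf 'datasources:\n' > "$out"
        printf '%s\n' "$SOURCES" | while IFS='|' read -r name ttl var; do
            eval "key=\${$var:-}"          # look the key up by variable name
            [ -n "$key" ] || continue
            printf '  - name: %s\n    ttl: %s\n    creds:\n      account:\n        apikey: %s\n' \
                "$name" "$ttl" "$key" >> "$out"
        done
    )
    grep -c '^  - name:' "$out" || true    # "0" is a valid answer, not an error
}

# ensure_gitignored <repo-dir> <pattern>
# Adds the pattern to .gitignore exactly once and prints how often it appears (1).
ensure_gitignored() {
    f="$1/.gitignore"
    touch "$f"
    grep -qxF "$2" "$f" || printf '%s\n' "$2" >> "$f"
    grep -cxF "$2" "$f"
}

# Usage: AMASS_SHODAN_KEY=... sh make_datasources.sh ~/.config/amass/datasources.yaml
if [ "$#" -eq 1 ]; then
    n=$(write_datasources_yaml "$1")
    echo "wrote $n data source(s) to $1"
    ensure_gitignored . datasources.yaml > /dev/null
fi
```

Run it once per machine, or from the shell profile that loads your keys from a password manager; the generated file carries the same structure as the hand-written one above, so Amass does not know the difference.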
The three core subcommands
| Subcommand | Purpose |
|---|---|
| amass intel | Discovery of domains, ASNs, organizations. |
| amass enum | Subdomain enumeration for a specific domain. |
| amass viz | Visualization output (D3, Maltego, Gephi). |
Practical examples (lab / authorized scope)
All of the following examples use example.com (reserved by RFC 2606). In a real engagement, replace it with your authorized target.
1. Basic subdomain enumeration (passive only)
```bash
amass enum -passive -d example.com -o example_subs.txt
```
-passive sends nothing to the target's own infrastructure; every name comes from third-party sources. It is the right first pass when you want no footprint on the target, with two caveats: the upstream providers you query (Shodan, VirusTotal, CT log search services) do see and log those queries, and in Amass v4 enumeration is already passive unless you add -active, so there the flag is mostly documentary.
2. Active enumeration with brute force and IP resolution
```bash
amass enum -active -brute -d example.com \
  -ip -src -dir ~/amass_output/example -o example_active.txt
```
- -active: allows direct connections to the target's hosts (certificate grabs over TLS, zone-transfer attempts), so only use it inside the agreed scope.
- -brute: subdomain brute force with the built-in wordlist (pass -w to supply your own).
- -ip: prints the resolved IP addresses next to each subdomain.
- -src: shows the source of each finding, which is useful for the report.
- -dir: persistent database directory, so repeated runs cross-reference each other.
3. Intel: finding organization names and ASNs
```bash
# Find ASNs related to an organization name:
amass intel -org "Example Corp"
# Domains hosted in a specific CIDR (192.0.2.0/24 is TEST-NET-1, reserved by RFC 5737):
amass intel -ip -cidr 192.0.2.0/24
# Domains in an ASN (64500 lies in the documentation range reserved by RFC 5398):
amass intel -asn 64500
```
4. Visualization for Maltego
```bash
# After running enum with -dir ~/amass_output/example:
amass viz -maltego -dir ~/amass_output/example
# Produces an .mtgx file you can import into Maltego.
```
5. Pipeline with other tools
```bash
# Subs -> live hosts -> screenshots:
amass enum -passive -d example.com -o subs.txt
httpx -l subs.txt -silent -o live.txt        # one URL per line, scheme included
gowitness file -f live.txt
# Subs -> fast port scan -> service detection:
amass enum -passive -d example.com -o subs.txt
naabu -list subs.txt -o ports.txt            # writes host:port, one per line
cut -d: -f1 ports.txt | sort -u > hosts.txt  # nmap -iL wants one host per line, not host:port
nmap -iL hosts.txt -p "$(cut -d: -f2 ports.txt | sort -un | paste -sd, -)" -sV -T3 -oN nmap_results.txt
```
The last command scans the union of all open ports on every host, which is acceptable for a first pass; feeding naabu's host:port lines straight into nmap -iL does not work, because nmap treats each line as a hostname.
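The glue between these tools is where most pipeline errors hide, so here it is written out as small shell functions that you can test on saved output before pointing them at a live run. This is an added example, not code from Amass, httpx, naabu or nmap. It assumes two output formats, both of which you should check against the versions you run: Amass "enum -ip -src" lines of the form "[Source]   name ip1,ip2" (the bracketed source column only appears with -src), and naabu's "host:port" lines. The sample files are constructed for the demo.

```bash
#!/bin/sh
# Added example (not part of Amass, httpx, naabu or nmap): the glue between
# the tools in the pipeline. Assumed formats: Amass "enum -ip -src" prints
# "[Source]   name ip1,ip2"; naabu prints "host:port" per line.

# write_samples <dir>: constructed sample outputs used by the demo below.
write_samples() {
    cat > "$1/amass.txt" <<'EOF'
[CertSpotter]    www.example.com 192.0.2.10
[DNS]            api.example.com 192.0.2.11,192.0.2.12
[Brute Forcing]  dev.example.com 192.0.2.11
[Brute Forcing]  www.example.com 192.0.2.10
EOF
    cat > "$1/naabu.txt" <<'EOF'
www.example.com:443
www.example.com:80
api.example.com:8443
api.example.com:443
EOF
}

# Drop the optional "[Source]" column so the first field is always the name.
amass_records() { sed -E 's/^\[[^]]*\][[:space:]]*//' "$1"; }

# Unique hostnames: this is what httpx / gowitness want as input.
amass_names() { amass_records "$1" | awk 'NF >= 1 { print $1 }' | LC_ALL=C sort -u; }

# Unique IPs from the comma-separated second column: handy for ASN/CIDR checks.
amass_ips() {
    amass_records "$1" |
        awk 'NF >= 2 { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' |
        LC_ALL=C sort -u
}

# naabu writes host:port; nmap -iL wants one host per line, so split the two.
# IPv6 targets appear as [addr]:port, so the brackets are stripped as well.
naabu_hosts() { sed -E 's/:[0-9]+$//; s/^\[(.*)\]$/\1/' "$1" | LC_ALL=C sort -u; }
naabu_ports() { sed -E 's/.*:([0-9]+)$/\1/' "$1" | sort -un | paste -sd, -; }

# Demo: build the constructed files and print the nmap command instead of running it.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    amass_names "$d/amass.txt" > "$d/subs.txt"
    naabu_hosts "$d/naabu.txt" > "$d/hosts.txt"
    echo "nmap -iL $d/hosts.txt -p $(naabu_ports "$d/naabu.txt") -sV -T3 -oN nmap_results.txt"
fi
```

Source the file in your shell (`. ./recon_glue.sh`, assumed filename) and replace the `cut`/`sort` one-liners from the pipeline with `amass_names`, `naabu_hosts` and `naabu_ports`; the functions also deduplicate, so a name that several sources reported appears once.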
Common mistakes
- Active mode outside scope: -active performs real DNS queries and TLS handshakes against the target; confirm you are inside the engagement scope before enabling it.
- No resolver tuning: use high-quality DNS resolvers (-rf resolvers.txt), for example the curated list at trickest/resolvers. Resolvers that return wildcards or stale answers poison the results.
- Unrestricted brute force: -brute with a huge wordlist is very noisy. Start passive and escalate.
- Outdated version: Amass v3 and v4 differ significantly (the configuration format and several flags changed). Always check with amass -version.
- API key committed to git: datasources.yaml belongs in .gitignore; never publish it, and keep it readable only by your own user.
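The first mistake in the list is the one that turns a recon task into an incident, so it helps to have a mechanical gate between the passive pass and anything that touches hosts (-active, httpx, nmap). The following scope filter is an added example, not part of Amass; the file layout is our own convention (scope.txt with one in-scope root domain per line, exclusions.txt with hosts the client asked you not to touch), and the input is one hostname per line, as "amass enum -o" writes it when -src and -ip are not used. The sample data is constructed.

```bash
#!/bin/sh
# Added example (not part of OWASP Amass): a scope gate between passive
# enumeration and anything that touches the target's hosts.
# Assumed file layout (our convention): scope.txt = in-scope root domains,
# exclusions.txt = hosts that must never be touched. Input: one name per line.

# _scope_filter <scope.txt> <exclusions.txt> <1|0>
# Prints the names whose in-scope status equals the third argument, in input order.
_scope_filter() {
    awk -v scope="$1" -v excl="$2" -v want="$3" '
    BEGIN {
        while ((getline l < scope) > 0) if (l != "" && l !~ /^#/) roots[tolower(l)] = 1
        while ((getline l < excl)  > 0) if (l != "" && l !~ /^#/) deny[tolower(l)] = 1
    }
    NF == 0 { next }
    {
        n = tolower($1); sub(/\.$/, "", n)    # normalise case and a trailing dot
        keep = 0
        if (!(n in deny)) {
            for (r in roots)
                # exact root, or a match on a label boundary:
                # "notexample.com" must not count as in scope for "example.com"
                if (n == r || (length(n) > length(r) && substr(n, length(n) - length(r)) == "." r))
                    keep = 1
        }
        if (keep == want) print n
    }'
}

# in_scope <scope.txt> <exclusions.txt> < names      : the targets you may touch
# out_of_scope <scope.txt> <exclusions.txt> < names  : findings to list in the report, not to scan
in_scope()     { _scope_filter "$1" "$2" 1; }
out_of_scope() { _scope_filter "$1" "$2" 0; }

# write_scope_samples <dir>: constructed scope, exclusions and enumeration output.
write_scope_samples() {
    printf 'example.com\nexample.net\n' > "$1/scope.txt"
    printf '# production host the client asked us not to touch\nlegacy.example.com\n' > "$1/exclusions.txt"
    printf 'www.example.com\nlegacy.example.com\nnotexample.com\napi.EXAMPLE.NET\nexample.com\nfoo.example.org\n' \
        > "$1/subs.txt"
}

# Demo: three names survive the gate, three are dropped.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_scope_samples "$d"
    echo "targets:";   in_scope     "$d/scope.txt" "$d/exclusions.txt" < "$d/subs.txt"
    echo "dropped:";   out_of_scope "$d/scope.txt" "$d/exclusions.txt" < "$d/subs.txt"
fi
```

In practice the passive run goes first (`amass enum -passive -d example.com -o subs.txt`), then `in_scope scope.txt exclusions.txt < subs.txt > targets.txt`, and only targets.txt is handed to httpx, nmap or an active Amass run. Whatever out_of_scope prints is still worth a line in the report: related domains the client may not know about are a finding in their own right, just not one you are allowed to probe.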
Defensive / Blue team perspective
- Attack Surface Management: Run Amass against your own organization periodically to find shadow IT, dev/test subdomains, and forgotten assets.
- Certificate Transparency monitoring: CT logs record every publicly trusted certificate issued for your domains, and search services such as crt.sh make them visible; watching them catches rogue or phishing subdomains early.
- DNS hardening: Disable AXFR (zone transfers) on public-facing nameservers. Use DNSSEC and keep internal hostnames out of public records.
- Phishing detection: Watch for typosquat domains that mimic your own.
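Periodic runs only pay off if you compare them, so the defensive workflow needs a diff step: which names appeared since the last run, which disappeared, and which of the new ones look like shadow IT. The functions below are an added example, not part of Amass; they assume plain name-per-line files as "amass enum -o" writes them (strip the -src/-ip columns first if you used those flags), and the keyword list that marks a name as worth reviewing first is our own, not anything Amass provides. The two run files are constructed.

```bash
#!/bin/sh
# Added example (not part of OWASP Amass): compare two enumeration runs of
# your own domain and surface what changed. Assumed input: one hostname per
# line as "amass enum -o" writes it. The "risky" keyword list is our own.

# Sorted, deduplicated copy so comm(1) sees both lists in the same order.
_sorted() { LC_ALL=C sort -u "$1"; }

# new_names <previous> <current>: names present now that were not seen before.
new_names() {
    t=$(mktemp -d)
    _sorted "$1" > "$t/a"; _sorted "$2" > "$t/b"
    LC_ALL=C comm -13 "$t/a" "$t/b"
    rm -rf "$t"
}

# removed_names <previous> <current>: names that disappeared. Either the asset
# was decommissioned or a data source went quiet; both are worth a look.
removed_names() {
    t=$(mktemp -d)
    _sorted "$1" > "$t/a"; _sorted "$2" > "$t/b"
    LC_ALL=C comm -23 "$t/a" "$t/b"
    rm -rf "$t"
}

# risky_names: filter stdin for labels that usually mean dev/test systems,
# forgotten assets or administrative entry points. Matches whole labels only,
# so "developer-portal" does not trip on "dev".
risky_names() {
    grep -Ei '(^|[.-])(dev|test|staging|uat|qa|old|legacy|backup|bak|vpn|admin)([.-]|$)'
}

# write_run_samples <dir>: constructed "previous" and "current" run outputs.
write_run_samples() {
    printf 'www.example.com\napi.example.com\nmail.example.com\n' > "$1/previous.txt"
    printf 'www.example.com\napi.example.com\ncdn.example.com\ndev.example.com\nstaging-db.example.com\n' \
        > "$1/current.txt"
}

# Demo: the kind of summary a weekly cron job would mail to the security team.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_run_samples "$d"
    echo "new:";          new_names     "$d/previous.txt" "$d/current.txt" | sed 's/^/  /'
    echo "removed:";      removed_names "$d/previous.txt" "$d/current.txt" | sed 's/^/  /'
    echo "review first:"; new_names     "$d/previous.txt" "$d/current.txt" | risky_names | sed 's/^/  /'
fi
```

A typical schedule is one passive run per week into a dated file (`amass enum -passive -d example.com -dir ~/asm/example -o "run-$(date +%F).txt"`), followed by `new_names` against the previous file; anything `risky_names` flags goes to the owning team the same day, and a name that is new but unknown to every team is by definition shadow IT.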
Best practices
- Always start passive (-passive) and escalate to active only where needed.
- Configure as many API keys as you can; coverage improves dramatically.
- Use -dir for a persistent database, so results cross-reference across runs.
- Combine with subfinder, assetfinder, and findomain and cross-check the output.
- Record the date and flags of every run in the pentest report.
Summary
Amass is one of the most complete tools for subdomain enumeration and attack-surface mapping. It combines passive and active techniques, integrates with Maltego, and is the workhorse of any serious recon engagement. Paired with the right API keys, it gives you a huge head start in the information gathering phase.
Next steps
- Maltego: OSINT link analysis
- Recon-ng — Part 1
- All Information Gathering articles
- External references: OWASP Amass Project, MITRE T1590.
For a complete curriculum in offensive security and OSINT, see the courses at Audax Cybersecurity Academy.

