Amass is a robust open-source tool from OWASP that streamlines the process of mapping an organization’s attack surface. Whether you’re hunting for subdomains or mapping a network’s infrastructure, Amass offers a comprehensive suite of features to reveal hidden layers of your target’s digital presence.

What is Amass?

Amass is an OSINT tool focused on network mapping and subdomain enumeration. It leverages passive, active, and brute-force techniques to gather data from multiple sources, painting a detailed picture of a target’s online infrastructure. This makes it indispensable for penetration testers and security researchers looking to get the full scope before launching deeper assessments.

Key Features

• Subdomain Enumeration: Quickly identify subdomains using both passive and active methods.
• Network Mapping: Visualize relationships between domains and their underlying IP addresses.
• Data Aggregation: Integrates with various APIs and data sources to enhance your intelligence.
• Customizable Workflows: Offers a range of options to tailor scans to your specific needs.

Installation

Installing Amass is straightforward. On Linux, you can install it via your package manager:

sudo apt-get update
sudo apt-get install amass

Alternatively, you can build from source by cloning the repository:

git clone https://github.com/owasp-amass/amass.git
cd amass
go build ./...

Make sure you have Go installed if you choose the source build.

Usage Examples

Here are some practical examples to get you started:

1. Basic Subdomain Enumeration

To enumerate subdomains for a target domain:

amass enum -d example.com

2. Passive Enumeration

For a discreet approach that avoids generating network traffic, run Amass in passive mode:

amass enum -passive -d example.com

This relies solely on publicly available data sources.

3. Active Enumeration with Bruteforce

For deeper discovery, combine active scanning with a brute-force wordlist:

amass enum -active -brute -d example.com -w /path/to/wordlist.txt

4. Visualizing the Network Map

Output results in multiple formats to generate visual network maps:

amass enum -d example.com -oA example

This command creates text, JSON, and Graphviz files, making it easier to visualize the relationships between subdomains and IP addresses.

Best Practices

• Always Get Permission: Only scan domains you have explicit authorization to assess.
• Leverage Multiple Methods: Combine passive and active techniques for a more comprehensive view.
• Analyze the Data: Use Amass output as a starting point for deeper vulnerability assessments rather than relying on it exclusively.

Final Thoughts

Amass is a powerful addition to any security tester’s toolkit, offering deep insights into an organization’s digital footprint. With its extensive features and flexible workflows, it empowers you to uncover hidden assets and plan more effective security strategies. As with all potent tools, its true value lies in how responsibly and creatively you use it.

Happy mapping and happy hunting!