OWASP Amass is one of the most comprehensive subdomain enumeration tools available. Unlike simple DNS brute-forcers, Amass combines passive reconnaissance (certificate transparency, APIs, DNS databases) with active techniques (DNS brute-forcing, permutation scanning, ASN/IP range discovery) to build a complete attack surface map.
Installation
# Kali/Parrot
sudo apt install amass
# Go install
go install -v github.com/owasp-amass/amass/v4/...@master
# Docker
docker pull caffix/amass
docker run -v $(pwd)/output:/root/.config/amass caffix/amass enum -d example.com
Verify: amass -version
Basic Passive Enumeration
Passive mode uses third-party data sources without touching the target’s infrastructure:
amass enum -passive -d example.com -o passive_results.txt
Passive data sources include: Censys, Shodan, VirusTotal, SecurityTrails, DNSdumpster, Crtsh (certificate transparency), RapidDNS, and many more.
Active Enumeration
Active mode also performs DNS resolution, zone transfers, and brute-forcing:
amass enum -d example.com -o active_results.txt
Combine with a wordlist for brute-force:
amass enum -d example.com -brute -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o results.txt
API Keys Configuration
Amass becomes dramatically more powerful with API keys from:
- Censys (censys.io) — free account
- Shodan (shodan.io) — free API key
- VirusTotal — free API key
- SecurityTrails — free account
- BinaryEdge — free tier
- PassiveTotal (RiskIQ)
Configure in ~/.config/amass/config.ini (or config.yaml):
[data_sources.Censys]
[data_sources.Censys.Credentials]
apikey = your-censys-api-id
secret = your-censys-api-secret
[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = your-shodan-api-key
[data_sources.VirusTotal]
[data_sources.VirusTotal.Credentials]
apikey = your-virustotal-key
Apply the config:
amass enum -config ~/.config/amass/config.ini -d example.com -o results.txt
ASN and IP Range Discovery
Amass excels at discovering IP infrastructure owned by a target organization:
# Find ASNs associated with an organization
amass intel -org "Example Corp" -asn
# From a known IP, discover the full range
amass intel -ip 93.184.216.34
# From ASN, enumerate all subdomains in that ASN
amass enum -d example.com -asn AS1234
This is critical for bug bounty work — many programs have broad scope (“*.example.com and all assets”) and discovering owned IP ranges reveals additional targets.
Subdomain Permutation
Generate permutations of discovered subdomains to find more:
amass enum -d example.com -alts -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt
The -alts flag enables alteration/permutation mode — if api.example.com exists, Amass tries api2.example.com, api-dev.example.com, api-staging.example.com, etc.
# JSON output for parsing
amass enum -d example.com -json output.json
# Graph database for visualization
amass enum -d example.com -dir ./amass_output/
# Visualize the network graph
amass viz -d3 -dir ./amass_output/ -o graph.html
The D3 visualization shows relationships between domains, IPs, ASNs, and netblocks — useful for presenting attack surface to clients.
Multi-Domain Enumeration
For organizations with multiple domains:
amass enum -d example.com -d example.net -d example.org -o all_results.txt
Or use a domain list:
amass enum -df domains.txt -o results.txt
Tracking Changes Over Time
Amass has a built-in graph database that tracks findings across runs:
# First run
amass enum -d example.com -dir ./amass_db/
# Later run — Amass highlights NEW subdomains since last scan
amass enum -d example.com -dir ./amass_db/
# Show tracked records
amass db -dir ./amass_db/ -d example.com -names
This is invaluable for continuous monitoring programs and bug bounty platforms.
Practical Bug Bounty Recon Workflow
# Step 1: Passive sweep (fast, stealthy)
amass enum -passive -d target.com -config config.ini -o step1_passive.txt
# Step 2: Active with brute-force
amass enum -d target.com -brute -w subdomains-top1million-20000.txt \
-config config.ini -o step2_active.txt
# Step 3: Find additional scope via ASN
amass intel -org "Target Corporation"
# Step 4: Combine results
cat step1_passive.txt step2_active.txt | sort -u > all_subdomains.txt
# Step 5: Resolve and probe live hosts
cat all_subdomains.txt | httpx -silent -status-code -o live_hosts.txt
Amass pairs well with:
- httpx: probe discovered subdomains for live web servers
- nmap: port scan discovered hosts
- nuclei: run vulnerability templates against live hosts
- subfinder: complement Amass with additional passive sources
- massdns: high-speed DNS resolution for large subdomain lists
The combination of Amass (broad discovery) + httpx (live check) + nuclei (automated vuln scan) is a foundational recon pipeline for bug bounty hunters.