Ethical Hacking #amass#subdomain enumeration#OSINT

Amass Subdomain Enumeration: Complete Usage Guide

Use OWASP Amass for deep subdomain enumeration — passive DNS, active brute-force, ASN mapping, and API source integration.

7 min read

OWASP Amass is one of the most comprehensive subdomain enumeration tools available. Unlike simple DNS brute-forcers, Amass combines passive reconnaissance (certificate transparency, APIs, DNS databases) with active techniques (DNS brute-forcing, permutation scanning, ASN/IP range discovery) to build a complete attack surface map.

Installation

# Kali/Parrot
sudo apt install amass

# Go install
go install -v github.com/owasp-amass/amass/v4/...@master

# Docker
docker pull caffix/amass
docker run -v $(pwd)/output:/root/.config/amass caffix/amass enum -d example.com

Verify: amass -version

Basic Passive Enumeration

Passive mode uses third-party data sources without touching the target’s infrastructure:

amass enum -passive -d example.com -o passive_results.txt

Passive data sources include: Censys, Shodan, VirusTotal, SecurityTrails, DNSdumpster, Crtsh (certificate transparency), RapidDNS, and many more.

Active Enumeration

Active mode also performs DNS resolution, zone transfers, and brute-forcing:

amass enum -d example.com -o active_results.txt

Combine with a wordlist for brute-force:

amass enum -d example.com -brute -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -o results.txt

API Keys Configuration

Amass becomes dramatically more powerful with API keys from:

  • Censys (censys.io) — free account
  • Shodan (shodan.io) — free API key
  • VirusTotal — free API key
  • SecurityTrails — free account
  • BinaryEdge — free tier
  • PassiveTotal (RiskIQ)

Configure in ~/.config/amass/config.ini (or config.yaml):

[data_sources.Censys]
[data_sources.Censys.Credentials]
apikey = your-censys-api-id
secret = your-censys-api-secret

[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = your-shodan-api-key

[data_sources.VirusTotal]
[data_sources.VirusTotal.Credentials]
apikey = your-virustotal-key

Apply the config:

amass enum -config ~/.config/amass/config.ini -d example.com -o results.txt

ASN and IP Range Discovery

Amass excels at discovering IP infrastructure owned by a target organization:

# Find ASNs associated with an organization
amass intel -org "Example Corp" -asn

# From a known IP, discover the full range
amass intel -ip 93.184.216.34

# From ASN, enumerate all subdomains in that ASN
amass enum -d example.com -asn AS1234

This is critical for bug bounty work — many programs have broad scope (“*.example.com and all assets”) and discovering owned IP ranges reveals additional targets.

Subdomain Permutation

Generate permutations of discovered subdomains to find more:

amass enum -d example.com -alts -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt

The -alts flag enables alteration/permutation mode — if api.example.com exists, Amass tries api2.example.com, api-dev.example.com, api-staging.example.com, etc.

Output Formats and Visualization

# JSON output for parsing
amass enum -d example.com -json output.json

# Graph database for visualization
amass enum -d example.com -dir ./amass_output/

# Visualize the network graph
amass viz -d3 -dir ./amass_output/ -o graph.html

The D3 visualization shows relationships between domains, IPs, ASNs, and netblocks — useful for presenting attack surface to clients.

Multi-Domain Enumeration

For organizations with multiple domains:

amass enum -d example.com -d example.net -d example.org -o all_results.txt

Or use a domain list:

amass enum -df domains.txt -o results.txt

Tracking Changes Over Time

Amass has a built-in graph database that tracks findings across runs:

# First run
amass enum -d example.com -dir ./amass_db/

# Later run — Amass highlights NEW subdomains since last scan
amass enum -d example.com -dir ./amass_db/

# Show tracked records
amass db -dir ./amass_db/ -d example.com -names

This is invaluable for continuous monitoring programs and bug bounty platforms.

Practical Bug Bounty Recon Workflow

# Step 1: Passive sweep (fast, stealthy)
amass enum -passive -d target.com -config config.ini -o step1_passive.txt

# Step 2: Active with brute-force
amass enum -d target.com -brute -w subdomains-top1million-20000.txt \
  -config config.ini -o step2_active.txt

# Step 3: Find additional scope via ASN
amass intel -org "Target Corporation"

# Step 4: Combine results
cat step1_passive.txt step2_active.txt | sort -u > all_subdomains.txt

# Step 5: Resolve and probe live hosts
cat all_subdomains.txt | httpx -silent -status-code -o live_hosts.txt

Combining with Other Tools

Amass pairs well with:

  • httpx: probe discovered subdomains for live web servers
  • nmap: port scan discovered hosts
  • nuclei: run vulnerability templates against live hosts
  • subfinder: complement Amass with additional passive sources
  • massdns: high-speed DNS resolution for large subdomain lists

The combination of Amass (broad discovery) + httpx (live check) + nuclei (automated vuln scan) is a foundational recon pipeline for bug bounty hunters.

#bug bounty #OSINT #subdomain enumeration #amass