Amass Review
Map an organization's full external attack surface — ASNs, domains, subdomains, and infrastructure relationships — through 50+ integrated data sources and a persistent graph database.
Quick Verdict
Best suited to pentesters and red teams building pre-engagement attack surface inventories, and to security teams running continuous external asset discovery programs that need longitudinal change detection.
Pros
- + 50+ integrated external data sources — Shodan, VirusTotal, SecurityTrails, Censys, certificate transparency logs — all queried from a single tool with a single API key configuration
- + Persistent graph database enables longitudinal attack surface tracking — new subdomains, changed IP resolutions, and newly discovered infrastructure surface between runs without manual comparison
- + intel command scopes the attack surface from organizational name alone — discovers ASNs and CIDRs before enumeration begins, preventing missed infrastructure that falls outside initial scope documentation
- + Passive mode leaves no trace on target infrastructure — all data sourced from third-party indexes, appropriate for pre-authorization recon and OSINT phases
Cons
- − Unconfigured installation produces a fraction of full output — meaningful results require API key setup across multiple paid or free-tier TI services before the first run
- − Comprehensive enum runs are slow — full passive enumeration with 50+ sources queried against a large organization can take hours; faster single-source tools are more appropriate for quick checks
Amass: Attack Surface Mapping and Network Asset Discovery
Introduction to Amass
You're likely using subfinder, assetfinder, or theHarvester for subdomain enumeration. Amass isn't a direct replacement; it's a different kind of tool that does more.
Subdomain enumeration tools are fast and focused. Amass maps attack surfaces comprehensively, with a persistent database.
When to Choose Amass
The real question is whether Amass's complexity fits your workflow. If DNS enumeration is a one-off, Amass might not be worth it: you run it once, and the output gets tossed.
But if you're building a full picture of an organization's exposure, or doing recurring assessments, Amass fills gaps. Change detection matters, and Amass keeps up with it; that's the value.
What Amass Does
OWASP maintains Amass, a tool that merges four categories: DNS enumeration, passive data querying, certificate transparency log analysis, and web archive scraping. It feeds into a local graph database.
The tool's workflow centers around three commands. The amass intel command defines the scope, where you identify an organization's infrastructure before digging deeper. The amass enum command does the enumeration. The amass db command queries the database.
Unlike subfinder and assetfinder, which store results in flat files, Amass uses a graph database. When you run amass enum on a domain six months apart, the results aren't two disconnected files. Instead, they add to a persistent graph, with each run timestamped and assets linking back to their data sources.
The database accumulates data over time, enabling longitudinal tracking. You can see changes and patterns, and operators can act on that.
intel and enum: The Two Core Workflows
amass intel is the starting point for engagements with no clear scope. Give it an organization name and it works backward from the ASN level, querying BGP routing data, reverse WHOIS records, and organization information to identify ASNs, CIDR ranges, and related root domains.
The output is a scoped target list, produced before you enumerate a single subdomain.
This step is important. Client scope documents often miss acquired subsidiaries, legacy infrastructure, and cloud setups that never got formally registered; amass intel surfaces what the organization actually owns.
Forgotten subdomains of forgotten root domains turn up in ASN lookups. These are often the most interesting findings.
amass enum takes a domain and hits every configured source at once: DNS brute-forcing against a wordlist, certificate transparency logs via crt.sh and Censys, passive DNS aggregators, AlienVault OTX and SecurityTrails historical data, and web archive scraping.
The goal is to achieve breadth.
Running with -passive restricts Amass to third-party sources. No target infrastructure gets touched and no DNS queries hit the target's nameservers, which makes this mode suitable for pre-active testing and OSINT work where you don't want to leave traces.
Dropping the passive flag makes Amass active. It performs direct DNS queries, brute-force attempts against the target's resolvers, zone transfer attempts. Traffic hits the target infrastructure.
External Data Source Integrations
Amass Integration
Amass pulls from 50+ data sources, including Shodan, VirusTotal, SecurityTrails, Censys, AlienVault OTX, HackerTarget, URLScan, BufferOver, Chaos, and dozens more.
Each authenticated data source needs its API key set in config.ini before Amass will query it.
Certificate Transparency
Certificate transparency logs are high-yield. Every issued certificate, along with every Subject Alternative Name on it, is logged. Subdomains appear here even when a wordlist would never guess them, passive DNS has never seen them, and they have zero public web presence. Internal dev subdomains, staging environments, and old infrastructure all show up.
API Keys and Output
More API keys mean more output. Without API keys, Amass uses free sources; this provides enough data to demo but not enough to work effectively. Prioritize obtaining API keys for VirusTotal, Shodan, SecurityTrails, Censys. A free tier is available for VirusTotal, a free account works for Shodan, SecurityTrails offers free then paid options, and a free research account is available for Censys. Thirty minutes of setup can significantly change results.
Graph Database and the db Command
Results are stored in a local graph database, Cayley with BadgerDB as the backend. Assets, relationships, and data sources are preserved in the graph. The database persists between runs and is keyed by target domain.
The amass db command exposes the data: you can list the root domains in the database, show assets within a date range, export the graph to a file, and display stats. All of these queries operate on the cumulative graph.
The database is particularly useful for longitudinal analysis. Running amass enum in January and again in April allows for comparison of the results. New subdomains appear, some disappear, staging environments pop up, and test systems go dark. The changes are visible.
The database model aids in recurring pentest assessments. It highlights new attack surface, eliminating the need to sift through full enumeration results. A focused list of what's changed is provided, and investigation starts from there. That is where the efficiency comes from.
Output Formats and Downstream Integration
The output of amass enum is not limited to the terminal. The results are also available in JSON format for downstream processing. You can pipe the output through jq to filter assets, resolution status, or data sources. The JSON output can also be fed into custom tools or external databases. The structured format preserves source attribution and metadata, which is not possible with a plain text domain list.
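The change detection described under the db command, carried out over JSON output, as an added example that is not part of the original review or of Amass itself. It diffs two flat JSON-lines exports rather than querying the Amass graph database, assumes v3-style records with name, addresses and sources keys, and uses constructed sample runs.

```python
"""Compare two Amass JSON-lines exports to surface attack-surface changes.
Added example, not Amass code. Assumes v3-style line-delimited JSON with
'name', 'addresses' and 'sources' keys; both runs are constructed samples."""
import json

# Constructed sample: a January run (IPs from documentation ranges)
RUN_JAN = """
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.10"}],"tag":"dns","sources":["DNS"]}
{"name":"staging.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.20"}],"tag":"cert","sources":["Crtsh"]}
{"name":"api.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.30"}],"tag":"api","sources":["SecurityTrails"]}
"""

# Constructed sample: the April run (staging gone, api re-resolved, dev new)
RUN_APR = """
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.10"}],"tag":"dns","sources":["DNS"]}
{"name":"api.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.30"}],"tag":"dns","sources":["DNS","SecurityTrails"]}
{"name":"dev.example.com","domain":"example.com","addresses":[],"tag":"cert","sources":["Crtsh","Censys"]}
"""

def parse_run(text):
    """Map each asset name to its resolved IPs and the sources that reported it."""
    assets = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        assets[obj["name"]] = {
            "ips": {a["ip"] for a in obj.get("addresses", [])},
            "sources": set(obj.get("sources", [])),
        }
    return assets

def diff_runs(old, new):
    """Report names that appeared, disappeared or re-resolved; new names keep source attribution."""
    old_names, new_names = set(old), set(new)
    return {
        "new": {n: sorted(new[n]["sources"]) for n in sorted(new_names - old_names)},
        "removed": sorted(old_names - new_names),
        "changed": {
            n: (sorted(old[n]["ips"]), sorted(new[n]["ips"]))
            for n in sorted(old_names & new_names)
            if old[n]["ips"] != new[n]["ips"]
        },
    }

if __name__ == "__main__":
    print(json.dumps(diff_runs(parse_run(RUN_JAN), parse_run(RUN_APR)), indent=2))
```

Keeping the sources list for new names shows which feed surfaced an asset first, so a certificate-transparency-only hit can be triaged differently from one that already resolves in DNS.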
The Maltego output is a graph file that can be imported directly into Maltego. This provides the fastest route from enumeration to visual analysis. Amass collects data passively from multiple sources, while Maltego visualizes the infrastructure relationships. The two tools are complementary. Maltego export eliminates the need for manual entity import.
The Gephi output enables graph visualization outside of Maltego. It is useful for presentations, documentation, or analysis with Gephi's network tools. A Gephi graph can be used to clearly present attack surface findings to non-technical audiences. The graph provides a simple way to explain complex information.
Amass in a Pentest and Red Team Workflow
The standard engagement workflow sequence begins with gathering intelligence on the target organization using amass intel. This involves obtaining ASNs and CIDRs, then cross-referencing them with scope documents. Unscoped ASNs may indicate unlisted assets, which should be flagged early.
The next step is to build a root domain list from the gathered intelligence, then run amass enum -passive for each domain and let it complete without rushing to active modes. With a good API key set, a mid-sized organization can take 30-90 minutes per domain. This process yields a subdomain list with source notes from cert transparency, passive DNS, and threat feeds.
Amass identifies assets that manual enumeration might miss, such as subdomains on unscoped root domains, acquired infrastructure not on the client's radar, and legacy dev/staging environments on subdomains now pointing to nothing or cloud landing pages. These assets are in scope, often insecure, and difficult to find without Amass.
The subdomains are then resolved, and live IPs are filtered and fed to Shodan and Censys. Web fingerprinting is run on HTTP services. Amass provides the assets, while specialized tools identify services and vulnerabilities, collectively forming the attack surface.
Verdict
Amass is the top open source tool for mapping an attack surface. It combines 50+ passive data sources, active DNS probing, and certificate transparency logs. The result is a persistent graph database that detects changes over time. No free tool matches it, and few paid tools come close.
API keys unlock Amass's power. Registering them takes thirty minutes, a necessary step; without them, Amass is crippled.
Pentesters and red teams need Amass for thorough pre-engagement reconnaissance. Security teams use it for continuous external asset discovery, tracking changes between assessments. For quick subdomain checks on one domain, subfinder or assetfinder are faster and easier to set up. For deep, ongoing external attack surface mapping, Amass pays off.
Best for: External attack surface mapping, continuous asset discovery, tracking infrastructure changes. GitHub: owasp-amass/amass · Docs: owasp-amass.com
This review reflects testing as of 2026-04-06. OSINT tools change frequently; check the vendor's current documentation for pricing and feature updates.