loading
loading
Recon
OWASP Amass: network mapping and external asset discovery.
overview
amass is the OWASP project for attack-surface mapping. Given a root domain, it discovers subdomains by combining many passive data sources with active reconnaissance, then can resolve names, show IP addresses, and brute force additional subdomains against a wordlist. The result is a broad, deduplicated picture of an organization's external footprint built from far more sources than any single feed.
Its depth is the trade-off. amass exposes detailed control over DNS resolvers, query rates, recursion, and which data sources to include or exclude, so it rewards tuning on large scopes. Active methods and brute forcing extend coverage past what passive sources alone return, and a graph database directory lets it persist and correlate results across runs.
In a Trickest workflow, amass runs as the discovery stage: give it a domain with -d or a file of domains with -df, and it writes a deduplicated name list plus a results folder. Hand that to a prober like httpx so the rest of the pipeline works from live hosts, and schedule the run to track a changing attack surface.
source github.com/owasp-amass/amass
use cases
Enumerate subdomains of a root domain from many passive sources at once to scope an engagement or build an asset inventory.
Enable active methods and brute forcing against a wordlist to find names that passive sources never returned, expanding the surface.
Show IP addresses and data sources alongside each name so the output is already enriched for triage and downstream probing.
Pass amass output to httpx and a scanner so the full discovered surface gets classified and tested in one workflow.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | -d | Domain names separated by commas (can be used multiple times). |
| domain-list | FILE | -df | Path to a file providing root domain names. |
| active-methods | BOOLEAN | -active | Enable active recon methods. |
| bruteforce-flag | BOOLEAN | -brute | Perform brute-force subdomain enumeration. |
| wordlist-brute | FILE | -w | Path to a wordlist file for brute forcing. |
| show-ip | BOOLEAN | -ip | Show the IP addresses for discovered names. |
| print-data-sources | BOOLEAN | -src | Print the data source next to each discovered name. |
| timeout | STRING | -timeout | Number of minutes to execute the enumeration. |
Showing key inputs. amass exposes 37 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| ports | STRING | -p | Ports separated by commas (default: 443) |
| domain | STRING | -d | Domain names separated by commas (can be used multiple times) |
| no-alts | BOOLEAN | -noalts | Disable generation of altered names |
| passive | BOOLEAN | -passive | Deprecated since passive is the default setting |
| show-ip | BOOLEAN | -ip | Show the IP addresses for discovered names |
| timeout | STRING | -timeout | Number of minutes to execute the enumeration |
| blacklist | STRING | -bl | Blacklist of subdomain names that will not be investigated |
| show-ipv4 | BOOLEAN | -ipv4 | Show the IPv4 addresses for discovered names |
| show-ipv6 | BOOLEAN | -ipv6 | Show the IPv6 addresses for discovered names |
| domain-list | FILE | -df | Path to a file providing root domain names |
| active-methods | BOOLEAN | -active | Enable active recon methods |
| wordlist-brute | FILE | -w | Path to a different wordlist file |
| bruteforce-flag | BOOLEAN | -brute | Perform brute force subdomain enumeration |
| ini-config-file | FILE | -config | Path to the INI configuration file |
| max-dns-queries | STRING | -max-dns-queries | Deprecated flag to be replaced by dns-qps in version 4.0 |
| no-recursive-bf | BOOLEAN | -norecursive | Turn off recursive brute forcing |
| trusted-resolver | STRING | -tr | IP addresses of trusted DNS resolver |
| exclude-data-file | FILE | -ef | Path to a file providing data sources to exclude |
| min-for-recursive | STRING | -min-for-recursive | Subdomain labels seen before recursive brute forcing (Default: 1) |
| print-data-sources | BOOLEAN | -src | Print data sources for the discovered names |
| untrusted-resolver | STRING | -r | IP addresses of untrusted DNS resolver |
| exclude-source-names | STRING | -exclude | Data source names separated by commas to be excluded |
| include-data-sources | STRING | -include | Data source names separated by commas to be included |
| wordlist-alternations | FILE | -aw | Path to a different wordlist file for alterations |
| dns-queries-per-second | STRING | -dns-qps | Maximum number of DNS queries per second |
| trusted-resolvers-file | STRING | -trf | Path to a file providing trusted DNS resolvers |
| graph-database-directory | FOLDER | -dir | Path to the directory containing the graph database |
| untrusted-resolvers-file | FILE | -rf | Path to a file providing untrusted DNS resolvers |
| include-data-sources-file | FILE | -if | Path to a file providing data sources to include |
| trusted-dns-resolvers-file | FILE | -trf | Path to a file providing trusted DNS resolvers |
| blacklisted-subdomains-file | FILE | -blf | Path to a file providing blacklisted subdomains |
| no-resolver-rate-monitoring | BOOLEAN | -noresolvrate | Disable resolver rate monitoring |
| untrusted-dns-resolvers-file | FILE | -rf | Path to a file providing preferred DNS resolvers |
| already-known-subdomain-names | FILE | -nf | Path to a file providing already known subdomain names (from other tools/sources) |
| no-resolver-reliability-score | BOOLEAN | -noresolvscore | Disable resolver reliability scoring |
| trusted-dns-max-queries-per-second | STRING | -trqps | Maximum number of DNS queries per second for each trusted resolvers |
| untrusted-dns-max-queries-per-second | STRING | -rqps | Maximum number of DNS queries per second for untrusted resolvers |
example
# active recon: brute forcing, IP addresses, and data sources for a root domainamass enum -d example.com -active -brute -ip -src[Crtsh] www.example.com 203.0.113.10[DNSHistory] api.example.com 203.0.113.24[HackerTarget] mail.example.com 203.0.113.24[Brute Forcing] dev.example.com 203.0.113.61[Alterations] staging-api.example.com 203.0.113.61[RapidDNS] vpn.example.com 203.0.113.88[Crtsh] cdn.example.com 203.0.113.102guidance
Use amass when you want deep, multi-source subdomain discovery and are willing to tune it. For a fast, purely passive first pass, subfinder is quicker. amass finds names, so follow it with httpx to learn which are live.
Faster passive-only discovery. amass goes deeper with active methods and brute forcing.
The intel subcommand for org, ASN, and CIDR discovery rather than subdomains.
Lightweight passive finder. amass queries more sources and adds active recon.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
OSINT automation for hackers.
A domain feeds amass, which maps the subdomain surface and passes the names to httpx so only live hosts land as output.
Facts on this page come from the live Trickest tool library.