loading
loading
Recon
OWASP Amass enumeration that produces structured JSON output.
overview
amass-json runs OWASP Amass attack-surface mapping and emits results as structured JSON. Given a root domain with -d or a file with -df, it discovers subdomains across many passive sources and optional active reconnaissance, and every name arrives with metadata as machine-readable records rather than a flat text list.
All of the depth carries over: -active methods, -brute against a wordlist, resolver and -dns-qps control, recursion settings, and -passive for quiet runs. The difference is the output format, which suits pipelines that parse, filter, or join on fields, or store results for correlation across runs.
In a Trickest workflow the node takes a domain or a file of domains and writes a file and a folder of JSON results. Use it as the discovery stage whenever the pipeline downstream is JSON-aware, then feed the names to a prober so the workflow continues against live hosts.
source github.com/OWASP/Amass
use cases
Enumerate a domain and emit JSON so each name and its metadata become records the next node can parse, filter, and join instead of plain text.
Use -passive to map the surface from data sources alone without sending active traffic, then read the JSON for triage.
Route amass-json output through JQ or into a table so downstream filtering, deduplication, and correlation work on fields rather than lines.
Combine -brute with a wordlist via -w and -ip to expand coverage and attach addresses to discovered names in the same JSON stream.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | -d | Domain names separated by commas (can be used multiple times) |
| domain-list | FILE | -df | Path to a file providing root domain names |
| passive | BOOLEAN | -passive | A purely passive mode of execution |
| active-methods | BOOLEAN | -active | Enable active recon methods |
| bruteforce-flag | BOOLEAN | -brute | Perform brute force subdomain enumeration |
| wordlist-brute | FILE | -w | Path to a different wordlist file |
| show-ip | BOOLEAN | -ip | Show the IP addresses for discovered names |
| timeout | STRING | -timeout | Number of minutes to execute the enumeration |
Showing key inputs. amass-json exposes 37 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| ports | STRING | -p | Ports separated by commas (default: 443) |
| domain | STRING | -d | Domain names separated by commas (can be used multiple times) |
| no-alts | BOOLEAN | -noalts | Disable generation of altered names |
| passive | BOOLEAN | -passive | A purely passive mode of execution |
| show-ip | BOOLEAN | -ip | Show the IP addresses for discovered names |
| timeout | STRING | -timeout | Number of minutes to execute the enumeration |
| blacklist | STRING | -bl | Blacklist of subdomain names that will not be investigated |
| show-ipv4 | BOOLEAN | -ipv4 | Show the IPv4 addresses for discovered names |
| show-ipv6 | BOOLEAN | -ipv6 | Show the IPv6 addresses for discovered names |
| domain-list | FILE | -df | Path to a file providing root domain names |
| active-methods | BOOLEAN | -active | Enable active recon methods |
| wordlist-brute | FILE | -w | Path to a different wordlist file |
| bruteforce-flag | BOOLEAN | -brute | Perform brute force subdomain enumeration |
| ini-config-file | FILE | -config | Path to the INI configuration file |
| max-dns-queries | STRING | -max-dns-queries | Deprecated flag to be replaced by dns-qps in version 4.0 |
| no-recursive-bf | BOOLEAN | -norecursive | Turn off recursive brute forcing |
| trusted-resolver | STRING | -tr | IP addresses of trusted DNS resolver |
| exclude-data-file | FILE | -ef | Path to a file providing data sources to exclude |
| min-for-recursive | STRING | -min-for-recursive | Subdomain labels seen before recursive brute forcing (Default: 1) |
| print-data-sources | BOOLEAN | -src | Print data sources for the discovered names |
| untrusted-resolver | STRING | -r | IP addresses of untrusted DNS resolver |
| exclude-source-names | STRING | -exclude | Data source names separated by commas to be excluded |
| include-data-sources | STRING | -include | Data source names separated by commas to be included |
| wordlist-alternations | FILE | -aw | Path to a different wordlist file for alterations |
| dns-queries-per-second | STRING | -dns-qps | Maximum number of DNS queries per second |
| trusted-resolvers-file | STRING | -trf | Path to a file providing trusted DNS resolvers |
| graph-database-directory | FOLDER | -dir | Path to the directory containing the graph database |
| untrusted-resolvers-file | FILE | -rf | Path to a file providing untrusted DNS resolvers |
| include-data-sources-file | FILE | -if | Path to a file providing data sources to include |
| trusted-dns-resolvers-file | FILE | -trf | Path to a file providing trusted DNS resolvers |
| blacklisted-subdomains-file | FILE | -blf | Path to a file providing blacklisted subdomains |
| no-resolver-rate-monitoring | BOOLEAN | -noresolvrate | Disable resolver rate monitoring |
| untrusted-dns-resolvers-file | FILE | -rf | Path to a file providing preferred DNS resolvers |
| already-known-subdomain-names | FILE | -nf | Path to a file providing already known subdomain names (from other tools/sources) |
| no-resolver-reliability-score | BOOLEAN | -noresolvscore | Disable resolver reliability scoring |
| trusted-dns-max-queries-per-second | STRING | -trqps | Maximum number of DNS queries per second for each trusted resolvers |
| untrusted-dns-max-queries-per-second | STRING | -rqps | Maximum number of DNS queries per second for untrusted resolvers |
example
# amass-json: passive enumeration with IPs for a root domainamass enum -d example.com -passive -ipwww.example.comapi.example.commail.example.comdev.example.comstaging.example.comvpn.example.comcdn.example.comapp.example.comguidance
Use amass-json when you want amass-grade subdomain discovery and need the results as structured JSON for downstream parsing. If a flat text list is enough, the standard amass is simpler. Follow it with a prober to find live hosts.
Same enumeration with plain-text output. Use it when downstream nodes do not need JSON.
Faster passive discovery with its own JSON mode. Lighter when you do not need active methods.
The intel subcommand for org, ASN, and CIDR discovery. Run it first to set scope.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
OSINT automation for hackers.
A domain feeds amass-json, which enumerates subdomains as JSON and passes the names to httpx so only live hosts land as output.
Facts on this page come from the live Trickest tool library.