Version: v2.6.0+incompatible Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Aug 28, 2018 License: Apache-2.0



GitHub Issues CircleCI Status GitHub Release Go Version License Contribute Yes Chat on Discord Follow on Twitter

The OWASP Amass tool obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS sweeping. Additionally, Amass uses the IP addresses obtained during resolution to discover associated netblocks and ASNs. All the information is then used to build maps of the target networks.

Image of a network graph

How to Install


A precompiled version is available for each release.

If you are on a distribution such as Kali Linux, and have never used snap previously, follow these steps to access snap packages:

$ sudo apt install snapd

$ sudo systemctl start snapd

Add the snap binaries to your PATH using a method similar to the following:

$ export PATH=$PATH:/snap/bin

If your operating environment supports Snap, you can click here to install, or perform the following from the command-line:

$ sudo snap install amass

If you would like snap to get you the latest unstable build of OWASP Amass, type the following command:

$ sudo snap install --edge amass
From Source

If you would prefer to build your own binary from the latest version of the source code, make sure you have a correctly configured Go >= 1.10 environment. More information about how to achieve this can be found on the golang website. Then, take the following steps:

  1. Download amass:
$ go get -u
  1. If you wish to rebuild the binaries from the source code:
$ cd $GOPATH/src/

$ go install ./...

At this point, the binaries should be in $GOPATH/bin.

  1. Several wordlists can be found in the following directory:
$ ls $GOPATH/src/

Using the Tool

The most basic use of the tool, which includes reverse DNS lookups and name alterations:

$ amass -d

If you need Amass to run faster and only use the passive data sources:

$ amass -nodns -d

If you are running Amass within a virtual machine, you may want to slow it down a bit:

$ amass -freq 480 -d

The example below is a good place to start with amass:

$ amass -v -ip -brute -min-for-recursive 3 -d
13139 names discovered - archive: 171, cert: 2671, scrape: 6290, brute: 991, dns: 250, alt: 2766

Add some additional domains to the enumeration:

$ amass -d, -d

Additional switches available through the amass CLI:

Flag Description Example
-active Enable active recon methods amass -active -d net -p 80,443,8080
-bl Blacklist undesired subdomains from the enumeration amass -bl -d
-blf Identify blacklisted subdomains from a file amass -blf data/blacklist.txt -d
-brute Perform brute force subdomain enumeration amass -brute -d
-df Specify the domains to be enumerated via text file amass -df domains.txt
-freq Throttle the rate of DNS queries by number per minute amass -freq 120 -d
-h Show the amass usage information amass -h
-ip Print IP addresses with the discovered names amass -ip -d
-json All discoveries written as individual JSON objects amass -json out.json -d
-l List all the domains to be used during enumeration amass -whois -l -d
-log Log all error messages to a file amass -log amass.log -d
-min-for-recursive Discoveries required for recursive brute forcing amass -brute -min-for-recursive 3 -d
-noalts Disable alterations of discovered names amass -noalts -d
-nodns A purely passive mode of execution amass -nodns -d
-norecursive Disable recursive brute forcing amass -brute -norecursive -d
-o Write the results to a text file amass -o out.txt -d
-oA Output to all available file formats with prefix amass -oA amass_scan -d
-r Specify your own DNS resolvers amass -r, -d
-rf Specify DNS resolvers with a file amass -rf data/resolvers.txt -d
-v Output includes data source and summary information amass -v -d
-version Print the version number of amass amass -version
-w Change the wordlist used during brute forcing amass -brute -w wordlist.txt -d
-whois Search using reverse whois information amass -whois -d

Have amass send all the DNS and infrastructure enumerations to the Neo4j graph database:

$ amass -neo4j neo4j:DoNotUseThisPassword@localhost:7687 -d

Here are switches for outputting the DNS and infrastructure findings as a network graph:

Flag Description Example
-d3 Output a D3.js v4 force simulation HTML file amass -d3 network.html -d example
-gexf Output to Graph Exchange XML Format (GEXF) amass -gephi network.gexf -d
-graphistry Output Graphistry JSON amass -graphistry network.json -d
-visjs Output HTML that employs VisJS amass -visjs network.html -d

Caution: If you use the amass.netnames tool, it will attempt to reach out to every IP address within the identified infrastructure and obtain names from TLS certificates. This is "loud" and can reveal your reconnaissance activities to the organization being investigated.

To discover all domains hosted within target ASNs, use the following option:

$ amass.netnames -asn 13374,14618

To investigate within target CIDRs, use this option:

$ amass.netnames -cidr,

For specific IPs or address ranges, use this option:

$ amass.netnames -addr,

By default, port 443 will be checked for certificates, but the ports can be changed as follows:

$ amass.netnames -cidr -p 80,443,8080

Integrating OWASP Amass into Your Work

If you are using the amass package within your own Go code, be sure to properly seed the default pseudo-random number generator:



func main() {
    output := make(chan *amass.AmassOutput)

    go func() {
        for result := range output {

    // Seed the default pseudo-random number generator

    // Setup the most basic amass configuration
    config := amass.CustomConfig(&amass.AmassConfig{Output: output})


Settings for the OWASP Amass Maltego Local Transform

  1. Setup a new local transform within Maltego:

Maltego setup process

  1. Configure the local transform to properly execute the go program:

Maltego configuration

  1. Go into the Transform Manager, and disable the debug info option:

Disabling debug


  • Discord Server - Discussing OSINT, network recon and developing security tools using Go



Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL