amass-enum

Passive subdomain enumeration

$ amass enum -passive -d [example.com]

$ amass enum -active -brute -d [example.com]

$ amass enum -config [config.ini] -d [example.com]

$ amass enum -d [example.com] -src

$ amass enum -d [example.com] -ip -o [results.txt]

amass enum [-d domain] [-passive] [-active] [-brute] [options]

amass enum performs DNS enumeration and network mapping. It discovers subdomains using multiple passive and active techniques, including querying data sources, certificate transparency, DNS brute-forcing, and zone transfers.
This is the primary command for subdomain discovery, offering extensive configuration for different reconnaissance needs.

-d domain

Target domain (repeatable for multiple domains)

Use only passive data sources (no direct queries)

Perform active DNS resolution

Enable subdomain brute-forcing

Wordlist for brute-forcing

Show which source discovered each name

Include IP addresses in output

Show only IPv4 addresses

Show only IPv6 addresses

Output file for discovered names

Output in JSON format

Configuration file with API keys and settings

Timeout for the enumeration

~/.config/amass/config.ini

Amass configuration file defining data sources, API keys, resolvers, and scope settings.

Active mode generates DNS traffic that may trigger alerts. Brute-forcing can take significant time. Many data sources require API keys configured in config file.

amass enum has been the core functionality since amass was first released. It has expanded to include dozens of data sources and multiple enumeration techniques.

amass(1), amass-intel(1), subfinder(1)