amass-enum
Discover domain names and subdomains
TLDR
Find (passively) subdomains of a [d]omain
Find subdomains of a [d]omain and actively verify them by attempting to resolve the found names
Do a brute force search for sub[d]omains
Save the results to a text file
Save terminal output to a file and other detailed output to a directory
List all available data sources
SYNOPSIS
amass enum {-d
PARAMETERS
-d domain
Specifies the target domain for enumeration. This option can be used multiple times for several domains.
-df file
Provides a path to a file containing a list of target domains, one per line.
-active
Enables active enumeration techniques, which involve direct interactions with the target, such as port scanning, web scraping, and active DNS queries.
-passive
Instructs Amass to only use passive reconnaissance techniques, relying on OSINT, DNS records, web archives, and other non-intrusive data sources. This is often the default if -active isn't specified.
-brute
Activates brute-forcing of subdomains using wordlists. Uses the built-in wordlists unless a custom one is supplied with -w.
-ip
Displays the IP addresses for discovered subdomains in the output.
-v
Enables verbose output, providing more detailed information about the enumeration process and findings.
-o file
Specifies an output file where the enumeration results will be saved.
-dir directory
Defines an output directory where Amass will store its database and other generated files.
-config file
Provides the path to a custom configuration file for Amass, allowing extensive customization of settings, API keys, and resolvers.
-timeout duration
Sets the maximum duration for the enumeration to run (e.g., '5m' for 5 minutes, '1h' for 1 hour).
-src sources
A comma-separated list of specific data sources to use for enumeration (e.g., 'dns,cert,virustotal').
-w wordlist
Specifies a custom wordlist file to be used for subdomain brute-forcing.
-norecursive
Disables recursive brute-forcing of subdomains. By default, Amass may brute-force subdomains of discovered subdomains.
DESCRIPTION
The amass enum command is a powerful subcommand of the OWASP Amass tool, specializing in passive and active subdomain enumeration techniques. Its primary goal is to discover internet-facing assets belonging to an organization. It achieves this by gathering information from a multitude of data sources, including public DNS records, web archives, search engines, threat intelligence platforms, and more. Amass builds a comprehensive map of an organization's attack surface, crucial for security assessments. The tool supports both passive reconnaissance, which minimizes direct interaction with the target, and active reconnaissance, involving techniques like DNS brute-forcing, web scraping, and active DNS queries. Its extensive capabilities make it an invaluable resource for penetration testers, bug bounty hunters, and security professionals engaged in asset discovery, vulnerability assessment, and maintaining an up-to-date inventory of external assets.
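As an added example (not code from the Amass project), the following shell wrapper prints the passive command line built from the flags documented above and then diffs a results file against a baseline inventory, so that newly seen and vanished subdomains stand out for the asset-inventory use case mentioned here. It assumes that -o writes one hostname per line; the sample data is constructed, so it runs without the amass binary.

```shell
#!/bin/sh
# Added example, not part of the Amass project: wrap a passive 'amass enum'
# run (flags as documented above) and diff its results against a baseline
# inventory so newly seen and vanished subdomains stand out.
# Assumptions: -o writes one hostname per line; the baseline is a plain list.
set -eu

# Print (do not run) the amass enum command line for a passive run.
amass_passive_cmd() {
    domain=$1; outfile=$2; outdir=$3; timeout=${4:-30m}
    printf 'amass enum -passive -d %s -o %s -dir %s -timeout %s\n' \
        "$domain" "$outfile" "$outdir" "$timeout"
}

# Print names in $2 (new results) that are absent from $1 (baseline).
new_subdomains() {
    _t=$(mktemp -d)
    sort -u "$1" > "$_t/base"; sort -u "$2" > "$_t/res"
    comm -13 "$_t/base" "$_t/res"   # column 2: only in the new results
    rm -rf "$_t"
}

# Print names in $1 (baseline) that no longer appear in $2 (new results).
stale_subdomains() {
    new_subdomains "$2" "$1"
}

# Stand-alone demo with constructed data (no amass binary needed).
demo() {
    t=$(mktemp -d)
    printf 'www.example.com\nmail.example.com\nold.example.com\n' > "$t/baseline.txt"
    printf 'mail.example.com\ndev.example.com\nwww.example.com\n' > "$t/results.txt"
    echo "would run: $(amass_passive_cmd example.com "$t/results.txt" "$t/scans")"
    echo "new:";   new_subdomains   "$t/baseline.txt" "$t/results.txt"
    echo "stale:"; stale_subdomains "$t/baseline.txt" "$t/results.txt"
    rm -rf "$t"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo` to see the constructed diff; in real use, execute the printed command first, then point new_subdomains at the file given to -o.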
CAVEATS
Using amass enum, especially with active reconnaissance and brute-forcing, can be resource-intensive and generate significant network traffic.
Active enumeration techniques might trigger security alerts on target systems or be perceived as malicious activity. Always ensure you have explicit permission before conducting any active scans on a domain.
The effectiveness of amass enum heavily relies on the availability and configuration of API keys for various third-party services, which need to be set up in the configuration file.
Results can vary based on network conditions, DNS resolver quality, and the completeness of external data sources.
CONFIGURATION FILE AND API KEYS
amass enum leverages a detailed configuration file (typically located at ~/.config/amass/config.ini) to customize its behavior. This file is crucial for inputting API keys for various third-party data sources (e.g., VirusTotal, Shodan, AlienVault, Censys) that provide valuable intelligence. Proper configuration and valid API keys significantly enhance the tool's ability to discover a wider range of subdomains and associated information.
GRAPH DATABASE INTEGRATION
A powerful feature of Amass is its ability to store discovered attack surface information in a graph database, such as Neo4j. This allows for advanced visualization and analysis of the relationships between domains, subdomains, IP addresses, and other assets, providing a clearer picture of the target's infrastructure than raw text output alone.
HISTORY
The Amass project, including the enum subcommand, was initially created by Jeff Foley (caffix) and became an official OWASP project. It was developed to address the need for a comprehensive and automated attack surface mapping tool. Since its inception, amass enum has undergone continuous development, expanding its data sources, enumeration techniques, and integration capabilities. Its focus on combining passive OSINT with active DNS and brute-forcing methods quickly established it as a leading tool for reconnaissance in penetration testing and bug bounty programs. Regular updates and community contributions ensure it remains at the forefront of external asset discovery.
SEE ALSO
amass(1), nmap(1), dnsrecon(1), sublist3r(1), assetfinder(1)