LinuxCommandLibrary

amass-intel

Discover information about internet targets

TLDR

Find root domains in an IP [addr]ess range

$ amass intel -addr [192.168.0.1-254]
copy

Use active recon methods
$ amass intel -active -addr [192.168.0.1-254]
copy

Find root domains related to a [d]omain
$ amass intel -whois -d [domain_name]
copy

Find ASNs belonging to an [org]anisation
$ amass intel -org [organisation_name]
copy

Find root domains belonging to a given Autonomous System Number
$ amass intel -asn [asn]
copy

Save results to a text file
$ amass intel -o [output_file] -whois -d [domain_name]
copy

List all available data sources
$ amass intel -list
copy

SYNOPSIS

amass intel [global-options] [-passive] [-d domain...] [-o output.json]

PARAMETERS

-a, --addr
    IP addresses associated with domains

-asn, --asn
    ASNs associated with domains

-blf, --blacklist file
    Path to blacklist file

-d, --domain domain
    Domain names to investigate

-df, --dir path
    Output directory path

-dip, --dnsint service
    DNS service for resolutions

-dns, --dns
    DNS names associated with domains

-h1, --http1
    HTTP/1.1 only

-hok, --hops-ok
    Ignore AS hop limits

-ip, --ip
    IP addresses

-list, --list file
    File of domains to load

-o, --output file
    Output file for findings

-org, --org org
    Organization names

-passive
    Passive mode only (default)

-src, --src source
    Configured Amass data source

-timeout duration
    Enumeration timeout

-v, --verbose
    Verbose output

-w, --wildcard
    Wildcard domain testing

-config file
    Path to config file (global)

-log file
    Log file path (global)

DESCRIPTION

amass intel is a subcommand of the OWASP Amass toolkit for network reconnaissance and attack surface mapping. It passively collects intelligence on target domains from public sources like Certificate Transparency logs, BGP feeds, Shodan, Censys, and passive DNS databases. Key data includes associated IP addresses, ASNs, netblocks, organizations, and DNS names, without direct target interaction in default mode. This intel map enhances targeted enumeration by providing context on infrastructure ownership and reachability. Designed for security researchers, pentesters, and OSINT, it outputs structured JSON for integration with other Amass modules like amass enum. Usage involves specifying domains via -d or -org, with options to filter by hops, wildcard tests, or specific data types. Verbose logging and timeouts aid large-scale runs. Optimal performance requires a config file (~/.config/amass/config.yaml) with API keys for premium sources.

CAVEATS

Requires Amass config with API keys (Shodan, etc.) for full sources; passive mode avoids detection but limits depth; large orgs may timeout without adjustment.
JSON output only; no built-in visualization.

INSTALLATION

Go install: go install -v github.com/owasp-amass/amass/v4/...@master
Or binaries from GitHub releases.

EXAMPLE

amass intel -passive -org microsoft -d contoso.com -o intel.json
Gathers intel on contoso.com from Microsoft org sources.

HISTORY

Part of OWASP Amass by Jeff Foley; initial release ~2016 as 'amass'; intel module evolved in v3.x (2019) for passive OSINT; v4.2+ (2024) adds better source integration and performance.

SEE ALSO

amass(1), amass enum(1), subfinder(1), dnsrecon(1)

Copied to clipboard