amass-intel

Discover domains and infrastructure for an organization

TLDR

Discover root domains for an organization

$ amass intel -org "[Company Name]"

Find domains from ASN

$ amass intel -asn [AS12345]

Reverse lookup by IP range

$ amass intel -cidr [192.168.1.0/24]

Find domains from whois data

$ amass intel -whois -d [example.com]

SYNOPSIS

amass intel [-org name] [-asn number] [-cidr range] [options]

amass intel gathers intelligence to identify domains and infrastructure owned by an organization. It uses various techniques including ASN lookup, WHOIS analysis, certificate transparency, and reverse IP lookups.This command is typically used at the beginning of reconnaissance to identify all root domains before detailed enumeration.

PARAMETERS

-org name

Search string matched against AS description information

-asn number

ASNs separated by commas (can be used multiple times)

-cidr range

CIDRs separated by commas (can be used multiple times)

-addr ips

IPs and ranges (for example 192.168.1.1-254) separated by commas

-whois

Run all discovered domains through reverse WHOIS

-d domain

Domain names separated by commas (can be used multiple times)

-active

Enable active recon methods

-ip

Show the IP addresses for discovered names

-o file

Output file

-config file

Configuration file

CONFIGURATION

~/.config/amass/config.ini

Amass configuration file defining data sources, API keys, and scope settings.

CAVEATS

Organization name matching is fuzzy; review results for accuracy. WHOIS data may be privacy-protected. ASN information may not cover all organizational assets.

HISTORY

amass intel was added to provide organizational-level reconnaissance capabilities, complementing the domain-focused enum command.

RESOURCES

Source code · Documentation