amass-intel

Discover domains and infrastructure for an organization

TLDR

Discover root domains for an organization

$ amass intel -org "[Company Name]"

Find domains from ASN

$ amass intel -asn [AS12345]

Reverse lookup by IP range

$ amass intel -cidr [192.168.1.0/24]

Find domains from whois data

$ amass intel -whois -d [example.com]

SYNOPSIS

amass intel [-org name] [-asn number] [-cidr range] [options]

amass intel gathers intelligence to identify domains and infrastructure owned by an organization. It uses various techniques including ASN lookup, WHOIS analysis, certificate transparency, and reverse IP lookups.
This command is typically used at the beginning of reconnaissance to identify all root domains before detailed enumeration.

PARAMETERS

-org name

Organization name to research

-asn number

Autonomous System Number (can include AS prefix)

-cidr range

IP range in CIDR notation

-ip address

Single IP address

-whois

Perform reverse WHOIS lookups

-d domain

Domain for WHOIS lookup

-active

Enable active methods

-src

Show data sources

-o file

Output file

-config file

Configuration file

CONFIGURATION

~/.config/amass/config.ini

Amass configuration file defining data sources, API keys, and scope settings.

CAVEATS

Organization name matching is fuzzy; review results for accuracy. WHOIS data may be privacy-protected. ASN information may not cover all organizational assets.

HISTORY

amass intel was added to provide organizational-level reconnaissance capabilities, complementing the domain-focused enum command.