amass-track
Track DNS enumeration changes over time
TLDR
Show the difference between the last two enumerations of the specified domain
Show the difference between a certain point in time and the last enumeration
SYNOPSIS
amass track -d
PARAMETERS
-d
Specifies the target domain for which changes will be tracked.
-dir
Specifies the output directory where Amass stores its project-specific graph database and other data. This is crucial for historical data comparison across scans.
-last
Compares the current scan against data from the last specified duration (e.g., 24h, 7d).
-json
Outputs the tracking results in JSON format.
-o
Writes the tracking results to the specified output file.
-v
Enables verbose output, providing more detailed information during execution.
DESCRIPTION
The amass track command is a powerful subcommand of the OWASP Amass network mapping and asset discovery tool. Its primary purpose is to monitor and report on changes observed in the DNS records and associated IP addresses of assets over time. It leverages historical data stored in Amass's graph database (usually within a specified output directory) to compare the current state of discovered assets with previous reconnaissance efforts. This allows security professionals and penetration testers to identify new subdomains, disappearing assets, changes in IP allocations, or modifications to DNS entries that could indicate infrastructure shifts, new deployments, or potential security events.
By automating the detection of these changes, amass track helps in maintaining an up-to-date attack surface view. It's particularly useful for continuous monitoring programs, red team operations, and vulnerability management processes where understanding the evolving infrastructure of a target organization is critical. It helps in proactively identifying emerging threats or compliance issues related to asset visibility.
CAVEATS
The effectiveness of amass track heavily relies on the presence of a persistent Amass graph database, typically populated by previous amass enum runs with the same -dir path. Without sufficient historical data, the tracking functionality will be limited. It can also consume significant disk space over time as the database grows. Performance may degrade with very large datasets or extensive historical comparisons. Ensure the specified directory is accessible and has sufficient write permissions.
USAGE WITH PERSISTENT DATA
For amass track to function effectively, it requires access to historical data generated by previous amass enum runs. It is crucial to use the same -dir parameter across all Amass commands (enumeration and tracking) to ensure data consistency and allow the tool to build and leverage its graph database for comparison.
OUTPUT INTERPRETATION
The output of amass track typically highlights three categories of changes: new discoveries (assets found in the current scan but not in historical data), disappeared assets (assets present historically but not in the current scan), and changed assets (where DNS records or IP addresses associated with an asset have changed). Understanding these categories is key to interpreting the results.
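The three categories above, shown as an added example that is not Amass code and does not reproduce its output format: a Python script that classifies the changes between two snapshots of an organization's own DNS inventory. The `name address` line format, the function names and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample snapshots, one "name address" pair per line.
# This line format is an assumption for the example, not Amass output.
PREVIOUS = """\
www.example.com 192.0.2.10
api.example.com 192.0.2.20
old.example.com 192.0.2.30
mail.example.com 192.0.2.40
"""
CURRENT = """\
WWW.example.com. 192.0.2.10
api.example.com 198.51.100.20
mail.example.com 192.0.2.40
mail.example.com 192.0.2.41
staging.example.com 198.51.100.50
"""

def parse_snapshot(text):
    """Return {name: set(addresses)}; names lowercased, trailing dot removed."""
    assets = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip blank or malformed lines
        name, addr = fields
        assets[name.lower().rstrip(".")].add(addr)
    return dict(assets)

def classify_changes(previous, current):
    """Sort names into the three categories: new, disappeared, changed."""
    new = sorted(current.keys() - previous.keys())
    disappeared = sorted(previous.keys() - current.keys())
    changed = {}
    for name in sorted(previous.keys() & current.keys()):
        added = current[name] - previous[name]
        removed = previous[name] - current[name]
        if added or removed:  # same name, different address set
            changed[name] = {"added": sorted(added), "removed": sorted(removed)}
    return {"new": new, "disappeared": disappeared, "changed": changed}

if __name__ == "__main__":
    report = classify_changes(parse_snapshot(PREVIOUS), parse_snapshot(CURRENT))
    for category, items in report.items():
        print(category, items)
```

Normalizing case and the trailing dot before comparing keeps `WWW.example.com.` from being reported as a new asset alongside a disappeared `www.example.com`.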
HISTORY
The amass project, developed by OWASP, was initially released around 2017-2018. It quickly gained popularity as a comprehensive and powerful tool for attack surface mapping. The track subcommand was introduced as a natural evolution to support continuous monitoring and help users understand the dynamic nature of their discovered assets. Its development has focused on leveraging the internal graph database for efficient historical comparisons, making it a cornerstone for persistent reconnaissance operations within the Amass ecosystem.