amass-track

Show the difference between the last two enumerations of the specified domain

$ amass track -dir [path/to/database_directory] -d [domain_name] -last 2

$ amass track -dir [path/to/database_directory] -d [domain_name] -since [01/02 15:04:05 2006 MST]

amass track -d -dir [-last ] [-json] [-o ] [-v]

-d
    Specifies the target domain for which changes will be tracked.

-dir
    Specifies the output directory where Amass stores its project-specific graph database and other data. This is crucial for historical data comparison across scans.

-last
    Compares the current scan against data from the last specified duration (e.g., 24h, 7d).

-json
    Outputs the tracking results in JSON format.

-o
    Writes the tracking results to the specified output file.

-v
    Enables verbose output, providing more detailed information during execution.

The amass track command is a powerful sub-command of the OWASP Amass network mapping and asset discovery tool. Its primary purpose is to monitor and report on changes observed in the DNS records and associated IP addresses of assets over time. It leverages historical data stored in Amass's graph database (usually within a specified output directory) to compare the current state of discovered assets with previous reconnaissance efforts. This allows security professionals and penetration testers to identify new subdomains, disappearing assets, changes in IP allocations, or modifications to DNS entries that could indicate infrastructure shifts, new deployments, or potential security events.

By automating the detection of these changes, amass track helps in maintaining an up-to-date attack surface view. It's particularly useful for continuous monitoring programs, red team operations, and vulnerability management processes where understanding the evolving infrastructure of a target organization is critical. It helps in proactively identifying emerging threats or compliance issues related to asset visibility.

The effectiveness of amass track heavily relies on the presence of a persistent Amass graph database, typically populated by previous amass enum runs with the same -dir path. Without sufficient historical data, the tracking functionality will be limited. It can also consume significant disk space over time as the database grows. Performance may degrade with very large datasets or extensive historical comparisons. Ensure the specified directory is accessible and has sufficient write permissions.

For amass track to function effectively, it requires access to historical data generated by previous amass enum runs. It is crucial to use the same -dir parameter across all Amass commands (enumeration and tracking) to ensure data consistency and allow the tool to build and leverage its graph database for comparison.

The output of amass track typically highlights three categories of changes: new discoveries (assets found in the current scan but not in historical data), disappeared assets (assets present historically but not in the current scan), and changed assets (where DNS records or IP addresses associated with an asset have changed). Understanding these categories is key to interpreting the results.

The amass project, developed by OWASP, was initially released around 2017-2018. It quickly gained popularity as a comprehensive and powerful tool for attack surface mapping. The track subcommand was introduced as a natural evolution to support continuous monitoring and help users understand the dynamic nature of their discovered assets. Its development has focused on leveraging the internal graph database for efficient historical comparisons, making it a cornerstone for persistent reconnaissance operations within the Amass ecosystem.

amass(1), amass enum(1), amass db(1), dig(1), whois(1)