May 18, 2024

OSINT Tools: Amass

3 min read

What is Amass?

Amass is an open-source OSINT tool developed by OWASP (Open Web Application Security Project). It is designed to help penetration testers, security professionals, and researchers discover subdomains, associated domains, and other information about a target domain or organization. Amass integrates multiple data sources and techniques to provide a comprehensive view of the target’s digital footprint.


Amass can be installed on various platforms, including Linux, macOS, and Windows. Here’s how to set it up:

1. Linux and macOS

  1. Open a terminal window.
  2. Ensure you have Go (Golang) installed. If not, you can download it from the official website: Go Downloads.
  3. Use the following command to install Amass:bash
  1. go get -v
  2. Once the installation is complete, you can run Amass with the amass command.

2. Windows

  1. Download the latest Windows binary release of Amass from the official GitHub repository: Amass Releases.
  2. Extract the downloaded ZIP file to a directory of your choice.
  3. Open a Command Prompt or PowerShell window and navigate to the directory where you extracted Amass.
  4. You can now use Amass by running the amass.exe executable.

Using Amass

Now that you have Amass installed, let’s explore some common use cases.

1. Basic Subdomain Enumeration

To perform a basic subdomain enumeration, simply run Amass with the target domain as an argument:


amass enum -d

Amass will start querying various data sources and DNS records to discover subdomains associated with the target domain.

2. Enumerating Subdomains with Output

You can save the results to a file using the -o flag:


amass enum -d -o output.txt

This will create a text file (output.txt) containing the discovered subdomains.

3. Using API Keys

Amass can leverage API keys for certain data sources, such as Shodan and Censys. To use an API key, use the -config flag to specify a configuration file containing the key:


amass enum -d -config ~/path/to/config.ini

Your config.ini file should contain your API keys in the following format:


[shodan] key = YOUR_SHODAN_API_KEY [censys] key = YOUR_CENSYS_API_KEY

4. Extensive Enumeration

For a more comprehensive scan, you can include additional sources and services:


amass enum -d -active -brute -w ~/wordlists/your-wordlist.txt

In this example, Amass performs active enumeration, brute-forcing subdomains, and using a custom wordlist.

5. Customizing Output

Amass provides multiple output formats, including JSON, CSV, and others. Use the -o flag followed by the desired output format:


amass enum -d -o json -o output.json


Amass is a versatile and powerful OSINT tool for subdomain enumeration and information gathering. Whether you’re a cybersecurity professional, penetration tester, or researcher, understanding how to use and install Amass can significantly enhance your ability to assess and secure digital assets. Remember to use Amass responsibly and within the bounds of applicable laws and regulations. Happy hunting!

To learn more about Amass and explore its advanced features, be sure to check out the official documentation on GitHub: Amass GitHub Repository.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may have missed

Discover more from

Subscribe now to keep reading and get access to the full archive.

Continue reading