Amass: The Subdomain Enumeration Powerhouse for Pentesters

In recon, subdomain enumeration is where you turn over digital rocks looking for hidden doorways. And when it comes to finding every last dusty corner of a target’s web presence, Amass is your go-to bloodhound.

This post will cover:

  • What Amass is
  • Why it matters for pentesters
  • Installation
  • The most useful commands
  • Real-world use cases
  • Tips and limitations

Amass is an advanced open-source tool for attack surface mapping and external asset discovery. It helps you discover:

  • Subdomains (passive and active)
  • IP addresses
  • Network infrastructure
  • Relationships between domains

Amass pulls from OSINT sources, performs DNS queries and brute-forcing, and even graphs the relationships between the assets it finds. It’s designed to map out the unseen perimeter before you ever touch a login page.

Here’s what makes Amass shine:

  • Deep enumeration: Passive + active discovery with hundreds of data sources
  • Recursive DNS resolution: Finds nested subdomains too
  • ASNs and CIDRs: Can map full networks
  • Custom wordlists: Brute-force like a boss
  • Visual recon: Built-in graph database and viz tools

For pentesters, this means you’re more likely to uncover:

  • Forgotten staging servers
  • Internal dev environments exposed to the internet
  • Apps on odd subdomains (test.api.target.com, dev-admin.target.com)
  • Domains using different tech stacks and credentials

On Kali or Parrot OS:

sudo apt install amass

Or via Go (if you’re wild like that):

go install -v github.com/owasp-amass/amass/v4/...@latest

Confirm install:

amass -version

The most useful commands:

# Passive + active subdomain enumeration
amass enum -d target.com

# Passive only: collect names from data sources without resolving them
amass enum -passive -d target.com

# Write discovered subdomains to a file
amass enum -d target.com -o subdomains.txt

# Brute-force with a custom wordlist
amass enum -d target.com -brute -w /path/to/wordlist.txt

# Enumerate several domains at once; domains.txt contains one domain per line
amass enum -df domains.txt -o all_subs.txt

# Find ASNs, CIDRs, and more via WHOIS data
amass intel -whois -d target.com

# Generates a web-based graph interface from results
amass viz -d3

# Save results as JSON for further processing
amass enum -d target.com -json results.json

You’re targeting examplecorp.com. A basic amass enum -d examplecorp.com spits out:

  • dev.examplecorp.com
  • api.internal.examplecorp.com
  • vpn-staging.examplecorp.com
  • hr-portal-legacy.examplecorp.com

Now you’ve got entry points. Some might be staging or forgotten systems still live with default creds. Others might leak error messages or expose attack surface that the main domain has already hardened.

A few tips:

  • Always start passive to stay under the radar.
  • Follow up with GoBuster or Dirsearch once you’ve confirmed live hosts.
  • Correlate Amass results with tools like WhatWeb, Nmap, and Aquatone.
  • Use MassDNS with Amass for faster resolution at scale.
  • If you get too many results, focus on subdomains that resolve to unique IPs.

Known limitations:

  • DNS resolution bottlenecks: Use good resolvers or a custom config to speed things up
  • Data overload: You’ll often need to filter noise from gold
  • Doesn’t crawl websites: Pair it with tools like Burp, Hakrawler, or Waybackurls to go deeper
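To act on the "focus on subdomains that resolve to unique IPs" tip, here is a small added triage script (not part of the original post or of Amass itself). It assumes you have already turned the names Amass found into one "hostname ip" pair per line; the sample pairs below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: collapse a large enumeration
# result to one hostname per distinct IP, and report which IPs were shared.
# Assumed input format: "hostname ip" per line (e.g. after resolving the
# names from amass enum). The SAMPLE data is constructed.

SAMPLE='dev.examplecorp.com 203.0.113.10
api.internal.examplecorp.com 203.0.113.20
vpn-staging.examplecorp.com 203.0.113.30
hr-portal-legacy.examplecorp.com 203.0.113.40
www.examplecorp.com 198.51.100.5
shop.examplecorp.com 198.51.100.5
blog.examplecorp.com 198.51.100.5
cdn1.examplecorp.com 198.51.100.5'

# unique_ip_hosts: read "host ip" lines on stdin and print the first host
# seen for each IP. Many names on one IP usually means a shared CDN or
# wildcard front end, so they are collapsed to keep the review list short.
unique_ip_hosts() {
    awk 'NF == 2 && !seen[$2]++ { print $1, $2 }'
}

# shared_ip_report: print "ip count" for every IP that more than one host
# resolves to, so you can see what got collapsed and why.
shared_ip_report() {
    awk 'NF == 2 { n[$2]++ } END { for (ip in n) if (n[ip] > 1) print ip, n[ip] }' | sort
}

# count_unique: number of distinct IPs in the sample (handy sanity check).
count_unique() {
    printf '%s\n' "$SAMPLE" | unique_ip_hosts | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | unique_ip_hosts
printf '%s\n' "$SAMPLE" | shared_ip_report
```

With the sample data the first pipeline keeps five hosts and the report shows that 198.51.100.5 was shared by four names.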

Amass is like recon with night-vision goggles — it shows you what other tools miss. Whether you’re on a bug bounty, red team op, or internal pentest, running Amass early can give you the keys to places your target forgot existed.

Map the perimeter. Find forgotten doors. Then start knocking.
