amass enum – Find subdomains of a domain (Command Examples)

The “amass” tool is a powerful open-source command-line tool used for enumerating and discovering subdomains of a given domain. It is widely used in the field of cybersecurity for reconnaissance and mapping purposes. Here’s a more detailed explanation:

  • Subdomain Enumeration: The primary function of the “amass” tool is to enumerate or find subdomains associated with a specific domain. It leverages various techniques, such as DNS queries, web scraping, and passive intelligence gathering, to collect information about subdomains.
  • Domain Mapping and Reconnaissance: By discovering subdomains, “amass” helps in mapping the external infrastructure of a target domain. This information is valuable for understanding the attack surface and identifying potential entry points or vulnerabilities.
  • Comprehensive Data Sources: “amass” integrates with multiple data sources, including DNS servers, web archives, search engines, and certificate transparency logs, to gather subdomain information. It combines the results from these sources to provide a comprehensive view of the target domain’s subdomains.
  • Passive and Active Techniques: The tool utilizes passive techniques, such as querying public resources and analyzing historical data, to collect subdomain information without directly interacting with the target infrastructure. It also employs active techniques, like DNS resolution and brute-forcing, to actively discover subdomains.
  • Intelligent Subdomain Bruteforcing: “amass” uses intelligent subdomain bruteforcing techniques to generate potential subdomains based on common patterns, keywords, or known subdomain structures. This helps in discovering subdomains that might not be explicitly listed or easily guessable.
  • Integration with DNS Resolution: The tool performs DNS resolution for identified subdomains, providing associated IP addresses. This enables users to map subdomains to their corresponding IP addresses, facilitating further analysis and investigation.
  • Output Formats and Integration: “amass” provides flexible output options, allowing users to export the discovered subdomains in various formats, such as CSV (Comma-Separated Values), JSON (JavaScript Object Notation), or plain text. This facilitates integration with other tools or workflows for additional analysis or processing.
  • Configuration and Customization: “amass” offers a wide range of configuration options to tailor the subdomain enumeration process according to specific requirements. Users can customize DNS settings, control the depth of enumeration, and apply filters to refine the results.
  • Continuous Monitoring and Updating: As subdomains may change over time, “amass” can be used to perform regular scans and updates to identify any newly added or removed subdomains. This helps in maintaining an up-to-date understanding of the target domain’s infrastructure.

“amass” is a versatile and widely used tool for subdomain enumeration. By efficiently discovering subdomains associated with a domain, it assists security professionals, penetration testers, and researchers in conducting comprehensive reconnaissance and mapping activities, enhancing their understanding of the target’s external infrastructure.

amass enum Command Examples

1. Passively find subdomains of a domain:

# amass enum -passive -d domain_name

2. Find subdomains of a domain and actively verify them attempting to resolve the found subdomains:

# amass enum -active -d domain_name -p 80,443,8080

3. Do a brute force search for subdomains:

# amass enum -brute -d domain_name

4. Save the results to a text file:

# amass enum -o output_file -d domain_name

5. Save the results to a database:

# amass enum -o output_file -dir path/to/database_directory
Related Post