amass

Amass is a powerful tool for subdomain enumeration and asset discovery, integrating data from numerous sources to enhance the reconnaissance phase of cybersecurity workflows. It is particularly suited for gathering comprehensive information on target domains, making it an essential component for automated security assessments.

Ideal Use Cases & Fit

Amass excels in scenarios where thorough reconnaissance is required before vulnerability assessments or penetration testing. Typical inputs include lists of target domains, formatted as newline-separated values. It is particularly effective for passive enumeration, where direct DNS queries are not desirable. However, it may not be appropriate for environments requiring immediate results, as extensive enumeration can take time.

Value in Workflows

In security workflows, Amass adds significant value during the early reconnaissance phase by uncovering subdomains related to a primary domain. This information is critical for identifying potential attack surfaces and drafting security assessments. By automating this process, Amass streamlines data gathering and enhances the efficiency of subsequent analysis stages.

Input Data

Amass expects its input as a file of newline-separated domains. These domains define the targets for enumeration. An example of valid input:

example.com
example.org
test.com

Configuration

  • passive: Enables passive enumeration mode, avoiding direct DNS queries.
  • norecursive: Disables recursive brute forcing of subdomains, controlling the extent of enumeration.
  • active: Activates active enumeration features such as zone transfers and certificate grabs.
  • timeout: Sets a time limit for enumeration (in minutes), with zero indicating no limit.
  • include: Specifies data source names to include during the enumeration process, separated by commas.
  • exclude: Defines data source names to exclude from the enumeration, also separated by commas.
  • resolvers: Allows the configuration of custom DNS resolver IP addresses, listed as a comma-separated string.
  • dns_qps: Limits the maximum number of DNS queries per second to control resource usage.
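
A pre-flight check for the input file and the options listed above, as an added example (not code from this page or from the Amass project). The settings dict layout, the treatment of passive together with active as a conflict, the reading of 0 as "no limit" for dns_qps, and the placeholder source names are assumptions.

```python
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def parse_domains(text):
    """Split newline-separated input into (valid_domains, rejected_lines)."""
    valid, rejected = [], []
    for raw in text.splitlines():
        name = raw.strip().lower().rstrip(".")
        if not name:
            continue  # blank lines carry no target
        labels = name.split(".")
        if len(name) <= 253 and len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels):
            if name not in valid:
                valid.append(name)  # de-duplicate, keep first-seen order
        else:
            rejected.append(raw.strip())  # URLs, wildcards, typos
    return valid, rejected

def split_csv(value):
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def check_config(cfg):
    """Return problems found in a dict keyed by the option names listed above."""
    problems = []
    # Assumption: passive avoids direct DNS queries and active needs them, so both is a conflict.
    if cfg.get("passive") and cfg.get("active"):
        problems.append("passive and active are both enabled")
    for key in ("timeout", "dns_qps"):  # assumption: 0 or absent means no limit
        value = cfg.get(key, 0)
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            problems.append(f"{key} must be a non-negative integer")
    for addr in split_csv(cfg.get("resolvers")):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"resolvers: {addr!r} is not an IP address")
    both = set(split_csv(cfg.get("include"))) & set(split_csv(cfg.get("exclude")))
    if both:
        problems.append("in both include and exclude: " + ", ".join(sorted(both)))
    return problems

if __name__ == "__main__":
    # Constructed sample input; source_a and source_b are placeholder source names.
    sample = "example.com\nExample.ORG.\n\nhttps://test.com/login\nexample..net\nexample.com\n"
    print(parse_domains(sample))
    print(check_config({"passive": True, "active": True, "dns_qps": -5, "resolvers": "192.0.2.53, dns.example",
                        "include": "source_a,source_b", "exclude": "source_a"}))
```

Lines rejected by parse_domains are worth reviewing by hand before a run, since a pasted URL or a typo otherwise silently changes which targets are enumerated.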