# Amass — In-Depth Attack Surface Mapping and Asset Discovery

> An OWASP project for network mapping and external asset discovery using open source intelligence gathering and active reconnaissance techniques.

## Quick Use

```bash
# Install
go install github.com/owasp-amass/amass/v4/...@master

# Passive subdomain enumeration
amass enum -passive -d example.com

# Active enumeration with DNS resolution
amass enum -active -d example.com -o results.txt
```

## Introduction

Amass is an OWASP project written in Go that performs network mapping and external attack surface discovery. It combines passive data sources, active DNS probing, and web scraping to build a comprehensive map of an organization's internet-facing assets, making it a core tool in bug bounty and red team workflows.

## What Amass Does

- Discovers subdomains through 50+ passive data sources (certificate logs, search engines, DNS datasets)
- Performs active DNS enumeration with brute-forcing, zone transfers, and NSEC walking
- Maps network infrastructure by resolving discovered names and correlating IP ranges
- Tracks attack surface changes over time with a local graph database
- Outputs results in text, JSON, or imports into visualization tools via the graph database

## Architecture Overview

Amass uses a pipeline architecture with data sources feeding into an enumeration engine. Passive collectors query APIs (VirusTotal, SecurityTrails, Censys, etc.) and certificate transparency logs. Active modules perform DNS resolution, brute-forcing, and web crawling. All discovered assets are stored in a local graph database that tracks relationships between domains, IPs, ASNs, and netblocks across multiple runs.

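
Tracking assets across runs comes down to comparing the set of names seen in one run with the set seen in the next. The script below is an added example, not code from the original page or from the Amass project: it diffs two saved text outputs for a domain you own, assuming each file holds hostnames somewhere on its lines. The function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: diff two saved enumeration outputs for one in-scope domain.

# extract_names DOMAIN FILE
# Print each unique hostname in FILE that is DOMAIN or a subdomain of it,
# lowercased and without a trailing dot. Other fields on a line are ignored,
# and look-alikes such as notexample.com or example.com.evil.net are rejected.
extract_names() {
    en_pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
    # Lowercase, split every line into hostname-like tokens, then keep only
    # tokens whose full text is the domain or ends in ".domain".
    tr 'A-Z' 'a-z' < "$2" |
        tr -cs 'a-z0-9._-' '\n' |
        sed 's/\.$//' |
        grep -E "^([a-z0-9_-]+\.)*${en_pattern}\$" |
        LC_ALL=C sort -u
}

# surface_diff DOMAIN OLD_FILE NEW_FILE
# Print "+ name" for names only in NEW_FILE, "- name" for names only in OLD_FILE.
surface_diff() {
    sd_old=$(mktemp) && sd_new=$(mktemp) || return 1
    extract_names "$1" "$2" > "$sd_old"
    extract_names "$1" "$3" > "$sd_new"
    LC_ALL=C comm -13 "$sd_old" "$sd_new" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$sd_old" "$sd_new" | sed 's/^/- /'
    rm -f "$sd_old" "$sd_new"
}

# Constructed sample data (not real scan output): an earlier run saved as one
# name per line, and a later run whose lines carry extra fields around the name.
demo_surface_diff() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'www.example.com' 'mail.example.com' \
        'old-vpn.example.com' > "$d/old.txt"
    printf '%s\n' \
        'www.example.com (FQDN) --> a_record --> 192.0.2.10 (IPAddress)' \
        'MAIL.example.com. (FQDN) --> a_record --> 192.0.2.25 (IPAddress)' \
        'staging.example.com (FQDN) --> cname_record --> app.example.net (FQDN)' \
        'notexample.com (FQDN) --> a_record --> 192.0.2.99 (IPAddress)' \
        > "$d/new.txt"
    surface_diff example.com "$d/old.txt" "$d/new.txt"
    rm -rf "$d"
}

demo_surface_diff
```

A `+` line is a name that needs an owner and a review before it stays exposed; a `-` line is a candidate for cleaning up leftover DNS records.
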
## Self-Hosting & Configuration

- Install via `go install`, snap, or download prebuilt binaries
- Configure API keys for data sources in a YAML config file (`~/.config/amass/config.yaml`)
- Set rate limits and DNS resolver lists to control scan aggressiveness
- Use the database directory to maintain persistent asset tracking across engagements
- Integrate with external tools by exporting results in JSON or D3.js graph format

## Key Features

- 50+ passive data sources for subdomain discovery without touching the target
- Graph database for persistent attack surface tracking across multiple scans
- DNS brute-forcing with smart wordlist generation based on discovered patterns
- ASN and netblock discovery to map the full network footprint
- Scripting engine for writing custom data source modules

## Comparison with Similar Tools

- **subfinder** — faster for simple subdomain enumeration but lacks graph tracking and active scanning
- **Sublist3r** — older Python tool with fewer data sources and no active enumeration
- **Knockpy** — Python subdomain scanner, smaller feature set
- **Recon-ng** — modular reconnaissance framework, broader scope but less focused on DNS enumeration

## FAQ

**Q: What is the difference between passive and active enumeration?**
A: Passive mode queries third-party data sources without contacting the target. Active mode sends DNS queries and web requests directly to the target's infrastructure.

**Q: How do I add API keys for data sources?**
A: Create a config.yaml file and add credentials for services like VirusTotal, Censys, Shodan, and SecurityTrails to unlock their full results.

**Q: Can Amass track attack surface changes over time?**
A: Yes. Amass stores results in a local graph database. Running the db subcommand compares results across scans to identify new or removed assets.

**Q: How does Amass compare to subfinder for quick subdomain lists?**
A: subfinder is faster for simple one-shot subdomain lists.
Amass provides deeper analysis with active scanning, graph tracking, and infrastructure correlation.

## Sources

- https://github.com/owasp-amass/amass
- https://owasp.org/www-project-amass/

---

Source: https://tokrepo.com/en/workflows/asset-6db57893
Author: AI Open Source