09/16/2022 - Miniseries - Subdomain Enumeration Part 3

Today we will take a closer look at Project Amass.



This post is aimed at beginners who want to get into the topic, so I keep it simple and focus on how to reach the goal rather than on "how exactly does it work?". I will not cover paid software. Keep in mind that I only show an excerpt of what the tools can do; this does not mean there are no other or additional possibilities. If you missed part 2, click here.

I am using a Kali VM with 4 cores and 4 GB RAM as the test environment. Kali is up to date.


Project Amass


Discord: https://discord.gg/rtN8GMd
Project: https://github.com/owasp-amass/amass
Twitter: https://twitter.com/owaspamass
Website: https://owasp.org/www-project-amass/


How do I get the software?

git clone https://github.com/owasp-amass/amass
cd amass

Build it with Go as described in the project README, or on Kali simply install the package: sudo apt install amass. Either way, amass -version should then print the installed version.


Amass Intel


Amass intel tries to find all other domains related to the specified domain or company (reverse whois, ASN and netblock data and so on). A more detailed description can be found at: https://github.com/owasp-amass/amass/blob/master/doc/tutorial.md.
It is also possible to search by company name with -org.

amass intel -d example.com -whois -active



If you want to save the data:

amass intel -org 'Example Ltd' -whois -active -o /home/USERNAME/filename.csv

The file name and extension are up to you; .txt and .json also work, the content is plain text with one finding per line.


Amass Enum


Tip: set your own DNS resolvers in the config (or pass them with -r). Some ISPs don't like mass DNS requests, and a rate-limiting resolver silently costs you results.


active scan - minimal settings:

amass enum -active -d example.com -brute -src -ip -o /home/USERNAME/test.csv



active scan - advanced settings:

amass enum -active -d example.com -brute -w /home/USERNAME/wordlist/wordlist.txt -src -ip -dir /home/USERNAME/example/ -o /home/USERNAME/test.csv

Via -w we point amass at the wordlist file that -brute should use. Via -dir /home/USERNAME/example/ we specify where the graph database should be stored; later runs with the same -dir add to it, so the content is updated and you build up history. After a successful scan you get a summary of the findings including IPs and ASNs. The screenshot was made with the additional -demo flag, which only masks sensitive data in the output; leave it out for real runs.


passive scan:

amass enum -passive -d example.com -src -o /home/USERNAME/test.csv

Brute forcing needs DNS resolution, which -passive switches off, so adding -brute here gains nothing; you can leave it out. In a passive scan you can also specify the database directory via -dir /home/USERNAME/example/.


passive scan with own database:

amass enum -passive -d example.com -dir /home/USERNAME/example/ -src -o /home/USERNAME/test.csv



Amass DB


Amass stores everything in its own database under its default directory if you don't define one with -dir. But what can you do with it?
If you stored everything in a separate database, point db at it with -dir (the -d flag is for the domain, not the directory):

amass db -dir /home/USERNAME/example/ -d example.com -ip -show > /home/USERNAME/example.csv

The redirect at the end saves the listing to a file, here a .csv.


If you have not defined your own database, amass reads its default one and -dir can be omitted:

amass db -d example.com -show



Amass Track


Track makes it easier to notice changes in the infrastructure. Amass track compares several enumerations with each other and shows the differences. If you build a larger database with dozens of domains, you should run track from time to time. For example: has the mail server been moved? Does a subdomain no longer exist, but the application is still reachable via its IP?

Do not forget that in companies someone once built something and is no longer there. Many people hate documentation, or "it's only there for testing" is the typical excuse. What gets overlooked is that exactly this makes the company vulnerable.

amass track -dir /home/USERNAME/example/ -d example.com -last [NUMBER]

NUMBER is how many of the most recent enumerations to compare.
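Track works on amass's own database. If you instead keep the plain text files that -o writes (one per day, for example), the same comparison can be done with standard POSIX tools. The script below is an added example, not part of the original post or of the Amass project; the line shapes it parses (a bare name, a name followed by IPs with -ip, an optional leading [Source] tag with -src) and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post or the Amass project): a plain POSIX-tools
# version of what "amass track" reports, for people who keep the text files
# written by "amass enum ... -o file" instead of a -dir database.
# Assumed line shapes (check against your amass version):
#   www.example.com
#   www.example.com 93.184.216.34            (with -ip)
#   [DNS]   www.example.com 93.184.216.34    (with -src -ip)

# names FILE: one hostname per line, lower-cased and de-duplicated
names() {
    sed -E 's/^\[[^]]*\][[:space:]]*//' "$1" |   # drop a leading [Source] tag
    awk 'NF { print tolower($1) }' |              # first remaining field = name
    LC_ALL=C sort -u
}

# diff_subdomains OLD NEW: "+name" for names only in NEW, "-name" for names only in OLD
diff_subdomains() {
    old=$(mktemp); new=$(mktemp)
    names "$1" > "$old"
    names "$2" > "$new"
    LC_ALL=C comm -13 "$old" "$new" | sed 's/^/+/'
    LC_ALL=C comm -23 "$old" "$new" | sed 's/^/-/'
    rm -f "$old" "$new"
}

# Daily use (amass itself is not run in this example file):
#   amass enum -passive -d example.com -o "scans/$(date +%F).txt"
#   diff_subdomains scans/2022-09-15.txt scans/2022-09-16.txt

# Stand-alone demo with constructed data:
d=$(mktemp -d)
printf '[DNS]\twww.example.com 93.184.216.34\nmail.example.com 93.184.216.35\nold.example.com\n' > "$d/old.txt"
printf 'www.example.com\nMAIL.example.com\nnew.example.com\n' > "$d/new.txt"
diff_subdomains "$d/old.txt" "$d/new.txt"
# +new.example.com
# -old.example.com
```

A "-name" line is the interesting one for the question above: the name is gone from DNS, so check whether the host behind its old IP still answers.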


Amass Viz


Amass viz (visualization) visualizes the findings so that correlations are easier to recognize. A tool that does this well is Maltego (maltego.com).

without own db:

amass viz -d3 -d example.com


with own db:

amass viz -d3 -dir /home/USERNAME/FOLDER/ -d example.com

Naming your own output file is not possible; -o for viz takes a directory, not a file name, which is why a file path always led to errors for me. Without -o the file is saved in the directory you are in when you run the command. For example, if you are in the home directory, amass.html ends up in the home directory.


Maltego Export


We can also have the results prepared so that they can be imported into Maltego.

amass viz -maltego -dir /home/USERNAME/FOLDER/ -d example.com -o /home/USERNAME/FOLDER/


A .csv file is created, and this can be imported into Maltego via Import | Export - Import a 3rd Party Table.

If you zoom in, you can see the IPs and much more.

I tested the Community Edition here - worked wonderfully.


Own config

Amass comes with a sample configuration. If you want to automate amass in any way or improve your output, create your own.

Under amass/examples/ in the repository you will find config.ini. Here you can enter the path of your own wordlist, your resolvers, API keys and more. Amass reads ~/.config/amass/config.ini by default; any other location can be passed with -config.
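Because the config holds API keys, it is worth generating it from a script rather than pasting secrets around. The following is an added example, not part of the original post or the Amass project; it writes the wordlist, resolvers (the DNS tip from the enum section) and an optional Shodan key. The section and key names follow my recollection of the v3 examples/config.ini and should be checked against the copy shipped with your version; the key, paths and resolver addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the post or the Amass project): generate a personal
# amass config.ini from a few variables. Section/key names are assumed from
# the v3 examples/config.ini ([bruteforce], [resolvers],
# [data_sources.<name>.Credentials]); verify them against your copy.

# Usage: write_amass_config DEST WORDLIST [RESOLVER ...]
# The Shodan key is taken from $SHODAN_API_KEY so it never sits in the script
# or in shell history; the key lines are only written when the variable is set.
write_amass_config() (
    dest=$1; wordlist=$2; shift 2
    umask 077                            # file may hold API keys: owner-only (0600)
    mkdir -p "$(dirname "$dest")"
    {
        printf '[bruteforce]\nenabled = true\nwordlist_file = %s\n\n' "$wordlist"
        printf '[resolvers]\n'
        for r in "$@"; do
            printf 'resolver = %s\n' "$r"
        done
        if [ -n "${SHODAN_API_KEY:-}" ]; then
            printf '\n[data_sources.Shodan]\n[data_sources.Shodan.Credentials]\napikey = %s\n' "$SHODAN_API_KEY"
        fi
    } > "$dest"
)

# Then: amass enum -config ~/.config/amass/config.ini -d example.com -brute
# (or drop -config if you wrote it to the default path).

# Stand-alone demo on a temporary path with constructed values (not a real key):
demo=$(mktemp -d)/config.ini
( export SHODAN_API_KEY=example-key-not-real
  write_amass_config "$demo" /home/USERNAME/wordlist/wordlist.txt 1.1.1.1 9.9.9.9 )
cat "$demo"
```

Keep the real key out of the repository or notes you share; the environment variable can come from a password manager or a file readable only by you.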


Project Amass is more than just subdomain enumeration, so it is worth taking a closer look at the tool. If you want to support the project, just do it.

See you in the next part.