🔒SecurityRepoIndex

Amass

OWASP\'s attack-surface mapping tool — passive, active and brute-force enumeration of an organization\'s external footprint

4.4/ 514,823 GitHub starsGoApache-2.0

⚡ TL;DR

What
OWASP\'s attack-surface mapping tool — passive, active and brute-force enumeration of an organization\'s external footprint
Who
Recon engineers, Bug bounty hunters, Red teams, Attack-surface management teams
Catch
Verbose and intense — output needs consolidation
Verdict
⭐⭐⭐⭐ Essential

🎯 The Problem It Solves

Before you test, you need to know what exists: subdomains, related domains, ASNs, netblocks. Amass pulls that picture together from passive sources (OSINT), active DNS, and brute-forcing — so your scope actually reflects reality instead of the three hosts the client remembered to tell you about.

🔧 How It Works

Amass runs in modes: \'intel\' (map an org to netblocks/ASNs), \'enum\' (passive + active DNS, cert transparency, scraping) and \'brute\' (subdomain guessing). It correlates everything into a graph (optionally Neo4j) and can track changes over time. API keys (for passive sources like VirusTotal, SecurityTrails, etc.) dramatically improve coverage.

🚀 Installation & Quick Start

Installation

go install -v github.com/owasp-amass/...@latest

Quick Start

  1. Install: go install -v github.com/owasp-amass/amass/v4/...@latest
  2. Passive only: amass enum -passive -d example.com
  3. Full enum: amass enum -d example.com -o out.txt
  4. Brute-force subdomains: amass enum -brute -d example.com
  5. Visualize: amass db -show (or pipe to Neo4j with -neo4j)

✅ Pros

  • The most thorough open-source external attack-surface mapper
  • Multiple techniques mean you catch what one method misses
  • Graph/Neo4j view is excellent for presenting scope to clients
  • Free and OWASP-backed

❌ Cons

  • Verbose and intense — output needs consolidation
  • Best coverage requires API keys you may not have
  • Neo4j graph mode is another moving part to stand up
  • Brute-force mode is loud and easy to detect

💬 Practitioner Verdict

"Amass is the recon workhorse for mapping an external footprint properly. It\'s louder and more involved than a quick subfinder pass, but the depth — especially the graph and the intel mapping — is worth it when scope accuracy matters. Get API keys before you rely on it."
Emmanuel, Security Reviewer

📊 Specifications

Language
Go
License
Apache-2.0
Platform
Linux, macOS, Windows
Kill Chain
Reconnaissance
MITRE ATT&CK
T1590, T1595, T1592

💰 Pricing Reality

Free and open source (Apache-2.0). No paid tier for the tool itself; you supply your own API keys for third-party passive sources.

👥 Community Health

Stars14,823
Forks2,147
Contributors200
Health Score8/10

🏷️ Tags

Open SourceFreeNetwork Analysis

🔗 Similar Tools