Amass
OWASP\'s attack-surface mapping tool — passive, active and brute-force enumeration of an organization\'s external footprint
⚡ TL;DR
🎯 The Problem It Solves
Before you test, you need to know what exists: subdomains, related domains, ASNs, netblocks. Amass pulls that picture together from passive sources (OSINT), active DNS, and brute-forcing — so your scope actually reflects reality instead of the three hosts the client remembered to tell you about.
🔧 How It Works
Amass runs in modes: \'intel\' (map an org to netblocks/ASNs), \'enum\' (passive + active DNS, cert transparency, scraping) and \'brute\' (subdomain guessing). It correlates everything into a graph (optionally Neo4j) and can track changes over time. API keys (for passive sources like VirusTotal, SecurityTrails, etc.) dramatically improve coverage.
🚀 Installation & Quick Start
Installation
go install -v github.com/owasp-amass/...@latestQuick Start
- Install: go install -v github.com/owasp-amass/amass/v4/...@latest
- Passive only: amass enum -passive -d example.com
- Full enum: amass enum -d example.com -o out.txt
- Brute-force subdomains: amass enum -brute -d example.com
- Visualize: amass db -show (or pipe to Neo4j with -neo4j)
✅ Pros
- •The most thorough open-source external attack-surface mapper
- •Multiple techniques mean you catch what one method misses
- •Graph/Neo4j view is excellent for presenting scope to clients
- •Free and OWASP-backed
❌ Cons
- •Verbose and intense — output needs consolidation
- •Best coverage requires API keys you may not have
- •Neo4j graph mode is another moving part to stand up
- •Brute-force mode is loud and easy to detect
💬 Practitioner Verdict
"Amass is the recon workhorse for mapping an external footprint properly. It\'s louder and more involved than a quick subfinder pass, but the depth — especially the graph and the intel mapping — is worth it when scope accuracy matters. Get API keys before you rely on it."
📊 Specifications
- Language
- Go
- License
- Apache-2.0
- Platform
- Linux, macOS, Windows
- Kill Chain
- Reconnaissance
- MITRE ATT&CK
- T1590, T1595, T1592
💰 Pricing Reality
Free and open source (Apache-2.0). No paid tier for the tool itself; you supply your own API keys for third-party passive sources.