Amass — Install, Use, Optimise (2026)

Manish Garg · Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

OWASP's reference subdomain discovery and asset mapping tool — passive + active reconnaissance in one binary.

Use case: Reconnaissance
Difficulty: Intermediate
Homepage: https://github.com/owasp-amass/amass

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Go install

go install -v github.com/owasp-amass/amass/v4/...@master

Snap

sudo snap install amass

Docker

docker run -v ~/.config/amass:/.config/amass caffix/amass

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Passive enumeration (no active probing)

amass enum -passive -d target.com -o subs.txt

Active enumeration with brute force

amass enum -active -brute -d target.com -o subs.txt

Track changes over time

amass track -d target.com

Visualise relationships

amass viz -d3 -d target.com

Use API keys (Shodan, VirusTotal, etc.)

amass enum -d target.com -config ~/.config/amass/config.yaml

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Passive mode (~80+ data sources) is the default and sends no packets to the target. Use this for reconnaissance under stealth scoping.
  • Active mode adds DNS brute force, zone transfer attempts, and resolver checks — significantly slower but yields 30-50% more subdomains.
  • -rf resolvers.txt with a curated list of fast public resolvers (1.1.1.1, 8.8.8.8, etc.) speeds up active mode 3×.
  • API keys for Shodan, Censys, GitHub, VirusTotal in config.yaml unlock 5-10× more data sources. Free tiers are usually enough.
  • -timeout 30 overrides the default 10-min cap on long enumerations.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Active brute force generates massive DNS query volume; your home ISP's resolver may rate-limit or silently drop you mid-scan.
  • Default resolvers are public and therefore rate-limited. Build a private resolver list for serious work.
  • amass viz requires Maltego or Cytoscape to be useful. Often easier to pipe to dnsx for resolution and skip viz.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • subfinder (ProjectDiscovery) — faster, simpler, JSON-first.
  • assetfinder — Go, single-purpose, very fast.
  • findomain — Rust-based, also fast.

India context and engagement notes

For DPDP scoping: Amass + subfinder + dnsx is the standard recipe for “what subdomains do we expose?” Run it monthly and diff against your asset inventory — shadow IT shows up as new subdomains.
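An added example (not code from the original post) of that monthly check: a passive enumeration is written to a dated file, hostnames are normalised, and anything absent from the approved inventory is reported. The inventory format (one hostname per line), the output path, and the fact that the inventory covers only the one apex domain are assumptions.

```bash
#!/usr/bin/env bash
# Monthly external attack-surface check (example, not part of the Amass project).
# Reports subdomains seen by Amass that are missing from the asset inventory.
set -eu
export LC_ALL=C   # byte-order collation so sort(1) and comm(1) agree

# Extract hostnames under the apex domain from any text file (inventory or
# Amass output, whatever its line format), lowercase them, sort uniquely.
# $1 = file, $2 = apex domain (e.g. example.com)
normalise_hosts() {
    apex=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -oiE "([a-z0-9_-]+\.)+${apex}" "$1" | tr 'A-Z' 'a-z' | sort -u || true
}

# Print hostnames present in the current enumeration but not in the inventory.
# comm -13 suppresses lines unique to the inventory and lines common to both.
# $1 = inventory file, $2 = current enumeration file, $3 = apex domain
new_subdomains() {
    tmp=$(mktemp -d)
    normalise_hosts "$1" "$3" > "$tmp/inv"
    normalise_hosts "$2" "$3" > "$tmp/cur"
    comm -13 "$tmp/inv" "$tmp/cur"
    rm -rf "$tmp"
}

# Passive enumeration (no packets to the target) into a dated file, then diff.
# $1 = apex domain, $2 = inventory file. Assumed output path: subs-YYYY-MM-DD.txt
run_monthly_check() {
    today=$(date +%F)
    amass enum -passive -d "$1" -o "subs-${today}.txt"
    new_subdomains "$2" "subs-${today}.txt" "$1"
}
```

Anything printed by `run_monthly_check` is a candidate for shadow IT and belongs in the inventory or a ticket; the apex domain itself is deliberately not reported.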


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
