Amass
Amass is a tool for in-depth DNS enumeration and network mapping to help information security professionals discover attack surfaces and external assets. It uses open source information gathering and active reconnaissance techniques.
Description
Amass assists information security professionals in performing network mapping of attack surfaces and external asset discovery. It leverages various open source intelligence sources and active techniques to identify subdomains, certificates, and other network assets associated with a target.
Use cases include comprehensive reconnaissance during penetration testing, mapping organizational attack surfaces, and identifying hidden or forgotten internet-facing assets. The tool supports both passive data collection from numerous APIs and web archives and, when explicitly requested, active DNS operations such as brute forcing and zone transfers.
It integrates multiple data sources such as search engines, certificate transparency logs, and threat intelligence APIs to build a complete picture of a target's digital footprint.
How It Works
Amass performs DNS enumeration using basic enumeration, brute forcing (upon request), reverse DNS sweeping, subdomain alterations/permutations, and zone transfers (upon request). It scrapes data from search engines like Google, Bing, and specialized sites like DNSDumpster and Netcraft. Certificate data is pulled from sources like Censys, Crtsh, and GoogleCT, with active pulls available on request. APIs from providers like Shodan, VirusTotal, and SecurityTrails are queried for additional intelligence. Web archives such as Wayback and ArchiveIt are utilized for historical data. These techniques populate an OAM database for analysis via subcommands like enum, subs, and viz.
Installation
sudo apt install amass
Flags
amass -h
Examples
amass enum [options]
amass subs [options]
amass engine [options]
amass viz [options]
amass track [options]
amass assoc [options]