Table of Contents
  • Home
  • /
  • Blog
  • /
  • Amass: Open-Source Reconnaissance Tool for Network Mapping and Information Gathering
January 18, 2024

Amass: Open-Source Reconnaissance Tool for Network Mapping and Information Gathering

Amass Open Source Reconnaissance Tool For Network Mapping And Information Gathering

Whether you’re a bounty hunter seeking vulnerabilities or an individual looking to enhance your organization’s security posture, ‘Amass’ stands out as a go-to open-source reconnaissance tool. Its appealing features and user-friendly interface make it an invaluable resource for efficiently exploring and understanding the attack surface of your target. In today’s article, we’ll delve into what is Amass, covering its definition, the setup process, and an exploration of its features.

What is Reconnaissance?

Before we delve into the tool details, let’s cover a basic concept: reconnaissance. Simply put, it’s like gathering information or spying on a target. In the world of cybersecurity or hacking, reconnaissance means collecting data about a system, network, or organization to find weak points. This gathered intel can be used for planning and carrying out an attack or knowing more about your organization and improving before an attacker can make a move. It’s the initial step to figure out what you’re dealing with before making any moves.

What is Amass?

The OWASP Amass Project introduces a framework designed for information security professionals. This helps in network mapping of attack surfaces and external asset discovery through open-source intelligence gathering and reconnaissance techniques.

This comprehensive framework comprises an asset discovery collection engine, a storage database for findings, and the Open Asset Model, utilized by diverse tools that help improve the understanding of the attack surface.

Amass helps to map out the external network space and discover assets affiliated with a target organization. This involves systematically identifying and cataloging the various components, devices, and resources connected to the organization’s external network. By doing so, security experts gain a comprehensive understanding of the attack surface, which includes all points vulnerable to potential security threats. This proactive approach allows organizations to strengthen their cybersecurity measures by addressing identified vulnerabilities and securing their assets effectively.

Features of Amass

Amass adopts a modular methodology that involves the systematic gathering of intelligence, mapping the target, visualizing the obtained results, tracking any alterations over time, and efficiently managing the collected data within a structured database. Some of its features are:

  • DNS Enumeration: Amass utilizes DNS queries to fetch information from servers, revealing details about the target’s domain name system.

  • Search Engine Data Scraping: The tool navigates through search engines, extracting pertinent data about the target’s online presence, encompassing websites, social media profiles, and various online platforms.

  • Web Page Crawling: Amass systematically scans the target’s web pages, actively seeking out potential vulnerabilities and attack vectors, particularly in web applications.

  • Reverse IP Investigations: Employing reverse IP lookups, the tool investigates domains sharing the same IP address as the target, uncovering additional potential attack routes.

Amass organizes its capabilities into distinct subcommands, each serving a specific purpose within the tool’s functionality. Let’s break down these subcommands:

  • Intel Subcommand: Gathers target intelligence, understanding its digital presence, potential vulnerabilities, and attack initiation points to guide attack planning.

  • Enum Module: Systematically lists and maps the target, identifying potential attack points or vulnerabilities, akin to creating a map of digital infrastructure.

  • Viz Subcommand: Visualizes results in a graphical format after collecting and enumerating data, aiding effective analysis and interpretation.

  • Track Subcommand: Facilitates tracking and comparison across different enumerations, identifying changes in the attack surface over time to stay updated on security risks.

  • DB Subcommand: Likely associated with Amass’s database functionality, crucial for storing and managing gathered information in a structured manner for efficient utilization during reconnaissance.

How to Set Up the Amass Tool?

The tool is versatile, supporting various software platforms and even different hardware architectures. This means you could set it up on a small but powerful ARM board, like a Raspberry Pi, or even on a mobile phone.

 This can be also achieved by simply installing the package provided in GitHub.

Step 1: Access the GitHub page with all zip files here.

Step 2: Download the appropriate zip file.

Step 3: To perform this verification, save the file named “amass_checksums.txt.” This file contains hash checksums for the required binaries, allowing you to confirm the authenticity of the operating system binaries you’ve downloaded. Make sure on the version downloaded.

Step 4: Extract the file in the desired location and execute the executable file.

This tool is by default installed in the Kali Linux machine.

Exploring Amass features

We will explore a bit on the intel sub-command.

  • To find IP addresses linked to a domain name, use the command:

amass intel -ip -d
  • For discovering domain names associated with a particular IP address, execute:

amass intel -whois -addr <target IP>

We can use The “-demo” flag in the intel subcommands to enable obfuscated output, allowing for discreet presentations without disclosing detailed information about targets. This will substitute Top-Level Domains (TLDs) and Country Code Top-Level Domains (ccTLDs) with ‘x’ characters.

Enum Sub-Command

Enum stands for enumeration, enumeration involves collecting details about a system or network, such as usernames, IP addresses, open ports, and other information. This process aims to pinpoint potential security vulnerabilities that attackers could exploit.

  • For passive DNS enumeration on a target domain(, use:

amass enum -passive -norecursive -noalts -d -o sub-list.txt
  • active DNS enumeration on a target domain(, use:

amass enum -active -d -o sub-list.txt


In essence, the Amass tool stands out as a potent and adaptable choice for network reconnaissance and information-gathering purposes. Whether you are engaged in offensive security operations, seeking potential vulnerabilities, or working on defensive security strategies to safeguard a network, Amass proves invaluable. Its capabilities offer valuable insights into the target network’s structure, helping security professionals comprehend its topology and identify potential weaknesses, thereby enhancing overall security measures. Whether utilized for offensive or defensive purposes, Amass serves as a valuable asset in the toolkit of cybersecurity professionals aiming to understand and fortify network resilience. I hope this article helped in learn more about what is Amass, covering its definition, the setup process, and an exploration of its features.

We hope this post served as a good source of information to know Reconnaissance Tool for Network Mapping and Information Gathering. Visit our website,, and social media pages on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription