Guide to Amass: How to Use Amass More Effectively for Domain Analysis

XM1945
Sep 12, 2020

Amass has a lot of features. It's a bit of a weird tool because, despite being synonymous with bug bounty recon and despite being extremely well known, most people don't know how to use it to its full advantage.

Amass is backed by OWASP, which should provide prestige and confidence in the results. It is actively maintained and will likely be supported for a long time, meaning any future bugs will be resolved. Additionally, the adoption rate of Amass is high, which potentially means better data consistency and integration with other tools.

Amass supports 55 sources, such as APIs and websites, at the time of writing as part of its subdomain discovery and information gathering techniques. These can be listed using the following command:

amass enum -list

AlienVault,ArchiveIt,ArchiveToday,Arquivo,Ask,Baidu,BinaryEdge,Bing,BufferOver,Censys,CertSpotter,CIRCL,CommonCrawl,Crtsh,[…]

Most of these API keys are free, but many only return limited results unless you have a paid API key. A free one is still better than none. So now you have your work cut out for you. For each of the services above you will need to find the website, then sign up and get an API key.

Amass comes with 5 subcommands, in other words functions:

  • amass intel — Discover targets for enumerations
  • amass enum — Perform enumerations and network mapping
  • amass viz — Visualize enumeration results
  • amass track — Track differences between enumerations
  • amass db — Manipulate the Amass graph database

You can see the full user guide here: https://github.com/OWASP/Amass/blob/master/doc/user_guide.md

Install

I'm using Kali Linux, where it is easy to install:

sudo apt update

sudo apt install amass

See the install guide for other operating systems: https://github.com/OWASP/Amass/blob/master/doc/install.md

Show the help page with the command amass -h:

amass -h

The Configuration File

You will need a config file to use your API keys with Amass. See the Example Configuration File for more details:

https://github.com/OWASP/Amass/blob/master/examples/config.ini

Amass automatically tries to discover the configuration file in the following locations:

  • Linux / Unix: $XDG_CONFIG_HOME/amass/config.ini or $HOME/.config/amass/config.ini
  • Windows: %AppData%\amass\config.ini
  • OSX: $HOME/Library/Application Support/amass/config.ini

These are good places for you to put your configuration file.

Note that these locations are based on the output directory. If you use the -dir flag, the location where Amass will try to discover the configuration file will change. For example, if you pass in -dir ./my-out-dir, Amass will try to discover a configuration file in ./my-out-dir/config.ini.
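The Linux / Unix lookup rules above, as an added example (not from the original post or the Amass project): a shell helper that prints the config.ini path Amass is expected to probe and flags a key-bearing file that group or other users can access. It assumes $XDG_CONFIG_HOME takes precedence over $HOME/.config when it is set; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; not part of Amass. Covers the Linux / Unix rules only.
# Usage: check_amass_config            (default locations)
#        check_amass_config ./my-out-dir   (same directory passed to -dir)

# Print the config.ini path that would be probed.
# $1 (optional): the output directory given to amass via -dir.
amass_config_path() {
    if [ -n "${1:-}" ]; then
        # -dir moves the lookup into the output directory
        printf '%s/config.ini\n' "${1%/}"
    elif [ -n "${XDG_CONFIG_HOME:-}" ]; then
        # Assumption: XDG_CONFIG_HOME wins over $HOME/.config when set
        printf '%s/amass/config.ini\n' "${XDG_CONFIG_HOME%/}"
    else
        printf '%s/.config/amass/config.ini\n' "${HOME%/}"
    fi
}

# Return 0 if the file exists and only its owner has access,
# 1 if it is missing, 2 if group/other permission bits are set.
check_amass_config() {
    amass_cfg=$(amass_config_path "${1:-}")
    if [ ! -f "$amass_cfg" ]; then
        echo "missing: $amass_cfg" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits,
    # e.g. "-rw-r--r--" yields "r--r--".
    amass_perms=$(ls -ld "$amass_cfg" | cut -c5-10)
    if [ "$amass_perms" != "------" ]; then
        echo "too open ($amass_perms): $amass_cfg, run: chmod 600 \"$amass_cfg\"" >&2
        return 2
    fi
    echo "ok: $amass_cfg"
    return 0
}
```

A return code of 2 means the API keys in the file are exposed to other local accounts until the permissions are tightened.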

I will use VirusTotal and AlienVault API keys for analysis.

  • VirusTotal
  • AlienVault

The Amass GitHub repository: https://github.com/OWASP/Amass

Conclusion

I hope that this article has taught you something new. If you enjoyed it — the best way that you can support me is to share it!
