Ultimate Amass Cheat Sheet
In-depth DNS enumeration and network mapping using open source intelligence.
1. Enumeration (Enum)
The core subcommand for finding subdomains and mapping the network.
Passive Mode (Safe)
Uses only data sources (APIs). No direct traffic is sent to the target.
Active Mode (Standard)
Attempts to resolve the names found, validates IPs, and performs certificate scraping.
Brute Force
Guess subdomains using a wordlist.
IP/CIDR Enumeration
Find domains hosted on specific IP ranges.
2. Intelligence (Intel)
Discover broader information about the target organization (ASNs, CIDRs).
Reverse Whois
Find root domains associated with an organization name.
ASN Lookup
Find domains hosted within a specific Autonomous System Number.
Reverse IP
Find domains hosted on an IP address.
3. Database Management (DB)
Amass stores all findings in a graph database. You can query this data later without rescanning.
List Findings
Show all subdomains found for a specific domain in the DB.
Show IPs
Show domains and their IP addresses.
Clean Database
Delete findings for a specific domain.
4. Visualization (Viz)
Generate graph files to visualize the network structure in other tools.
Maltego
Generate a CSV file importable into Maltego.
D3 Force Graph
Create an interactive HTML file.
GEXF (Gephi)
Generate a file for Gephi Graphviz.
5. Tracking & Configuration
Tracking Changes
Compare the last scan with the current one to see new/removed subdomains.
Using Config File (API Keys)
Amass is much more powerful with API keys (Shodan, Censys, SecurityTrails). Add them to `config.ini`.
Common Flags
-v: Verbose (debug info).
-ip: Show IP addresses in output.
-src: Show data source (e.g., [VirusTotal]).
-o [file]: Output to text file.
-json [file]: Output to JSON file.
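The "Tracking Changes" and "-json" items above describe comparing one scan against the next and working with Amass's JSON output. The following script is an added example, not part of the Amass project or this cheat sheet: it parses two scans in the one-JSON-object-per-line layout that `amass enum -json` writes (field names `name`, `domain`, `addresses[].ip`, `addresses[].asn`, `tag`, `sources` are assumed from that format), reports subdomains that appeared, disappeared or changed IPs, and flags names resolving into an ASN outside the organisation's known set. The two scans are constructed sample data, and a malformed line is included to show that log noise in the file is skipped rather than aborting the comparison.

```python
"""Diff two Amass JSON scans to list new, removed and re-addressed subdomains.

Added example, not Amass's own code. It assumes the one-object-per-line layout of
`amass enum -json` output; both "scans" below are constructed sample data.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed sample: the previous scan, one JSON object per line.
PREVIOUS_SCAN = """\
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"192.0.2.10","cidr":"192.0.2.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"cert","sources":["Crtsh"]}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"192.0.2.25","cidr":"192.0.2.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"dns","sources":["DNS"]}
{"name":"old.example.com","domain":"example.com","addresses":[],"tag":"api","sources":["VirusTotal"]}
"""

# Constructed sample: the current scan. old.example.com is gone, dev.example.com is new,
# and one line of non-JSON noise is mixed in on purpose.
CURRENT_SCAN = """\
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"192.0.2.10","cidr":"192.0.2.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"cert","sources":["Crtsh"]}
{"name":"mail.example.com","domain":"example.com","addresses":[{"ip":"192.0.2.25","cidr":"192.0.2.0/24","asn":64496,"desc":"EXAMPLE-AS"}],"tag":"dns","sources":["DNS"]}
{"name":"dev.example.com","domain":"example.com","addresses":[{"ip":"198.51.100.7","cidr":"198.51.100.0/24","asn":64497,"desc":"OTHER-AS"}],"tag":"brute","sources":["Brute Forcing"]}
not json at all
"""


def parse_scan(lines: Iterable[str]) -> Dict[str, dict]:
    """Map each subdomain name to its record, skipping blank or malformed lines."""
    records: Dict[str, dict] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate stray log output mixed into the file
        name = obj.get("name")
        if isinstance(name, str) and name:
            # normalise case and a trailing dot so the same host compares equal
            records[name.lower().rstrip(".")] = obj
    return records


def ips_of(record: dict) -> Set[str]:
    """The set of IP addresses Amass attached to one record (may be empty)."""
    return {a.get("ip") for a in record.get("addresses", []) if a.get("ip")}


def diff_scans(previous: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Sorted lists of names added, removed, and whose IP set changed between scans."""
    prev_names, cur_names = set(previous), set(current)
    ip_changed = [
        n for n in sorted(prev_names & cur_names)
        if ips_of(previous[n]) != ips_of(current[n])
    ]
    return {
        "added": sorted(cur_names - prev_names),
        "removed": sorted(prev_names - cur_names),
        "ip_changed": ip_changed,
    }


def outside_asns(records: Dict[str, dict], expected_asns: Set[int]) -> List[str]:
    """Names with at least one address in an ASN outside the organisation's known set.

    Useful as a review queue: a subdomain that suddenly resolves into a third-party
    network is worth checking for a dangling record or an unexpected hosting change.
    """
    flagged = []
    for name, rec in sorted(records.items()):
        asns = {a.get("asn") for a in rec.get("addresses", []) if a.get("asn") is not None}
        if asns - expected_asns:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    prev = parse_scan(PREVIOUS_SCAN.splitlines())
    cur = parse_scan(CURRENT_SCAN.splitlines())
    changes = diff_scans(prev, cur)
    for kind in ("added", "removed", "ip_changed"):
        for name in changes[kind]:
            print(f"{kind:10s} {name}")
    for name in outside_asns(cur, {64496}):
        print(f"asn-review {name}")
```

To use it on real output, run two enumerations with `-json prev.json` and `-json cur.json`, load each file with `parse_scan(open(path))` in place of the constructed samples, and put the organisation's own ASNs in the `expected_asns` set.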