OWASP Amass

The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.

Information Gathering Techniques Used:

• DNS: Basic enumeration, Brute forcing (upon request), Reverse DNS sweeping, Subdomain name alterations/permutations, Zone transfers (upon request)
• Scraping: Ask, Baidu, Bing, CommonCrawl, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, HackerOne, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ViewDNS, Yahoo
• Certificates: Active pulls (upon request), Censys, CertDB, CertSpotter, Crtsh, Entrust
• APIs: AlienVault, BinaryEdge, BufferOver, CIRCL, DNSDB, HackerTarget, Mnemonic, NetworksDB, PassiveTotal, RADb, Robtex, SecurityTrails, ShadowServer, Shodan, Sublist3rAPI, TeamCymru, ThreatCrowd, Twitter, Umbrella, URLScan, VirusTotal
• Web Archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback

Documentation

Use the Installation Guide to get started.

Go to the User's Guide for additional information.

Community

Join our Discord server:

Project Leader

• OWASP: Caffix
• GitHub: @caffix

Contributors

This project improves thanks to all the people who contribute:

Mentions

• Subdomain Enumeration: 2019 Workflow
• REMOTE CODE EXECUTION ! 😜 Recon Wins
• Where You’ll Find Us: An Overview of SecurityTrails Integrations
• Web tools, or where to start a pentester?
• Tool for detailed DNS enumeration and creation of network infrastructure maps
• Top 7 Subdomain Scanner Tools: Find Subdomains in Seconds
• Cyber Talent Gap: How to Do More With Less
• My Recon Process — DNS Enumeration
• Week in OSINT #2019–16: From OSINT for pentesting, to OCR and OWASP
• Stop Using Python for Subdomain Enumeration
• My Personal OSINT Techniques, Part 1 of 2: Key & Layer, Contingency Seeding
• Subdomain Enumeration Tools – 2019 Update
• Leaked Salesforce API access token at IDEA.com
• Week in OSINT #2019–11: This time a collection of mostly tools and sites
• Bug Hunting Methodology (part-1)
• 100 ways to discover (part 1)
• Pose a Threat: How Perceptual Analysis Helps Bug Hunters
• A penetration tester’s guide to subdomain enumeration
• Abusing access control on a large online e-commerce site to register as supplier
• Black Hat Training, Making the Cloud Rain Shells!: Discovery and Recon
• Subdomains Enumeration Cheat Sheet
• Search subdomains and build graphs of network structure with Amass
• Getting started in Bug Bounty
• Source code disclosure via exposed .git folder
• Amass, the best application to search for subdomains
• Subdomain Takeover: Finding Candidates
• Paul's Security Weekly #564: Technical Segment - Bug Bounty Hunting
• The Bug Hunters Methodology v3(ish)
• Doing Recon the Correct Way
• Discovering subdomains
• Asset Discovery: Doing Reconnaissance the Hard Way
• Project Sonar: An Underrated Source of Internet-wide Data
• Top Five Ways the Red Team breached the External Perimeter

Stargazers over Time