The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.

Information Gathering Techniques Used:

• DNS: Basic enumeration, Brute forcing (optional), Reverse DNS sweeping, Subdomain name alterations/permutations, Zone transfers (optional)
• Scraping: Ask, Baidu, Bing, DNSDumpster, DNSTable, Dogpile, Exalead, Google, HackerOne, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ViewDNS, Yahoo
• Certificates: Active pulls (optional), Censys, CertSpotter, Crtsh, Entrust, GoogleCT
• APIs: AlienVault, BinaryEdge, BufferOver, CIRCL, CommonCrawl, DNSDB, GitHub, HackerTarget, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, Robtex, SecurityTrails, ShadowServer, Shodan, Spyse (CertDB & FindSubdomains), Sublist3rAPI, TeamCymru, ThreatCrowd, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML
• Web Archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback

Use the Installation Guide to get started.

Go to the User's Guide for additional information.

• OWASP: Caffix
• GitHub: @caffix

This project improves thanks to all the people who contribute:

• Find Subdomain Takeover with Amass + SubJack
• OWASP Amass OSINT Reconnaissance
• Top Linux Distros for Ethical Hacking and Penetration Testing
• 5 Subdomain Takeover #ProTips
• Red Team Methodology - A Naked Look
• Asset Enumeration: Expanding a Target's Attack Surface
• Das Sicherheitswerkzeug Kali Linux steht in der Version 2019.3 bereit
• Commando VM 2.0: Customization, Containers, and Kali, Oh My!
• 8 Free Tools to Be Showcased at Black Hat and DEF CON
• amass — Automated Attack Surface Mapping
• Aquatone — A Tool for Domain Flyovers
• Collaborating with the Crowd – Recapping LevelUp 0X04
• Subdomain Enumeration: 2019 Workflow
• REMOTE CODE EXECUTION ! 😜 Recon Wins
• Security assessment on staging domains
• Where You’ll Find Us: An Overview of SecurityTrails Integrations
• Web tools, or where to start a pentester?
• Tool for detailed DNS enumeration and creation of network infrastructure maps
• Top 7 Subdomain Scanner Tools: Find Subdomains in Seconds
• Cyber Talent Gap: How to Do More With Less
• My Recon Process — DNS Enumeration
• Week in OSINT #2019–16: From OSINT for pentesting, to OCR and OWASP
• Stop Using Python for Subdomain Enumeration
• My Personal OSINT Techniques, Part 1 of 2: Key & Layer, Contingency Seeding
• Subdomain Enumeration Tools – 2019 Update
• Leaked Salesforce API access token at IDEA.com
• Week in OSINT #2019–11: This time a collection of mostly tools and sites
• Bug Hunting Methodology (part-1)
• 100 ways to discover (part 1)
• Pose a Threat: How Perceptual Analysis Helps Bug Hunters
• A penetration tester’s guide to subdomain enumeration
• Abusing access control on a large online e-commerce site to register as supplier
• Black Hat Training, Making the Cloud Rain Shells!: Discovery and Recon
• Subdomains Enumeration Cheat Sheet
• Search subdomains and build graphs of network structure with Amass
• Getting started in Bug Bounty
• Source code disclosure via exposed .git folder
• Amass, the best application to search for subdomains
• Subdomain Takeover: Finding Candidates
• Paul's Security Weekly #564: Technical Segment - Bug Bounty Hunting
• The Bug Hunters Methodology v3(ish)
• Doing Recon the Correct Way
• Discovering subdomains
• Asset Discovery: Doing Reconnaissance the Hard Way
• Project Sonar: An Underrated Source of Internet-wide Data
• Top Five Ways the Red Team breached the External Perimeter