Amass

OWASP Amass is an open-source network-mapping and attack-surface discovery tool developed by the Open Web Application Security Project (OWASP). It is widely regarded as one of the most comprehensive tools for performing in-depth DNS enumeration and infrastructure mapping.

In the context of cybersecurity, Amass is used by security professionals, penetration testers, and bug bounty hunters to discover an organization's external assets. Its primary goal is to identify all subdomains, IP addresses, and underlying infrastructure associated with a target domain, effectively creating a complete map of the organization's digital footprint.

Unlike simple subdomain scrapers, Amass uses a variety of methods—including scraping, certificate parsing, API integration, and active DNS querying—to find assets that other tools often miss.

Core Capabilities of Amass

Amass is designed to provide greater visibility into a target network than standard reconnaissance tools.

  • DNS Enumeration: This is the core function of Amass. It uses brute-force techniques and recursive DNS queries to validate the existence of subdomains.

  • Open Source Intelligence (OSINT) Gathering: Amass aggregates data from dozens of public sources, including search engines, SSL/TLS certificate transparency logs, and web archives (like the Wayback Machine), to find historical and current asset data.

  • API Integration: The tool connects to numerous third-party security APIs (such as SecurityTrails, VirusTotal, and Censys) to pull rich datasets about the target's infrastructure.

  • Visualizations: Amass can export its findings to graph visualization and graph database tools (like Maltego or Neo4j), allowing analysts to visually map the relationships between domains, IP addresses, and netblocks.

  • ASN Mapping: It identifies the Autonomous System Numbers (ASNs) and netblocks associated with an organization, helping to define the full scope of the network range.

How Amass Performs Reconnaissance

Amass utilizes two primary modes of operation to gather intelligence.

Passive Reconnaissance

In passive mode, Amass collects information without directly interacting with the target's servers. It relies entirely on public databases, search engines, and third-party APIs. This method is stealthy and does not alert the target's intrusion detection systems (IDS). It is ideal for the initial phase of an audit where stealth is required.

Active Reconnaissance

In active mode, Amass directly queries the target's name servers and attempts to resolve domain names. It performs:

  • DNS Brute Forcing: Guessing subdomain names using a wordlist.

  • Zone Transfers: Attempting to download the entire DNS zone file (though this is rarely successful on modern secure networks).

  • Recursive DNS Querying: Querying specific nameservers to validate findings.

Use Cases for Cybersecurity Professionals

Amass is a versatile tool used across different security disciplines.

  • Attack Surface Management (ASM): Organizations use Amass to continuously monitor their own perimeter to discover "Shadow IT"—assets that were deployed without the security team's knowledge.

  • Red Teaming: Attackers use it to find neglected subdomains that may be running vulnerable software or exposing sensitive administrative panels.

  • Bug Bounty Hunting: Researchers use Amass to find obscure assets that other hunters have missed, increasing their chances of finding a unique vulnerability.

Frequently Asked Questions About Amass

Is OWASP Amass free?

Yes, Amass is a free and open-source tool maintained by the OWASP Foundation. It is available for download on GitHub.

Does Amass replace Nmap?

No. Amass is a discovery tool used to find hostnames and IP addresses. Nmap is a scanning tool used to probe those specific IP addresses for open ports and services. They are typically used together: Amass finds the list of targets, and Nmap scans them.

What is the difference between Amass and Sublist3r?

Sublist3r is a lighter, Python-based tool that primarily relies on passive scraping. Amass is a heavier, Go-based tool that performs far more intensive active verification, brute-forcing, and graph mapping. Amass is generally considered more powerful but resource-intensive.

Does Amass require API keys?

While Amass works out of the box without keys, its effectiveness is significantly boosted by adding free or paid API keys for services like Shodan, Censys, and SecurityTrails. These keys allow it to query restricted databases for more results.

Is Amass difficult to use?

It has a steeper learning curve than simple command-line scrapers due to its extensive configuration options and flags. However, basic enumeration can be performed with simple one-line commands.

Integrating ThreatNG and OWASP Amass for Total Attack Surface Visibility

Combining ThreatNG’s strategic External Attack Surface Management (EASM) with the deep DNS enumeration capabilities of OWASP Amass creates a comprehensive reconnaissance framework. ThreatNG provides the high-level governance, risk scoring, and broad discovery, while Amass acts as a force multiplier by aggressively mapping the intricate details of the DNS infrastructure.

Together, they ensure that an organization’s digital inventory is not only complete but also assessed for security susceptibility and business risk.

Enhanced External Discovery

Amass is renowned for its ability to find subdomains through scraping and brute-forcing. ThreatNG complements this by providing the "seed" data and the broader context that Amass requires to be effective.

  • Seed Target Generation: ThreatNG’s purely external, unauthenticated discovery identifies the core business entities, subsidiaries, and root domains associated with an organization. This accurate "seed list" is fed into Amass, ensuring that its intensive enumeration scans are targeted correctly and do not miss entire business units.

  • Shadow IT Discovery: ThreatNG identifies "Shadow IT" assets such as forgotten cloud environments or legacy marketing microsites. Once ThreatNG flags a new root domain (e.g., campaign-2023.com), Amass can be deployed to map every single subdomain under that root, revealing the full extent of the shadow infrastructure.

External Assessment and Validation

Once Amass generates a map of subdomains, ThreatNG performs the critical security assessments to determine which subdomains represent a genuine risk.

Subdomain Takeover Susceptibility

  • Amass Role: Amass excels at finding obscure CNAME records and subdomains that are no longer resolving but still exist in DNS zones.

  • ThreatNG Assessment: ThreatNG takes the list of subdomains found by Amass and cross-references their CNAME records against its comprehensive Vendor List (including AWS, Heroku, and Azure). It validates whether the third-party resource the CNAME points to is unclaimed, effectively filtering the raw Amass data to highlight only the "Takeover Susceptibility" risks that could lead to reputation damage or phishing attacks.
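
The cross-reference described above, as an added example that is not code from the page, from ThreatNG, or from the Amass project: each (subdomain, CNAME target) pair is matched against a vendor suffix list, and a vendor target that no longer resolves is reported as dangling. The record format, the vendor suffix list, and the DNS answers are all constructed here so the check runs offline; in practice the `resolves` callable would wrap a real lookup.

```python
"""Flag dangling CNAMEs that point at third-party hosting vendors.

Added example, not part of the original page or of ThreatNG/Amass.
The record format, vendor list and DNS state below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Hypothetical vendor list: CNAME target suffixes for services where an
# abandoned resource name could later be registered by someone else.
VENDOR_SUFFIXES = {
    ".s3.amazonaws.com": "AWS S3",
    ".herokuapp.com": "Heroku",
    ".azurewebsites.net": "Azure App Service",
    ".cloudfront.net": "AWS CloudFront",
    ".github.io": "GitHub Pages",
}


@dataclass
class Finding:
    subdomain: str
    cname: str
    vendor: str
    dangling: bool


def vendor_for(target: str) -> Optional[str]:
    """Return the vendor name if the CNAME target ends with a known suffix."""
    t = target.rstrip(".").lower()
    for suffix, vendor in VENDOR_SUFFIXES.items():
        if t.endswith(suffix):
            return vendor
    return None


def assess_takeover(records: Iterable[Tuple[str, str]],
                    resolves: Callable[[str], bool]) -> List[Finding]:
    """records: (subdomain, cname_target) pairs, e.g. parsed from an
    enumeration run. `resolves` reports whether the CNAME target still has
    an answer; a vendor target with no answer is the dangling pattern that
    takeover-susceptibility checks look for."""
    findings = []
    for sub, cname in records:
        vendor = vendor_for(cname)
        if vendor is None:
            continue  # CNAME to a non-vendor host: not in scope for this check
        findings.append(Finding(sub, cname, vendor, dangling=not resolves(cname)))
    return findings


# Constructed sample: what an enumeration run might have reported.
SAMPLE_RECORDS = [
    ("www.example.com", "d111111abcdef8.cloudfront.net."),
    ("old-promo.example.com", "old-promo-site.herokuapp.com."),
    ("mail.example.com", "mx.example-hosting.net."),
    ("docs.example.com", "example-docs.github.io."),
]

# Constructed resolver state standing in for live DNS answers.
SAMPLE_DNS_STATE = {
    "d111111abcdef8.cloudfront.net": True,
    "old-promo-site.herokuapp.com": False,
    "mx.example-hosting.net": True,
    "example-docs.github.io": False,
}


def sample_resolver(name: str) -> bool:
    return SAMPLE_DNS_STATE.get(name.rstrip(".").lower(), False)


def susceptible_subdomains(records=SAMPLE_RECORDS, resolves=sample_resolver) -> List[str]:
    """Sorted list of subdomains whose vendor CNAME target no longer resolves."""
    return sorted(f.subdomain for f in assess_takeover(records, resolves) if f.dangling)


if __name__ == "__main__":
    for f in assess_takeover(SAMPLE_RECORDS, sample_resolver):
        status = "DANGLING - review" if f.dangling else "ok"
        print(f"{f.subdomain:24} -> {f.cname:34} [{f.vendor}] {status}")
```

A non-resolving vendor target is the signal, not proof: some providers answer with a fixed "no such resource" page rather than NXDOMAIN, so a production check tunes the liveness test per vendor and treats the output as a review queue for removing stale records.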

Web Application Hijack Susceptibility

  • Amass Role: Amass identifies the existence of a web server on a subdomain.

  • ThreatNG Assessment: ThreatNG interrogates the identified server to grade its resilience against hijacking. It checks for the presence of Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), and X-Frame-Options. A subdomain found by Amass is only "secure" if ThreatNG confirms these headers are present; otherwise, it is flagged as a high-risk entry point for Cross-Site Scripting (XSS) or Clickjacking.
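
A header grader of the kind described above, as an added example that is not ThreatNG's code or the page's. It goes one step beyond presence checks: a CSP that permits inline scripts, an HSTS max-age below six months, or a framing policy that is neither X-Frame-Options nor CSP frame-ancestors also costs the "secure" grade. The threshold and the two sample header sets are constructed.

```python
"""Grade a server's anti-hijack response headers (CSP, HSTS, X-Frame-Options).

Added example, not part of the page or of ThreatNG. The six-month
threshold and the sample header sets are constructed for illustration.
"""
from typing import Dict, List, Tuple

SIX_MONTHS = 15552000  # seconds; conventional minimum HSTS max-age


def grade_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (grade, issues). Grade is 'secure' only when all three
    controls are present and not weakened by their own directives."""
    h = {k.lower(): v for k, v in headers.items()}
    issues: List[str] = []

    # 1. CSP: present, and script-src (or default-src) must not allow inline scripts
    directives: Dict[str, List[str]] = {}
    csp = h.get("content-security-policy")
    if csp is None:
        issues.append("missing Content-Security-Policy")
    else:
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        script_sources = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            issues.append("CSP permits inline scripts ('unsafe-inline')")

    # 2. HSTS: present, with a max-age of at least six months
    hsts = h.get("strict-transport-security")
    if hsts is None:
        issues.append("missing Strict-Transport-Security")
    else:
        max_age = 0
        for part in hsts.split(";"):
            key, _, value = part.strip().partition("=")
            if key.lower() == "max-age" and value.strip().isdigit():
                max_age = int(value)
        if max_age < SIX_MONTHS:
            issues.append(f"HSTS max-age {max_age} is below {SIX_MONTHS}")

    # 3. Framing: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        issues.append("missing X-Frame-Options (and no CSP frame-ancestors)")

    return ("secure" if not issues else "high-risk"), issues


# Constructed sample: a hardened response and a weak one.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
WEAK = {
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        grade, issues = grade_headers(hdrs)
        print(f"{label}: {grade}")
        for issue in issues:
            print(f"  - {issue}")
```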

Investigation Modules Driving Deep Analysis

ThreatNG’s investigation modules provide the business context that raw DNS data lacks, allowing security teams to understand what Amass has found.

Domain Intelligence Investigation

  • Workflow: Amass discovers a cluster of subdomains (e.g., vpn.corp-us.com, vpn.corp-eu.com).

  • ThreatNG Context: The Domain Intelligence module analyzes the Whois data, registrar information, and expiration dates for these domains. It helps determine if these subdomains are managed by the central IT department or if they were registered by a rogue employee (Shadow IT), helping to categorize the Amass findings into "Authorized" vs. "Unauthorized" infrastructure.

Technology Stack Investigation

  • Workflow: Amass identifies a host.

  • ThreatNG Context: ThreatNG scans the host to identify the underlying technology stack (e.g., "This host is running Apache Struts 2.5"). This contextualizes the Amass finding. Instead of just knowing "Host A exists," the security team knows "Host A exists and is running vulnerable middleware," prioritizing it for immediate remediation.

Sensitive Code Exposure

  • Workflow: ThreatNG monitors public code repositories (GitHub, GitLab) for leaked configuration files.

  • Integration: If ThreatNG discovers a leaked bind.conf or zonefile in a public repo, this data can be parsed to extract internal hostnames. These internal names are then fed into Amass to test if they are resolvable from the outside, verifying if the "Internal" network is accidentally exposed to the public internet.

Intelligence Repositories (DarCache)

ThreatNG’s DarCache repositories enrich the technical map provided by Amass with threat-centric data.

  • Ransomware Groups: If Amass discovers an exposed Remote Desktop Gateway or VPN concentrator, ThreatNG checks its Ransomware Groups repository. It can alert the team if that specific gateway technology is currently being targeted by active ransomware gangs (such as LockBit or BlackCat), thereby elevating the asset's risk level.

  • Dark Web & Compromised Credentials: Amass finds the login portals. ThreatNG’s Dark Web repository checks if credentials for those specific portals are currently for sale on underground marketplaces. This transforms a simple "Discovery" finding into an "Active Threat" alert.

Reporting and Continuous Monitoring

The cooperation between ThreatNG and Amass creates a dynamic, self-updating view of the security posture.

  • Continuous Monitoring Loop: ThreatNG monitors the perimeter 24/7. When it detects a change—such as an acquisition of a new subsidiary or a new cloud tenant—it updates the scope. This triggers Amass to perform a fresh enumeration of the new scope. This ensures that the asset inventory is always up to date and that no asset goes unassessed.

  • Unified Reporting: ThreatNG consolidates the findings. The report presents the Security Rating (Strategic View) and the detailed Asset Map (Tactical View from Amass). This satisfies both executive stakeholders (who want to know the score) and engineering teams (who need the list of subdomains to fix).

Cooperation with Complementary Solutions

ThreatNG and Amass function as the "Discovery Layer" in a broader security stack, feeding data to downstream systems.

Security Information and Event Management (SIEM)

  • Workflow: Amass and ThreatNG map the external assets. This inventory is fed into the SIEM (e.g., Splunk, Sentinel).

  • Benefit: The SIEM uses this "External Asset List" to correlate with internal logs. If the SIEM sees traffic destined for an IP address that ThreatNG/Amass identified as "Shadow IT," it can immediately flag it as suspicious, as it falls outside the known authorized network.
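
The correlation described above, as an added example that is neither the page's code nor any SIEM product's: an external asset inventory with a status per address or netblock is loaded, firewall log lines are parsed, and any destination marked "shadow-it" (or absent from the inventory entirely) is raised for review. The inventory, the log format and the log lines are constructed.

```python
"""Correlate outbound connection logs with an external asset inventory.

Added example, not the page's or any SIEM vendor's code. The inventory,
the log line format and the sample lines are constructed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed inventory: discovered external addresses and their status.
INVENTORY = {
    "203.0.113.0/26": "authorized",
    "203.0.113.77": "shadow-it",  # found by enumeration, never approved
    "198.51.100.10": "authorized",
}

# Most-specific prefix first so a /32 entry overrides an enclosing block.
_NETS = sorted(((ipaddress.ip_network(k), v) for k, v in INVENTORY.items()),
               key=lambda t: t[0].prefixlen, reverse=True)


def classify(ip: str) -> str:
    """Inventory status for an address, or 'unknown' if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, status in _NETS:
        if addr.version == net.version and addr in net:
            return status
    return "unknown"


# Constructed key=value firewall log format.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 src=10.0.4.12 dst=203.0.113.20 dport=443 action=allow",
    "2024-05-01T10:00:07Z fw01 src=10.0.4.15 dst=203.0.113.77 dport=443 action=allow",
    "2024-05-01T10:00:09Z fw01 src=10.0.4.15 dst=192.0.2.200 dport=22 action=allow",
    "2024-05-01T10:00:11Z fw01 src=10.0.4.18 dst=198.51.100.10 dport=443 action=allow",
]


def correlate(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose destination is shadow IT or
    not in the inventory at all; authorized destinations are dropped."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skipped, would be counted in production
        status = classify(m["dst"])
        if status == "authorized":
            continue
        hits.append({
            "src": m["src"],
            "dst": m["dst"],
            "dport": m["dport"],
            "status": status,
            "severity": "alert" if status == "shadow-it" else "review",
        })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGS):
        print(f"[{hit['severity']}] {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['status']})")
```

Destinations absent from the inventory are surfaced as "review" rather than "alert" because an incomplete inventory is the more common explanation; only an address the discovery layer has positively labelled shadow IT warrants the stronger signal.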

Vulnerability Management Platforms

  • Workflow: Amass discovers the subdomains. ThreatNG filters them for liveness and criticality.

  • Benefit: This validated list is fed into a vulnerability scanner (like Nessus or Qualys). Instead of scanning the entire IP range (which is slow and costly), the scanner targets only the active, relevant assets identified by the ThreatNG/Amass combo, significantly reducing license costs and scan times.

Frequently Asked Questions

Does ThreatNG replace Amass?

No. ThreatNG manages the program of exposure management (scoring, risk, context). Amass is a specialized tool for deep DNS enumeration. They work best together.

How does this reduce false positives?

Amass can find "dead" DNS records. ThreatNG’s assessment layer validates whether those records point to live services and whether those services have actual security gaps (susceptibilities), ensuring teams focus on real risks.

Can this detect "Shadow Cloud" instances?

Yes. Amass finds the CNAME records pointing to cloud providers (AWS, Azure). ThreatNG validates whether those buckets or instances are properly claimed or expose the organization to takeover risks.
