Usage: amass enum -d <domain> [-passive] [-active] [-brute]
| Options | Description |
|---|---|
| -d, --domain | Domain names (comma-separated) to target for enumeration. |
| -df, --domain-file Disabled | Path to a file with root domain names (one per line). |
| -passive | Perform purely passive enumeration (no active queries). |
| -active | Enable active techniques (zone transfers, certificate fetching, etc.). |
| -brute | Enable brute-force subdomain enumeration using wordlists/masks. |
| -w, --wordlist Disabled | Path to a custom wordlist for brute forcing. |
| -wm, --wordlist-mask Disabled | Use hashcat-style masks for brute-forcing (e.g. ?l?l?d). |
| -alts | Enable altered name permutations (fuzzy, flips, additions). |
| -aw, --alter-wordlist Disabled | Path to custom wordlist for name alterations. |
| -awm Disabled | Use masks for altered name permutations. |
| -norecursive | Disable recursive brute forcing. |
| -min-for-recursive | Min occurrences before recursive brute forcing (int). |
| -max-depth | Max subdomain depth for brute forcing (int). |
| -ip | Show resolved IP addresses for discovered names. |
| -ipv4 | Show only IPv4 addresses. |
| -ipv6 | Show only IPv6 addresses. |
| -src | Include the data source for each discovered name. |
| -dns-qps | Max DNS queries per second across all resolvers (int). |
| -r | Specify untrusted DNS resolvers. |
| -rf Disabled | Path to file with untrusted DNS resolvers. |
| -tr | Specify trusted DNS resolvers. |
| -trf Disabled | File with trusted DNS resolvers. |
| -rqps | Max queries per second per untrusted resolver (int). |
| -trqps | Max queries per second per trusted resolver (int). |
| -iface Disabled | Network interface to use for active scans (e.g., en0). |
| -p, --ports Disabled | Ports to scan when fetching certificates (default: 443). |
| -scripts Disabled | Directory containing DNS-related scripts to run. |
| -exclude | Comma-separated data sources to exclude. |
| -ef Disabled | File with data sources to exclude. |
| -include | Comma-separated data sources to include. |
| -if Disabled | File with data sources to include. |
| -bl | Blacklist specific subdomains to ignore. |
| -blf Disabled | File with subdomain blacklist entries. |
| -nf Disabled | File with already-known subdomains to seed enumeration. |
| -list | List all supported data sources. |
| -o, --output Disabled | Write output to text file. |
| -oA Disabled | Prefix for all output filenames (text, JSON, graph). |
| -log Disabled | Path to log file for errors and diagnostics. |
| -timeout | Set timeout in minutes for the enumeration run. |
| -v, --verbose | Enable verbose/debug output. |
| -demo | Censor output for demo purposes. |
Amass online
Developed by OWASP, it combines passive and active reconnaissance techniques to collect information about domains, DNS records, IP addresses, and infrastructure.
Homepage
v4.2.0