offensive-tools/osint/amass/SKILL.md
OWASP Amass: attack surface mapping tool for subdomain enumeration, DNS brute-forcing, and infrastructure discovery using 50+ data sources.

Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```bash
npx skillsauth add aeondave/malskill amass
```
OWASP attack surface mapper — thorough subdomain enumeration via 50+ passive + active sources.
Quick start. The flags and the INI config below follow the Amass 3.x CLI; Amass 4 replaced the INI config with YAML and removed or renamed several of these flags, so confirm with `amass enum -h` on the version you have installed.

```bash
# Passive enumeration (no direct target interaction)
amass enum -passive -d target.com

# Active enumeration (zone transfer attempts and certificate name grabs) plus DNS brute force
amass enum -active -d target.com -brute

# Save results as plain text
amass enum -d target.com -o subdomains.txt

# Full enumeration with all output formats written under results/
amass enum -d target.com -brute -o subs.txt -oA results/amass
```
| Subcommand | Purpose |
|-----------|---------|
| enum | Subdomain enumeration (main use) |
| intel | Gather intel on an org (ASN, CIDRs, root domains) |
| viz | Visualize attack surface (Maltego, Gephi, GraphViz) |
| track | Track changes in attack surface over time |
| db | Interact with local Amass database |
| Flag | Purpose |
|------|---------|
| -d <domain> | Target domain (repeat for multiple) |
| -passive | Passive only (no direct DNS queries to target) |
| -active | Active (DNS queries, zone transfer, cert grabbing) |
| -brute | DNS brute-force with wordlist |
| -w <wordlist> | Custom brute-force wordlist |
| -r <resolvers> | Custom DNS resolvers file |
| -o <file> | Plain text output |
| -oA <prefix> | All output formats (json, txt, etc.) |
| -json <file> | JSON output |
| -ip | Include IP addresses in output |
| -src | Show data source for each result |
| -timeout <n> | Minutes before timeout (default: 30) |
| -max-depth <n> | Max DNS brute-force recursion depth |
| -config <file> | Config file path |
| -dir <path> | Directory holding the graph database (and log files) for this run |
| -dL <file> | File with list of domains |
Passive recon (silent, no DNS queries to the target), with the data source shown per result:

```bash
amass enum -passive -d target.com -src -o passive_subs.txt
```

Active + brute force:

```bash
amass enum -active -d target.com -brute -o active_subs.txt
```

Multiple domains from file:

```bash
amass enum -passive -dL domains.txt -o all_subs.txt
```

D3.js visualization of the attack surface (reads the graph database written by an earlier `amass enum -dir amass_out/` run):

```bash
amass viz -d3 -dir amass_out/ -d target.com
# Writes a self-contained HTML force graph; open the generated file in a browser
```

With IP resolution:

```bash
amass enum -d target.com -ip -o subs_with_ips.txt
```

Organization intelligence (find all CIDRs + root domains):

```bash
# Find ASNs registered to an organization name
amass intel -org "Target Corp"

# Discover root domains from an ASN, with the IPs they were found on
amass intel -asn 12345 -ip

# Discover root domains from a CIDR
amass intel -cidr 203.0.113.0/24
```
API keys for rate-limited sources go in the config file (Amass 3.x INI format; Amass 4 uses a YAML config instead). The file holds live credentials, so keep it readable only by you (`chmod 600`) and out of version control.

```ini
# ~/.config/amass/config.ini or /etc/amass/config.ini
[data_sources]

[data_sources.CertSpotter]
[data_sources.CertSpotter.Credentials]
apikey = YOUR_KEY

[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = YOUR_KEY

[data_sources.SecurityTrails]
[data_sources.SecurityTrails.Credentials]
apikey = YOUR_KEY

[data_sources.VirusTotal]
[data_sources.VirusTotal.Credentials]
apikey = YOUR_KEY

[data_sources.Hunter]
[data_sources.Hunter.Credentials]
apikey = YOUR_KEY
```
Pipeline into other tools:

```bash
# Sort and deduplicate
sort -u subdomains.txt > unique_subs.txt

# Resolve live hosts (dnsx)
cat unique_subs.txt | dnsx -silent -a -resp > live_hosts.txt

# HTTP probe (httpx)
cat unique_subs.txt | httpx -silent -status-code -title -tech-detect > web_services.txt

# Feed into nmap (nmap resolves the names itself and skips any that do not resolve)
nmap -iL unique_subs.txt -sV -p 80,443,8080,8443 --open -T4
```
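Amass returns whatever the data sources know, including names under look-alike or partner domains, so the deduplicated list should be scoped before it goes to nmap. The POSIX shell functions below are an added example, not part of the original skill file or of Amass: they lowercase names, strip trailing dots, keep only names under the root domains you are authorised to test, and split out hosts and IPs. The sample input is constructed in the `name ip,ip` line layout that `amass enum -ip` prints (that layout is an assumption; the function names are hypothetical).

```shell
#!/bin/sh
# Constructed sample in the "name ip,ip" layout printed by `amass enum -ip` (assumed format).
# Mixed case, a trailing dot, a duplicate, an unresolved name and two out-of-scope names
# are included on purpose.
sample_amass_ip_output() {
cat <<'EOF'
www.target.com 203.0.113.10
API.target.com. 203.0.113.11,203.0.113.12
www.target.com 203.0.113.10
cdn.partner-of-target.com 198.51.100.5
mail.target.com
vpn.target.co.uk 203.0.113.20
EOF
}

# stdin: amass -ip output. args: in-scope root domains.
# stdout: one "name ip" line per address of each in-scope name, "name -" when unresolved.
# A name is in scope only if it equals a root or ends in "." followed by that root, so
# "partner-of-target.com" does not match "target.com".
amass_in_scope() {
  awk -v roots="$*" '
    BEGIN { n = split(roots, r, " ") }
    {
      name = tolower($1); sub(/\.$/, "", name)
      ok = 0
      for (i = 1; i <= n; i++) {
        suffix = "." r[i]
        if (name == r[i] || substr(name, length(name) - length(suffix) + 1) == suffix) { ok = 1; break }
      }
      if (!ok) next
      if (NF < 2) { print name, "-"; next }
      m = split($2, ips, ",")
      for (j = 1; j <= m; j++) print name, ips[j]
    }' | sort -u
}

# Unique in-scope host names, one per line (input for httpx or nmap -iL).
amass_scope_hosts() { amass_in_scope "$@" | awk '{ print $1 }' | sort -u; }

# Unique IPv4 addresses of resolved in-scope hosts, one per line (input for nmap -iL).
amass_scope_ips() { amass_in_scope "$@" | awk '$2 != "-" { print $2 }' | sort -u; }

# Usage against a real run:
#   amass enum -d target.com -ip -o subs_with_ips.txt
#   amass_scope_hosts target.com < subs_with_ips.txt > scoped_hosts.txt
#   amass_scope_ips   target.com < subs_with_ips.txt > scoped_ips.txt
#   nmap -iL scoped_ips.txt -sV -p 80,443,8080,8443 --open -T4
```

Pass every root that is in scope as a separate argument (`amass_scope_hosts target.com target.net`); anything under an unlisted root, such as the `target.co.uk` name in the sample, is dropped rather than scanned.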
| File | When to load |
|------|--------------|
| references/config.md | Full config file options, API source list, wordlist recommendations, pipeline with httpx/dnsx |