Investigator Use
OWASP Amass is an open-source attack surface mapping and network reconnaissance tool maintained by the OWASP Foundation. It performs comprehensive DNS enumeration, subdomain discovery, network mapping, and external asset identification for any domain target through passive and active data collection techniques.
For OSINT investigators conducting infrastructure reconnaissance, Amass is one of the most powerful and comprehensive tools available for mapping the full online footprint of a target organization. Its passive mode collects data exclusively from public sources — certificate transparency logs, DNS databases, search engine APIs, passive DNS repositories, and threat intelligence feeds — without sending any direct queries to the target.
Amass's subdomain discovery capability is particularly broad, drawing from over 30 data sources simultaneously. A single Amass passive scan can discover hundreds of subdomains that would require days of manual querying across individual sources. Each discovered subdomain represents potential attack surface — development servers, staging environments, forgotten applications, and internal tools exposed to the internet.
The tool's DNS resolution and IP enumeration capabilities help investigators map the full IP infrastructure associated with a target domain, including associated autonomous system numbers (ASNs), netblocks, and hosting providers. This network context is essential for understanding the breadth of a target's online infrastructure.
Amass outputs structured data in multiple formats including JSON, which enables integration with visualization tools (Maltego, Gephi) and custom analysis pipelines. The graph database mode allows long-running investigations to accumulate and query historical reconnaissance data.
For authorized penetration testing engagements, Amass's active modes — DNS brute-forcing and web scraping — can extend coverage beyond passive sources. These modes generate traffic to the target and should only be used within authorized scope.
Run Amass in passive mode for OSINT investigations to avoid generating detectable reconnaissance traffic. Record the domain target, data sources enabled, scan timestamp, and full output. Subdomains discovered should be individually verified for active resolution before being included in reports.
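The recording and verification steps above can be scripted against Amass output. The following is an added example, not code from the Amass project; it assumes the Amass v3 JSON-lines format (one object per line with "name", "domain", "addresses", "tag" and "sources"), uses a constructed sample rather than a real scan, and lets the DNS check be swapped for a stub so the report logic can be exercised offline.

```python
"""Triage OWASP Amass JSON-lines output into a report record.

Assumed Amass v3 `-json` layout (assumption, not from the page): each line is
{"name","domain","addresses":[{"ip","cidr","asn","desc"}],"tag","sources"}.
"""
import json
import socket
from datetime import datetime, timezone

# Constructed sample of Amass JSON-lines output; not a real scan result.
SAMPLE_AMASS_JSONL = """\
{"name":"www.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.10","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"cert","sources":["Crtsh"]}
{"name":"dev.example.com","domain":"example.com","addresses":[{"ip":"203.0.113.11","cidr":"203.0.113.0/24","asn":64496,"desc":"EXAMPLE-NET"}],"tag":"api","sources":["PassiveDNS","Crtsh"]}
{"name":"old.example.com","domain":"example.com","addresses":[],"tag":"cert","sources":["Crtsh"]}
"""

def parse_amass_jsonl(text):
    """Yield one record per non-empty line, skipping anything that is not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # Amass may interleave log text; ignore it

def resolves(hostname):
    """Live check: does the name still resolve to any address right now?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def build_report(jsonl_text, target, resolver=resolves, now=None):
    """Record target, timestamp and data sources, then verify each name.

    `resolver` is injectable so the check can run offline in tests.
    """
    now = now or datetime.now(timezone.utc)
    records = list(parse_amass_jsonl(jsonl_text))
    sources = sorted({s for r in records for s in r.get("sources", [])})
    findings = [{
        "name": r["name"],
        "resolves_now": resolver(r["name"]),
        "asns": sorted({a["asn"] for a in r.get("addresses", [])}),
        "netblocks": sorted({a["cidr"] for a in r.get("addresses", [])}),
        "sources": r.get("sources", []),
    } for r in records]
    return {"target": target, "scan_timestamp": now.isoformat(),
            "data_sources": sources, "total_discovered": len(records),
            "verified_active": sum(f["resolves_now"] for f in findings),
            "findings": findings}

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_AMASS_JSONL, "example.com"), indent=2))
```

Only names with `resolves_now` true belong in the report body; the rest stay in the raw output archive with the recorded timestamp.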
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.