The amass tool searches Internet data sources, performs brute force subdomain enumeration, searches web archives, and uses machine learning to generate additional subdomain name guesses. DNS name resolution is performed across many public servers so the authoritative server will see the traffic coming from different locations.

A precompiled version is available for each release.

If you would prefer to build your own binary from the latest version of the source code, make sure you have a correctly configured Go >= 1.10 environment. More information about how to achieve this can be found on the golang website. Then, take the following steps:

1. Download amass:

$ go get -u github.com/caffix/amass

At this point, the amass binary should be in $GOPATH/bin.

2. Several wordlists can be found in the following directory:

$ ls $GOPATH/src/github.com/caffix/amass/wordlists

The most basic use of the tool, which includes reverse DNS lookups and name alterations:

$ amass example.com

Get amass to provide summary information:

$ amass -v example.com
www.example.com
ns.example.com
...
13242 names discovered - search: 211, dns: 4709, archive: 126, brute: 169, alterations: 8027

Have amass print IP addresses with the discovered names:

$ amass -ip example.com

Have amass perform brute force subdomain enumeration as well:

$ amass -brute example.com

Change the wordlist used during the brute forcing phase of the enumeration:

$ amass -w wordlist.txt example.com

Throttle the rate of DNS queries by number per minute:

$ amass -freq 120 example.com

The maximum rate supported is one DNS query every 5 milliseconds.

Allow amass to included additional domains in the search using reverse whois information:

$ amass -whois example.com

You can have amass list all the domains discovered with reverse whois before performing the enumeration:

$ amass -whois -l example.com

Add some additional domains to the search:

$ amass example.com example1.com example2.com

In the above example, the domains example1.com and example2.com are simply appended to the list potentially provided by the reverse whois information.

All these options can be used together:

$ amass -v -ip -whois -brute -w wordlist.txt -freq 240 example.com example1.com

Be sure that the target domain is the last parameter provided to amass, then followed by any extra domains.

If you are using the amass package within your own Go code, be sure to properly seed the default pseudo-random number generator:

import(
    "math/rand"
    "time"
)

rand.Seed(time.Now().UTC().UnixNano())

1. Setup a new local transform within Maltego:

2. Configure the local transform to properly execute the go program:

3. Go into the Transform Manager, and disable the debug info option:

NOTE: Still under development

Author: Jeff Foley / @jeff_foley

Company: ClaritySec, Inc. / @claritysecinc