(Kali Linux & Ubuntu, Passive + Active Recon, API Keys, Logging & More)
OWASP’s Amass is a fantastic tool, but unfortunately its documentation lags behind and doesn’t match the current 4.2.0 release. After working out the current settings and configuration options, I used AI to help me write a guide for the current version. The more detailed PDF is available here; this post is a summarized version so that users can find it more easily.
Table of Contents
- Why Amass?
- Installation
- Passive vs Active Scanning
- API Integrations
- Setting up datasources.yaml & config.yaml
- Common Scan Recipes
- Logs & Output Management
- Interpreting the Results
- Best Practices & Tips
- Cheat-Sheet
1 Why Amass?
If you need a single tool that aggregates dozens of OSINT feeds, runs brute-force DNS when you allow it, and keeps a graph database of everything it finds, Amass is that tool.
Version 4.x overhauled config files, dropped some sub-commands, and left a lot of outdated docs behind. This post fills that gap.
2 Installation
Kali Linux (2025)

```bash
sudo apt update && sudo apt install amass
amass -version   # → v4.2.0
```

Need the bleeding edge?

```bash
sudo apt install golang
go install -v github.com/owasp-amass/amass/v4/...@master   # places the binary in ~/go/bin
```

Add `export PATH="$PATH:$(go env GOPATH)/bin"` to ~/.zshrc if you use the Go build.
Ubuntu 22.04 / 24.04

```bash
sudo snap install amass
amass -version   # v4.2.0+
```

Fallback (build from source):

```bash
sudo apt install -y golang git
go install -v github.com/owasp-amass/amass/v4/...@master
```
3 Passive vs Active Scanning
Mode | What happens | Pros | Cons |
---|---|---|---|
Passive (`-passive`) | Queries APIs & public feeds only; no DNS traffic toward the target. | ⚡ Fast, stealthy, free of false positives from DNS brute force. | Finds stale / unresolved subs; skips live validation. |
Active (`-active`) | Adds DNS resolution, TLS-cert scraping, zone-transfer attempts, optional brute force (`-brute`). | ✅ Validates live subs, uncovers hidden names. | ⏳ Slower and noisy; needs permission. |
Workflow tip: run passive first → feed results into active for validation & discovery.
4 API Integrations
You’ll unleash Amass’s real power only after dropping in API keys.
Typical sources to add:
Source | Free tier? | Key fields |
---|---|---|
Shodan | ✓ | `apikey` |
SecurityTrails | ✓ | `apikey` |
VirusTotal | ✓ | `apikey` |
Censys | ✗ | `username` (= API ID), `secret` |
PassiveTotal | ✓ | `apikey`, `secret` |
5 Setting up config.yaml & datasources.yaml

```text
~/.config/amass/
├── config.yaml
└── datasources.yaml
```

Minimal config.yaml

```yaml
options:
  datasources: "/home/<user>/.config/amass/datasources.yaml"
```
(Add resolvers, output_directory, brute-force wordlists here if desired.)
Sample datasources.yaml

```yaml
datasources:
  - name: Shodan
    creds:
      account:
        apikey: "SHODAN_KEY"
  - name: SecurityTrails
    creds:
      account:
        apikey: "ST_KEY"
  - name: VirusTotal
    creds:
      account:
        apikey: "VT_KEY"
```

YAML must use spaces (no tabs) and correct indentation.

After saving, test with:

```bash
amass enum -config ~/.config/amass/config.yaml -list
# Sources marked with an asterisk (*) are still missing creds
```
6 Common Scan Recipes (Amass v4.2.0)
Goal | Command |
---|---|
Quick passive enum | amass enum -passive -d example.com -o passive.txt -log passive.log |
Active enum + brute | amass enum -active -brute -d example.com -o active.txt -log active.log -max-dns-queries 10 -dir amass_db |
Cap run-time to 30 min | add -timeout 30 |
Use only a couple of sources | -include crtsh,securitytrails |
Exclude slow sources | -exclude duckduckgo,fofa,netlas |
Diff new vs old | amass db -dir amass_db -d example.com -showchanges |
7 Logs & Output Management
```bash
amass enum ... -o run_$(date +%F).txt -log run_$(date +%F).log -dir amass_db
```

- `-o` – results
- `-log` – errors / API failures
- `-dir` – persistent graph DB (reuse it for future diffs)

Extract just the sub-domains:

```bash
amass db -dir amass_db -names -d example.com > subdomains.txt
```
8 Interpreting Results
Graph-style lines look like:

```text
ns1.example.com (FQDN) --> a_record --> 203.0.113.10 (IPAddress)
```

To keep only the (FQDN) entries:

```bash
grep "(FQDN)" run_*.txt | cut -d ' ' -f1 | sort -u > fqdn_only.txt
```
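As an added example (my own code, not from the post or the Amass project), the Python below parses these graph-style lines from a saved `-o` file into edges, lists every FQDN node (including right-hand-side names such as CNAME targets, which the grep pipeline's first-field cut misses), maps hosts to the IPs they resolved to, and diffs two runs the way section 7 suggests. The line format is taken from the example above; the two sample runs are constructed.

```python
import re
from collections import defaultdict

# Graph-style output line as shown in the post, e.g.
#   ns1.example.com (FQDN) --> a_record --> 203.0.113.10 (IPAddress)
LINE_RE = re.compile(r"^(?P<src>\S+) \((?P<src_type>[^)]+)\) --> (?P<rel>\S+)"
                     r" --> (?P<dst>\S+) \((?P<dst_type>[^)]+)\)$")
# Constructed sample output of two runs (not real Amass data).
OLD_RUN = """\
ns1.example.com (FQDN) --> a_record --> 203.0.113.10 (IPAddress)
www.example.com (FQDN) --> cname_record --> cdn.example.net (FQDN)
cdn.example.net (FQDN) --> a_record --> 198.51.100.7 (IPAddress)
"""
NEW_RUN = OLD_RUN + """\
dev.example.com (FQDN) --> a_record --> 203.0.113.25 (IPAddress)
this line is not graph output and is skipped
"""

def parse_line(line):
    """Return the edge as a dict, or None if the line is not a graph line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def parse_run(text):
    """Parse one -o file into a list of edges, ignoring non-graph lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def fqdns(edges):
    """All FQDN nodes on either side of an edge (the grep above keeps only the left side)."""
    names = set()
    for e in edges:
        if e["src_type"] == "FQDN":
            names.add(e["src"])
        if e["dst_type"] == "FQDN":
            names.add(e["dst"])
    return sorted(names)

def resolved_ips(edges):
    """Map each FQDN to the IPs it resolved to (a_record / aaaa_record edges)."""
    ips = defaultdict(set)
    for e in edges:
        if e["rel"] in ("a_record", "aaaa_record") and e["dst_type"] == "IPAddress":
            ips[e["src"]].add(e["dst"])
    return {h: sorted(v) for h, v in ips.items()}

def diff_runs(old_text, new_text):
    """(added, removed) FQDNs between two saved runs, the text-file version of a DB diff."""
    old, new = set(fqdns(parse_run(old_text))), set(fqdns(parse_run(new_text)))
    return sorted(new - old), sorted(old - new)
```

Point `parse_run` at the contents of two dated `run_*.txt` files to get the same added/removed view without the graph DB.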
9 Best Practices & Tips
- Start passive, then active: passive = stealth + baseline; active = deeper, validated.
- Throttle DNS with `-max-dns-queries` to avoid loud scans.
- Group by project with one `-dir` per target → enables tracking over time.
- Keep YAML tidy – incorrect indentation breaks everything.
- Update Amass periodically; API endpoints change.
- Pair with other tools – feed subs into httpx, nuclei, screenshots, etc.
10 Cheat-Sheet
```bash
# Passive first
amass enum -passive -d target.com \
  -o passive.txt -log passive.log

# Active follow-up
amass enum -active -brute -d target.com \
  -min-for-recursive 2 \
  -max-dns-queries 10 \
  -dir amass_db \
  -o active.txt -log active.log

# Show all names from the DB
amass db -dir amass_db -names -d target.com
```
Need more?
- Official repo: https://github.com/owasp-amass/amass
- Example configs: `examples/config.yaml`, `examples/datasources.yaml` in the repo
Happy Hunting!