Description
The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. It is one of the most comprehensive subdomain enumeration tools available, supporting both passive and active enumeration with extensive data source integration.
Installation
```bash
# Using Go
go install -v github.com/owasp-amass/amass/v4/...@master

# Using Snap
sudo snap install amass

# Using Homebrew
brew install amass

# Using Docker
docker pull caffix/amass
```
Basic Usage
```bash
# Passive enumeration (no direct interaction with target)
amass enum -passive -d target.com -o subs.txt

# Active enumeration (includes DNS resolution)
amass enum -active -d target.com -o subs.txt

# Intel gathering (discover root domains)
amass intel -whois -d target.com
```
Advanced Usage
```bash
# Brute force subdomain enumeration
amass enum -brute -d target.com -w wordlist.txt

# Use configuration file with API keys
amass enum -d target.com -config config.ini

# Specify resolvers
amass enum -d target.com -rf resolvers.txt

# Active enum with brute force and alterations
amass enum -active -brute -d target.com -w wordlist.txt

# Multiple domains
amass enum -passive -df domains.txt -o results.txt

# Track changes over time
amass track -d target.com -dir ./amass-output

# Visualize results
amass viz -d3 -d target.com -dir ./amass-output
```
Common Workflows
```bash
# Comprehensive passive recon
amass enum -passive -d target.com -o amass-passive.txt

# Active enumeration with brute force
amass enum -active -brute -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -o amass-full.txt

# Combine with httpx for alive check
amass enum -passive -d target.com | httpx -silent -o alive.txt

# Organization discovery
amass intel -org "Target Corp" -max-dns-queries 2500
```
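For monitoring your own attack surface with the output files these workflows write, the following added example (not part of the original page or of the Amass project) merges name lists and reports in-scope hostnames that are missing from an earlier baseline. It assumes one hostname per line; the function names, file names and sample data are constructed for illustration.

```bash
#!/bin/sh
# Added example: list in-scope hostnames present in new amass output
# files but absent from an earlier baseline. Assumes one name per line.

# normalize_names DOMAIN FILE...
# Lowercase, strip CRs, surrounding whitespace and a trailing dot, keep
# only DOMAIN and its subdomains, then sort and de-duplicate.
normalize_names() (
    domain="$1"; shift
    cat -- "$@" |
        tr -d '\r' |
        tr '[:upper:]' '[:lower:]' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' |
        awk -v d="$domain" '
            BEGIN { d = tolower(d); n = length(d) }
            !/^[a-z0-9._-]+$/ { next }   # drop lines that are not bare hostnames
            $0 == d || (length($0) > n + 1 && substr($0, length($0) - n) == "." d)' |
        LC_ALL=C sort -u
)

# new_names DOMAIN BASELINE CURRENT...
# Print names found in any CURRENT file that BASELINE does not contain.
new_names() (
    domain="$1"; baseline="$2"; shift 2
    old="$(mktemp)"; new="$(mktemp)"
    normalize_names "$domain" "$baseline" > "$old"
    normalize_names "$domain" "$@" > "$new"
    LC_ALL=C comm -13 "$old" "$new"   # lines unique to the second file
    rm -f "$old" "$new"
)

# demo: run new_names over constructed sample files (not real results).
demo() (
    dir="$(mktemp -d)"
    printf '%s\n' 'www.target.com' 'mail.target.com' > "$dir/baseline.txt"
    printf '%s\n' 'WWW.target.com.' 'mail.target.com' 'vpn.target.com' \
        'dev.api.target.com' 'cdn.nottarget.com' 'eviltarget.com' \
        > "$dir/amass-passive.txt"
    printf '%s\r\n' 'vpn.target.com' 'staging.target.com' > "$dir/amass-full.txt"
    new_names target.com "$dir/baseline.txt" \
        "$dir/amass-passive.txt" "$dir/amass-full.txt"
    rm -rf "$dir"
)

demo
```

The suffix check is anchored on a leading dot, so look-alike names such as `eviltarget.com` are treated as out of scope and never reported.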
Configuration
Create ~/.config/amass/config.ini:
```ini
[data_sources]

[data_sources.SecurityTrails]
[data_sources.SecurityTrails.account1]
apikey = YOUR_API_KEY

[data_sources.Shodan]
[data_sources.Shodan.account1]
apikey = YOUR_API_KEY
```