Complete Guide to Amass Tool (2025 Edition): From Beginner to Pro in Bug Bounty Recon CyberXsociety

Want to master the Amass tool for recon and subdomain enumeration? This full guide explains everything — from beginner basics to pro-level techniques. Learn how Indian hackers use Amass in real-world bug bounty hunting.

Table of Content

Introduction

What Amass Can Do

Installation (Kali Linux, Termux, Windows WSL)

Amass Modules Explained

Basic Usage with Examples

Amass Configuration Like a Pro

Real-World Recon Scenarios

Advanced Tricks

Amass Visualization

Real Bug Bounty Workflow with Amass

Common Issues and How to Fix Them

Conclusion

🔰 Introduction

Let us be honest: recon is the base of every successful bug bounty report. If you do not know how to gather deep information about your target, you are already behind. In this guide, we walk through Amass, a powerful recon tool that can level up your game. Whether you are a student, a beginner, or someone who already hunts bugs, this is for you.


What is Amass?

Amass is an open-source OWASP project (github.com/owasp-amass/amass) designed to help ethical hackers and researchers find subdomains, map DNS records, and perform deep recon. It collects data using both passive sources (APIs, certificate transparency logs, search engines, passive DNS) and active techniques (DNS resolution, brute forcing, zone transfer attempts), and stores everything it finds in a local graph database so results can be queried and compared later. If you are serious about bug bounty hunting, learning Amass is a must.


Why Every Bug Bounty Hunter Must Learn It

In bug bounty, most hackers rush into scanning without knowing the target properly. That is why they miss hidden subdomains, dev environments, and even high-severity bugs. Amass helps you go deep. It collects real, useful data that gives you an edge. Learning this tool means smarter recon, better bugs, and bigger bounties.


Who This Guide is For

This guide is for anyone curious about real hacking — from college students to freelancers and working professionals. Even if you are new to cybersecurity, do not worry. We will start from scratch and go to expert level, with Indian-friendly steps, simple words, and real examples.


🔧 What Amass Can Do

Amass is not just about subdomains. It is a full toolkit for serious recon. You can use it to:


Subdomain Enumeration

Finding subdomains is the first step in recon. Amass can find hundreds of subdomains from public sources, search engines, and certificate transparency logs. This helps you discover hidden parts of the target that others miss.


DNS Mapping

Amass builds a DNS map of your target — showing how everything connects. It can identify IPs, CNAMEs, MX records, and more. This is useful for visualizing infrastructure and planning your attack paths better.


Passive and Active Recon

Amass gives you both quiet (passive) and noisy (active) recon options. Passive only asks third parties about the target. Active sends traffic to the target itself (DNS queries, zone transfer attempts, TLS connections, brute forcing), so it finds more but shows up in the target's logs and must stay inside the program's scope. You choose per run.


OSINT

Amass uses Open Source Intelligence (OSINT) to collect data from the internet. It connects with APIs, search engines, and public databases. This helps in building a strong profile of your target — all without making direct contact.


Network Mapping

Want to see how a company’s online assets are structured? Amass can help you do that. It shows the full network — from domains to subnets — so you understand the target’s digital footprint properly.


⚙️ Installation (Kali Linux, Termux, Windows WSL)

Setting up Amass is simple, but if you are in India and using low-end systems or mobile phones, it might feel tricky. Do not worry — we will show you how to install Amass step-by-step on Kali Linux, Termux, and even Windows using WSL (Windows Subsystem for Linux).


🖥️ 1️⃣ Installing Amass on Kali Linux (Easiest Method)

If you are using Kali Linux (recommended for hacking), Amass is already available in its official repository.

Step 1: Update your Kali system first to avoid errors:

sudo apt update && sudo apt upgrade

Step 2: Install Amass:

sudo apt install amass

Step 3: Check installation:

amass -version

That is it! ✅

👉 Want the latest version? Install it using Go (explained below) or use GitHub binary for manual install.


📱 2️⃣ Installing Amass on Termux (For Android Users)

Want to run Amass from your Android phone? Use Termux like this:

Step 1: Install Termux (use F-Droid for the latest version).

Step 2: Update Termux packages:

pkg update && pkg upgrade

Step 3: Install Go programming language (required for Amass):

pkg install git golang

Step 4: Install Amass using Go:

go install -v github.com/owasp-amass/amass/v4/...@master

Step 5: Add Amass to Termux path:

cp ~/go/bin/amass $PREFIX/bin

Step 6: Confirm installation:

amass -version

Now you can start subdomain hunting from your mobile itself. 📱

👉 Note: Android may lag on heavy scans. Use VPS if needed.


🪟 3️⃣ Installing Amass on Windows (WSL Method)

Using Windows 10 or 11? The best way to install Amass is with WSL (Windows Subsystem for Linux).

Step 1: Enable WSL (if not done already):

wsl --install

Restart if required.

Step 2: Install Ubuntu (or Debian) from Microsoft Store.

Step 3: Update Linux inside WSL:

sudo apt update && sudo apt upgrade

Step 4: Install Amass:

sudo apt install amass

Step 5: Verify installation:

amass -version

Now your Windows is ready for bug bounty recon with Amass. ✔


📦 4️⃣ Installing Amass Using GitHub Binary (Best for Beginners)

What if Go fails or you want the easiest setup? Direct download from GitHub is the way.

Step 1: Visit 👉 https://github.com/owasp-amass/amass/releases

Step 2: Download the release asset matching your OS and CPU. Asset names are case-sensitive and look like this (copy the exact name from the release page; there are also Windows, macOS and arm64 builds):
amass_Linux_amd64.zip

Download the checksum list published alongside it and compare the archive's SHA-256 before going further. A binary you are about to run under your own account deserves that one check.

Step 3: Extract the zip:

unzip amass_Linux_amd64.zip

Step 4: Move the binary to a directory on your PATH (the archive unpacks into a folder named after the asset):

sudo mv amass_Linux_amd64/amass /usr/local/bin/

Step 5: Make sure it is executable:

sudo chmod +x /usr/local/bin/amass

Step 6: Check version:

amass -version

For Windows Users:

  • Download .zip → Extract → Add folder to Path (System Environment Variables) → Run from CMD or PowerShell.
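The manual install above is the one place where you run a binary you did not build, so the verification step deserves a script rather than a glance. The following is an added example, not part of Amass or of the original page. It assumes the release ships a checksum list in the usual "<sha256>  <filename>" layout (the name amass_checksums.txt is an assumption; copy the real one from the release page) and that the archive unpacks to <asset-name>/amass as the steps above show.

```bash
#!/usr/bin/env bash
# Added example (not from the Amass project): verify a downloaded release archive
# against the SHA-256 list published with the release before installing it.
# Assumptions: the list has "<sha256>  <filename>" lines, one per asset, and the
# archive unpacks to <asset-name>/amass as the manual steps above show.
set -eu

# Return 0 when the recorded SHA-256 for the archive's file name matches the file on
# disk; return 1 (with a message on stderr) on a mismatch or when no entry exists.
verify_release_checksum() {  # $1 = archive path, $2 = checksum list path
  local archive="$1" list="$2" name expected actual
  name=$(basename "$archive")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$list")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $list" >&2
    return 1
  fi
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# Unpack a verified archive and place the amass binary on PATH (default
# /usr/local/bin; pass a directory such as "$HOME/.local/bin" to avoid sudo).
install_amass_release() {  # $1 = archive, $2 = checksum list, $3 = install dir (optional)
  local archive="$1" list="$2" dest="${3:-/usr/local/bin}" workdir binary
  verify_release_checksum "$archive" "$list" || { echo "refusing to install $archive" >&2; return 1; }
  workdir=$(mktemp -d)
  unzip -q "$archive" -d "$workdir"
  binary=$(find "$workdir" -type f -name amass | head -n 1)
  [ -n "$binary" ] || { echo "no amass binary inside $archive" >&2; rm -rf "$workdir"; return 1; }
  install -m 0755 "$binary" "$dest/amass"   # copies and sets the mode in one step
  rm -rf "$workdir"
  "$dest/amass" -version
}

# Usage once the archive and the checksum list sit in the current directory:
#   install_amass_release amass_Linux_amd64.zip amass_checksums.txt
```

The checksum only proves the file matches what the release page published; it does not prove the release page itself was not tampered with, which is why the comparison value should come from the GitHub release and never from the same mirror that served the archive.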

🧩 Summary of Installation Methods (Quick Reference Table)
Platform            Best method
Kali Linux          sudo apt install amass
Termux (Android)    go install -v github.com/owasp-amass/amass/v4/...@master
Windows (WSL)       sudo apt install amass (inside the WSL distribution)
Any OS (manual)     Download the binary from the GitHub releases page

Common Errors & Fixes
Problem                     Fix
go: command not found       Install Go (sudo apt install golang on Debian/Kali, pkg install golang on Termux) and put ~/go/bin on your PATH
amass: not found            Copy the binary to a directory on PATH (for example /usr/local/bin) or add ~/go/bin to PATH
Permission denied           Run chmod +x on the binary (with sudo if it lives under /usr/local/bin)
Slow download               Try a VPN or a closer mirror
API errors during a scan    Check that the API key is valid, not expired, and not over the provider's rate limit

Pro Tips for Beginners
  • Prefer VPS if running long scans
  • Create custom folders for recon results
  • Organize tools in /opt/ (Linux users) for cleaner setup
  • Use Amass with other recon tools (Subfinder, httpx) for better results

📦 Amass Modules Explained

Amass is built around subcommands, each with its own job. The exact set differs a little between Amass 3.x and 4.x, so run amass -help to see what your installation ships. Once you know what each one does, you will start using Amass like a pro.


Enum

This is the heart of Amass. It discovers subdomains, resolves them through DNS, and records the associated IP addresses, netblocks and ASNs. By default it queries the passive data sources and then resolves the names it collects; -passive skips the resolution, while -active and -brute add zone transfer attempts, certificate name grabbing and wordlist brute forcing.


Intel

Use this when you want to dig into a target's wider footprint before enumerating it. It finds root domains from an ASN, a CIDR range, or an organisation name (including reverse WHOIS), which is how you scope company-wide recon instead of guessing which domains belong to the target.


Viz

Short for visualization. This subcommand turns what enum stored in the graph database into graph files: a self-contained D3 HTML page, Graphviz DOT, GEXF for Gephi, or a Maltego import. Open the HTML in a browser, or load the exports into Gephi or Maltego to analyse the relationships.


Track

This subcommand compares enumerations of the same domain stored in the database and reports what is new and what disappeared. If a subdomain appears next week, track tells you so without you re-reading whole lists.


DB

Amass stores every enumeration in a local graph database under its output directory (~/.config/amass by default on Linux). The db subcommand lists and queries that data, so you can run multiple scans, compare results, or work offline, and build your own recon database over time.


🚀 Basic Usage with Examples

Let us start with the basics. You have installed Amass — now what? Do not worry, you do not need to remember complex commands. We will begin with simple examples that you can run on any system. These will help you understand how Amass collects data and what each result means.


First Scan Example

To run your first scan, just open your terminal and type:

amass enum -d example.com

That's it. With only -d, Amass queries the data sources that work without API keys, resolves every name it collects through DNS, and prints a clean list. Be aware that the resolution step is not silent: each discovered name is looked up, which reaches the target's authoritative name servers. A run that never touches the target needs -passive (next section). The enum flag set changed between Amass 3.x and 4.x, so confirm with amass enum -help on your installation.


Passive Scan (Safe)

A passive run means Amass does not send traffic to the target: no DNS resolution of the names it finds and no connections to its servers. It pulls names only from third parties such as certificate transparency logs, search engines, passive DNS databases and whatever APIs you have configured. This is perfect when you want to stay quiet, on private programs, or while learning. The trade-off is that nothing is verified, so expect some names that no longer resolve.

amass enum -passive -d target.com

Active Scan (Aggressive)

Active mode goes one step deeper. On top of the default resolution it attempts DNS zone transfers (AXFR) against the target's name servers and connects to discovered hosts to read extra names out of their TLS certificates. This is noisy and visible in the target's logs, so only use it on targets you are authorised to test, and stay inside the program's scope.

amass enum -active -d target.com

Add brute forcing for the most complete (and loudest) run:

amass enum -d target.com -active -brute

🧠 Amass Configuration Like a Pro

Default scans are good, but real hackers customize everything. You can add your own API keys, wordlists, DNS resolvers, and output formats. This helps Amass go further and find more valuable subdomains in less time.


API Key Setup (for Shodan, Censys, etc.)

Some data sources like Shodan, Censys, and VirusTotal need API keys. Once added, Amass can pull far more from them. Amass 3.x reads an INI file: copy examples/config.ini from the repository to ~/.config/amass/config.ini (the default location on Linux) or point to it with -config, and fill in the credentials section for each source:

[data_sources.Shodan]
[data_sources.Shodan.Credentials]
apikey = YOUR_KEY_HERE

Amass 4.x switched to YAML: a config.yaml for scope and options plus a datasources.yaml that holds the keys, both shipped under examples/ in the repository. Whichever version you run, keep the file readable only by your user (chmod 600); it holds live credentials.

These keyed sources return data that hunters without keys will miss.
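For Amass 4.x the same Shodan key goes into datasources.yaml, which config.yaml references. The two files below are an added example, not the page's own config or a file from the Amass repository: the layout follows the examples shipped with 4.x as I know them, but the key names (ttl, creds.account.apikey, the Censys apikey/secret pair, global_options.minimum_ttl) are an assumption to confirm against those shipped examples before use. target.com and the key values are placeholders.

```yaml
# ~/.config/amass/config.yaml  (Amass 4.x)
# Run with: amass enum -config ~/.config/amass/config.yaml -d target.com
scope:
  domains:
    - target.com                      # placeholder apex; out-of-scope names are dropped
options:
  resolvers:
    - 1.1.1.1
    - 8.8.8.8
  datasources: "./datasources.yaml"   # path is relative to this file
  bruteforce:
    enabled: false                    # keep the default run quiet; enable per engagement

# ~/.config/amass/datasources.yaml  (chmod 600: it holds live credentials)
datasources:
  - name: Shodan
    ttl: 10080                        # minutes to cache answers from this source
    creds:
      account:
        apikey: "YOUR_KEY_HERE"
  - name: Censys
    ttl: 10080
    creds:
      account:
        apikey: "YOUR_API_ID"
        secret: "YOUR_API_SECRET"
global_options:
  minimum_ttl: 1440
```

Leave out every source you do not hold a key for rather than copying the whole example with empty values; an entry with a blank key is one more source that can fail with an authentication error mid-run.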


Custom Wordlists

Want to brute force subdomains like admin.target.com, test.target.com, and more? Use custom wordlists. Just add this flag to your scan:

amass enum -brute -d target.com -w ~/wordlists/subdomains.txt  

Use lists from SecLists or Assetnote, or build your own from names you have already seen on the target; the best wordlist for a company is the naming pattern its own admins use.


Using Your Own Resolvers

Sometimes Amass fails with DNS errors or crawls because the default resolvers are rate-limited. Fix that by supplying your own resolver list. The file flag is -rf (-r takes individual IP addresses and can be repeated):

amass enum -d target.com -rf ~/resolvers.txt

Public resolver lists on GitHub go stale quickly, so validate them before a run: a dead resolver costs you names and a lying one costs you false positives. Amass also accepts a separate trusted-resolver list that it uses to re-check answers (see amass enum -help for the trusted flags); 1.1.1.1 or 8.8.8.8 are good choices there.


🌍 Real-World Recon Scenarios

Let us now apply Amass to real-world bug bounty use cases. This is where things get exciting. These tricks are used by Indian bug bounty hunters daily to find valid bugs and report them.


How to Find Subdomains of target.com

Run:

amass enum -d target.com -o output.txt

This command collects all known subdomains and saves them to output.txt. On Amass 3.x the file holds one name per line. On 4.x each line is a relationship such as sub.target.com (FQDN) --> a_record --> 1.2.3.4 (IPAddress), so extract the first column before handing the file to other tools (the Advanced Tricks section shows how). You can later scan these subdomains for open ports, misconfigurations, or login panels.


Finding dev/test/staging Environments

These are usually goldmines. Try brute forcing with developer wordlists. Combine Amass with tools like dnsx or httpx to check for dev panels, login pages, or even exposed databases.

amass enum -brute -d target.com -w devlist.txt  

Filtering False Positives

Amass sometimes returns names that do not resolve or are outdated, especially from passive sources. Use dnsx or a small script to keep only live subdomains:

cat output.txt | dnsx -silent -a

dnsx expects one hostname per line, so on Amass 4.x output extract the names first (the first column of the (FQDN) lines, as in the Advanced Tricks section). Add -resp to see the address each name resolved to. This cleans your list down to live targets. Do not throw the unresolved names away, though: a name whose CNAME points at a service that no longer exists is itself worth checking.


⚔️ Advanced Tricks

Once you know the basics, go beyond. Combine Amass with other tools, scripts, and automation to create a powerful recon workflow. These tricks are what pros use in real-time bug bounty hunting.

When you work with large recon data, Amass gives you far more than subdomains: IPs, CNAMEs, netblocks, ASN data, and more. On Amass 4.x the enum output (and the -o file) records each fact as a relationship line:

sub.target.com (FQDN) --> a_record --> 1.2.3.4 (IPAddress)

with the left-hand node, the relation, and the right-hand node each followed by a type tag such as (FQDN), (IPAddress), (Netblock) or (ASN). Amass 3.x writes plain names instead (with addresses when -ip is given), so the filters below apply to 4.x output. Here are some pro-level commands to pull exactly the piece you need out of those lines.

Extract Only Subdomains (FQDNs)

Subdomains are the heart of recon. Here is how to extract them cleanly:

cat output.txt | grep '(FQDN)' | cut -d " " -f1 | sort -u

→ What it does:

  • Keeps lines containing (FQDN)
  • Cuts the first field, the name on the left-hand side of the relationship
  • Removes duplicates using sort -u

A name that appears only on the right-hand side (for example the target of a cname_record) is not captured by this, which is usually what you want, since those are often third-party hosts outside scope.

Example Output:

deliverynavigator.cloud.google.com
toolresults.clients6.google.com
plus.google.com

Extract Only IPv4 Addresses

Want to grab all the IPv4 addresses? Run this:

cat output.txt | grep '(IPAddress)' | grep -oP '\d+\.\d+\.\d+\.\d+(?= \(IPAddress\))' | sort -u

→ What it does:

  • Filters only lines with (IPAddress)
  • Extracts the IPv4 token that sits right before the (IPAddress) tag; a bare IPv4 pattern would also pick up the network part of the CIDR on lines like 1.2.3.0/24 (Netblock) --> contains --> 1.2.3.4 (IPAddress)
  • Removes duplicates

Extract Only IPv6 Addresses

IPv6 is everywhere now. This command pulls only IPv6 addresses, again anchored to the tag so nothing else on the line is matched:

cat output.txt | grep '(IPAddress)' | grep -oP '[a-fA-F0-9:]+:[a-fA-F0-9:]*(?= \(IPAddress\))' | sort -u

Extract Netblocks

Sometimes you want the IP ranges a target sits in. This pulls the CIDR that carries the (Netblock) tag, whichever side of the relationship it appears on:

cat output.txt | grep '(Netblock)' | grep -oP '\d+\.\d+\.\d+\.\d+/\d+(?= \(Netblock\))' | sort -u

Bonus Tips for Automation
  • Save directly to a file:
cat output.txt | grep '(FQDN)' | cut -d " " -f1 | sort -u > subs_only.txt
  • Probe for live web services with httpx (packaged as httpx-toolkit on Kali):
cat subs_only.txt | httpx-toolkit --no-color --status-code --title --output live.txt
  • Feed the live hosts to Nmap. httpx writes URLs (https://host[:port] [200] [title]), so strip the scheme, port and path before scanning, and reserve a full -p- sweep for hosts that are clearly in scope, since it is loud:
awk '{print $1}' live.txt | sed -E 's#^https?://##; s#[:/].*$##' | sort -u | xargs -n1 nmap -T4 -p-
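The one-liners above each re-parse the same file, and the quick versions are easy to get subtly wrong (an IPv4 pattern that also matches the CIDR on a Netblock line, a CNAME target on a third-party domain leaking into your subdomain list). The script below is an added example, not the page's own commands or anything shipped with Amass: it keys every extraction on the type tag that follows the value, scopes names to the apex you pass in, and writes one list per artefact type. The SAMPLE text is constructed for this example using documentation addresses and a private-use ASN; it is not real recon output.

```bash
#!/usr/bin/env bash
# Added example (not the page's own commands, not from the Amass project): split
# Amass 4.x relationship output into one clean list per artefact type.
# SAMPLE is constructed for this example (documentation ranges 203.0.113.0/24 and
# 2001:db8::/32, private-use ASN 64496); it is not real recon data.
set -eu

SAMPLE='example.com (FQDN) --> ns_record --> ns1.example.net (FQDN)
www.example.com (FQDN) --> cname_record --> edge.example-cdn.net (FQDN)
api.example.com (FQDN) --> a_record --> 203.0.113.10 (IPAddress)
api.example.com (FQDN) --> aaaa_record --> 2001:db8:1::10 (IPAddress)
dev.example.com (FQDN) --> a_record --> 203.0.113.11 (IPAddress)
203.0.113.0/24 (Netblock) --> contains --> 203.0.113.10 (IPAddress)
203.0.113.0/24 (Netblock) --> contains --> 203.0.113.11 (IPAddress)
64496 (ASN) --> announces --> 203.0.113.0/24 (Netblock)'

# Every name tagged (FQDN), on either side of the relationship, restricted to the
# apex given as $1 so CNAME targets on other domains (edge.example-cdn.net) stay out.
extract_fqdns() {  # $1 = apex domain; amass output on stdin
  local apex_re
  apex_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  grep -oE '[A-Za-z0-9._-]+ \(FQDN\)' | awk '{ print $1 }' \
    | grep -E "(^|\.)${apex_re}\$" | sort -u
}

# Addresses are taken only from the token immediately before "(IPAddress)", so the
# network part of a CIDR on a Netblock line is never mistaken for a host address.
extract_ipv4() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3} \(IPAddress\)' | awk '{ print $1 }' | sort -u
}

extract_ipv6() {
  grep -oE '[0-9A-Fa-f:]*:[0-9A-Fa-f:]+ \(IPAddress\)' | awk '{ print $1 }' | sort -u
}

extract_netblocks() {
  grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2} \(Netblock\)' | awk '{ print $1 }' | sort -u
}

extract_asns() {
  grep -oE '[0-9]+ \(ASN\)' | awk '{ print $1 }' | sort -u
}

# Run all extractors over an output file and write one list per type into a directory.
split_amass_output() {  # $1 = apex domain, $2 = amass output file, $3 = destination dir
  mkdir -p "$3"
  extract_fqdns "$1" < "$2" > "$3/subs.txt"
  extract_ipv4      < "$2" > "$3/ipv4.txt"
  extract_ipv6      < "$2" > "$3/ipv6.txt"
  extract_netblocks < "$2" > "$3/netblocks.txt"
  extract_asns      < "$2" > "$3/asns.txt"
  wc -l "$3"/*.txt
}

# Stand-alone demonstration on the constructed sample: prints the four in-scope names.
printf '%s\n' "$SAMPLE" | extract_fqdns example.com
```

Point split_amass_output at a real -o file (for example split_amass_output target.com output.txt recon/target.com) and feed subs.txt to dnsx or httpx, ipv4.txt to Nmap, and netblocks.txt back into amass intel to look for further root domains in the same ranges.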

📌 Why This Matters

→ Real-world bug bounty hunters do not rely on tool defaults. They know how to shape the output to find hidden gems. These commands help you:

  • Filter noise
  • Focus on live, juicy targets
  • Save hours of manual effort

Practice these regularly, and you will start finding more vulnerabilities faster.


Scheduling Periodic Scans

Recon is not a one-time task. Targets change and new subdomains appear. Use cron to schedule Amass runs daily or weekly:

0 6 * * * /path/to/your/script.sh target.com

Two things the script should get right: cron starts with a minimal environment, so use absolute paths or set PATH inside the script; and a scheduled job should stay passive unless the program allows active testing, because nobody is watching how much noise it makes. Diff each run against the previous one and read the new names first; that is how you catch fresh endpoints and newly exposed panels before anyone else.
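The cron line above calls a script.sh that the page never shows. The one below is an added example, not part of Amass or the original page, of what that script should do: a bounded passive run, normalisation of the output to plain names (Amass 3.x writes one name per line, 4.x the relationship format), and a diff against the previous run so only new names reach you. It assumes results live under $RECON_HOME/<domain>/ (default ~/recon) and uses the enum flags -passive, -timeout (minutes) and -o; the notification is left as plain stdout, which cron mails to the job owner by default.

```bash
#!/usr/bin/env bash
# Added example of the script.sh called from the cron line above; not part of Amass.
# Assumptions: results live under $RECON_HOME/<domain>/, amass is reachable through
# the PATH set below, and the program permits passive recon only.
set -eu
: "${HOME:=/tmp}"
export PATH="$PATH:/usr/local/bin:$HOME/go/bin"   # cron's default PATH is minimal
RECON_HOME="${RECON_HOME:-$HOME/recon}"

# Normalise an amass -o file to one in-scope name per line, sorted. Amass 3.x already
# writes plain names; 4.x writes "name (FQDN) --> relation --> value (Type)" lines.
names_from_output() {  # $1 = apex domain, $2 = raw amass output file
  local apex_re
  apex_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  if grep -q '(FQDN)' "$2"; then
    grep -oE '[A-Za-z0-9._-]+ \(FQDN\)' "$2" | awk '{ print $1 }'
  else
    cat "$2"
  fi | grep -E "(^|\.)${apex_re}\$" | sort -u
}

# Names in the current sorted list that were absent from the previous one
# (the previous list may not exist yet on the first run).
new_names() {  # $1 = previous list, $2 = current list
  if [ -f "$1" ]; then
    comm -13 "$1" "$2"
  else
    cat "$2"
  fi
}

run_scheduled_scan() {  # $1 = apex domain
  local domain="$1" dir today raw
  dir="$RECON_HOME/$domain"
  today=$(date +%F)
  raw="$dir/$today.raw"
  mkdir -p "$dir"
  # Passive only, with a hard time limit so a stuck data source cannot pile runs up.
  amass enum -passive -timeout 60 -d "$domain" -o "$raw"
  names_from_output "$domain" "$raw" > "$dir/$today.txt"
  new_names "$dir/latest.txt" "$dir/$today.txt" > "$dir/$today.new"
  ln -sf "$today.txt" "$dir/latest.txt"
  if [ -s "$dir/$today.new" ]; then
    # Replace with a mail/Slack hook if you prefer; cron mails stdout by default.
    printf 'New names for %s on %s:\n' "$domain" "$today"
    cat "$dir/$today.new"
  fi
}

# Run only when invoked with a domain, so the file can also be sourced for testing.
if [ "${1:-}" ]; then
  run_scheduled_scan "$1"
fi
```

Keep the daily .raw files: when a name shows up in today's .new list, the earlier raw output tells you whether it was genuinely new or just missed by a flaky data source last time, which is the difference between a lead and noise.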


📊 Amass Visualization

Seeing is believing. Amass comes with a viz module that helps you visualize all the data you collect. This is super helpful when dealing with large programs or mapping complex networks. Instead of reading lists, you can view full graphs of connections between domains, IPs, and DNS records.


Using amass viz to Visualize Recon Data

It is simple. After running enum for a domain, point viz at the same domain (and at the same directory with -dir if you changed the output directory during enumeration):

amass viz -d3 -d target.com

This writes a self-contained HTML file (amass_d3.html) with a force-directed graph of the stored data. Open it in a browser and click, zoom, and explore relationships visually. Perfect for when you want to show work to your team or understand the target better.


Exporting as DOT, GraphML

Want to save your graph for later or use it with other tools? Export it in their native formats:

amass viz -dot -d target.com
amass viz -gexf -d target.com

-dot writes amass.dot for Graphviz, -gexf writes amass.gexf for Gephi, and -maltego writes a CSV you can import into Maltego. These help in advanced visualization workflows, especially when reporting on big bug bounty programs.


🏆 Real Bug Bounty Workflow with Amass

Let us now connect the dots between tool usage and real bug bounty success. A lot of hunters run random scans; smart hunters follow a workflow. Read the program's scope and exclusions first, then use Amass in a recon flow like this:

From scope to report using Amass

1️⃣ Collect passive subdomains
2️⃣ Use brute-force for hidden subdomains
3️⃣ Check live domains with httpx
4️⃣ Scan ports with nmap
5️⃣ Screenshot endpoints with gowitness or aquatone
6️⃣ Start testing for bugs (IDOR, XSS, SSRF, etc.)
7️⃣ Track progress with Notion or Google Sheets
8️⃣ Prepare reports with screenshots, logs, and proofs


Personal Tips to Speed Up Recon

🟢 Use fast DNS resolvers (like Cloudflare or Google)
🟢 Keep multiple API keys (Shodan, Censys) ready
🟢 Run scans on VPS or cloud servers for faster results
🟢 Automate with bash scripts or tools like ReconFTW
🟢 Filter false positives early to save analysis time

This makes sure you do not waste time on dead ends.


🛠 Common Issues and How to Fix Them

Amass Not Resolving?

  • Supply a validated resolver list (-rf resolvers.txt); stale public lists are the usual cause
  • Check that outbound DNS (UDP and TCP port 53) is allowed; some ISPs and VPNs intercept it, so restart the network or try a VPN if answers look wrong

Timeout Issues?

  • Happens during brute forcing with large wordlists. Split the list into smaller parts, or bound the run with -timeout <minutes> so that the results gathered so far are kept when time runs out.

Errors While Fetching APIs?

  • Check whether the API key is valid or expired and whether you have hit the provider's rate limit. Some services (like Censys) require paid tiers for heavier usage.

Tool Crashing or Stuck?

  • Large brute-force and alteration runs (-brute, -alts) are memory-hungry. Run on a VPS with more RAM, shrink the wordlist, or drop -alts, and run with -v to see which data source or resolver it is waiting on.

🎯 Conclusion

Amass is not just a tool — it is a skill. Learning it fully means you will always have an advantage in bug bounty recon. Other hackers may quit after finding nothing, but with proper Amass usage, you go deeper and find more bugs.


Daily Practice Ideas

👉 Take one public program every day and run Amass recon against its in-scope domains (passive mode unless the program allows active testing)
👉 Test different flags and configurations
👉 Create your own wordlists and resolvers for Indian-based targets
👉 Compare Amass results with Subfinder/Assetfinder
👉 Save interesting recon cases for learning


How to Improve Speed + Accuracy
  • Use VPS for bigger scans
  • Always mix passive and active recon
  • Clean your results regularly
  • Automate your recon to avoid wasting manual time
  • Learn how to read graphs from viz for better analysis
