Want to master the Amass tool for recon and subdomain enumeration? This full guide explains everything — from beginner basics to pro-level techniques. Learn how Indian hackers use Amass in real-world bug bounty hunting.
Table of Contents
- Installation (Kali Linux, Termux, Windows WSL)
  - Installing Amass on Kali Linux (Easiest Method)
  - Installing Amass on Termux (For Android Users)
  - Installing Amass on Windows (WSL Method)
  - Installing Amass Using GitHub Binary (Best for Beginners)
  - Summary of Installation Methods (Quick Reference Table)
  - Common Errors and Fixes
  - Pro Tips for Beginners
- Amass Configuration Like a Pro
  - Extract Only Subdomains (FQDNs)
  - Extract Only IPv4 Addresses
  - Extract Only IPv6 Addresses
  - Bonus Tips for Automation
  - Why This Matters
  - Scheduling Periodic Scans
- Real Bug Bounty Workflow with Amass
- Common Issues and How to Fix Them
🔰 Introduction
Let us be honest — recon is the base of every successful bug bounty report. And if you do not know how to gather deep information about your target, you are already losing. In this guide, we will walk through Amass — a powerful recon tool that can level up your game. Whether you are a student, beginner, or someone who already hunts bugs, this is for you.
What is Amass?
Amass is an open-source tool designed to help ethical hackers and researchers find subdomains, map DNS records, and perform deep recon. It can work silently in the background to collect valuable data from the internet using both active and passive methods. If you are serious about bug bounty hunting, learning Amass is a must.
Why Every Bug Bounty Hunter Must Learn It
In bug bounty, most hackers rush into scanning without knowing the target properly. That is why they miss hidden subdomains, dev environments, and even high-severity bugs. Amass helps you go deep. It collects real, useful data that gives you an edge. Learning this tool means smarter recon, better bugs, and bigger bounties.
Who This Guide is For
This guide is for anyone curious about real hacking — from college students to freelancers and working professionals. Even if you are new to cybersecurity, do not worry. We will start from scratch and go to expert level, with Indian-friendly steps, simple words, and real examples.
🔧 What Amass Can Do
Amass is not just about subdomains. It is a full toolkit for serious recon. You can use it to:
Subdomain Enumeration
Finding subdomains is the first step in recon. Amass can find hundreds of subdomains from public sources, search engines, and certificate transparency logs. This helps you discover hidden parts of the target that others miss.
DNS Mapping
Amass builds a DNS map of your target — showing how everything connects. It can identify IPs, CNAMEs, MX records, and more. This is useful for visualizing infrastructure and planning your attack paths better.
Passive and Active Recon
Amass gives you both safe (passive) and aggressive (active) recon options. Passive is useful when you do not want to be noisy. Active is helpful when you want to go deep and discover everything possible. You get full control.
OSINT
Amass uses Open Source Intelligence (OSINT) to collect data from the internet. It connects with APIs, search engines, and public databases. This helps in building a strong profile of your target — all without making direct contact.
Network Mapping
Want to see how a company’s online assets are structured? Amass can help you do that. It shows the full network — from domains to subnets — so you understand the target’s digital footprint properly.
⚙️ Installation (Kali Linux, Termux, Windows WSL)
Setting up Amass is simple, but if you are in India and using low-end systems or mobile phones, it might feel tricky. Do not worry — we will show you how to install Amass step-by-step on Kali Linux, Termux, and even Windows using WSL (Windows Subsystem for Linux).
🖥️ 1️⃣ Installing Amass on Kali Linux (Easiest Method)
If you are using Kali Linux (recommended for hacking), Amass is already available in its official repository.
Step 1: Update your Kali system first to avoid errors:
sudo apt update && sudo apt upgrade
Step 2: Install Amass:
sudo apt install amass
Step 3: Check installation:
amass -version
That is it! ✅
👉 Want the latest version? Install it using Go (explained below) or use GitHub binary for manual install.
📱 2️⃣ Installing Amass on Termux (For Android Users)
Want to run Amass from your Android phone? Use Termux like this:
Step 1: Install Termux (use F-Droid for the latest version).
Step 2: Update Termux packages:
pkg update && pkg upgrade
Step 3: Install Go programming language (required for Amass):
pkg install git golang
Step 4: Install Amass using Go:
go install -v github.com/owasp-amass/amass/v4/...@master
Step 5: Add Amass to Termux path:
cp ~/go/bin/amass $PREFIX/bin
Step 6: Confirm installation:
amass -version
Now you can start subdomain hunting from your mobile itself. 📱
👉 Note: Android may lag on heavy scans. Use VPS if needed.
🪟 3️⃣ Installing Amass on Windows (WSL Method)
Using Windows 10 or 11? The best way to install Amass is with WSL (Windows Subsystem for Linux).
Step 1: Enable WSL (if not done already):
wsl --install
Restart if required.
Step 2: Install Ubuntu (or Debian) from Microsoft Store.
Step 3: Update Linux inside WSL:
sudo apt update && sudo apt upgrade
Step 4: Install Amass:
sudo apt install amass
Step 5: Verify installation:
amass -version
Now your Windows is ready for bug bounty recon with Amass. ✔
📦 4️⃣ Installing Amass Using GitHub Binary (Best for Beginners)
What if Go fails or you want the easiest setup? Direct download from GitHub is the way.
Step 1: Visit 👉 https://github.com/owasp-amass/amass/releases
Step 2: Download the latest release matching your OS (Linux/Windows). Example: amass_linux_amd64.zip
Step 3: Extract the zip:
unzip amass_linux_amd64.zip
Step 4: Move it to your system path:
sudo mv amass_linux_amd64/amass /usr/local/bin/
Step 5: Give permissions to run:
sudo chmod +x /usr/local/bin/amass
Step 6: Check version:
amass -version
For Windows Users:
- Download the `.zip` → Extract it → Add the extracted folder to Path (System Environment Variables) → Run `amass` from CMD or PowerShell.
🧩 Summary of Installation Methods (Quick Reference Table)
| Platform | Best Method |
|---|---|
| Kali Linux | sudo apt install amass |
| Termux (Android) | go install github.com/owasp-amass/amass/v4/...@master |
| Windows (WSL) | sudo apt install amass |
| Any OS (Manual) | Download binary from GitHub releases |
❗ Common Errors & Fixes
| ❌ Problem | ✅ Fix |
|---|---|
| go: command not found | Install Go (sudo apt install golang) |
| amass: not found | Add the Amass binary to your system path |
| Permission denied | Run sudo chmod +x on the binary |
| Slow download | Try a VPN, or download from a faster mirror |
| API errors during scan | Check that your API keys are active and valid |
Pro Tips for Beginners
- Prefer a VPS if running long scans
- Create custom folders for recon results
- Organize tools in `/opt/` (Linux users) for a cleaner setup
- Use Amass with other recon tools (Subfinder, httpx) for better results
📦 Amass Modules Explained
Amass is built with different modules. Each one has a unique job. Once you know how they work, you will start using Amass like a pro.
Enum
This is the heart of Amass. It is used for subdomain discovery, DNS resolution, and finding associated IPs. It can run passive, active, or mixed scans depending on your settings.
Intel
Use this when you want to dig into a target’s full digital identity. It can pull ASN, CIDR, and domain relationships. Perfect for scoping big targets like company-wide recon.
Viz
Short for Visualization. This module allows you to create graphs and visual data maps of everything Amass discovers. You can export it as DOT or GraphML and use tools like Maltego or Gephi to analyze.
Track
This module helps you track how the data changes over time. For example, if a new subdomain appears next week, it can compare and tell you what is new or missing.
DB
Amass can store all its scan data in a local database. This is useful when you want to run multiple scans, compare results, or work offline. You can even create your own recon database over time.
🚀 Basic Usage with Examples
Let us start with the basics. You have installed Amass — now what? Do not worry, you do not need to remember complex commands. We will begin with simple examples that you can run on any system. These will help you understand how Amass collects data and what each result means.
First Scan Example
To run your first scan, just open your terminal and type:
amass enum -d example.com
That’s it! This will start a passive scan for all subdomains related to example.com. Even without API keys, Amass will collect data from public sources and give you a clean list.
Passive Scan (Safe)
A passive scan means Amass will not directly touch the target website. It will search from public sources like search engines, DNS records, and SSL data. This is perfect when you want to stay low and quiet — especially on private programs or in the learning stage.
amass enum -passive -d target.com
Active Scan (Aggressive)
Active mode goes one step deeper. It makes direct DNS and web requests to gather more hidden data. But be careful — this is noisy and visible to the target. Only use this when you are allowed or on public/authorized targets.
amass enum -active -d target.com
You can even combine both for stronger results:
amass enum -d target.com -active -brute
🧠 Amass Configuration Like a Pro
Default scans are good, but real hackers customize everything. You can add your own API keys, wordlists, DNS resolvers, and output formats. This helps Amass go further and find more valuable subdomains in less time.
API Key Setup (for Shodan, Censys, etc.)
Some data sources like Shodan, Censys, and VirusTotal need API keys. Once added, Amass can pull more powerful data. You just need to edit the `~/.config/amass/config.ini` file and paste your keys there.
Example:
[shodan]
api_key = YOUR_KEY_HERE
These APIs give you bonus recon data that others will miss without keys.
Custom Wordlists
Want to brute force subdomains like admin.target.com, test.target.com, and more? Use custom wordlists. Just add this flag to your scan:
amass enum -brute -d target.com -w ~/wordlists/subdomains.txt
Use lists from Seclists, assetnote, or your own wordlist made from recon.
Using Your Own Resolvers
Sometimes Amass fails due to DNS errors or slow results. Fix that by adding your own list of resolvers. It boosts speed and accuracy.
amass enum -d target.com -r ~/resolvers.txt
You can get fast DNS resolvers from public GitHub repos or Cloudflare.
🌍 Real-World Recon Scenarios
Let us now apply Amass to real-world bug bounty use cases. This is where things get exciting. These tricks are used by Indian bug bounty hunters daily to find valid bugs and report them.
How to Find Subdomains of target.com
Run:
amass enum -d target.com -o output.txt
This command will collect all known subdomains and save them to a file. You can later scan these subdomains for open ports, misconfigs, or even login panels.
Finding dev/test/staging Environments
These are usually goldmines. Try brute forcing with developer wordlists. Combine Amass with tools like `dnsx` or `httpx` to check for dev panels, login pages, or even exposed databases.
amass enum -brute -d target.com -w devlist.txt
Filtering False Positives
Amass sometimes gives results that do not resolve or are outdated. Use tools like `dnsx` or a script to filter only valid, live subdomains.
cat output.txt | dnsx -silent -a
This will clean your list and give only live targets.
⚔️ Advanced Tricks
Once you know the basics, go beyond. Combine Amass with other tools, scripts, and automation to create a powerful recon workflow. These tricks are what pros use in real-time bug bounty hunting.
When you work with large recon data, Amass can give you lots of useful information — not just subdomains, but IPs, CNAMEs, ASN data, and more. But how do you quickly extract the exact information you need?
Here are some pro-level commands to filter and extract subdomains, IP addresses, netblocks, and more like a real hacker.
Extract Only Subdomains (FQDNs)
Subdomains are the heart of recon, right? Here’s how to extract them cleanly:
cat output.txt | grep '(FQDN)' | cut -d " " -f1 | sort -u
→ What it does:
- Finds lines containing `(FQDN)`
- Cuts the first field (the subdomain)
- Removes duplicates using `sort -u`
Example Output:
deliverynavigator.cloud.google.com
toolresults.clients6.google.com
plus.google.com
Extract Only IPv4 Addresses
Want to grab all the IPv4 addresses? Run this:
cat output.txt | grep '(IPAddress)' | grep -oP '\d+\.\d+\.\d+\.\d+' | sort -u
→ What it does:
- Filters only lines with `(IPAddress)`
- Extracts IPv4 patterns
- Removes duplicates
Extract Only IPv6 Addresses
IPv6 is everywhere now. This command pulls only IPv6:
cat output.txt | grep '(IPAddress)' | grep -oP '([a-fA-F0-9:]+:+)+[a-fA-F0-9]+' | sort -u
Extract Netblocks
Sometimes you want IP ranges used by a target. This will extract netblocks:
cat output.txt | grep '(Netblock)' | cut -d " " -f1 | sort -u
Bonus Tips for Automation
- Save directly to a file:
cat output.txt | grep '(FQDN)' | cut -d " " -f1 | sort -u > subs_only.txt
- Combine with httpx-toolkit for live checking:
cat subs_only.txt | httpx-toolkit --no-color --status-code --title --output live.txt
- Combine with Nmap for full recon (httpx writes full URLs, so strip the scheme, port, and path before handing hosts to nmap):
awk '{print $1}' live.txt | sed -E 's#^https?://##; s#/.*$##; s#:[0-9]+$##' | sort -u | xargs -n1 nmap -T4 -p-
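The grep and cut one-liners above do the job, but they have two blind spots worth knowing about: `cut -f1` keeps only the left-hand node of each relationship line, so a name that Amass only ever prints on the right-hand side (an MX or NS target, for instance) is silently dropped, and the IPv6 regex accepts colon-separated strings that are not real addresses. The following Python parser is an added example, not code from the original post or from the Amass project. It assumes the v4 text output format used on this page, where every line reads `subject (Type) --> relation --> object (Type)`, reads both ends of each line, validates addresses with the standard `ipaddress` module instead of regexes, and can restrict FQDNs to the program's scope domain. The sample lines are constructed with reserved documentation addresses.

```python
"""Parse the relationship lines that `amass enum` prints and extract FQDNs,
IPv4/IPv6 addresses and netblocks.

Added example (not from the original post or from Amass). Assumes the v4 text
format: "subject (Type) --> relation --> object (Type)".
"""
import ipaddress
import re
import sys

# Constructed sample, shaped like amass enum output (documentation addresses only)
SAMPLE_OUTPUT = """\
example.com (FQDN) --> mx_record --> mail.example.com (FQDN)
example.com (FQDN) --> ns_record --> ns1.example.com (FQDN)
www.example.com (FQDN) --> cname_record --> cdn.edge-provider.example (FQDN)
example.com (FQDN) --> a_record --> 192.0.2.10 (IPAddress)
mail.example.com (FQDN) --> a_record --> 192.0.2.25 (IPAddress)
example.com (FQDN) --> aaaa_record --> 2001:db8:1::10 (IPAddress)
192.0.2.0/24 (Netblock) --> contains --> 192.0.2.10 (IPAddress)
192.0.2.0/24 (Netblock) --> contains --> 192.0.2.25 (IPAddress)
64496 (ASN) --> announces --> 192.0.2.0/24 (Netblock)
dev.example.com (FQDN) --> a_record --> 192.0.2.10 (IPAddress)
"""

# A node looks like "value (Type)"; types seen on the page: FQDN, IPAddress, Netblock, ASN
NODE_RE = re.compile(r"^(?P<value>.+?) \((?P<type>[A-Za-z]+)\)$")


def parse_nodes(text):
    """Yield (type, value) for the nodes on BOTH sides of every relationship line."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("-->")]
        if len(parts) != 3:
            continue  # banner, warning or blank line, not a relationship
        for end in (parts[0], parts[2]):
            match = NODE_RE.match(end)
            if match:
                yield match.group("type"), match.group("value")


def in_scope(fqdn, scope_domain):
    """True when fqdn is the scope domain itself or a subdomain of it."""
    return fqdn == scope_domain or fqdn.endswith("." + scope_domain)


def extract(text, scope_domain=None):
    """Return sorted, de-duplicated FQDNs, IPv4, IPv6 and netblocks.

    With scope_domain set, FQDNs outside it (e.g. CNAME targets on a CDN) are
    dropped; that is the "filter noise" step before handing the list to httpx.
    """
    fqdns, v4, v6, nets = set(), set(), set(), set()
    for ntype, value in parse_nodes(text):
        if ntype == "FQDN":
            name = value.lower()
            if scope_domain is None or in_scope(name, scope_domain.lower()):
                fqdns.add(name)
        elif ntype == "IPAddress":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                continue  # corrupted line: skip rather than mis-classify
            (v4 if ip.version == 4 else v6).add(str(ip))
        elif ntype == "Netblock":
            try:
                nets.add(str(ipaddress.ip_network(value, strict=False)))
            except ValueError:
                continue
    return {
        "fqdns": sorted(fqdns),
        "ipv4": sorted(v4, key=ipaddress.ip_address),
        "ipv6": sorted(v6, key=ipaddress.ip_address),
        "netblocks": sorted(nets),
    }


if __name__ == "__main__":
    # Usage: python3 amass_extract.py [output.txt] [scope-domain]; defaults to the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    scope = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    for key, values in extract(text, scope).items():
        print(key)
        for v in values:
            print("  " + v)
```

Run it against the file you saved with `-o`; with the scope argument, third-party CNAME targets such as the CDN name in the sample never reach the list you later feed to httpx, and ns1.example.com, which only appears on the right-hand side, is kept.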
📌 Why This Matters
→ Real-world bug bounty hunters do not rely on tool defaults. They know how to shape the output to find hidden gems. These commands help you:
- Filter noise
- Focus on live, juicy targets
- Save hours of manual effort
Practice these regularly, and you will start finding more vulnerabilities faster.
Scheduling Periodic Scans
Recon is not a one-time task. Targets change. New subdomains appear. Use `cron` to schedule Amass scans daily or weekly:
0 6 * * * /path/to/your/script.sh target.com
This way, you will never miss fresh endpoints or new exposed panels.
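The cron line above calls a script that is left to you. The part worth getting right is the comparison between runs: a job that prints the whole list every morning is noise, a job that prints what changed is signal (this is the same idea the track module implements). The following Python is an added example, not code from the original post or from Amass. It compares two snapshots in the one-name-per-line format of subs_only.txt and keeps a JSON ledger of first-seen and last-seen dates so that decommissioned hosts can be spotted as well; the snapshots, dates and ledger path are constructed.

```python
"""Diff two subdomain snapshots and keep a first-seen/last-seen ledger.

Added example (not from the original post or from Amass). Input format is
one FQDN per line, as produced by the subs_only.txt pipeline on this page.
"""
import json
from datetime import date

# Constructed snapshots: last week's run and today's run
PREVIOUS_RUN = """\
example.com
www.example.com
mail.example.com
old-portal.example.com
"""
CURRENT_RUN = """\
example.com
www.example.com
mail.example.com
staging.example.com
dev-api.example.com
"""
LEDGER_PATH = "amass_ledger.json"  # constructed path; pick your own


def load_names(text):
    """Normalise a one-name-per-line snapshot into a set (lower-case, no blanks)."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def diff_runs(previous_text, current_text):
    """Return (new, missing): names that appeared since, and names that vanished."""
    prev, cur = load_names(previous_text), load_names(current_text)
    return sorted(cur - prev), sorted(prev - cur)


def update_ledger(ledger, current_text, today):
    """Record first_seen/last_seen per name; return the names seen for the first time.

    ledger maps name -> {"first_seen": "YYYY-MM-DD", "last_seen": "YYYY-MM-DD"}.
    Names absent today keep their old last_seen, which is how you notice hosts
    that were taken down (or that your resolvers stopped answering for).
    """
    newly_seen = []
    for name in sorted(load_names(current_text)):
        entry = ledger.get(name)
        if entry is None:
            ledger[name] = {"first_seen": today, "last_seen": today}
            newly_seen.append(name)
        else:
            entry["last_seen"] = today
    return newly_seen


def load_ledger(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}  # first run


def save_ledger(path, ledger):
    with open(path, "w") as fh:
        json.dump(ledger, fh, indent=2, sort_keys=True)


if __name__ == "__main__":
    new, gone = diff_runs(PREVIOUS_RUN, CURRENT_RUN)
    print("new since last run:", new)
    print("missing since last run:", gone)
    ledger = load_ledger(LEDGER_PATH)
    first_time = update_ledger(ledger, CURRENT_RUN, date.today().isoformat())
    save_ledger(LEDGER_PATH, ledger)
    print("first time ever seen:", first_time)
```

In the scheduled script, run `amass enum -passive -d target.com -o output.txt`, produce today's subs_only.txt, then call this with yesterday's file as the previous snapshot; only the "new" and "missing" lists need to reach you by mail or chat.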
📊 Amass Visualization
Seeing is believing. Amass comes with a `viz` module that helps you visualize all the data you collect. This is super helpful when dealing with large programs or mapping complex networks. Instead of reading lists, you can view full graphs of connections between domains, IPs, and DNS records.
Using amass viz to Visualize Recon Data
It is simple. After running your recon, just use:
amass viz -d3 -dir ~/.config/amass/graphdb
This will launch a local web page where you can interact with the graph. Click, zoom, and explore relationships visually. Perfect for when you want to show work to your team or understand the target better.
Exporting as DOT, GraphML
Want to save your graph for later or use it with advanced tools? Export your data:
amass viz -g > output.graphml
Use Graphviz for `.dot` or Gephi/Maltego for `.graphml`. These help in advanced visualization workflows, especially for reporting in big bug bounty programs.
🏆 Real Bug Bounty Workflow with Amass
Let us now connect the dots between tool usage and real bug bounty success. A lot of hunters run random scans. Smart hunters follow workflows. Here is an example of how I recommend using Amass in a real recon flow:
From scope to report using Amass
1️⃣ Collect passive subdomains
2️⃣ Use brute-force for hidden subdomains
3️⃣ Check live domains with httpx
4️⃣ Scan ports with nmap
5️⃣ Screenshot endpoints with gowitness or aquatone
6️⃣ Start testing for bugs (IDOR, XSS, SSRF, etc.)
7️⃣ Track progress with Notion or Google Sheets
8️⃣ Prepare reports with screenshots, logs, and proofs
Personal Tips to Speed Up Recon
🟢 Use fast DNS resolvers (like Cloudflare or Google)
🟢 Keep multiple API keys (Shodan, Censys) ready
🟢 Run scans on VPS or cloud servers for faster results
🟢 Automate with bash scripts or tools like ReconFTW
🟢 Filter false positives early to save analysis time
This makes sure you do not waste time on dead ends.
🛠 Common Issues and How to Fix Them
❗ Amass Not Resolving?
- Add better DNS resolvers (`-r resolvers.txt`)
- Restart your network or try a VPN (in case of ISP issues)
❗ Timeout Issues?
- Happens during brute-forcing large wordlists. Solution? Break lists into smaller parts or increase timeout settings with flags.
❗ Errors While Fetching APIs?
- Check if API keys are active/expired. Some services (like Censys) require paid tiers for higher usage.
❗ Tool Crashing or Stuck?
- Close unnecessary tabs or run on a VPS/cloud to avoid memory issues.
🎯 Conclusion
Amass is not just a tool — it is a skill. Learning it fully means you will always have an advantage in bug bounty recon. Other hackers may quit after finding nothing, but with proper Amass usage, you go deeper and find more bugs.
Daily Practice Ideas
👉 Take 1 public program every day and run Amass recon
👉 Test different flags and configurations
👉 Create your own wordlists and resolvers for Indian-based targets
👉 Compare Amass results with Subfinder/Assetfinder
👉 Save interesting recon cases for learning
How to Improve Speed + Accuracy
- Use VPS for bigger scans
- Always mix passive and active recon
- Clean your results regularly
- Automate your recon to avoid wasting manual time
- Learn how to read graphs from `viz` for better analysis