Amass Cheat Sheet — Subdomain Enumeration

medium.com · Dhruv · 21 days ago · research
Dhruv · March 22, 2026 (Updated: March 22, 2026)

1️⃣ Basic Enumeration

Run a simple scan:

    amass enum -d example.com

Passive sources only (no active probing):

    amass enum -passive -d example.com

Specify an output file:

    amass enum -d example.com -o subdomains.txt

2️⃣ Active Enumeration (More Powerful)

Active mode performs DNS brute-forcing and resolution.

    amass enum -active -d example.com

Include brute forcing:

    amass enum -brute -d example.com

Use a wordlist:

    amass enum -brute -w wordlist.txt -d example.com

3️⃣ Multiple Domains

Enumerate several domains:

    amass enum -df domains.txt

Example domains.txt:

    example.com
    test.com
    target.org

4️⃣ Use API Keys (Better Results)

Amass supports APIs like SecurityTrails, Shodan, Censys and VirusTotal.

Pass a config file:

    amass enum -config config.ini -d example.com

Example config.ini snippet:

    [virustotal]
    apikey = YOUR_API_KEY

    [securitytrails]
    apikey = YOUR_API_KEY

5️⃣ Set Resolver List

Using good DNS resolvers improves results.

    amass enum -rf resolvers.txt -d example.com

Example resolvers.txt:

    1.1.1.1
    8.8.8.8
    9.9.9.9

6️⃣ Run with Maximum Data Sources

Use all sources available:

    amass enum -src -ip -d example.com

Options:

    Flag      Purpose
    -src      Show data source
    -ip       Resolve IPs
    -brute    DNS brute force
    -active   Active scanning

7️⃣ Enumeration with Timing Control

Control scan speed:

    amass enum -d example.com -max-dns-queries 200

8️⃣ Subdomain Visualization

Amass can generate graphs.

    amass viz -d3 -d example.com -o graph.html

Other formats:

    amass viz -dot -d example.com

9️⃣ Use the Amass Database

Store results:

    amass enum -d example.com -dir amass_data

List domains:

    amass db -dir amass_data -names

Show IP mapping:

    amass db -dir amass_data -show -ip

🔟 Track Changes (Attack Surface Monitoring)

    amass track -d example.com

Shows new subdomains discovered over time.

🧠 Pro Bug Bounty Workflow

Typical workflow used by hackers:

    subfinder -d example.com -o subs1.txt
    amass enum -passive -d example.com -o subs2.txt
    cat subs*.txt | sort -u > all_subs.txt
    dnsx -l all_subs.txt -o live_subs.txt
    httpx -l live_subs.txt

Tools often combined with Amass: Subfinder, dnsx, httpx.

⚡ High-Signal Command (Recommended)

    amass enum -active -brute -min-for-recursive 2 -d example.com -o amass.txt

This enables recursive enumeration, brute forcing and active discovery.

🧪 Useful Wordlists

Common sources:

    SecLists/Discovery/DNS/
    assetnote/subdomains

From OWASP repository collections.

⚠️ Ethical Reminder

Always run enumeration only on systems you are authorized to test (bug bounty scope, internal pentest, or lab environments).
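
The merge step in the workflow and the change-tracking idea above, as an added example that is not code from the original article: a POSIX shell helper that restricts a merged results file to the domains listed in domains.txt and prints the names that appear only in the newer run. The function names, the old/new file names and the sample hostnames are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Hostnames are constructed.

# in_scope SCOPE_FILE < names
# Lower-case each name, drop a trailing dot, and keep it only if it equals a
# scope domain or ends in ".<scope domain>" (label boundary, so
# notexample.com does not match example.com). Output is sorted and unique.
in_scope() {
  awk -v scope_file="$1" '
    BEGIN {
      while ((getline d < scope_file) > 0) {
        d = tolower(d); gsub(/[ \t\r]/, "", d)
        if (d != "") scope[d] = 1
      }
    }
    {
      h = tolower($1); gsub(/\r/, "", h); sub(/\.$/, "", h)
      if (h == "") next
      for (d in scope) {
        start = length(h) - length(d)
        if (h == d || (start > 1 && substr(h, start) == ("." d))) {
          print h; break
        }
      }
    }' | LC_ALL=C sort -u
}

# new_subs OLD NEW SCOPE_FILE: in-scope names present in NEW but not in OLD.
new_subs() {
  old_tmp=$(mktemp); new_tmp=$(mktemp)
  in_scope "$3" < "$1" > "$old_tmp"
  in_scope "$3" < "$2" > "$new_tmp"
  LC_ALL=C comm -13 "$old_tmp" "$new_tmp"
  rm -f "$old_tmp" "$new_tmp"
}

# Constructed sample data standing in for two merged all_subs.txt files.
demo() {
  d=$(mktemp -d)
  printf '%s\n' example.com test.com > "$d/domains.txt"
  printf '%s\n' www.example.com api.example.com > "$d/all_subs_old.txt"
  printf '%s\n' WWW.example.com. api.example.com dev.example.com \
    notexample.com cdn.thirdparty.net staging.test.com > "$d/all_subs_new.txt"
  new_subs "$d/all_subs_old.txt" "$d/all_subs_new.txt" "$d/domains.txt"
  rm -rf "$d"
}
demo
```

Feeding the scope-filtered list, rather than the raw merge, into later steps keeps third-party hosts returned by passive sources out of the run.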