
Amass

Purpose

Amass discovers additional subdomains for domain scope items using amass enum.

Plugin Information

Plugin ID: amass

Category: Recon

Plugin Type: recon

Execution: active/passive CLI recon depending on the installed Amass configuration

Default State: enabled

Default Profiles:

  • deep
  • stealth
  • recon_expanded

Input Scope

Accepted asset types:

  • domain

Required metadata:

  • None

Produces targets:

  • One Amass execution per domain.

Output

Creates assets:

  • subdomain

Creates vulnerabilities:

  • None

May enrich:

  • Parent domain metadata for discovered subdomains.

Metadata:

  • parent_domain: source domain used for the Amass run.
  • source: amass.

Graph Relations

The worker derives containment from the emitted subdomain metadata:

domain -> contains -> subdomain

Files / Artifacts

Produces:

  • None

Dependencies

Required binary: amass

Required installer entry: tools.amass

Command model:

amass enum -d <domain>

Example Flow

domain
  -> amass
subdomain

Notes

The wrapper records the executed command in RawOutput before the Amass output. It parses JSON-line output when present and otherwise falls back to extracting hostnames from text output. A non-zero Amass exit is reported as a failed or timed-out plugin result, with stdout and stderr preserved.
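The parsing behaviour described in the Notes, sketched in Python as an added example (not the plugin's own code). It assumes JSON lines carry the hostname in a `name` field, that results are kept only when they fall under the parent domain, and that assets are plain dicts; the function names and sample output are constructed for illustration.

```python
import json
import re

# One DNS label, then a dotted hostname ending in an alphabetic TLD.
LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(
    rf"(?<![a-z0-9_.-])(?:{LABEL}\.)+[a-z]{{2,63}}(?![a-z0-9_-])", re.I
)

# Constructed sample: the recorded command line first, then mixed output.
SAMPLE_RAW = """\
amass enum -d example.com
{"name":"api.example.com","domain":"example.com"}
{"name":"WWW.Example.com.","domain":"example.com"}
mail.example.com (FQDN) --> a_record --> 192.0.2.10 (IPAddress)
cdn.example.com --> cname_record --> edge.cdn-provider.net
login.notexample.com
"""


def normalize(name):
    # Trim whitespace and a trailing root dot, and fold case for deduplication.
    return name.strip().rstrip(".").lower()


def parse_amass_output(raw, parent_domain):
    """Return hypothetical subdomain asset dicts for hosts under parent_domain."""
    parent = normalize(parent_domain)
    found = set()
    for line in raw.splitlines():
        try:
            record = json.loads(line)
        except ValueError:
            record = None
        if isinstance(record, dict) and isinstance(record.get("name"), str):
            candidates = [record["name"]]  # JSON-line path ("name" is assumed)
        else:
            candidates = HOSTNAME_RE.findall(line)  # text fallback
        for host in map(normalize, candidates):
            # Label-boundary suffix check; the parent itself is not a subdomain.
            if host.endswith("." + parent):
                found.add(host)
    meta = {"parent_domain": parent, "source": "amass"}
    return [{"type": "subdomain", "value": h, "metadata": dict(meta)}
            for h in sorted(found)]


if __name__ == "__main__":
    for asset in parse_amass_output(SAMPLE_RAW, "example.com"):
        print(asset)
```

The suffix check on a label boundary keeps look-alike names such as `login.notexample.com` and third-party CNAME targets out of the asset list, and the recorded command line contributes nothing because it only names the parent domain.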