Amass Docs¶
OWASP Amass is an open-source, versatile attack surface intelligence framework designed to comprehensively map an organization’s footprint. Built for flexibility and depth, Amass combines advanced data collection, network mapping, and OSINT capabilities to deliver detailed insights into physical and digital assets.
// Overview¶
OWASP Amass extends far beyond basic subdomain enumeration, offering a comprehensive, automated approach to information gathering that reveals the full scope of an entity's physical and digital footprint.
Open Asset Model (OAM)
The Open Asset Model expands traditional specifications by modeling both the physical and digital structure of a target's asset landscape. Defining asset types, their unique properties, and the relationships that join them, the OAM compiles a comprehensive view of the attack surface from an adversarial perspective.
Unlocking the Power of OWASP Amass by @jeff_foley - DEFCON 31 Recon Village 33m
-
Automated Deployment and Enumeration: Easily deploy Amass with Docker Compose for quick, automated asset discovery across multiple domains with minimal configuration.
-
Centralized Asset Management with Asset DB: Use the Asset DB for storing, managing, and retrieving discovered assets, with support for long-term tracking and consistent data collection via the Open Asset Model.
-
Scalable and Flexible Infrastructure: Designed for enterprise environments, Docker enables scalable deployments of Amass, ensuring consistent attack surface management for organizations of any size.
-
Advanced Collection and Monitoring: The Collections Engine refines the data collection process, while open-source tools like syslog-ng provide centralized logging, enabling real-time monitoring and diagnostics.
-
Visualization and Data-Driven Insights: The latest release features a fully integrated Grafana dashboard, providing dynamic visualization and analysis for deeper attack surface intelligence.
Getting Started¶
Users have several options when installing the Amass framework.
Build from Source Code¶
Install the Amass swiss army knife executable in your preferred environment.
Prerequisites¶
- Golang: Install an up-to-date version of Go on your system. You can download it from the Go Official Website.
Perform the build and installation process¶
At this point, the binary should be in $GOPATH/bin.
Install using Homebrew¶
The OWASP Amass Project maintains a Homebrew package.
Prerequisites¶
- Homebrew: Intall an up-to-date version of the package manager on your system. You can download it from the Homebrew Official Website.
Perform the build and installation process¶
The following two commands will install Amass into your environment:
Containerized Execution within Docker Compose¶
Follow these steps to set up Amass using Docker Compose:
Prerequisites¶
Before you begin, make sure you have the following installed on your system:
-
Docker: Up-to-date intallation running on your system. You can download it from the Docker Official Website.
-
Docker Compose: Typically, Docker Compose is bundled with Docker Desktop, but you can verify the installation or install it seperately from Docker Compose Installation.
-
Git: To clone the Amass repository. Download it from the Git Official Website
Step 1: Clone the Amass Docker Compose Directory¶
Start by cloning the OWASP Amass repository containing the Docker Compose setup files.
git clone https://github.com/owasp-amass/amass-docker-compose.git
mv amass-docker-compose amass # Optional: Rename the directory to something shorter (e.g., amass)
cd amass # Navigate to the local repository
Step 2: Configure the Compose Environment¶
> Open the assetdb.env File:
Navigate to the config directory and open the assetdb.env file in a text editor to set the database passwords.
- You can replace
nanowith your preferred text editor, likevimorcodefor Visual Studio Code.
> Set the Passwords:
In the assetdb.env file, locate the lines for POSTGRES_PASSWORD and AMASS_PASSWORD. Update them to assign new values.
For example:
Warning
This cannot be performed after you start the Docker Compose and the database has been created.
> Save Changes:
After editing, save the file:
-
If you're using nano: Press
Ctrl + O(then hitEnter) to save andCtrl + Xto exit. -
If you're using vim: Press
Esc, then type:wqand hitEnter.
> Modify the config.yaml File:
Open the config.yaml file to set the database password to the one you just assigned as AMASS_PASSWORD.
> Update the Database Password:
Find the section in the config.yaml file that specifies the database settings. Change the password to match the AMASS_PASSWORD you set earlier.
For example:
> Save Changes:
As before, save the changes using your preferred text editor.
Update the Data Sources
If you want to configure data sources, you can modify the datasources.yaml file. Open it with:
Step 3: Building the Docker Images¶
Your Amass framework is now configured and ready to be built. Docker Compose will build the required images and start them correctly when you perform your first Amass command execution.
> Type the following to get started:
- If the build process times out, simply execute the command again to resume.
Update Process for the Compose Environment¶
> Make the local repo your current working directory:
> Shutdown the Amass containers within the Docker environment:
> Backup the configuration files:
> Backup the following directories: assetdb , data , logs.
> Update the local repo:
Update Process for the Docker Images¶
> Make the local repo your current working directory:
> Shutdown the Amass containers within the Docker environment:
> Update components from their GitHub repos:
Amass Packages Maintained by a Third Party¶
License¶
Copyright 2017-2025 Jeff Foley
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.