Amass is my favorite reconnaissance tool

Let’s say you want to find all the subdomains for a given domain in order to perform an authorized security audit. There are many options, but I have seen the best results using Amass.

$ amass enum -brute -d example.com

With that command you will perform a very noisy brute-force subdomain discovery scan. This tool has many advanced features, but most of the time I just use the above command and get excellent results.

Try it on your domains and see what comes up.
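To show what "very noisy" means for whoever watches the zone's DNS, here is an added example (not part of the original post and not Amass code) that flags sources whose queries look like wordlist guessing. The log format, the thresholds and the sample lines are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO timestamp> <source IP> <queried name> <rcode>"
def parse(line):
    ts, source, qname, rcode = line.split()
    return datetime.fromisoformat(ts), source, qname.rstrip(".").lower(), rcode

def find_bruteforce(lines, zone, window=timedelta(seconds=60),
                    min_names=20, min_nx_ratio=0.8):
    """Return {source: (distinct_names, nxdomain_ratio)} for sources whose busiest
    window of queries under `zone` is mostly guesses at names that do not exist.
    Thresholds are illustrative assumptions; tune them against real traffic."""
    per_source = defaultdict(list)
    for line in lines:
        ts, source, qname, rcode = parse(line)
        if qname == zone or qname.endswith("." + zone):
            per_source[source].append((ts, qname, rcode))
    flagged = {}
    for source, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so the span covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            names = {q for _, q, _ in span}
            nx = sum(1 for _, _, r in span if r == "NXDOMAIN") / len(span)
            if len(names) >= min_names and nx >= min_nx_ratio:
                if len(names) > flagged.get(source, (0, 0.0))[0]:
                    flagged[source] = (len(names), round(nx, 2))
    return flagged

def sample_log():
    """Constructed sample: one source guessing 30 names, one ordinary client."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    guesses = [f"host{i}" for i in range(28)] + ["www", "mail"]
    lines = []
    for i, label in enumerate(guesses):
        rcode = "NOERROR" if label in ("www", "mail") else "NXDOMAIN"
        stamp = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{stamp} 203.0.113.7 {label}.example.com {rcode}")
    for i in range(30):
        stamp = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{stamp} 198.51.100.20 www.example.com NOERROR")
    return lines

if __name__ == "__main__":
    print(find_bruteforce(sample_log(), "example.com"))
```

The source address is whatever the log records, which on an authoritative server is usually a recursive resolver rather than the scanning host.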

By Giovanni Collazo

Software developer, user experience designer, and web application security enthusiast from San Juan, Puerto Rico. You can find me on Twitter as @gcollazo.