This Amass tutorial explains how cybersecurity professionals use OWASP Amass to perform subdomain enumeration and attack surface discovery during reconnaissance. Amass is a powerful cybersecurity reconnaissance tool used by ethical hackers, penetration testers, and bug bounty hunters to discover hidden domains, assets, and infrastructure belonging to a target organization.

In this Amass tutorial, security researchers learn how Amass collects information from DNS records, certificate transparency logs, search engines, APIs, and internet intelligence sources to map the external infrastructure of a company.

For example, when running:

amass enum -d example.com

Amass may reveal hidden systems such as:

api.example.com
dev.example.com
vpn.example.com
admin.example.com

These discovered assets are then analyzed for vulnerabilities. Because reconnaissance is the first stage of penetration testing and ethical hacking, learning via this Amass tutorial is an essential skill for cybersecurity professionals.

What is OWASP Amass?

In this Amass tutorial, we first need to understand what Amass actually does.

OWASP Amass is an open-source reconnaissance tool used for subdomain enumeration and attack surface mapping. It helps cybersecurity professionals discover external infrastructure associated with a target domain.

OWASP Amass official project:
https://owasp.org/www-project-amass/

The Amass tool is widely used in:

  • Ethical hacking
  • Bug bounty programs
  • Red team operations
  • penetration testing
  • threat intelligence
  • cybersecurity reconnaissance

When security professionals go through this Amass tutorial, they are essentially learning how to discover hidden internet assets belonging to an organization.

These assets may include:

  • subdomains
  • DNS records
  • related domains
  • cloud infrastructure
  • external services

Because organizations often have large and complex infrastructures, discovering all exposed systems manually would be impossible. This is where the Amass reconnaissance tool becomes extremely powerful.

Why Subdomain Enumeration Matters

Subdomain enumeration is a fundamental step in cybersecurity reconnaissance.

Large organizations rarely operate a single domain. Instead they operate hundreds or thousands of subdomains.

Example:

example.com

Possible infrastructure may be discovered using an Amass :

dev.example.com
api.example.com
mail.example.com
vpn.example.com
portal.example.com
admin.example.com

Many of these systems may:

  • run outdated software
  • expose internal services
  • contain development environments
  • reveal hidden infrastructure

This is why Amass reconnaissance is a critical step in penetration testing.

Simple Explanation for Beginners

Imagine a company website is like a large shopping mall.

The main domain:

example.com

is the main entrance.

But the mall may have many hidden doors:

  • staff entrance
  • delivery entrance
  • emergency exit
  • service hallway

This Amass tutorial teaches ethical hackers how to find every door belonging to the building.

Once all doors are discovered, they can be tested for security weaknesses.

How Amass Works Internally ?

During an Amass tutorial, cybersecurity professionals learn that Amass uses multiple reconnaissance techniques.

Passive Reconnaissance

Passive reconnaissance collects information without directly interacting with the target server.

Sources include:

  • certificate transparency logs
  • public DNS records
  • search engines
  • security intelligence APIs

One of the most important sources is:

OWASP Amass project.

Certificate logs often reveal subdomains created during SSL certificate issuance.

Active Reconnaissance

Active reconnaissance involves direct interaction with DNS infrastructure.

This includes:

  • DNS brute forcing
  • DNS resolution
  • zone transfer attempts

Example:

admin.example.com
test.example.com
dev.example.com

This Amass tutorial teaches how to perform both passive and active reconnaissance safely.

Graph-Based Asset Mapping

One powerful feature of Amass is its graph database engine.

Amass builds relationships between assets:

example.com
   |
   ├ api.example.com
   ├ dev.example.com
   └ portal.example.com

This helps ethical hackers understand:

  • infrastructure relationships
  • domain ownership
  • attack paths

How Attackers Use Amass ?

Understanding the attacker mindset is critical in cybersecurity training.

Professional attackers do not randomly attack systems.

Instead they follow a structured workflow.

Phase 1: Reconnaissance

The first step is information gathering.

Attackers use an Amass tutorial workflow to map the entire infrastructure of a target.

Example command:

amass enum -d target.com

This reveals hidden systems.

Phase 2: Identify Interesting Targets

Hackers look for keywords indicating sensitive systems.

Common examples:

admin
internal
dev
vpn
test
staging
portal
backup

These systems often have weaker security.

Example discovered domain:

dev.company.com

Development servers frequently expose vulnerabilities.

Phase 3: Vulnerability Discovery

Once subdomains are discovered using Amass reconnaissance, attackers run additional tools such as:

  • Nmap
  • FFUF
  • Gobuster
  • Burp Suite

Example workflow used by bug bounty hunters:

Amass → Nmap → Directory Bruteforce → Exploitation

SecurityElites Hands-On Lab – Amass Tutorial Using Kali Linux for Beginners

In this Amass tutorial lab, we will learn how to use OWASP Amass step by step to discover hidden subdomains of a website.

This lab is designed so even a beginner who has never used cybersecurity tools before can follow it.

Think of this Amass tutorial as a treasure hunt game.

The goal is simple:

We want to find all the hidden doors of a website.

In cybersecurity, these hidden doors are called:

subdomains

Example:

example.com

Hidden doors might be:

dev.example.com
api.example.com
admin.example.com
portal.example.com

The Amass tool helps ethical hackers discover these hidden systems automatically.

This is why learning this Amass tutorial is one of the first skills in ethical hacking and bug bounty reconnaissance.

Lab Environment Setup

Before starting this Amass tutorial, we need a small lab environment.

You need:

• Kali Linux
• Internet connection
• Terminal access

Kali Linux already contains many cybersecurity tools used by ethical hackers.

One of them is Amass reconnaissance tool.

Step 1 — Open Kali Linux Terminal

First, open the Terminal.

In Kali Linux you can open terminal by clicking:

Applications → Terminal

Or press:

CTRL + ALT + T

The terminal is where we type commands for this Amass tutorial lab.

Think of the terminal like a command center where you talk to the computer.

Step 2 — Check if Amass is Installed

Before starting the Amass tutorial, we need to check if the Amass tool is already installed.

Type this command:

amass

If Amass is installed, you will see a help screen showing different options.

If you see something like:

command not found

that means Amass is not installed yet.

Step 3 — Install Amass (If Needed)

To install Amass, type:

sudo apt update

Press Enter.

Then install Amass:

sudo apt install amass

The system will download and install the Amass reconnaissance tool.

After installation, run:

amass

Now the Amass tutorial lab environment is ready.

Step 4 — Understanding the Basic Amass Command

In this Amass tutorial, the most important command is:

amass enum -d domain.com

Let’s understand this.

amass

This calls the Amass tool.

enum

This means enumeration, which means discovering things.

-d

This means domain.

So the full command means:

“Use Amass to discover subdomains of a domain.”

Step 5 — Run Your First Amass Scan

Now we will run our first scan in this Amass tutorial lab.

Type this command:

amass enum -d tesla.com

Press Enter.

Now Amass will begin searching the internet for subdomains of tesla.com.

After some time you may see results like:

api.tesla.com
energy.tesla.com
shop.tesla.com
auth.tesla.com

These are subdomains discovered during Amass reconnaissance.

Each one is a separate system owned by the company.

Step 6 — Passive Recon Mode

In this Amass tutorial, we can run Amass in passive mode.

Passive mode means:

We only collect public information from the internet.

This is safer and quieter.

Run:

amass enum -passive -d tesla.com

Now Amass will collect data from:

• certificate transparency logs
• search engines
• security databases
• DNS datasets

This type of reconnaissance is called:

Passive Reconnaissance

Step 7 — Active Recon Mode

Active reconnaissance means we actively ask DNS servers for information.

Run this command:

amass enum -active -d tesla.com

In this Amass tutorial, active mode tries to discover more hidden systems.

It performs things like:

• DNS probing
• infrastructure discovery
• deeper enumeration

Active reconnaissance may discover additional subdomains.

Step 8 — Brute Force Subdomains

In this Amass tutorial, we can also try guessing subdomains.

This is called subdomain brute forcing.

Run:

amass enum -brute -d tesla.com

Now Amass will try common names like:

admin.tesla.com
dev.tesla.com
vpn.tesla.com
portal.tesla.com

Many companies accidentally leave these systems exposed.

Step 9 — Save the Results

During a real Amass reconnaissance campaign, ethical hackers always save results.

Run:

amass enum -d tesla.com -o results.txt

Now all discovered subdomains will be saved inside:

results.txt

Saving reconnaissance data helps penetration testers analyze results later.

Step 10 — Discover Where Data Came From

One powerful feature in this Amass tutorial is discovering data sources.

Run:

amass enum -src -d tesla.com

Now Amass will show where it found each subdomain.

Example:

api.tesla.com (crtsh)
energy.tesla.com (dns)
shop.tesla.com (certspotter)

This helps ethical hackers understand how the information was discovered.

Another useful command in this Amass tutorial is intel mode.

Run:

amass intel -d tesla.com

This command discovers related domains owned by the same company.

Example:

teslamotors.com
teslaenergy.com

This helps map the entire digital infrastructure of an organization.

Step 12 — What Happens After Amass Recon?

After completing this Amass tutorial lab, ethical hackers now have a list of discovered assets.

Next steps usually include:

  1. Port scanning using Nmap
  2. Directory discovery using FFUF or Gobuster
  3. Web vulnerability testing using Burp Suite

This process is called:

Recon → Enumeration → Exploitation

And Amass reconnaissance is the first step in this process.

If you are new to cybersecurity, remember this simple idea:

Hackers do not start by attacking.

They start by collecting information.

This Amass tutorial teaches how to collect that information safely and legally.

Frequently Asked Questions – Amass Tutorial using Kali Linux

What is Amass in cybersecurity?

Amass is a reconnaissance tool used for discovering subdomains and internet infrastructure of a target organization. In this Amass tutorial, we learned that Amass gathers information from DNS records, certificate logs, search engines, and public intelligence sources. Ethical hackers use Amass during reconnaissance to understand what systems belong to a company before testing them for vulnerabilities.

Why do ethical hackers use Amass?

Ethical hackers use Amass because organizations often have many hidden subdomains and services. During an Amass tutorial, we learn that discovering these hidden assets helps penetration testers find systems that may be vulnerable or poorly secured. Amass reconnaissance helps map the full attack surface of an organization.

Yes, Amass is legal when used for learning cybersecurity, ethical hacking training, or authorized penetration testing. This Amass tutorial demonstrates how the tool works in a lab environment. However, scanning systems without permission may violate cybersecurity laws, so always test only on systems you own or have permission to assess.

Can beginners learn Amass easily?

Yes. The Amass tutorial is beginner friendly because the basic command is very simple:

amass enum -d domain.com

Even students new to cybersecurity can quickly understand how Amass discovers subdomains and hidden infrastructure.

Why do hackers look for subdomains?

Subdomains often host development servers, APIs, staging environments, and internal portals. During an Amass tutorial, we learn that these systems may have weaker security than the main website. Discovering these systems gives ethical hackers new locations to test for vulnerabilities.

Does Amass work on Kali Linux?

Yes. Amass is included in most Kali Linux installations and is widely used by penetration testers. This Amass tutorial lab used Kali Linux because it already contains many tools used in ethical hacking and cybersecurity reconnaissance.

What should I learn after this Amass tutorial?

After finishing this Amass tutorial, beginners should learn other reconnaissance and penetration testing tools such as:

• Nmap network scanning
• FFUF web fuzzing
• Gobuster directory enumeration
• Burp Suite web security testing

These tools combine with Amass to create a complete ethical hacking workflow.

Conclusion – Key Takeways

This Amass tutorial is one of the most important lessons in cybersecurity reconnaissance.

Before attacking any system, ethical hackers must understand the attack surface.

Amass helps discover:

  • hidden domains
  • infrastructure relationships
  • external assets

This information becomes the foundation of penetration testing and bug bounty research.

Mastering this Amass tutorial workflow will significantly improve your reconnaissance capabilities and help you discover vulnerabilities faster.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here