Hakluke’s Guide to Amass — How to Use Amass More Effectively for Bug Bounties

Luke Stephens (@hakluke)
7 min readAug 23, 2020
ASCII art is life

Amass has a lot of features. It’s a bit of a weird tool because despite being synonymous with bug bounty recon, and despite being extremely well known, most people don’t know how to use it to it’s full advantage. Most people that I see using Amass are just doing this:

amass enum -d clicktheclapbutton50timesplz.com

Amass hums away for a few minutes doing its thing, skulking around the slums of the internet, begging for subdomains from anyone that will listen and then sending them back to you, the hacker. You get your loot and walk away, happy with your bucketload subdomains, feeling as though you’ve achieved something great.

There’s a problem though. You’ve got the same damn subdomains that everyone else has because like most other people, you only used one Amass feature! You know how competitive bounties are right? You don’t want to put yourself at a disadvantage by not understanding the features of one of the greatest recon tools in existence do you? Having said this, amass has a lot of features and you probably won’t use most of them. This blog post outlines how I personally use amass. I’m going to highlight the features that I find to be most useful and ignore the rest.