Activity: Amass passive reconnaissance activity

A hands-on activity exploring passive domain reconnaissance with Amass

From the command line in Kali Linux, run the amass command to do reconnaissance against a target.

Intel module — Collect intelligence

  1. Look for organizations with “uber” in their name:

    amass intel -org uber
    
  2. Look up domains for a given IP range:

    amass intel -ip -src -cidr 128.187.0.0/16
    
  3. Reverse whois:

    This method is invoked using the -whois flag. Essentially it takes the details from the specified domain’s whois records, and then tries to find other domains with similar whois records.

    This is a great method for discovering root domains that may be owned by an organisation. (source)

    amass intel -whois -d byu.edu
    
  4. ASN search:

    amass intel -asn 63086
    

Enum module — Enumerate and map targets

  1. Determine how many subdomains exist for a given domain:

    amass enum -ip -d nmims.edu
    
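Added example, not part of the original activity or of the Amass project: the shell functions below read `amass enum -ip` output (assumed to be one host per line in the form `hostname ip1,ip2`) over a constructed sample, report the number of distinct subdomains, and list every hostname that is missing from a constructed asset inventory, which is the check a defender running this activity against their own domain would want to make.

```shell
# Added example; assumes the `amass enum -ip -d <domain>` output format
# "hostname ip1,ip2" (one host per line). Sample data below is constructed.

# Constructed amass output (not real results); note the duplicate www line
AMASS_OUTPUT='www.example.com 203.0.113.10
mail.example.com 203.0.113.20,203.0.113.21
dev.example.com 198.51.100.5
www.example.com 203.0.113.10
old-test.example.com 198.51.100.9'

# Constructed asset inventory: hostnames the organisation knows it owns
KNOWN_ASSETS='www.example.com
mail.example.com'

# unique_hosts: distinct hostnames (first field) from amass output, sorted
unique_hosts() {
  printf '%s\n' "$1" | awk 'NF >= 1 { print $1 }' | sort -u
}

# count_hosts: how many distinct subdomains amass discovered
count_hosts() {
  unique_hosts "$1" | wc -l | tr -d ' '
}

# unknown_hosts: discovered hosts absent from the inventory, with the IPs
# amass resolved for them; these are the forgotten or unmanaged assets
unknown_hosts() {
  amass_out=$1
  inventory=$2
  printf '%s\n' "$amass_out" | sort -u | while read -r host ips; do
    [ -n "$host" ] || continue
    if ! printf '%s\n' "$inventory" | grep -qxF "$host"; then
      printf '%s %s\n' "$host" "$ips"
    fi
  done
}

echo "distinct subdomains: $(count_hosts "$AMASS_OUTPUT")"
echo "discovered but not in inventory:"
unknown_hosts "$AMASS_OUTPUT" "$KNOWN_ASSETS"
```

To use it on real output, save the enumeration with `amass enum -ip -d <domain> > amass.txt` and pass `"$(cat amass.txt)"` in place of the constructed sample.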

Find more options

Look at the Amass Users’ Guide for more options:

https://github.com/OWASP/Amass/blob/master/doc/user_guide.md