A Model Context Protocol (MCP) server for OWASP Amass - the premier open-source tool for subdomain enumeration and attack surface mapping. This server enables AI assistants to perform comprehensive reconnaissance and asset discovery via natural language.
This MCP server provides a bridge between AI assistants and OWASP Amass, executing commands via SSH on a remote Kali Linux system. It exposes all major Amass capabilities including subdomain enumeration, intelligence gathering, change tracking, and visualization generation.
- Subdomain Enumeration - Passive (OSINT), active (DNS), and brute-force discovery
- Intelligence Gathering - Reverse WHOIS, ASN lookup, CIDR investigation
- Attack Surface Tracking - Monitor infrastructure changes over time
- Graph Database - Query and manage discovered assets
- Visualization Export - D3.js, Vis.js, Maltego, GEXF formats
- Configurable Data Sources - Support for 50+ OSINT APIs
Amass must be installed on a Kali Linux system:
```bash
# Option 1: Package manager
sudo apt update && sudo apt install amass
# Option 2: Go install (latest version)
go install -v github.com/owasp-amass/amass/v4/...@master
```

Key-based SSH authentication to your Kali system is required. Configure a host alias in ~/.ssh/config:
```
Host kali
    HostName 192.168.1.100
    Port 22
    User your-username
    IdentityFile ~/.ssh/id_ed25519
```
Test connectivity:
```bash
ssh kali amass -version
```

If Amass requires elevated privileges on your Kali system:

```bash
echo "your-username ALL=(ALL) NOPASSWD: /usr/bin/amass" | sudo tee /etc/sudoers.d/amass
```

```bash
git clone https://github.com/schwarztim/sec-amass-mcp.git
cd sec-amass-mcp
npm install
npm run build
```

| Variable | Default | Description |
|---|---|---|
| `AMASS_SSH_HOST` | `kali` | SSH host alias for Kali system |
| `AMASS_TIMEOUT` | `600000` | Command timeout in milliseconds (10 min default) |
Add to your claude_desktop_config.json:
```json
{
  "mcpServers": {
    "amass": {
      "command": "node",
      "args": ["/path/to/sec-amass-mcp/dist/index.js"],
      "env": {
        "AMASS_SSH_HOST": "kali",
        "AMASS_TIMEOUT": "600000"
      }
    }
  }
}
```

For enhanced results, configure API keys in ~/.config/amass/config.yaml on your Kali system:
```yaml
scope:
  domains:
    - example.com
options:
  resolvers:
    - 8.8.8.8
    - 1.1.1.1
data_sources:
  - name: SecurityTrails
    credentials:
      apikey: your-api-key
  - name: Shodan
    credentials:
      apikey: your-api-key
```

Perform DNS enumeration and subdomain discovery.
Parameters:
- `domain` (required) - Target domain to enumerate
- `passive` - OSINT-only mode (no DNS queries, stealthier)
- `active` - Enable DNS resolution validation
- `brute` - Enable brute-force subdomain discovery
- `wordlist` - Custom wordlist path for brute-force
- `recursive` - Recursively brute-force discovered subdomains
- `json` - Output results in JSON format
- `src` - Show data source for each result
- `ip` - Include IP addresses in output
- `asn` - Filter by ASN numbers
- `cidr` - Filter by CIDR ranges
- `timeout` - Custom timeout in milliseconds
Gather intelligence about an organization's attack surface.
Parameters:
- `domain` - Target domain for investigation
- `org` - Organization name for reverse WHOIS lookup
- `asn` - ASN numbers to investigate
- `ip` - IP address to investigate
- `cidr` - CIDR ranges to investigate
- `whois` - Enable reverse WHOIS lookups
- `active` - Enable active intelligence gathering
Track attack surface changes over time.
Parameters:
- `domain` (required) - Target domain to track
- `last` - Compare against last N enumerations
- `since` - Compare since date (format: 2006-01-02)
- `history` - Show full enumeration history
Query and manage the Amass graph database.
Parameters:
- `domain` - Filter by domain
- `names` - Show discovered subdomain names
- `ip` - Show discovered IP addresses
- `asn` - Show ASN information
- `cidr` - Show CIDR ranges
- `summary` - Show summary statistics
- `list` - List available enumerations
Generate visualizations from enumeration data.
Parameters:
- `domain` - Filter by domain
- `d3` - Output path for D3.js HTML visualization
- `visjs` - Output path for Vis.js HTML visualization
- `maltego` - Output path for Maltego CSV
- `gexf` - Output path for GEXF graph format
Dedicated brute-force subdomain discovery.
Parameters:
- `domain` (required) - Target domain
- `wordlist` (required) - Path to wordlist file
- `recursive` - Recursively brute-force discoveries
- `min_for_recursive` - Minimum subdomains before recursion
Check Amass configuration and available data sources.
Parameters:
- `check` - Validate configuration file
- `list_sources` - List all available data sources
Get the installed Amass version.
```json
{
  "tool": "amass_enum",
  "arguments": {
    "domain": "example.com",
    "passive": true,
    "src": true
  }
}
```

```json
{
  "tool": "amass_enum",
  "arguments": {
    "domain": "example.com",
    "active": true,
    "ip": true,
    "json": true
  }
}
```

```json
{
  "tool": "amass_enum",
  "arguments": {
    "domain": "example.com",
    "brute": true,
    "recursive": true,
    "wordlist": "/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt"
  }
}
```

```json
{
  "tool": "amass_intel",
  "arguments": {
    "org": "Example Corporation",
    "whois": true
  }
}
```

```json
{
  "tool": "amass_track",
  "arguments": {
    "domain": "example.com",
    "last": 5
  }
}
```

```json
{
  "tool": "amass_viz",
  "arguments": {
    "domain": "example.com",
    "d3": "/tmp/example-graph.html"
  }
}
```

- This tool is designed for authorized security testing only
- Always obtain proper authorization before scanning any domain
- Passive mode (`-passive`) minimizes detection risk
- Active and brute-force modes generate significant DNS traffic
- Configure rate limiting via Amass config to avoid detection
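
Because the server runs Amass over SSH, tool arguments supplied by the assistant end up in a command string that the remote login shell parses again. One way to validate and quote those arguments before they leave the server, as an added example that is not the project's own code; the function names and the mapping of `amass_enum` parameters to `-d`, `-passive`, `-brute` and `-w` are assumptions:

```javascript
// Added example: validate MCP tool arguments before they reach the remote shell.
// The flag mapping (-d, -passive, -brute, -w) is an assumption about how the
// server translates amass_enum parameters; it is not taken from the project.

// Hostname syntax: dot-separated labels of 1-63 chars, no leading/trailing hyphen.
const DOMAIN_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;
// Absolute path built from a conservative character set.
const PATH_RE = /^\/[A-Za-z0-9._\/-]+$/;

// Single-quote a value for a POSIX shell. ssh joins its arguments into one
// string that the remote shell parses, so every value must be quoted.
function shQuote(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

function buildEnumCommand(args) {
  if (typeof args.domain !== "string" || !DOMAIN_RE.test(args.domain)) {
    throw new Error("invalid domain");
  }
  const argv = ["amass", "enum", "-d", args.domain];
  if (args.passive === true) argv.push("-passive");
  if (args.brute === true) argv.push("-brute");
  if (args.wordlist !== undefined) {
    if (typeof args.wordlist !== "string" || !PATH_RE.test(args.wordlist) ||
        args.wordlist.split("/").includes("..")) {
      throw new Error("invalid wordlist path");
    }
    argv.push("-w", args.wordlist);
  }
  // Quote every element, even the validated ones: defence in depth.
  return argv.map(shQuote).join(" ");
}

// Arguments for child_process.execFile("ssh", ...): no local shell is involved,
// "--" ends ssh option parsing, and the host alias itself is validated.
function sshArgv(host, remoteCommand) {
  if (!/^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(host)) {
    throw new Error("invalid host alias");
  }
  return ["--", host, remoteCommand];
}
```

Rejecting a malformed value outright, rather than trying to sanitize it, keeps the set of strings that can reach the Kali host small and easy to audit.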
```bash
# Test SSH connectivity
ssh kali echo "Connection successful"
# Test Amass availability
ssh kali amass -version
```

For large scopes, increase the timeout:

```json
{
  "arguments": {
    "domain": "example.com",
    "timeout": 1800000
  }
}
```

- Check if DNS resolvers are accessible from Kali
- Verify API keys are configured correctly
- Try passive mode first to test OSINT sources
MIT License - see LICENSE for details.
This tool is provided for educational and authorized security testing purposes only. Users are responsible for ensuring they have proper authorization before scanning any systems or networks. Unauthorized scanning may violate laws and regulations.