OWASP Amass Alternative — Free Online Subdomain Finder
OWASP Amass is one of the most capable subdomain enumeration tools ever built — 50+ data sources, active and passive modes, graph visualization, and a database that tracks your attack surface over time. It is also one of the most demanding tools to configure and run correctly. SubDomainsFinder.com covers the passive recon side from any browser, with zero installation and results in seconds, and adds open port and hosting context that Amass does not surface natively.
Try the free subdomain finder — no install needed
Enter any domain to discover all its subdomains instantly.
TL;DR — when to use which
- Use SubDomainsFinder when you need fast passive reconnaissance in a browser — no Go install, no config file, no risk of accidentally triggering active scans. Results include IP addresses, open ports, and ASN in one view.
- Use Amass when you need the most comprehensive possible subdomain enumeration — active brute-force, zone transfer attempts, 50+ passive sources, and long-term historical tracking of your attack surface.
- Use both when speed matters for initial triage (SubDomainsFinder) and depth matters for thorough coverage on high-value targets (Amass with a fully configured data source file).
What is OWASP Amass?
OWASP Amass is an open-source attack surface mapping tool written in Go, maintained under the OWASP foundation and currently at version 4.x. It is the most feature-complete subdomain enumeration tool in the open-source ecosystem — combining passive data source queries, active DNS enumeration, brute-force wordlist attacks, DNS zone transfer attempts, and web scraping into a single framework. Unlike tools focused purely on passive discovery, Amass can be configured to actively probe a target, which gives it reach that no passive tool can match.
Amass exposes three primary subcommands. amass enum handles subdomain enumeration in both passive and active modes. amass intel provides ASN and CIDR lookups — useful for identifying all IP ranges belonging to an organization before you begin subdomain work. amass viz exports scan results into graph formats including GraphML, Gephi, and D3 JSON, allowing you to visualize relationships between subdomains, IP addresses, and ASNs. A database backend — SQLite by default, with PostgreSQL support — stores results across scan runs so you can diff current findings against previous ones and detect newly exposed infrastructure over time.
The power comes with real operational cost. Amass requires a working Go environment or a pre-built binary, a data source configuration file populated with API keys for its 50+ integrations, and enough machine resources to handle long-running scans against large targets — active enumeration against a major program can consume several gigabytes of memory and run for hours. Active modes send real traffic to the target, which can trigger WAF alerts or be interpreted as hostile reconnaissance. Getting the most out of Amass requires understanding which of its many flags and config options apply to your situation.
# Install via Go (requires Go 1.21+)
go install -v github.com/owasp-amass/amass/v4/...@master
# Or download a pre-built binary from GitHub releases
# https://github.com/owasp-amass/amass/releases
# Passive-only enumeration (no active probes sent to target)
amass enum -passive -d example.com -o passive-results.txt
# Active enumeration (sends DNS queries and brute-forces subdomains)
amass enum -active -d example.com -brute -o active-results.txt
# ASN and CIDR lookup for an organization
amass intel -org "Example Corp"
# Export results to graph visualization
amass viz -d3 -dir ~/.config/amass -o graph.json
# Config file location (required for full source coverage)
# ~/.config/amass/config.yaml — contains API keys for all 50+ sourcesFeature comparison
| Feature | SubDomainsFinder | OWASP Amass |
|---|---|---|
| No installation required | ||
| Browser-based UI | ||
| Passive subdomain discovery | ||
| Active / brute-force enumeration | ||
| IP addresses per subdomainAmass resolves IPs but output needs parsing | ||
| Open ports detectionAmass doesn't do port scanning | ||
| ASN & CIDR lookupsAmass intel command; we show ASN per result | ||
| Historical scan tracking | ||
| 50+ passive data sources | ||
| Graph visualization | ||
| Complex config file needed | ||
| Free to use | ||
| Open source |
Yes No Partial / limited
Where Amass excels
- 50+ passive data sources. No other open-source tool aggregates from as many passive sources as Amass does with a full configuration. The list includes Certificate Transparency logs, Shodan, Censys, VirusTotal, SecurityTrails, PassiveTotal, CIRCL, CommonCrawl, and dozens more. With API keys configured, it will surface subdomains that CT logs alone will never reveal — particularly older hostnames that predate widespread CT adoption or subdomains that appear only in passive DNS data.
- Active enumeration capabilities. Amass can brute-force subdomains against a wordlist, attempt DNS zone transfers, and scrape web pages for additional hostnames referenced in source code and response headers. These active techniques find subdomains that are completely invisible to passive tools — internal services accidentally exposed, development environments, legacy hostnames not logged in CT — at the cost of generating traffic the target can observe.
- Historical scan tracking. The built-in database means Amass can tell you what changed between scan runs. Running it weekly against your own infrastructure lets you detect newly exposed subdomains before attackers do. This change-tracking capability is genuinely useful for blue teams managing a large attack surface and is not something passive tools with no persistent storage can replicate.
- ASN and CIDR intelligence via amass intel. Before starting subdomain enumeration, you can use Amass to identify all IP ranges and ASNs associated with an organization — a useful starting point for understanding the full scope of an engagement when the client cannot provide a complete asset list. This shifts the recon process from domain-first to organization-first.
- Graph visualization for complex targets. For large targets with hundreds of subdomains across multiple IP ranges and ASNs, the graph output formats let you understand structural relationships at a glance — which subdomains share infrastructure, which IP blocks belong to the same ASN, where CDN fronting is in use. This is a meaningful analytical advantage for enterprise assessments.
- OWASP backing and enterprise trust. Amass is used in professional penetration testing engagements worldwide. Its OWASP foundation status means it is documented in security standards and methodology guides, and enterprise security teams are familiar with it in scope-of-work definitions.
Where SubDomainsFinder has the edge
- Zero installation on any device. Amass requires a Go toolchain or a pre-built binary, a writable config directory, and a populated API key file before you get useful results. SubDomainsFinder.com requires a browser and a domain name. On a fresh machine, a locked-down workstation, or a mobile device, there is no viable path to running Amass — SubDomainsFinder works on all of them.
- Results in seconds, not minutes or hours. A passive Amass scan on a medium-sized target takes several minutes; active scans on large targets routinely run for 30 minutes to several hours depending on wordlist size and source rate limits. SubDomainsFinder returns results in under 30 seconds for most domains. When you need a fast answer rather than the most exhaustive possible answer, that time difference matters.
- IP, ports, and ASN without post-processing. Amass outputs subdomain names and resolves IP addresses, but the output requires parsing to extract structured data — and it performs no port scanning at all. SubDomainsFinder returns each subdomain with its resolved IP address, detected open ports, ASN, hosting provider, and CDN or WAF detection in a single sortable table. No additional tools or scripting required.
- No risk of accidental active scanning. Amass active mode sends real traffic to the target. In a bug bounty context, active scanning outside authorized scope can result in disqualification or legal risk. SubDomainsFinder is entirely passive — it queries pre-indexed data and never sends probes to the target domain.
- Accessible without security tool experience. A sysadmin auditing their own domain exposure, a compliance analyst checking a vendor’s external footprint, or a developer checking what subdomains their application exposes does not need to understand Amass’s subcommand structure, config file format, or flag conventions. SubDomainsFinder produces an immediately readable result without a learning curve.
Which tool fits your situation?
Pentesters & red teams
Use SubDomainsFinder at the start of an engagement for a fast passive picture of the target — you get IP, port, and ASN context immediately, which helps scope the work before you commit to a longer tool run. Follow up with Amass in passive mode for broader source coverage, and switch to active mode only when the rules of engagement explicitly allow it. The two tools serve different phases: speed versus depth.
Bug bounty hunters
SubDomainsFinder handles quick triage well — useful when you want to check whether a new program has interesting subdomain exposure before investing hours in a deep Amass run. For large programs where scope allows thorough enumeration, Amass with active mode and a good wordlist will find targets that passive tools miss. Running both is not redundant; they surface different subsets of the attack surface.
Blue teams & sysadmins
For periodic external attack surface reviews, SubDomainsFinder is low-friction and requires no tooling setup — suitable for IT staff who are not dedicated security engineers. For teams running a formal attack surface management program, Amass with its database backend and change-tracking is the more powerful choice, though it requires dedicated maintenance and someone comfortable managing a complex configuration.
Check your domain's subdomain exposure now
No install, no config file, no API keys. Results include IP addresses, open ports, and ASN.