Legal Entity-Driven Reconnaissance with OWASP Amass: Enhancing Bottom-Up Discovery Using RDAP
Recon Village @ DEF CON 33 • 8th, 9th and 10th August 2025
Abstract
The OWASP Amass Project has long been a staple in the open-source reconnaissance ecosystem, enabling security researchers, red teamers, and defenders to map attack surfaces through passive and active discovery techniques. Traditionally, tools like Amass have relied on DNS, certificate transparency logs, web scraping, and other data sources to infer the digital footprint of an organization. However, this approach often begins with known domains and struggles to comprehensively uncover the broader infrastructure, especially when initial input is minimal or obfuscated.
This talk introduces a major advancement in the Amass discovery model: leveraging legal entity information as a pivot point for infrastructure enumeration. By incorporating corporate legal names, the project now enables users to query the Registration Data Access Protocol (RDAP) for associated IP address ranges directly linked to specific organizations. This evolution allows for a powerful “outside-in” discovery strategy, one that begins with an organization’s registered presence in global ICANN records and regional internet registries (RIRs).
We will walk through how this process functions end-to-end within Amass, including:
How legal entity names are normalized, enriched, and used to perform RDAP queries across multiple registries.
How this approach facilitates infrastructure discovery even when no initial domain names or IPs are known.
Ways in which the newly discovered CIDRs and netblocks are fed into the broader Amass enumeration engine for DNS sweeps and passive data correlation.
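As an added illustration of the two steps above (this is example code, not Amass's own implementation), the block below normalizes a legal entity name, checks it against the registrant recorded in an RDAP ipNetwork object, and converts the object's start/end address range into the minimal CIDR blocks an enumeration engine would consume. The RDAP object is a constructed sample in documentation address space, and the list of corporate suffixes stripped during normalization is an assumption, not a standard.

```python
"""Turn an RDAP ipNetwork object (RFC 9083) into CIDRs for a matching legal entity."""
import ipaddress
import json
import re

# Constructed sample modelled on the RFC 9083 ipNetwork object; not a real registry response.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "ipNetwork",
    "handle": "NET-EXAMPLE-1",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.191",
    "ipVersion": "v4",
    "name": "EXAMPLE-NET",
    "entities": [{
        "objectClassName": "entity",
        "handle": "EXAMPLE-ORG",
        "roles": ["registrant"],
        # jCard: each property is [name, parameters, type, value]
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Corporation"],
                                  ["kind", {}, "text", "org"]]],
    }],
})

# Assumed suffix list: registries record the same company as "Corp", "Corporation", etc.
_SUFFIXES = {"inc", "incorporated", "corp", "corporation", "llc", "ltd", "limited", "co", "company"}

def normalize_legal_name(name):
    """Lower-case, strip punctuation and common corporate suffixes so spellings compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)

def registrant_name(obj):
    """Return the formatted name ('fn') of the first entity holding the registrant role."""
    for ent in obj.get("entities", []):
        if "registrant" not in ent.get("roles", []):
            continue
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "fn":
                return prop[3]
    return None

def network_cidrs(obj):
    """Summarize the inclusive start/end range into the fewest CIDR blocks (IPv4 or IPv6)."""
    start = ipaddress.ip_address(obj["startAddress"])
    end = ipaddress.ip_address(obj["endAddress"])
    if start.version != end.version or start > end:
        raise ValueError("malformed RDAP address range")
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]

def extract_netblocks(rdap_json, legal_name):
    """Return CIDRs only when the object is an ipNetwork registered to the given legal entity."""
    obj = json.loads(rdap_json)
    if obj.get("objectClassName") != "ipNetwork":
        return []
    if normalize_legal_name(registrant_name(obj) or "") != normalize_legal_name(legal_name):
        return []  # a near-miss registrant name is a false positive, not a netblock
    return network_cidrs(obj)
```

The registrant comparison is deliberately strict: accepting any entity whose name merely contains the search string is how unrelated organizations' address space ends up in a scope.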
Importantly, this capability allows researchers to identify internet-connected assets that might otherwise be missed through traditional means, which is especially helpful for uncovering legacy infrastructure, misconfigured services, and shadow IT. It also helps bypass the inefficiency of wide-scale internet scanning by using authoritative registry data as a precise targeting mechanism.
This talk will include practical demonstrations of the feature in action, guidance on using it effectively in both red and blue team workflows, and a look at where the project is heading next, including potential integrations with open corporate registries, LEI databases, and expanded RDAP coverage.
Takeaways for Recon Village Attendees:
Learn how legal entity metadata can be leveraged to scale reconnaissance beyond domains and WHOIS lookups.
Gain an understanding of how RDAP reveals registered network ownership and how Amass now uses this for bottom-up discovery.
See live examples of uncovering unknown IP ranges and infrastructure linked to an organization, without scanning the full IPv4 space.
Understand the implications of this technique for external asset management, third-party risk analysis, and adversarial recon.
By advancing outside-in discovery with deeper legal and registration context, Amass continues to push the boundaries of OSINT tooling, bridging the gap between traditional internet reconnaissance and more strategic, organizationally-aware approaches to mapping the modern attack surface.
Speaker
Amass Project Leader, OWASP Foundation
Jeff Foley has over 20 years of industry experience focused on research & development and security assessment. He is the Vice Chairman for the OWASP Projects Committee. He is also the Project Leader for Amass, an OWASP Foundation Flagship Project that performs in-depth attack surface mapping and asset discovery. Previously, he served as the Vice President of Attack Surface Protection for ZeroFox. Jeff was also the Global Head of Attack Surface Management at Citi. Prior to this, Jeff served as the Program Manager for Offensive Cyber Warfare Research & Development at Northrop Grumman Corporation. In his spare time, Jeff enjoys giving back to the information security community.