owasp-amass / amass
In-depth attack surface mapping and asset discovery
Home Page: https://owasp.org/www-project-amass/
License: Other
$ go get -u github.com/OWASP/Amass/...
# github.com/OWASP/Amass/amass/dnssrv
amass/dnssrv/wildcards.go:100:2: undefined: "math/rand".Shuffle
$ go version
go version go1.9.3 linux/amd64
So we can now scan by ASN/CIDR/IP and find FQDNs/subdomains on those systems. I would like to take it a step further and find out where else these domains are hosted.
Example:
I run amass on a network range, it finds the following FQDNs:
mail.example1.com
ftp.example2.com
vpn.example3.com
origin.example4.com
I want a command that lets Amass scan the domains above (example1.com, example2.com, example3.com, example4.com). So I know where the rest of those domains are hosted.
I'm using a virtual machine with 2GB RAM from one of the cloud providers. I ran into an out-of-memory error with amass. Could you please help me with this issue?
$ uname -a
Linux bbsm 4.17.9-1-ARCH #1 SMP PREEMPT Sun Jul 22 20:23:36 UTC 2018 x86_64 GNU/Linux
$ go version
go version go1.10.3 linux/amd64
$ amass -version
version v2.3.3
$ amass -active -d criteo.com -o output.txt
Hello,
I am running Kali, but with docker-ce installed from the docker.com repos. After cloning, when I try to:
docker build .
After a lot of steps, the build stops with the following error message:
... tons of stuff...
golang.org/x/vgo/vendor/cmd/go/internal/fmtcmd
golang.org/x/vgo/vendor/cmd/go/internal/fix
golang.org/x/vgo/vendor/cmd/go/internal/clean
golang.org/x/vgo/vendor/cmd/go/internal/generate
golang.org/x/vgo/vendor/cmd/go/internal/list
golang.org/x/vgo/vendor/cmd/go/internal/bug
golang.org/x/vgo/vendor/cmd/go/internal/modcmd
golang.org/x/vgo/vendor/cmd/go/internal/modget
golang.org/x/vgo/vendor/cmd/go
golang.org/x/vgo
go: creating new go.mod: module github.com/OWASP/Amass
can't load package: package github.com/OWASP/Amass: no Go files in /go/src/github.com/OWASP/Amass
The command '/bin/sh -c apk --no-cache add git && go get -u -v golang.org/x/vgo && vgo install' returned a non-zero code: 1
Are you able to build the latest version of amass using docker?
Built the docker image with docker build -t amass https://github.com/OWASP/Amass.git, tried to run it, but got an error. A possible fix would be to ignore SSL check in http.Transport options.
$ sudo docker run amass --passive -d example.com
Get https://raw.githubusercontent.com/OWASP/Amass/master/wordlists/namelist.txt: x509: certificate signed by unknown authority
Amass is a very fast scanner, but when I use the -brute flag it DoSes my Wi-Fi and I lose all internet access at home. I think it would be a nice feature to add a timing flag (like nmap's) to control the speed of Amass.
Getting consistent failures with the following scan:
amass -v -ip -brute -min-for-recursive 6 -df domains.txt -oA resultsFile
error message:
panic: send on closed channel
goroutine 8652393 [running]:
github.com/caffix/amass/amass.StartEnumeration.func1(0xc551ca7a40)
/home/caffix/go_work/src/github.com/caffix/amass/amass/amass.go:63 +0x42
reflect.Value.call(0x88b940, 0xc42002e080, 0x13, 0x938ef4, 0x4, 0xc46b4080e0, 0x1, 0x1, 0xc551ca7a40, 0xc4a8aa3900, ...)
/usr/local/go/src/reflect/value.go:447 +0x969
reflect.Value.Call(0x88b940, 0xc42002e080, 0x13, 0xc46b4080e0, 0x1, 0x1, 0xc46b4080e0, 0x1, 0x1)
/usr/local/go/src/reflect/value.go:308 +0xa4
github.com/asaskevich/EventBus.(*EventBus).doPublish(0xc4203f0060, 0xc42044a0f0, 0x93f5f9, 0xc, 0xc4a8aa3900, 0x1, 0x1)
/home/caffix/go_work/src/github.com/asaskevich/EventBus/event_bus.go:158 +0xa8
github.com/asaskevich/EventBus.(*EventBus).doPublishAsync(0xc4203f0060, 0xc42044a0f0, 0x93f5f9, 0xc, 0xc4a8aa3900, 0x1, 0x1)
/home/caffix/go_work/src/github.com/asaskevich/EventBus/event_bus.go:166 +0xa3
created by github.com/asaskevich/EventBus.(*EventBus).Publish
/home/caffix/go_work/src/github.com/asaskevich/EventBus/event_bus.go:150 +0x28b
Binary version 2.8.0
Great work. Enjoyed the presentation in the project showcase yesterday.
I ran
amass -d jemurai.com
and a more detailed command
amass -v -ip -brute -min-for-recursive 3 -d jemurai.com
and I got fewer results with the second command than the first. That surprised me. I didn't see anything in the second command that would suggest that it wouldn't check all of the same things and just add info about IPs and do brute forcing.
I wonder if there is something in the tool that is different along these paths, or if it was something environmental. (Same laptop, 5 minutes apart) If environmental, I wonder if there is a way to know that the results are partial or if we just need to run it a few different times to ensure that we get full results.
om:go mk$ amass -d jemurai.com
www.jemurai.com
jemurai.com
jasp.jemurai.com
training.jemurai.com
feedback.jemurai.com
ctfd.jemurai.com
om:go mk$ amass -v -ip -brute -min-for-recursive 3 -d jemurai.com
[Brute Force] feedback.jemurai.com,34.206.253.53
[CertSpotter] ctfd.jemurai.com,52.22.145.207
[Forward DNS] jemurai.com,34.195.173.235
[Brute Force] training.jemurai.com,54.194.35.114
OWASP Amass v2.7.10 https://github.com/OWASP/Amass
--------------------------------------------------------------------------------
4 names discovered - brute: 2, cert: 1, dns: 1
--------------------------------------------------------------------------------
ASN: 14618 - AMAZON-AES - Amazon.com, Inc., US
34.192.0.0/12 2 Subdomain Name(s)
52.20.0.0/14 1 Subdomain Name(s)
ASN: 16509 - AMAZON-02 - Amazon.com, Inc., US
54.194.0.0/16 1 Subdomain Name(s)
@sethsec indicated that it would be nice to have the ability to tack on an arg that will take all other command line input, and display what amass will do. Almost a dry run.
For example:
amass -d domain.com -active -brute -min-for-recursive 3 net --cidr 10.0.0.0/24 -
Output:
This command will deploy the following mechanisms:
Passive Query: Source1
Passive Query: Source2
Active Query: Source/Type 1 (Forward DNS Request)
Active Query: Source/Type 2 (Zone transfer Request)
etc..
The idea is to provide the user a little bit more info so they can determine
Given an organization or string, I want to enumerate all ASNs based on the Owner property of an ASN.
This is so I can then string that into other Amass tools to automate the end-to-end enumeration of an organization's external footprint.
As a security engineer I want to pick and choose my graph backend without having to worry about Amass-specific support for that graph. Apache TinkerPop (http://tinkerpop.apache.org/): Apache TinkerPop™ is a graph computing framework for both graph databases (OLTP) and graph analytic systems (OLAP).
Some data sources will stop serving requests if they detect 'automated usage'. We should handle these gracefully.
e.g., Sitedossier does this, and Amass incorrectly picks up the domain 'unauthorized' as a result of the error message.
This requires us to go through and test all data sources for weird behaviour.
I am having an issue when trying to perform discovery in 'net' mode on a server whose certificate has the following characteristics:
This results in the return of a large number of false-positive results from the [ThreatCrowd] data source that appear to be random members of the national TLD's subdomain; it appears that ThreatCrowd is enumerating all of the domains in, for instance, .com.pl. Example output is below:
[ThreatCrowd] lupus1.com.pl,85.128.135.19
[ThreatCrowd] b-52.com.pl,46.4.42.105
[ThreatCrowd] 12.com.pl,188.128.255.251
[ThreatCrowd] m21.com.pl,91.228.197.30
[ThreatCrowd] 02.com.pl,93.157.100.74
[ThreatCrowd] rs232.com.pl,138.201.172.157
This behavior does not occur when enumerating subdomains with the '-d' switch. Here's an example site that can be used to demonstrate this behavior:
https://dhl24.com.pl (cert is issued to '*.dhl24.com.pl')
Site's IP address is 91.227.200.193
Error while Installing Amass
OS: Kali Linux
@caffix
I recently discovered the altdns tool, which takes a list of domains and permutes them by appending and prepending various common words to subdomains. I think this would be a cool addition to Amass' existing alteration engine.
I will happily work on a PR for this; I just wanted to make sure you think it would be a good addition to Amass before starting work on it. :)
Thanks for a great tool!
Say you run this command:
amass -d google.com -active -p 443
The program simply exits straight away, without any explanation. There should be some explanation why the program exited straight away.
Hi, when I use the -brute or -d flag, I lose my Wi-Fi internet; it doesn't matter whether I use my desktop, laptop or any other PC. Sorry for my English, I hope you can understand me. So do you know how to fix this problem?
I have a Kali Light (Virtualbox machine) and Amass 2.4.1 (snap package) works perfect. Thanks for such amazing tool!
But now I'm trying to run Amass 2.4.1 (prebuilt and compiled from source) under Windows Server 2012 R2 (VMware Enterprise VM) and it doesn't work. Since it doesn't have a debug mode I don't know the reason.
The only environment difference between Kali and Windows is that my Windows Server VM is behind a firewall: DNS queries can maybe only go through the x.x.x.x internal DNS server and HTTP(S) requests can maybe only go through the x.x.x.x HTTP proxy. The proxy settings seem to be working fine, since Go and Git can make HTTP requests without any problem.
Could you please help me to run Amass on this Windows Server?
Thanks!
E:\>amass -v -r x.x.x.x -d example.com
No names were discovered
E:\>nslookup
Default Server: xxx.xxx.xx
Address: x.x.x.x
> example.com
Server: xxx.xxx.xx
Address: x.x.x.x
Non-authoritative answer:
Name: example.com
Addresses: 2606:2800:220:1:248:1893:25c8:1946
93.184.216.34
Now we have data in neo4j, as a security engineer I would like some quick analysis done on the data.
For example, using the PageRank algorithm and finding the outliers (least connected nodes, etc.) so I have an idea where the weakest links in the chain might be.
A user on the chat server requested the following:
This sounds like testing for wildcards, which we already perform automatically, but double-checking never hurts.
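A wildcard check of the kind mentioned above, as an added Go example rather than Amass's own DetectWildcard code: the resolver is injected as a function (here a constructed fake zone, so it runs offline), a few random labels under the domain are queried, and when they all resolve to the same address set that set is treated as the wildcard answer and brute-force candidates returning only it are discarded.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Resolver looks up the A records for a name; an empty result means NXDOMAIN
// or no answer. It is injected so the check can run against a fake zone.
type Resolver func(name string) []string

// randomLabel returns a label that no real zone is expected to contain.
func randomLabel() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return "amass-wc-" + hex.EncodeToString(b)
}

// key makes an order-independent fingerprint of an address set.
func key(addrs []string) string {
	s := append([]string(nil), addrs...)
	sort.Strings(s)
	return strings.Join(s, ",")
}

// DetectWildcard queries `probes` random labels under domain. If every probe
// resolves and all return the same address set, that set is the wildcard
// answer. A zone that answers random labels with round-robin addresses would
// need a set-union across probes; this version treats it as not a wildcard.
func DetectWildcard(domain string, r Resolver, probes int) (bool, []string) {
	if probes < 2 {
		probes = 2 // one probe is not evidence
	}
	var first []string
	for i := 0; i < probes; i++ {
		addrs := r(randomLabel() + "." + domain)
		if len(addrs) == 0 {
			return false, nil // a random label did not resolve: no wildcard
		}
		if first == nil {
			first = addrs
			continue
		}
		if key(addrs) != key(first) {
			return false, nil
		}
	}
	return true, first
}

// FilterWildcard drops candidate names whose answer equals the wildcard
// answer; names resolving to something else are kept as real findings.
func FilterWildcard(domain string, candidates []string, r Resolver) []string {
	isWild, wild := DetectWildcard(domain, r, 3)
	var kept []string
	for _, name := range candidates {
		addrs := r(name)
		if len(addrs) == 0 {
			continue
		}
		if isWild && key(addrs) == key(wild) {
			continue
		}
		kept = append(kept, name)
	}
	return kept
}

// fakeZone is a constructed resolver: one real host plus a catch-all
// *.example.test wildcard (documentation addresses from RFC 5737).
func fakeZone(name string) []string {
	switch {
	case name == "www.example.test":
		return []string{"192.0.2.10"}
	case strings.HasSuffix(name, ".example.test"):
		return []string{"192.0.2.99"}
	}
	return nil
}

func main() {
	wild, addrs := DetectWildcard("example.test", fakeZone, 3)
	fmt.Println("wildcard:", wild, addrs)
	candidates := []string{"www.example.test", "mail.example.test", "dev.example.test"}
	fmt.Println("kept:", FilterWildcard("example.test", candidates, fakeZone))
}
```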
goroutine 45944701 [IO wait]:
internal/poll.runtime_pollWait(0x7f079c2d69b0, 0x72, 0xc5c48d58b8)
/go/src/github.com/OWASP/Amass/parts/go/build/src/runtime/netpoll.go:173 +0x57
internal/poll.(*pollDesc).wait(0xc5b2964d18, 0x72, 0xffffffffffffff00, 0x9a7d20, 0xbe0580)
/go/src/github.com/OWASP/Amass/parts/go/build/src/internal/poll/fd_poll_runtime.go:85 +0x9b
internal/poll.(*pollDesc).waitRead(0xc5b2964d18, 0xc5353dda00, 0x200, 0x200)
/go/src/github.com/OWASP/Amass/parts/go/build/src/internal/poll/fd_poll_runtime.go:90 +0x3d
internal/poll.(*FD).Read(0xc5b2964d00, 0xc5353dda00, 0x200, 0x200, 0x0, 0x0, 0x0)
/go/src/github.com/OWASP/Amass/parts/go/build/src/internal/poll/fd_unix.go:157 +0x17d
net.(*netFD).Read(0xc5b2964d00, 0xc5353dda00, 0x200, 0x200, 0x0, 0x200, 0xc5353dda00)
/go/src/github.com/OWASP/Amass/parts/go/build/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc5c2fdf358, 0xc5353dda00, 0x200, 0x200, 0x0, 0x0, 0x0)
/go/src/github.com/OWASP/Amass/parts/go/build/src/net/net.go:176 +0x6a
github.com/miekg/dns.(*Conn).Read(0xc5c48d5c98, 0xc5353dda00, 0x200, 0x200, 0x200, 0x200, 0xc5c48d5a80)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/miekg/dns/client.go:414 +0x1c7
github.com/miekg/dns.(*Conn).ReadMsgHeader(0xc5c48d5c98, 0x0, 0x97bfedfe09c, 0xc266e0, 0x72, 0x0, 0x0)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/miekg/dns/client.go:327 +0x3a4
github.com/miekg/dns.(*Conn).ReadMsg(0xc5c48d5c98, 0xbedadf4916010d0a, 0x97bfedfe09c, 0xc266e0)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/miekg/dns/client.go:278 +0x49
github.com/OWASP/Amass/amass/dnssrv.ExchangeConn(0x9adce0, 0xc5c2fdf358, 0xc467fff320, 0x2f, 0x5, 0x0, 0x9adce0, 0xc5c2fdf358, 0x0, 0x0)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/support.go:109 +0x18b
github.com/OWASP/Amass/amass/dnssrv.Resolve(0xc467fff320, 0x2f, 0x944076, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/support.go:30 +0x1db
github.com/OWASP/Amass/amass/dnssrv.wildcardTestResolution(0xc42afd5900, 0xf, 0x3, 0x942e85, 0x1)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/wildcards.go:71 +0x90
github.com/OWASP/Amass/amass/dnssrv.DetectWildcard(0x7ffe9942d398, 0xb, 0xc435df8440, 0x15, 0xc4596f8030, 0x1, 0x1, 0x0)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/wildcards.go:34 +0x12e
github.com/OWASP/Amass/amass/dnssrv.(*DNSService).completeQueries(0xc4200d8370, 0xc439e66ae0)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/dnssrv.go:160 +0x3e2
created by github.com/OWASP/Amass/amass/dnssrv.(*DNSService).performRequest
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/dnssrv.go:119 +0x13a
I'm getting a lot of these lately, crashing the execution of amass. No idea what's causing it. It's been happening a lot the last few days though.
I cannot build amass on Windows with go 1.11. I get the following error.
>go get -u -ldflags "-s -w" github.com/OWASP/Amass/cmd/amass
# github.com/OWASP/Amass/cmd/amass
go\src\github.com\OWASP\Amass\cmd\amass\main.go:218:23: undefined: syscall.SIGTSTP
go\src\github.com\OWASP\Amass\cmd\amass\main.go:219:24: undefined: syscall.SIGCONT
This may be a non issue or a misunderstanding on my end. When running amass for my personal domain, erkin.xyz, I see the following coming through in the DNS sweeping. My IP address is 204.48.17.202 and when printing the DNS service requests going through, I see a sweep being performed as follows:
My IP
204.48.17.202
4 sample print lines from line 119 in brute.go
127.17.48.204.in-addr.arpa
142.17.48.204.in-addr.arpa
128.17.48.204.in-addr.arpa
143.17.48.204.in-addr.arpa
It looks like we are sweeping the octets backwards? Is this intended or am I missing something? Wouldn't we want to sweep the /24 of our original cidr? I.e. 204.48.17.202/24
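Those names are the standard reverse-lookup form, in which an in-addr.arpa name lists the IPv4 octets in reverse order (RFC 1035), so 127.17.48.204.in-addr.arpa is the PTR name for 204.48.17.127 and the four lines quoted are part of a sweep of 204.48.17.0/24. The Go helpers below are an added example, not Amass's own brute.go code: they build and parse such names and enumerate the PTR names for a CIDR block so a sweep log can be checked against the intended range.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ReverseAddr returns the in-addr.arpa name for an IPv4 address. The octets
// appear in reverse order (RFC 1035), so 204.48.17.127 becomes
// 127.17.48.204.in-addr.arpa.
func ReverseAddr(ip net.IP) (string, error) {
	v4 := ip.To4()
	if v4 == nil {
		return "", fmt.Errorf("not an IPv4 address: %v", ip)
	}
	return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa", v4[3], v4[2], v4[1], v4[0]), nil
}

// ParseReverseAddr is the inverse: it recovers the IPv4 address from an
// in-addr.arpa name (with or without a trailing dot).
func ParseReverseAddr(name string) (net.IP, error) {
	const suffix = ".in-addr.arpa"
	trimmed := strings.TrimSuffix(strings.ToLower(name), ".")
	if !strings.HasSuffix(trimmed, suffix) {
		return nil, fmt.Errorf("not an in-addr.arpa name: %q", name)
	}
	parts := strings.Split(strings.TrimSuffix(trimmed, suffix), ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("expected 4 octets in %q", name)
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 255 {
			return nil, fmt.Errorf("bad octet %q in %q", p, name)
		}
		ip[3-i] = byte(n) // the first label is the last octet
	}
	return ip, nil
}

// SweepNames returns the PTR name of every address in an IPv4 CIDR block, in
// address order. It generalises the /24 sweep in the report to any prefix of
// /16 or longer; shorter prefixes are refused to avoid enormous lists.
func SweepNames(cidr string) ([]string, error) {
	_, block, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	v4 := block.IP.To4()
	ones, bits := block.Mask.Size()
	if v4 == nil || bits != 32 {
		return nil, fmt.Errorf("IPv4 block required: %s", cidr)
	}
	if ones < 16 {
		return nil, fmt.Errorf("refusing to enumerate /%d: too many names", ones)
	}
	count := uint32(1) << uint(32-ones)
	start := binary.BigEndian.Uint32(v4) // ParseCIDR already masked the host bits
	names := make([]string, 0, count)
	host := make(net.IP, 4)
	for i := uint32(0); i < count; i++ {
		binary.BigEndian.PutUint32(host, start+i)
		n, err := ReverseAddr(host)
		if err != nil {
			return nil, err
		}
		names = append(names, n)
	}
	return names, nil
}

// InBlock reports whether a PTR name seen in a sweep log belongs to cidr,
// which is the check the question above is really asking.
func InBlock(ptrName, cidr string) (bool, error) {
	ip, err := ParseReverseAddr(ptrName)
	if err != nil {
		return false, err
	}
	_, block, err := net.ParseCIDR(cidr)
	if err != nil {
		return false, err
	}
	return block.Contains(ip), nil
}

func main() {
	// Constructed sample: the reporter's address and two of the quoted lines.
	names, err := SweepNames("204.48.17.202/24")
	if err != nil {
		panic(err)
	}
	fmt.Println(len(names), "names; first:", names[0], "last:", names[len(names)-1])
	for _, n := range []string{"127.17.48.204.in-addr.arpa", "142.17.48.204.in-addr.arpa"} {
		ok, _ := InBlock(n, "204.48.17.202/24")
		fmt.Printf("%s in 204.48.17.0/24: %v\n", n, ok)
	}
}
```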
panic: close of nil channel [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x805503]
goroutine 661556 [running]:
github.com/PuerkitoBio/gocrawl.(*Crawler).Stop.func1(0xc44407c360)
/home/caffix/go_work/src/github.com/PuerkitoBio/gocrawl/crawler.go:335 +0xc3
panic(0x8b66c0, 0x999c00)
/usr/local/go/src/runtime/panic.go:505 +0x229
github.com/PuerkitoBio/gocrawl.(*Crawler).Stop(0xc44407c360)
/home/caffix/go_work/src/github.com/PuerkitoBio/gocrawl/crawler.go:340 +0x55
github.com/caffix/amass/amass/sources.UKGovArchiveQuery.func1(0xc444accb40, 0xc44407c360)
/home/caffix/go_work/src/github.com/caffix/amass/amass/sources/ukgovarchive.go:49 +0x45
created by github.com/caffix/amass/amass/sources.UKGovArchiveQuery
/home/caffix/go_work/src/github.com/caffix/amass/amass/sources/ukgovarchive.go:47 +0x35b
@ethicalbughunter wrote:
When I fire up amass with a simple command such as "amass -d example.com", it hangs and gives no result on the screen.
Device: Kali Linux 4.15.0-kali2-amd64
It only works when I use amass -nodns -d example.com.
Any suggestions? Or is my device missing something?
Please add an installation guide for anything not mentioned on https://github.com/OWASP/Amass (likely the go build commands after installing amass).
Thanks
best regards
It seems like right now, the -json flag only flushes its result out at the end of the enumeration. Is there any chance that the json output could either be flushed when the result is printed to the console, or give the option to write json to stdout?
@superuser5 indicated that it would be great to have support for a socks proxy (like shadowsocks) or just to be able to specify which proxy to use; especially important when using active recon.
go get github.com/OWASP/Amass.git
package github.com/OWASP/Amass.git: invalid version control suffix in github.com/ path
In the newest version (2.8.2), I'm finding that with -T4, my scans are taking awfully long, and I can't really tell if the process is doing anything.
Would it be possible to maybe have a flag, which outputs every X time, a status on what's going on? Like how many requests are being sent per second when brute forcing, or similar? Queue stats? Stuff like that?
After an upgrade to version 2.6.8, Amass is taking a lot of time to finish and returns no results.
Before the upgrade I believe I was using version 2.5 and I was able to get some results.
Maybe some conflict with my environment, but I have no clue what I should check in order to fix it.
Note: in the commands below I just cancelled the passive execution since I didn't need to wait until the command finished.
Could you please help me to fix that?
Thanks!
root@zion:~# amass --version
version 2.6.8
root@zion:~# time amass -d example.com
real 36m3.027s
user 0m36.345s
sys 0m29.745s
root@zion:~# time amass --passive -d example.com
unauthorized.example.com
gerendes.cherochk100.example.com
ns1.example.com
...
sic3.example.com
mvasiliy.example.com
bulletproof.example.com
^C
real 9m17.552s
user 0m9.799s
sys 0m2.404s
root@zion:~#
@superuser5 wrote:
Thanks for making such a cool tool! I am redoing this request as the JSON output already has a lot of data.
It is still not enough to decide if something should be in scope for the organization.
The following additional information (in the json file) will help to decide if domain is in scope:
reason why this domain was included - like cert that matches something.com, name server, org name, cidr, asn, etc. This could go with flag "-reason" or just extra point of information.
Email address of registrant or tech contact from the domains whois records
Name Server from the domains whois record
Company name for the domain, which is different to the company name for the IP dance
SSL cert info
responding ports found from the active scan
thank you in advance.
@superuser5 wrote:
Would be awesome to be able to put constraints on searches to the known values (IP ranges / cert info / string in whois record) with OR/AND logic. The constraints feature could just look for known strings in different areas like whois records or certificate information (whois records can be very messy, so checking whether the known name of the organization is present anywhere in the whois response should be enough):
IP v4 ranges:
certificate
whois - match specific strings in the whois records:
Example:
1: amass -contrains ASN1234
2: amass -contrains "cert:GitHub AND (whois:ns1.p16.dynect.net OR whois: 1.2083895740 OR whois:[email protected])"
$ whois guthub.com
Last update of whois database: 2018-07-05T20:14:03Z <<<
Domain Name: guthub.com
Registry Domain ID: 1421310529_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2018-02-08T02:13:13-0800
Creation Date: 2008-03-12T13:48:25-0700
Registrar Registration Expiration Date: 2020-03-12T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registrant Organization: GitHub, Inc.
Registrant State/Province: CA
Registrant Country: US
Admin Organization: GitHub, Inc.
Admin State/Province: CA
Admin Country: US
Tech Organization: GitHub, Inc.
Tech State/Province: CA
Tech Country: US
Name Server: ns4.p16.dynect.net
Name Server: ns1.p16.dynect.net
Name Server: ns3.p16.dynect.net
Name Server: ns2.p16.dynect.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2018-07-05T13:14:12-0700 <<<
amass/dnssrv/limits_unix.go:24:47: invalid operation: lim.Cur > defaultNumOpenFiles (mismatched types int64 and uint64)
amass/dnssrv/limits_unix.go:25:12: cannot use defaultNumOpenFiles (type uint64) as type int64 in assignment
*** Error code 2
Revision 73e532d
go-1.11,1
2.6.x found them, but 2.7.0 returns nothing.
I'm compiling the latest release 2.8.3 and facing the following error:
>>> Compiling source in /var/tmp/portage/net-analyzer/amass-2.8.3/work/amass-2.8.3 ...
src/github.com/OWASP/Amass/cmd/amass.netdomains/main.go:19:2: cannot find package "github.com/caffix/amass/amass/core" in any of:
/var/tmp/portage/net-analyzer/amass-2.8.3/work/amass-2.8.3/src/github.com/OWASP/Amass/vendor/github.com/caffix/amass/amass/core (vendor tree)
/usr/lib/go/src/github.com/caffix/amass/amass/core (from $GOROOT)
/var/tmp/portage/net-analyzer/amass-2.8.3/work/amass-2.8.3/src/github.com/caffix/amass/amass/core (from $GOPATH)
/usr/lib/go-gentoo/src/github.com/caffix/amass/amass/core
@kerberosmansour wrote:
This is a feature that might not fit Amass, but is more about what to do with the data:
I'm faced with strange amass behavior on some domains.
E.g. with twitter:
amass -d twitter.com -active -r 8.8.8.8 -v -log ~/twitter.log
I see amass activity by the CPU usage after start, but after some time (15-25 min) the usage decreases to 1% and amass process never ends. There is no new information in the log or in the output at a later time.
I'm using the latest amass version from github source.
Hey @caffix, as a security engineer I might be enumerating a lot of domains, some of which will not be finished in one sitting (assuming it's running on a workstation / pentest laptop and not a server). I would like the option to resume a scan from a known state.
Nmap has done this by pointing a new scan to a previous scan output file, and nmap resumes from there.
I would like the ability to resume from a file or neo4j.
amass -d reddit.com
doesn't find anything, and the same for other domains I tried.
Revision 2.7.0-8-g5ac544c.
I'm getting the error below for a specific host that I cannot disclose.
# amass -active -brute -r 8.8.8.8,1.1.1.1 -whois -d redacted.com -o amass.txt
...
after a few domains
...
panic: runtime error: index out of range
goroutine 31 [running]:
github.com/OWASP/Amass/amass.parseASNInfo(0xc42f7f9860, 0x21, 0x94417c)
/root/go/src/github.com/OWASP/Amass/amass/network.go:333 +0x337
github.com/OWASP/Amass/amass.asnLookup(0xe6a5, 0xc42017ac60, 0xe6a5, 0xc3fe20)
/root/go/src/github.com/OWASP/Amass/amass/network.go:279 +0x20b
github.com/OWASP/Amass/amass.fetchOnlineData(0xc43702cec2, 0xe, 0xe6a5, 0x0, 0x0, 0x0)
/root/go/src/github.com/OWASP/Amass/amass/network.go:222 +0x24f
github.com/OWASP/Amass/amass.IPRequest(0xc43702cec2, 0xe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
/root/go/src/github.com/OWASP/Amass/amass/network.go:91 +0xde
github.com/OWASP/Amass/amass.(*DataManagerService).insertDomain(0xc42074aaa0, 0xc436d47768, 0x8)
/root/go/src/github.com/OWASP/Amass/amass/datamgmtsrv.go:169 +0x2ec
github.com/OWASP/Amass/amass.(*DataManagerService).insertMX(0xc42074aaa0, 0xc435a4a840, 0x2)
/root/go/src/github.com/OWASP/Amass/amass/datamgmtsrv.go:321 +0x120
github.com/OWASP/Amass/amass.(*DataManagerService).manageData(0xc42074aaa0)
/root/go/src/github.com/OWASP/Amass/amass/datamgmtsrv.go:133 +0x319
github.com/OWASP/Amass/amass.(*DataManagerService).processRequests(0xc42074aaa0)
/root/go/src/github.com/OWASP/Amass/amass/datamgmtsrv.go:80 +0x8f
created by github.com/OWASP/Amass/amass.(*DataManagerService).OnStart
/root/go/src/github.com/OWASP/Amass/amass/datamgmtsrv.go:57 +0x1b6
# amass --version
version v2.5.2
Operating system: Windows 10 Enterprise 2016 LTSB - 1607 - 64-bit
Amass 2.4.0 is the last version that works for me - anything above and I get this message:
"This app can't run on your PC - To find a version for your PC, check with the software publisher"
I've tried disabling Windows Defender and Smartscreen to rule those out but still get the same error.
I have only attempted to use the compiled binaries.
Some of the feeds might contain stale data; I would like to validate that the domains provided are in fact alive and well.
Data sources that take a while to process and loop through (e.g., crt.sh) cannot complete, as the main process times out too quickly.
To-do: Add some code to each of the data sources so that it lets the main thread know it is still active and running.
This should not only return more results back but also improve the consistency of data returned.
The Amass dependency called sort is overwriting GNU sort (coreutils) from the standard OS.
This can break some systems and is quite boring to detect.
root@zion:~/go/pkg# go list -f {{.Deps}} github.com/OWASP/Amass/amass/
[bufio bytes compress/flate compress/gzip container/list context crypto crypto/aes crypto/cipher crypto/des crypto/dsa crypto/ecdsa crypto/elliptic crypto/hmac crypto/internal/cipherhw crypto/md5 crypto/rand crypto/rc4 crypto/rsa crypto/sha1 crypto/sha256 crypto/sha512 crypto/subtle crypto/tls crypto/x509 crypto/x509/pkix database/sql database/sql/driver encoding encoding/asn1 encoding/base32 encoding/base64 encoding/binary encoding/gob encoding/hex encoding/json encoding/pem encoding/xml errors fmt github.com/OWASP/Amass/amass/core github.com/OWASP/Amass/amass/dnssrv github.com/OWASP/Amass/amass/handlers github.com/OWASP/Amass/amass/sources github.com/OWASP/Amass/amass/utils github.com/OWASP/Amass/amass/utils/viz github.com/PuerkitoBio/fetchbot github.com/PuerkitoBio/goquery github.com/andybalholm/cascadia github.com/asaskevich/EventBus github.com/irfansharif/cfilter github.com/johnnadratowski/golang-neo4j-bolt-driver github.com/johnnadratowski/golang-neo4j-bolt-driver/encoding github.com/johnnadratowski/golang-neo4j-bolt-driver/errors github.com/johnnadratowski/golang-neo4j-bolt-driver/log github.com/johnnadratowski/golang-neo4j-bolt-driver/structures github.com/johnnadratowski/golang-neo4j-bolt-driver/structures/graph github.com/johnnadratowski/golang-neo4j-bolt-driver/structures/messages github.com/miekg/dns github.com/miekg/dns/vendor/golang.org/x/crypto/ed25519 github.com/miekg/dns/vendor/golang.org/x/crypto/ed25519/internal/edwards25519 github.com/miekg/dns/vendor/golang.org/x/net/bpf github.com/miekg/dns/vendor/golang.org/x/net/internal/iana github.com/miekg/dns/vendor/golang.org/x/net/internal/socket github.com/miekg/dns/vendor/golang.org/x/net/ipv4 github.com/miekg/dns/vendor/golang.org/x/net/ipv6 github.com/temoto/robotstxt-go go/token golang.org/x/net/html golang.org/x/net/html/atom golang.org/x/sys/unix hash hash/crc32 hash/fnv html html/template internal/cpu internal/nettrace internal/poll internal/race internal/singleflight internal/syscall/unix 
internal/testlog io io/ioutil log math math/big math/bits math/rand mime mime/multipart mime/quotedprintable net net/http net/http/httptrace net/http/internal net/rpc net/textproto net/url os path path/filepath reflect regexp regexp/syntax runtime runtime/cgo runtime/debug runtime/internal/atomic runtime/internal/sys sort strconv strings sync sync/atomic syscall text/template text/template/parse time unicode unicode/utf16 unicode/utf8 unsafe vendor/golang_org/x/crypto/chacha20poly1305 vendor/golang_org/x/crypto/chacha20poly1305/internal/chacha20 vendor/golang_org/x/crypto/cryptobyte vendor/golang_org/x/crypto/cryptobyte/asn1 vendor/golang_org/x/crypto/curve25519 vendor/golang_org/x/crypto/poly1305 vendor/golang_org/x/net/http2/hpack vendor/golang_org/x/net/idna vendor/golang_org/x/net/lex/httplex vendor/golang_org/x/net/proxy vendor/golang_org/x/text/secure/bidirule vendor/golang_org/x/text/transform vendor/golang_org/x/text/unicode/bidi vendor/golang_org/x/text/unicode/norm]
root@zion:~/go/pkg# which sort
/root/go/bin/sort
root@zion:~/go/pkg#
Hi,
There are 53 instances of github.com/caffix/amass being used across several files, instead of using the code at github.com/OWASP/Amass.
Are you ok if I send a PR to change it? (I checked both; the develop and master branches show this import, so I would be sending the PR to the develop branch.)
Not sure what triggers this. Running on 2.5.0. May be related to running multiple amass processes at once.
It'd be awesome if this could be handled gracefully!
panic: send on closed channel
goroutine 317741 [running]:
github.com/OWASP/Amass/amass.(*Enumeration).Start.func1(0xc423336780)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/amass.go:205 +0x114
reflect.Value.call(0x8a3f60, 0xc42000c260, 0x13, 0x958236, 0x4, 0xc42275c300, 0x1, 0x1, 0xc423336780, 0xc423c59de0, ...)
/go/src/github.com/OWASP/Amass/parts/go/build/src/reflect/value.go:447 +0x969
reflect.Value.Call(0x8a3f60, 0xc42000c260, 0x13, 0xc42275c300, 0x1, 0x1, 0xc42275c300, 0x1, 0x1)
/go/src/github.com/OWASP/Amass/parts/go/build/src/reflect/value.go:308 +0xa4
github.com/asaskevich/EventBus.(*EventBus).doPublish(0xc42000c240, 0xc42009bc50, 0x95e934, 0xc, 0xc423c59de0, 0x1, 0x1)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/asaskevich/EventBus/event_bus.go:158 +0xa8
github.com/asaskevich/EventBus.(*EventBus).doPublishAsync(0xc42000c240, 0xc42009bc50, 0x95e934, 0xc, 0xc423c59de0, 0x1, 0x1)
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/asaskevich/EventBus/event_bus.go:166 +0xa3
created by github.com/asaskevich/EventBus.(*EventBus).Publish
/go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/asaskevich/EventBus/event_bus.go:150 +0x28b
It is plausible to have legitimate, active sub-domains that do not resolve externally but resolve internally (think sub-domains that only resolve using an internal nameserver).
I think these 'unresolvable' sub-domains could still be of value to red-teamers/pentesters/bug-bounty hunters as they could provide information that would otherwise go unnoticed.
e.g., jenkins.example.com may not resolve to an IP but could still be very useful during recon and may prompt the tester to investigate further.
Might be worth putting this function in another flag like --include-unresolvable
Hello!
There appear to be issues with the domain discovery process. amass was thrown at scanme.nmap.org to see what domains would be discovered from there. Naturally it didn't find much; there aren't any subdomains there. After that was fruitless, it was thrown at nmap.org, and to my surprise, it found almost nothing. Not even www.nmap.org.
After some tweaking, I decided to try changing the nameservers, other than the default DigitalOcean nameservers I was using. This seemed to find more domains, but not nearly as many as other domain enumeration tools. I decided to enable logging, and to my shock, it was consistently assuming that certain domain names did not resolve. Of note, scanme.nmap.org, according to amass, did not resolve.
Of interest as well is that the nameservers chosen seem to affect the outcome of the result. Scanning entirely with -r 4.2.2.2,4.2.2.3 resolves a few domains correctly (though still yields false negatives), yet using -r 8.8.8.8,9.9.9.9,1.1.1.1 seems to resolve nothing. Going further, hitting the nameservers specific to nmap.org (namely ns[1-5].linode.com and hostmaster.insecure.org) additionally doesn't seem to yield anything.
There seem to be some more problems in here, such as improper parsing of URLs, it looks like, judging from just the error messages? But I'm not certain. Either way, here are some notable highlights of false negatives of known active domains.
Attached are logs of some scans. Here's the table of the commands run to produce them. Hope all this helps!
uname -a: Linux sputnik 4.9.0-7-amd64 #1 SMP Debian 4.9.110-1 (2018-07-05) x86_64 GNU/Linux
amass -version: version 2.8.1
Installed with: snap install amass
amass-level3.log: amass -v -active -brute -ip -r 4.2.2.2,4.2.2.3 -log amass-level3.log -d nmap.org
amass-google.log: amass -v -active -brute -ip -r 8.8.8.8,9.9.9.9 -log amass-google.log -d nmap.org
amass-cloudflare.log: amass -v -active -brute -ip -r 1.1.1.1 -log amass-cloudflare.log -d nmap.org
amass-direct-ns.log: amass -v -active -brute -ip -r 162.159.27.72,45.33.49.119 -d nmap.org
www.nmap.org:
dig:
www.nmap.org. 3600 IN A 45.33.49.119
www.nmap.org. 1676 IN A 45.33.49.119
www.nmap.org. 1865 IN A 45.33.49.119
www.nmap.org. 3600 IN A 45.33.49.119
scanme.nmap.org:
amass-cloudflare.log, amass-direct-ns.log, amass-level3.log:
amass-google.log:
dig:
scanme.nmap.org. 3600 IN A 45.33.32.156
scanme.nmap.org. 3289 IN A 45.33.32.156
scanme.nmap.org. 1776 IN A 45.33.32.156
scanme.nmap.org. 3600 IN A 45.33.32.156
svn.nmap.org:
amass-cloudflare.log, amass-direct-ns.log, amass-level3.log:
amass-google.log:
dig:
svn.nmap.org. 1242 IN A 45.33.49.119
svn.nmap.org. 1331 IN A 45.33.49.119
svn.nmap.org. 1220 IN A 45.33.49.119
svn.nmap.org. 3600 IN A 45.33.49.119
Attached logs: amass-cloudflare.log, amass-direct-ns.log, amass-google.log, amass-level3.log