The OWASP Amass using for network mapping, asset discovery, penetration testing and cyber security auditor.
The Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
Introduction
Whether you are a penetration tester, an auditor, a security researcher or the CISO/IT manager, you may have several valid reasons for network mapping out the external attack surface of an organisation. This process is also referred to as reconnaissance or information gathering.
The OWASP Amass project (Amass) can help with this to a large extent depending on your requirements. In this blog post, we will aim to demonstrate how one can use Amass to discover majority of an organisation’s externally exposed assets.
The focus will be on performing continuous subdomain discovery exercises. We have broken this blog post into different sections to make it easier to get to grips with the various functions of Amass. It should be noted that there may be assets out there that are not mapped to a domain and you will need to employ other techniques to uncover them, such as running network scans over the IP ranges owned by the organisation. Although we will not fully demonstrate how to use all the functions offered by Amass, we are hoping that this blog will cover enough to give you a kick-start in mastering Amass.
Why OWASP Amass?
A high number of open-source softwares are available for enumerating subdomains, Autonomous System Numbers (ASNs) and other assets owned by an organisation. Although most of these softwares are great in utilising specific methods, they are not always actively maintained and updated to keep up with the latest techniques and methodologies. So to speak the truth, most of the available software’s are not complete and solely relying on these could give a false sense of security or lead to missing vulnerable assets. The reality is that subdomains can be disclosed anywhere nowadays, such as on social media, Pastebin, source code repositories, HTTP headers and so on.
Amass is backed by OWASP, which should provide prestige and confidence in the results. It is actively maintained and will likely be supported for a long time, meaning any future bugs will be resolved. Additionally, the adoption rate of Amass is high which potentially means better data consistency and integration with other softwares. As such, it can constitute a better and more trustworthy software to use in proof of concepts and engagements, and it may be easier to convince your clients or manager to use it for periodical mapping of the organisation’s attack surface.
There are a number of more technical reasons, which we will explain below and demonstrate in more detail later:
Comes with 5 subcommands, in other words functions:
- amass intel — Discover targets for enumerations
- amass enum — Perform enumerations and network mapping
- amass viz — Visualize enumeration results
- amass track — Track differences between enumerations
- amass db — Manipulate the Amass graph database
Amass’ subcommands can be used in conjunction, in some cases, which could allow you to create scripts that perform multiple Amass operations.
Command-line Usage Information
The Amass software has several subcommands shown below for handling your Internet exposure investigation.
Subcommand Description
- intel : Collect open source intelligence for investigation of the target organization
- enum Perform DNS enumeration and network mapping of systems exposed to the Internet
- viz Generate visualizations of enumerations for exploratory analysis
- track Compare results of enumerations against common target organizations
- db Manage the graph databases storing the enumeration results
Supports 55 sources, such as APIs and websites, at the time of writing as part of its subdomain discovery and information gathering techniques. These can be listed using the following command:
- amass enum -list
- AlienVault,ArchiveIt,ArchiveToday,Arquivo,Ask,Baidu,BinaryEdge,Bing,BufferOver,Censys,CertSpotter,CIRCL,CommonCrawl,Crtsh,[…],ViewDNS,VirusTotal,Wayback,WhoisXML,Yahoo (full list here)
Also See: Command Injection Cheatsheet
It employs various information gathering techniques for DNS enumeration
- Brute-force of subdomains using a domain name wordlists and alteration wordlists
- Identify subdomains by reading SSL/TLS certificates, performing DNS zone transfers or checking certificate transparency logs
- Recursive subdomain discovery on identified domains
- Hashcat-style masks for brute-force of subdomains (this can be very useful if you have internal information on naming conventions and so on)
- It can be configured using a configuration file which makes it easy to maintain, use or integrate with scripts
Lastly, we will not be going into the details of installing Amass in this blog post, but if you are interested, you can do so in a number of ways. You can compile from source if you have a properly configured Golang environment (Go >= 1.13), or run it using Docker, or install it as a package if one is available for your distribution.
Amass Enum
Let’s move onto Amass enum, which is where most of Amass’ powerful capabilities live. Amass enum allows you to perform DNS enumeration and network mapping of the target in order to determine the attack surface exposed by organisations.
The enumeration findings are stored in a graph database, which will be located in Amass’ default output folder or the specified output directory with “-dir” flag. This is also the case with other Amass subcommands.
Amass Intel
The Amass intel subcommand, or module if you want, can aid with collecting open source intelligence on the organisation and allow you to find further root domain names associated with the organisation. To see the available options of this subcommand, simply type it at the terminal:
$ amass intel [...] Usage: amass intel [options] [-whois -d DOMAIN] [-addr ADDR -asn ASN -cidr CIDR] -active Attempt certificate name grabs -addr value IPs and ranges (192.168.1.1-254) separated by commas -asn value ASNs separated by commas (can be used multiple times) [...]
It is probably worth noting at this point that another great perk of Amass is that all the subcommands attempt to maintain argument consistency.
Amass Track
Amass track is the second most useful subcommand in my opinion. It helps compare results across enumerations performed against the same target and domains. An example is the below command which compares the last 2 enumerations performed against “owasp.org”. This is done by specifying the same Amass output folder and database we have been using in this blog. The most interesting lines are the ones starting with the “Found” keyword and this means that the subdomain was not identified in previous enumerations.
Amass Viz and Amass DB
We would also like to briefly mention the other 2 Amass subcommands:
Amass db
You can use this subcommand in order to interact with an Amass graph database, either the default or the one specified with the “-dir” flag.
For example, the below command would list all the different enumerations you have performed in terms of the given domains and are stored in the “amass4owasp” graph database:
$ amass db -dir amass4owasp -list
Next, with a command similar to the below you could retrieve the assets identified during that enumeration — in this case enumeration 1:
$ amass db -dir amass4owasp -d owasp.org -enum 1 -show
You may want to maintain the same Amass output folder for statistical or historical purposes, through which you perform all the subdomain enumeration exercises, as Amass track can be used only against the same graph database and output folder.
Amass Viz
The Amass viz subcommand allows you to visualize all the gathered information (stored in the Amass graph database) for a target in a number of ways. Results can also be imported into Maltego for further OSINT (Open-Source Intelligence) analysis.
The below command generates a d3-force HTML graph based on the graph database stored within the “amass4owasp” folder:
$ amass viz -d3 -dir amass4owasp
Installation
You can find some additional installation variations in the Installation Guide.
Prebuilt Packages
- Simply unzip the package
- Put the precompiled binary into your path
- Start using OWASP Amass!
Homebrew
brew tap caffix/amass brew install amass
Snapcraft
sudo snap install amass
Kali Linux
OWASP Amass is installed by default and can be managed like any other Kali package:
apt-get update apt-get install amass
Docker Container
1. Install Docker
2. Pull the Docker image by running docker pull caffix/amass
3. Run docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -d example.com
The volume argument allows the Amass graph database to persist between executions and output files to be accessed on the host system. The first field (left of the colon) of the volume option is the amass output directory that is external to Docker, while the second field is the path, internal to Docker, where amass will write the output files.
From Sources
- Install Go and setup your Go workspace
- Download OWASP Amass by running go install -v github.com/OWASP/Amass/v3/…@master
- At this point, the binary should be in $GOPATH/bin
Using Docker
Build the Docker image:
docker build -t amass https://github.com/OWASP/Amass.git
Run the Docker image:
docker run -v OUTPUT_DIR_PATH:/.config/amass/ amass enum –list
The volume argument allows the Amass graph database to persist between executions and output files to be accessed on the host system. The first field (left of the colon) of the volume option is the amass output directory that is external to Docker, while the second field is the path, internal to Docker, where amass will write the output files.
The wordlists maintained in the Amass git repository are available in /examples/wordlists/ within the docker container. For example, to use all.txt:
docker run -v OUTPUT_DIR_PATH:/.config/amass/ amass enum -brute -w /wordlists/all.txt -share -d example.com
