AMASSIVE LEAP IN HOST DISCOVERY
Patrik Fehrenbach
@itsecurityguard
NahamCon 2021
Whoami
○ Patrik Fehrenbach
○ Manager of Triage Services @Hacker0x01
○ Bug Bounty Hunter for 8 Years
○ blog.it-securityguard.com
○ @itsecurityguard
We all know why Recon is important, right?
Why?
You want to be the first <3
You want to find as many subdomains as possible (easter eggs)
The wilder the better (yolo)
Basically 2 Methods:
- Active (Bruteforce)
- Passive (Datasources)
Quick Passive Discovery Lesson

(diagram) sup3rl33tRecon.* (.py / .rb / .go / .sh) takes domain.com as input, queries data source 1, data source 2, data source 3 and data source 4, pipes everything through "sort | uniq > results.txt", and hands the results on to nuclei, screenshot, ...
Tools Tools Tools Tools? 🤔

THE PROBLEM: YOU WANT THEM ALL
Solution 1: Wrappers
(Bash, Grep, Cat, Curl, Wget)

curl -s "https://dns.bufferover.run/dns?q=.DOMAIN.com" | jq -r '.FDNS_A[]' | cut -d',' -f2 | sort -u

curl -s "https://securitytrails.com/list/apex_domain/domain.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | grep ".domain.com" | sort -u

curl -s "https://jldc.me/anubis/subdomains/domain.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

curl -s "https://recon.dev/api/search?key=apikey&domain=example.com" | jq -r '.[].rawDomains[]' | sed 's/ //g' | sort -u | httpx -silent

curl -s "https://rapiddns.io/subdomain/$1?full=1#result" | grep "<td><a" | cut -d '"' -f 2 | grep http | cut -d '/' -f3 | sed 's/#results//g' | sort -u

wget https://opendata.rapid7.com/sonar.fdns_v2/2021-01-30-1611965078-fdns_a.json.gz ; gunzip 2021-01-30-1611965078-fdns_a.json.gz ; cat 2021-01-30-1611965078-fdns_a.json | grep ".DOMAIN.com" | jq -r .name | tee -a sonar

mildew | anew domains | xargs -P 500 -a domains -I@ sh -c 'nc -w1 -z -v @ 443 2>/dev/null && echo @' | xargs -I@ -P10 sh -c 'gospider -a -s "https://@" -d 2 | grep -Eo "(http|https)://[^/\"].*\.js+" | sed "s#\] \- #\n#g" | anew'

curl -s "https://recon.dev/api/search?key=apiKEY&domain=paypal.com" | jq -r '.[].rawDomains[]' | sed 's/ //g' | anew | httpx -silent | xargs -P3 -I@ gospider -d 0 -s @ -c 5 -t 100 -d 5 --blacklist jpg,jpeg,gif,css,tif,tiff,png,ttf,woff,woff2,ico,pdf,svg,txt | grep -Eo '(http|https)://[^/"]+' | anew

./github-subdomains.py -t APYKEYGITHUB -d domaintosearch | httpx --title

sort -u >> "final final final.txt"
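An added example, not from the talk, for the step every wrapper above ends with: turning the mixed raw lines the different sources emit into one clean, in-scope host list. It assumes only POSIX sh tools; normalize_hosts and sample_input are names chosen here, and the input is constructed.

```shell
#!/bin/sh
# Added example, not from the talk: normalise the raw lines that wrappers like
# the ones above emit (URLs, quoted jq strings, wildcard certificate names,
# host:port, mixed case) and keep only hosts that really sit under the target
# apex. An unanchored grep ".domain.com" also matches notdomain.com and
# domain.com.evil.net; the anchored regex below does not.

# normalize_hosts APEX   reads candidate lines on stdin, prints unique in-scope hosts
normalize_hosts() {
    apex=$1
    # escape the dots so the apex is matched literally inside the regex
    apex_re=$(printf '%s' "$apex" | sed 's/\./\\./g')
    tr '[:upper:]' '[:lower:]' \
      | tr -d '"' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's#^[a-z]*://##' -e 's#[/:].*$##' -e 's/^\*\.//' \
      | grep -E "^([a-z0-9-]+\.)*${apex_re}$" \
      | sort -u
}

# Constructed sample input mimicking what the one-liners above produce.
sample_input() {
    cat <<'EOF'
https://Api.example.com/v1/users
"mail.example.com"
*.cdn.example.com
api.example.com:443
  staging.example.com
example.com.evil.net
notexample.com
EXAMPLE.COM

EOF
}

sample_input | normalize_hosts example.com
```

The look-alike hosts example.com.evil.net and notexample.com are dropped, while the five genuine example.com hosts come out once each.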
AMASS - Information Gathering Framework

Subcommands: intel, enum, viz, track, db

Data sources: shodan, wayback, certspotter, threatminer, archiveit, facebookct, archivetoday, googlect, sonarsearch, binaryedge, hackerone, anubis, chaos, builtwith, riddler, zoomeye, recondev, threatcrowd, ask, securitytrails, spyse, robtex, rapiddns, github, ipv4info, hackertarget, sublist3r, bing, bgpview, mnemonic, yahoo, circl, c99, sitedossier, commoncrawl, threatbook, baidu, passivetotal, censys, bufferover, zetalytics, crtsh, virustotal
Amass Scripting Engine (ASE)
https://github.com/OWASP/Amass/blob/master/doc/scripting.md

Amass Scripting Engine - For command line tools

name = "assetfinder"
type = "ext"

function vertical(ctx, domain)
    print("in asset finder")
    -- run the external tool and read its output line by line
    local cmd = "assetfinder --subs-only " .. domain
    local data = assert(io.popen(cmd))
    for line in data:lines() do
        -- every line is a discovered host name; hand it to Amass
        newname(ctx, line)
    end
    data:close()
end
Amass Scripting Engine - For GET APIs

name = "Chaos"
type = "api"

function vertical(ctx, domain)
    local cfg = datasrc_config()
    local c = cfg.credentials
    local vurl = apiurl(domain)
    -- the API key from the data source config goes into the Authorization header
    local resp, err = request(ctx, {
        url=vurl,
        headers={['Authorization']=c["key"]},
    })
    if (err ~= nil and err ~= "") then
        return
    end
    local d = json.decode(resp)
    for i, sub in pairs(d.subdomains) do
        newname(ctx, sub .. "." .. d.domain)
    end
end

function apiurl(domain)
    return "https://dns.projectdiscovery.io/dns/" .. domain .. "/subdomains"
end

https://github.com/OWASP/Amass/blob/936faf367373f1ff5f4a99c37901409858378a7e/resources/scripts/api/chaos.ads
Amass Scripting Engine - For POST APIs

function apiurl()
    return "https://www.censys.io/api/v1/search/certificates"
end

function vertical(ctx, domain)
    local cfg = datasrc_config()
    -- JSON request body for the Censys v1 certificate search
    local body = json.encode({query="parsed.names: " .. domain, fields={"parsed.names"}})
    -- id/pass carry the API credentials from the data source config
    local resp, err = request(ctx, {
        method="POST",
        data=body,
        url=apiurl(),
        headers={['Content-Type']="application/json"},
        id=cfg["credentials"].key,
        pass=cfg["credentials"].secret,
    })
    if (err ~= nil and err ~= "") then
        return
    end
    local d = json.decode(resp)
    -- the linked censys.ads then walks d.results and passes each parsed.names entry to newname(ctx, ...)
end

https://github.com/OWASP/Amass/blob/4641238b804f7771f34c7f6c964c1ea8973d69c1/resources/scripts/cert/censys.ads
Inspiration

Putting it all together and firing up the engine

1. Put all your ADS scripts in a folder
2. Run amass with the scripts included:

amass enum -scripts /root/tools/scripts/ -passive -src -d hackerone.com -include assetfinder,github-subdomains,findomain -dir /root/output/

amass                                              the tool
enum                                               the submodule
-scripts /root/tools/scripts/                      the directory the scripts are in
-passive                                           passive vs. active the included scripts
-src                                               show where the results are from
-d hackerone.com                                   the domain
-include assetfinder,github-subdomains,findomain   the data sources (scripts) to include
-dir /root/output/                                 the output directory
Quick Recap
- We solved the problem of inconsistent tools
- We have a simple way of including every tool in AMASS
- We have a centralised way of storing (good) results
Join the Fun and Contribute!
github.com/OWASP/Amass github.com/PatrikFehrenbach/amass-tools
https://discord.gg/rtN8GMd
Follow Follow Follow!
https://twitter.com/jeff_foley https://twitter.com/owaspamass
Thank you!
blog.it-securityguard.com
@itsecurityguard