owasp-amass / amass

In-depth attack surface mapping and asset discovery

Home Page: https://owasp.org/www-project-amass/

License: Other

Languages: Go 57.85%, Lua 41.71%, HTML 0.35%, Dockerfile 0.09%
Topics: go, dns, subdomain, enumeration, recon, osint, osint-reconnaissance, network-security, owasp, maltego

amass's Introduction


The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

Information Gathering Techniques Used:

APIs: 360PassiveDNS, Ahrefs, AnubisDB, BeVigil, BinaryEdge, BufferOver, BuiltWith, C99, Chaos, CIRCL, DNSDB, DNSRepo, Deepinfo, Detectify, FOFA, FullHunt, GitHub, GitLab, GrepApp, Greynoise, HackerTarget, Hunter, IntelX, LeakIX, Maltiverse, Mnemonic, Netlas, Pastebin, PassiveTotal, PentestTools, Pulsedive, Quake, SOCRadar, Searchcode, Shodan, Spamhaus, Sublist3rAPI, SubdomainCenter, ThreatBook, ThreatMiner, URLScan, VirusTotal, Yandex, ZETAlytics, ZoomEye
Certificates: Active pulls (optional), Censys, CertCentral, CertSpotter, Crtsh, Digitorus, FacebookCT
DNS: Brute forcing, Reverse DNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing
Routing: ASNLookup, BGPTools, BGPView, BigDataCloud, IPdata, IPinfo, RADb, Robtex, ShadowServer, TeamCymru
Scraping: AbuseIPDB, Ask, Baidu, Bing, CSP Header, DNSDumpster, DNSHistory, DNSSpy, DuckDuckGo, Gists, Google, HackerOne, HyperStat, PKey, RapidDNS, Riddler, Searx, SiteDossier, Yahoo
Web Archives: Arquivo, CommonCrawl, HAW, PublicWWW, UKWebArchive, Wayback
WHOIS: AlienVault, AskDNS, DNSlytics, ONYPHE, SecurityTrails, SpyOnWeb, WhoisXMLAPI

Installation

You can find some additional installation variations in the Installation Guide.

Prebuilt Packages

  1. Simply unzip the package
  2. Put the precompiled binary into your path
  3. Start using OWASP Amass!

Homebrew

brew tap owasp-amass/amass
brew install amass

Docker Container

  1. Install Docker
  2. Pull the Docker image by running docker pull caffix/amass
  3. Run docker run -v OUTPUT_DIR_PATH:/.config/amass/ caffix/amass enum -d example.com

The volume argument lets the Amass graph database persist between executions and makes the output files reachable from the host. The first field (left of the colon) is the output directory on the host, outside Docker, and must be an absolute path; the second field is the path inside the container where Amass writes its output. Note that this is also the Amass configuration directory, so any data-source API keys you configure end up in that host directory as well: keep its permissions restricted to your own user.

From Source

  1. Install Go and setup your Go workspace
  2. Download OWASP Amass by running go install -v github.com/owasp-amass/amass/v4/...@master (this builds the current tip of the master branch; substitute a release tag for a pinned, reproducible build)
  3. At this point, the binary should be in $GOPATH/bin (by default $HOME/go/bin; confirm with go env GOPATH), and that directory needs to be on your PATH

Documentation

Use the Installation Guide to get started.

Go to the User's Guide for additional information.

See the Tutorial for example usage.

See the Amass Scripting Engine Manual for greater control over your enumeration process.

Corporate Supporters

ZeroFox, IPinfo, WhoisXML API

Testimonials

"Accenture’s adversary simulation team has used Amass as our primary tool suite on a variety of external enumeration projects and attack surface assessments for clients. It’s been an absolutely invaluable basis for infrastructure enumeration, and we’re really grateful for all the hard work that’s gone into making and maintaining it – it’s made our job much easier!"

- Max Deighton, Accenture Cyber Defense Manager

"For an internal red team, the organisational structure of Visma puts us against a unique challenge. Having sufficient, continuous visibility over our external attack surface is an integral part of being able to efficiently carry out our task. When dealing with hundreds of companies with different products and supporting infrastructure we need to always be on top of our game.

For years, OWASP Amass has been a staple in the asset reconnaissance field, and keeps proving its worth time after time. The tool keeps constantly evolving and improving to adapt to the new trends in this area."

- Joona Hoikkala (@joohoi) & Alexis Fernández (@six2dez), Visma Red Team

References: DEF CON 30 Recon Village, DEF CON 28 Red Team Village, DEF CON 27 Demo Labs

Did you write a blog post, magazine article or do a podcast about OWASP Amass? Or maybe you held or joined a conference talk or meetup session, a hacking workshop or public training where this project was mentioned?

Add it to our ever-growing list of REFERENCES.md by forking and opening a Pull Request!

Contributing

We are always happy to get new contributors on board! Please check CONTRIBUTING.md to learn how to contribute to our codebase, and join our Discord Server to discuss current project goals.

Troubleshooting

If you need help with installation and/or usage of the tool, please join our Discord server where community members can best help you.

🛑 Please avoid opening GitHub issues for support requests or questions!

Licensing

This program is free software: you can redistribute it and/or modify it under the terms of the Apache license. OWASP Amass and any contributions are Copyright © by Jeff Foley 2017-2023. Some subcomponents have separate licenses.


amass's Issues

Docker run error

Built the docker image with docker build -t amass https://github.com/OWASP/Amass.git,
tried to run it, but got an error. A possible fix would be to ignore the SSL check in the http.Transport options.

╰$ sudo docker run amass --passive -d example.com
Get https://raw.githubusercontent.com/OWASP/Amass/master/wordlists/namelist.txt: x509: certificate signed by unknown authority

Feature Request: ASN Enumeration

Given an organization or string, I want to enumerate all ASNs based on either the Owner property on an ASN.

This is so I can then string that into other Amass tools to automate the end to end enumeration of an organizations external footprint.

No errors when using incorrect syntax

Say you run this command:
amass -d google.com -active -p 443

The program simply exits straight away, without any explanation. There should be some explanation why the program exited straight away.

Feature Request: Add flag that tests for domains that answer all queries with a response

A user on the chat server requested the following:

Some domains will answer all queries with a response. What about a flag that at the start queries a totally random subdomain that's generated. If that gets an answer, only log answers that are different from this reply?

This sounds like testing for wildcards, which we already perform automatically, but double-checking never hurts.
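
Added example, not Amass code: the random-probe check described in this request, written in Go. It resolves a few random labels under the zone; only if every one of them answers is the zone treated as a wildcard, and the union of addresses seen across the probes is recorded so that a round-robin wildcard is still recognised. Candidates whose answer is fully explained by that address set are dropped. The Resolver interface, the map-backed resolver and its records are constructed for this example so it runs offline; a real run would put net.Resolver or a DNS library behind the same interface.

```go
package main

import (
	"fmt"
	"math/rand"
	"sort"
	"strings"
)

// Resolver is the one lookup the wildcard check needs. Wrap net.Resolver or
// a DNS library for real use; the fake below is constructed so this runs offline.
type Resolver interface {
	LookupHost(name string) ([]string, error)
}

// mapResolver is a constructed fake zone: exact names first, then a
// "*.zone" entry that answers any other name beneath that zone.
type mapResolver map[string][]string

func (m mapResolver) LookupHost(name string) ([]string, error) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if ips, ok := m[name]; ok {
		return ips, nil
	}
	labels := strings.Split(name, ".")
	for i := 1; i < len(labels); i++ {
		if ips, ok := m["*."+strings.Join(labels[i:], ".")]; ok {
			return ips, nil
		}
	}
	return nil, fmt.Errorf("NXDOMAIN %s", name)
}

// constructedResolver holds sample records for the example (not real data).
func constructedResolver() Resolver {
	return mapResolver{
		"www.example.com":  {"203.0.113.10"},
		"mail.example.com": {"203.0.113.20"},
		"*.example.com":    {"203.0.113.1", "203.0.113.2"}, // catch-all answer
		"www.example.org":  {"198.51.100.5"},               // example.org has no wildcard
	}
}

// defaultRand is seeded so runs are repeatable; probe labels only need to be
// unlikely to exist, not unpredictable.
func defaultRand() *rand.Rand { return rand.New(rand.NewSource(1)) }

func randomLabel(r *rand.Rand, n int) string {
	const alphabet = "abcdefghijklmnopqrstuvwxyz"
	b := make([]byte, n)
	for i := range b {
		b[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(b)
}

// DetectWildcard resolves several random labels under zone. Only if every
// probe answers is the zone a wildcard; the union of addresses seen is
// returned so a round-robin wildcard is covered too.
func DetectWildcard(res Resolver, zone string, probes int, r *rand.Rand) (bool, []string) {
	seen := map[string]bool{}
	for i := 0; i < probes; i++ {
		ips, err := res.LookupHost(randomLabel(r, 12) + "." + zone)
		if err != nil || len(ips) == 0 {
			return false, nil // a random name did not exist: not a wildcard
		}
		for _, ip := range ips {
			seen[ip] = true
		}
	}
	out := make([]string, 0, len(seen))
	for ip := range seen {
		out = append(out, ip)
	}
	sort.Strings(out)
	return true, out
}

func allIn(ips []string, set map[string]bool) bool {
	for _, ip := range ips {
		if !set[ip] {
			return false
		}
	}
	return true
}

// FilterWildcard resolves each candidate and drops the ones whose answer is
// fully explained by the wildcard; names pointing elsewhere are kept.
func FilterWildcard(res Resolver, zone string, candidates []string, r *rand.Rand) []string {
	isWild, wildIPs := DetectWildcard(res, zone, 3, r)
	wild := map[string]bool{}
	for _, ip := range wildIPs {
		wild[ip] = true
	}
	var kept []string
	for _, c := range candidates {
		ips, err := res.LookupHost(c)
		if err != nil || len(ips) == 0 {
			continue
		}
		if isWild && allIn(ips, wild) {
			continue
		}
		kept = append(kept, c)
	}
	return kept
}

func main() {
	r, res := defaultRand(), constructedResolver()
	wild, ips := DetectWildcard(res, "example.com", 3, r)
	fmt.Println("example.com wildcard:", wild, ips)
	fmt.Println(FilterWildcard(res, "example.com",
		[]string{"www.example.com", "dev.example.com", "mail.example.com", "ftp.example.com"}, r))
}
```

One limitation to keep in mind: wildcards are per level, so *.dev.example.com can exist without *.example.com. Run the check against every parent of a candidate, not only the registered domain.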

Feature Request: Pause/Resume Scan

Hey @caffix, as a security engineer I might be enumerating a lot of domains, some of which will not be finished in one sitting (assuming it's running on a workstation / pentest laptop and not a server). I would like the option to resume a scan from a known state.

Nmap has done this by pointing a new scan to a previous scan output file and nmap resumes from there.

I would like the ability to resume from file or neo4j

Amass > 2.4.0 no longer working on Windows 10

Operating system: Windows 10 Enterprise 2016 LTSB - 1607 - 64-bit

Amass 2.4.0 is the last version that works for me - anything above and I get this message:

"This app can't run on your PC - To find a version for your PC, check with the software publisher"

I've tried disabling Windows Defender and Smartscreen to rule those out but still get the same error.

I have only attempted to use the compiled binaries.

[Bug] Data sources time out

Data sources that take a while to process and loop through (e.g., crt.sh) cannot complete as the main process times-out too quickly.

To-do: Add some code to each of the data sources so that it lets the main thread know it is still active and running.

This should not only return more results back but also improve the consistency of data returned.

[Feature Request] Timing templates

Amass is a very fast scanner, but when I use the -brute flag it DoSes my Wi-Fi, and I lose all internet at my home. I think it would be a nice feature to create some timing flag (like nmap) to control the speed of Amass.

importing github.com/caffix/amass

Hi,

There are 53 instances of github.com/caffix/amass being used across several files, instead of using the code at github.com/OWASP/Amass .

Are you ok if I send a PR to change it? (I checked both, the develop and master branches show this import, so I would be sending the PR to the develop branch)

Amass Version 2.6.8 not working on Kali Light

After an upgrade to version 2.6.8 Amass is taking a lot of time to finish and returns no results.
Before the upgrade I believe I was using version 2.5 and I was able to get some results.
Maybe some conflict with my environment, but I have no clue what I should check in order to fix it.
OBS. In the commands below I've just cancelled the passive execution since I didn't need to wait until the command finish.
Could you please help me to fix that?
Thanks!

root@zion:~# amass --version
version 2.6.8
root@zion:~# time amass -d example.com

real	36m3.027s
user	0m36.345s
sys	0m29.745s
root@zion:~# time amass --passive -d example.com
unauthorized.example.com
gerendes.cherochk100.example.com
ns1.example.com
...
sic3.example.com
mvasiliy.example.com
bulletproof.example.com
^C
real	9m17.552s
user	0m9.799s
sys	0m2.404s
root@zion:~# 

Feature Enhancement: From an ASN/CIDR/IP, enumerate the parent domains hosted on those systems

So we can now scan by ASN/CIDR/IP and find FQDNs/Subdomains on those systems. I would like to take it a step further and find out where else these domains are hosted.

Example:
I run amass on a network range, it finds the following FQDNs:

mail.example1.com
ftp.example2.com
vpn.example3.com
origin.example4.com

I want a command that lets Amass scan the domains above (example1.com, example2.com, example3.com, example4.com). So I know where the rest of those domains are hosted.

Out of memory

I'm using a virtual machine with 2GB RAM from one of the cloud providers. I faced an out-of-memory error with amass. Could you please help me with this issue?

$ uname -a
Linux bbsm 4.17.9-1-ARCH #1 SMP PREEMPT Sun Jul 22 20:23:36 UTC 2018 x86_64 GNU/Linux
$ go version
go version go1.10.3 linux/amd64
$ amass -version
version v2.3.3
$ amass -active -d criteo.com -o output.txt

amass_stacktrace.txt

altdns-like permutations

I recently discovered the altdns tool which takes a list of domains and permutes them by appending and prepending various common words to subdomains. I think this would be a cool addition to Amass' existing alteration engine.

I will happily work on a PR for this, I just wanted to make sure you think it would be a good addition to Amass before starting work on it. :)

Thanks for a great tool! 👍
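
Added example, not the altdns code and not Amass's alteration engine: a Go implementation of the permutation scheme this request describes. For one known name it prepends and appends each word to the leftmost label, with and without a hyphen, inserts the word as a new label on either side of the subdomain part, and bumps any trailing number on a label down and up. The zone itself is never altered, results are deduplicated and sorted, and candidates that are not valid hostnames are filtered out. The names and word list are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"unicode"
)

// Permutations builds altdns-style candidates below zone from one known FQDN.
func Permutations(fqdn, zone string, words []string) ([]string, error) {
	fqdn = strings.ToLower(strings.TrimSuffix(fqdn, "."))
	zone = strings.ToLower(strings.TrimSuffix(zone, "."))
	if !strings.HasSuffix(fqdn, "."+zone) {
		return nil, fmt.Errorf("%s is not below %s", fqdn, zone)
	}
	sub := strings.TrimSuffix(fqdn, "."+zone) // e.g. "api" or "api.dev"
	labels := strings.Split(sub, ".")
	first, rest := labels[0], ""
	if len(labels) > 1 {
		rest = "." + strings.Join(labels[1:], ".")
	}
	seen := map[string]bool{}
	add := func(s string) {
		if c := s + "." + zone; c != fqdn && validLabels(s) {
			seen[c] = true
		}
	}
	for _, w := range words {
		w = strings.ToLower(w)
		add(w + "-" + first + rest) // dev-api
		add(w + first + rest)       // devapi
		add(first + "-" + w + rest) // api-dev
		add(first + w + rest)       // apidev
		add(w + "." + sub)          // dev.api
		add(sub + "." + w)          // api.dev
	}
	// numeric neighbours: api1 -> api0, api2 (zero padding is not preserved)
	for i, l := range labels {
		stem, num, ok := splitTrailingNumber(l)
		if !ok {
			continue
		}
		for _, n := range []int{num - 1, num + 1} {
			if n < 0 {
				continue
			}
			alt := append([]string{}, labels...)
			alt[i] = stem + strconv.Itoa(n)
			add(strings.Join(alt, "."))
		}
	}
	out := make([]string, 0, len(seen))
	for c := range seen {
		out = append(out, c)
	}
	sort.Strings(out)
	return out, nil
}

// splitTrailingNumber returns the label without its trailing digits and the
// number those digits form; ok is false when the label ends in a non-digit.
func splitTrailingNumber(label string) (stem string, num int, ok bool) {
	i := len(label)
	for i > 0 && unicode.IsDigit(rune(label[i-1])) {
		i--
	}
	if i == len(label) {
		return label, 0, false
	}
	n, err := strconv.Atoi(label[i:])
	if err != nil {
		return label, 0, false
	}
	return label[:i], n, true
}

// validLabels drops candidates a resolver would reject anyway: empty or
// over-long labels and labels starting or ending with a hyphen.
func validLabels(s string) bool {
	for _, l := range strings.Split(s, ".") {
		if l == "" || len(l) > 63 || strings.HasPrefix(l, "-") || strings.HasSuffix(l, "-") {
			return false
		}
	}
	return true
}

// Has reports whether a sorted candidate list contains name.
func Has(sorted []string, name string) bool {
	i := sort.SearchStrings(sorted, name)
	return i < len(sorted) && sorted[i] == name
}

func main() {
	out, err := Permutations("api1.example.com", "example.com", []string{"dev", "staging"})
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(out, "\n"))
}
```

Feed the output to the resolver through a wildcard filter; a permutation engine with a wildcard zone produces nothing but false positives otherwise.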

[Feature Request] Handle data sources that block automated usage

Some data sources will stop serving requests if they detect 'automated usage'. We should handle these gracefully.

e.g., - Sitedossier does this and Amass incorrectly picks up the domain unauthorized.. as a result of the error message.

This requires us to go through and test all data sources for weird behaviour.

panic: runtime error: index out of range

I'm getting the error below for a specific host that I cannot disclose.

# amass -active -brute -r 8.8.8.8,1.1.1.1 -whois -d redacted.com -o amass.txt
...
after a few domains
...
panic: runtime error: index out of range

goroutine 31 [running]:
github.com/OWASP/Amass/amass.parseASNInfo(0xc42f7f9860, 0x21, 0x94417c)
	/root/go/src/github.com/OWASP/Amass/amass/network.go:333 +0x337
github.com/OWASP/Amass/amass.asnLookup(0xe6a5, 0xc42017ac60, 0xe6a5, 0xc3fe20)
	/root/go/src/github.com/OWASP/Amass/amass/network.go:279 +0x20b
github.com/OWASP/Amass/amass.fetchOnlineData(0xc43702cec2, 0xe, 0xe6a5, 0x0, 0x0, 0x0)
	/root/go/src/github.com/OWASP/Amass/amass/network.go:222 +0x24f
github.com/OWASP/Amass/amass.IPRequest(0xc43702cec2, 0xe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
	/root/go/src/github.com/OWASP/Amass/amass/network.go:91 +0xde
github.com/OWASP/Amass/amass.(*DataManagerService).insertDomain(0xc42074aaa0, 0xc436d47768, 0x8)
	/root/go/src/github.com/OWASP/Amass/amass/datamgmtsrv.go:169 +0x2ec
github.com/OWASP/Amass/amass.(*DataManagerService).insertMX(0xc42074aaa0, 0xc435a4a840, 0x2)
	/root/go/src/github.com/OWASP/Amass/amass/datamgmtsrv.go:321 +0x120
github.com/OWASP/Amass/amass.(*DataManagerService).manageData(0xc42074aaa0)
	/root/go/src/github.com/OWASP/Amass/amass/datamgmtsrv.go:133 +0x319
github.com/OWASP/Amass/amass.(*DataManagerService).processRequests(0xc42074aaa0)
	/root/go/src/github.com/OWASP/Amass/amass/datamgmtsrv.go:80 +0x8f
created by github.com/OWASP/Amass/amass.(*DataManagerService).OnStart
	/root/go/src/github.com/OWASP/Amass/amass/datamgmtsrv.go:57 +0x1b6
# amass --version
version v2.5.2

Feature Enhancement: add constraints to the search

@superuser5 wrote:

Would be awesome to be able to put constraints on searches to the known values (IP ranges / cert info / string in whois record) and with logic OR/AND. The constraints feature could just look for known strings in different areas like whois records or certificate information (whois records could be very messy, so checking if the known name of the organization is present anywhere in the whois response should be enough):

IP v4 ranges:

  • asn - report and limit only to the specific subnets for the ASN
  • IP ranges

certificate

  • certificate registration details - Subject/Organization name
  • certificate altNames (alternative names for the certificate)

whois - match specific strings in the whois records:

  • phone number
  • email address
  • company name
  • Registrant Organization/Registrant Name
  • Name Server

Example:
1: amass -constraints ASN1234
2: amass -constraints "cert:GitHub AND (whois:ns1.p16.dynect.net OR whois: 1.2083895740 OR whois:[email protected])"

$ whois guthub.com

Last update of whois database: 2018-07-05T20:14:03Z <<<

Domain Name: guthub.com
Registry Domain ID: 1421310529_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2018-02-08T02:13:13-0800
Creation Date: 2008-03-12T13:48:25-0700
Registrar Registration Expiration Date: 2020-03-12T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registrant Organization: GitHub, Inc.
Registrant State/Province: CA
Registrant Country: US
Admin Organization: GitHub, Inc.
Admin State/Province: CA
Admin Country: US
Tech Organization: GitHub, Inc.
Tech State/Province: CA
Tech Country: US
Name Server: ns4.p16.dynect.net
Name Server: ns1.p16.dynect.net
Name Server: ns3.p16.dynect.net
Name Server: ns2.p16.dynect.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

Last update of WHOIS database: 2018-07-05T13:14:12-0700 <<<

Beyond Amass: Features that move past enumeration

@kerberosmansour wrote:

This is a feature that might not fit Amass, but is more about what to do with the data:

  • Take snapshot of the homepage of each subdomain, present it with visjs in a report.
  • Scan the subdomains on common ports, (perhaps have smart filters for known ports on known subdomain names e.g. ftp.example.com, mail.example.com etc..).
  • Enumerate the technologies running on an FQDN (language/framework/CMS/etc..).
  • Run google dorks against an FQDN or whole domain and identify potential issues on the site(s).
  • Creating an original feed, this may be a project in and of itself, but a feed within Amass's control would significantly speed up the enumeration process.

Amass doesn't work on Windows Server 2012 R2

I have a Kali Light (Virtualbox machine) and Amass 2.4.1 (snap package) works perfect. Thanks for such amazing tool!
But now I'm trying to run Amass 2.4.1 (prebuilt and compiled source code) under Windows Server 2012 R2 (VMware Enterprise VM) and it doesn't work. Since it doesn't have a debug mode I don't know the reason.
The only environment difference between Kali and Windows is that my Windows Server VM is behind a firewall and DNS queries can maybe only go through the x.x.x.x internal DNS server and HTTP(S) requests can maybe only go through the x.x.x.x HTTP proxy. The proxy settings seem to be working fine since Go and Git can make HTTP requests without any problem.
Could you please help me to run Amass on this Windows Server?
Thanks!

E:\>amass -v -r x.x.x.x -d example.com
No names were discovered
E:\>nslookup
Default Server:  xxx.xxx.xx
Address:  x.x.x.x

> example.com
Server:  xxx.xxx.xx
Address:  x.x.x.x

Non-authoritative answer:
Name:    example.com
Addresses:  2606:2800:220:1:248:1893:25c8:1946
          93.184.216.34

DNS sweeping backwards?

This may be a non issue or a misunderstanding on my end. When running amass for my personal domain, erkin.xyz, I see the following coming through in the DNS sweeping. My IP address is 204.48.17.202 and when printing the DNS service requests going through, I see a sweep being performed as follows:

My ip
204.48.17.202

4 sample print lines from line 119 in brute.go
127.17.48.204.in-addr.arpa
142.17.48.204.in-addr.arpa
128.17.48.204.in-addr.arpa
143.17.48.204.in-addr.arpa

It looks like we are sweeping the octets backwards? Is this intended or am I missing something? Wouldn't we want to sweep the /24 of our original cidr? I.e. 204.48.17.202/24
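
Added example, not Amass's brute.go: how PTR owner names are formed and what a /24 sweep looks like, in Go. in-addr.arpa lists the octets least significant first, so the four names printed above are the reverse lookups for 204.48.17.127, 204.48.17.142 and so on, which is the /24 of the original address. The code builds the names for an IPv4 prefix, converts a name back to an address for reading sweep logs, handles ip6.arpa as well, and caps the prefix size so a mistyped /8 does not turn into sixteen million queries. The sample prefix is the one from the report.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ReverseName returns the owner name a PTR query for ip is sent to.
// in-addr.arpa lists IPv4 octets least significant first (RFC 1035 3.5), so
// 204.48.17.202 becomes 202.17.48.204.in-addr.arpa; ip6.arpa does the same
// per nibble (RFC 3596).
func ReverseName(ip net.IP) (string, error) {
	if v4 := ip.To4(); v4 != nil {
		return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa", v4[3], v4[2], v4[1], v4[0]), nil
	}
	v6 := ip.To16()
	if v6 == nil {
		return "", fmt.Errorf("not an IP address: %v", ip)
	}
	const hexdigits = "0123456789abcdef"
	var sb strings.Builder
	for i := len(v6) - 1; i >= 0; i-- {
		sb.WriteByte(hexdigits[v6[i]&0x0f])
		sb.WriteByte('.')
		sb.WriteByte(hexdigits[v6[i]>>4])
		sb.WriteByte('.')
	}
	sb.WriteString("ip6.arpa")
	return sb.String(), nil
}

// ReverseOf is ReverseName for a textual address.
func ReverseOf(addr string) (string, error) {
	ip := net.ParseIP(addr)
	if ip == nil {
		return "", fmt.Errorf("not an IP address: %s", addr)
	}
	return ReverseName(ip)
}

// AddrFromReverse undoes ReverseName for IPv4, which is what you want when
// reading a sweep log: 127.17.48.204.in-addr.arpa is 204.48.17.127.
func AddrFromReverse(name string) (net.IP, error) {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	const suffix = ".in-addr.arpa"
	if !strings.HasSuffix(name, suffix) {
		return nil, fmt.Errorf("not an in-addr.arpa name: %s", name)
	}
	parts := strings.Split(strings.TrimSuffix(name, suffix), ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("expected four octets in %s", name)
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 255 {
			return nil, fmt.Errorf("bad octet %q in %s", p, name)
		}
		ip[3-i] = byte(n) // reverse the order again
	}
	return ip, nil
}

// SweepNames lists the PTR owner names for every IPv4 address in cidr.
// The cap keeps a typo such as /8 from producing sixteen million queries.
func SweepNames(cidr string, maxAddrs int) ([]string, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	base := ipnet.IP.To4()
	if base == nil {
		return nil, fmt.Errorf("IPv4 prefixes only: %s", cidr)
	}
	ones, bits := ipnet.Mask.Size()
	if n := 1 << (bits - ones); n > maxAddrs {
		return nil, fmt.Errorf("%s spans %d addresses, above the cap of %d", cidr, n, maxAddrs)
	}
	var names []string
	for cur := base; ipnet.Contains(cur); cur = nextIP(cur) {
		name, _ := ReverseName(cur)
		names = append(names, name)
	}
	return names, nil
}

// nextIP returns ip + 1 as a fresh slice, carrying across octets.
func nextIP(ip net.IP) net.IP {
	out := make(net.IP, len(ip))
	copy(out, ip)
	for i := len(out) - 1; i >= 0; i-- {
		out[i]++
		if out[i] != 0 {
			break
		}
	}
	return out
}

func main() {
	names, err := SweepNames("204.48.17.202/24", 1024)
	if err != nil {
		panic(err)
	}
	fmt.Println(len(names), "names, first:", names[0], "last:", names[len(names)-1])
	ip, _ := AddrFromReverse("127.17.48.204.in-addr.arpa")
	fmt.Println("127.17.48.204.in-addr.arpa is the PTR name for", ip)
}
```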

Cannot build amass on Windows with go 1.11

I cannot build amass on Windows with go 1.11. I get the following error.

>go get -u -ldflags "-s -w" github.com/OWASP/Amass/cmd/amass
# github.com/OWASP/Amass/cmd/amass
go\src\github.com\OWASP\Amass\cmd\amass\main.go:218:23: undefined: syscall.SIGTSTP
go\src\github.com\OWASP\Amass\cmd\amass\main.go:219:24: undefined: syscall.SIGCONT

unable to use amass -d example.com (i am only able to use amass -nodns -d example.com)

@ethicalbughunter wrote:

When I fire up amass with a simple command such as "amass -d example.com", it hangs and gives no result on the screen.

Device: System kali Linux 4.15.0-kali2-amd64

it only works when I used amass -nodns -d example.com

Any Suggestions?
or my device missing some sort of things
please add any installation guide which is not mentioned on https://github.com/OWASP/Amass
like (go build commands after installing amass)
Thanks
best regards

[BUG] Amass stops responding after some time

I'm faced with strange amass behavior on some domains.
Eg with twitter:
amass -d twitter.com -active -r 8.8.8.8 -v -log ~/twitter.log
I see amass activity by the CPU usage after start, but after some time (15-25 min) the usage decreases to 1% and amass process never ends. There is no new information in the log or in the output at a later time.

I'm using the latest amass version from github source.

cannot find package "github.com/caffix/amass/amass/core"

I'm compiling the latest release 2.8.3 and facing the following error:

>>> Compiling source in /var/tmp/portage/net-analyzer/amass-2.8.3/work/amass-2.8.3 ...
src/github.com/OWASP/Amass/cmd/amass.netdomains/main.go:19:2: cannot find package "github.com/caffix/amass/amass/core" in any of:
        /var/tmp/portage/net-analyzer/amass-2.8.3/work/amass-2.8.3/src/github.com/OWASP/Amass/vendor/github.com/caffix/amass/amass/core (vendor tree)
        /usr/lib/go/src/github.com/caffix/amass/amass/core (from $GOROOT)
        /var/tmp/portage/net-analyzer/amass-2.8.3/work/amass-2.8.3/src/github.com/caffix/amass/amass/core (from $GOPATH)
        /usr/lib/go-gentoo/src/github.com/caffix/amass/amass/core

Feature Request: Pre-canned Cypher queries for neo4j

Now that we have data in neo4j, as a security engineer I would like some quick analysis done on the data.
For example using the page rank algorithm and find the outliers (least connected nodes etc..) so I have an idea where potentially the weakest links in the chain might be.

Consistent (and inconsistent) false-negatives on known existing domains

Hello!

There appear to be issues with the domain discovery process. amass was thrown at scanme.nmap.org to see what domains would be discovered from there. Naturally it didn't find much-- there aren't any subdomains there. After that was fruitless, it was thrown at nmap.org, and to my surprise, it found almost nothing. Not even www.nmap.org.

After some tweaking, I decided to try changing the nameservers, other than the default DigitalOcean nameservers I was using. This seemed to find more domains, but not nearly as many as other domain enumeration tools. I decided to enable logging, and to my shock, it was consistently assuming that certain domain names did not resolve. Of note, scanme.nmap.org, according to amass, did not resolve.

Of interest as well is that the nameservers chosen seems to affect the outcome of the result. Scanning entirely with -r 4.2.2.2,4.2.2.3 resolves a few domains correctly (though still yields false negatives), yet using -r 8.8.8.8,9.9.9.9,1.1.1.1 seems to resolve nothing. Going further, hitting the nameservers specific to nmap.org-- namely, ns[1-5].linode.com and hostmaster.insecure.org, additionally don't seem to yield anything.

There seem to be some more problems in here, such as improper parsing of URLs it looks like from just the error messages? But I'm not certain. Either way, here are some notable highlights of false negatives of known active domains.

Attached are logs of some scans. Here's the table of the commands run to produce them. Hope all this helps!

Data

System information

uname -a: Linux sputnik 4.9.0-7-amd64 #1 SMP Debian 4.9.110-1 (2018-07-05) x86_64 GNU/Linux
amass -version: version 2.8.1
Installed with: snap install amass

Execution information

Scan information

amass-level3.log: amass -v -active -brute -ip -r 4.2.2.2,4.2.2.3 -log amass-level3.log -d nmap.org
amass-google.log: amass -v -active -brute -ip -r 8.8.8.8,9.9.9.9 -log amass-google.log -d nmap.org
amass-cloudflare.log: amass -v -active -brute -ip -r 1.1.1.1 -log amass-cloudflare.log -d nmap.org
amass-direct-ns.log: amass -v -active -brute -ip -r 162.159.27.72,45.33.49.119 -d nmap.org

Notable false-negatives

  • www.nmap.org:
    • all logs:
      • 23:16:18.873822 DNS query for www.nmap.org, type 16 returned 0 records
      • 23:16:18.915679 DNS query for www.nmap.org, type 5 returned 0 records
    • dig:
      • Level3: www.nmap.org. 3600 IN A 45.33.49.119
      • Google: www.nmap.org. 1676 IN A 45.33.49.119
      • Cloudflare: www.nmap.org. 1865 IN A 45.33.49.119
      • Direct NS: www.nmap.org. 3600 IN A 45.33.49.119
  • scanme.nmap.org:
    • amass-cloudflare.log, amass-direct-ns.log, amass-level3.log:
      • 23:16:18.346003 DNS query for scanme.nmap.org, type 16 returned 0 records
      • 23:16:18.435695 DNS query for scanme.nmap.org, type 5 returned 0 records
    • amass-google.log:
      • 23:17:10.031753 DNS query for scanme.nmap.org, type 16 returned 0 records
      • 23:17:13.083533 DNS query for scanme.nmap.org, type 5 returned error 2
    • dig:
      • Level3: scanme.nmap.org. 3600 IN A 45.33.32.156
      • Google: scanme.nmap.org. 3289 IN A 45.33.32.156
      • Cloudflare: scanme.nmap.org. 1776 IN A 45.33.32.156
      • Direct NS: scanme.nmap.org. 3600 IN A 45.33.32.156
  • svn.nmap.org:
    • amass-cloudflare.log, amass-direct-ns.log, amass-level3.log:
      • 23:16:18.344238 DNS query for svn.nmap.org, type 16 returned 0 records
      • 23:16:18.415804 DNS query for svn.nmap.org, type 5 returned 0 records
    • amass-google.log:
      • 23:17:10.032100 DNS query for svn.nmap.org, type 16 returned 0 records
      • 23:17:10.066531 DNS query for svn.nmap.org, type 5 returned 0 records
      • 23:17:10.078497 DNS query for svn.nmap.org, type 1 returned 0 records
    • dig:
      • Level3: svn.nmap.org. 1242 IN A 45.33.49.119
      • Google: svn.nmap.org. 1331 IN A 45.33.49.119
      • Cloudflare: svn.nmap.org. 1220 IN A 45.33.49.119
      • Direct NS: svn.nmap.org. 3600 IN A 45.33.49.119

amass-cloudflare.log
amass-direct-ns.log
amass-google.log
amass-level3.log

Feature Enhancement: Provide option that will tell user what will happen before sending any packets

@sethsec indicated that it would be nice to have the ability to tack on an arg that will take all other command line input, and display what amass will do. Almost a dry run.

For example:

amass -d domain.com -active -brute -min-for-recursive 3 net --cidr 10.0.0.0/24 -

Output:

This command will deploy the following mechanisms:
Passive Query: Source1
Passive Query: Source2
Active Query: Source/Type 1 (Forward DNS Request)
Active Query: Source/Type 2 (Zone transfer Request)
etc..

The idea is to provide the user a little bit more info so they can determine

lose internet

Hi, when I use the -brute or -d flag, I lose my wifi internet; it doesn't matter if I use my desktop, laptop or any pc. Sorry for my English, I hope you can understand me. So do you know how to fix this problem?

Installing from source, errors out on `go get`

$ go get -u github.com/OWASP/Amass/...
# github.com/OWASP/Amass/amass/dnssrv
amass/dnssrv/wildcards.go:100:2: undefined: "math/rand".Shuffle
$ go version
go version go1.9.3 linux/amd64

Dockerfile image fails to build

Hello,

I am running Kali, but with docker-ce installed from the docker.com repos. After cloning, when I try to:

docker build .

After a lot of steps, the build stops with the following error message:

... tons of stuff...
golang.org/x/vgo/vendor/cmd/go/internal/fmtcmd
golang.org/x/vgo/vendor/cmd/go/internal/fix
golang.org/x/vgo/vendor/cmd/go/internal/clean
golang.org/x/vgo/vendor/cmd/go/internal/generate
golang.org/x/vgo/vendor/cmd/go/internal/list
golang.org/x/vgo/vendor/cmd/go/internal/bug
golang.org/x/vgo/vendor/cmd/go/internal/modcmd
golang.org/x/vgo/vendor/cmd/go/internal/modget
golang.org/x/vgo/vendor/cmd/go
golang.org/x/vgo
go: creating new go.mod: module github.com/OWASP/Amass
can't load package: package github.com/OWASP/Amass: no Go files in /go/src/github.com/OWASP/Amass
The command '/bin/sh -c apk --no-cache add git   && go get -u -v golang.org/x/vgo   && vgo install' returned a non-zero code: 1

Are you able to build the latest version of amass using docker?

[Feature Request] Show sub-domains that do not resolve

It is plausible to have legitimate, active sub-domains that do not resolve externally but resolve internally (think sub-domains that only resolve using an internal nameserver)

I think these 'unresolvable' sub-domains could still be of value to red-teamers/pentesters/bug-bounty hunters as they could provide information that would otherwise go unnoticed.

e.g., jenkins.example.com may not resolve to an IP but could still be very useful during recon and may prompt the tester to investigate further.

Might be worth putting this function in another flag like --include-unresolvable

golang sort is overwriting GNU sort (coreutils)

The Amass dep called sort is overwriting GNU sort (coreutils) from the standard OS.
This can break some systems and is quite boring to detect.

root@zion:~/go/pkg# go list -f {{.Deps}} github.com/OWASP/Amass/amass/
[bufio bytes compress/flate compress/gzip container/list context crypto crypto/aes crypto/cipher crypto/des crypto/dsa crypto/ecdsa crypto/elliptic crypto/hmac crypto/internal/cipherhw crypto/md5 crypto/rand crypto/rc4 crypto/rsa crypto/sha1 crypto/sha256 crypto/sha512 crypto/subtle crypto/tls crypto/x509 crypto/x509/pkix database/sql database/sql/driver encoding encoding/asn1 encoding/base32 encoding/base64 encoding/binary encoding/gob encoding/hex encoding/json encoding/pem encoding/xml errors fmt github.com/OWASP/Amass/amass/core github.com/OWASP/Amass/amass/dnssrv github.com/OWASP/Amass/amass/handlers github.com/OWASP/Amass/amass/sources github.com/OWASP/Amass/amass/utils github.com/OWASP/Amass/amass/utils/viz github.com/PuerkitoBio/fetchbot github.com/PuerkitoBio/goquery github.com/andybalholm/cascadia github.com/asaskevich/EventBus github.com/irfansharif/cfilter github.com/johnnadratowski/golang-neo4j-bolt-driver github.com/johnnadratowski/golang-neo4j-bolt-driver/encoding github.com/johnnadratowski/golang-neo4j-bolt-driver/errors github.com/johnnadratowski/golang-neo4j-bolt-driver/log github.com/johnnadratowski/golang-neo4j-bolt-driver/structures github.com/johnnadratowski/golang-neo4j-bolt-driver/structures/graph github.com/johnnadratowski/golang-neo4j-bolt-driver/structures/messages github.com/miekg/dns github.com/miekg/dns/vendor/golang.org/x/crypto/ed25519 github.com/miekg/dns/vendor/golang.org/x/crypto/ed25519/internal/edwards25519 github.com/miekg/dns/vendor/golang.org/x/net/bpf github.com/miekg/dns/vendor/golang.org/x/net/internal/iana github.com/miekg/dns/vendor/golang.org/x/net/internal/socket github.com/miekg/dns/vendor/golang.org/x/net/ipv4 github.com/miekg/dns/vendor/golang.org/x/net/ipv6 github.com/temoto/robotstxt-go go/token golang.org/x/net/html golang.org/x/net/html/atom golang.org/x/sys/unix hash hash/crc32 hash/fnv html html/template internal/cpu internal/nettrace internal/poll internal/race internal/singleflight internal/syscall/unix 
internal/testlog io io/ioutil log math math/big math/bits math/rand mime mime/multipart mime/quotedprintable net net/http net/http/httptrace net/http/internal net/rpc net/textproto net/url os path path/filepath reflect regexp regexp/syntax runtime runtime/cgo runtime/debug runtime/internal/atomic runtime/internal/sys sort strconv strings sync sync/atomic syscall text/template text/template/parse time unicode unicode/utf16 unicode/utf8 unsafe vendor/golang_org/x/crypto/chacha20poly1305 vendor/golang_org/x/crypto/chacha20poly1305/internal/chacha20 vendor/golang_org/x/crypto/cryptobyte vendor/golang_org/x/crypto/cryptobyte/asn1 vendor/golang_org/x/crypto/curve25519 vendor/golang_org/x/crypto/poly1305 vendor/golang_org/x/net/http2/hpack vendor/golang_org/x/net/idna vendor/golang_org/x/net/lex/httplex vendor/golang_org/x/net/proxy vendor/golang_org/x/text/secure/bidirule vendor/golang_org/x/text/transform vendor/golang_org/x/text/unicode/bidi vendor/golang_org/x/text/unicode/norm]
root@zion:~/go/pkg# which sort
/root/go/bin/sort
root@zion:~/go/pkg#

altdns-like permutations

I recently discovered the altdns tool which takes a list of domains and permutes them by appending and prepending various common words to subdomains. I think this would be a cool addition to Amass' existing alteration engine.

I will happily work on a PR for this, I just wanted to make sure you think it would be a good addition to Amass before starting work on it. :)

Thanks for a great tool! 👍
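An added example of the kind of permutation altdns performs, written for this page and not taken from Amass or altdns. Given one discovered name, the root domain and a word list, it produces the prefix and suffix forms (`word-label`, `word.label`, `label-word`, `label.word`) for every subdomain label, de-duplicated and never including the input itself. The word list and names in `main` are constructed; in practice the output would be fed to the resolver, where wildcard detection decides which candidates are real.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Permutations returns altdns-style candidates for fqdn, which must be a
// proper subdomain of root. For every subdomain label and every word it
// yields four forms: word-label, word.label, label-word and label.word.
// Results are de-duplicated, never include the input itself, and are sorted.
func Permutations(fqdn, root string, words []string) []string {
	fqdn, root = strings.ToLower(fqdn), strings.ToLower(root)
	suffix := "." + root
	if !strings.HasSuffix(fqdn, suffix) {
		return nil // the apex itself, or a name outside root: nothing to alter
	}
	labels := strings.Split(strings.TrimSuffix(fqdn, suffix), ".")
	seen := map[string]bool{fqdn: true}
	var out []string
	for i, label := range labels {
		for _, w := range words {
			if w == "" {
				continue
			}
			for _, alt := range []string{w + "-" + label, w + "." + label, label + "-" + w, label + "." + w} {
				cand := make([]string, len(labels))
				copy(cand, labels)
				cand[i] = alt
				name := strings.Join(cand, ".") + suffix
				if !seen[name] {
					seen[name] = true
					out = append(out, name)
				}
			}
		}
	}
	sort.Strings(out)
	return out
}

// PermuteAll applies Permutations to every discovered name and returns the
// union, so candidates shared between inputs are emitted only once.
func PermuteAll(names []string, root string, words []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, n := range names {
		for _, p := range Permutations(n, root, words) {
			if !seen[p] {
				seen[p] = true
				out = append(out, p)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample input; "example.com" is a placeholder root.
	names := []string{"api.example.com", "mail.corp.example.com"}
	words := []string{"dev", "stage"}
	for _, c := range PermuteAll(names, "example.com", words) {
		fmt.Println(c)
	}
}
```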

Error: goroutine 45944701 [IO wait]

goroutine 45944701 [IO wait]:
internal/poll.runtime_pollWait(0x7f079c2d69b0, 0x72, 0xc5c48d58b8)
        /go/src/github.com/OWASP/Amass/parts/go/build/src/runtime/netpoll.go:173 +0x57
internal/poll.(*pollDesc).wait(0xc5b2964d18, 0x72, 0xffffffffffffff00, 0x9a7d20, 0xbe0580)
        /go/src/github.com/OWASP/Amass/parts/go/build/src/internal/poll/fd_poll_runtime.go:85 +0x9b
internal/poll.(*pollDesc).waitRead(0xc5b2964d18, 0xc5353dda00, 0x200, 0x200)
        /go/src/github.com/OWASP/Amass/parts/go/build/src/internal/poll/fd_poll_runtime.go:90 +0x3d
internal/poll.(*FD).Read(0xc5b2964d00, 0xc5353dda00, 0x200, 0x200, 0x0, 0x0, 0x0)
        /go/src/github.com/OWASP/Amass/parts/go/build/src/internal/poll/fd_unix.go:157 +0x17d
net.(*netFD).Read(0xc5b2964d00, 0xc5353dda00, 0x200, 0x200, 0x0, 0x200, 0xc5353dda00)
        /go/src/github.com/OWASP/Amass/parts/go/build/src/net/fd_unix.go:202 +0x4f
net.(*conn).Read(0xc5c2fdf358, 0xc5353dda00, 0x200, 0x200, 0x0, 0x0, 0x0)
        /go/src/github.com/OWASP/Amass/parts/go/build/src/net/net.go:176 +0x6a
github.com/miekg/dns.(*Conn).Read(0xc5c48d5c98, 0xc5353dda00, 0x200, 0x200, 0x200, 0x200, 0xc5c48d5a80)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/miekg/dns/client.go:414 +0x1c7
github.com/miekg/dns.(*Conn).ReadMsgHeader(0xc5c48d5c98, 0x0, 0x97bfedfe09c, 0xc266e0, 0x72, 0x0, 0x0)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/miekg/dns/client.go:327 +0x3a4
github.com/miekg/dns.(*Conn).ReadMsg(0xc5c48d5c98, 0xbedadf4916010d0a, 0x97bfedfe09c, 0xc266e0)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/miekg/dns/client.go:278 +0x49
github.com/OWASP/Amass/amass/dnssrv.ExchangeConn(0x9adce0, 0xc5c2fdf358, 0xc467fff320, 0x2f, 0x5, 0x0, 0x9adce0, 0xc5c2fdf358, 0x0, 0x0)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/support.go:109 +0x18b
github.com/OWASP/Amass/amass/dnssrv.Resolve(0xc467fff320, 0x2f, 0x944076, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/support.go:30 +0x1db
github.com/OWASP/Amass/amass/dnssrv.wildcardTestResolution(0xc42afd5900, 0xf, 0x3, 0x942e85, 0x1)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/wildcards.go:71 +0x90
github.com/OWASP/Amass/amass/dnssrv.DetectWildcard(0x7ffe9942d398, 0xb, 0xc435df8440, 0x15, 0xc4596f8030, 0x1, 0x1, 0x0)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/wildcards.go:34 +0x12e
github.com/OWASP/Amass/amass/dnssrv.(*DNSService).completeQueries(0xc4200d8370, 0xc439e66ae0)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/dnssrv.go:160 +0x3e2
created by github.com/OWASP/Amass/amass/dnssrv.(*DNSService).performRequest
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/dnssrv/dnssrv.go:119 +0x13a

I'm getting a lot of these lately, crashing the execution of amass. No idea what's causing it. It's been happening a lot the last few days though.

Feature Enhancement: add extra information about the found domain to the json output

@superuser5 wrote:

Thanks for making such a cool tool! I am redoing this request as the json output already has a lot of data.
It is still not enough to decide if something should be in scope for the organization.

The following additional information (in the json file) will help to decide if a domain is in scope:

  • reason why this domain was included - like cert that matches something.com, name server, org name, cidr, asn, etc. This could go with flag "-reason" or just extra point of information.

  • Email address of registrant or tech contact from the domain's whois records

  • Name Server from the domain's whois record

  • Company name for the domain, which is different to the company name for the IP dance

  • SSL cert info

  • responding ports found from the active scan

thank you in advance.

can't clone the package

go get github.com/OWASP/Amass.git
package github.com/OWASP/Amass.git: invalid version control suffix in github.com/ path

Flush json regularly

It seems like right now, the -json flag only flushes its result out at the end of the enumeration. Is there any chance that the json output could either be flushed when the result is printed to the console, or give the option to write json to stdout?

Run time Error

panic: close of nil channel [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x805503]

goroutine 661556 [running]:
github.com/PuerkitoBio/gocrawl.(*Crawler).Stop.func1(0xc44407c360)
/home/caffix/go_work/src/github.com/PuerkitoBio/gocrawl/crawler.go:335 +0xc3
panic(0x8b66c0, 0x999c00)
/usr/local/go/src/runtime/panic.go:505 +0x229
github.com/PuerkitoBio/gocrawl.(*Crawler).Stop(0xc44407c360)
/home/caffix/go_work/src/github.com/PuerkitoBio/gocrawl/crawler.go:340 +0x55
github.com/caffix/amass/amass/sources.UKGovArchiveQuery.func1(0xc444accb40, 0xc44407c360)
/home/caffix/go_work/src/github.com/caffix/amass/amass/sources/ukgovarchive.go:49 +0x45
created by github.com/caffix/amass/amass/sources.UKGovArchiveQuery
/home/caffix/go_work/src/github.com/caffix/amass/amass/sources/ukgovarchive.go:47 +0x35b

[Bug] Panic: send on closed channel

Getting consistent failures with the following scan:
amass -v -ip -brute -min-for-recursive 6 -df domains.txt -oA resultsFile

error message:
panic: send on closed channel

goroutine 8652393 [running]:
github.com/caffix/amass/amass.StartEnumeration.func1(0xc551ca7a40)
        /home/caffix/go_work/src/github.com/caffix/amass/amass/amass.go:63 +0x42
reflect.Value.call(0x88b940, 0xc42002e080, 0x13, 0x938ef4, 0x4, 0xc46b4080e0, 0x1, 0x1, 0xc551ca7a40, 0xc4a8aa3900, ...)
        /usr/local/go/src/reflect/value.go:447 +0x969
reflect.Value.Call(0x88b940, 0xc42002e080, 0x13, 0xc46b4080e0, 0x1, 0x1, 0xc46b4080e0, 0x1, 0x1)
        /usr/local/go/src/reflect/value.go:308 +0xa4
github.com/asaskevich/EventBus.(*EventBus).doPublish(0xc4203f0060, 0xc42044a0f0, 0x93f5f9, 0xc, 0xc4a8aa3900, 0x1, 0x1)
        /home/caffix/go_work/src/github.com/asaskevich/EventBus/event_bus.go:158 +0xa8
github.com/asaskevich/EventBus.(*EventBus).doPublishAsync(0xc4203f0060, 0xc42044a0f0, 0x93f5f9, 0xc, 0xc4a8aa3900, 0x1, 0x1)
        /home/caffix/go_work/src/github.com/asaskevich/EventBus/event_bus.go:166 +0xa3
created by github.com/asaskevich/EventBus.(*EventBus).Publish
        /home/caffix/go_work/src/github.com/asaskevich/EventBus/event_bus.go:150 +0x28b

Binary version 2.8.0

Incorrect parsing of wildcard certificate CNs with certain TLDs in 'net' mode

I am having an issue when trying to perform discovery in 'net' mode on a server whose certificate has the following characteristics:

  • Is a wildcard certificate (ex: foo.com.pl)
  • Is in a national TLD which uses a subdomain as a de facto TLD, (ex: .com.pl, .co.uk)

This results in the return of a large number of false-positive results from the [ThreatCrowd] data source that appear to be random members of the national TLD's subdomain; it appears that ThreatCrowd is enumerating all of the domains in, for instance, .com.pl. Example output is below:

[ThreatCrowd] lupus1.com.pl,85.128.135.19
[ThreatCrowd] b-52.com.pl,46.4.42.105
[ThreatCrowd] 12.com.pl,188.128.255.251
[ThreatCrowd] m21.com.pl,91.228.197.30
[ThreatCrowd] 02.com.pl,93.157.100.74
[ThreatCrowd] rs232.com.pl,138.201.172.157

This behavior does not occur when enumerating subdomains with the '-d' switch. Here's an example site that can be used to demonstrate this behavior:

https://dhl24.com.pl (cert is issued to '*.dhl24.com.pl')
Site's IP address is 91.227.200.193
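An added example, not Amass code, of where the false positives in the report above come from and how to avoid them. `NaiveRoot` keeps the last two labels of the certificate name, which turns `*.dhl24.com.pl` into the national TLD `com.pl`; `RegistrableDomain` instead looks up the longest known public suffix and keeps one label in front of it, and `InScope` then rejects names such as `lupus1.com.pl` that merely share that suffix. The `publicSuffixes` table is a constructed stand-in for the real Public Suffix List, holding only the entries the example needs.

```go
package main

import (
	"fmt"
	"strings"
)

// publicSuffixes is a constructed stand-in for the Public Suffix List,
// holding just enough entries for the names used below.
var publicSuffixes = map[string]bool{
	"com": true, "pl": true, "com.pl": true, "uk": true, "co.uk": true,
}

// NaiveRoot keeps the last two labels of the certificate name. For a CN
// under a two-label national TLD this yields the TLD itself, so every
// registration beneath it looks like it belongs to the target.
func NaiveRoot(cn string) string {
	labels := strings.Split(strings.TrimPrefix(strings.ToLower(cn), "*."), ".")
	if len(labels) <= 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// RegistrableDomain strips a wildcard prefix, finds the longest known public
// suffix and keeps exactly one label in front of it. ok is false when the
// name is itself a public suffix or its suffix is not in the table.
func RegistrableDomain(cn string) (domain string, ok bool) {
	name := strings.TrimPrefix(strings.ToLower(cn), "*.")
	labels := strings.Split(name, ".")
	for i := 0; i < len(labels); i++ { // i == 0 is the longest candidate
		if publicSuffixes[strings.Join(labels[i:], ".")] {
			if i == 0 {
				return "", false // e.g. "*.com.pl": nothing of the target's to enumerate
			}
			return strings.Join(labels[i-1:], "."), true
		}
	}
	return "", false
}

// InScope reports whether name equals root or lies strictly beneath it.
func InScope(name, root string) bool {
	name, root = strings.ToLower(name), strings.ToLower(root)
	return name == root || strings.HasSuffix(name, "."+root)
}

func main() {
	cn := "*.dhl24.com.pl" // the CN quoted in the issue
	root, _ := RegistrableDomain(cn)
	fmt.Printf("naive root: %s   registrable domain: %s\n", NaiveRoot(cn), root)
	for _, n := range []string{"lupus1.com.pl", "b-52.com.pl", "www.dhl24.com.pl"} {
		fmt.Printf("%-20s in scope: %v\n", n, InScope(n, root))
	}
}
```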

[Feature Request] Add progress indicator

In the newest version (2.8.2), I'm finding that with -T4, my scans are taking awfully long, and I can't really tell if the process is doing anything.

Would it be possible to maybe have a flag, which outputs every X time, a status on what's going on? Like how many requests are being sent per second when brute forcing, or similar? Queue stats? Stuff like that?

panic: send on closed channel

Not sure what triggers this. Running on 2.5.0. May be related to running multiple amass processes at once.

It'd be awesome if this could be handled gracefully!

panic: send on closed channel

goroutine 317741 [running]:
github.com/OWASP/Amass/amass.(*Enumeration).Start.func1(0xc423336780)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/OWASP/Amass/amass/amass.go:205 +0x114
reflect.Value.call(0x8a3f60, 0xc42000c260, 0x13, 0x958236, 0x4, 0xc42275c300, 0x1, 0x1, 0xc423336780, 0xc423c59de0, ...)
        /go/src/github.com/OWASP/Amass/parts/go/build/src/reflect/value.go:447 +0x969
reflect.Value.Call(0x8a3f60, 0xc42000c260, 0x13, 0xc42275c300, 0x1, 0x1, 0xc42275c300, 0x1, 0x1)
        /go/src/github.com/OWASP/Amass/parts/go/build/src/reflect/value.go:308 +0xa4
github.com/asaskevich/EventBus.(*EventBus).doPublish(0xc42000c240, 0xc42009bc50, 0x95e934, 0xc, 0xc423c59de0, 0x1, 0x1)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/asaskevich/EventBus/event_bus.go:158 +0xa8
github.com/asaskevich/EventBus.(*EventBus).doPublishAsync(0xc42000c240, 0xc42009bc50, 0x95e934, 0xc, 0xc423c59de0, 0x1, 0x1)
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/asaskevich/EventBus/event_bus.go:166 +0xa3
created by github.com/asaskevich/EventBus.(*EventBus).Publish
        /go/src/github.com/OWASP/Amass/parts/amass/go/src/github.com/asaskevich/EventBus/event_bus.go:150 +0x28b
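The three traces above ("close of nil channel" from the UKGovArchive crawler, and "send on closed channel" from the EventBus publisher in both versions 2.5.0 and 2.8.0) are the same family of Go concurrency bug: a producer writes to, or a second caller closes, a channel that another goroutine has already closed. The following is an added example of a defensive pattern, written for this page and not Amass' own code, that makes both operations safe: `Close` is idempotent through `sync.Once`, it signals `done` before taking the write lock so blocked senders wake up, and `Send` holds a read lock while writing so the channel can only be closed once no send is in flight. `Demo` and its worker counts are constructed to exercise the race.

```go
package main

import (
	"fmt"
	"sync"
)

// Outbox is a results channel that can be closed while producers are still
// running. Close first signals done, then takes the write lock, so every
// in-flight Send has either completed or bailed out via the done case
// before ch itself is closed.
type Outbox struct {
	ch     chan string
	done   chan struct{}
	once   sync.Once
	mu     sync.RWMutex
	closed bool
}

func NewOutbox(buf int) *Outbox {
	return &Outbox{ch: make(chan string, buf), done: make(chan struct{})}
}

// Send reports whether v was accepted. After Close it returns false
// instead of panicking with "send on closed channel".
func (o *Outbox) Send(v string) bool {
	o.mu.RLock()
	defer o.mu.RUnlock()
	if o.closed {
		return false
	}
	select {
	case o.ch <- v:
		return true
	case <-o.done: // Close is in progress; do not block holding the read lock
		return false
	}
}

// Close is idempotent: a second call is a no-op rather than a double close.
func (o *Outbox) Close() {
	o.once.Do(func() {
		close(o.done) // wake any Send blocked on a full buffer
		o.mu.Lock()   // wait for in-flight Sends to release the read lock
		o.closed = true
		close(o.ch)
		o.mu.Unlock()
	})
}

// Results is the receive side; the range loop ends once Close has run and
// the buffer is drained.
func (o *Outbox) Results() <-chan string { return o.ch }

// Demo runs workers that each attempt n sends while the consumer closes the
// outbox after the first stopAfter results (stopAfter >= 1). Every accepted
// send is received, and accepted+rejected always equals workers*n.
func Demo(workers, n, stopAfter int) (accepted, rejected, received int) {
	o := NewOutbox(4)
	var mu sync.Mutex
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			for i := 0; i < n; i++ {
				ok := o.Send(fmt.Sprintf("w%d-%d", id, i))
				mu.Lock()
				if ok {
					accepted++
				} else {
					rejected++
				}
				mu.Unlock()
			}
		}(w)
	}
	for range o.Results() {
		received++
		if received == stopAfter {
			o.Close() // producers keep running; none of them panics
		}
	}
	wg.Wait()
	return accepted, rejected, received
}

func main() {
	a, r, got := Demo(8, 100, 10)
	fmt.Printf("accepted=%d rejected=%d received=%d\n", a, r, got)
}
```

Closing `done` before acquiring the write lock is the detail that matters: without it a `Send` blocked on a full buffer would hold the read lock forever while `Close` waits for it, trading the panic for a deadlock.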

Question about consistency of results...

Great work. Enjoyed the presentation in the project showcase yesterday.

I ran
amass -d jemurai.com
and a more detailed command
amass -v -ip -brute -min-for-recursive 3 -d jemurai.com
and I got fewer results with the second command than the first. That surprised me. I didn't see anything in the second command that would suggest that it wouldn't check all of the same things and just add info about IPs, and do brute forcing.

I wonder if there is something in the tool that is different along these paths, or if it was something environmental. (Same laptop, 5 minutes apart) If environmental, I wonder if there is a way to know that the results are partial or if we just need to run it a few different times to ensure that we get full results.

om:go mk$ amass -d jemurai.com
www.jemurai.com
jemurai.com
jasp.jemurai.com
training.jemurai.com
feedback.jemurai.com
ctfd.jemurai.com
om:go mk$ amass -v -ip -brute -min-for-recursive 3 -d jemurai.com
[Brute Force]     feedback.jemurai.com,34.206.253.53
[CertSpotter]     ctfd.jemurai.com,52.22.145.207
[Forward DNS]     jemurai.com,34.195.173.235
[Brute Force]     training.jemurai.com,54.194.35.114

OWASP Amass v2.7.10                               https://github.com/OWASP/Amass
--------------------------------------------------------------------------------
4 names discovered - brute: 2, cert: 1, dns: 1
--------------------------------------------------------------------------------
ASN: 14618 - AMAZON-AES - Amazon.com, Inc., US
	34.192.0.0/12     	2    Subdomain Name(s)
	52.20.0.0/14      	1    Subdomain Name(s)
ASN: 16509 - AMAZON-02 - Amazon.com, Inc., US
	54.194.0.0/16     	1    Subdomain Name(s)
