An Introduction to OWASP Amass 4 - Part 4 - The CLI
The OWASP Amass project is an open-source, actively developed security tool with extensive community support that focuses on information gathering and reconnaissance. It helps security researchers and penetration testers discover and map the attack surface of their target networks by using a variety of data sources. Whether you are a penetration tester, an auditor, a security researcher or the CISO/IT manager, you have several valid reasons for mapping out the external attack surface of an organisation. This process is also referred to as reconnaissance or information gathering.
Version 4 is a major revision of Amass. If you are familiar with earlier versions then you will need to change your approach to understand how it is organized and how this "framework" works.
In this instalment in our series on OWASP Amass version 4 we focus on the installation (if necessary) of the command line interface (CLI) tool. This is part 4 of the series. Part 1 is an introduction to the Amass GitHub, Part 2 discusses the data model and the approach to configuration in your workflow, and Part 3 explains a Postgres database setup.
Installation
Some Linux distributions may already have the Amass Command Line Interface (CLI) tool installed (Kali, for example), or they may have it in their package management portfolios. In other cases you will need to install the Amass 4 CLI yourself. The Amass install guide can help you install the CLI on your system as well as identify which package management systems have updated versions.
A Word About Kali
The Kali distribution has the Amass CLI in its apt package manager but not the other components like the database (asset-db) or oam-tools. However, it is recommended to rebuild Amass on Kali as there have been reported problems with the prebuilt image that comes with the Kali Linux distribution.
If you have Amass pre-installed, or a supported package management system, then you can safely skip this step. If you do not, as on an Ubuntu system, then follow along as we start with a Go (AKA Golang) install and then install the Amass CLI.
Let's Get Going
I am going to install Amass from the ground up on an Ubuntu 20.04.6 LTS system. This system has no prerequisites installed and does not have Golang installed. If your system already has Golang installed you can safely skip this Golang install section.
We start by ensuring our system is up to date as a best practice.
┌──(user㉿kanga)-[~]
└─$ sudo apt-get update -y; sudo apt-get upgrade -y
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://ca.archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://ca.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://ca.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:5 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu focal InRelease
Hit:6 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
After this I am going to browse to https://go.dev/dl/ and check the latest version for my system. At the time of this writing this ends up being 1.22.4. Let's download this version and confirm the checksum against the SHA256 value listed on the download page.
┌──(user㉿kanga)-[~]
└─$ curl -OL https://go.dev/dl/go1.22.4.linux-amd64.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 75 100 75 0 0 348 0 --:--:-- --:--:-- --:--:-- 348
100 65.7M 100 65.7M 0 0 5743k 0 0:00:11 0:00:11 --:--:-- 6018k
┌──(user㉿kanga)-[~]
└─$ sha256sum go1.22.4.linux-amd64.tar.gz
ba79d4526102575196273416239cca418a651e049c2b099f3159db85e7bade7d go1.22.4.linux-amd64.tar.gz
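The checksum step above, as an added example (not from the original post or the Amass project): a small shell function that compares a file's SHA-256 with the value you supply and fails closed, so the extraction can be gated on it. The function name `verify_sha256` and the demo file are assumptions made for illustration, and the demo input is constructed.

```shell
#!/bin/sh
# Added example: fail-closed SHA-256 check for a downloaded archive.
# verify_sha256 FILE EXPECTED_HEX -> 0 match, 1 mismatch, 2 unusable input
verify_sha256() {
    file=$1
    # Normalise case so a value pasted in upper case still compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Reject a truncated or padded paste: it must be exactly 64 hex digits.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected value is not 64 hex digits" >&2; return 2
    fi
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2; return 2
    fi

    # Hash via stdin so the file name cannot alter sha256sum's output format.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"; return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo input (not the Go archive): an empty file, then one byte
# appended to stand in for a corrupted or tampered download.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
demo=$(mktemp)
verify_sha256 "$demo" "$EMPTY_SHA256"
printf 'x' >> "$demo"
verify_sha256 "$demo" "$EMPTY_SHA256" || echo "refusing to extract"
rm -f "$demo"

# Real use, gating the extraction step on the value shown for this file:
#   verify_sha256 go1.22.4.linux-amd64.tar.gz \
#     ba79d4526102575196273416239cca418a651e049c2b099f3159db85e7bade7d \
#     && sudo tar -C /usr/local -xvf go1.22.4.linux-amd64.tar.gz
```

Copy the expected value from the download page rather than from the output of `sha256sum` itself, otherwise the comparison proves nothing.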
With the checksum confirmed we can now extract the archive. Here, we are going to use the tar command and extract it in the recommended location /usr/local.
┌──(user㉿kanga)-[~]
└─$ sudo tar -C /usr/local -xvf go1.22.4.linux-amd64.tar.gz
Once extracted to /usr/local we need to add Golang to our path. So we add the following to our ~user/.profile or ~user/.bashrc or ~user/.zshrc, depending on the shell environment.
export PATH=$PATH:/usr/local/go/bin
Once we have updated the path with our favourite editor we need to refresh the shell. In my case I am using zsh, so make sure that you source the appropriate file for your shell.
┌──(user㉿kanga)-[~]
└─$ source .zshrc
Next, let's test to see if we can run Golang.
┌──(user㉿kanga)-[~]
└─$ go version
go version go1.22.4 linux/amd64
We now have Go installed and can move on to installing the OWASP Amass command line tool.
Install OWASP Amass CLI
With Golang installed we can now install the OWASP Amass CLI. The OWASP Amass CLI has an Install Guide which you can follow for a variety of install types including what we will follow here.
┌──(user㉿kanga)-[~]
└─$ cd
┌──(user㉿kanga)-[~]
└─$ go install -v github.com/owasp-amass/amass/v4/...@master
go: downloading github.com/owasp-amass/amass/v4 v4.2.0
go: downloading github.com/caffix/service v0.3.0
go: downloading github.com/owasp-amass/config v0.1.4
----------------8<------------------------------
This will create a go directory in your home directory, containing bin and pkg directories. Let's move the amass binary to our Golang bin directory.
┌──(user㉿kanga)-[~]
└─$ sudo mv go/bin/amass /usr/local/go/bin
Now we can test our install.
┌──(garth㉿kanga)-[~/go]
└─$ amass --version
v4.2.0
Amass is now installed and we can now move on to configuration.
Wrap Up
In this instalment we covered installing the Amass CLI tool on an Ubuntu server in the case where your system package management tool does not maintain it. In the next instalment we will discuss configuration using both the project and data source configuration files and how these can be used in your workflow.