An Introduction to OWASP Amass 4 - Part 8 - Reviewing Results
The OWASP Amass project is an open-source, actively developed security tool with extensive community support that focuses on information gathering and reconnaissance. It helps security researchers and penetration testers discover and map the attack surface of their target networks by using a variety of data sources. Whether you are a penetration tester, an auditor, a security researcher or the CISO/IT manager, you have several valid reasons for mapping out the external attack surface of an organisation. This process is also referred to as reconnaissance or information gathering.
Version 4 is a major revision of Amass. If you are familiar with earlier versions then you will need to change your approach to understand how it is organized and how this "framework" works.
In this instalment in our series on OWASP Amass version 4 we introduce the components of the ecosystem that allow us to view and analyze the assets discovered during enumeration. This is part 8 of the series.
Part 1 is an introduction to the Amass GitHub.
Part 2 discusses the data model and the approach to configuration in your workflow.
Part 3 explains a Postgres database setup.
Part 4 explains installation of the CLI tool.
Part 5 introduced configuration and included our first run of the amass enum command.
Part 6 looked at some issues with data sources.
Part 7 spent some quality time with in-depth enumeration details.
Overview
We have spent some time now configuring, enumerating, and considering how to work with the OWASP Amass ecosystem. Now it is time to look at some results. We need these results to identify possible shadow IT in our infrastructure, or perhaps we are conducting a pentest and used amass enum in the reconnaissance phase of the engagement. This post discusses how to view the results of the enumeration work we have performed so far and specifically looks at the oam_subs command line tool.
OAM Tools
As mentioned before, starting with version 4, OWASP Amass is now an "ecosystem". It is no longer a single command line tool that spits out the answer to life, the universe, and everything. It is now a collection, or framework, of tools. We have seen configuration to manage our workflow, a command line tool (amass) to collect information, and a database to store this information. We are now going to introduce OAM Tools to view and assess the collected data.
But what is OAM Tools?
OAM Tools is a suite of command line tools; we will cover the three that currently exist.
oam_subs, Analyze collected OAM assets
oam_track, Analyze collected OAM data to identify newly discovered assets
oam_viz, Analyze collected OAM data to generate files renderable as graph visualizations
But before we go any further, we need to install.
From Source or Local Build?
First, we need to install OAM Tools, as most Linux distributions do not package this component. OAM Tools resides in a GitHub repository in the OWASP Amass Project account at:
You have two choices before you. First, install directly from the repository using Go (Amass is written in Go, so if you have been following along you will already have a Go environment by now; otherwise you are just here for giggles). Second, do a "local install" (which still needs Go) by cloning the repository and building it.
The rest of this post will follow the former approach.
Assuming you do indeed have Go installed on your Amass system then to install all the OAM Tools execute the following simple command:
Once installation is complete the three binaries should be available in $GOPATH/bin. Here is an example from my system.
user@host:~# which oam_subs
/usr/local/go/bin/oam_subs
Using oam_subs
With OAM Tools installed we can now start to review some of our results from previous work. We will also continue to use the configuration file we established in a prior post, with the target scope, database, and data sources defined. Below we display the results of the enumeration. This retrieves all the details about our target domain from the database; it is a quick view of what has been found.
-config <path to our YAML configuration file>, identify a configuration file to use for scope and database details.
-show, Display all enumeration results
The results below indicate that 42 subdomains were discovered, along with their associated ASNs (Autonomous System Numbers).
user@host:/home/user/.config/amass# oam_subs -config amass-config-owasp.yaml -show
supporters.owasp.org
20thanniversary.owasp.org
groups.owasp.org
training-12.owasp.org
calendar.owasp.org
dev.owasp.org
genai.owasp.org
mail.owasp.org
name-virt-host.owasp.org
ocms.owasp.org
cornucopia.owasp.org
copi.owasp.org
scvs.owasp.org
secureflag.owasp.org
videos.owasp.org
blt.owasp.org
mas.owasp.org
lightning.owasp.org
cheatsheetseries.owasp.org
securecodingdojo.owasp.org
api.secureflag.owasp.org
asvs.owasp.org
members.owasp.org
calltobattle.owasp.org
www2.owasp.org
wiki.owasp.org
sl.owasp.org
admin.owasp.org
owasp.org
austin.owasp.org
projectexample.owasp.org
gapps.owasp.org
kerala.owasp.org
brainbreak.owasp.org
llm.owasp.org
training.owasp.org
contact.owasp.org
www.owasp.org
cloud.owasp.org
devsecops.owasp.org
crlabs.secureflag.owasp.org
lists.owasp.org

OAM Tool Suite v0.1.2
https://github.com/owasp-amass/oam-tools
--------------------------------------------------------------------------------
42 names discovered
--------------------------------------------------------------------------------
ASN: 13335 - CLOUDFLARENET - Cloudflare, Inc.
    104.22.16.0/20          76 Subdomain Name(s)
    172.67.0.0/16           38 Subdomain Name(s)
    2a06:98c1:3123::/48      7 Subdomain Name(s)
    2a06:98c1:3122::/48      7 Subdomain Name(s)
    2606:4700:10::/44      114 Subdomain Name(s)
ASN: 0 - Not routed
    188.114.96.0/22         22 Subdomain Name(s)
ASN: 16509 - AMAZON-02 - Amazon.com, Inc.
    18.67.32.0/21            8 Subdomain Name(s)
    52.208.0.0/13            1 Subdomain Name(s)
    52.48.0.0/14             1 Subdomain Name(s)
ASN: 14061 - DIGITALOCEAN-ASN - DigitalOcean, LLC
    2604:a880:800::/48       1 Subdomain Name(s)
    157.245.0.0/16           1 Subdomain Name(s)
If there is sensitive information that you do not want to share with an audience but you still want to show some kind of work, use the -demo parameter.
user@host:/home/user/.config/amass# oam_subs -config amass-config-owasp.yaml -show -demo
llm.xxxxx.xxx
mas.xxxxx.xxx
-----8<-------
OAM Tool Suite v0.1.2
https://github.com/owasp-amass/oam-tools
--------------------------------------------------------------------------------
42 names discovered
--------------------------------------------------------------------------------
ASN: xxxxx - xxxxxxxxxxxxx - xxxxxxxxxxx xxx.
    xxx.xx.xx.x/20          76 Subdomain Name(s)
    xxx.xx.x.x/16           38 Subdomain Name(s)
    xxxxxxxxxxxxxx/44      114 Subdomain Name(s)
If you are overwhelmed by the output, you can provide a parameter to view only a subset, such as -names to display only the discovered subdomain names. This can also be combined with the -demo flag.
user@host:/home/user/.config/amass# oam_subs -config amass-config-owasp.yaml -names
k3._domainkey.owasp.org
s1._domainkey.owasp.org
nac1.secureflag.owasp.org
mail.owasp.org
cornucopia.owasp.org
videos.owasp.org
-----8<------------------
And we can limit the output to the ASN (Autonomous System Number) table summary using -summary:
user@host:/home/user/.config/amass# oam_subs -config amass-config-owasp.yaml -summary
OAM Tool Suite v0.1.2
https://github.com/owasp-amass/oam-tools
--------------------------------------------------------------------------------
42 names discovered
--------------------------------------------------------------------------------
ASN: 13335 - CLOUDFLARENET - Cloudflare, Inc.
    104.22.16.0/20          76 Subdomain Name(s)
    2606:4700:10::/44      114 Subdomain Name(s)
    172.67.0.0/16           38 Subdomain Name(s)
    2a06:98c1:3122::/48      7 Subdomain Name(s)
    2a06:98c1:3123::/48      7 Subdomain Name(s)
ASN: 0 - Not routed
    188.114.96.0/22         22 Subdomain Name(s)
ASN: 14061 - DIGITALOCEAN-ASN - DigitalOcean, LLC
    2604:a880:800::/48       1 Subdomain Name(s)
    157.245.0.0/16           1 Subdomain Name(s)
ASN: 16509 - AMAZON-02 - Amazon.com, Inc.
    18.67.32.0/21            8 Subdomain Name(s)
    52.48.0.0/14             1 Subdomain Name(s)
    52.208.0.0/13            1 Subdomain Name(s)
We can add IP address information with -ip, -ipv4, and -ipv6 to show all IPs, only IPv4 addresses, or only IPv6 addresses respectively. These can be combined with -show, -names, or -summary.
user@host:/home/user/.config/amass# oam_subs -config amass-config-owasp.yaml -ipv4 -show
cloud.owasp.org 157.245.12.71
dev.owasp.org 104.22.27.77,188.114.98.233,172.67.10.39,188.114.99.233,104.22.26.77
asvs.owasp.org 104.22.26.77,172.67.10.39,104.22.27.77
secureflag.owasp.org 18.67.39.41,18.67.39.56,18.67.39.88,18.67.39.107
lists.owasp.org 188.114.98.233,104.22.26.77,104.22.27.77,172.67.10.39,188.114.99.233
-------8<--------------
Finally, -o <filename> writes any of the above STDOUT/STDERR output to a file of our choosing, which is great for passing the data to other tools. Do not forget to add the parameters that select which data you want written to the file. We can combine this with -silent to suppress output to STDOUT.
user@host:/home/user/.config/amass# oam_subs -config amass-config-owasp.yaml -o ./somefile -silent -show
user@host:/home/user/.config/amass# cat somefile
supporters.owasp.org
ocms.owasp.org
contact.owasp.org
sl.owasp.org
wiki.owasp.org
llm.owasp.org
cheatsheetseries.owasp.org
-----------8<---------------------
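Once the data is in a file, the obvious next step is to let another tool consume it. The following is an added example, written for this post and not part of the OAM Tools project, showing one such consumer in Python: it parses text in the shape of the -summary output and the -ipv4 -show output above and flags any name whose address falls outside a set of approved ASNs, which is exactly the kind of check that surfaces possible shadow IT. The two sample inputs are constructed from the output shown in this post, the column spacing of the real tool is assumed (the parser tolerates any mix of spaces and tabs), and the approved ASN set is a placeholder policy you would replace with your organisation's own providers.

```python
"""Post-process oam_subs output saved with -o to spot names hosted outside
approved providers. Added example; not part of OAM Tools."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `oam_subs -config ... -summary` output.
# The indentation of the real tool is assumed; banner lines are kept on
# purpose so the parser has to skip them.
SUMMARY_OUTPUT = """\
OAM Tool Suite v0.1.2
https://github.com/owasp-amass/oam-tools
--------------------------------------------------------------------------------
42 names discovered
--------------------------------------------------------------------------------
ASN: 13335 - CLOUDFLARENET - Cloudflare, Inc.
    104.22.16.0/20          76 Subdomain Name(s)
    2606:4700:10::/44      114 Subdomain Name(s)
    172.67.0.0/16           38 Subdomain Name(s)
ASN: 0 - Not routed
    188.114.96.0/22         22 Subdomain Name(s)
ASN: 14061 - DIGITALOCEAN-ASN - DigitalOcean, LLC
    157.245.0.0/16           1 Subdomain Name(s)
ASN: 16509 - AMAZON-02 - Amazon.com, Inc.
    18.67.32.0/21            8 Subdomain Name(s)
"""

# Constructed sample in the shape of `oam_subs -config ... -ipv4 -show` output:
# one name per line followed by a comma-separated address list.
SHOW_OUTPUT = """\
cloud.owasp.org 157.245.12.71
dev.owasp.org 104.22.27.77,188.114.98.233,172.67.10.39
asvs.owasp.org 104.22.26.77,172.67.10.39,104.22.27.77
secureflag.owasp.org 18.67.39.41,18.67.39.56
"""

ASN_RE = re.compile(r"^ASN:\s*(\d+)\s*-\s*(.*)$")
CIDR_RE = re.compile(r"^\s*(\S+/\d{1,3})\s+(\d+)\s+Subdomain Name\(s\)")


def parse_summary(text):
    """Return [(network, asn, description)] from -summary text; banner lines are skipped."""
    blocks = []
    asn = desc = None
    for line in text.splitlines():
        m = ASN_RE.match(line)
        if m:  # new ASN heading; following CIDR rows belong to it
            asn, desc = int(m.group(1)), m.group(2).strip()
            continue
        m = CIDR_RE.match(line)
        if m and asn is not None:
            blocks.append((ipaddress.ip_network(m.group(1), strict=False), asn, desc))
    return blocks


def parse_show(text):
    """Return {name: [ip_address, ...]} from -show text produced with -ip/-ipv4/-ipv6."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ips = []
        for token in parts[1].split(","):
            try:
                ips.append(ipaddress.ip_address(token))
            except ValueError:  # banner or ASN-table line, not an address list
                pass
        if ips:
            hosts[parts[0]] = ips
    return hosts


def asn_for(ip, blocks):
    """Longest-prefix match of ip against the summary blocks; None if nothing covers it."""
    best = None
    for net, asn, desc in blocks:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn, desc)
    return best


def flag_unexpected(hosts, blocks, approved_asns):
    """Return {name: [(ip, asn_or_None)]} for names with an address outside approved_asns.

    ASN 0 ("Not routed") and uncovered addresses (None) only pass if listed explicitly.
    """
    flagged = defaultdict(list)
    for name, ips in hosts.items():
        for ip in ips:
            hit = asn_for(ip, blocks)
            asn = hit[1] if hit else None
            if asn not in approved_asns:
                flagged[name].append((str(ip), asn))
    return dict(flagged)


if __name__ == "__main__":
    # Placeholder policy: the providers your organisation expects to host its assets.
    APPROVED = {13335, 16509}
    results = flag_unexpected(parse_show(SHOW_OUTPUT), parse_summary(SUMMARY_OUTPUT), APPROVED)
    for name, hits in sorted(results.items()):
        for ip, asn in hits:
            print(f"{name}\t{ip}\tASN {asn if asn is not None else 'unknown'}")
```

In practice you would replace the two embedded strings with the contents of files written by oam_subs -summary -o and oam_subs -ipv4 -show -o. With the placeholder policy above, cloud.owasp.org (DigitalOcean, ASN 14061) and dev.owasp.org (one address in the "Not routed" block, ASN 0) are reported, while names that resolve only into the Cloudflare and Amazon ranges are not.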
Read the Fine Manual
The OAM Tools repository has some documentation that is worth your while to review. There is a User’s Guide that lists all the options and a more Comprehensive Guide that goes into more detail.
Wrap Up
In this instalment we introduced the OAM Tools GitHub repository, showed how to install all the tools within it, and specifically looked at using oam_subs to extract asset information from the database populated by a prior enumeration. As in prior posts, we used the configuration file as part of our workflow.