OWASP Amass is another powerful utility for reconnaissance and attack-surface mapping, used by many pen testers and bug bounty hunters. It allows you to brute-force domains, conduct open-source exploration, visualize search results as a graph, and much more.
Netlas has been integrated into Amass for a long time as one of the additional data sources for subdomain search, and in this article I will briefly describe how to install and configure OWASP Amass so that it uses Netlas search results.
There are many ways to install Amass: download a pre-built package, use Docker or Homebrew, and others. They are described in detail in the official repository of the utility. In this guide I will describe only one installation method: the pre-built package.
Installing with pre-built package
- The first step in the installation is to download the package itself. Go to the OWASP Amass repository and open the latest release. Find the version that suits you and download the appropriate archive;
- Next, you need to unpack the downloaded archive into the folder where you want to launch Amass;
- Update PATH to be able to run the utility with the “amass” command. This is also required if you want to use the script, which will be described at the end of this article;
- After that, run the utility. The first time you call any function, Amass automatically creates the directory “amass” in the “$HOME/.config” path, in which you will need to place the configuration file. We will return to it.
Configuration for using Netlas module
Once Amass has been installed, it must be configured to get results from the Netlas API. This requires several steps:
- Make sure you have a “$HOME/.config/amass” folder;
- Go to the directory where you have the utility executable file. There, open the “examples” folder. It contains config.ini. This is the file we need;
- Copy the configuration file to “$HOME/.config/amass”, then open it;
- To use Netlas searches, you need to find the field for its API key, enter your key and then uncomment the corresponding block. The image below shows what changes have been made.
This completes the setup of the configuration file. You can also activate other tools in it if you have the necessary accounts, set up allowed and prohibited sources, and so on, but this is beyond the scope of this article.
Before starting work with Amass, it is worth checking whether the Netlas module has been activated. To do this, enter the command “amass enum -list”. In the resulting list, find Netlas and make sure that there is an “*” next to it.
Unfortunately, Netlas is now integrated into Amass only at the subdomain search level, so we will only work with the enum function.
This subcommand has a large number of settings that allow it to be used in combination with other tools. For example, you can use Netlas scripts to conduct reconnaissance, and then add the results to the exclusion file so that Amass removes them from its search and thus complements the existing perimeter. At the end of the “Using” block, I will give a few more examples of such a combination of tools, but now I propose to consider the use of the enum command step by step.
1. Let’s start with a simple output of subdomains. To do this, use the command “amass enum -d target.com”, where “target.com” is the target domain.
You can see that a certain number of subdomains have been displayed. However, this is a rather long process, since by default Amass searches for subdomains using active methods. Let’s try to speed up the output by including the configuration file created in the previous paragraph. This will allow the utility to receive data from Netlas, which will reduce the dependence on active scanning.
2. To do this, use the following command: “./amass enum -d target.com -config ~/.config/amass/config.ini”. This will make the utility work in accordance with the created configuration file, where we have already connected the Netlas module;
3. To make sure the utility really works faster, I will set a timer. After that, let’s compare how many subdomains we managed to find in five minutes using exclusively active methods versus combined active and passive methods.
The first method managed to discover 43 subdomains in 5 minutes.
The second one found 102 subdomains in the same time.
4. So, we have confirmed that combining the active methods of Amass with passive sources, including the Netlas API, makes the search faster. Next, I propose to consider the use of some flags that will allow you to add elements of automation.
To conduct semi-automatic reconnaissance, we will use the following procedure:
- According to the guide from the “Fast One-Shot Passive Recon Script with Netlas.io” article, we collect the root objects belonging to the target company;
- Next, the file with root domains is passed to Amass via the -df flag, after which it finds subdomains using all connected sources;
- Using the viz subcommand, we build a graph from the found objects. This will allow us to visualize the results obtained.
As a result, we get a large set of domain names found by Amass with Netlas module and a graph showing the perimeter.
The .sh file that performs these steps will be posted in the Netlas repository.
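As an added example (not the script from the Netlas repository, and not part of the original article), the following POSIX shell script wires the procedure above together and also performs the configuration check mentioned earlier: it parses config.ini to confirm that the Netlas block is uncommented and carries a key before running enum on a root-domain file and building a D3 graph with viz. It assumes the Amass v3 INI layout, where the key lives under “[data_sources.Netlas.Credentials]” as “apikey = …”, and the v3 enum/viz flags -df, -config, -o, -timeout and -d3.

```shell
#!/bin/sh
# Added example: checks that the Netlas block in an Amass v3 config.ini is
# active and keyed, then runs the enum + viz pipeline on a root-domain file.
# Assumption: v3 example layout "[data_sources.Netlas]" followed by
# "[data_sources.Netlas.Credentials]" and "apikey = <value>".

# netlas_enabled CONFIG -> returns 0 when an uncommented Netlas credentials
# section exists and its apikey value is non-empty, 1 otherwise.
netlas_enabled() {
    awk '
        /^[[:space:]]*#/  { next }                 # commented-out lines do not count
        /^[[:space:]]*\[/ { section = $0; next }   # remember the current [section]
        section ~ /^\[data_sources\.Netlas\.Credentials\]/ && /^[[:space:]]*apikey[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")         # keep only the value after "="
            if (length($0) > 0) { found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# recon ROOTS_FILE OUTDIR: subdomain enumeration from the collected root
# domains, then a D3 graph of the result; prints the number of names found.
recon() {
    roots="$1"; out="$2"
    cfg="${AMASS_CONFIG:-$HOME/.config/amass/config.ini}"
    if ! netlas_enabled "$cfg"; then
        echo "Netlas is not enabled in $cfg (see the configuration section)" >&2
        return 1
    fi
    mkdir -p "$out"
    # -timeout is in minutes; five minutes matches the comparison in the article
    amass enum -df "$roots" -config "$cfg" -o "$out/subdomains.txt" -timeout "${TIMEOUT_MIN:-5}"
    amass viz -d3 -df "$roots" -config "$cfg" -o "$out"
    wc -l < "$out/subdomains.txt"
}

# Usage: [AMASS_CONFIG=path] [TIMEOUT_MIN=n] ./recon.sh roots.txt ./recon-out
if [ $# -ge 2 ]; then recon "$1" "$2"; fi
```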
Let’s test this combination of tools on a real target.
Here are the results of running the script on the domain names collected by Netlas. Amass discovered 786 domains associated with the target, after which it built a graph that is quite convenient to work with. This script can be modified further. For example, you can add downloading HTTP/HTTPS responses using Netlas, output the graph in other formats, or run other Amass subcommands, such as intel. This will create a powerful harvester that carries out almost complete recon.
With OWASP Amass, you can efficiently conduct reconnaissance, visualize exploration results, and compare scans over different periods to understand the dynamics of change. The ability to combine active and passive search methods is an undoubted advantage of the utility, and the Netlas module that is integrated into it somewhat increases the chances that not a single object of interest to you will go unnoticed.
As always, I wish you happy hacking!