owasp-amass / amass

In-depth attack surface mapping and asset discovery
https://owasp.org/www-project-amass/

amass not find subdomains #108

Closed lacroutelacroute closed 5 years ago

lacroutelacroute commented 5 years ago

amass installed with snap

```
:~$ amass

    .+++:.            :                             .+++.
  +W@@@@@@8        &+W@#               o8W8:      +W@@@@@@#.   oW@@@W#+
 &@#+   .o@##.    .@@@o@W.o@@o       :@@#&W8o    .@#:  .:oW+  .@#+++&#&
+@&        &@&     #@8 +@W@&8@+     :@W.   +@8   +@:          .@8
8@          @@     8@o  8@8  WW    .@W      W@+  .@W.          o@#:
WW          &@o    &@:  o@+  o@+   #@.      8@o   +W@#+.        +W@8:
#@          :@W    &@+  &@+   @8  :@o       o@o     oW@@W+        oW@8
o@+          @@&   &@+  &@+   #@  &@.      .W@W       .+#@&         o@W.
 WW         +@W@8. &@+  :&    o@+ #@      :@W&@&         &@:  ..     :@o
 :@W:      o@# +Wo &@+        :W: +@W&o++o@W. &@&  8@#o+&@W.  #@:    o@+
  :W@@WWWW@@8       +              :&W@@@@&    &W  .o#@@W&.   :W@WWW@@&
    +o&&&&+.                                                    +oooo.

                                                           Version 2.9.2
                                    Authored By Jeff Foley - @jeff_foley
                            In-Depth DNS Enumeration and Network Mapping

Usage: amass [options] <-d domain>
  -active                 Attempt zone transfers and certificate name grabs
  -bl value               Blacklist of subdomain names that will not be investigated
  -blf string             Path to a file providing blacklisted subdomains
  -brute                  Execute brute forcing after searches
  -config string          Path to the INI configuration file. Additional details below
  -d value                Domain names separated by commas (can be used multiple times)
  -df string              Path to a file providing root domain names
  -do string              Path to data operations output file
  -ef string              Path to a file providing data sources to exclude
  -exclude value          Data source names separated by commas to be excluded
  -h                      Show the program usage message
  -if string              Path to a file providing data sources to include
  -include value          Data source names separated by commas to be included
  -include-unresolvable   Output DNS names that did not resolve
  -ip                     Show the IP addresses for discovered names
  -json string            Path to the JSON output file
  -list                   Print the names of all available data sources
  -log string             Path to the log file where errors will be written
  -min-for-recursive int  Number of subdomain discoveries before recursive brute forcing
  -noalts                 Disable generation of altered names
  -norecursive            Turn off recursive brute forcing
  -o string               Path to the text output file
  -oA string              Path prefix used for naming all output files
  -p value                Ports separated by commas (default: 443)
  -passive                Disable DNS resolution of names and dependent features
  -r value                IP addresses of preferred DNS resolvers (can be used multiple times)
  -rf string              Path to a file providing preferred DNS resolvers
  -src                    Print data sources for the discovered names
  -version                Print the version number of this amass binary
  -w string               Path to a different wordlist file

An example configuration file can be found here: https://github.com/OWASP/Amass/blob/master/examples/amass_config.ini
```

```
:~$ amass -version
version 2.9.2
```

```
:~$ amass -o out.txt -p 80,8080,443 -d google.com
Average DNS queries performed: 1024/sec, DNS names remaining: 287512
Average DNS queries performed: 907/sec, DNS names remaining: 285768
Average DNS queries performed: 1305/sec, DNS names remaining: 265069
Average DNS queries performed: 1370/sec, DNS names remaining: 246626
Average DNS queries performed: 1395/sec, DNS names remaining: 228239
Average DNS queries performed: 1389/sec, DNS names remaining: 208891
Average DNS queries performed: 1387/sec, DNS names remaining: 190272
Average DNS queries performed: 1375/sec, DNS names remaining: 170626
Average DNS queries performed: 1401/sec, DNS names remaining: 150079
```

without result none

lacroutelacroute commented 5 years ago

other test

```
:~$ amass -d doctorlan.com
Average DNS queries performed: 6/sec, DNS names remaining: 1
Average DNS queries performed: 1/sec, DNS names remaining: 1
No names were discovered
```

caffix commented 5 years ago

Thank you, @lacroutelacroute! Today, we discovered a bug in the new graph database handler. If the directory where you are executing the enumerations has a subdirectory named '.amass', delete it. Then get the updated version 2.9.2 and try again.

lacroutelacroute commented 5 years ago

Works fine.

sumgr0 commented 5 years ago

Hi,

I've been experiencing the same bug in amass version 2.9.3 running on Kali Linux 2019.01 for the past 2 days now. Can anyone confirm this to be working?

Thanks

caffix commented 5 years ago

The bug has been fixed in version 2.9.3, but if you share more details regarding how Amass is being used, I'll be happy to help.

sumgr0 commented 5 years ago

Not sure what caused the problem... was getting similar output to:

```
amass -d target.com
Average DNS queries performed: 6/sec, DNS names remaining: 1
Average DNS queries performed: 1/sec, DNS names remaining: 1
No names were discovered
```

But it seems to have sorted itself out.

lacroutelacroute commented 5 years ago

For me it works fine:

```
:~$ amass -version
version 2.9.3
```

sumgr0 commented 5 years ago

I'm trying to run a bunch of domain names against amass using the script on my Kali 2019.01 VM using Virtualbox on Mac as host:

```
╰─➤ cat targets.lst | while read host; do file=$host && file+="_amass.out"; ~/go/bin/amass -o $file -d $host; done
```

But it results in the below error message:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x5281b7]

goroutine 183 [running]:
regexp.(*Regexp).allMatches(0x0, 0xc00003e690, 0x68, 0x0, 0x0, 0x0, 0x69, 0xc00c8bde10)
	/usr/lib/go-1.11/src/regexp/regexp.go:692 +0x127
regexp.(*Regexp).FindAllString(0x0, 0xc00003e690, 0x68, 0xffffffffffffffff, 0x0, 0x0, 0x0)
	/usr/lib/go-1.11/src/regexp/regexp.go:1033 +0xba
github.com/OWASP/Amass/amass/sources.(*PTRArchive).executeQuery(0xc002f92000, 0xc000034200, 0x8)
	/root/go/src/github.com/OWASP/Amass/amass/sources/ptrarchive.go:53 +0x137
github.com/OWASP/Amass/amass/sources.(*PTRArchive).startRootDomains(0xc002f92000)
	/root/go/src/github.com/OWASP/Amass/amass/sources/ptrarchive.go:39 +0x83
created by github.com/OWASP/Amass/amass/sources.(*PTRArchive).OnStart
	/root/go/src/github.com/OWASP/Amass/amass/sources/ptrarchive.go:32 +0x41
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x5281b7]

goroutine 152 [running]:
regexp.(*Regexp).allMatches(0x0, 0xc00e548000, 0x2cf3, 0x0, 0x0, 0x0, 0x2cf4, 0xc00c87fe18)
	/usr/lib/go-1.11/src/regexp/regexp.go:692 +0x127
regexp.(*Regexp).FindAllString(0x0, 0xc00e548000, 0x2cf3, 0xffffffffffffffff, 0x0, 0x0, 0x0)
	/usr/lib/go-1.11/src/regexp/regexp.go:1033 +0xba
github.com/OWASP/Amass/amass/sources.(*BufferOver).executeQuery(0xc000160120, 0xc000034167, 0x7)
	/root/go/src/github.com/OWASP/Amass/amass/sources/bufferover.go:53 +0x137
github.com/OWASP/Amass/amass/sources.(*BufferOver).startRootDomains(0xc000160120)
	/root/go/src/github.com/OWASP/Amass/amass/sources/bufferover.go:39 +0x83
created by github.com/OWASP/Amass/amass/sources.(*BufferOver).OnStart
	/root/go/src/github.com/OWASP/Amass/amass/sources/bufferover.go:32 +0x41
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x5281b7]
```

Any solutions to resolve this...

caffix commented 5 years ago

Would be interesting to see what domain names were provided to amass, but I'll add some additional checks for domain names.

sumgr0 commented 5 years ago

The domain names were: ford.com starbucks.com mastercard.com
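The trace above is a nil `*regexp.Regexp` being dereferenced inside a data source's `executeQuery` (receiver `0x0` in `FindAllString`), and caffix's reply points at the remedy: validate the root domain before a source ever builds its pattern. The Go block below is an added example of that guard, not Amass's own code; `rootDomainRe`, `subdomainRegex`, `source`, `newSource` and `executeQuery` are hypothetical stand-ins, and the idea that a malformed line (such as a trailing carriage return from a CRLF-terminated targets file) is what produced the nil pattern is an assumption, not something the thread confirms.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rootDomainRe accepts only plausible root domains (dot-separated labels of letters, digits
// and hyphens); a trailing "\r", a stray space or an empty line fail it. Constructed rule.
var rootDomainRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$`)

// subdomainRegex returns a pattern matching names under root, or nil when root is unusable.
// A nil *regexp.Regexp later handed to FindAllString is the nil-receiver crash in the trace.
func subdomainRegex(root string) *regexp.Regexp {
	root = strings.ToLower(root)
	if !rootDomainRe.MatchString(root) {
		return nil
	}
	return regexp.MustCompile(`(?i)(([a-z0-9]+[-a-z0-9]*)\.)+` + regexp.QuoteMeta(root))
}

// source models one data source holding its precompiled pattern (hypothetical type).
type source struct{ re *regexp.Regexp }

// newSource validates the domain up front, so a nil pattern never reaches a query.
func newSource(domain string) (*source, error) {
	re := subdomainRegex(domain)
	if re == nil {
		return nil, fmt.Errorf("invalid root domain %q", domain)
	}
	return &source{re: re}, nil
}

// executeQuery extracts names from fetched page text; the nil guard is the check the
// crashing code path lacked, so a bad source degrades to "no names" instead of a panic.
func (s *source) executeQuery(page string) []string {
	if s == nil || s.re == nil {
		return nil
	}
	return s.re.FindAllString(page, -1)
}

func main() {
	s, err := newSource("example.com")
	fmt.Println(s.executeQuery("see www.example.com and api.dev.example.com"), err) // constructed input
	_, err = newSource("example.com\r") // a CRLF-terminated line read from a targets file
	fmt.Println("rejected:", err)
}
```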