Amass will never ends, trying to indefinitely detect the same prefix recursively

[phackt]

Hello, i would like to know if i am missing something with amass tool.

Command:

amass enum -src -brute -w longlist.txt -d netflix.com

I got this kind of log: [ThreatCrowd] ttl60a.prod.ftl.netflix.com [... OSINT PART ...]

Then:
[Brute Forcing] 01-09-2017.ttl60a.prod.ftl.netflix.com ... [Brute Forcing] 01-09-2017.01-09-2017.ttl60a.prod.ftl.netflix.com ... [Brute Forcing] 01-09-2017.01-09-2017.01-09-2017.ttl60a.prod.ftl.netflix.com ... [Brute Forcing] 01-09-2017.01-09-2017.01-09-2017.01-09-2017.ttl60a.prod.ftl.netflix.com

And so on. So my questions are:

• do we have to understand that also the subdomains found thanks to OSINT are bruteforced ? (i think it s pretty clear here)
• what about all of these fqdn which resolve the same ip: 01-09-2017.ttl60a.prod.ftl.netflix.com has address 201.156.180.74.

I think this case is tough because if you try to do some wildcard detection, ex whatever.01-09-2017.ttl60a.prod.ftl.netflix.com, you will have no resolution. However here a working prefix (01-09-2017) will indefinitely provides the same result and Amass will never ends (because it won't fall in Amass wildcard detection).

May be we can detect this kind of situation dealing with a recursion always involving the same prefix, or at least how to stop the recursion when discovering subdomains in this case ?

Thanks again for your work, open for the discussion.

Regards,

[caffix]

@phackt Did the new wildcard detection feature help with your specific situation?