search

owasp-amass / amass

In-depth attack surface mapping and asset discovery
https://owasp.org/www-project-amass/
Other
12.07k stars 1.88k forks source link

Docker certs #245

Closed lmeyerov closed 4 years ago

lmeyerov commented 5 years ago

When I run a command through Docker (:latest), I see a bunch of x509: certificate signed by unknown authority: 

08:00:33.192933 DNSDumpster: The POST request failed: Post https://dnsdumpster.com/: x509: certificate signed by unknown authority
0
...
08:01:53.192937 Data Manager: Gremlin TinkerPop Handler failed to insert infrastructure data: x509: certificate signed by unknown authority
08:01:53.192944 Gremlin TinkerPop Handler failed to insert AAAA record: x509: certificate signed by unknown authority

Yet when run directly (via snap install) on the same command, it works.

Repros:

Docker

docker run -v /home/ubuntu/graphistry/.notebooks/amass/data:/amass/ caffix/amass:latest enum -src -log /amass/zz.err.log

Snap

 amass enum -config data/config.ini -src -log err.log

config.ini:

#mode = passive
maximum_dns_queries = 1000

[domains]
domain = graphistry.com

[resolvers]
resolver = 1.1.1.1 ; Cloudflare
resolver = 8.8.8.8 ; Google
resolver = 64.6.64.6 ; Verisign
resolver = 74.82.42.42 ; Hurricane Electric
resolver = 1.0.0.1 ; Cloudflare Secondary
resolver = 8.8.4.4 ; Google Secondary
resolver = 9.9.9.10 ; Quad9 Secondary
resolver = 64.6.65.6 ; Verisign Secondary
resolver = 77.88.8.1 ; Yandex.DNS Secondary

[gremlin]
url = wss://zzzz.gremlin.cosmos.azure.com:443/
username = /dbs/zzz-test-db/colls/zzzz-test-graph
password = yyyy==

Some googling suggests this may be some funny docker alpine / go issue, but pretty unclear.

VltraHeaven commented 5 years ago

First try passing your config file to the Amass container to see if you get a different result. Since Amass automatically looks for the config file within the database directory specified with the -dir flag, you can put your config file in /home/ubuntu/graphistry/.notebooks/amass/data on your host and adjust your docker one-liner to look something like this...

$ cp config.ini /home/ubuntu/graphistry/.notebooks/amass/data
$ docker run -v /home/ubuntu/graphistry/.notebooks/amass/data:/amass/ caffix/amass:latest enum -dir /amass -src -log /amass/zz.err.log

You can also take it a step further if you think there is something wrong with the container image and use docker to build a fresh container on your host machine.

$ cd ~/Amass
$ docker build -t amass-local .
$ cp config.ini /home/ubuntu/graphistry/.notebooks/amass/data
$ docker run -v /home/ubuntu/graphistry/.notebooks/amass/data:/amass/ amass-local  enum -dir /amass -src -log /amass/zz.err.log
lmeyerov commented 5 years ago

Pass 1: re:config, yep, it was already there

Pass 2: fresh container, I was using the one on dockerhub, just cleaned and reran:

docker ps -a | awk '{ print $1,$2 }' | grep amass | awk '{print $1 }' | xargs -I {} docker rm {}
docker image rm caffix/amass
docker run -v /home/ubuntu/graphistry/.notebooks/amass/data:/amass/ caffix/amass:latest enum -config /amass/config.ini -src -log /amass/zz.err.log

Same thing

Happy to try an older tag, tho looks like all from same day on https://hub.docker.com/r/caffix/amass/tags

caffix commented 5 years ago

Has this problem been fixed for you in Amass v3.1.6?

lmeyerov commented 5 years ago

We've been slammed with a few things -- will check next time we're on this stuff (1-2w?), lmk if would be useful to prioritize higher