owasp-amass / amass

In-depth attack surface mapping and asset discovery
https://owasp.org/www-project-amass/

Amass passive for subdomain discovery doesn't work as expected. #939

Open nil0x42 opened 11 months ago

nil0x42 commented 11 months ago

Hi! Since release v4.0.3, amass doesn't work as expected when using passive mode only.

Amass passive

Get subdomains for tesla.com:

amass enum -passive -config ./config.yaml -dir /tmp -d tesla.com -o /tmp/out

Since the latest release, amass alerts that output domains are no longer displayed, and that amass db must be used to extract them:

Passive mode does not generate output during the enumeration
Obtain your list of FQDNs using the following command:
amass db -names -d tesla.com

So I tried this command:

amass db -dir /tmp -names -d tesla.com

And got:

No names were discovered

Therefore, if I inspect the contents of amass.sqlite with SQLite Browser, I can see that assets were correctly gathered.

Temporary workaround:

For now I am using this workaround to get the list of subdomains:

sqlite3 -readonly /tmp/amass.sqlite "select json_extract(content, '$.name') from assets where type='FQDN';" > /tmp/out

But of course, one would expect amass to be able to extract the domains by itself; I think it's a bug.
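A small Python version of the sqlite3 workaround above, added here as an example and not part of the issue or of the Amass project: it reads the assets table, keeps the FQDN rows whose name is the target domain or a subdomain of it (the raw query returns every FQDN in the database, whatever domain it belongs to), de-duplicates, and writes a file the way -o would. The in-memory table it builds is constructed for the demo and mirrors only the columns the workaround uses; a real amass.sqlite has more tables and columns.

```python
import json
import sqlite3

# Constructed sample rows mirroring the assets table used by the workaround:
# a type column plus a JSON content column carrying the FQDN under "name".
SAMPLE_ROWS = [
    ("FQDN", {"name": "www.tesla.com"}),
    ("FQDN", {"name": "api.tesla.com"}),
    ("FQDN", {"name": "www.tesla.com"}),        # duplicate row
    ("FQDN", {"name": "cdn.notesla.com"}),       # shares a suffix but is out of scope
    ("FQDN", {"name": "tesla.com"}),             # the apex domain itself
    ("IPAddress", {"address": "192.0.2.10"}),   # non-FQDN asset, ignored
]

def build_sample_db() -> sqlite3.Connection:
    """Assumed minimal schema for the demo (real amass.sqlite has more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (type TEXT, content TEXT)")
    conn.executemany(
        "INSERT INTO assets (type, content) VALUES (?, ?)",
        [(t, json.dumps(c)) for t, c in SAMPLE_ROWS],
    )
    conn.commit()
    return conn

def in_scope(name: str, domain: str) -> bool:
    """True if name is the apex domain or a subdomain of it (checks the label boundary)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def fqdns_for_domain(conn: sqlite3.Connection, domain: str) -> list[str]:
    """Same selection as the workaround, with the JSON decoded in Python
    (equivalent to json_extract(content, '$.name') but independent of JSON1)."""
    names = set()
    for (content,) in conn.execute("SELECT content FROM assets WHERE type = 'FQDN'"):
        try:
            name = json.loads(content).get("name")
        except (ValueError, AttributeError):
            continue                       # skip malformed rows instead of aborting
        if name and in_scope(name, domain):
            names.add(name.lower().rstrip("."))
    return sorted(names)

def write_names(db_path: str, domain: str, out_path: str) -> int:
    """Read an existing amass.sqlite read-only and write the scoped name list."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        names = fqdns_for_domain(conn, domain)
    finally:
        conn.close()
    with open(out_path, "w") as fh:
        fh.write("".join(n + "\n" for n in names))
    return len(names)
```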

caffix commented 11 months ago

I have a few thoughts to share in response to your questions:

1) Does your config.yaml include anything that could be preventing amass from reaching your database?
2) I'm so happy to see you accessing the database directly using SQL, since we will eventually discontinue support for the db subcommand and create separate tooling for obtaining/analyzing the collected data.
3) The names are printed as expected for me using v4.0.3 when amass can reach the database containing the collected information.

mydeadlyvenoms commented 11 months ago

Same issue here (using Amass within Docker and natively on macOS) without setting -config. Currently the mentioned workaround seems to be the only way to extract the list of subdomains.

caffix commented 11 months ago

Personally, I would have your containerized Amass instances insert the discovered assets into a central PostgreSQL database that can be easily accessed during and after the enumeration process.

g0ldencybersec commented 11 months ago

This is still an issue. I have had this exact issue for a while. I was told in the Discord to update amass to the current version and it is still an issue. It seems odd that there can't just be an option to output the data to stdout or a file in passive mode...