
Amass passive for subdomain discovery doesn't work as expected.

Open nil0x42 opened this issue 2 years ago • 4 comments

Hi! Since release v4.0.3, amass doesn't work as expected when using passive mode only.

Amass passive

Get subdomains for tesla.com:

amass enum -passive -config ./config.yaml -dir /tmp -d tesla.com -o /tmp/out

Since the latest release, amass alerts that output domains are no longer displayed, and that amass db must be used to extract them:

Passive mode does not generate output during the enumeration
        Obtain your list of FQDNs using the following command:
        amass db -names -d tesla.com

So I tried this command:

amass db -dir /tmp -names -d tesla.com

And got:

No names were discovered

Therefore, if I inspect the contents of amass.sqlite with Sqlite Browser, I can see that assets were correctly gathered.

Temporary workaround:

For now, I am using this workaround to get the list of subdomains:

sqlite3 -readonly /tmp/amass.sqlite "select json_extract(content, '$.name') from assets where type='FQDN';" > /tmp/out

But of course, one would expect amass to be able to extract the domains by itself; I think it's a bug.

nil0x42 avatar Jul 24 '23 14:07 nil0x42
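
The workaround query in the post above returns every FQDN stored in the database, whatever domain it was collected for. The following is an added example, not code from the issue or from the Amass project: it reads the same `assets` rows but scopes the result to one domain, de-duplicates it and skips damaged rows. It assumes only what the workaround query shows (an `assets` table with `type` and `content` columns); the in-memory sample database and its rows are constructed.

```python
import json
import sqlite3


def fqdns_for_domain(conn, domain):
    """Return sorted, de-duplicated FQDNs in the assets table that fall under domain."""
    domain = domain.lower().rstrip(".")
    names = set()
    # Only 'assets', 'type' and 'content' are taken from the workaround query.
    rows = conn.execute("SELECT content FROM assets WHERE type = 'FQDN'")
    for (content,) in rows:
        try:
            name = json.loads(content).get("name")
        except (TypeError, ValueError, AttributeError):
            continue  # skip rows whose content is not a JSON object
        if not isinstance(name, str):
            continue
        name = name.lower().rstrip(".")
        # Match on a label boundary so "nottesla.com" is not reported for "tesla.com".
        if name == domain or name.endswith("." + domain):
            names.add(name)
    return sorted(names)


def build_sample_db():
    """Constructed in-memory stand-in for amass.sqlite (schema reduced to the queried columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, type TEXT, content TEXT)")
    sample = [
        ("FQDN", '{"name": "tesla.com"}'),
        ("FQDN", '{"name": "shop.tesla.com"}'),
        ("FQDN", '{"name": "Shop.Tesla.com."}'),   # duplicate after normalisation
        ("FQDN", '{"name": "nottesla.com"}'),      # different registered domain
        ("FQDN", '{"name": "www.example.org"}'),   # another enumeration in the same DB
        ("FQDN", 'not json'),                      # damaged row
        ("Other", '{"address": "192.0.2.10"}'),    # constructed non-FQDN row
    ]
    conn.executemany("INSERT INTO assets (type, content) VALUES (?, ?)", sample)
    return conn


if __name__ == "__main__":
    # For a real run, open the file read-only, as the workaround does:
    #   sqlite3.connect("file:/tmp/amass.sqlite?mode=ro", uri=True)
    for fqdn in fqdns_for_domain(build_sample_db(), "tesla.com"):
        print(fqdn)
```
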

I have a few thoughts to share in response to your questions:

  1. Does your config.yaml include anything that could be preventing amass from reaching your database?
  2. I'm so happy to see you accessing the database directly using SQL, since we will eventually discontinue support for the db subcommand and create separate tooling for obtaining/analyzing the collected data.
  3. The names are printed as expected for me using v4.0.3 when amass can reach the database containing the collected information.

caffix avatar Jul 24 '23 16:07 caffix

Same issue here (using Amass within Docker and native on macOS) without setting -config. Currently the mentioned workaround seems to be the only way to extract the list of subdomains.

mydeadlyvenoms avatar Jul 25 '23 08:07 mydeadlyvenoms

Personally, I would have your containerized Amass instances insert the discovered assets into a central PostgreSQL database that can be easily accessed during and after the enumeration process.

caffix avatar Jul 27 '23 16:07 caffix

This is still an issue. I have had this exact issue for a while. I was told in the Discord to update amass to the current version and it is still an issue. It seems odd that there can't just be an option to output the data to stdout or a file in passive mode...

g0ldencybersec avatar Jul 30 '23 19:07 g0ldencybersec