Recon tools: amass
What is amass?
I'm a big fan of many of the OWASP tools, like zaproxy, but in this case let's talk a little about amass. Like many other tools, it's good for searching for subdomains and subdomain brute-forcing, but it does much more than that. In this example, simply asking amass to enumerate the domain feemcotech.solutions (amass enum -d feemcotech.solutions) gets us more than subdomains: we also get the DNS records, the IP addresses they resolve to, and the netblocks and ASN those addresses belong to.
feemcotech.solutions (FQDN) --> mx_record --> mx00.ionos.com (FQDN)
feemcotech.solutions (FQDN) --> mx_record --> mx01.ionos.com (FQDN)
blog.feemcotech.solutions (FQDN) --> a_record --> 74.208.236.20 (IPAddress)
blog.feemcotech.solutions (FQDN) --> aaaa_record --> 2607:f1c0:100f:f000::200 (IPAddress)
74.208.0.0/16 (Netblock) --> contains --> 74.208.236.20 (IPAddress)
8560 (ASN) --> managed_by --> ONEANDONE-AS Brauerstrasse 48 (RIROrganization)
8560 (ASN) --> announces --> 74.208.0.0/16 (Netblock)
feemcotech.solutions (FQDN) --> a_record --> 217.160.0.29 (IPAddress)
feemcotech.solutions (FQDN) --> aaaa_record --> 2001:8d8:100f:f000::200 (IPAddress)
www.feemcotech.solutions (FQDN) --> a_record --> 212.227.172.252 (IPAddress)
www.feemcotech.solutions (FQDN) --> aaaa_record --> 2001:8d8:105:1:0:1:0:1 (IPAddress)
2607:f1c0::/32 (Netblock) --> contains --> 2607:f1c0:100f:f000::200 (IPAddress)
217.160.0.0/18 (Netblock) --> contains --> 217.160.0.29 (IPAddress)
8560 (ASN) --> managed_by --> IONOS-AS This is the joint network for IONOS, Fasthosts, Arsys, 1&1 Mail and Media and 1&1 Telecom. Formerly known as 1&1 Internet SE., DE (RIROrganization)
8560 (ASN) --> announces --> 2607:f1c0::/32 (Netblock)
8560 (ASN) --> announces --> 217.160.0.0/18 (Netblock)
mx00.ionos.com (FQDN) --> a_record --> 74.208.5.3 (IPAddress)
mx01.ionos.com (FQDN) --> a_record --> 74.208.5.21 (IPAddress)
2001:8d8:100::/40 (Netblock) --> contains --> 2001:8d8:105:1:0:1:0:1 (IPAddress)
74.208.0.0/16 (Netblock) --> contains --> 74.208.5.3 (IPAddress)
74.208.0.0/16 (Netblock) --> contains --> 74.208.5.21 (IPAddress)
2001:8d8::/32 (Netblock) --> contains --> 2001:8d8:100f:f000::200 (IPAddress)
8560 (ASN) --> announces --> 2001:8d8:100::/40 (Netblock)
8560 (ASN) --> announces --> 2001:8d8::/32 (Netblock)
212.227.0.0/16 (Netblock) --> contains --> 212.227.172.252 (IPAddress)
8560 (ASN) --> announces --> 212.227.0.0/16 (Netblock)
feemcotech.solutions (FQDN) --> ns_record --> ns1018.ui-dns.de (FQDN)
feemcotech.solutions (FQDN) --> ns_record --> ns1027.ui-dns.org (FQDN)
feemcotech.solutions (FQDN) --> ns_record --> ns1050.ui-dns.biz (FQDN)
feemcotech.solutions (FQDN) --> ns_record --> ns1110.ui-dns.com (FQDN)
ns1050.ui-dns.biz (FQDN) --> a_record --> 217.160.81.50 (IPAddress)
ns1050.ui-dns.biz (FQDN) --> aaaa_record --> 2001:8d8:fe:53:0:d9a0:5132:100 (IPAddress)
2001:8d8::/32 (Netblock) --> contains --> 2001:8d8:fe:53:0:d9a0:5132:100 (IPAddress)
217.160.80.0/22 (Netblock) --> contains --> 217.160.81.50 (IPAddress)
8560 (ASN) --> announces --> 217.160.80.0/22 (Netblock)
ns1027.ui-dns.org (FQDN) --> a_record --> 217.160.83.27 (IPAddress)
ns1027.ui-dns.org (FQDN) --> aaaa_record --> 2001:8d8:fe:53:0:d9a0:531b:100 (IPAddress)
ns1110.ui-dns.com (FQDN) --> a_record --> 217.160.82.110 (IPAddress)
ns1110.ui-dns.com (FQDN) --> aaaa_record --> 2001:8d8:fe:53:0:d9a0:526e:100 (IPAddress)
2001:8d8::/32 (Netblock) --> contains --> 2001:8d8:fe:53:0:d9a0:5012:100 (IPAddress)
2001:8d8::/32 (Netblock) --> contains --> 2001:8d8:fe:53:0:d9a0:531b:100 (IPAddress)
2001:8d8::/32 (Netblock) --> contains --> 2001:8d8:fe:53:0:d9a0:526e:100 (IPAddress)
217.160.80.0/22 (Netblock) --> contains --> 217.160.80.18 (IPAddress)
217.160.80.0/22 (Netblock) --> contains --> 217.160.83.27 (IPAddress)
217.160.80.0/22 (Netblock) --> contains --> 217.160.82.110 (IPAddress)
The enumeration has finished
Now, that's impressive for a free tool you can install just about anywhere and run, but it missed a few things, so let's see what else we can get. This time we'll use the more active scanning features by adding the -active flag and the -brute flag along with a custom wordlist we made (not really necessary here, but it makes the point). You can build a quick wordlist from a website using cewl, or there's some really neat stuff you can do with OpenAI to find likely words and then mutate them, but in this case I just wrote some entries in a text file and moved on.
feemcotech.solutions (FQDN) --> mx_record --> mx00.ionos.com (FQDN)
feemcotech.solutions (FQDN) --> mx_record --> mx01.ionos.com (FQDN)
mx00.ionos.com (FQDN) --> a_record --> 74.208.5.3 (IPAddress)
74.208.0.0/16 (Netblock) --> contains --> 74.208.5.3 (IPAddress)
8560 (ASN) --> managed_by --> ONEANDONE-AS Brauerstrasse 48 (RIROrganization)
8560 (ASN) --> announces --> 74.208.0.0/16 (Netblock)
feemcotech.solutions (FQDN) --> a_record --> 217.160.0.29 (IPAddress)
feemcotech.solutions (FQDN) --> aaaa_record --> 2001:8d8:100f:f000::200 (IPAddress)
feemcotech.solutions (FQDN) --> node --> www.feemcotech.solutions (FQDN)
www.feemcotech.solutions (FQDN) --> a_record --> 212.227.172.252 (IPAddress)
www.feemcotech.solutions (FQDN) --> aaaa_record --> 2001:8d8:105:1:0:1:0:1 (IPAddress)
2001:8d8:100::/40 (Netblock) --> contains --> 2001:8d8:105:1:0:1:0:1 (IPAddress)
217.160.0.0/18 (Netblock) --> contains --> 217.160.0.29 (IPAddress)
8560 (ASN) --> announces --> 2001:8d8:100::/40 (Netblock)
8560 (ASN) --> announces --> 217.160.0.0/18 (Netblock)
212.227.0.0/16 (Netblock) --> contains --> 212.227.172.252 (IPAddress)
2001:8d8::/32 (Netblock) --> contains --> 2001:8d8:100f:f000::200 (IPAddress)
8560 (ASN) --> managed_by --> IONOS-AS This is the joint network for IONOS, Fasthosts, Arsys, 1&1 Mail and Media and 1&1 Telecom. Formerly known as 1&1 Internet SE., DE (RIROrganization)
8560 (ASN) --> announces --> 212.227.0.0/16 (Netblock)
8560 (ASN) --> announces --> 2001:8d8::/32 (Netblock)
feemcotech.solutions (FQDN) --> ns_record --> ns1018.ui-dns.de (FQDN)
feemcotech.solutions (FQDN) --> ns_record --> ns1027.ui-dns.org (FQDN)
feemcotech.solutions (FQDN) --> ns_record --> ns1050.ui-dns.biz (FQDN)
feemcotech.solutions (FQDN) --> ns_record --> ns1110.ui-dns.com (FQDN)
ns1027.ui-dns.org (FQDN) --> a_record --> 217.160.83.27 (IPAddress)
ns1027.ui-dns.org (FQDN) --> aaaa_record --> 2001:8d8:fe:53:0:d9a0:531b:100 (IPAddress)
ns1110.ui-dns.com (FQDN) --> a_record --> 217.160.82.110 (IPAddress)
ns1110.ui-dns.com (FQDN) --> aaaa_record --> 2001:8d8:fe:53:0:d9a0:526e:100 (IPAddress)
feemcotech.solutions (FQDN) --> node --> blog.feemcotech.solutions (FQDN)
mx01.ionos.com (FQDN) --> a_record --> 74.208.5.21 (IPAddress)
blog.feemcotech.solutions (FQDN) --> a_record --> 74.208.236.20 (IPAddress)
blog.feemcotech.solutions (FQDN) --> aaaa_record --> 2607:f1c0:100f:f000::200 (IPAddress)
testing.feemcotech.solutions (FQDN) --> a_record --> 127.0.0.2 (IPAddress)
home.feemcotech.solutions (FQDN) --> a_record --> 127.0.0.99 (IPAddress)
ns1018.ui-dns.de (FQDN) --> a_record --> 217.160.80.18 (IPAddress)
ns1018.ui-dns.de (FQDN) --> aaaa_record --> 2001:8d8:fe:53:0:d9a0:5012:100 (IPAddress)
ns1050.ui-dns.biz (FQDN) --> a_record --> 217.160.81.50 (IPAddress)
ns1050.ui-dns.biz (FQDN) --> aaaa_record --> 2001:8d8:fe:53:0:d9a0:5132:100 (IPAddress)
linkedin.feemcotech.solutions (FQDN) --> a_record --> 74.208.236.20 (IPAddress)
linkedin.feemcotech.solutions (FQDN) --> aaaa_record --> 2607:f1c0:100f:f000::200 (IPAddress)
74.208.0.0/16 (Netblock) --> contains --> 74.208.236.20 (IPAddress)
74.208.0.0/16 (Netblock) --> contains --> 74.208.5.21 (IPAddress)
2607:f1c0::/32 (Netblock) --> contains --> 2607:f1c0:100f:f000::200 (IPAddress)
2001:8d8::/32 (Netblock) --> contains --> 2001:8d8:fe:53:0:d9a0:5132:100 (IPAddress)
2001:8d8::/32 (Netblock) --> contains --> 2001:8d8:fe:53:0:d9a0:5012:100 (IPAddress)
2001:8d8::/32 (Netblock) --> contains --> 2001:8d8:fe:53:0:d9a0:531b:100 (IPAddress)
2001:8d8::/32 (Netblock) --> contains --> 2001:8d8:fe:53:0:d9a0:526e:100 (IPAddress)
217.160.80.0/22 (Netblock) --> contains --> 217.160.81.50 (IPAddress)
217.160.80.0/22 (Netblock) --> contains --> 217.160.80.18 (IPAddress)
217.160.80.0/22 (Netblock) --> contains --> 217.160.83.27 (IPAddress)
217.160.80.0/22 (Netblock) --> contains --> 217.160.82.110 (IPAddress)
8560 (ASN) --> announces --> 2607:f1c0::/32 (Netblock)
8560 (ASN) --> announces --> 217.160.80.0/22 (Netblock)
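The two runs above print the same kind of relationship triples in a different order, which makes them awkward to compare by eye. Here is an added Python example written for this page (it is not amass code and not from the original post): it parses the `name (Type) --> relation --> name (Type)` lines, builds an inventory of each subdomain's addresses together with the netblock and ASN amass tied to them, and flags names that resolve into non-global address space, which is how home. and testing. show up at 127.0.0.x in the second run. The sample input is a constructed subset of the output above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a handful of relationship lines taken from the two enum
# runs shown above, shortened to keep the example small.
SAMPLE_OUTPUT = """\
feemcotech.solutions (FQDN) --> a_record --> 217.160.0.29 (IPAddress)
blog.feemcotech.solutions (FQDN) --> a_record --> 74.208.236.20 (IPAddress)
blog.feemcotech.solutions (FQDN) --> aaaa_record --> 2607:f1c0:100f:f000::200 (IPAddress)
testing.feemcotech.solutions (FQDN) --> a_record --> 127.0.0.2 (IPAddress)
home.feemcotech.solutions (FQDN) --> a_record --> 127.0.0.99 (IPAddress)
linkedin.feemcotech.solutions (FQDN) --> a_record --> 74.208.236.20 (IPAddress)
74.208.0.0/16 (Netblock) --> contains --> 74.208.236.20 (IPAddress)
217.160.0.0/18 (Netblock) --> contains --> 217.160.0.29 (IPAddress)
2607:f1c0::/32 (Netblock) --> contains --> 2607:f1c0:100f:f000::200 (IPAddress)
8560 (ASN) --> announces --> 74.208.0.0/16 (Netblock)
8560 (ASN) --> announces --> 217.160.0.0/18 (Netblock)
8560 (ASN) --> announces --> 2607:f1c0::/32 (Netblock)
8560 (ASN) --> managed_by --> ONEANDONE-AS Brauerstrasse 48 (RIROrganization)
The enumeration has finished
"""

# One relationship per line: "<source> (<Type>) --> <relation> --> <target> (<Type>)"
LINE_RE = re.compile(
    r"^(?P<src>.+?) \((?P<stype>\w+)\) --> (?P<rel>\w+) --> (?P<dst>.+?) \((?P<dtype>\w+)\)$"
)


def parse_relations(text):
    """Yield (src, src_type, relation, dst, dst_type); lines that are not triples are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src", "stype", "rel", "dst", "dtype")


def in_scope(name, domain):
    return name == domain or name.endswith("." + domain)


def build_inventory(text, domain):
    """Return {fqdn: {ip: (netblock, asn)}} for names under `domain`."""
    addrs = defaultdict(set)   # fqdn -> addresses from a_record / aaaa_record edges
    netblock_of = {}           # ip -> netblock that "contains" it
    asn_of = {}                # netblock -> ASN that "announces" it
    for src, stype, rel, dst, _dtype in parse_relations(text):
        if stype == "FQDN" and rel in ("a_record", "aaaa_record") and in_scope(src, domain):
            addrs[src].add(dst)
        elif stype == "Netblock" and rel == "contains":
            netblock_of[dst] = src
        elif stype == "ASN" and rel == "announces":
            asn_of[dst] = src
    inventory = {}
    for fqdn, ips in addrs.items():
        inventory[fqdn] = {}
        for ip in sorted(ips):
            block = netblock_of.get(ip)
            inventory[fqdn][ip] = (block, asn_of.get(block))
    return inventory


def suspicious_resolutions(inventory):
    """Names whose records point at loopback, private or otherwise non-global space.

    These are usually stale or placeholder entries (home. and testing. above resolve
    to 127.0.0.x and land in amass's "ASN 0 - Reserved" bucket); they are worth
    removing from the zone so they are not mistaken for real hosts."""
    flagged = {}
    for fqdn, ips in inventory.items():
        bad = [ip for ip in ips if not ipaddress.ip_address(ip).is_global]
        if bad:
            flagged[fqdn] = bad
    return flagged


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_OUTPUT, "feemcotech.solutions")
    for fqdn, ips in sorted(inv.items()):
        for ip, (block, asn) in ips.items():
            print(f"{fqdn:32} {ip:28} {block or '-':20} AS{asn or '?'}")
    print("non-global resolutions:", suspicious_resolutions(inv))
```

Feed it the real run with `amass enum -d feemcotech.solutions | python3 inventory.py` style redirection (read `sys.stdin` instead of SAMPLE_OUTPUT) and the same two checks apply: every in-scope name gets its netblock and ASN, and anything sitting in reserved space is listed for cleanup.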
You can see that in this case, not only did it find what was found before, it also went on to find linkedin., home., and testing. as subdomains, along with the resolutions for those. But let's say we hate the way that's written; maybe let's try doing this a different way. Once we have all the data, let's go ahead and check our local database of what was found for this domain.
amass db -d feemcotech.solutions -show
www.feemcotech.solutions
blog.feemcotech.solutions
testing.feemcotech.solutions
home.feemcotech.solutions
linkedin.feemcotech.solutions
feemcotech.solutions
OWASP Amass v4.1.0 https://github.com/owasp-amass/amass
--------------------------------------------------------------------------------
6 names discovered
--------------------------------------------------------------------------------
ASN: 8560 - ONEANDONE-AS Brauerstrasse 48
2001:8d8:100::/40 1 Subdomain Name(s)
2607:f1c0::/32 2 Subdomain Name(s)
74.208.0.0/16 2 Subdomain Name(s)
217.160.0.0/18 1 Subdomain Name(s)
2001:8d8::/32 1 Subdomain Name(s)
212.227.0.0/16 1 Subdomain Name(s)
ASN: 0 - Reserved Network Address Blocks
127.0.0.0/8 2 Subdomain Name(s)
Now we have a listing put together by ASN, covering both IPv4 and IPv6, as well as a list of subdomains. You can print just the subdomains using the db subcommand with -names, which you can then pipe into something like nuclei or httpx. You could use this to pull all sorts of information.
In this case, I found out that the IONOS web builder is just a WordPress overlay system, which puts my website in the hands of their admins to keep it free of vulnerabilities.
amass db -d feemcotech.solutions -names|grep -iv "home\|testing"|nuclei |grep -iv "tls\|ssl\|http-missing"
nuclei v3.1.10 (projectdiscovery.io)
[INF] Current nuclei version: v3.1.10 (latest)
[INF] Current nuclei-templates version: v9.7.5 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 106
[INF] Templates loaded for current scan: 7455
[INF] Executing 7473 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 4
[INF] Running httpx on input host
[INF] Found 4 URL from httpx
[INF] Templates clustered: 1268 (Reduced 4936 Requests)
[caa-fingerprint] [dns] [info] www.feemcotech.solutions
[caa-fingerprint] [dns] [info] feemcotech.solutions
[nameserver-fingerprint] [dns] [info] feemcotech.solutions ["ns1050.ui-dns.biz.","ns1018.ui-dns.de.","ns1027.ui-dns.org.","ns1110.ui-dns.com."]
[mx-fingerprint] [dns] [info] feemcotech.solutions ["10 mx01.ionos.com.","10 mx00.ionos.com."]
[caa-fingerprint] [dns] [info] blog.feemcotech.solutions
[mx-fingerprint] [dns] [info] linkedin.feemcotech.solutions ["10 mx00.ionos.com.","10 mx01.ionos.com."]
[caa-fingerprint] [dns] [info] linkedin.feemcotech.solutions
[txt-fingerprint] [dns] [info] linkedin.feemcotech.solutions ["\"v=spf1 include:_spf-us.ionos.com ~all\""]
[txt-fingerprint] [dns] [info] feemcotech.solutions ["\"google-site-verification=gtB2C3NUo1AzFSivOWIgzHpyB7jMqT0UiSRiCiRShLk\"","\"v=spf1 include:_spf-us.ionos.com ~all\""]
[INF] Using Interactsh Server: oast.site
[addeventlistener-detect] [http] [info] https://www.feemcotech.solutions
[metatag-cms] [http] [info] https://www.feemcotech.solutions ["MyWebsite NOW"]
[robots-txt-endpoint] [http] [info] https://www.feemcotech.solutions/robots.txt
[rdap-whois:expirationDate] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["2025-01-21T14:34:21.007Z"]
[rdap-whois:registrantCountry] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["US"]
[rdap-whois:nameServers] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["ns1018.ui-dns.de","ns1050.ui-dns.biz","ns1027.ui-dns.org","ns1110.ui-dns.com"]
[rdap-whois:status] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["client transfer prohibited","auto renew period"]
[rdap-whois:registrationDate] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["2022-01-21T14:34:21.007Z"]
[rdap-whois:lastChangeDate] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["2024-01-21T14:34:34.882Z"]
[rdap-whois:registrantOrg] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["1&1 Internet Inc"]
[rdap-whois:registrantAddress] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["US","PA"]
[rdap-whois:secureDNS] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["false"]
[missing-sri] [http] [info] https://www.feemcotech.solutions/ ["https://www.feemcotech.solutions/wp-content/plugins/go-x-blocks/js/consent/consent.js?ver=1.0.6+6cc36b5df8"]
[missing-sri] [http] [info] https://www.feemcotech.solutions ["https://www.feemcotech.solutions/wp-content/plugins/go-x-blocks/js/consent/consent.js?ver=1.0.6+6cc36b5df8"]
[waf-detect:nginxgeneric] [http] [info] http://blog.feemcotech.solutions/
[waf-detect:modsecurity] [http] [info] http://blog.feemcotech.solutions/
[waf-detect:nginxgeneric] [http] [info] http://linkedin.feemcotech.solutions/
[waf-detect:modsecurity] [http] [info] http://linkedin.feemcotech.solutions/
[waf-detect:apachegeneric] [http] [info] https://feemcotech.solutions/
[wordpress-detect:version_by_js] [http] [info] https://www.feemcotech.solutions ["6.2.2"]
[wordpress-detect:version_by_js] [http] [info] https://www.feemcotech.solutions ["6.2.2"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="https://9a1onfeemcotech.solutions"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="https://zzuhh.feemcotech.solutions"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="http://y5dkw.feemcotech.solutions"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="https://www.feemcotech.solutions%60.1llbp.com"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="https://www.feemcotech.solutions.5dwwr.com"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="https://www.feemcotech.solutionswqylt.com"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="https://www.feemcotech.solutions_.igfra.com"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="http://wwwafeemcotechasolutions"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="null"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="https://wwwafeemcotechasolutions"]
[wordpress-user-enum] [http] [info] https://www.feemcotech.solutions/?author=1 ["author/admin"]
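The grep on the pipeline above only strips noise; it doesn't tell you which of the remaining lines matter. As an added example (not from the original post and not part of nuclei), here is a small Python triage script for that output: it parses the `[template] [protocol] [severity] target [extracted]` lines, ignores the [INF] progress lines, groups the findings that need follow-up on a site you own (the reflected CORS origins, the WordPress author enumeration, the script loaded without SRI) by host, and turns the rdap-whois expiration date into a days-remaining figure. The WATCH grouping is my choice, and the sample input is a constructed subset of the lines printed above.

```python
import json
import re
from collections import defaultdict
from datetime import date, datetime
from urllib.parse import urlsplit

# Constructed sample: a subset of the nuclei lines printed above (one [INF]
# progress line kept to show that it is ignored).
SAMPLE_NUCLEI = """\
[INF] Targets loaded for current scan: 4
[caa-fingerprint] [dns] [info] feemcotech.solutions
[nameserver-fingerprint] [dns] [info] feemcotech.solutions ["ns1050.ui-dns.biz.","ns1018.ui-dns.de."]
[metatag-cms] [http] [info] https://www.feemcotech.solutions ["MyWebsite NOW"]
[rdap-whois:expirationDate] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["2025-01-21T14:34:21.007Z"]
[rdap-whois:secureDNS] [http] [info] https://rdap.identitydigital.services/rdap/domain/feemcotech.solutions ["false"]
[missing-sri] [http] [info] https://www.feemcotech.solutions/ ["https://www.feemcotech.solutions/wp-content/plugins/go-x-blocks/js/consent/consent.js?ver=1.0.6+6cc36b5df8"]
[waf-detect:modsecurity] [http] [info] http://blog.feemcotech.solutions/
[wordpress-detect:version_by_js] [http] [info] https://www.feemcotech.solutions ["6.2.2"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="https://zzuhh.feemcotech.solutions"]
[cors-misconfig:arbitrary-origin] [http] [info] https://www.feemcotech.solutions [cors_origin="null"]
[wordpress-user-enum] [http] [info] https://www.feemcotech.solutions/?author=1 ["author/admin"]
"""

# "[template-id] [protocol] [severity] target [extracted values]"; the
# extracted part is optional.
FINDING_RE = re.compile(
    r"^\[(?P<template>[^\]\s]+)\] \[(?P<proto>\w+)\] \[(?P<sev>\w+)\] (?P<target>\S+)(?: (?P<extra>.+))?$"
)


def parse_extra(extra):
    """Extractor output is either a JSON list (["6.2.2"]) or key="value" inside brackets."""
    if not extra:
        return None
    try:
        return json.loads(extra)
    except json.JSONDecodeError:
        m = re.match(r'^\[(\w+)="(.*)"\]$', extra)
        return {m.group(1): m.group(2)} if m else extra


def parse_findings(text):
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:                                # [INF]/[WRN] progress lines do not match
            f = m.groupdict()
            f["extra"] = parse_extra(f["extra"])
            findings.append(f)
    return findings


def host_of(finding):
    """Hostname a finding is about; rdap-whois hits carry the domain in the URL path."""
    parts = urlsplit(finding["target"])
    if finding["template"].startswith("rdap-whois"):
        return parts.path.rsplit("/", 1)[-1]
    return parts.hostname or finding["target"]


# Template families that need follow-up on a site you own; the rest of the
# run above is fingerprinting and is informational. Grouping chosen for this example.
WATCH = {
    "cors-misconfig": "reflected Origin: other sites can read responses cross-origin",
    "wordpress-user-enum": "author usernames exposed via ?author=N, feeding password guessing",
    "missing-sri": "script loaded without Subresource Integrity",
}


def triage(findings):
    """{family: {host: [extracted detail, ...]}} restricted to the WATCH families."""
    out = defaultdict(lambda: defaultdict(list))
    for f in findings:
        family = f["template"].split(":", 1)[0]
        if family in WATCH:
            out[family][host_of(f)].append(f["extra"])
    return {fam: dict(hosts) for fam, hosts in out.items()}


def days_until_expiry(findings, today_iso):
    """Days left on the registration from rdap-whois:expirationDate, or None if absent."""
    today = date.fromisoformat(today_iso)
    for f in findings:
        if f["template"] == "rdap-whois:expirationDate" and f["extra"]:
            exp = datetime.strptime(f["extra"][0], "%Y-%m-%dT%H:%M:%S.%fZ")
            return (exp.date() - today).days
    return None


if __name__ == "__main__":
    fs = parse_findings(SAMPLE_NUCLEI)
    for family, hosts in triage(fs).items():
        print(f"{family}: {WATCH[family]}")
        for host, details in hosts.items():
            print(f"  {host}: {details}")
    print("days until domain expiry:", days_until_expiry(fs, date.today().isoformat()))
```

The per-host grouping is what you want when the site is hosted by someone else, as here: the CORS reflection and the author enumeration are things to raise with the hosting provider (or fix in your own WordPress config where you can), while the expiry countdown is a reminder you can schedule rather than rediscover on the next scan.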