Upload File

the owasp amass project … · introduction • jeff foley (a.k.a caffix), project lead for owasp...

  • Home
  • Documents
  • The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid
11
The OWASP Amass Project DNS Enumeration written in Go September 6, 2018 Presented by Jeff Foley

Upload: others

Post on 21-May-2020

6 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

TheOWASPAmassProjectDNSEnumerationwritteninGoSeptember6,2018PresentedbyJeffFoley

Page 2: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

Introduction

•  JeffFoley(a.k.acaffix),ProjectLeadforOWASPAmass

•  USManager,PenetrationTesting&RedTeamingatNationalGrid

•  https://github.com/caffix•  https://twitter.com/jeff_foley

Page 3: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

WhatisAmass?•  DNSenumerationandnetworkmappingtoaidin

understandinganorganization’sattacksurfaceontheInternet

•  Theprojectprovidesasuiteoftoolsthatemployactiveandpassivetechniques:–  Traditionalsubdomainenumerator–  Maltegolocaltransform–  TLScertificatesubdomainnamegrabber–  Morecomingsoon

•  Amassalsosupportsthevisualizationoffindingstobetterunderstandthenetworksbeinginvestigated.

Page 4: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

GettingAmass•  OnLinux,AmassiseasytogetwithSnapcraft:

$sudosnapinstallamass

•  Usedocker:$sudodockerbuild–tamasshttps://github.com/OWASP/Amass.git$sudodockerrunamass–v–ip–freq480–dowasp.org

•  UseGotoinstallAmass:$goget–ugithub.com/OWASP/Amass/…

Page 5: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

Collaboration/CurrentGoals

•  KeepingupwithnewdatasourcesandpossiblyaddservicesthatrequireAPIkeys

•  Addsupportforadditionalpackagemanagers•  ContinueturningAmassfunctionalitiesintosmallersuitetools.

Page 6: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

LessonsLearned

•  OneoflargestAmasscontributionsisthe“Alt&Sweep”technique– Alterations&permutationsofnames(AltDNS)–  ReverseDNSsweepsarounddiscoveredIPaddresses–  Inacyclicrelationship,additionalnetworkinfrastructureisrevealed

•  Duringthelifeoftheproject,manydatasourceshaveincreasedthenumberofnamesprovided.

Page 7: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

Demonstration

•  Theowasp.orgenumeration:https://asciinema.org/a/P2kuxzy164LgCfc8uL2YtCMoM

•  Thefb.comenumeration:https://asciinema.org/a/v6B1qdMRILRUflpkwRPhvCTaY

Page 8: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

DemonstrationCont.

Page 9: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

DemonstrationCont.

Page 10: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

DemonstrationCont.

Page 11: The OWASP Amass Project … · Introduction • Jeff Foley (a.k.a caffix), Project Lead for OWASP Amass • US Manager, Penetration Testing & Red Teaming at National Grid

Thankyou!

Questions?


Amass india

OWASP (Membership) and new OWASP Projects · OWASP 7 OWASP

Cross Teaming

AMASS Deliverable template · This document presents the first iteration of deliverable D7.5 (AMASS open source platform provisioning and website), released by the AMASS WP7 (Industrial

OWASP Day IV•180 blog monitorati OWASP-Italy Day IV – 6th, Nov 09 OWASP 11 OWASP Top Ten

OWASP Testing Guide - OWASP Summit 2011

OWASP – Top 10 · • OWASP Code Review Guide • OWASP Testing Guide • OWASP Top Ten Project . OWASP – TOP 10 • OWASP Top 10 Web Application Security Risks for 2010 are:

OWASP Belgium Chapter Meeting - Brussels - 8 May 2006 - 1 OWASP Update - Open … · 2006/5/8  · OWASP 8 OWASP?

The OWASP Foundation OWASP Global Update Seba Deleersnyder OWASP Foundation Board Member

Study: Nonprofit Health Plans Amass Excessive Surpluses

The OWASP Foundation OWASP AppSec Aguascalientes 2010 ¿Qué es OWASP? Miguel Pérez-Milicua Softtek Miembro de OWASP capítulo Aguacalientes

Teaming Profiles

Owasp Mosc2010 - Tour of Owasp Projects

Owasp tools - OWASP Serbia

AMASS: Archive of Motion Capture as Surface Shapes

OWASP Joomla! Vulnerability Scanner - OWASP-MY

Teaming wms814

SpecialQuest Teaming

OWASP Education OWASP Global Summit Portugal 2011

A. Teaming Part - download.gigabyte.asiadownload.gigabyte.asia/FileList/Manual/...teaming_vlan_document.pdfA. Teaming Part a. Create Teaming Flow ... left click the icon in ProgramsÆRealtek

The OWASP Foundation OWASP Top 10 2010 Kuai Hinojosa Software Security Consultant at Cigital OWASP Global Education Committee OWASP

ECSEL Research and Innovation actions (RIA) › sites › amass.drupal.pulsartecnalia.co… · project and depend on the ongoing involvement of AMASS partners independent of the AMASS

Collaborative Teaming

Teaming Presentation

Review OWASP 2014 - OWASP Perú

RED TEAMING€¦ · in its ability to deal with advanced attacks. WHAT IS RED TEAMING? Red teaming targets people, processes and technology 02. RED TEAMING VS. PENETRATION TESTING

Business Teaming

OWASP 2013 APPSEC USA Talk - OWASP ZAP

Teaming Agreement

Profiling teaming

AMASS: Archive of Motion Capture as Surface Shapesfiles.is.tue.mpg.de/black/papers/amass.pdf · AMASS: Archive of Motion Capture as Surface Shapes Naureen Mahmood1 Nima Ghorbani2

Red Teaming

Teamwork: Insights from 40 years of Research and Practice€¦ · Edmondson - Teaming • Learning to team, teaming to learn • Teaming process (bottom-up) – Teaming mindset adopted

Amass International Group Inc. - Amassgroup

Building Teaming Agreements - diy5b2kdeokq1.cloudfront.net fileCMG Alliance Proprietary TEAMING AGREEMENTS Learning objec7ves • Definions • Teaming agreements VS Joint Venture