Hacking the Graph: Advanced Target Discovery With OWASP Amass by Jeff Foley | BBV, DEF CON 33
51:29


Overview

This video introduces version 5 of OWASP Amass, a powerful tool for attack surface mapping and asset discovery. The presenter, Jeff Foley, highlights the project's evolution, emphasizing its new open asset model and the 'associate' (assoc) tool. This tool allows users to query the asset database using a custom triple-based query language, enabling complex data exploration beyond traditional subdomain enumeration. The presentation showcases how to leverage this new functionality for advanced target discovery and provides insights into the project's future development, including enhanced visualization and potential AI integrations.


Chapters

  • OWASP Amass is a project for attack surface mapping and asset discovery, designed to provide visibility into internet-exposed assets.
  • Version 5 represents a significant overhaul after two years of development, with a focus on a new open asset model.
  • Amass uses a cyclic process: discovered data is evaluated, normalized, and correlated to build a complete picture, rather than just aggregating API data.
  • Active methods, like DNS queries, are optional but crucial for comprehensive discovery.
Understanding Amass's core functionality and its latest version is essential for anyone needing to map and understand digital assets for security or reconnaissance purposes.
The cyclic process where each discovered item is handled independently before normalization and correlation.

  • The project originated from a critical need for situational awareness, as many organizations lacked accurate knowledge of their internet-facing assets.
  • Amass was designed as a fully automated tool, unlike interactive tools like Maltego, to provide results without constant user intervention.
  • It's a widely used and trusted tool, often forming the core of backend services for various organizations.
  • The goal is to empower users to customize Amass for their specific workflows and gain a unique edge in discovery.
Knowing the 'why' behind Amass helps appreciate its design choices and its value proposition as a proactive security and intelligence-gathering tool.
The speaker's personal experience of finding unknown internet-facing assets in organizations, highlighting the necessity for such a tool.

  • The entire framework has been rebuilt around the open asset model, which defines how collected data and their relationships are stored and understood.
  • It goes beyond just infrastructure data, collecting information like business registrations, addresses, and funding details.
  • Data is stored in a database with options for SQLite (default), Postgres (performant), and Neo4j (graph-like).
  • The open asset model is designed to be extensible, allowing anyone to contribute data or use it to seed other tools.
The open asset model is the foundation for Amass's advanced querying capabilities, enabling a holistic view of targets.
Collecting business registration information to discover more resources associated with an organization.

  • The new 'associate' (assoc) tool allows users to query the open asset model database directly, offering more flexibility than previous commands like 'subdomain'.
  • It uses a custom query language based on 'triples' (subject, predicate, object), each representing a single 'hop' or traversal in the data graph.
  • Queries can be complex, chaining multiple triples to navigate the graph and extract specific information.
  • The tool outputs results in JSON, providing all data encountered along the way, not just the final result, allowing for detailed analysis.
The 'assoc' tool and its triple-based query language unlock powerful, custom data retrieval from the asset database, enabling sophisticated reconnaissance.
A simple triple query to find all FQDNs associated with 'owasp.org'.

  • New, improved documentation is available, providing step-by-step installation guides and detailed explanations of the open asset model.
  • The documentation clearly defines asset types, their attributes, properties, and outgoing relations, crucial for building queries.
  • Triples are constructed using subject, predicate, and object, with flexibility for wildcards and regex.
  • The documentation includes visual (graph) and tabular representations of the data model, making it easier to understand relationships.
Accessible and detailed documentation is key to empowering users to effectively utilize the advanced features of Amass, especially the new query language.
Using the documentation to find the exact relation label name for 'DNS zone nodes' to build a query.

  • Queries can start with a unique subject (e.g., a specific FQDN) and traverse relationships like 'name comes from DNS zone nodes' to find related FQDNs.
  • Subsequent triples can chain operations, such as finding IP addresses from DNS records, or network blocks containing those IPs.
  • The 'assoc' tool can execute queries defined in files, allowing for complex, multi-hop investigations.
  • Queries can be filtered by properties, such as the last seen date ('since' directive) or confidence levels, to refine results and manage historical data.
Practical examples demonstrate how to build multi-step queries to uncover intricate relationships within the asset data, moving beyond simple lookups.
A six-triple query to trace from a target domain to IP addresses, then to network blocks, RIR registration info, registrant organizations, and finally the organization name.

  • The 'assoc' tool's flexibility allows users to ask complex questions and retrieve data that was previously inaccessible or required manual correlation.
  • Future development may include features like time-windowed queries (specifying a start and end date) and potential AI integrations.
  • Users are encouraged to integrate their own recon tools by writing plugins and to share their query discoveries and feedback on the project's Discord.
  • The project aims to move away from creating tools for specific use cases towards providing a powerful, flexible data model that users can query as needed.
Understanding the project's direction and how to contribute fosters community engagement and ensures Amass continues to evolve to meet user needs.
The suggestion to use the 'since' directive to filter for recent data, preventing overwhelming results from years of historical collection.
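To make the multi-hop triple traversal and the 'since' filter concrete, here is a small toy model added to these notes; it is not Amass code, and the asset types, relation labels, addresses and dates are constructed placeholders rather than the real open asset model's labels (the actual names come from the Amass documentation).

```python
"""Toy re-implementation of a triple-chain query over a constructed asset graph.
Added example, not code from OWASP Amass: every label, address and date below is made up."""
import re

# Constructed asset graph: (subject, predicate, object, last_seen as ISO date string),
# stored in the direction the six-hop query walks. The 'old.example.test' branch is
# deliberately stale (last seen in 2022) to show what the 'since' cut-off removes.
EDGES = [
    ("FQDN:example.test", "zone_node", "FQDN:www.example.test", "2025-07-01"),
    ("FQDN:example.test", "zone_node", "FQDN:old.example.test", "2022-01-09"),
    ("FQDN:www.example.test", "dns_record", "IPAddress:203.0.113.10", "2025-07-01"),
    ("FQDN:old.example.test", "dns_record", "IPAddress:198.51.100.5", "2022-01-09"),
    ("IPAddress:203.0.113.10", "in_netblock", "Netblock:203.0.113.0/24", "2025-07-01"),
    ("IPAddress:198.51.100.5", "in_netblock", "Netblock:198.51.100.0/24", "2022-01-09"),
    ("Netblock:203.0.113.0/24", "registration", "RIRRecord:NET-203-0-113-0", "2025-06-01"),
    ("Netblock:198.51.100.0/24", "registration", "RIRRecord:NET-198-51-100-0", "2022-01-09"),
    ("RIRRecord:NET-203-0-113-0", "registrant", "Organization:ORG-1", "2025-06-01"),
    ("RIRRecord:NET-198-51-100-0", "registrant", "Organization:ORG-2", "2022-01-09"),
    ("Organization:ORG-1", "name", "Name:Example Corp", "2025-06-01"),
    ("Organization:ORG-2", "name", "Name:Old Hosting Ltd", "2022-01-09"),
]

# A query is an ordered list of triples. Only the first triple names its subject; each later
# hop takes the previous hop's objects as its subjects. Predicate and object are regexes,
# so both wildcards (".*") and tighter patterns work. Constructed labels, not Amass's own.
SIX_HOP = [("FQDN:example.test", "zone_node", "FQDN:.*"), ("", "dns_record", "IPAddress:.*"),
           ("", "in_netblock", "Netblock:.*"), ("", "registration", "RIRRecord:.*"),
           ("", "registrant", "Organization:.*"), ("", "name", "Name:.*")]

def run_query(triples, edges=EDGES, since=None):
    """Walk the hops and return every node encountered per hop (keyed by hop index),
    not just the final answer, mirroring the 'all encountered data' output described above.
    'since' is an ISO date string; ISO dates compare correctly as plain strings."""
    seen = {}
    subjects = {triples[0][0]}
    for hop, (_, pred, obj) in enumerate(triples):
        nxt = set()
        for s, p, o, last_seen in edges:
            if s in subjects and re.fullmatch(pred, p) and re.fullmatch(obj, o):
                if since is None or last_seen >= since:  # the 'since' cut-off drops stale edges
                    nxt.add(o)
        seen[hop] = sorted(nxt)
        subjects = nxt
        if not nxt:  # nothing matched this hop, so later hops cannot match either
            break
    return seen
```

Without a cut-off the final hop returns both organization names; with since="2024-01-01" the stale branch disappears at the first hop and only "Name:Example Corp" survives.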

Key takeaways

  1. OWASP Amass v5 introduces a powerful open asset model and the 'associate' tool, enabling advanced, customizable data exploration.
  2. The 'associate' tool uses a triple-based query language to navigate the asset graph, allowing for complex multi-hop data retrieval.
  3. Effective use of Amass requires understanding its data model, which is well-documented and includes relationships beyond traditional infrastructure.
  4. Querying with time constraints ('since') is crucial for managing historical data and ensuring the relevance of findings.
  5. The open nature of the asset model encourages community contributions, including custom queries and integration of third-party tools.
  6. Amass is shifting towards empowering users with flexible data access rather than providing pre-defined tools for specific tasks.
  7. Future developments may include AI integration and more sophisticated query capabilities, such as time-windowed searches.

Key terms

  • OWASP Amass
  • Attack Surface Mapping
  • Asset Discovery
  • Open Asset Model
  • Associate (assoc) Tool
  • Triples (Subject, Predicate, Object)
  • Query Language
  • Graph Traversal
  • FQDN (Fully Qualified Domain Name)
  • Asset Database
  • Normalization
  • Correlation
  • Situational Awareness

Test your understanding

  1. How does Amass's cyclic data processing differ from simply aggregating API data, and why is this distinction important for building a complete picture?
  2. What is the primary motivation behind the development of OWASP Amass, and how does version 5 aim to fulfill that mission more effectively?
  3. Explain the concept of 'triples' in Amass's query language and how they are used to navigate the open asset model graph.
  4. Why is it important to use time constraints like the 'since' directive when querying the Amass asset database, especially with historical data?
  5. How does the 'associate' tool empower users to perform more advanced reconnaissance compared to previous Amass commands like 'subdomain'?
