In the meantime, we will now move on to the next session. This is our first live tool demo of the day, and so far so good, but things might go a little skew. If so, we've got backup options, and the backup option, and the backup option, and we'll see what ends up happening. I want to hand over to these guys pretty sharpish, because their tool is the tool. That's going to sound a bit dodgy, but never mind. The project that they work on has already been mentioned in the past through talks; there was an entire slide on the last one. [unintelligible] I dreaded having to do asset discovery. It took too long, too many tools, it was cumbersome, and that's what caused Amass to be born. We just needed a smoother way to do this, an easier way to do this, and all the years that I had spent in this field, just 17 years, I shouldn't reveal my secrets, but it just taught me to write my own tools when necessary. I don't like to rely on what's already out there if it's not suiting my needs or meeting my requirements. So I started working on this. It seems like a lot of other people were happy to receive it as well. I'm Jeff Foley. This is Anthony Rhodes. He is a major contributor to this project. He joined so he could bring his advanced penetration testing skills, and software development as well, to this project and enhance the capabilities.
Regardless of what your current experience with this is, we're going to be covering everything from the basic usage of this initially, but then we're going to dive in pretty quick to how to get more out of this, because we've been getting some interesting feedback from people just saying we'd like to go further with Amass now. And with that, I'll hand it over to Anthony. All right. Is this too small? I can bump it up. That's good. Oh, it's too big. That should work, hopefully. So I'm going to be doing a demo of Amass today. I'm just going to show you a basic enumeration right now. I think most people would start out with this command, the enum sub-command, and just pardon the slow network connection. Amass has several sub-commands: a couple of them for enumerations, and then a couple of them are support tools: a tracker, a database tool, a visualization tool. So we're just going to start off with a basic enumeration where we're going to give it a domain name and we're going to try to find subdomains off of that. So I'm going to give it the -src flag to show where all these subdomains are coming from. There are a lot of open source intelligence feeds that we're pulling from. We also have brute forcing and alterations. And then I'm going to tell it to give me the IP, because it goes out and resolves them all. So while that's thinking, sometimes it takes a little bit to get the first results. But the way Amass works, and I think what sets it apart from a lot of the other subdomain enumeration tools, is that a lot of those tools will grab from the open source feeds and they'll do brute forcing, but then that's it and it's done. What Amass does is whenever it resolves a name, it feeds it back into the enumeration, and so then it performs brute forcing and alterations on that. So now that we're getting results, I can talk to those. So yeah, you can see there's, we got ThreatCrowd, crt.sh, you know, that's certificates.
Wayback: we crawl archives and grab stuff there. Alterations, I'll get more into that later; that's a little heavy right now. BufferOver is the Rapid7 Project Sonar DNS scans. So that's just an API that someone threw up. So that gives a lot of results. Rapid7 did a lot of good work there. And then we've got the Markov model. That's kind of similar to alterations: the Markov model uses Markov chains to try to guess based on the previous input that's training the model. So yeah, it'll keep going. You can see, just if you're looking at this data, you can already see that this organization has some patterns where we might be able to iterate on that further. So like the CSTS3, CSTS4. So yeah, it looks like alterations caught onto that and generated more hits. So alterations supports a lot of different features that I've added in the past year. Originally it focused on just pulling numbers out and then flipping them to every other possible number and then adding numbers. So every time it saw a number it basically generated a thousand more requests, because it's really common for people to just keep adding to the number when they have multiple of these domains that are meant for the same purpose. So the features that I added to alterations were doing something similar to that, except with words. So if you see right here we have www-dev, and this is really common across all organizations. You'll have -prod, -test and a bunch of those. So Amass looks for those too: it looks for subdomains that have dashes in them, and then it pulls out the first and last words, and then it has a word list of 200 or so really common words that it'll throw in there in the place of -dev to try to enumerate all the iterations of that source, so you get the dev, the prod, the test and all that. So yeah, let's see if this is done. It's still going. Okay, yeah, it's pretty fast. This is default settings and it's like a couple hundred a second.
So you can crank that up. There's a setting for that where you can increase how many connections it can support at a time. All right, cool. So it's finished. So yeah, I'll talk about this output right here. Don't get mad at me. Okay. So during the whole enumeration it's resolving all these IPs, and it's grabbing the netblocks and the autonomous systems that are related, and then it throws all this into a graph database where all the relationships are preserved. And then at the end it prints out all of that information, so you can see how many hits you're getting per netblock. So you can see they have an AS, Utica College, which just makes sense, utica.edu, and that's the primary source of all their subdomains. So say you did this basic enumeration and you want to take it a little further and try to discover more of this target, beyond just looking at utica.edu. So tmux wants to cooperate. So Amass has a sub-command called intel, and this basically tries to expand the scope of what you're looking at, whereas enum just tries to find all the subdomains and assets within the scope you give it. So this will try to find domain names that are related to utica.edu. So we can pull this AS number out and we can give it to the intel command. We also want to give it the active command, or the -active flag, too. And what it will do there is it'll pull the netblock for that, and then it'll do a reverse DNS and cert grabbing to try to find other domains. All right. So yeah, while that's thinking, intel also supports reverse WHOIS. So if you're unfamiliar with that, reverse WHOIS, there's a ton of these APIs out there and most of them cost money, unfortunately, but the information is invaluable, so that's why.
So what reverse WHOIS is: you can perform a WHOIS on utica.edu and then you can grab email addresses, like the admin and the tech contact and all that, out of that, and also name servers when available in the WHOIS information, and then you can feed it into these reverse WHOIS services and it'll give you all the domains that are registered with those same details. So really, to be able to offer that kind of service you have to really scrape WHOIS, which is really hard unless you can somehow acquire a bulk of the WHOIS information out there. And I tried, and it's not feasible, at least from home. Yeah, so this command finished. It gave us a few other domains that appear to be related. Like we got UC Fishing, Utico College, I guess probably typosquatting there. So yeah, I can show you the WHOIS stuff. So, oh no, too far. -whois, -d utica.edu, and please work. So there's only one service for, oh yes, okay. There's only one service for reverse WHOIS that we support that's free, but it only gives you the top 50 results, and sometimes they get angry and they rate limit, and we don't really handle that exactly yet. So this morning when I was testing this out I got no results for that, but glad that I got results now. So you see here that this gave us a treasure trove of new domains to look at. So then we can throw these back into the enum command and try to get some domains for those. So earlier I picked out a few of what looked like they really owned, because sometimes you can get, especially in this case for a college, you can get student websites, like if they registered with their college email or something. So this list for the WHOIS stuff, you really have to kind of parse through yourself. Or, I mean, sometimes it's really obvious. Sometimes it's not. Yes.
So this is the list I grabbed, and then we're going to do another enumeration feeding that stuff in there. We're doing pretty good. Okay. All right. So now it's in a file, so we can do the -df flag. All right. What else did I want to do? Throw in brute forcing now. I didn't do brute forcing last time. Don't you hate slow SSH connections? All right. So there's some other, like I was talking about the alteration stuff earlier, just very recently I added the ability to, on top of supplying word lists for alterations and brute forcing, you can now throw in hashcat-style masks into those word lists, or you can just throw them on the command line. So we'll do that too. So yeah, if you're unfamiliar with how hashcat masks work, hashcat supports what's called a mask attack, and essentially it allows you to put wildcards into your word lists, where this ?a refers to any character that's possible for DNS, that's like 37 different characters, or you can do ?l for a letter, that's A through Z, or you can do ?d for a digit, 0 through 9. Yeah, I'm just going to do some basic ones, and -wm does it for brute force and then -awm throws it into alterations. Okay. All right. So that's going to think a little bit. So like I said earlier, everything is stored into a graph database, and what's cool about that is that we can support a lot of support functions for that, like tracking, so you can track between different enumerations. So say you ran one last week, you want to run one this week, it'll tell you which ones are found that are new, which ones are modified, so you can see if something's changing IPs. It might be more useful if you're trying to map out a threat actor or something, see if they're trying to move their infrastructure. And there's also visualization.
But another really cool thing that we can do with that is if you have a previous enumeration for a domain in Amass, and then you run a new enumeration, it'll pull all the names that it discovered previously and throw them into the new enumeration right in the beginning. So that adds a little more consistency and it also just speeds it up a little bit. Yeah, how are we doing on time? Yeah, like 15 minutes, right? Yeah. So I guess while that's running, I can talk about the visualization stuff. So this is an enumeration of the owasp.org domain. So this is pretty much exactly how it's stored in the graph database. Yeah, this lets you kind of explore all the relationships between everything. You can see clusters, where you've got owasp.org and then a subdomain would be docs and gapps, and I can see where this is going: mail. So yeah, obviously all that points to Google Apps. You can see that here, where it all eventually goes to IPs, netblocks, and then eventually Google's AS, or one of Google's ASes. But yeah, this is really cool. A lot of times in much larger enumerations, you can discover patterns or see where they're using third parties like I just showed, or you can see acquisitions, where they acquired a company and that'll be a huge cluster a way off, if it hasn't been fully migrated yet into the existing company's infrastructure. And it wiggles. Yeah, it's just a snapshot of the enumeration, but we've definitely explored options of streaming the data so we can get live feeds, especially for larger environments where an enumeration might take days or something. It'd be really cool to have that kind of visibility. Yeah. See if this found anything good. Oh yeah. Yeah, I'm just going to kill this now. So yeah, that was kind of showing you how you can go from a single domain and really iterate on that, and you can go even further as you discover more patterns; you can keep feeding it in.
So now I'm just going to back up and I'll go over some of the configuration options. So this is our example config, and it has, I believe, everything we support. So yeah, active mode, that's grabbing certs and doing zone transfers where possible. By default, active mode is off. There is a passive mode which will just grab the open source intelligence feeds and it won't do any resolution. So the default is kind of in between passive and active, where you're only dealing with the DNS servers and not actually poking the target. So this maximum DNS queries, you can ramp that up pretty high, like 100,000, if you really want to improve the performance. I mean, what this means is it's how many concurrent DNS queries can be performed. It's not how many queries per second. So if you put in 100,000, you're not going to get 100,000 queries per second. It's just how concurrent it is. If you want, you can tell it to give you the unresolvable ones; by default, the enumeration only prints out things that resolve. Yeah, this is the default list of resolvers that it reaches out to, a lot of the common public ones, but you can give it a list of 1,000 or so. I mean, as much as your system can support in terms of file descriptors. What we like to do is grab the public DNS server list and throw it in there. And pretty recently we wrote some code in there to actively determine which servers are giving us bad information or just not responding, because maybe they're rate limiting or stuff. So there's an election set up where each request will try on three different servers, and then if we find that one gives a different result than the other two, it'll score down the one that gave the bad result. And then once it gets below a threshold, we just remove it from the enumeration. It also helps if you don't have any DNS connectivity to any of these servers: it'll tell you pretty instantly now, whereas before it wouldn't.
So yeah, say you're in an assessment and you have some subdomains that you wanted to exclude because they're specifically out of scope, you can do that here too. Or if you're just wary of some of the data sources, like you don't want to reach out to them for whatever reason, you can disable them too. And then the last thing I'm going to go over, oh well, here's all the brute force and alteration settings. I think I'm running out of time pretty soon. But basically, for brute forcing, you can tell it if you want to do recursive brute forcing and how often you want to recurse, or under what circumstances you want to recurse, because sometimes you don't necessarily want to recurse on everything, because that'll generate way too much traffic. You can see here there's a ton of flags for tweaking the alterations, where you can tell it not to add words and not to flip words or flip numbers, which is just an in-place substitution rather than appending or prepending. And for brute force and alterations you can give multiple word lists and it'll de-duplicate them down to a single word list that it'll use. And then finally we have a bunch of commercial APIs that we support, and this is where you put them if you have them. So some really good ones. We have Censys. AlienVault is free. We have PassiveTotal, that's a good one. SecurityTrails, Shodan. Twitter is all right; it searches tweets for subdomains. It's not really that effective, but it's a cool thing to do. Cisco Umbrella and VirusTotal. But yeah, that's about it. Any questions? All right. Oh, you got a question? No. He wants my Shodan API key. So as I mentioned in the beginning, Anthony is one of our contributors. We're always looking for more contributors. This project wouldn't be where it is today without them. And also contributing can mean more than just writing code for this. We have quite a few testers that are constantly helping us improve this project.
We're always looking for people to help us with documentation and things like that, or ways to help people use it better. So if anyone is interested in contributing, please let us know. Join us on our Discord or reach out to us on Twitter and we can discuss it. Yeah. So you asked if you can specify the ports that it reaches out to for certificates and stuff. Yeah. You can, in the config file. Under network settings, there's a port setting and you can give any number of those that you want. We have a couple in there. I think by default we just do 443, right? Yeah. And I think you can do comma separated. Yeah. And on the command line, you can do comma-separated port values, all with that -p (port) option. And this is our GitHub page: OWASP/Amass. It's pretty easy. But yeah, thanks for coming.
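The talk describes two candidate generators without showing their mechanics: hashcat-style masks (`?a` for any DNS-legal character, `?l` for a letter, `?d` for a digit) and the "flip words" alteration that takes a hyphenated label such as www-dev and swaps its first or last word for entries from a word list. The following is an added example written for this page in Go (the language Amass itself is written in); it is not Amass's own code, and the function names, the three-word list and the example.com names are constructed for illustration. It goes slightly beyond the talk in that it rejects candidates that begin or end with a hyphen, which are not valid DNS labels, and reports an unknown mask class as an error instead of silently producing nothing.

```go
package main

import (
	"fmt"
	"strings"
)

// Character classes a hashcat-style mask can expand to, restricted to what a DNS
// label may contain: the "37 characters" of the talk are a-z, 0-9 and '-'.
var maskClasses = map[byte]string{
	'l': "abcdefghijklmnopqrstuvwxyz",
	'd': "0123456789",
	'a': "abcdefghijklmnopqrstuvwxyz0123456789-",
}

// ExpandMask turns a mask such as "api?d" into every concrete label it covers.
// Literal characters are copied through; "?l", "?d" and "?a" expand to their class.
// Candidates that start or end with '-' are dropped because they are not valid labels.
func ExpandMask(mask string) ([]string, error) {
	candidates := []string{""}
	for i := 0; i < len(mask); i++ {
		var alphabet string
		if mask[i] == '?' {
			if i+1 >= len(mask) {
				return nil, fmt.Errorf("mask %q ends with a dangling '?'", mask)
			}
			i++
			cls, ok := maskClasses[mask[i]]
			if !ok {
				return nil, fmt.Errorf("mask %q: unknown class ?%c", mask, mask[i])
			}
			alphabet = cls
		} else {
			alphabet = string(mask[i])
		}
		next := make([]string, 0, len(candidates)*len(alphabet))
		for _, prefix := range candidates {
			for j := 0; j < len(alphabet); j++ {
				next = append(next, prefix+string(alphabet[j]))
			}
		}
		candidates = next
	}
	valid := candidates[:0] // in-place filter over the same backing array
	for _, c := range candidates {
		if !strings.HasPrefix(c, "-") && !strings.HasSuffix(c, "-") {
			valid = append(valid, c)
		}
	}
	return valid, nil
}

// DashWordAlterations is the "flip words" idea from the talk: when the leftmost
// label of a discovered name contains hyphens, its first word and its last word
// are each replaced by every word-list entry, e.g. www-dev -> www-prod, api-dev.
// The original name is never returned and duplicates are collapsed.
func DashWordAlterations(fqdn string, words []string) []string {
	dot := strings.IndexByte(fqdn, '.')
	if dot < 0 {
		return nil
	}
	label, rest := fqdn[:dot], fqdn[dot:]
	parts := strings.Split(label, "-")
	if len(parts) < 2 {
		return nil // no hyphen, nothing to flip
	}
	seen := map[string]bool{fqdn: true}
	var out []string
	add := func(p []string) {
		name := strings.Join(p, "-") + rest
		if !seen[name] {
			seen[name] = true
			out = append(out, name)
		}
	}
	for _, w := range words {
		last := append([]string{}, parts...)
		last[len(last)-1] = w // www-dev -> www-<w>
		add(last)
		first := append([]string{}, parts...)
		first[0] = w // www-dev -> <w>-dev
		add(first)
	}
	return out
}

func main() {
	// Constructed inputs: a short mask and a three-entry word list.
	labels, err := ExpandMask("api?d")
	fmt.Println(labels, err)
	fmt.Println(DashWordAlterations("www-dev.example.com", []string{"dev", "prod", "test"}))
}
```

A real run would feed the generated names into the resolver stage rather than print them; the point here is that mask expansion multiplies quickly (`?l?d` alone is 260 labels, `?a?a?a` is over fifty thousand), which is why the talk pairs these generators with a configurable query concurrency.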
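The resolver "election" described in the configuration section (each query goes to three resolvers, the one that disagrees with the other two is scored down, and a resolver is dropped once its score falls below a threshold) is worth seeing as code, because it is also a useful defensive pattern for any tool that relies on untrusted public resolvers. This is an added example in Go written for this page, not the Amass implementation; the score values, the threshold, the rotation policy, the tiny zone and the resolver names are all constructed assumptions, and the network call is replaced by an in-memory lookup function.

```go
package main

import "fmt"

// Resolver is a simulated DNS resolver. Lookup stands in for the network call:
// it returns an address, the string "NXDOMAIN", or "" for no response (timeout).
type Resolver struct {
	Addr   string
	Score  int
	Lookup func(name string) string
}

const (
	maxScore      = 10 // assumed starting score for every resolver
	dropThreshold = 7  // assumed: below this a resolver leaves the pool
	penalty       = 1  // assumed score deduction per disagreement
)

// Pool holds the resolvers still trusted, plus the addresses already dropped.
type Pool struct {
	Resolvers []*Resolver
	Dropped   []string
	next      int
}

// pickThree rotates through the pool so every resolver takes part in elections.
func (p *Pool) pickThree() []*Resolver {
	n := len(p.Resolvers)
	if n < 3 {
		return nil
	}
	trio := make([]*Resolver, 3)
	for i := range trio {
		trio[i] = p.Resolvers[(p.next+i)%n]
	}
	p.next = (p.next + 1) % n
	return trio
}

// Resolve runs one election. The answer held by at least two of the three
// resolvers wins; the dissenting resolver is scored down and pruned if it falls
// below the threshold. A non-empty quorum is required, so three timeouts (no
// connectivity) or a single lonely answer both return ok=false without blaming
// anyone, since the fault may be on the local side.
func (p *Pool) Resolve(name string) (answer string, ok bool) {
	trio := p.pickThree()
	if trio == nil {
		return "", false
	}
	answers := make([]string, len(trio))
	for i, r := range trio {
		answers[i] = r.Lookup(name)
	}
	for i := range answers {
		votes := 0
		for j := range answers {
			if answers[j] == answers[i] {
				votes++
			}
		}
		if votes >= 2 && answers[i] != "" {
			answer, ok = answers[i], true
			break
		}
	}
	if !ok {
		return "", false
	}
	for i, r := range trio {
		if answers[i] != answer {
			r.Score -= penalty
		}
	}
	p.prune()
	return answer, true
}

// prune removes resolvers whose score has fallen below the threshold.
func (p *Pool) prune() {
	kept := p.Resolvers[:0]
	for _, r := range p.Resolvers {
		if r.Score < dropThreshold {
			p.Dropped = append(p.Dropped, r.Addr)
			continue
		}
		kept = append(kept, r)
	}
	p.Resolvers = kept
}

// DemoPool builds a constructed pool: three honest resolvers serving a tiny zone,
// one that injects a wrong address for everything, and one that never answers.
func DemoPool() *Pool {
	zone := map[string]string{"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.25"}
	honest := func(name string) string {
		if ip, ok := zone[name]; ok {
			return ip
		}
		return "NXDOMAIN"
	}
	liar := func(string) string { return "198.51.100.1" }
	dead := func(string) string { return "" }
	mk := func(addr string, f func(string) string) *Resolver {
		return &Resolver{Addr: addr, Score: maxScore, Lookup: f}
	}
	return &Pool{Resolvers: []*Resolver{
		mk("honest-1", honest), mk("honest-2", honest), mk("liar", liar),
		mk("honest-3", honest), mk("dead", dead),
	}}
}

func main() {
	pool := DemoPool()
	for i := 1; i <= 10; i++ {
		ans, ok := pool.Resolve("www.example.com")
		fmt.Printf("query %2d: answer=%q ok=%v remaining=%d dropped=%v\n",
			i, ans, ok, len(pool.Resolvers), pool.Dropped)
	}
}
```

Running the demo shows the lying resolver dropped first and the silent one shortly after; note that a trio containing both the liar and the dead resolver reaches no quorum and returns no answer rather than trusting the single honest vote, which is the conservative choice for data that later drives brute forcing.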