find-exposed-resources.sh
This commit is contained in:
parent
7e0bb74f06
commit
a98678255a
|
@ -244,8 +244,11 @@ drwxr-xr-x 3 root root 4096 lis 4 16:18 home
|
|||
|
||||
- **`exfiltrateLambdaTasksDirectory.py`** - Script that creates an in-memory ZIP file from the entire directory `$LAMBDA_TASK_ROOT` (typically `/var/task`) and sends it out in a form of HTTP(S) POST request, within an `exfil` parameter. To be used for exfiltrating AWS Lambda's entire source code.
|
||||
|
||||
- **`find-exposed-resources.sh`** - Utterly simple script enumerating some of the resources that could be publicly shared which would count as a security misconfiguration.
|
||||
|
||||
- **`get-session-creds-in-config-format.sh`** - Calls `aws sts assume-role` using MFA token in order to then retrieve session credentials and reformat it into `~/.aws/credentials` file format. Having that it's easy to copy-and-paste that script's output into credentials file. Then tools such as _s3tk_ that are unable to process MFA tokens may just use preconfigured profile creds.
|
||||
|
||||
- **`identifyS3Bucket.rb`** - This script attempts to identify passed name whether it resolves to a valid AWS S3 Bucket via different means. This script may come handy when revealing S3 buckets hidden behind HTTP proxies.
|
||||
|
||||
- **`pentest-ec2-instance`** - A set of utilities for quick starting, ssh-ing and stopping of a single temporary EC2 instance intended to be used for Web out-of-band tests (SSRF, reverse-shells, dns/http/other daemons).
|
||||
|
||||
|
|
|
@ -0,0 +1,105 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This script attempts quickly enumerate some of the exposed resources
|
||||
# available given a set of AWS credentials.
|
||||
# Based on excellent work of Scott Piper:
|
||||
# https://duo.com/blog/beyond-s3-exposed-resources-on-aws
|
||||
#
|
||||
|
||||
if [ $# -lt 1 ]; then
|
||||
echo "Usage: ./find-exposed-resources.sh <profile-name> [region]"
|
||||
echo ""
|
||||
echo "If region is not specified, will enumerate all regions."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
PROFILE=$1
|
||||
REGION=
|
||||
|
||||
if [[ "$2" != "" ]]; then
|
||||
REGION="$2"
|
||||
fi
|
||||
|
||||
trap ctrl_c INT
|
||||
|
||||
function ctrl_c() {
|
||||
echo "[!] User interrupted script execution."
|
||||
exit 1
|
||||
}
|
||||
|
||||
function _aws() {
|
||||
if [[ "$REGION" != "" ]]; then
|
||||
#echo "aws --region $REGION --profile $PROFILE $@ --no-paginate"
|
||||
aws --region $REGION --profile $PROFILE $@ --no-paginate
|
||||
else
|
||||
#echo "aws --profile $PROFILE $@ --no-paginate"
|
||||
aws --profile $PROFILE $@ --no-paginate
|
||||
fi
|
||||
}
|
||||
|
||||
function ebs_snapshots() {
|
||||
out=$(_aws ec2 describe-snapshots --owner-id self --restorable-by-user-ids all)
|
||||
if ! echo "$out" | grep -q '": \[\]'; then
|
||||
echo "---[ Public EBS Snapshots"
|
||||
echo "$out"
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
function rds_snapshots() {
|
||||
out=$(_aws rds describe-db-snapshots --snapshot-type public)
|
||||
if ! echo "$out" | grep -q '": \[\]'; then
|
||||
echo "---[ Public RDS Snapshots"
|
||||
echo "$out"
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
function ami_images() {
|
||||
out=$(_aws ec2 describe-images --owners self --executable-users all)
|
||||
if ! echo "$out" | grep -q '": \[\]'; then
|
||||
echo "---[ Public RDS Snapshots"
|
||||
echo "$out"
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
function s3_buckets() {
|
||||
echo "---[ Public S3 Buckets"
|
||||
for bucket in $(_aws s3api list-buckets --query 'Buckets[*].Name' --output text)
|
||||
do
|
||||
pub=$(_aws s3api get-bucket-policy-status --bucket $bucket --query 'PolicyStatus.IsPublic' 2> /dev/null || echo 'false')
|
||||
echo -n "IsPublic:"
|
||||
if [[ "$pub" == "true" ]]; then
|
||||
echo -en "\e[91m"
|
||||
else
|
||||
echo -en "\e[34m"
|
||||
fi
|
||||
echo -e "$pub\e[39m - Bucket: \e[93m$bucket\e[39m"
|
||||
done
|
||||
echo
|
||||
}
|
||||
|
||||
regions=$(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text)
|
||||
|
||||
if [[ "$REGION" == "" ]]; then
|
||||
for region in ${regions[@]}
|
||||
do
|
||||
REGION="$region"
|
||||
echo "=================== Region: $region ======================"
|
||||
echo
|
||||
ebs_snapshots
|
||||
rds_snapshots
|
||||
ami_images
|
||||
done
|
||||
echo
|
||||
else
|
||||
echo "=================== Region: $REGION ======================"
|
||||
echo
|
||||
ebs_snapshots
|
||||
rds_snapshots
|
||||
ami_images
|
||||
echo
|
||||
fi
|
||||
|
||||
s3_buckets
|
Loading…
Reference in New Issue