From a98678255a66943c1c2928ec79e4593d919d8b51 Mon Sep 17 00:00:00 2001
From: mgeeky
Date: Thu, 5 Dec 2019 15:41:29 +0100
Subject: [PATCH] find-exposed-resources.sh
---
 clouds/aws/README.md | 3 +
 clouds/aws/find-exposed-resources.sh | 105 +++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100755 clouds/aws/find-exposed-resources.sh
diff --git a/clouds/aws/README.md b/clouds/aws/README.md
index 4d30301..83feee5 100644
--- a/clouds/aws/README.md
+++ b/clouds/aws/README.md
@@ -244,8 +244,11 @@ drwxr-xr-x 3 root root 4096 lis 4 16:18 home
 - **`exfiltrateLambdaTasksDirectory.py`** - Script that creates an in-memory ZIP file from the entire directory `$LAMBDA_TASK_ROOT` (typically `/var/task`) and sends it out in a form of HTTP(S) POST request, within an `exfil` parameter. To be used for exfiltrating AWS Lambda's entire source code.
+- **`find-exposed-resources.sh`** - Utterly simple script enumerating some of the resources that could be publicly shared which would count as a security misconfiguration.
+
 - **`get-session-creds-in-config-format.sh`** - Calls `aws sts assume-role` using MFA token in order to then retrieve session credentials and reformat it into `~/.aws/credentials` file format. Having that it's easy to copy-and-paste that script's output into credentials file. Then tools such as _s3tk_ that are unable to process MFA tokens may just use preconfigured profile creds.
 - **`identifyS3Bucket.rb`** - This script attempts to identify passed name whether it resolves to a valid AWS S3 Bucket via different means. This script may come handy when revealing S3 buckets hidden behind HTTP proxies.
 - **`pentest-ec2-instance`** - A set of utilities for quick starting, ssh-ing and stopping of a single temporary EC2 instance intended to be used for Web out-of-band tests (SSRF, reverse-shells, dns/http/other daemons).
+
diff --git a/clouds/aws/find-exposed-resources.sh b/clouds/aws/find-exposed-resources.sh
new file mode 100755
index 0000000..f92a90b
--- /dev/null
+++ b/clouds/aws/find-exposed-resources.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+#
+# This script attempts quickly enumerate some of the exposed resources
+# available given a set of AWS credentials.
+# Based on excellent work of Scott Piper:
+# https://duo.com/blog/beyond-s3-exposed-resources-on-aws
+#
+
+if [ $# -lt 1 ]; then
+ echo "Usage: ./find-exposed-resources.sh [region]"
+ echo ""
+ echo "If region is not specified, will enumerate all regions."
+ exit 1
+fi
+
+PROFILE=$1
+REGION=
+
+if [[ "$2" != "" ]]; then
+ REGION="$2"
+fi
+
+trap ctrl_c INT
+
+function ctrl_c() {
+ echo "[!] User interrupted script execution."
+ exit 1
+}
+
+function _aws() {
+ if [[ "$REGION" != "" ]]; then
+ #echo "aws --region $REGION --profile $PROFILE $@ --no-paginate"
+ aws --region $REGION --profile $PROFILE $@ --no-paginate
+ else
+ #echo "aws --profile $PROFILE $@ --no-paginate"
+ aws --profile $PROFILE $@ --no-paginate
+ fi
+}
+
+function ebs_snapshots() {
+ out=$(_aws ec2 describe-snapshots --owner-id self --restorable-by-user-ids all)
+ if ! echo "$out" | grep -q '": \[\]'; then
+ echo "---[ Public EBS Snapshots"
+ echo "$out"
+ echo
+ fi
+}
+
+function rds_snapshots() {
+ out=$(_aws rds describe-db-snapshots --snapshot-type public)
+ if ! echo "$out" | grep -q '": \[\]'; then
+ echo "---[ Public RDS Snapshots"
+ echo "$out"
+ echo
+ fi
+}
+
+function ami_images() {
+ out=$(_aws ec2 describe-images --owners self --executable-users all)
+ if ! echo "$out" | grep -q '": \[\]'; then
+ echo "---[ Public RDS Snapshots"
+ echo "$out"
+ echo
+ fi
+}
+
+function s3_buckets() {
+ echo "---[ Public S3 Buckets"
+ for bucket in $(_aws s3api list-buckets --query 'Buckets[*].Name' --output text)
+ do
+ pub=$(_aws s3api get-bucket-policy-status --bucket $bucket --query 'PolicyStatus.IsPublic' 2> /dev/null || echo 'false')
+ echo -n "IsPublic:"
+ if [[ "$pub" == "true" ]]; then
+ echo -en "\e[91m"
+ else
+ echo -en "\e[34m"
+ fi
+ echo -e "$pub\e[39m - Bucket: \e[93m$bucket\e[39m"
+ done
+ echo
+}
+
+regions=$(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text)
+
+if [[ "$REGION" == "" ]]; then
+ for region in ${regions[@]}
+ do
+ REGION="$region"
+ echo "=================== Region: $region ======================"
+ echo
+ ebs_snapshots
+ rds_snapshots
+ ami_images
+ done
+ echo
+else
+ echo "=================== Region: $REGION ======================"
+ echo
+ ebs_snapshots
+ rds_snapshots
+ ami_images
+ echo
+fi
+
+s3_buckets
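Review bot: A failed API call is reported as a finding: in `ebs_snapshots`, `rds_snapshots` and `ami_images` an error from `_aws` (access denied, region not enabled for the account) leaves `$out` empty, the `grep -q '": \[\]'` test then fails, and the `---[ Public ...` header is printed above empty output; capture the status first, e.g. `out=$(_aws ec2 describe-snapshots --owner-id self --restorable-by-user-ids all) || { echo "[-] describe-snapshots failed in region $REGION" >&2; return; }`, and likewise in the other two functions. `ami_images` also prints the copy-pasted header `echo "---[ Public RDS Snapshots"`; it should read `echo "---[ Public AMI Images"`. In `_aws` the unquoted `$@`, `$REGION` and `$PROFILE` should be `"$@"`, `"$REGION"` and `"$PROFILE"` so arguments such as `--query 'Buckets[*].Name'` reach the CLI without word splitting or glob expansion. The `s3_buckets` check reflects only the bucket policy, and the `|| echo 'false'` fallback on the `pub=` line turns every error (in practice also a bucket with no policy at all) into "not public", so a bucket opened through its ACL is not detected; a comment such as `# policy status only - ACL-based public access is not covered` on that line would make the limitation explicit.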