From 0cd2b3735ee7c89ca09fa8add8f1c2a1423dd927 Mon Sep 17 00:00:00 2001
From: carnal0wnage
Date: Mon, 19 Jun 2017 07:57:31 -0400
Subject: [PATCH] updates
---
 brute/brute.py | 51 +++++++++++++++++++++++++----------
 ec2/ec2.py | 3 +--
 recon_find_all_permissions.py | 9 +++----
 3 files changed, 42 insertions(+), 21 deletions(-)
diff --git a/brute/brute.py b/brute/brute.py
index dd83f6b..11494d6 100644
--- a/brute/brute.py
+++ b/brute/brute.py
@@ -786,7 +786,15 @@ def brute_redshift_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
 #TODO
 #http://boto3.readthedocs.io/en/latest/reference/services/route53.html
-#TODO
+def brute_route53_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+ print ("### Enumerating Route53 Permissions ###")
+ tests = [('ListHostedZones', 'list_hosted_zones', (), {}),
+ ('ListHostedZonesByName', 'list_hosted_zones_by_name', (), {}),
+ ('ListGeoLocations', 'list_geo_locations', (), {}),
+ ('ListHealthChecks', 'list_health_checks', (), {}),
+ ('ListTrafficPolicies', 'list_traffic_policies', (), {}),
+ ]
+ return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'route53', tests)
 #http://boto3.readthedocs.io/en/latest/reference/services/route53domains.html
 #TODO
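Review bot: brute_route53_permissions has no docstring, and nothing in the hunk says what the four fields of each `tests` tuple mean, so a reader has to look up generic_permission_bruteforcer (defined outside this hunk) to understand the list. I would add a one-line docstring such as `"""Probe parameterless Route53 read calls with the given key and return the result of generic_permission_bruteforcer."""` and a comment above the list, `# (API operation name, boto3 client method, positional args, keyword args)`; the tuple layout is inferred from the values shown, so confirm it against the helper. The docstring is also the place to state that each entry appears to be a live API call made with the supplied key, so a run leaves API activity in the account's audit logs. The same gap applies to brute_sdb_permissions, brute_ses_permissions, brute_workspaces_permissions and brute_xray_permissions in the later hunks of this file.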
@@ -795,13 +803,23 @@ def brute_redshift_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
 #TODO
 #http://boto3.readthedocs.io/en/latest/reference/services/sdb.html
-#TODO
+def brute_sdb_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+ print ("### Enumerating SimpleDB Permissions ###")
+ tests = [('ListDomains', 'list_domains', (), {}),
+ ]
+ return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'sdb', tests)
 #http://boto3.readthedocs.io/en/latest/reference/services/servicecatalog.html
 #TODO
 #http://boto3.readthedocs.io/en/latest/reference/services/ses.html
-#TODO
+def brute_ses_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+ print ("### Enumerating Simple Email Service (SES) Permissions ###")
+ tests = [('ListIdentities', 'list_identities', (), {}),
+ ('GetSendStatistics', 'get_send_statistics', (), {}),
+ ('ListConfigurationSets', 'list_configuration_sets', (), {}),
+ ]
+ return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'ses', tests)
 #http://boto3.readthedocs.io/en/latest/reference/services/shield.html
 #TODO
@@ -816,10 +834,10 @@ def brute_redshift_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
 #TODO
 #http://boto3.readthedocs.io/en/latest/reference/services/sqs.html
-#TODO
 def brute_sqs_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
 print ("### Enumerating Simple Queue Service (SQS) Permissions ###")
- tests = [('ListQueues', 'list_queues', (), {}),]
+ tests = [('ListQueues', 'list_queues', (), {}),
+ ]
 return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'sqs', tests)
 #http://boto3.readthedocs.io/en/latest/reference/services/ssm.html
@@ -854,14 +872,19 @@ def brute_sts_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
 #TODO
 #http://boto3.readthedocs.io/en/latest/reference/services/workspaces.html
-#TODO
+def brute_workspaces_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+ print ("### Enumerating WorkSpaces Permissions ###")
+ tests = [('DescribeWorkspaceBundles', 'describe_workspace_bundles', (), {} ),
+ ('DescribeWorkspaceDirectories', 'describe_workspace_directories', (), {} ),
+ ('DescribeWorkspaces', 'describe_workspaces', (), {} ),
+ ('DescribeWorkspacesConnectionStatus', 'describe_workspaces_connection_status', (), {} ),
+ ]
+ return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'workspaces', tests)
 #http://boto3.readthedocs.io/en/latest/reference/services/xray.html
-#TODO
-
-
-
-
-
-
-
+#NO functions that dont take any arguements
+def brute_xray_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+ print ("### Enumerating X-Ray Permissions ###")
+ tests = [('GetTraceSummaries', 'get_trace_summaries', (), {}), #requires start/end times
+ ]
+ return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'xray', tests)
diff --git a/ec2/ec2.py b/ec2/ec2.py
index 39573d3..3a9be5f 100644
--- a/ec2/ec2.py
+++ b/ec2/ec2.py
@@ -9,8 +9,7 @@ pp = pprint.PrettyPrinter(indent=5, width=80)
 #from http://docs.aws.amazon.com/general/latest/gr/rande.html
 regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'ap-northeast-1', 'ap-northeast-2', 'ap-southeast-1', 'ap-southeast-2', ]
-# right now this will print a file with nothing if bad key, should fix at some point --otherwise can assume its a valid key
-# we are past the enumeration stage at this point
+# we are past the enumeration stage at this point assume you have key that works
 def review_encrypted_volumes(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
 print("Reviewing EC2 Volumes... This may take a few....")
 not_encrypted = []
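Review bot: The only entry in brute_xray_permissions' `tests` list calls `get_trace_summaries` with `(), {}`, yet the inline comment on that same line says the call requires start/end times. As written the call should fail parameter validation, so its outcome says nothing about whether the key holds the permission. How that failure is reported depends on generic_permission_bruteforcer, which is outside this hunk; if it counts any exception as a denial, the X-Ray result is a false negative in the report. Either fill the keyword-args slot with the required window, e.g. `{'StartTime': start, 'EndTime': end}`, or leave the service as `#TODO` until a usable call is chosen. The comment `#NO functions that dont take any arguements` would also read better as `# X-Ray has no read calls that work without arguments`.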
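Review bot: In ec2/ec2.py the replacement comment above review_encrypted_volumes removes the only record that a rejected key produces an empty output file, and nothing visible in this hunk changes that behaviour. An empty result from an encryption review reads as "no unencrypted volumes found", so a credential failure would look like a clean finding. Until the function validates the key itself, keep the caveat, e.g. `# NOTE: a bad key still yields an empty report; do not read an empty file as "all volumes encrypted"`, or fail early with an identity check such as `boto3.client('sts', ...).get_caller_identity()` before scanning regions. The function body continues past the end of the hunk, so whether it already handles the error cannot be confirmed from here.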
diff --git a/recon_find_all_permissions.py b/recon_find_all_permissions.py
index 8a44d5c..3d42703 100644
--- a/recon_find_all_permissions.py
+++ b/recon_find_all_permissions.py
@@ -10,15 +10,11 @@ import pprint
 pp = pprint.PrettyPrinter(indent=5, width=80)
 from brute.brute import *
+from s3.s3 import *
 #insert AWS key, will figure out how to pull this in from a single file for all scripts
-
-
-
-
-
 check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 #brute_acm_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 #brute_apigateway_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
@@ -91,3 +87,6 @@ brute_route53_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 #brute_sts_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_workspaces_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+
+#S3 bucket's while we are here...
+get_s3objects_for_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
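Review bot: `from s3.s3 import *` in the first hunk is a second wildcard import stacked on `from brute.brute import *`, so any name defined in both modules is silently replaced by the s3 version and the call sites give no hint which module they come from. Only one s3 function is used in the visible hunks, so `from s3.s3 import get_s3objects_for_account` is enough. Separately, the `#insert AWS key` context line suggests the access key and secret are pasted into this tracked script. Reading them from the environment or from boto3's default credential chain would keep secrets out of the working tree and out of accidental commits.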
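Review bot: The `get_s3objects_for_account(...)` call added in the last hunk runs unconditionally at module level in a script whose name and other calls are about permission checks. Going by its name it collects bucket object listings, which touches customer data and is a wider action than the probes above it. I would put it behind an explicit opt-in, such as a command-line flag or its own script, so the operator decides when object listings are gathered and the engagement record shows it. No `if __name__ == "__main__":` guard is visible in these hunks, so importing the module may trigger every call; confirm this against the full file. Minor: the comment should read `#S3 buckets while we are here...`.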