From 518c266059fe190280c1ca0213c4f7bed87e174a Mon Sep 17 00:00:00 2001
From: carnal0wnage
Date: Thu, 5 Apr 2018 15:40:02 -0400
Subject: [PATCH] more db stuff, log recon results to db
---
 libs/brute.py | 30 ++++++++++++++++++++++++++++++
 libs/sql.py | 12 ++++++++++--
 recon_find_all_permissions.py | 4 +++-
 show_services_by_key.py | 14 ++++++++++++++
 test_insert.py | 4 +++-
 5 files changed, 60 insertions(+), 4 deletions(-)
 create mode 100644 show_services_by_key.py
diff --git a/libs/brute.py b/libs/brute.py
index 859ff7c..dfe1db1 100644
--- a/libs/brute.py
+++ b/libs/brute.py
@@ -1,10 +1,22 @@
 import boto3
 import botocore
+import json
+import logging
 import pprint
 import sys
+import datetime #change as required once we decide time format
+
+from libs.sql import *
+
+
+# we chould probably load this from one place in the future #TODO
+db_name = "weirdAAL.db"
 pp = pprint.PrettyPrinter(indent=5, width=80)
+logging.basicConfig(level=logging.ERROR, format='%(message)s',filename='target.txt', filemode='w')
+
+
 #from http://docs.aws.amazon.com/general/latest/gr/rande.html
 regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'ap-northeast-1', 'ap-northeast-2', 'ap-southeast-1', 'ap-southeast-2', ]
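Review bot: The `logging.basicConfig(..., filename='target.txt', filemode='w')` call added at module level in libs/brute.py runs on every import, so each script that does `from libs.brute import *` truncates `target.txt` in the current directory and points the root logger at it. The next hunk comments out the only `logging.critical` call, so nothing in the visible change writes to that file on purpose, while ERROR-level records from other libraries that propagate to the root logger would land there. I would drop that line together with the unused `import json` and `import logging` until the log format is decided, or move the call into a setup function the scripts invoke explicitly. The relative `db_name = "weirdAAL.db"` is repeated in show_services_by_key.py and test_insert.py; as the TODO says, it belongs in one place, for example next to the credentials in `config`.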
@@ -75,6 +87,24 @@ def generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, ser
 if actions:
 print ("\n[+] {} Actions allowed are [+]" .format(service))
 print (actions)
+ timenow = datetime.datetime.now()
+
+ db_logger = []
+ for action in actions:
+ db_logger.append([service, action, AWS_ACCESS_KEY_ID, timenow])
+ #print (db_logger)
+
+ #scrapped the json logging idea but keeping it here just in case
+ #data = json.dumps({'time' : timenow, 'service' : service, 'actions' : actions, 'target' : 'passed_in_target'})
+ #logging.critical(data)
+
+ #logging to db here
+ try:
+ insert_reconservice_data(db_name, db_logger)
+ except sqlite3.OperationalError as e:
+ print (e)
+ print ("You need to set up the database...exiting")
+ sys.exit()
 print ("\n")
 else:
 print ("\n[-] No {} actions allowed [-]" .format(service))
diff --git a/libs/sql.py b/libs/sql.py
index 782e538..be102f8 100644
--- a/libs/sql.py
+++ b/libs/sql.py
@@ -29,6 +29,7 @@ def create_recon_table(db_name, table_name):
 service text,
 sub_service text,
 AWSKeyID text,
+ checked_at text,
 PRIMARY KEY (ID))""" #FOREIGN KEY (AWSKeyID) references AWSKey(ID))"""
 create_table(db_name,table_name,sql)
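Review bot: The `except sqlite3.OperationalError` clause added to generic_permission_bruteforcer names `sqlite3`, but the import hunk of libs/brute.py adds only `from libs.sql import *`, so the handler resolves only if that star import happens to re-export the module; add an explicit `import sqlite3` at the top of the file. The bare `sys.exit()` after it ends the run with status 0 and treats every OperationalError as a missing database, although a locked file or an older `recon` table without `checked_at` would raise the same exception; `sys.exit(1)` keeps wrappers from reading the failure as success. `timenow` is a naive local `datetime` bound to a column declared `text`; `datetime.datetime.now(datetime.timezone.utc).isoformat()` makes the stored value explicit and does not depend on sqlite3's implicit datetime adapter. Each row ties an access key ID to the actions it is allowed to perform, so the database file deserves the same handling as the credentials in `config`. The function starts above this hunk and its end is not visible here.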
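Review bot: Adding `checked_at text` to the CREATE TABLE statement in create_recon_table changes the schema only for databases created after this commit; nothing visible here migrates an existing `weirdAAL.db`. Against an old file the four-column INSERT introduced in the next hunk would fail with `sqlite3.OperationalError`, which libs/brute.py then reports as "You need to set up the database". A one-off `ALTER TABLE recon ADD COLUMN checked_at text`, or a line in the setup instructions saying the table must be recreated, would cover that case. The start of the function and the `create_table` helper are outside the hunk, so whether setup recreates the table cannot be told from here.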
@@ -50,14 +51,21 @@ def insert_awskey_data(db_name, records):
 query(db_name, sql,record)
 def insert_reconservice_data(db_name, records):
- sql = """INSERT INTO recon(AWSKeyID, service, sub_service) VALUES (?,?,?)"""
+ sql = """INSERT INTO recon(service, sub_service, AWSKeyID, checked_at) VALUES (?,?,?,?)"""
 for record in records:
 query(db_name,sql,record)
+def search_recon_by_key(db_name,AWSKeyID):
+ with sqlite3.connect(db_name) as db:
+ cursor = db.cursor()
+ cursor.execute("""SELECT service,sub_service FROM recon WHERE AWSKeyID=?""",(AWSKeyID,))
+ results = cursor.fetchall()
+ return results
+
 def query(db_name,sql,data):
 with sqlite3.connect(db_name) as db:
 cursor = db.cursor()
- cursor.execute("""PRAGMA foreign_keys = ON""")
+ #cursor.execute("""PRAGMA foreign_keys = ON""")
 cursor.execute(sql,data)
 db.commit()
diff --git a/recon_find_all_permissions.py b/recon_find_all_permissions.py
index ce107c7..448be51 100644
--- a/recon_find_all_permissions.py
+++ b/recon_find_all_permissions.py
@@ -1,7 +1,9 @@
 from libs.brute import *
 from libs.s3 import *
+
 from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
+
 check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_acm_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 #AlexaForBusiness
@@ -15,7 +17,7 @@ brute_autoscaling_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_batch_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_budgets_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 #CostExplorer
-brute_cloud9_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#brute_cloud9_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) Was working now its not
 brute_clouddirectory_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_cloudformation_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_cloudfront_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
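Review bot: insert_reconservice_data in libs/sql.py still goes through `query()`, which opens a connection and commits once per record, so a recon run with many allowed actions performs one transaction per row and leaves a partial result set behind if a later row fails. A single `with sqlite3.connect(db_name) as db: db.executemany(sql, records)` writes the batch atomically. The records are positional and this hunk reorders the columns to `(service, sub_service, AWSKeyID, checked_at)`, so a docstring stating that order would help callers; a three-element record now raises `sqlite3.ProgrammingError`, which the handler added in libs/brute.py does not catch. In search_recon_by_key the `with` block only commits or rolls back and does not close the connection, and the query returns one row per recon run, so `SELECT DISTINCT service,sub_service` may be what the report script wants. The `PRAGMA foreign_keys` line is commented out rather than deleted; with the FOREIGN KEY clause in the schema commented out as well, removing both would be clearer.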
diff --git a/show_services_by_key.py b/show_services_by_key.py
new file mode 100644
index 0000000..e5aa37c
--- /dev/null
+++ b/show_services_by_key.py
@@ -0,0 +1,14 @@
+import sqlite3
+from sqlite3 import Error
+
+from libs.sql import *
+
+from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
+
+
+if __name__ == "__main__":
+ db_name = "weirdAAL.db"
+ results = search_recon_by_key(db_name,AWS_ACCESS_KEY_ID)
+ print("Services enumerated for {}".format(AWS_ACCESS_KEY_ID))
+ for result in results:
+ print("{}:{}".format(result[0],result[1]))
\ No newline at end of file
diff --git a/test_insert.py b/test_insert.py
index aee682a..83c14cf 100644
--- a/test_insert.py
+++ b/test_insert.py
@@ -1,3 +1,4 @@
+import datetime
 import sqlite3
 from sqlite3 import Error
@@ -8,9 +9,10 @@ from libs.sql import *
 if __name__ == "__main__":
 db_name = "weirdAAL.db"
+ timenow = datetime.datetime.now()
 test_aws_key = [("AKIAIOSFODNN7EXAMPLE", "some test shit")]
 insert_awskey_data(db_name,test_aws_key)
- test_service_data = [("AKIAIOSFODNN7EXAMPLE","ec2","DescribeInstances"),("AKIAIOSFODNN7EXAMPLE","ecr","DescribeRepositories")]
+ test_service_data = [("ec2","DescribeInstances","AKIAIOSFODNN7EXAMPLE", timenow),("ecr","DescribeRepositories","AKIAIOSFODNN7EXAMPLE",timenow)]
 insert_reconservice_data(db_name, test_service_data)
\ No newline at end of file
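Review bot: show_services_by_key.py imports `AWS_SECRET_ACCESS_KEY` from `config` but only ever uses the key ID, so a read-only reporting script pulls the secret into its namespace for no reason; `from config import AWS_ACCESS_KEY_ID` is enough. `import sqlite3` and `from sqlite3 import Error` are likewise unused in the 14 added lines. The heading prints the full access key ID, which matters if the output ends up in shared logs or tickets. A short module docstring saying that the script lists the service/action pairs recorded in `weirdAAL.db` for the configured key would document the new entry point.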