Merge branch 'master' into stsroles

create_dbs.py

@@ -6,7 +6,7 @@ import builtins
 import sqlite3
 from sqlite3 import Error
 
-from libs.sql import *
+from libs.aws.sql import *
 
 
 

libs/aws/brute.py

@@ -16,7 +16,7 @@ import pprint
 import sys
 
 
-from libs.sql import *
+from libs.aws.sql import *
 
 pp = pprint.PrettyPrinter(indent=5, width=80)
 

libs/aws/ec2.py

@@ -10,7 +10,7 @@ import pprint
 import sys
 import time
 
-from libs.sql import *
+from libs.aws.sql import *
 
 pp = pprint.PrettyPrinter(indent=5, width=80)
 

libs/aws/sns.py

@@ -11,20 +11,25 @@ regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1', '
 session = boto3.Session()
 credentials = session.get_credentials()
 AWS_ACCESS_KEY_ID = credentials.access_key
+topics_list = {}
 
-def list_sns_topics():
+def list_sns_topics(should_i_print=True):
     title = "SNS Topics"
-    print(title)
-    print("-" * len(title))
+    if should_i_print:
+        print(title)
+        print("-" * len(title))
     try:
         for region in regions:
             client = boto3.client('sns', region_name=region)
             topics = client.list_topics()
-            print(region)
-            print("=" * len(region))
+            if should_i_print:
+                print(region)
+                print("=" * len(region))
             if topics['Topics']:
-                for topic in topics['Topics']:
-                    print(topic)
+                topics_list[region] = topics['Topics']
+                if should_i_print:
+                    for topic in topics['Topics']:
+                        print(topic)
     except botocore.exceptions.ClientError as e:
         if e.response['Error']['Code'] == 'InvalidClientTokenId':
             sys.exit("The AWS KEY IS INVALID. Exiting")
@@ -79,6 +84,20 @@ def delete_sns_topic(topic, region):
     except KeyboardInterrupt:
         print("CTRL-C received, exiting...")
 
+def list_all_sns_subscribers():
+    print("Scanning regions....")
+    list_sns_topics(False)
+    for region,topics in topics_list.items():
+        for topic in topics:
+            region_title = "Region: {}".format(region)
+            print(region_title)
+            print("=" * len(region_title))
+            list_sns_subscribers(topic['TopicArn'],region)
+
+
+
+
+
 def delete_sns_subscriber(endpoint, region):
     try:
         client = boto3.client('sns', region_name=region)
@@ -90,8 +109,8 @@ def delete_sns_subscriber(endpoint, region):
             print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID))
         elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
             print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
-        #elif e.response['Error']['Code'] == 'InvalidParameter':
-        #    print('The region you provided ({}) is invalid for the Subscriber endpoint. Are you sure this subscriber exists in this region?'.format(region))
+        elif e.response['Error']['Code'] == 'InvalidParameter':
+            print('The region you provided ({}) is invalid for the Subscriber endpoint. Are you sure this subscriber exists in this region?'.format(region))
         else:
             print("Unexpected error: {}" .format(e))
     except KeyboardInterrupt:

libs/utils/common.py

@@ -5,8 +5,13 @@ def list_all_files(directory):
 
   array = []
 
-  for file in list_of_files:
-      filename_and_ext = os.path.splitext(file)
-      if (filename_and_ext[1] == ".py") and not (filename_and_ext[0].startswith("__")):
-          array.append(filename_and_ext[0])
+  path ="modules"
+  for (dirpath, dirnames, filenames) in os.walk(path):
+      if ( not (dirpath == os.path.basename(directory)) and
+      (os.path.isdir(dirpath))
+      and not (os.path.basename(dirpath).startswith('__')) ):
+        for file in filenames:
+            list_path_name = dirpath.split('/')
+            if not (file.startswith('.')):
+                array.append(".".join(list_path_name) + "." + os.path.splitext(file)[0])
   return array

modules/aws/aws_lambda.py

@@ -1,7 +1,7 @@
 '''
 This file is used to list lambda functions and event mappings
 '''
-from libs.aws_lambda import *
+from libs.aws.aws_lambda import *
 
 
 def module_lambda_list_functions():

modules/aws/ce.py

@@ -4,7 +4,7 @@ usually have to be root or be specifically assigned the
 permission to get anything from this
 '''
 
-from libs.ce import *
+from libs.aws.ce import *
 
 
 def module_costexplorer_get_cost_and_usage():

modules/aws/cloudfront.py

@@ -2,7 +2,7 @@
 This file is used to perform some EMR actions
 '''
 
-from libs.cloudfront import *
+from libs.aws.cloudfront import *
 
 
 def module_cloudfront_list_distributions():

modules/aws/cloudtrail.py

@@ -1,7 +1,7 @@
 '''
 This file is used to perform cloudtrail actions
 '''
-from libs.cloudtrail import *
+from libs.aws.cloudtrail import *
 
 
 def module_cloudtrail_describe_trails():

modules/aws/cloudwatch.py

@@ -2,7 +2,7 @@
 example calling cloudwatch functions
 decribe alarms, describe alarm history, list metrics
 '''
-from libs.cloudwatch import *
+from libs.aws.cloudwatch import *
 
 
 def module_cloudwatch_describe_alarms():

modules/aws/config.py

@@ -2,7 +2,7 @@
 Module for interacting with the config service
 '''
 
-from libs.config import *
+from libs.aws.config import *
 
 
 def module_config_list_all_rules():

modules/aws/datapipeline.py

@@ -2,7 +2,7 @@
 datapipeline modules
 '''
 
-from libs.datapipeline import *
+from libs.aws.datapipeline import *
 
 
 def module_datapipeline_list_pipelines():

modules/aws/db.py

@@ -6,7 +6,7 @@ import boto3
 import sqlite3
 from sqlite3 import Error
 
-from libs.sql import *
+from libs.aws.sql import *
 
 session = boto3.Session()
 credentials = session.get_credentials()
@@ -21,21 +21,21 @@ def module_show_services_by_key():
     Show services for a given key service:sub_service
     example: elasticbeanstalk:DescribeEvents
     '''
-    results = search_recon_by_key(db_name, AWS_ACCESS_KEY_ID)
+    results = ["{}.{}".format(r[0], r[1]) for r in search_recon_by_key(db_name, AWS_ACCESS_KEY_ID)]
     print("Services enumerated for {}".format(AWS_ACCESS_KEY_ID))
-    for result in results:
-        print("{}:{}".format(result[0], result[1]))
+    for result in sorted(results):
+        print(result)
 
 
 def module_show_services_by_key_with_date():
     '''
     Show services for a given key service:sub_service
-    example: elasticbeanstalk:DescribeEvents
+    example: elasticbeanstalk:DescribeEvents -> Date: 2018-04-18 20:36:41.791780
     '''
-    results = search_recon_by_key(db_name, AWS_ACCESS_KEY_ID)
+    results = [("{}.{}".format(r[0], r[1]), r[2]) for r in search_recon_by_key(db_name, AWS_ACCESS_KEY_ID)]
     print("Services enumerated for {}".format(AWS_ACCESS_KEY_ID))
-    for result in results:
-        print("{}:{} -> Date: {}".format(result[0], result[1], result[2]))
+    for result, date in sorted(results, key=lambda r: r[0]):
+        print("{} -> Date: {}".format(result, date))
 
 # same as show_sevices
 
@@ -45,10 +45,10 @@ def module_list_services_by_key():
     Show services for a given key service:sub_service
     example: elasticbeanstalk:DescribeEvents
     '''
-    results = search_recon_by_key(db_name, AWS_ACCESS_KEY_ID)
+    results = ["{}.{}".format(r[0], r[1]) for r in search_recon_by_key(db_name, AWS_ACCESS_KEY_ID)]
     print("Services enumerated for {}".format(AWS_ACCESS_KEY_ID))
-    for result in results:
-        print("{}:{}".format(result[0], result[1]))
+    for result in sorted(results):
+        print(result)
 
 
 # for a key, what services does it have listed in the DB and the date
@@ -59,7 +59,7 @@ def module_list_services_by_key_with_date():
     Show services for a given key service:sub_service with date
     example: elasticbeanstalk:DescribeEvents -> Date: 2018-04-18 20:36:41.791780
     '''
-    results = search_recon_by_key(db_name, AWS_ACCESS_KEY_ID)
+    results = [("{}.{}".format(r[0], r[1]), r[2]) for r in search_recon_by_key(db_name, AWS_ACCESS_KEY_ID)]
     print("Services enumerated for {}".format(AWS_ACCESS_KEY_ID))
-    for result in results:
-        print("{}:{} -> Date: {}".format(result[0], result[1], result[2]))
+    for result, date in sorted(results, key=lambda r: r[0]):
+        print("{} -> Date: {}".format(result, date))

modules/aws/dynamodb.py

@@ -1,7 +1,7 @@
 '''
 dynamoDB examples
 '''
-from libs.dynamodb import *
+from libs.aws.dynamodb import *
 
 
 def module_dynamodb_list_tables():

modules/aws/dynamodbstreams.py

@@ -1,7 +1,7 @@
 '''
 dynamoDBstreams examples
 '''
-from libs.dynamodbstreams import *
+from libs.aws.dynamodbstreams import *
 
 
 def module_dynamodbstreams_list_streams():

modules/aws/ec2.py

@@ -2,7 +2,7 @@
 This file is used to perform various EC2 operations
 '''
 
-from libs.ec2 import *
+from libs.aws.ec2 import *
 
 
 def module_ec2_describe_instances_basic():

modules/aws/ecr.py

@@ -2,7 +2,7 @@
 ECR functions
 '''
 
-from libs.ecr import *
+from libs.aws.ecr import *
 
 
 def module_ecr_describe_repos():

modules/aws/elasticbeanstalk.py

@@ -1,7 +1,7 @@
 '''
 This file is used to perform some ElasticBeanstalk actions
 '''
-from libs.elasticbeanstalk import *
+from libs.aws.elasticbeanstalk import *
 
 
 '''

modules/aws/emr.py

@@ -2,7 +2,7 @@
 This file is used to perform some EMR actions
 '''
 
-from libs.emr import *
+from libs.aws.emr import *
 
 
 def module_emr_list_clusters():

modules/aws/firehose.py

@@ -1,7 +1,7 @@
 '''
 Firehose functions
 '''
-from libs.firehose import *
+from libs.aws.firehose import *
 
 
 def module_firehose_list_delivery_streams():

modules/aws/iam.py

@@ -2,7 +2,7 @@
 IAM recon functions
 '''
 
-from libs.iam import *
+from libs.aws.iam import *
 
 
 def module_iam_list_groups():

modules/aws/iam_pwn.py

@@ -2,8 +2,8 @@
 Functions specifically related to IAM account takeover if you have root or IAM access gather user info,
 manipulate access keys or passwords, make backdoor account
 '''
-from libs.iam import *
-from libs.sts import *
+from libs.aws.iam import *
+from libs.aws.sts import *
 
 
 def module_iam_get_account_summary():

modules/aws/lightsail.py

@@ -2,7 +2,7 @@
 Module for interacting with the lightsail
 '''
 
-from libs.lightsail import *
+from libs.aws.lightsail import *
 
 
 def module_lightsail_get_instances():

modules/aws/opsworks.py

@@ -1,4 +1,4 @@
-from libs.opsworks import *
+from libs.aws.opsworks import *
 
 
 def module_opsworks_describe_stacks():

modules/aws/pricing.py

@@ -4,7 +4,7 @@ usually have to be root or be specifically assigned the
 permission to get anything from this
 '''
 
-from libs.pricing import *
+from libs.aws.pricing import *
 
 
 def module_pricing_describe_services():

modules/aws/rds.py

@@ -2,7 +2,7 @@
 RDS module
 '''
 
-from libs.rds import *
+from libs.aws.rds import *
 
 
 def module_rds_describe_db_instances():

modules/aws/recon.py

@@ -3,14 +3,14 @@ This module handles the core recon functionality by asking all the services
 that have functions that done have arguments if we can access them :-)
 '''
 
-from libs.brute import *
-from libs.s3 import *
+from libs.aws.brute import *
+from libs.aws.s3 import *
 
 # for recon_defaults
-from libs.elasticbeanstalk import *
-from libs.opsworks import *
-from libs.route53 import *
-from libs.sts import *
+from libs.aws.elasticbeanstalk import *
+from libs.aws.opsworks import *
+from libs.aws.route53 import *
+from libs.aws.sts import *
 
 # maps to available services in boto 1.7.4
 

modules/aws/route53.py

@@ -2,7 +2,7 @@
 route53 functions
 '''
 
-from libs.route53 import *
+from libs.aws.route53 import *
 
 
 def module_route53_list_geolocations():

modules/aws/s3.py

@@ -2,7 +2,7 @@
 S3 module
 '''
 
-from libs.s3 import *
+from libs.aws.s3 import *
 
 
 def module_s3_get_bucket_policy(*args):

modules/aws/ses.py

@@ -2,7 +2,7 @@
 SES module
 '''
 
-from libs.ses import *
+from libs.aws.ses import *
 
 
 def module_ses_list_identities():

modules/aws/sns.py

@@ -2,7 +2,7 @@
 SNS module
 '''
 
-from libs.sns import *
+from libs.aws.sns import *
 
 def module_sns_list_topics():
     '''
@@ -22,6 +22,13 @@ def module_sns_list_subscribers(*args):
     except IndexError:
         print("Please provide a topic arn *AND* region, ex: -a arn:aws:sns:us-east-1:123456789123:sometopic,us-east-1")
 
+def module_sns_list_all_subscribers():
+    '''
+    Rather than listing a single topics subscribers, we'll list all topics and all subscribersself.
+    python3 weirdAAL.py -m sns_list_all_subscribers
+    '''
+    list_all_sns_subscribers()
+
 def module_sns_delete_topic(*args):
     '''
     SNS delete a topic. Takes two arguments - the topic arn and the region.

modules/aws/sqs.py

@@ -2,7 +2,7 @@
 SQS Modules
 '''
 
-from libs.sqs import *
+from libs.aws.sqs import *
 
 
 def module_sqs_list_queues():

modules/aws/sts.py

@@ -2,7 +2,7 @@
 This file is used to perform some EMR actions
 '''
 
-from libs.sts import *
+from libs.aws.sts import *
 
 
 def module_sts_get_accountid():

modules/aws/translate.py

@@ -2,7 +2,7 @@
 Translate module
 '''
 
-from libs.translate import *
+from libs.aws.translate import *
 
 
 def module_translate_translate_text(*text):

requirements.txt

@@ -6,3 +6,4 @@ python-dateutil==2.6.1
 s3transfer==0.1.11
 six==1.11.0
 virtualenv==15.1.0
+tabulate==0.8.2

weirdAAL.py

@@ -13,6 +13,9 @@ from botocore.exceptions import ClientError
 from modules import *
 import sys
 import builtins
+import re
+from tabulate import tabulate
+import textwrap
 
 os.environ['AWS_SHARED_CREDENTIALS_FILE'] = '.env'
 
@@ -24,19 +27,18 @@ for module in all_modules:
     exec("from %s import *" % module)
 
 
+
 parser = argparse.ArgumentParser()
-parser.add_argument("-m", "--module", help="list the module you would like to run", action="store", type=str, required=True)
-parser.add_argument("-t", "--target", help="Give your target a name so we can track results", action="store", type=str, required=True)
+parser.add_argument("-m", "--module", help="list the module you would like to run", action="store", type=str, required=False)
+parser.add_argument("-t", "--target", help="Give your target a name so we can track results", action="store", type=str, required=False)
 parser.add_argument("-a", "--arguments", help="Provide a list of arguments, comma separated. Ex: arg1,arg2,arg3", action="store", type=str, required=False)
-parser.add_argument("-l", "--list", help="list modules", action="store_true")
+parser.add_argument("-l", "--list", help="list modules", required=False, action="store_true")
 parser.add_argument("-v", "--verbosity", help="increase output verbosity", action="store_true")
 args = parser.parse_args()
 
 # Provides us with a global var "db_name" we can access anywhere
 builtins.db_name = "weirdAAL.db"
 
-# Provides us with a global var "target" we can access anywhere
-builtins.target = args.target
 
 def perform_credential_check():
     '''
@@ -62,6 +64,68 @@ def method_create():
         print("That module does not exist")
         exit(1)
 
+builtins.aws_module_methods_info = {}
+builtins.gcp_module_methods_info = {}
+
+def get_methods_for_classname(classname):
+    methods = []
+    all_methods = dir(sys.modules[classname])
+    for meth in all_methods:
+        if meth.startswith("module_"):
+            narg = "{}.__doc__".format(meth)
+            narg = eval(narg)
+            nhash = {}
+            nhash[meth] = narg
+            methods.append(nhash)
+    return methods
+
+
+def make_list_of_methods(cloud_service, mod):
+    meths = get_methods_for_classname(mod)
+    if cloud_service == 'aws':
+        new_mod_name = re.sub("modules.aws.", "", mod)
+        aws_module_methods_info[new_mod_name.upper()] = meths
+    elif cloud_service == 'gcp':
+        new_mod_name = re.sub("modules.gcp.", "", mod)
+        gcp_module_methods_info[new_mod_name.upper()] = meths
+
+
+def make_the_list():
+    for m in sys.modules.keys():
+        if (m.startswith("modules.aws")
+        and not (m == "modules.aws")):
+            make_list_of_methods("aws", m)
+        elif ((m.startswith("modules.gcp"))
+        and not (m == "modules.gcp")):
+            make_list_of_methods("gcp", m)
+
+def normalize_comments(string):
+    string = textwrap.fill(string.strip(), 40)
+    return string
+
+
+def make_tabulate_rows(hash, cloud_provider):
+    entire_contents = []
+    for (key) in hash:
+        for item in hash[key]:
+            for (k,v) in item.items():
+                normalized_comment = normalize_comments(v)
+                entire_contents.append([cloud_provider, key, k, normalized_comment])
+
+    return entire_contents
+
+
+
+def print_the_list():
+    aws_rows = make_tabulate_rows(aws_module_methods_info, 'AWS')
+    gcp_rows = make_tabulate_rows(gcp_module_methods_info, 'GCP')
+    print(tabulate(aws_rows, headers=['Cloud Provider', 'Service', 'Mod', 'Desc']))
+    print(tabulate(gcp_rows, headers=['Cloud Provider', 'Service', 'Mod', 'Desc']))
+
+if (args.list):
+    make_the_list()
+    print_the_list()
+    sys.exit(1)
 
 # Need to figure out if we have keys in the ENV or not
 try:
@@ -70,9 +134,6 @@ except:
     print("Check the above error message and fix to use weirdAAL")
     sys.exit(1)
 
-if (args.list):
-    pass
-
 
 # arg_list has to be defined otherwise will cause an exception
 arg_list = None
@@ -82,12 +143,18 @@ if (args.arguments):
 
 # We need the user to tell us the module they want to proceed on
 if (args.module):
-    arg = method_create()
-    if callable(arg):
-        if arg_list:
-            arg(arg_list)
-        else:
-            arg()
+    if not (args.target):
+        print("Use -t to give your target a name so we can track results!!!")
+        sys.exit(1)
+    else:
+        # Provides us with a global var "target" we can access anywhere
+        builtins.target = args.target
+        arg = method_create()
+        if callable(arg):
+            if arg_list:
+                arg(arg_list)
+            else:
+                arg()
 
 
 # Allow the user to specify verbosity for debugging