diff --git a/brute/brute.py b/brute/brute.py new file mode 100644 index 0000000..ce65263 --- /dev/null +++ b/brute/brute.py @@ -0,0 +1,75 @@ +import boto3 +import botocore +import pprint + +pp = pprint.PrettyPrinter(indent=5, width=80) + + + +#bruteforce EC2 access + +#from http://docs.aws.amazon.com/general/latest/gr/rande.html +regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'ap-northeast-1', 'ap-northeast-2', 'ap-southeast-1', 'ap-southeast-2', ] + +def generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, tests): + actions = [] + try: + client = boto3.client('ec2', aws_access_key_id = AWS_ACCESS_KEY_ID, aws_secret_access_key = AWS_SECRET_ACCESS_KEY, region_name='ap-southeast-1') + except Exception as e: + print('Failed to connect: "{}"' .format(e.error_message)) + return actions + + actions = generic_method_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, tests) + if actions: + print "\nActions allowed are:" + print actions + + return actions + +def generic_method_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, tests): + actions = [] + client = boto3.client('ec2', aws_access_key_id = AWS_ACCESS_KEY_ID, aws_secret_access_key = AWS_SECRET_ACCESS_KEY, region_name='ap-southeast-1') + for api_action, method_name, args, kwargs in tests: + try: + method = getattr(client, method_name) + method(*args, **kwargs) + #print method --wont return anything on dryrun + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'DryRunOperation': + print('{} IS allowed' .format(api_action)) + actions.append(api_action) + else: + print e + else: + print('{} IS allowed' .format(api_action)) + actions.append(api_action) + return actions + +#http://boto3.readthedocs.io/en/latest/reference/services/ec2.html#client +def brute_ec2_perms(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): + print ("### Enumerating EC2 Permissions ###") + perms =[] + tests = [('DescribeInstances', 'describe_instances', (), {'DryRun':True}, ), + ('DescribeInstanceStatus', 'describe_instance_status', (), {'DryRun':True}, ), + ('DescribeImages', 'describe_images', (), {'DryRun':True, 'Owners': ['self',]} ), + ('DescribeVolumes', 'describe_volumes', (), {'DryRun':True}, ), + ('DescribeSnapshots', 'describe_snapshots', (), {'DryRun':True, 'OwnerIds': ['self',]} ), + ('DescribeAccountAttributes', 'describe_account_attributes', (), {'DryRun':True}, ), + ('DescribeAccounts', 'describe_addresses', (), {'DryRun':True}, ), + ('DescribeAddresses','describe_addresses', (), {'DryRun':True}, ), + ('DescribeAvailabilityZones', 'describe_availability_zones', (), {'DryRun':True}, ), + ('DescribeBundleTasks', 'describe_bundle_tasks', (), {'DryRun':True}, ), + ('DescribeClassicLinkInstances','describe_classic_link_instances', (), {'DryRun':True}, ), + ('DescribeConversionTasks', 'describe_conversion_tasks', (), {'DryRun':True}, ), + ('DescribeCustomerGateways', 'describe_customer_gateways', (), {'DryRun':True}, ), + ('DescribeDhcpOptions', 'describe_dhcp_options', (), {'DryRun':True}, ), + ('DescribeEgressOnlyInternetGateways','describe_egress_only_internet_gateways', (), {'DryRun':True}, ), + + + #('', '', (), {'DryRun':True}, ), + ] + return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, tests) + + +brute_ec2_perms(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) +