From ece4b759f121409bbe00b8de0e080c75f12cfd97 Mon Sep 17 00:00:00 2001
From: carnal0wnage <chris@carnal0wnage.com>
Date: Sun, 11 Feb 2018 19:14:48 -0500
Subject: [PATCH] recon updates

---
 libs/brute.py                 | 63 ++++++++++++++++++++++++++++++++---
 recon_find_all_permissions.py | 30 +++++++++++++++--
 2 files changed, 86 insertions(+), 7 deletions(-)

diff --git a/libs/brute.py b/libs/brute.py
index aea8a3b..5b0612a 100644
--- a/libs/brute.py
+++ b/libs/brute.py
@@ -1,4 +1,4 @@
- import boto3
+import boto3
 import botocore
 import pprint
 import sys
@@ -117,6 +117,10 @@ def brute_acm_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
             ]
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'acm', tests)
 
+#http://boto3.readthedocs.io/en/latest/reference/services/alexaforbusiness.html
+#TODO
+# search_devices with a filter of * might get it done
+
 #http://boto3.readthedocs.io/en/latest/reference/services/apigateway.html
 def brute_apigateway_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
     print ("### Enumerating APIGateway Permissions ###")
@@ -130,6 +134,10 @@ def brute_apigateway_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
             ]
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'apigateway', tests)
 
+#http://boto3.readthedocs.io/en/latest/reference/services/application-autoscaling.html
+#TODO
+#not seeing any functions that dont take args
+
 #http://boto3.readthedocs.io/en/latest/reference/services/appstream.html
 def brute_appstream_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
     print ("### Enumerating APPStream Permissions ###")
@@ -139,6 +147,10 @@ def brute_appstream_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
             ]
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'appstream', tests)
 
+#http://boto3.readthedocs.io/en/latest/reference/services/appsync.html
+#TODO
+#not seeing any functions that dont take args
+
 #http://boto3.readthedocs.io/en/latest/reference/services/athena.html
 def brute_athena_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
     print ("### Enumerating Athena Permissions ###")
@@ -162,6 +174,9 @@ def brute_autoscaling_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
             ]
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'autoscaling', tests)
 
+#http://boto3.readthedocs.io/en/latest/reference/services/autoscaling-plans.html
+#todo
+
 #http://boto3.readthedocs.io/en/latest/reference/services/batch.html
 def brute_batch_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
     print ("### Enumerating Batch Permissions ###")
@@ -179,6 +194,26 @@ def brute_budgets_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
             ]
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'budgets', tests)
 
+#http://boto3.readthedocs.io/en/latest/reference/services/ce.html
+#TODO
+#http://boto3.readthedocs.io/en/latest/reference/services/ce.html#CostExplorer.Client.get_cost_and_usage
+#shoudl work we just need to generate start and end times each run
+
+#http://boto3.readthedocs.io/en/latest/reference/services/cloud9.html
+def brute_cloud9_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+    print ("### Enumerating Cloud9 Permissions ###")
+    tests = [('ListEnvironments', 'list_environments', (), {}, ),
+            ]
+    return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'cloud9', tests)
+
+#http://boto3.readthedocs.io/en/latest/reference/services/clouddirectory.html
+def brute_clouddirectory_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+    print ("### Enumerating CloudDirectory Permissions ###")
+    tests = [('ListDirectories', 'list_directories', (), {}, ),
+            ]
+    return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'clouddirectory', tests)
+
+
 #http://boto3.readthedocs.io/en/latest/reference/services/cloudformation.html
 def brute_cloudformation_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
     print ("### Enumerating CLoudFormation Permissions ###")
@@ -210,6 +245,9 @@ def brute_cloudhsm_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
              ]
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'cloudhsm', tests)
 
+#http://boto3.readthedocs.io/en/latest/reference/services/cloudhsmv2.html
+#TODO
+
 #http://boto3.readthedocs.io/en/latest/reference/services/cloudsearch.html
 def brute_cloudsearch_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
     print ("### Enumerating CloudSearch Permissions ###")
@@ -218,6 +256,9 @@ def brute_cloudsearch_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
             ]
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'cloudsearch', tests)
 
+#http://boto3.readthedocs.io/en/latest/reference/services/cloudsearchdomain.html
+#TODO
+
 #http://boto3.readthedocs.io/en/latest/reference/services/cloudtrail.html
 def brute_cloudtrail_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
     print ("### Enumerating CloudTrail Permissions ###")
@@ -298,6 +339,9 @@ def brute_cognitosync_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
             ]
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'cognito-sync', tests)
 
+#http://boto3.readthedocs.io/en/latest/reference/services/comprehend.html
+#TODO
+
 #http://boto3.readthedocs.io/en/latest/reference/services/config.html
 def brute_configservice_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
     print ("### Enumerating ConfigService Permissions ###")
@@ -327,6 +371,9 @@ def brute_datapipeline_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
             ]
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'datapipeline', tests)
 
+#http://boto3.readthedocs.io/en/latest/reference/services/dax.html
+#TODO
+
 #http://boto3.readthedocs.io/en/latest/reference/services/devicefarm.html
 #http://docs.aws.amazon.com/general/latest/gr/rande.html#devicefarm_region
 def brute_devicefarm_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
@@ -581,6 +628,9 @@ def brute_glacier_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
             ]
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'glacier', tests)
 
+#http://boto3.readthedocs.io/en/latest/reference/services/glue.html
+#TODO
+
 #http://boto3.readthedocs.io/en/latest/reference/services/greengrass.html
 #If this one doesnt work make sure boto3 is up to date
 def brute_greengrass_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
@@ -894,11 +944,9 @@ def brute_sms_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
     return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'sms', tests)
 
 #http://boto3.readthedocs.io/en/latest/reference/services/snowball.html
-#TODO
 def brute_snowball_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
     print ("### Enumerating Snowball Permissions ###")
-    tests = [('DescribeAddresses', 'describe_addresses', (), {} ),
-             ('GetSnowballUsage', 'get_snowball_usage', (), {} ),
+    tests = [('GetSnowballUsage', 'get_snowball_usage', (), {} ),
              ('ListClusters', 'list_clusters', (), {} ),
              ('ListJobs', 'list_jobs', (), {} ),
             ]
@@ -926,7 +974,12 @@ def brute_sqs_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
 #TODO
 
 #http://boto3.readthedocs.io/en/latest/reference/services/stepfunctions.html
-#TODO
+def brute_stepfunctions_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+    print ("### Enumerating Step Functions (SFN) Permissions ###")
+    tests = [('ListActivities', 'list_activities', (), {} ),
+            ]
+    return generic_permission_bruteforcer(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'stepfunctions', tests)
+
 
 #http://boto3.readthedocs.io/en/latest/reference/services/storagegateway.html
 #TODO
diff --git a/recon_find_all_permissions.py b/recon_find_all_permissions.py
index ab97858..854672c 100644
--- a/recon_find_all_permissions.py
+++ b/recon_find_all_permissions.py
@@ -4,27 +4,40 @@ from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
 
 check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_acm_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#AlexaForBusiness
 brute_apigateway_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#Application Auto Scaling
 brute_appstream_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#AppSync no usable functions
 brute_athena_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_autoscaling_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#AutoScalingPlans
 brute_batch_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_budgets_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
-brute_autoscaling_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#CostExplorer
+brute_cloud9_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_clouddirectory_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_cloudformation_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_cloudfront_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_cloudhsm_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#cloudhsmv2
 brute_cloudsearch_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#CloudSearchDomain
 brute_cloudtrail_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_cloudwatch_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_codebuild_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_codecommit_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_codedeploy_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_codepipeline_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_codestar_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_cognitoidentity_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_cognitoidp_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_cognitosync_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#Comprehend
 brute_configservice_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 #brute_costandusagereportservice_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) #Could not connect to the endpoint URL: "https://cur.us-west-2.amazonaws.com/"
 brute_datapipeline_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#DAX
 brute_devicefarm_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_directconnect_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_applicationdiscoveryservice_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)	
@@ -47,6 +60,7 @@ brute_cloudwatchevents_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_firehose_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_gamelift_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_glacier_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#Glue
 brute_greengrass_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) #in the docs but not in the codebase?
 brute_health_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_iam_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
@@ -68,14 +82,26 @@ brute_organizations_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_polly_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_rds_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_redshift_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
-
+brute_rekognition_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_resourcegroupstaggingapi_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_route53_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_route53domains_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_s3_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_sdb_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_servicecatalog_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_ses_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_shield_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_sms_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_snowball_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+brute_sns_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 brute_sqs_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+
+brute_stepfunctions_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+
 brute_sts_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 
 brute_workspaces_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+#brute_xray_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY #no functions that dont require args
 
 #check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
 #brute_acm_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)