more s3
This commit is contained in:
carnal0wnage
154
libs/s3.py
Normal file
154
libs/s3.py
Normal file
@@ -0,0 +1,154 @@
|
|||||||
|
'''
|
||||||
|
S3 Library
|
||||||
|
'''
|
||||||
|
|
||||||
|
import boto3
|
||||||
|
import botocore
|
||||||
|
import pprint
|
||||||
|
|
||||||
|
pp = pprint.PrettyPrinter(indent=5, width=80)
|
||||||
|
|
||||||
|
def get_s3bucket_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket):
|
||||||
|
client = boto3.client(
|
||||||
|
's3',
|
||||||
|
aws_access_key_id=AWS_ACCESS_KEY_ID,
|
||||||
|
aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
|
||||||
|
region_name='us-east-1'
|
||||||
|
)
|
||||||
|
|
||||||
|
try:
|
||||||
|
bucket = bucket
|
||||||
|
print('\n#### Trying to enumate s3 buckets and bucket policy & ACL for {} ####' .format(bucket))
|
||||||
|
|
||||||
|
try:
|
||||||
|
for key in client.list_objects(Bucket=bucket,MaxKeys=100)['Contents']:
|
||||||
|
print('[+] '+ key['Key'].encode('utf-8').strip())
|
||||||
|
#print(key['Key']) #first 100 results
|
||||||
|
except KeyError as e:
|
||||||
|
print "KeyError havent tracked down reason yet"
|
||||||
|
except botocore.exceptions.ClientError as e:
|
||||||
|
if e.response['Error']['Code'] == 'AccessDenied':
|
||||||
|
print('{} : cant list s3 bucket [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
|
||||||
|
print('%s: Has No S3 Policy!' % bucket['Name'])
|
||||||
|
elif e.response['Error']['Code'] == 'AllAccessDisabled':
|
||||||
|
print('{} : cant list s3 bucket [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
else:
|
||||||
|
print "Unexpected error: {}" .format(e)
|
||||||
|
|
||||||
|
try:
|
||||||
|
policy = client.get_bucket_policy(Bucket=bucket)
|
||||||
|
if policy:
|
||||||
|
print(bucket + " Policy: ")
|
||||||
|
pp.pprint(policy['Policy'])
|
||||||
|
print("\n")
|
||||||
|
else:
|
||||||
|
pass
|
||||||
|
except botocore.exceptions.ClientError as e:
|
||||||
|
if e.response['Error']['Code'] == 'AccessDenied':
|
||||||
|
print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
|
||||||
|
print('{}: Has No S3 Policy!' .format(bucket))
|
||||||
|
print("\n")
|
||||||
|
elif e.response['Error']['Code'] == 'AllAccessDisabled':
|
||||||
|
print('{} : cant list s3 bucket policy [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
else:
|
||||||
|
print "Unexpected error: {}" .format(e)
|
||||||
|
|
||||||
|
try:
|
||||||
|
acl = client.get_bucket_acl(Bucket=bucket)
|
||||||
|
if acl:
|
||||||
|
print(bucket + " Grants: ")
|
||||||
|
pp.pprint(acl['Grants'])
|
||||||
|
print("\n")
|
||||||
|
else:
|
||||||
|
pass
|
||||||
|
except botocore.exceptions.ClientError as e:
|
||||||
|
if e.response['Error']['Code'] == 'AccessDenied':
|
||||||
|
print('{} : cant list s3 bucket acl [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
|
||||||
|
print('{}: Has No S3 Policy!' .format(bucket))
|
||||||
|
print("\n")
|
||||||
|
elif e.response['Error']['Code'] == 'AllAccessDisabled':
|
||||||
|
print('{} : cant list s3 bucket acl [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
else:
|
||||||
|
print "Unexpected error: {}" .format(e)
|
||||||
|
|
||||||
|
except botocore.exceptions.ClientError as e:
|
||||||
|
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||||
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
||||||
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
||||||
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
else:
|
||||||
|
print "Unexpected error: {}" .format(e)
|
||||||
|
|
||||||
|
#specifically get the acl on a file in a buckeet
|
||||||
|
def get_s3object_acl(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket, myfile):
|
||||||
|
client = boto3.client(
|
||||||
|
's3',
|
||||||
|
aws_access_key_id=AWS_ACCESS_KEY_ID,
|
||||||
|
aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
|
||||||
|
region_name='us-east-1'
|
||||||
|
)
|
||||||
|
|
||||||
|
try:
|
||||||
|
bucket = bucket
|
||||||
|
myobject = myfile
|
||||||
|
print('#### Trying to enumate s3 ACL for {}:{} ####\n '.format(bucket, myfile))
|
||||||
|
acl = client.get_object_acl(Bucket=bucket,Key=myfile)
|
||||||
|
print acl
|
||||||
|
|
||||||
|
except botocore.exceptions.ClientError as e:
|
||||||
|
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||||
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
||||||
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
||||||
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
else:
|
||||||
|
print "Unexpected error: {}" .format(e)
|
||||||
|
|
||||||
|
#given an aws keypair what s3 assets does it have permission to
|
||||||
|
def get_s3objects_for_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||||
|
client = boto3.resource(
|
||||||
|
's3',
|
||||||
|
aws_access_key_id=AWS_ACCESS_KEY_ID,
|
||||||
|
aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
|
||||||
|
region_name='us-east-1'
|
||||||
|
)
|
||||||
|
|
||||||
|
try:
|
||||||
|
print('#### Trying to list s3 bucketsfor {} ####\n '.format(AWS_ACCESS_KEY_ID))
|
||||||
|
for bucket in client.buckets.all():
|
||||||
|
print(bucket.name)
|
||||||
|
|
||||||
|
except botocore.exceptions.ClientError as e:
|
||||||
|
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||||
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
||||||
|
elif e.response['Error']['Code'] == 'AccessDenied':
|
||||||
|
print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
||||||
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
else:
|
||||||
|
print "Unexpected error: {}" .format(e)
|
||||||
|
|
||||||
|
|
||||||
|
def get_s3objects_for_account_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||||
|
client = boto3.resource(
|
||||||
|
's3',
|
||||||
|
aws_access_key_id=AWS_ACCESS_KEY_ID,
|
||||||
|
aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
|
||||||
|
region_name='us-east-1'
|
||||||
|
)
|
||||||
|
|
||||||
|
try:
|
||||||
|
print('#### Trying to list s3 bucketsfor {} ####\n '.format(AWS_ACCESS_KEY_ID))
|
||||||
|
for bucket in client.buckets.all():
|
||||||
|
print(bucket.name)
|
||||||
|
get_s3bucket_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,bucket.name)
|
||||||
|
|
||||||
|
except botocore.exceptions.ClientError as e:
|
||||||
|
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||||
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
||||||
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
||||||
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
||||||
|
else:
|
||||||
|
print "Unexpected error: {}" .format(e)
|
||||||
@@ -9,7 +9,7 @@ import pprint
|
|||||||
|
|
||||||
pp = pprint.PrettyPrinter(indent=5, width=80)
|
pp = pprint.PrettyPrinter(indent=5, width=80)
|
||||||
|
|
||||||
from s3.s3 import *
|
from libs.s3 import *
|
||||||
|
|
||||||
#insert AWS key, will figure out how to pull this in from a single file for all scripts
|
#insert AWS key, will figure out how to pull this in from a single file for all scripts
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,7 @@ import pprint
|
|||||||
|
|
||||||
pp = pprint.PrettyPrinter(indent=5, width=80)
|
pp = pprint.PrettyPrinter(indent=5, width=80)
|
||||||
|
|
||||||
from s3.s3 import *
|
from libs.s3 import *
|
||||||
|
|
||||||
AWS_ACCESS_KEY_ID = ''
|
AWS_ACCESS_KEY_ID = ''
|
||||||
AWS_SECRET_ACCESS_KEY =''
|
AWS_SECRET_ACCESS_KEY =''
|
||||||
|
|||||||
@@ -9,7 +9,7 @@ import pprint
|
|||||||
|
|
||||||
pp = pprint.PrettyPrinter(indent=5, width=80)
|
pp = pprint.PrettyPrinter(indent=5, width=80)
|
||||||
|
|
||||||
from s3.s3 import *
|
from libs.s3 import *
|
||||||
|
|
||||||
#insert AWS key, will figure out how to pull this in from a single file for all scripts
|
#insert AWS key, will figure out how to pull this in from a single file for all scripts
|
||||||
|
|
||||||
@@ -17,5 +17,4 @@ from s3.s3 import *
|
|||||||
#AWS_SECRET_ACCESS_KEY =''
|
#AWS_SECRET_ACCESS_KEY =''
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
get_s3objects_for_account_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
|
get_s3objects_for_account_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
|
||||||
@@ -9,7 +9,7 @@ import pprint
|
|||||||
|
|
||||||
pp = pprint.PrettyPrinter(indent=5, width=80)
|
pp = pprint.PrettyPrinter(indent=5, width=80)
|
||||||
|
|
||||||
from s3.s3 import *
|
from libs.s3 import *
|
||||||
|
|
||||||
#insert AWS key, will figure out how to pull this in from a single file for all scripts
|
#insert AWS key, will figure out how to pull this in from a single file for all scripts
|
||||||
|
|
||||||
@@ -17,7 +17,4 @@ AWS_ACCESS_KEY_ID = ''
|
|||||||
AWS_SECRET_ACCESS_KEY =''
|
AWS_SECRET_ACCESS_KEY =''
|
||||||
|
|
||||||
|
|
||||||
#client = boto3.resource('s3')
|
|
||||||
#for bucket in client.buckets.all():
|
|
||||||
# print(bucket.name)
|
|
||||||
get_s3objects_for_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
|
get_s3objects_for_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
|
||||||
Reference in New Issue
Block a user