update ec2 lib to do an userdata instance attribute check

libs/aws/ec2.py

@@ -438,9 +438,9 @@ def get_instance_volume_details2():
         print("CTRL-C received, exiting...")
 
 
-def describe_elastic_addresses():
+def describe_addresses():
     '''
-    Describe EC2 elastic addresses (loop through all regions)
+    Describe EC2 addresses (loop through all regions)
     '''
     try:
         for region in regions:
@@ -472,45 +472,6 @@ def describe_elastic_addresses():
     except KeyboardInterrupt:
         print("CTRL-C received, exiting...")
 
-def describe_publicips():
-    '''
-    Describe EC2 Public IPs (loop through all regions)
-    '''
-    try:
-        for region in regions:
-            try:
-                client = boto3.client('ec2', region_name=region)
-                response = client.describe_network_interfaces()
-                # print(response)
-            except botocore.exceptions.ClientError as e:
-                if e.response['Error']['Code'] == 'UnauthorizedOperation':
-                    print('{} : (UnauthorizedOperation) when calling describe_network_interfaces -- sure you have required ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
-                    sys.exit()
-                else:
-                    print(e)
-            if response.get('NetworkInterfaces') is None:
-                print("{} likely does not have EC2 permissions\n" .format(AWS_ACCESS_KEY_ID))
-            elif len(response['NetworkInterfaces']) <= 0:
-                print("[-] DescribeNetworkInterfaces allowed for {} but no results [-]" .format(region))
-            else:
-                # print(response)
-                print("[+] Listing Public IPs for region: {} [+]" .format(region))
-                for r in response['NetworkInterfaces']:
-                    if 'Association' in r:
-                        pp.pprint(r['Association']['PublicIp'])
-                    else:
-                        #pp.pprint(r)
-                        next
-    except botocore.exceptions.ClientError as e:
-        if e.response['Error']['Code'] == 'UnauthorizedOperation':
-            print('{} : (UnauthorizedOperation) when calling the describe_network_interfaces-- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
-        elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
-            print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
-        else:
-            print(e)
-    except KeyboardInterrupt:
-        print("CTRL-C received, exiting...")
-
 
 def describe_network_interfaces():
     '''
@@ -524,7 +485,7 @@ def describe_network_interfaces():
                 # print(response)
             except botocore.exceptions.ClientError as e:
                 if e.response['Error']['Code'] == 'UnauthorizedOperation':
-                    print('{} : (UnauthorizedOperation) when calling describe_network_interfaces -- sure you have required ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
+                    print('{} : (UnauthorizedOperation) when calling get_console_screenshot -- sure you have required ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
                     sys.exit()
                 else:
                     print(e)
@@ -539,7 +500,7 @@ def describe_network_interfaces():
                     pp.pprint(r)
     except botocore.exceptions.ClientError as e:
         if e.response['Error']['Code'] == 'UnauthorizedOperation':
-            print('{} : (UnauthorizedOperation) when calling the describe_network_interfaces -- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
+            print('{} : (UnauthorizedOperation) when calling the DescribeInstances-- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
         elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
             print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
         else:

libs/gcp/gcp_bigquery.py

@@ -0,0 +1,28 @@
+'''
+GCP BigQuery functions for WeirdAAL
+'''
+
+import google.auth
+import googleapiclient.discovery
+import os
+import sys
+
+from google.oauth2 import service_account
+
+from googleapiclient.errors import HttpError
+
+from google.cloud import bigquery, exceptions
+from google.cloud.exceptions import *
+
+
+def gcp_bigquery_list_datasets(project_id, credentials):
+    bigquery_client = bigquery.Client(project=credentials.project_id)
+    datasets = list(bigquery_client.list_datasets())
+    project = bigquery_client.project
+
+    if datasets:
+        print('Datasets in project {}:'.format(project))
+        for dataset in datasets:  # API request(s)
+            print('\t{}'.format(dataset.dataset_id))
+    else:
+        print('{} project does not contain any datasets.'.format(project))

libs/gcp/gcp_iam.py

@@ -0,0 +1,43 @@
+'''
+GCP IAM functions for WeirdAAL
+'''
+
+import google.auth
+import googleapiclient.discovery
+import os
+import sys
+
+from google.oauth2 import service_account
+
+from googleapiclient.errors import HttpError
+
+
+
+# [START iam_list_keys]
+def gcp_iam_list_keys(service_account_email, service):
+    """Lists all keys for a service account."""
+
+    # pylint: disable=no-member
+    keys = service.projects().serviceAccounts().keys().list(
+        name='projects/-/serviceAccounts/' + service_account_email).execute()
+
+    for key in keys['keys']:
+        print('Key: ' + key['name'])
+# [END iam_list_keys]
+
+
+# [START iam_list_service_accounts]
+def gcp_iam_list_service_accounts(project_id, service):
+    """Lists all service accounts for the current project."""
+
+    # pylint: disable=no-member
+    service_accounts = service.projects().serviceAccounts().list(
+        name='projects/' + project_id).execute()
+
+    for account in service_accounts['accounts']:
+        print('Name: ' + account['name'])
+        print('Email: ' + account['email'])
+        print(' ')
+    return service_accounts
+# [END iam_list_service_accounts]
+

libs/gcp/gcp_storage.py

@@ -0,0 +1,39 @@
+'''
+GCP Storage functions for WeirdAAL
+'''
+
+import google.auth
+import googleapiclient.discovery
+import os
+import sys
+
+from google.oauth2 import service_account
+
+from googleapiclient.errors import HttpError
+
+from google.cloud import storage, exceptions
+from google.cloud.exceptions import *
+
+
+
+def gcp_storage_list_buckets(credentials):
+    list_of_buckets = []
+    '''list Google storage buckets for account'''
+    storage_client = storage.Client()
+    buckets = storage_client.list_buckets()
+    for buck in buckets:
+        print(buck.name)
+        list_of_buckets.append(buck.name)
+    return list_of_buckets
+
+
+def gcp_storage_list_blobs(credentials, bucket_name):
+    '''Lists all the blobs in the bucket.'''
+    storage_client = storage.Client()
+    bucket = storage_client.get_bucket(bucket_name)
+
+    blobs = bucket.list_blobs()
+
+    for blob in blobs:
+        print('\t{}'.format(blob.name))
+    print('\n')

modules/aws/ec2.py

@@ -64,12 +64,12 @@ def module_ec2_review_encrypted_volumes():
     review_encrypted_volumes()
 
 
-def module_ec2_describe_elastic_addresses():
+def module_ec2_describe_addresses():
     '''
     This function is used to describe ec2 network addresses.
     python3 weirdAAL.py -m ec2_describe_addresses -t demo
     '''
-    describe_elastic_addresses()
+    describe_addresses()
 
 
 def module_ec2_describe_network_interfaces():
@@ -79,12 +79,6 @@ def module_ec2_describe_network_interfaces():
     '''
     describe_network_interfaces()
 
-def module_ec2_describe_publicips():
-    '''
-    This function is used to describe ec2 network interfaces.
-    python3 weirdAAL.py -m ec2_describe_publicips -t demo
-    '''
-    describe_publicips()
 
 def module_ec2_describe_route_tables():
     '''

modules/gcp/gcp_recon.py

@@ -0,0 +1,89 @@
+'''
+This module handles the core GCP recon functionality by asking all the services
+that have functions that done have arguments if we can access them :-)
+'''
+
+
+
+from libs.gcp.gcp_iam import *
+from libs.gcp.gcp_storage import *
+from libs.gcp.gcp_bigquery import *
+
+credentials = service_account.Credentials.from_service_account_file(
+    filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
+    scopes=['https://www.googleapis.com/auth/cloud-platform'])
+
+service = googleapiclient.discovery.build(
+    'iam', 'v1', credentials=credentials)
+
+def module_gcp_recon_all():
+    '''
+    Main gcp_recon_all module - attempt to connect to each of the services to see if we have some privs
+    python3 weirdAAL.py -m gcp_recon_all -t demo
+    '''
+    try:
+        print("GCP IAM List Keys check")
+        # print(credentials)
+        gcp_iam_list_keys(credentials.service_account_email, service)
+    except HttpError as e:
+        # print(e)
+        if e.resp.status in [403, 500, 503]:
+            print("\tGCP IAM access denied for {}\n".format(credentials.service_account_email))
+        else:
+            print('{}\n'.format(e))
+    except google.auth.exceptions.RefreshError as f:
+        print(f)
+        print("Service key is invalid exiting")
+        sys.exit()
+
+    try:
+        print("GCP IAM list service accounts for the current project: {}.".format(credentials.project_id))
+        # print(credentials)
+        gcp_iam_list_service_accounts(credentials.project_id, service)
+    except HttpError as e:
+        # print(e)
+        if e.resp.status in [403, 500, 503]:
+            print("\tIAM access denied for {}\n".format(credentials.service_account_email))
+        else:
+            print('{}\n'.format(e))
+    except google.auth.exceptions.RefreshError as f:
+        print(f)
+        print("Service key is invalid exiting")
+        sys.exit()
+
+    '''
+    Storage bucket access checks
+    '''
+    try:
+        print("GCP Storage check")
+        buckets = gcp_storage_list_buckets(credentials)
+        if buckets:
+            print("\nAttempting to list bucket contents:")
+            for a in buckets:
+                print('Bucket: {}'.format(a))
+                gcp_storage_list_blobs(credentials, a)
+    except googleapiclient.errors.HttpError as e:
+        print('{}\n'.format(e))
+    except exceptions.Forbidden as e:
+        print("\t Forbidden")
+        print('{}\n'.format(e))
+    except exceptions.PermissionDenied as e:
+        print("\t PermissionDenied")
+    except google.auth.exceptions.RefreshError as f:
+        print(f)
+
+    '''
+    BigQuery access checks
+    ''' 
+    try:
+        print("GCP BigQuery check")
+        gcp_bigquery_list_datasets(credentials.project_id, credentials)
+    except googleapiclient.errors.HttpError as e:
+        print('{}\n'.format(e))
+    except exceptions.Forbidden as e:
+        print("\t Forbidden")
+        print('{}\n'.format(e))
+    except exceptions.PermissionDenied as e:
+            print("\t PermissionDenied")
+    except google.auth.exceptions.RefreshError as f:
+        print(f)

requirements.txt

@@ -7,3 +7,8 @@ s3transfer==0.1.11
 six==1.11.0
 virtualenv==15.1.0
 tabulate==0.8.2
+
+google-api-python-client==1.7.4
+google.cloud==0.34.0
+google-cloud-storage==1.12.0
+google-cloud-bigquery==1.5.1

weirdAAL.py

@@ -1,5 +1,3 @@
-#!/usr/bin/env python3
-
 # This file will help to serve as a starting point for using the rest of the tools
 # Things we want to figure out
 # 1) Is your key active?
@@ -11,7 +9,6 @@
 import boto3
 import argparse
 import os
-import sys
 from botocore.exceptions import ClientError
 from modules import *
 import sys
@@ -20,24 +17,19 @@ import re
 from tabulate import tabulate
 import textwrap
 
-# Let a user set .aws/credentials or another file as the credentials source
-# If user-defined, must be an absolute path
-AWS_SHARED_CREDS_PATH='.env'
-if 'AWS_SHARED_CREDENTIALS_FILE' not in os.environ and os.path.exists(AWS_SHARED_CREDS_PATH):
-    os.environ['AWS_SHARED_CREDENTIALS_FILE'] = AWS_SHARED_CREDS_PATH
-else:
-    print('No Key Information available. Place creds in .env file or export variables.')
-    print('Shared Creds Example File:')
-    print('[default]\n\
-aws_access_key_id = YOUR_AWS_ACCESS_KEY_ID\n\
-aws_secret_access_key = YOUR_AWS_SECRET_ACCESS_KEY')
-    print()
-    print('Or to export them in running shell:')
-    print('export AWS_ACCESS_KEY_ID=<hereyourkeyid>')
-    print('export AWS_SECRET_ACCESS_KEY=<hereyoursecretaccesskey>')
-    print()
-    sys.exit(1)
+# not pythonic but keeping google imports separate for now
+import google.auth
+import googleapiclient.discovery
 
+from google.oauth2 import service_account
+from googleapiclient.errors import HttpError
+
+from google.cloud import storage, exceptions
+from google.cloud.exceptions import *
+
+os.environ['AWS_SHARED_CREDENTIALS_FILE'] = '.env'
+
+os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = 'gcp_keys/34.json'
 
 # If you want to use a transparent + supports SSL proxy you can put it here
 # os.environ['HTTPS_PROXY'] = 'https://127.0.0.1:3128'
@@ -75,6 +67,9 @@ def perform_credential_check():
     except ClientError as e:
         print("The AWS Access Keys are not valid/active")
         sys.exit(1)
+    # excepetion to catch the lack of aws cred here - temp fix
+    except Exception as e:
+        print('\t -')
 
 def method_create():
     try:
@@ -130,7 +125,6 @@ def make_tabulate_rows(hash, cloud_provider):
         for item in hash[key]:
             for (k,v) in item.items():
                 normalized_comment = normalize_comments(v)
-                k = re.sub("module_", "", k)
                 entire_contents.append([cloud_provider, key, k, normalized_comment])
 
     return entire_contents