326 lines
14 KiB
Python
326 lines
14 KiB
Python
'''
|
|
S3 functions for WeirdAAL
|
|
'''
|
|
|
|
import boto3
|
|
import botocore
|
|
import os
|
|
import pprint
|
|
import sys
|
|
|
|
pp = pprint.PrettyPrinter(indent=5, width=80)
|
|
|
|
'''
|
|
Code to get the AWS_ACCESS_KEY_ID from boto3
|
|
'''
|
|
session = boto3.Session()
|
|
credentials = session.get_credentials()
|
|
AWS_ACCESS_KEY_ID = credentials.access_key
|
|
AWS_SECRET_ACCESS_KEY = credentials.secret_key
|
|
|
|
# from http://docs.aws.amazon.com/general/latest/gr/rande.html
|
|
regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1', 'ap-south-1', 'ap-northeast-1', 'ap-northeast-2', 'ap-northeast-3', 'ap-southeast-1', 'ap-southeast-2', 'cn-north-1', 'cn-northwest-1', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'sa-east-1']
|
|
|
|
region = 'us-east-1'
|
|
|
|
|
|
def s3_get_bucket_policy(bucket):
|
|
try:
|
|
client = boto3.client('s3', region_name=region)
|
|
print('\n#### Attempting to list s3 bucket contents and bucket Policy & ACL for {} ####'.format(bucket))
|
|
|
|
try:
|
|
for key in client.list_objects(Bucket=bucket)['Contents']:
|
|
print(key['Key'])
|
|
|
|
'''
|
|
# Create a paginator to pull 1000 objects at a time
|
|
paginator = client.get_paginator('list_objects')
|
|
pageresponse = paginator.paginate(Bucket=thebucket)
|
|
|
|
# PageResponse Holds 1000 objects at a time and will continue to repeat in chunks of 1000.
|
|
for pageobject in pageresponse:
|
|
for file in pageobject["Contents"]:
|
|
print(file["Key"])
|
|
'''
|
|
except KeyError as e:
|
|
print("Bucket: {} is empty".format(bucket))
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == 'AccessDenied':
|
|
print('{} : cant list s3 bucket [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
|
|
print('%s: Has No S3 Policy!' % bucket['Name'])
|
|
elif e.response['Error']['Code'] == 'AllAccessDisabled':
|
|
print('{} : cant list s3 bucket [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
except KeyboardInterrupt:
|
|
print("CTRL-C received, exiting...")
|
|
|
|
try:
|
|
policy = client.get_bucket_policy(Bucket=bucket)
|
|
if policy:
|
|
print(bucket + " Policy: ")
|
|
pp.pprint(policy['Policy'])
|
|
print("\n")
|
|
else:
|
|
print("no Policy found for: {}".format(bucket))
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == 'AccessDenied':
|
|
print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
|
|
print('\n{}: Has No S3 Policy!' .format(bucket))
|
|
print("\n")
|
|
elif e.response['Error']['Code'] == 'AllAccessDisabled':
|
|
print('{} : cant list s3 bucket policy [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
|
|
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
try:
|
|
acl = client.get_bucket_acl(Bucket=bucket)
|
|
if acl:
|
|
print("{} ACL Grants: ".format(bucket))
|
|
pp.pprint(acl['Grants'])
|
|
print("\n")
|
|
else:
|
|
pass
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == 'AccessDenied':
|
|
print('{} : cant list s3 bucket acl [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
|
|
print('{}: Has No S3 Policy!' .format(bucket))
|
|
print("\n")
|
|
elif e.response['Error']['Code'] == 'AllAccessDisabled':
|
|
print('{} : cant list s3 bucket acl [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
|
|
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
|
|
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
except KeyboardInterrupt:
|
|
print("CTRL-C received, exiting...")
|
|
|
|
|
|
def s3_list_bucket_contents(bucket):
|
|
try:
|
|
client = boto3.client('s3', region_name=region)
|
|
print('\n#### Attempting to list s3 bucket contents for {} ####'.format(bucket))
|
|
|
|
try:
|
|
for key in client.list_objects(Bucket=bucket)['Contents']:
|
|
print(key['Key'])
|
|
|
|
'''
|
|
# Create a paginator to pull 1000 objects at a time
|
|
paginator = client.get_paginator('list_objects')
|
|
pageresponse = paginator.paginate(Bucket=thebucket)
|
|
|
|
# PageResponse Holds 1000 objects at a time and will continue to repeat in chunks of 1000.
|
|
for pageobject in pageresponse:
|
|
for file in pageobject["Contents"]:
|
|
print(file["Key"])
|
|
'''
|
|
except KeyError as e:
|
|
print("Bucket: {} is empty".format(bucket))
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == 'AccessDenied':
|
|
print('{} : cant list s3 bucket [AccessDenied]'.format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
|
|
print('%s: Has No S3 Policy!' % bucket['Name'])
|
|
elif e.response['Error']['Code'] == 'AllAccessDisabled':
|
|
print('{} : cant list s3 bucket [AllAccessDisabled]'.format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
except KeyboardInterrupt:
|
|
print("CTRL-C received, exiting...")
|
|
|
|
|
|
def get_s3object_acl(bucket, myfile, region):
|
|
'''
|
|
# specifically get the acl on a file in a buckeet
|
|
|
|
'''
|
|
try:
|
|
client = boto3.client('s3', region_name=region)
|
|
print('#### Trying to enumate s3 ACL for {}:{} ####\n '.format(bucket, myfile))
|
|
acl = client.get_object_acl(Bucket=bucket, Key=myfile)
|
|
print(acl)
|
|
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
|
|
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
except KeyboardInterrupt:
|
|
print("CTRL-C received, exiting...")
|
|
|
|
|
|
def s3_get_objects_for_account():
|
|
'''
|
|
list s3 buckets for an account
|
|
'''
|
|
try:
|
|
client = boto3.resource('s3', region_name=region)
|
|
|
|
print('#### Trying to list s3 bucketsfor {} ####\n '.format(AWS_ACCESS_KEY_ID))
|
|
for bucket in client.buckets.all():
|
|
print(bucket.name)
|
|
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
|
elif e.response['Error']['Code'] == 'AccessDenied':
|
|
print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
|
|
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
except KeyboardInterrupt:
|
|
print("CTRL-C received, exiting...")
|
|
|
|
|
|
def s3_get_objects_for_account_detailed():
|
|
'''
|
|
list s3 buckets for an account and their policy
|
|
'''
|
|
try:
|
|
client = boto3.resource('s3', region_name=region)
|
|
|
|
print('#### Trying to list s3 bucketsfor {} ####\n '.format(AWS_ACCESS_KEY_ID))
|
|
for bucket in client.buckets.all():
|
|
print(bucket.name)
|
|
s3_get_bucket_policy(bucket.name)
|
|
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
|
|
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
except KeyboardInterrupt:
|
|
print("CTRL-C received, exiting...")
|
|
|
|
|
|
def s3_get_bucket_objects_from_file(file):
|
|
'''
|
|
For a list of buckets attempt to list their contents
|
|
'''
|
|
try:
|
|
client = boto3.resource('s3', region_name=region)
|
|
|
|
with open(file, 'r') as f:
|
|
for line in f:
|
|
line = line.strip()
|
|
if not line:
|
|
continue
|
|
else:
|
|
s3_get_bucket_policy(line)
|
|
except FileNotFoundError as e:
|
|
print("{} not found".format(file))
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
|
|
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
except KeyboardInterrupt:
|
|
print("CTRL-C received, exiting...")
|
|
|
|
|
|
def s3_download_file(bucket, file):
|
|
'''
|
|
download a file from a S3 bucket
|
|
'''
|
|
try:
|
|
client = boto3.resource('s3', region_name=region)
|
|
client.Bucket(bucket).download_file(file, '{}/loot/{}'.format(os.getcwd(), file))
|
|
print("file downloaded to: {}/loot/{}".format(os.getcwd(), file))
|
|
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == "404":
|
|
print("{} object does not exist.".format(file))
|
|
elif e.response['Error']['Code'] == 'InvalidClientTokenId':
|
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
|
|
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
except KeyboardInterrupt:
|
|
print("CTRL-C received, exiting...")
|
|
|
|
|
|
def s3_upload_file(bucket, source_file, dest_file):
|
|
'''
|
|
upload a file to a S3 bucket
|
|
'''
|
|
try:
|
|
client = boto3.resource('s3', region_name=region)
|
|
client.meta.client.upload_file(source_file, bucket, dest_file)
|
|
|
|
print("{} uploaded to: {}/{}".format(source_file, bucket, dest_file))
|
|
except FileNotFoundError as e:
|
|
print("[-] {} not found [-]".format(source_file))
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == "404":
|
|
print("{} object does not exist.".format(source_file))
|
|
elif e.response['Error']['Code'] == 'InvalidClientTokenId':
|
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
|
|
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
except KeyboardInterrupt:
|
|
print("CTRL-C received, exiting...")
|
|
|
|
def s3_get_file_acl(bucket, file):
|
|
'''
|
|
get file in a s3 bucket ACL
|
|
'''
|
|
try:
|
|
client = boto3.client('s3', region_name=region)
|
|
object_acl = client.get_object_acl(Bucket=bucket, Key=file)
|
|
if object_acl:
|
|
print("{} ACL:\n".format(file))
|
|
print("{}".format(object_acl['Grants']))
|
|
except FileNotFoundError as e:
|
|
print("[-] {} not found [-]".format(file))
|
|
except botocore.exceptions.ClientError as e:
|
|
if e.response['Error']['Code'] == "404":
|
|
print("{} object does not exist.".format(file))
|
|
elif e.response['Error']['Code'] == 'InvalidClientTokenId':
|
|
sys.exit("The AWS KEY IS INVALID. Exiting")
|
|
elif e.response['Error']['Code'] == 'NotSignedUp':
|
|
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
|
|
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
|
|
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
|
|
else:
|
|
print("Unexpected error: {}" .format(e))
|
|
except KeyboardInterrupt:
|
|
print("CTRL-C received, exiting...")
|