工具
SkyArk
https://github.com/cyberark/SkyArk
在扫描的 AWS 环境中发现特权最高的用户,包括 AWS 影子管理员
需要对 IAM 服务具有只读权限
>git clone https://github.com/cyberark/SkyArk
>powershell -ExecutionPolicy Bypass -NoProfile
PS C> Import-Module .\SkyArk.ps1 -force
PS C> Start-AWStealth
或在Cloud Console
PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AWStealth/AWStealth.ps1')
PS C> Scan-AWShadowAdmins
Pacu
https://github.com/RhinoSecurityLabs/pacu
使用具有多种功能集的可扩展模块集合利用 AWS 环境中的配置缺陷
需要 AWS 密钥
$ git clone https://github.com/RhinoSecurityLabs/pacu
$ bash install.sh
$ python3 pacu.py
set_keys/swap_keys
ls
run <module_name> [--keyword-arguments]
run <module_name> --regions eu-west-1,us-west-1
https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details
Bucket Finder
https://digi.ninja/projects/bucket_finder.php
如果启用了目录索引,则搜索公共存储桶、列出并下载所有文件
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
./bucket_finder.rb my_words
./bucket_finder.rb --region ie my_words
US Standard = http://s3.amazonaws.com
Ireland = http://s3-eu-west-1.amazonaws.com
Northern California = http://s3-us-west-1.amazonaws.com
Singapore = http://s3-ap-southeast-1.amazonaws.com
Tokyo = http://s3-ap-northeast-1.amazonaws.com
./bucket_finder.rb --download --region ie my_words
./bucket_finder.rb --log-file bucket.out my_words
Boto3
https://boto3.amazonaws.com/v1/documentation/api/latest/index.html
适用于 Python 的 Amazon Web Services (AWS) 开发工具包
import boto3
s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1')
try:
result = s3.list_buckets()
print(result)
except Exception as e:
print(e)
Prowler
https://github.com/toniblyx/prowler
AWS 安全最佳实践评估、审计、事件响应、持续监控、强化和取证准备
要求:arn:aws:iam::aws:policy/SecurityAudit
>pip install awscli ansi2html detect-secrets
>git clone https://github.com/toniblyx/prowler
>sudo apt install jq
>./prowler -E check42,check43
>./prowler -p custom-profile -r us-east-1 -c check11
>./prowler -A 123456789012 -R ProwlerRole
Principal Mapper
https://github.com/nccgroup/PMapper
在 AWS 中快速评估 IAM 权限的工具
https://github.com/nccgroup/PMapper
>pip install principalmapper
>pmapper graph --create
>pmapper visualize --filetype png
>pmapper analysis --output-type text
判断 PowerUser 是否可以提升权限
>pmapper query "preset privesc user/PowerUser"
>pmapper argquery --principal user/PowerUser --preset privesc
查找所有可以提升权限的主体
>pmapper query "preset privesc *"
>pmapper argquery --principal '*' --preset privesc
查找PowerUser 可以访问的所有点
>pmapper query "preset connected user/PowerUser *"
>pmapper argquery --principal user/PowerUser --resource '*' --preset connected
查找所有可以访问 Power User 的点
>pmapper query "preset connected * user/PowerUser"
>pmapper argquery --principal '*' --resource user/PowerUser --preset connected
ScoutSuite
https://github.com/nccgroup/ScoutSuite/wiki
多云安全审计工具
>git clone https://github.com/nccgroup/ScoutSuite
>python scout.py PROVIDER --help
--session-token 是可选的,仅用于临时凭证(即角色假设)
>python scout.py aws --access-keys --access-key-id <AKIAIOSFODNN7EXAMPLE> --secret-access-key <wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY> --session-token <token>
>python scout.py azure --cli
s3_objects_check
https://github.com/nccgroup/s3_objects_check
有效 S3 对象权限的白盒评估,以识别可公开访问的文件
>git clone https://github.com/nccgroup/s3_objects_check
>python3 -m venv env && source env/bin/activate
>pip install -r requirements.txt
>python s3-objects-check.py -h
>python s3-objects-check.py -p whitebox-profile -e blackbox-profile
cloudplaining
https://github.com/salesforce/cloudsplaining
一种 AWS IAM 安全评估工具,可识别最低权限违规并生成风险优先级报告
>pip3 install --user cloudsplaining
>cloudsplaining download --profile myawsprofile
>cloudsplaining scan --input-file default.json
weirdAAL
https://github.com/carnal0wnage/weirdAAL/wiki
AWS 攻击库
>python3 weirdAAL.py -m ec2_describe_instances -t demo
>python3 weirdAAL.py -m lambda_get_account_settings -t demo
>python3 weirdAAL.py -m lambda_get_function -a 'MY_LAMBDA_FUNCTION','us-west-2' -t yolo
cloudmapper
https://github.com/duo-labs/cloudmapper.git
CloudMapper 帮助您分析您的 Amazon Web Services (AWS) 环境
>git clone https://github.com/duo-labs/cloudmapper.git
>sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli
还可能需要 "build-essential"
sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli
pipenv install --skip-lock
pipenv shell
report: 生成 HTML 报告。 包括账目摘要和审计结果。
iam_report: 为账户的 IAM 信息生成 HTML 报告
audit: 检查潜在的错误配置
collect: 收集有关帐户的元数据.
find_admins: 查看 IAM 策略以识别管理员用户和角色,或具有特定权限的委托人