The AWS Enumerator was created for service enumeration and information dumping to support penetration testers' investigations during black-box testing. The tool is intended to speed up the cloud review process in cases where the security researcher has compromised AWS account credentials.

Overview

AWS Service Enumeration

Disclaimer

The tool is in beta stage (testing in progress); no destructive API calls are used (read-only actions only). I hope there will be no issues with the tool. If you encounter any issues, please submit a ticket.

Description

AWS Enumerator supports more than 600 API calls (read-only actions such as Get, List and Describe), and the list will be extended.

The tool provides an interface for result analysis. All results are saved in JSON files (a one-time "database").

Install

If you have Go installed and configured (i.e. with $GOPATH/bin in your $PATH):

go get -u github.com/shabarkin/aws-enumerator

Basic Usage

Credentials setup

To set up credentials, use the cred subcommand and supply the credentials:

./aws-enumerator cred -aws_access_key_id AKIA***********XKU -aws_region us-west-2 -aws_secret_access_key kIm6m********************5JPF

It creates a .env file, which is loaded into environment variables each time you call the enum subcommand.

WARNING: If you set AWS_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY or AWS_SESSION_TOKEN as environment variables manually before running the tool, it will not be able to load the AWS credentials specified in the .env file (it cannot overwrite existing environment variables). Check your shell for stale values before running enum, or you may enumerate a different account than the one whose credentials you just stored.
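As an added illustration of the precedence rule in the warning above (example code, not part of aws-enumerator), the following Go snippet parses a .env file of the kind the cred subcommand writes and reports, for each AWS variable, whether the value the tool will actually use comes from the shell environment or from .env, so you can confirm which credentials are in effect before enumerating. It assumes the .env file holds plain KEY=VALUE lines; the key IDs used in the comments and tests are constructed placeholders.

```go
package main

import (
	"bufio"
	"strings"
)

// The variables the warning names. A value already set in the process environment
// wins; the .env value (assumed plain KEY=VALUE lines) is only a fallback.
var awsVars = []string{"AWS_REGION", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

// parseDotEnv reads KEY=VALUE lines, skipping blanks and # comments and stripping quotes.
func parseDotEnv(content string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
			out[strings.TrimSpace(kv[0])] = strings.Trim(strings.TrimSpace(kv[1]), `"`)
		}
	}
	return out
}

// resolve returns the value the tool will actually use for each AWS variable and
// where it came from ("environment" or ".env"); variables set in neither are omitted.
func resolve(procEnv, dotenv map[string]string) (values, sources map[string]string) {
	values, sources = map[string]string{}, map[string]string{}
	for _, k := range awsVars {
		if v := procEnv[k]; v != "" {
			values[k], sources[k] = v, "environment"
		} else if v, ok := dotenv[k]; ok {
			values[k], sources[k] = v, ".env"
		}
	}
	return values, sources
}

// shadowed lists .env keys that will be silently ignored because the shell already
// sets them: exactly the situation the warning describes, usually stale credentials.
func shadowed(procEnv, dotenv map[string]string) []string {
	var keys []string
	for _, k := range awsVars {
		if _, inDot := dotenv[k]; inDot && procEnv[k] != "" {
			keys = append(keys, k)
		}
	}
	return keys
}
```

Feed it os.Environ() (converted to a map) and the contents of the .env file; a non-empty result from shadowed means the enum run would not use the credentials you just stored with cred.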

Enumeration

To enumerate services, use the enum subcommand and supply either the value all or a comma-separated list such as iam,s3,sts,rds (no spaces after the commas):

./aws-enumerator enum -services all

If you want to check specific services (up to 10):

./aws-enumerator enum -services iam,sts,rds

The -speed flag is optional; the default value is normal. There are three options: slow, normal and fast.

./aws-enumerator enum -services all -speed slow

Analysis

To analyse the collected information, use the dump subcommand (use all for a quick overview of the available API calls):

./aws-enumerator dump -services all

To analyse specific services (up to 10), list them as iam,s3,sts, etc.:

./aws-enumerator dump -services iam,s3,sts

To filter API calls, use the -filter option and start typing the name of the API call (for example GetA):

./aws-enumerator dump -services iam -filter GetA

To retrieve the result of an API call, use the -print option:

./aws-enumerator dump -services iam -filter ListS -print

Demo Video

Pavel Shabarkin LinkedIn

Comments
  • Feature: how to pass an endpoint_url?

    It is possible to set the endpoint_url in, e.g., boto3 for private environments. Is this allowed with some simple modifications here? I am not a Go developer.

    Thanks for the tool!

    opened by bestrocker221 1