# 工具 **SkyArk** ``` https://github.com/cyberark/SkyArk 在扫描的 AWS 环境中发现特权最高的用户,包括 AWS 影子管理员 需要对 IAM 服务具有只读权限 >git clone https://github.com/cyberark/SkyArk >powershell -ExecutionPolicy Bypass -NoProfile PS C> Import-Module .\SkyArk.ps1 -force PS C> Start-AWStealth 或在Cloud Console PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AWStealth/AWStealth.ps1') PS C> Scan-AWShadowAdmins ``` **Pacu** ``` https://github.com/RhinoSecurityLabs/pacu 使用具有多种功能集的可扩展模块集合利用 AWS 环境中的配置缺陷 需要 AWS 密钥 $ git clone https://github.com/RhinoSecurityLabs/pacu $ bash install.sh $ python3 pacu.py set_keys/swap_keys ls run [--keyword-arguments] run --regions eu-west-1,us-west-1 https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details ``` **Bucket Finder** ``` https://digi.ninja/projects/bucket_finder.php 如果启用了目录索引,则搜索公共存储桶、列出并下载所有文件 wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2 ./bucket_finder.rb my_words ./bucket_finder.rb --region ie my_words US Standard = http://s3.amazonaws.com Ireland = http://s3-eu-west-1.amazonaws.com Northern California = http://s3-us-west-1.amazonaws.com Singapore = http://s3-ap-southeast-1.amazonaws.com Tokyo = http://s3-ap-northeast-1.amazonaws.com ./bucket_finder.rb --download --region ie my_words ./bucket_finder.rb --log-file bucket.out my_words ``` **Boto3** ``` https://boto3.amazonaws.com/v1/documentation/api/latest/index.html 适用于 Python 的 Amazon Web Services (AWS) 开发工具包 import boto3 s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1') try: result = s3.list_buckets() print(result) except Exception as e: print(e) ``` **Prowler** ``` https://github.com/toniblyx/prowler AWS 安全最佳实践评估、审计、事件响应、持续监控、强化和取证准备 要求:arn:aws:iam::aws:policy/SecurityAudit >pip install awscli ansi2html detect-secrets >git clone https://github.com/toniblyx/prowler >sudo apt install jq >./prowler -E check42,check43 >./prowler -p custom-profile -r us-east-1 -c check11 >./prowler -A 123456789012 -R ProwlerRole ``` **Principal Mapper** ``` https://github.com/nccgroup/PMapper 在 AWS 中快速评估 IAM 权限的工具 https://github.com/nccgroup/PMapper >pip install principalmapper >pmapper graph --create >pmapper visualize --filetype png >pmapper analysis --output-type text 判断 PowerUser 是否可以提升权限 >pmapper query "preset privesc user/PowerUser" >pmapper argquery --principal user/PowerUser --preset privesc 查找所有可以提升权限的主体 >pmapper query "preset privesc *" >pmapper argquery --principal '*' --preset privesc 查找PowerUser 可以访问的所有点 >pmapper query "preset connected user/PowerUser *" >pmapper argquery --principal user/PowerUser --resource '*' --preset connected 查找所有可以访问 Power User 的点 >pmapper query "preset connected * user/PowerUser" >pmapper argquery --principal '*' --resource user/PowerUser --preset connected ``` **ScoutSuite** ``` https://github.com/nccgroup/ScoutSuite/wiki 多云安全审计工具 >git clone https://github.com/nccgroup/ScoutSuite >python scout.py PROVIDER --help --session-token 是可选的,仅用于临时凭证(即角色假设) >python scout.py aws --access-keys --access-key-id --secret-access-key --session-token >python scout.py azure --cli ``` **s3\_objects\_check** ``` https://github.com/nccgroup/s3_objects_check 有效 S3 对象权限的白盒评估,以识别可公开访问的文件 >git clone https://github.com/nccgroup/s3_objects_check >python3 -m venv env && source env/bin/activate >pip install -r requirements.txt >python s3-objects-check.py -h >python s3-objects-check.py -p whitebox-profile -e blackbox-profile ``` **cloudplaining** ``` https://github.com/salesforce/cloudsplaining 一种 A​​WS IAM 安全评估工具,可识别最低权限违规并生成风险优先级报告 >pip3 install --user cloudsplaining >cloudsplaining download --profile myawsprofile >cloudsplaining scan --input-file default.json ``` **weirdAAL** ``` https://github.com/carnal0wnage/weirdAAL/wiki AWS 攻击库 >python3 weirdAAL.py -m ec2_describe_instances -t demo >python3 weirdAAL.py -m lambda_get_account_settings -t demo >python3 weirdAAL.py -m lambda_get_function -a 'MY_LAMBDA_FUNCTION','us-west-2' -t yolo ``` **cloudmapper** ``` https://github.com/duo-labs/cloudmapper.git CloudMapper 帮助您分析您的 Amazon Web Services (AWS) 环境 >git clone https://github.com/duo-labs/cloudmapper.git >sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli 还可能需要 "build-essential" sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli pipenv install --skip-lock pipenv shell report: 生成 HTML 报告。 包括账目摘要和审计结果。 iam_report: 为账户的 IAM 信息生成 HTML 报告 audit: 检查潜在的错误配置 collect: 收集有关帐户的元数据. find_admins: 查看 IAM 策略以识别管理员用户和角色,或具有特定权限的委托人 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/yun-an-quan/aws/gong-ju.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.