工具

SkyArk

https://github.com/cyberark/SkyArk
在扫描的 AWS 环境中发现特权最高的用户，包括 AWS 影子管理员
需要对 IAM 服务具有只读权限
>git clone https://github.com/cyberark/SkyArk
>powershell -ExecutionPolicy Bypass -NoProfile
PS C> Import-Module .\SkyArk.ps1 -force
PS C> Start-AWStealth
或在Cloud Console
PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AWStealth/AWStealth.ps1')  
PS C> Scan-AWShadowAdmins

Pacu

https://github.com/RhinoSecurityLabs/pacu
使用具有多种功能集的可扩展模块集合利用 AWS 环境中的配置缺陷
需要 AWS 密钥
$ git clone https://github.com/RhinoSecurityLabs/pacu
$ bash install.sh
$ python3 pacu.py
set_keys/swap_keys
ls
run <module_name> [--keyword-arguments]
run <module_name> --regions eu-west-1,us-west-1

https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details

Bucket Finder

https://digi.ninja/projects/bucket_finder.php
如果启用了目录索引，则搜索公共存储桶、列出并下载所有文件
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
./bucket_finder.rb my_words
./bucket_finder.rb --region ie my_words
	US Standard         = http://s3.amazonaws.com
	Ireland             = http://s3-eu-west-1.amazonaws.com
	Northern California = http://s3-us-west-1.amazonaws.com
	Singapore           = http://s3-ap-southeast-1.amazonaws.com
	Tokyo               = http://s3-ap-northeast-1.amazonaws.com

./bucket_finder.rb --download --region ie my_words
./bucket_finder.rb --log-file bucket.out my_words

Boto3

https://boto3.amazonaws.com/v1/documentation/api/latest/index.html
适用于 Python 的 Amazon Web Services (AWS) 开发工具包
import boto3
s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1')

try:
	result = s3.list_buckets()
	print(result)
except Exception as e:
	print(e)

Prowler

https://github.com/toniblyx/prowler
AWS 安全最佳实践评估、审计、事件响应、持续监控、强化和取证准备
要求：arn:aws:iam::aws:policy/SecurityAudit
>pip install awscli ansi2html detect-secrets
>git clone https://github.com/toniblyx/prowler
>sudo apt install jq
>./prowler -E check42,check43
>./prowler -p custom-profile -r us-east-1 -c check11
>./prowler -A 123456789012 -R ProwlerRole

Principal Mapper

https://github.com/nccgroup/PMapper
在 AWS 中快速评估 IAM 权限的工具
https://github.com/nccgroup/PMapper
>pip install principalmapper
>pmapper graph --create
>pmapper visualize --filetype png
>pmapper analysis --output-type text

判断 PowerUser 是否可以提升权限
>pmapper query "preset privesc user/PowerUser"
>pmapper argquery --principal user/PowerUser --preset privesc

查找所有可以提升权限的主体
>pmapper query "preset privesc *"
>pmapper argquery --principal '*' --preset privesc

查找PowerUser 可以访问的所有点
>pmapper query "preset connected user/PowerUser *"
>pmapper argquery --principal user/PowerUser --resource '*' --preset connected

查找所有可以访问 Power User 的点
>pmapper query "preset connected * user/PowerUser"
>pmapper argquery --principal '*' --resource user/PowerUser --preset connected

ScoutSuite

https://github.com/nccgroup/ScoutSuite/wiki
多云安全审计工具
>git clone https://github.com/nccgroup/ScoutSuite
>python scout.py PROVIDER --help
--session-token 是可选的，仅用于临时凭证（即角色假设）
>python scout.py aws --access-keys --access-key-id <AKIAIOSFODNN7EXAMPLE> --secret-access-key <wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY> --session-token <token>
>python scout.py azure --cli

s3_objects_check

https://github.com/nccgroup/s3_objects_check
有效 S3 对象权限的白盒评估，以识别可公开访问的文件
>git clone https://github.com/nccgroup/s3_objects_check
>python3 -m venv env && source env/bin/activate
>pip install -r requirements.txt
>python s3-objects-check.py -h
>python s3-objects-check.py -p whitebox-profile -e blackbox-profile

cloudplaining

https://github.com/salesforce/cloudsplaining
一种 AWS IAM 安全评估工具，可识别最低权限违规并生成风险优先级报告
>pip3 install --user cloudsplaining
>cloudsplaining download --profile myawsprofile
>cloudsplaining scan --input-file default.json

weirdAAL

https://github.com/carnal0wnage/weirdAAL/wiki
AWS 攻击库
>python3 weirdAAL.py -m ec2_describe_instances -t demo
>python3 weirdAAL.py -m lambda_get_account_settings -t demo
>python3 weirdAAL.py -m lambda_get_function -a 'MY_LAMBDA_FUNCTION','us-west-2' -t yolo

cloudmapper

https://github.com/duo-labs/cloudmapper.git
CloudMapper 帮助您分析您的 Amazon Web Services (AWS) 环境
>git clone https://github.com/duo-labs/cloudmapper.git
>sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli
还可能需要 "build-essential"
sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli
pipenv install --skip-lock
pipenv shell
report: 生成 HTML 报告。 包括账目摘要和审计结果。
iam_report: 为账户的 IAM 信息生成 HTML 报告
audit: 检查潜在的错误配置
collect: 收集有关帐户的元数据.
find_admins: 查看 IAM 策略以识别管理员用户和角色，或具有特定权限的委托人

最后更新于3年前

这有帮助吗？

https://github.com/cyberark/SkyArk 在扫描的 AWS 环境中发现特权最高的用户，包括 AWS 影子管理员需要对 IAM 服务具有只读权限 >git clone https://github.com/cyberark/SkyArk >powershell -ExecutionPolicy Bypass -NoProfile PS C> Import-Module .\SkyArk.ps1 -force PS C> Start-AWStealth 或在Cloud Console PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AWStealth/AWStealth.ps1') PS C> Scan-AWShadowAdmins

https://github.com/RhinoSecurityLabs/pacu 使用具有多种功能集的可扩展模块集合利用 AWS 环境中的配置缺陷需要 AWS 密钥 $ git clone https://github.com/RhinoSecurityLabs/pacu $ bash install.sh $ python3 pacu.py set_keys/swap_keys ls run <module_name> [--keyword-arguments] run <module_name> --regions eu-west-1,us-west-1 https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details

https://digi.ninja/projects/bucket_finder.php 如果启用了目录索引，则搜索公共存储桶、列出并下载所有文件 wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2 ./bucket_finder.rb my_words ./bucket_finder.rb --region ie my_words US Standard = http://s3.amazonaws.com Ireland = http://s3-eu-west-1.amazonaws.com Northern California = http://s3-us-west-1.amazonaws.com Singapore = http://s3-ap-southeast-1.amazonaws.com Tokyo = http://s3-ap-northeast-1.amazonaws.com ./bucket_finder.rb --download --region ie my_words ./bucket_finder.rb --log-file bucket.out my_words

https://boto3.amazonaws.com/v1/documentation/api/latest/index.html 适用于 Python 的 Amazon Web Services (AWS) 开发工具包 import boto3 s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1') try: result = s3.list_buckets() print(result) except Exception as e: print(e)

https://github.com/toniblyx/prowler AWS 安全最佳实践评估、审计、事件响应、持续监控、强化和取证准备要求：arn:aws:iam::aws:policy/SecurityAudit >pip install awscli ansi2html detect-secrets >git clone https://github.com/toniblyx/prowler >sudo apt install jq >./prowler -E check42,check43 >./prowler -p custom-profile -r us-east-1 -c check11 >./prowler -A 123456789012 -R ProwlerRole

https://github.com/nccgroup/PMapper 在 AWS 中快速评估 IAM 权限的工具 https://github.com/nccgroup/PMapper >pip install principalmapper >pmapper graph --create >pmapper visualize --filetype png >pmapper analysis --output-type text 判断 PowerUser 是否可以提升权限 >pmapper query "preset privesc user/PowerUser" >pmapper argquery --principal user/PowerUser --preset privesc 查找所有可以提升权限的主体 >pmapper query "preset privesc *" >pmapper argquery --principal '*' --preset privesc 查找PowerUser 可以访问的所有点 >pmapper query "preset connected user/PowerUser *" >pmapper argquery --principal user/PowerUser --resource '*' --preset connected 查找所有可以访问 Power User 的点 >pmapper query "preset connected * user/PowerUser" >pmapper argquery --principal '*' --resource user/PowerUser --preset connected

https://github.com/nccgroup/ScoutSuite/wiki 多云安全审计工具 >git clone https://github.com/nccgroup/ScoutSuite >python scout.py PROVIDER --help --session-token 是可选的，仅用于临时凭证（即角色假设） >python scout.py aws --access-keys --access-key-id <AKIAIOSFODNN7EXAMPLE> --secret-access-key <wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY> --session-token <token> >python scout.py azure --cli

https://github.com/nccgroup/s3_objects_check 有效 S3 对象权限的白盒评估，以识别可公开访问的文件 >git clone https://github.com/nccgroup/s3_objects_check >python3 -m venv env && source env/bin/activate >pip install -r requirements.txt >python s3-objects-check.py -h >python s3-objects-check.py -p whitebox-profile -e blackbox-profile

https://github.com/salesforce/cloudsplaining 一种 AWS IAM 安全评估工具，可识别最低权限违规并生成风险优先级报告 >pip3 install --user cloudsplaining >cloudsplaining download --profile myawsprofile >cloudsplaining scan --input-file default.json

https://github.com/carnal0wnage/weirdAAL/wiki AWS 攻击库 >python3 weirdAAL.py -m ec2_describe_instances -t demo >python3 weirdAAL.py -m lambda_get_account_settings -t demo >python3 weirdAAL.py -m lambda_get_function -a 'MY_LAMBDA_FUNCTION','us-west-2' -t yolo

https://github.com/duo-labs/cloudmapper.git CloudMapper 帮助您分析您的 Amazon Web Services (AWS) 环境 >git clone https://github.com/duo-labs/cloudmapper.git >sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli 还可能需要 "build-essential" sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli pipenv install --skip-lock pipenv shell report: 生成 HTML 报告。包括账目摘要和审计结果。 iam_report: 为账户的 IAM 信息生成 HTML 报告 audit: 检查潜在的错误配置 collect: 收集有关帐户的元数据. find_admins: 查看 IAM 策略以识别管理员用户和角色，或具有特定权限的委托人