AWS Service Enumeration

Disclaimer

The tool is in beta (testing in progress). It uses no destructive API calls (read-only actions only). I hope there will be no issues with the tool; if you encounter any, please submit a ticket.

Description

AWS Enumerator was created for service enumeration and information dumping, to support penetration testers' investigations during black-box testing. It is intended to speed up cloud review in cases where the security researcher has compromised AWS account credentials.

AWS Enumerator supports more than 600 API calls (read actions such as Get, List, Describe, etc.), and this set will be extended.

The tool provides an interface for analysing results. All results are saved in JSON files (a one-time "database").

Install

If you have Go installed and configured (i.e. with $GOPATH/bin in your $PATH):

go get -u github.com/shabarkin/aws-enumerator

Basic Usage

Credentials setup

To set up credentials, use the cred subcommand and supply the credentials:

./aws-enumerator cred -aws_access_key_id AKIA***********XKU -aws_region us-west-2 -aws_secret_access_key kIm6m********************5JPF

This creates a .env file, which is loaded into environment variables each time you call the enum subcommand.

WARNING: If you set AWS_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY or AWS_SESSION_TOKEN as environment variables manually before running the tool, it will not be able to load the AWS credentials specified in the .env file (it cannot overwrite variables that are already set).
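The precedence rule in the WARNING can be checked before a run. The following is an added example, not part of aws-enumerator: it assumes the .env file holds plain KEY=VALUE lines, and the sample values, function names and status labels are constructed for illustration.

```python
# The four variables named in the WARNING above.
AWS_VARS = ("AWS_REGION", "AWS_ACCESS_KEY_ID",
            "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
CRED_VARS = AWS_VARS[1:]

def parse_dotenv(text):
    """Parse KEY=VALUE lines (assumed .env layout); skip blanks and comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip("\"'")
    return values

def effective_sources(dotenv, environ):
    """Say where each variable's effective value comes from, given that an
    already-set environment variable is never overwritten by .env."""
    report = {}
    for name in AWS_VARS:
        if name in environ and name in dotenv:
            same = environ[name] == dotenv[name]
            report[name] = "env-same" if same else "env-shadows-dotenv"
        elif name in environ:
            report[name] = "env-only"
        else:
            report[name] = "dotenv" if name in dotenv else "unset"
    return report

def is_mixed(report):
    """True when the credential set combines .env values with foreign
    environment values, e.g. a stale AWS_SESSION_TOKEN left exported."""
    sources = {report[name] for name in CRED_VARS}
    foreign = sources & {"env-shadows-dotenv", "env-only"}
    from_file = sources & {"dotenv", "env-same"}
    return bool(foreign and from_file)

# Constructed sample values, not real credentials.
SAMPLE_DOTENV = """AWS_REGION=us-west-2
AWS_ACCESS_KEY_ID=AKIAEXAMPLEFROMDOTENV
AWS_SECRET_ACCESS_KEY=example-secret-from-dotenv
"""
SAMPLE_ENVIRON = {"AWS_REGION": "eu-west-1", "AWS_SESSION_TOKEN": "stale-example-token"}

if __name__ == "__main__":
    report = effective_sources(parse_dotenv(SAMPLE_DOTENV), SAMPLE_ENVIRON)
    for name, source in report.items():
        print(f"{name}: {source}")  # names and sources only, never the values
    print("mixed credential set:", is_mixed(report))
```

Against a real setup, pass the contents of .env and dict(os.environ) instead of the samples; a mixed result means the run would not use the identity stored in .env.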

Enumeration

To enumerate all services, use the enum subcommand and pass all as the value, or a comma-separated list such as iam,s3,sts,rds (no spaces around the commas):

./aws-enumerator enum -services all

If you want to check specific services (up to 10):

./aws-enumerator enum -services iam,sts,rds

The -speed flag is optional; the default value is normal. There are 3 options: slow, normal, fast.

./aws-enumerator enum -services all -speed slow
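From the defending side, a run like this appears in CloudTrail as one access key calling read-only APIs across many services within a short time. The following is an added example, not part of aws-enumerator, that flags that pattern; the records, key IDs, function names and demo-sized thresholds are constructed assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime

READ_PREFIXES = ("Get", "List", "Describe")  # read actions named on the page
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}

def find_enumeration(records, window_seconds=300, min_services=4, min_calls=6):
    """Flag keys whose read-only calls in one window span many services and APIs."""
    by_key = defaultdict(list)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        name = r.get("eventName", "")
        if key and name.startswith(READ_PREFIXES):
            when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            service = r["eventSource"].split(".")[0]
            by_key[key].append((when, service, name, r.get("errorCode")))
    hits = {}
    for key, events in by_key.items():
        events.sort(key=lambda e: e[0])
        lo = 0
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1  # shrink the window from the left
            win = events[lo:hi + 1]
            services = {e[1] for e in win}
            apis = {(e[1], e[2]) for e in win}
            if len(services) >= min_services and len(apis) >= min_calls:
                denied = sum(1 for e in win if e[3] in DENIED)
                hits[key] = {"services": sorted(services), "calls": len(apis), "denied": denied}
                break
    return hits

def rec(key, service, name, when, error=None):  # one constructed record
    return {"eventTime": when, "eventSource": service + ".amazonaws.com", "eventName": name,
            "userIdentity": {"accessKeyId": key}, "errorCode": error}

def sample_records():  # constructed CloudTrail-style records, not real logs
    burst = [("iam", "ListUsers", "AccessDenied"), ("iam", "GetAccountSummary", None),
             ("sts", "GetCallerIdentity", None), ("s3", "ListBuckets", None),
             ("rds", "DescribeDBInstances", "AccessDenied"),
             ("ec2", "DescribeInstances", "Client.UnauthorizedOperation")]
    recs = [rec("AKIAEXAMPLEBURST", s, n, f"2024-01-01T13:36:{i:02d}Z", e)
            for i, (s, n, e) in enumerate(burst)]
    recs += [rec("AKIAEXAMPLEAPP", "s3", "ListBuckets", f"2024-01-01T13:{m}:00Z")
             for m in range(30, 40)]
    return recs

if __name__ == "__main__":
    print(find_enumeration(sample_records()))
```

The count of denied calls in the summary is a useful triage signal: a key that suddenly probes services it has no permissions for is unlikely to be an application doing its normal work.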

Analysis

To analyse the collected information, use the dump subcommand (use all for a quick overview of the available API calls):

./aws-enumerator dump -services all

To analyse specific services (up to 10), pass a list such as iam,s3,sts:

./aws-enumerator dump -services iam,s3,sts

To filter API calls, use the -filter option and start typing the name of the API call (GetA ...):

./aws-enumerator dump -services iam -filter GetA

To retrieve the result of an API call, use the -print option:

./aws-enumerator dump -services iam -filter ListS -print

Pavel Shabarkin LinkedIn

Comments
  • Feature: how to pass an endpoint_url?

    It is possible to set the endpoint_url in, e.g., boto3 for private environments. Is this allowed with some simple modifications here? I am not a Go developer.

    Thanks for the tool!
