AWS Commands
Prerequisites: https://github.com/BishopFox/cloudfox#prerequisites
To list AWS commands: ./cloudfox aws -h
For help with each command: ./cloudfox aws [command_name] -h
| Command | all-checks |
|---|---|
| Summary | This command runs all other aws commands, with the exception of outbound-assumed-roles |
| Introduced | v1.6.0 |
| Author | Bishop Fox |
| Background | We created all-checks so that there is a way to get most of the cloudfox aws functionality with one single command. The outbound-assumed-roles command is just too slow to include in all-checks, but we didn't want to rename it almost-all-checks, so we kept the name as is ๐. It's also important to know that in all-checks, each sub-command is run with reasonable default options, but that does not include all cloudfox functionality. Some commands allow you to access really cool additional functionality with additional options, so make sure to check out each command individual as well. |
| Use case 1: | Run (almost) all of the commands at once and record all output to your local filesystem โฏ cloudfox aws -p cflab all-checks
|
Example output: all-checks
โฏ cloudfox aws -p cflab all-checks
[๐ฆ cloudfox v1.9.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[๐ฆ cloudfox ๐ฆ ] Getting a lay of the land, aka "What regions is this account using?"
[inventory][cflab] Enumerating selected services in all regions for account 049881439828.
[inventory][cflab] Supported Services: ApiGateway, ApiGatewayv2, AppRunner, CloudFormation, Cloudfront, DynamoDB,
[inventory][cflab] EC2, ECS, EKS, ELB, ELBv2, Glue, Grafana, IAM, Lambda, Lightsail, MQ,
[inventory][cflab] OpenSearch, RDS, S3, SecretsManager, SNS, SQS, SSM
[inventory] Status: 364/364 tasks complete (9 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[inventory] Output written to [cloudfox-output/aws/cflab/table/inventory.txt]
[inventory] Output written to [cloudfox-output/aws/cflab/csv/inventory.csv]
[inventory] Output written to [cloudfox-output/aws/cflab/table/inventory-global.txt]
[inventory] Output written to [cloudfox-output/aws/cflab/csv/inventory-global.csv]
[inventory][cflab] 69 resources found in the services we looked at. This is NOT the total number of resources in the account.
[tags][cflab] Enumerating tags for account 049881439828.
[tags] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[tags] Output written to [cloudfox-output/aws/cflab/table/tags.txt]
[tags] Output written to [cloudfox-output/aws/cflab/csv/tags.csv]
[tags][cflab] 37 tags found.
[tags][cflab] 25 unique resources with tags found.
[๐ฆ cloudfox ๐ฆ ] Gathering the info you'll want for your application & service enumeration needs.
[instances][cflab] Enumerating EC2 instances in all regions for account 049881439828
[instances][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[instances][cflab] Found pmapper data for this account. Using it for role analysis.
[instances] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[instances] Output written to [cloudfox-output/aws/cflab/table/instances.txt]
[instances] Output written to [cloudfox-output/aws/cflab/csv/instances.csv]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PrivateIPs.txt]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PublicIPs.txt]
[instances][cflab] 5 instances found.
[lambdas][cflab] Enumerating lambdas for account 049881439828.
[lambdas][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[lambdas][cflab] Found pmapper data for this account. Using it for role analysis.
[lambdas] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[lambdas] Output written to [cloudfox-output/aws/cflab/table/lambdas.txt]
[lambdas] Output written to [cloudfox-output/aws/cflab/csv/lambdas.csv]
[lambdas][cflab] Loot written to [cloudfox-output/aws/cflab/loot/lambda-get-function-commands.txt]
[lambdas][cflab] 2 lambdas found.
[route53][cflab] Enumerating Route53 for account 049881439828.
[route53][cflab] No DNS records found, skipping the creation of an output file.
[filesystems][cflab] Enumerating filesystems for account 049881439828.
[filesystems][cflab] Supported Services: EFS, FSx
[filesystems] Status: 34/34 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[filesystems] Output written to [cloudfox-output/aws/cflab/table/filesystems.txt]
[filesystems] Output written to [cloudfox-output/aws/cflab/csv/filesystems.csv]
[filesystems][cflab] Loot written to [cloudfox-output/aws/cflab/loot/filesystems-mount-commands.txt]
[filesystems][cflab] 1 filesystems found.
[endpoints][cflab] Enumerating endpoints for account 049881439828.
[endpoints][cflab] Supported Services: App Runner, APIGateway, ApiGatewayV2, Cloudfront, EKS, ELB, ELBv2, Grafana,
[endpoints][cflab] Lambda, MQ, OpenSearch, Redshift, RDS
[endpoints] Status: 212/212 tasks complete (9 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[endpoints] Output written to [cloudfox-output/aws/cflab/table/endpoints.txt]
[endpoints] Output written to [cloudfox-output/aws/cflab/csv/endpoints.csv]
[endpoints][cflab] Loot written to [cloudfox-output/aws/cflab/loot/endpoints-UrlsOnly.txt]
[endpoints][cflab] 3 endpoints found.
[ecs-tasks][cflab] Enumerating ECS tasks in all regions for account 049881439828
[ecs-tasks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[ecs-tasks][cflab] Found pmapper data for this account. Using it for role analysis.
[ecs-tasks] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/table/ecs-tasks.txt]
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/csv/ecs-tasks.csv]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PrivateIPs.txt]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PublicIPs.txt]
[ecs-tasks][cflab] 1 ECS tasks found.
[eks][cflab] Enumerating EKS clusters for account 049881439828.
[eks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[eks][cflab] Found pmapper data for this account. Using it for role analysis.
[eks] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[eks][cflab] No clusters found, skipping the creation of an output file.
[elastic-network-interfaces][cflab] Enumerating elastic network interfaces in all regions for account 049881439828
[elastic-network-interfaces] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/table/elastic-network-interfaces.txt]
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/csv/elastic-network-interfaces.csv]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PrivateIPs.txt]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PublicIPs.txt]
[elastic-network-interfaces][cflab] 9 elastic network interfaces found.
[๐ฆ cloudfox ๐ฆ ] Looking for secrets hidden between the seat cushions.
[instances][cflab] Enumerating EC2 instances in all regions for account 049881439828
[instances][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[instances][cflab] Found pmapper data for this account. Using it for role analysis.
[instances] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[instance-userdata][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instance-userdata.txt]
[env-vars][cflab] Enumerating environment variables in all regions for account 049881439828.
[env-vars][cflab] Supported Services: App Runner, Elastic Container Service, Lambda, Lightsail Containers, Sagemaker
[env-vars] Status: 82/82 tasks complete (10 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[env-vars] Output written to [cloudfox-output/aws/cflab/table/env-vars.txt]
[env-vars] Output written to [cloudfox-output/aws/cflab/csv/env-vars.csv]
[env-vars][cflab] 3 environment variables found.
[cloudformation][cflab] Enumerating cloudformation stacks for account 049881439828.
[cloudformation] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[cloudformation] Output written to [cloudfox-output/aws/cflab/table/cloudformation.txt]
[cloudformation] Output written to [cloudfox-output/aws/cflab/csv/cloudformation.csv]
[cloudformation][cflab] Loot written to [cloudfox-output/aws/cflab/loot/cloudformation-data.txt]
[cloudformation][cflab] 2 cloudformation stacks found.
[๐ฆ cloudfox ๐ฆ ] Arming you with the data you'll need for privesc quests.
[buckets][cflab] Enumerating buckets for account 049881439828.
[buckets] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[buckets] Output written to [cloudfox-output/aws/cflab/table/buckets.txt]
[buckets] Output written to [cloudfox-output/aws/cflab/csv/buckets.csv]
[buckets][cflab] Loot written to [cloudfox-output/aws/cflab/loot/bucket-commands.txt]
[buckets][cflab] 9 buckets found.
[ecr][cflab] Enumerating container repositories for account 049881439828.
[ecr] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[ecr] Output written to [cloudfox-output/aws/cflab/table/ecr.txt]
[ecr] Output written to [cloudfox-output/aws/cflab/csv/ecr.csv]
[ecr][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecr-pull-commands.txt]
[ecr][cflab] 1 repositories found.
[secrets][cflab] Enumerating secrets for account 049881439828.
[secrets][cflab] Supported Services: SecretsManager, SSM Parameters
[secrets] Status: 34/34 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[secrets] Output written to [cloudfox-output/aws/cflab/table/secrets.txt]
[secrets] Output written to [cloudfox-output/aws/cflab/csv/secrets.csv]
[secrets][cflab] Loot written to [cloudfox-output/aws/cflab/loot/pull-secrets-commands.txt]
[secrets][cflab] 7 secrets found.
[ram][cflab] Enumerating shared resources for account 049881439828.
[ram] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[ram] Output written to [cloudfox-output/aws/cflab/table/ram.txt]
[ram] Output written to [cloudfox-output/aws/cflab/csv/ram.csv]
[ram][cflab] 2 resources found.
[๐ฆ cloudfox ๐ฆ ] IAM is complicated. Complicated usually means misconfigurations. You'll want to pay attention here.
[principals][cflab] Enumerating IAM Users and Roles for account 049881439828.
[principals] Output written to [cloudfox-output/aws/cflab/table/principals.txt]
[principals] Output written to [cloudfox-output/aws/cflab/csv/principals.csv]
[principals][cflab] 35 IAM principals found.
[permissions][cflab] Enumerating IAM permissions for account 049881439828.
[permissions] Output written to [cloudfox-output/aws/cflab/table/permissions.txt]
[permissions] Output written to [cloudfox-output/aws/cflab/csv/permissions.csv]
[permissions][cflab] 3889 unique permissions identified.
[access-keys][cflab] Mapping user access keys for account: 049881439828.
[access-keys][cflab] Only active access keys are shown.
[access-keys] Output written to [cloudfox-output/aws/cflab/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cflab/csv/access-keys.csv]
[access-keys][cflab] Loot written to [cloudfox-output/aws/cflab/loot/access-keys.txt]
[access-keys][cflab] 5 access keys found.
[role-trusts][cflab] Enumerating role trusts for account 049881439828.
[role-trusts][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[role-trusts][cflab] Found pmapper data for this account. Using it for role analysis
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-principals.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-principals.csv]
[role-trusts][cflab] 9 role trusts found.
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-services.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-services.csv]
[role-trusts][cflab] 18 role trusts found.
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-federated.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-federated.csv]
[role-trusts][cflab] 3 role trusts found.
[pmapper][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[pmapper][cflab] Parsing pmapper data for account 049881439828.
[pmapper] Output written to [cloudfox-output/aws/cflab/table/pmapper.txt]
[pmapper] Output written to [cloudfox-output/aws/cflab/csv/pmapper.csv]
[pmapper][cflab] 11 principals who are admin or have a path to admin identified.
[iam-simulator][cflab] Running multiple iam-simulator queries for account 049881439828. (This command can be pretty slow, FYI)
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[iam-simulator] Output written to [cloudfox-output/aws/cflab/table/iam-simulator.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cflab/csv/iam-simulator.csv]
[iam-simulator][cflab] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator][cflab] Loot written to [cloudfox-output/aws/cflab/loot/iam-simulator-pmapper-commands.txt]
[๐ฆ cloudfox ๐ฆ ] That's it! Check your output files for situational awareness and check your loot files for next steps.
[๐ฆ cloudfox ๐ฆ ] FYI, we skipped the outbound-assumed-roles module in all-checks (really long run time). Make sure to try it out manually.
| Command | access-keys |
|---|---|
| Summary | This command maps all active access key IDs for all users in an AWS account. |
| Introduced | v1.6.0 |
| Author | Bishop Fox |
| Background | For a long time, people were granted access to AWS via user accounts which could log in with a user/password (Web, aka Console access), or an access key/secret key (CLI access). The problem is that these access keys don't expire. So if you accidentally check in your access key to GitHub, or to PyPi, or to NPM, anyone with access to those sources can use your hardcoded credentials. While putting your access keys into a public location is really bad, it is also bad if you drop these keys into a private location like a private repository or a private organizational Google Drive share. Because it means that any other users in your organization with access to that private repo, or that Google Drive share can just grab your credentials and log into AWS as you. |
| Use case 1: Found a key | You just got an access key and you want to see if it belongs to any of your in-scope accounts and which user it belongs to. Look for the access key in the list of keys associated with this account and any other in-scope accounts. |
| Use case 2: Hunt for keys | Use the access key IDs from this module as your seed list and search for them in other services like Github, Gitlab, Bitbucket, Slack, Sharepoint, Google Drive, Confluence, Jira, etc. |
| Loot file(s): | loot/access-keys.txt |
Example 1: maps all active access keys for all users in the account
โฏ cloudfox aws --profile cf-exec -v2 access-keys
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942186266844000
[access-keys] Mapping user access keys for account: 049881439828.
[access-keys] Only active access keys are shown.
โญโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโฎ
โ User Name โ Access Key ID โ
โโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโค
โ pele โ AKIAQXHJKLZKIJ6QPJFK โ
โ terraform-user โ AKIAQXHJKLZKG2U6MIFF โ
โฐโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโฏ
[access-keys] Output written to [cloudfox-output/aws/cf-exec/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cf-exec/csv/access-keys.csv]
[access-keys] Loot written to [cloudfox-output/aws/cf-exec/loot/access-keys.txt]
[access-keys] 2 access keys found.
Example 2: look up a specific access key
โฏ cloudfox aws --profile cf-exec -v2 access-keys --filter AKIAQXHJKLZKIJ6QPJFK
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942670815294000
[access-keys] Mapping user access keys for account: 049881439828.
[access-keys] Only active access keys are shown.
โญโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโฎ
โ User Name โ Access Key ID โ
โโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโค
โ pele โ AKIAQXHJKLZKIJ6QPJFK โ
โฐโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโฏ
[access-keys] Output written to [cloudfox-output/aws/cf-exec/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cf-exec/csv/access-keys.csv]
[access-keys] Loot written to [cloudfox-output/aws/cf-exec/loot/access-keys.txt]
[access-keys] 1 access keys found.
| Command | api-gws |
|---|---|
| Summary | Enumerate API gateways. Get a loot file with formatted cURL requests. |
| Introduced | v1.13.0 |
| Author | Wyatt Dahlenburg |
| Background | API Gateways are the front door to many other services running in AWS. They can load files from S3 buckets, can redirect to lambda functions, and there are many other options as well. As a penetration tester, you want to use any information you have available to you. So if you have the ability to describe API gateways, you might find an API key that will let you interact with the backend service. This command grabs all of the information needed and generates cURL commands for you to poke at the APIs. |
| Loot file(s): | loot/api-gws.txt |
Example 1: maps all active access keys for all users in the account
[๐ฆ cloudfox v1.13.2 ๐ฆ ][cloudfoxable] AWS Caller Identity: arn:aws:iam::987990985088:user/ctf-starting-user
[๐ฆ cloudfox v1.13.2 ๐ฆ ][cloudfoxable] Account is part of an Organization and is a child account. Management Account: 289507344597
[api-gw][cloudfoxable] Enumerating api-gateways for account 987990985088.
[api-gw] Status: 68/68 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโฎ
โ Service โ Region โ Name โ Method โ Endpoint โ ApiKey โ Public โ
โโโโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโค
โ APIGateway โ us-east-2 โ api1 โ POST โ https://abcdefgt7.execute-api.us-east-2.amazonaws.com/prod/add โ abc โ True โ
โ APIGateway โ us-east-2 โ api2 โ OPTIONS โ https://defghigk.execute-api.us-east-2.amazonaws.com/prod/cart โ โ True โ
โ APIGateway โ us-east-1 โ api3 โ POST โ https://zbbebfdsd.execute-api.us-east-1.amazonaws.com/UUID/UUID โ โ True โ
โ APIGateway โ us-east-2 โ api1 โ POST โ https://abcdefgt7.execute-api.us-east-2.amazonaws.com/prod/removeโ abc โ True โ
โฐโโโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโฏ
[api-gw][cloudfoxable] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#api-gw
[๐ฆ cloudfox v1.13.2 ๐ฆ ][cloudfoxable] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/987990985088
| Command | buckets |
|---|---|
| Summary | Lists the buckets in the account and gives you handy commands for inspecting them further. |
| Introduced | v1.6.0 |
| Author | Bishop Fox |
| Background | S3 buckets contain files. Buckets can be public or private, and files within buckets can also be public or private. If a bucket is public, and it contains sensitive or private data, that can be bad. That's the stuff you hear about on the news. The important to think to look for when evaluating bucket permissions is the combination of list and get permissions. If you can get (download) all of the objects in the bucket, but you can't list them, thats not useful unless you already know the file names or locations. But if you can list and get the objects, you can essentially download the entire bucket. Just because a bucket is private, it does not mean it is not a target on a cloud penetration test. If you are acting as a compromised user or application, and that application has access to a private bucket, that is an attack path worth investigating. As a penetration tester, you'll want to figure out what buckets exist, select the ones that seem interesting, and then ultimately, you'll want to get the objects (files) that seem interesting within the buckets. The way this often plays out is that you use this buckets module to help find interesting items, and then as you gain more access on your penetration test, you check to see if you have gained access to a principal that has permission to access the objects you have identified as interesting. When you have, you can use the commands in the loot file to download the contents of the bucket. |
| Use case 1: Find interesting buckets |
The first thing you should do is look to see which buckets look interesting. Look for buckets names that look like they contain sensitive data, or secrets, or both. |
| Use case 2: Selectively list and/or download files |
Use the pre-populated commands in the loot file to list the file names of certain buckets, and download files from the buckets. You will need to execute these commands as a principal with permission to list and download objects in the targeted buckets, which you might or might not have. |
| Loot file(s): | loot/bucket-commands.txt |
Example:
โฏ cloudfox aws --profile cf-exec -v2 buckets
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942714852430000
[buckets] Enumerating buckets for account 049881439828.
[buckets] Status: 1/1 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Name โ
โโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ S3 โ Global โ cf-templates-1c3fmu2nov5ko-us-east-1 โ
โ S3 โ Global โ cloudfox-bucket1 โ
โ S3 โ Global โ cloudfox-bucket2 โ
โ S3 โ Global โ cloudfox-bucket3 โ
โ S3 โ Global โ cloudfox-terraform-state โ
โฐโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[buckets] Output written to [cloudfox-output/aws/cf-exec/table/buckets.txt]
[buckets] Output written to [cloudfox-output/aws/cf-exec/csv/buckets.csv]
[buckets] Loot written to [cloudfox-output/aws/cf-exec/loot/bucket-commands.txt]
[buckets] 5 buckets found.
Loot Example:
โฏ cat cloudfox-output/aws/cflab/loot/bucket-commands.txt
#############################################
# The profile you will use to perform these commands is most likely not the profile you used to run CloudFox
# Set the $profile environment variable to the profile you are going to use to inspect the buckets.
# E.g., export profile=dev-prod.
#############################################
# ------------------------------
# Bucket: cloudfox-bucket2-zwt9j
# Recursively list all file names
aws --profile $profile s3 ls --human-readable --summarize --recursive --page-size 1000 s3://cloudfox-bucket2-zwt9j/
# Download entire bucket (do this with caution as some buckets are HUGE)
mkdir -p ./s3-buckets/cloudfox-bucket2-zwt9j
aws --profile $profile s3 cp s3://cloudfox-bucket2-zwt9j/ ./s3-buckets/cloudfox-bucket2-zwt9j --recursive
| Command | cape |
|---|---|
| Summary | Enumerates cross-account privilege escalation paths. Cape can answer the questions and more: Which IAM principals in your other accounts can touch your production account? Which vendor accounts, GitHub repositories, Okta groups, and Terraform projects have a path to production? And the most pressing concern: Do any of these cross-account paths lead to administrative privileges? Think of cape like this: Pmapper and cloudfox's role-trusts commands had a baby, and that baby can help you find cross account privilege escalation paths. |
| Introduced | v1.14.0 |
| Author | Bishop Fox |
| Background | As a penetration tester or security engineer, you have been given SecurityAudit permissions to 3 AWS accounts: production, operations, and development. Your objective is to figure out if there is any way the role developer in the development account can gain administrative permissions in the production account. Let's walk through how you can answer that question with cape below. |
Usage Instructions:
- Configure a profile for each in scope account:
production,operations, anddevelopment:โฏ cat ../tmp/sethenv.profiles dev.AWSAdministratorAccess Operations.AdministratorAccess prod.AWSAdministratorAccess - Run pmapper for each profile:
Note: This will save the pmapper data on the host that ran pmapper in a predictable location that cloudfox will use as long as cloudfox is run on the same host/container/machine that ran pmapper.
โฏ for line in `cat ../tmp/sethenv.profiles`; do pmapper --profile $line graph create; done - Run cloudfox's cape command on each profile using cloudfox's
-l(profile-list) option:Note: The./cloudfox aws -l ../tmp/sethenv.profiles cape --admin-only--admin-onlyflag significantly reduces the amount of time it takes for cape to run, so I suggest running that first. Then, feel free to try it without that flag. It will work, but might take hours depending on how many accounts are in scope. - Cloudfox's
capecommand will give you the standard table output by default, but this output is almost impossible to read without ultra wide screen monitor. So to address this, I created a terminal user interface using a go library called Bubbletea. Check it out with the following command:cloudfox aws -l ../tmp/sethenv.profiles cape tui --admin-only
| Command | cloudformation |
|---|---|
| Summary | Lists the cloudformation stacks in the account. Generates loot file with stack details, stack parameters, and stack output. |
| Introduced | v1.8.0 |
| Author | Bishop Fox |
| Background | Cloudformation is AWS's infrastructure as code service. You can create a Cloudformation template, than when executed, creates the AWS resources described in the template. For example, a single Cloudformation template, when executed, can create an EC2 instance, an S3 bucket, and an IAM role, and then it can then attach the IAM role to the EC2 instance. You can sometimes find secrets in Cloudformation templates. This is not as fruitful as finding secrets in environment variables or EC2 user-data scripts, but it is still worth looking. AWS automatically redacts secrets that match certain naming conventions in certain locations, but if you get lucky, you will find a password, API key, or something valuable here. |
| Use case 1: Look for Secrets |
Search the loot file for any secrets. |
| Loot file(s): | loot/cloudformation-data.txt |
Example:
โฏ cloudfox aws --profile cflab -v2 cloudformation
[๐ฆ cloudfox v1.8.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[cloudformation][cflab] Enumerating cloudformation stacks for account 049881439828.
[cloudformation] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโฎ
โ Service โ Region โ Name โ Role โ
โโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโค
โ cloudformation โ us-west-1 โ intro โ โ
โ cloudformation โ us-west-2 โ privesc-cloudformationStack โ โ
โ cloudformation โ us-west-2 โ token โ โ
โฐโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโฏ
[cloudformation] Output written to [cloudfox-output/aws/cflab/table/cloudformation.txt]
[cloudformation] Output written to [cloudfox-output/aws/cflab/csv/cloudformation.csv]
[cloudformation][cflab] Loot written to [cloudfox-output/aws/cflab/loot/cloudformation-data.txt]
Loot Example:
โฏ cat cloudfox-output/aws/cflab/loot/cloudformation-data.txt
#############################################
# Look for secrets. Use something like trufflehog
#############################################
=============================================
Stack Name: privesc-cloudformationStack
Stack Outputs:
Stack Parameters:
Stack Template:
{"Resources":{"Secret1":{"Properties":{"Description":"Super strong password that nobody would ever be able to guess","Name":"iam-vulnerable","SecretString":"Summer2021!"},"Type":"AWS::SecretsManager::Secret"}}}
=============================================
=============================================
Stack Name: token
Stack Outputs:
Stack Parameters:
Stack Parameter Key: IP
Stack Parameter Value: 74.69.129.103
Stack Parameter Key: VPC
Stack Parameter Value: vpc-0c924df8a157859e0
Stack Parameter Key: Subnet
Stack Parameter Value: subnet-0be80af569fa0e1a4
Stack Template:
Parameters:
IP:
Type: String
Description: Enter your source IPv4 address
...omitted for brevity...
| Command | codebuild |
|---|---|
| Summary | Enumerate CodeBuild projects. |
| Introduced | v1.11.0 |
| Author | Bishop Fox |
Example:
โฏ cloudfox aws --profile cflab -v2 codebuild
[๐ฆ cloudfox v1.13.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[codebuild][cflab] Enumerating codebuild projects for account 049881439828.
[codebuild] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Region โ Name โ Role โ IsAdminRole? โ CanPrivEscToAdmin? โ
โโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ us-west-2 โ testing-deployment โ arn:aws:iam::049881439828:role/ecs/deployment/testing โ No โ No โ
โ us-west-2 โ notifications-deployment โ arn:aws:iam::049881439828:role/ecs/deployment/code-build-notifications โ No โ No โ
โ us-west-2 โ search-deployment โ arn:aws:iam::049881439828:role/ecs/deployment/code-build--search โ No โ No
โฐโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[codebuild][cflab] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cflab-049881439828/table/codebuild.txt
[codebuild][cflab] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cflab-049881439828/csv/codebuild.csv
[codebuild][cflab] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cflab-049881439828/json/codebuild.json
| Command | databases |
|---|---|
| Summary | Enumerate RDS databases. Get a loot file with connection strings |
| Introduced | v1.11.0 |
| Author | Bishop Fox (Contributions from @enzowritescode) |
Example:
โฏ cloudfox aws --profile cloudfoxable databases
[๐ฆ cloudfox v1.14.0-prerelease ๐ฆ ][cloudfoxable] AWS Caller Identity: arn:aws:iam::987990985088:user/ctf-starting-user
[๐ฆ cloudfox v1.14.0-prerelease ๐ฆ ][cloudfoxable] Account is part of an Organization and is a child account. Management Account: 289507344597
[databases][cloudfoxable] Enumerating databases for account 987990985088.
[databases][cloudfoxable] Supported Services: RDS, Redshift, DynamoDB, DocumentDB, Neptune
[databases] Status: 51/51 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[databases][cloudfoxable] Loot written to [/Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/loot/databases-UrlsOnly.txt]
โญโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโฌโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโฎ
โ Service โ Engine โ Region โ Name โ Size โ UserName โ Endpoint โ Port โ
โโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโผโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโค
โ DynamoDB โ โ us-west-2 โ my-user-profiles โ 0 โ N/A โ N/A โ 0 โ
โฐโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโดโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโฏ
[databases][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/table/databases.txt
[databases][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/csv/databases.csv
[databases][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/json/databases.json
[databases][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/loot/databases-UrlsOnly.txt.txt
[databases][cloudfoxable] 2 databases found.
[databases][cloudfoxable] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#databases
[๐ฆ cloudfox v1.14.0-prerelease ๐ฆ ][cloudfoxable] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/987990985088
| Command | ecr |
|---|---|
| Summary | List the most recently pushed image from all repositories. |
| Introduced | v1.6.0 |
| Author | Bishop Fox |
| Background | ECR is a container image registry, like DockerHub. An organization can use ECR to host public public images, but most organizations use it mainly for private images that are used in their private infrastructure. Sometimes, the people who create images include sensitive credentials or sensitive client data in the image itself, which should not be the case. The recommended approach is to keep the container image free of hardcoded credentials or data and to pull that information down to the container at runtime. As a penetration tester, if you have access to a principal that can download container images from ECR, you should use commands in the loot file to pull selected container images to your local filesystem, look for secrets, sensitive data, or anything else that might help you mean the penetration testing objectives. |
| Use case 1: | Look for Secrets and/or other sensitive data. |
| Loot file(s): | loot/cloudformation-data.txt |
Example:
โฏ cloudfox aws --profile cf-exec -v2 ecr
[๐ฆ cloudfox v1.9.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[ecr][cflab] Enumerating container repositories for account 049881439828.
[ecr] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโฎ
โ Service โ Region โ Name โ URI โ PushedAt โ ImageTags โ ImageSize โ
โโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโค
โ ECR โ us-west-2 โ cloudfox-repo โ 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest โ 2022-09-12 17:51:57 โ latest โ 718945268 โ
โฐโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโฏ
[ecr] Output written to [cloudfox-output/aws/cflab/table/ecr.txt]
[ecr] Output written to [cloudfox-output/aws/cflab/csv/ecr.csv]
[ecr][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecr-pull-commands.txt]
[ecr][cflab] 1 repositories found.
Loot Example:
โฏ cat cloudfox-output/aws/cflab/loot/ecr-pull-commands.txt
#############################################
# The profile you will use to perform these commands is most likely not the profile you used to run CloudFox
# Set the $profile environment variable to the profile you are going to use to inspect the repositories.
# E.g., export profile=dev-prod.
#############################################
aws --profile $profile --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin 049881439828.dkr.ecr.us-west-2.amazonaws.com
docker pull 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest
docker inspect 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest
docker history --no-trunc 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest
docker run -it --entrypoint /bin/sh 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest
docker save 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest -o cloudfox-repo.tar
| Command | ecs-tasks |
|---|---|
| Summary | List all ecs tasks. This returns a list of ecs tasks and associated cluster, task definition, container instance, launch type, and associated IAM principal. |
| Introduced | v1.9.0 |
| Author | Dominic Breuker |
| Background | The Elastic Container Service is a way for you to run containers in AWS in a managed way. You can run a container directly on a EC2 image if you'd like. You can also use Kubernetes to run containers. Think of ECS as somewhere in between doing it yourself, and using full blown Kubernetes. You create a task definition which defines what container image to use, what code to deploy, what IAM role to associate, and many other container configuration options. You can then configure a task that deploys the task definition and, optionally, maps a service to the task definition so it is accessible to other resources. As a penetration tester, you can first think about attacking ECS tasks from a network perspective. Just like you can run code on an EC2 instance and target it via it's DNS name or IP address, you can do the same to ECS tasks. Like EC2, these are mostly going to be running web based services, but they can and often do run non web based services. Also like EC2 instances, if you can compromise a service running on an ECS task and gain RCE or SSRF, you can access the temporary credentials applied to the task and perform any action that the task can perform. |
| Use case 1: | Attack network services running on ECS tasks. Use the loot files with tools like nmap, Aquatone/EyeWitness/GoWitness. If you compromise a service, try to access the task's IAM role. |
| Loot file(s): |
loot/ecs-tasks-PublicIPs.txt loot/ecs-tasks-PrivateIPs.txt
|
Example:
โฏ cloudfox aws -p cflab ecs-tasks -v2
[๐ฆ cloudfox v1.9.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[ecs-tasks][cflab] Enumerating ECS tasks in all regions for account 049881439828
[ecs-tasks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[ecs-tasks][cflab] Found pmapper data for this account. Using it for role analysis.
[ecs-tasks] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Cluster โ TaskDefinition โ LaunchType โ ID โ External IP โ Internal IP โ RoleArn โ IsAdminRole? โ CanPrivEscToAdmin? โ
โโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ cloudfox-cluster โ webapp:13 โ FARGATE โ 44050e9c230a408593b9e7709be01ddf โ 35.92.101.69 โ 10.0.1.113 โ arn:aws:iam::049881439828:role/rapinoe โ No โ No โ
โฐโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/table/ecs-tasks.txt]
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/csv/ecs-tasks.csv]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PrivateIPs.txt]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PublicIPs.txt]
[ecs-tasks][cflab] 1 ECS tasks found.
Example:
โฏ cat cloudfox-output/aws/cflab/loot/ecs-tasks-PublicIPs.txt
52.41.51.204
โฏ cat cloudfox-output/aws/cflab/loot/ecs-tasks-PrivateIPs.txt
10.0.1.205
| Command | eks |
|---|---|
| Summary | List all EKS clusters, see if they expose their endpoint publicly, and check the associated IAM roles attached to reach cluster or node group. Generates a loot file with the aws eks udpate-kubeconfig command needed to connect to each cluster. |
| Introduced | v1.9.0 |
| Author | Bishop Fox |
| Background | Kubernetes is a container orchestrator, aka, a way to run containers. EKS is AWS's managed Kubernetes offering. Penetration testing AWS with managed Kubernetes is kind of by like the movie inception. You don't have a clear view of the Kubernetes layer until you're in the Kubernetes layer. You first need to gain access to a user with access to the Kubernetes cluster, or a service within the cluster to see what's going on. Another thing to note is you can have an environment where 90% of the "secret sauce" of the company uses AWS native services like EC2, S3, RDS, Lambda, etc., and maybe 10% uses EKS/Kubernetes. You can also have an environment where 10% of the "secret sauce" is running on AWS services, and 90% is running inside the EKS cluster. Another illustrative example: you can have an AWS account running at a cost of $100k/month where the whole account consists of 1 EKS cluster! Not an EC2 instance, Lambda function, RDS database, or S3 bucket in sight. As a penetration tester, if EKS is in use, you wan't to see if there is any way to gain access to a principal with access to the target cluster(s). One important note here, is that you might find a principal with the eks:update-kubeconfig permission, but that is only half of what you need to access the cluster. That gives you the ability to connect to the cluster, but then it depends on if your user has access to the cluster (that configuration can happens in the cluster itself (kube-system/configmaps/aws-auth), and not in AWS). |
| Use case 1: Look for access to clusters |
Use the loot file commands to see if any of your compromised principals have access to any of the EKS clusters. This authorization check happens inside the cluster, so this is a case where brute force (seeing if you can access all of the clusters) might be fruitful. |
| Loot file(s): | loot/eks-kubeconfig-commands.txt |
Example:
โฏ cloudfox aws -p cflab eks -v2
[๐ฆ cloudfox v1.9.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[eks][cflab] Enumerating EKS clusters for account 049881439828.
[eks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[eks][cflab] Found pmapper data for this account. Using it for role analysis.
[eks] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Name โ Public โ NodeGroup โ Role โ IsAdminRole? โ CanPrivEscToAdmin? โ
โโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ EKS โ us-east-1 โ test-eks โ true โ nodegroup1 โ arn:aws:iam::049881439828:role/role1 โ No โ No โ
โ EKS โ us-east-1 โ test-eks โ true โ nodegroup2 โ arn:aws:iam::049881439828:role/role2 โ No โ No โ
โฐโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[eks] Output written to [cloudfox-output/aws/cflab/table/eks.txt]
[eks] Output written to [cloudfox-output/aws/cflab/csv/eks.csv]
[eks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/eks-kubeconfig-commands.txt]
[eks][cflab] 1 clusters with a total of 2 node groups found.
Loot Example:
cat cloudfox-output/aws/cflab/loot/eks-kubeconfig-commands.txt
#############################################
# The profile you will use to perform these commands is most likely not the profile you used to run CloudFox
# Set the $profile environment variable to the profile you are going to use to inspect the repositories.
# E.g., export profile=found_creds
#############################################
aws --profile $profile --region us-east-1 eks update-kubeconfig --name cflab
| Command | elastic-network-interfaces |
|---|---|
| Summary | List all elastic network interfaces, including eni ID, type, external IP, private IP, VPCID, attached instance and a description. |
| Introduced | v1.9.0 |
| Author | Dominic Breuker |
| Background | Elastic network interfaces are the virtual NICs that get attached to resources in your account, like EC2 instances, RDS databases, ECS tasks, and Elastic Load Balancers. This command get's you ALL of the IP addresses associated with ENIs. Think of the data returned by this module as a superset of the data returned from the instances command. This command gives you all of the IPs associated with EC2 instances, but it also includes IP addresses associated with RDS databases, EFS mounts, Gateways, ELBs, and more. In other words, if you only scan the IP addresses assigned to EC2 instances, you will miss services running in the AWS account. As a penetration tester, you can take the IP addresses generated from this command and feed them into your port scanning tools like nmap and your application fingerprinting tools like Aquatone/EyeWitness/GoWitness. |
| Use case 1 | Identify and attack network services |
| Loot file(s): |
loot/elastic-network-interfaces-PrivateIPs.txt loot/elastic-network-interfaces-PublicIPs.txt
|
Example:
โฏ cloudfox aws -p cflab eni -v2
[๐ฆ cloudfox v1.9.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[elastic-network-interfaces][cflab] Enumerating elastic network interfaces in all regions for account 049881439828
[elastic-network-interfaces] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ ID โ Type โ External IP โ Internal IP โ VPC ID โ Attached Instance โ Description โ
โโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ eni-0d53e3af1ccb2ff78 โ interface โ 34.221.102.135 โ 10.0.1.198 โ vpc-0a5b555f19236f968 โ i-09c4720abd8089326 โ โ
โ eni-00ba66c87a55bb1a0 โ interface โ NoExternalIP โ 10.0.1.160 โ vpc-0a5b555f19236f968 โ โ EFS mount target for fs-056221b8056f6cb13 (fsmt-0e32c91201616cd48) โ
โ eni-0c9cedc3ea703c03f โ interface โ 52.12.121.187 โ 10.0.1.106 โ vpc-0a5b555f19236f968 โ i-08c087a559323aff9 โ โ
โ eni-0b315774508ae9615 โ interface โ 54.187.4.219 โ 10.0.1.111 โ vpc-0a5b555f19236f968 โ i-08ec238f610e9c915 โ โ
โ eni-0b409f9e9de0325d0 โ interface โ 52.26.221.228 โ 10.0.1.63 โ vpc-0a5b555f19236f968 โ i-06ba5dcc0b5de0257 โ โ
โ eni-0ae4d60fd191fee82 โ interface โ 52.41.51.204 โ 10.0.1.205 โ vpc-0a5b555f19236f968 โ โ arn:aws:ecs:us-west-2:049881439828:attachment/15b7c6be-e4c5-4a40-9da2-226fd2f7fab2 โ
โ eni-0da7f0c3498e8688d โ interface โ 34.214.146.170 โ 172.31.29.24 โ vpc-0c924df8a157859e0 โ i-02ec97d835d8738dc โ โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/table/elastic-network-interfaces.txt]
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/csv/elastic-network-interfaces.csv]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PrivateIPs.txt]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PublicIPs.txt]
[elastic-network-interfaces][cflab] 7 elastic network interfaces found.
Loot Example:
โฏ cat cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PrivateIPs.txt
172.31.29.24
10.0.1.34
10.0.1.205
10.0.1.111
10.0.1.160
10.0.1.63
10.0.1.139
10.0.1.106
10.0.1.198
โฏ cat cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PublicIPs.txt
34.214.146.170
54.188.27.193
52.41.51.204
54.187.4.219
52.26.221.228
54.187.54.60
52.12.121.187
34.221.102.135
| Command | endpoints |
|---|---|
| Summary | This command enumerates endpoints from various services. |
| Introduced | v1.6.0 |
| Author | Bishop Fox |
| Background | This command queries multiple AWS services that create AWS endpoints for you, i.e., the ones suffixed with *.amazonaws.com, *.cloudfront.net, and *.on.aws. This is yet another place you want to look for vulnerable applications and services in the target environment. There will certainly be overlap between the domain based output of this endpoints command and the IP addresses retrieved from the elastic-network-interfaces command, but due to virtual hosting, sometimes you will get a different result when you use the correct hostname (aka, this endpoint data). Additionally, with the endpoints command you get the specific port the service is hosted on, rather than just the IP address, which means you can skip the nmap phase if you'd like. As a penetration tester, you can take the endpoints generated from this command and feed them into your application fingerprinting tools like Aquatone/EyeWitness/GoWitness. |
| Use case 1 | Look for public endpoints that expose sensitive information |
| Use case 2 | Look for any endpoint (public or private that does not require authentication, use weak or default credentials, or contain vulnerabilities |
| Loot file(s): | loot/endpoints-UrlsOnly.txt.txt |
Example:
โฏ cloudfox aws --profile cf-exec -v2 endpoints
[๐ฆ cloudfox v1.9.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[endpoints][cflab] Enumerating endpoints for account 049881439828.
[endpoints][cflab] Supported Services: App Runner, APIGateway, ApiGatewayV2, Cloudfront, EKS, ELB, ELBv2, Grafana,
[endpoints][cflab] Lambda, MQ, OpenSearch, Redshift, RDS
[endpoints] Status: 212/212 tasks complete (9 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโฎ
โ Service โ Region โ Name โ Endpoint โ Port โ Protocol โ Public โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโผโโโโโโโโโโโผโโโโโโโโโค
โ App Runner โ us-west-2 โ example โ https://wejpymersj.us-west-2.awsapprunner.com โ 443 โ https โ True โ
โ ELB โ us-west-2 โ cloudfox-elb โ http://cloudfox-elb-834557314.us-west-2.elb.amazonaws.com:80 โ 80 โ HTTP โ True โ
โ Lambda โ us-west-2 โ lambda2 โ https://scyoucfcogj5mthweznc5fcuva0mpokg.lambda-url.us-west-2.on.aws/ โ 443 โ https โ True โ
โ Lambda โ us-west-2 โ lambda1 โ https://jrtbo2vgw6o74nexfozi3ltgey0kupgn.lambda-url.us-west-2.on.aws/ โ 443 โ https โ True โ
โ RDS โ us-west-2 โ cloudfox-rds โ cloudfox-rds.ckzvqq0tjs4a.us-west-2.rds.amazonaws.com โ 3306 โ mysql โ True โ
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโดโโโโโโโโโโโดโโโโโโโโโฏ
[endpoints] Output written to [cloudfox-output/aws/cf-exec/table/endpoints.txt]
[endpoints] Output written to [cloudfox-output/aws/cf-exec/csv/endpoints.csv]
[endpoints] Loot written to [cloudfox-output/aws/cf-exec/loot/endpoints-UrlsOnly.txt]
[endpoints] 5 endpoints enumerated.
Loot Example:
โฏ cat cloudfox-output/aws/cflab/loot/endpoints-UrlsOnly.txt
http://cloudfox-elb-1403229762.us-west-2.elb.amazonaws.com:80
https://lxs33inw57msz5qkrylengyr240zvxqg.lambda-url.us-west-2.on.aws/
https://fzh63adzkekw4tqlrssqqpepra0dfwjk.lambda-url.us-west-2.on.aws/
| Command | env-vars |
|---|---|
| Summary | Grabs the environment variables from services that have them (App Runner, ECS, Lambda, Lightsail containers, Sagemaker are supported. |
| Introduced | v1.6.0 |
| Author | Bishop Fox |
| Background | Environment variables are used to store environmental context at an operating system level. For example, if you don't want to hard-code a specific S3 bucket name into your application, but rather you want your application to write to one S3 bucket when the app runs in prod, and another S3 bucket when it runs in dev, you can code your application to read the value of the S3_BUCKET environment variable at runtime, and use that to figure out which bucket to use for writing. Some AWS services, like Lambda and ECS allow you to set environment variables when you define the workload. This is perfectly normal and benign. However, when sensitive credentials are set as environment variables, this can lead to unintended privilege escalation. Specifically, the issue is that there might be users who have the IAM permissions to read the workload configuration, including environment variables, even though they don't have permission to execute the workloads. Think about someone who has the lambda:listfunctions permission, but nothing else. If the user has access to read the environment variables for all lambda functions, and inside an environment variable administrative credentials for the AWS are stored, the user with nothing other than lambda:listfunctions can now gain administrative access to the account. As a penetration tester, look through the env-vars output, and if you find any secrets/credentials, you should track down who has access to those credentials using cloudfox iam-simulator's advanced options, and/or pmapper's who-can command syntax. |
| Use case 1 | Look for secrets. If you find one, find what IAM principals have permissions to use the secret, and try to gain access to one of those IAM principals. |
Example:
โฏ cloudfox aws --profile cf-exec -v2 env-vars
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942784490595000
[env-vars] Enumerating environment variables in all regions for account 049881439828.
[env-vars] Supported Services: App Runner, Elastic Container Service, Lambda, Lightsail Containers, Sagemaker
[env-vars] Status: 105/105 tasks complete (48 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Name โ Key โ Value โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโผโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ App Runner โ us-west-2 โ example โ secret_password โ 12345 โ
โ Lambda โ us-west-2 โ lambda1 โ RDS_PASSWORD โ ]M=rsDq}p9n:u{6*$dz2}}t7D:YH#k7 โ
โ Lambda โ us-west-2 โ lambda1 โ RDS_USER โ admin โ
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโดโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[env-vars] Output written to [cloudfox-output/aws/cf-exec/table/env-vars.txt]
[env-vars] Output written to [cloudfox-output/aws/cf-exec/csv/env-vars.csv]
[env-vars] 3 environment variables found.
| Command | filesystems |
|---|---|
| Summary | Enumerate the EFS and FSx filesystems that you might be able to mount without credentials (if you have the right network access). |
| Introduced | v1.6.0 |
| Author | Bishop Fox |
| Background | EFS is the most famous AWS filesytem, but this command also looks at the FSx family of filesystems as well. The important thing here is that while EFS and some of the other filessytems provide a mechanim to enforce IAM based authentication, that option is often not used. So this means that if you have internal network access to the VPC, most likely via a compromised or simulated assumed-breach host, you might just be able to mount a filesystem without any credentials and start browsing around. As a penetration tester, look through the filesystems loot output for the specific commands to mount all of the filesystems contained within the account. If you are in the right VPC and subnet, you might be able to mount the filesystem and browse the files. This is another one of those cases where it might just be easier to run all of the commands in the loot file from your compromised host and just hope for the best. Even if IAM is enforced, this just means that have to first gain access to a role that has the right EFS/FSx permissions to mount the share, and then you can mount the share and accces the data. |
Example: Enumerate any EFS or FSx shares
โฏ cloudfox aws --profile cf-exec -v2 filesystems
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942818660709000
[filesystems] Enumerating filesystems for account 049881439828.
[filesystems] Supported Services: EFS, FSx
[filesystems] Status: 42/42 tasks complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Name โ DNS Name โ Mount Target โ Policy โ
โโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโค
โ EFS โ us-west-2 โ cloudfox-efs โ 10.0.1.115 โ fsmt-079d42aa439682a63 โ Default (No IAM auth) โ
โฐโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโฏ
[filesystems] Output written to [cloudfox-output/aws/cf-exec/table/filesystems.txt]
[filesystems] Output written to [cloudfox-output/aws/cf-exec/csv/filesystems.csv]
[filesystems] Loot written to [cloudfox-output/aws/cf-exec/loot/filesystems-mount-commands.txt]
[filesystems] 1 filesystems found.
Loot Example:
โฏ cat cloudfox-output/aws/cflab/loot/filesystems-mount-commands.txt
########## Mount instructions for EFS - cloudfox-efs ##########
mkdir -p /efs/fsmt-0e32c91201616cd48/
sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 10.0.1.160:/ /efs/fsmt-0e32c91201616cd48
| Command | filesystems |
|---|---|
| Summary | Like pmapper, but uses the IAM policy simulator. It uses AWS's evaluation logic, but notably, it doesn't consider transitive access via privesc, which is why you should also always also use pmapper. |
| Introduced | v1.6.0 |
| Author | Bishop Fox |
| Background | The IAM "Simulate Principal Policy" feature allows you to test test if a particular IAM principal (i.e., user or role) can perform an action on a resource. As a penetration tester, there are some actions (aka permissions) that are quite interesting, and I often want to know who can perform those permissions on all resources. For example, who can read all objects in all S3 buckets? It would be nice to have a short list of everyone who can do that. Or, who can use the ssm:StartSession permission on all resources? That's what the default mode does. It takes a hardcoded list of actions that are interesting to penetration testers, and asks who has the permission to perform those actions. However, this is only the default mode in cloudfox. If you look at the examples below, you can use the command line parameters to ask a lot of different questions to the iam-simulator. |
| Use case 1 | Check every principal against the hardcoded list of interesting (for a pentester) permissions |
| Use case 2 | Check a specific principal against the hardcoded list of interesting permissions |
| Use case 3 | Check a specific principal against a specific permission |
| Use case 4 | Check all principals against a specific permission |
Example: Default mode checks every principal against a hardcoded list of specific permissions for any resource
โฏ cloudfox aws --profile cf-exec -v2 iam-simulator
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942906111954000
[iam-simulator] Running multiple iam-simulator queries for account 049881439828. (This command can be pretty slow, FYI)
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Principal โ Query โ
โโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ Appears to be an administrator โ
โ IAM โ arn:aws:iam::049881439828:role/adams โ Appears to be an administrator โ
โ IAM โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 โ Appears to be an administrator โ
โ IAM โ arn:aws:iam::049881439828:role/press โ Appears to be an administrator โ
โ IAM โ arn:aws:iam::049881439828:user/terraform-user โ Appears to be an administrator โ
โ IAM โ arn:aws:iam::049881439828:role/not-admin โ Appears to be an administrator โ
โ IAM โ arn:aws:iam::049881439828:role/CloudFox-exec-role โ can apprunner:DescribeService on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport โ can apprunner:DescribeService on * โ
โ IAM โ arn:aws:iam::049881439828:role/CloudFox-exec-role โ can ec2:DescribeInstanceAttributeInput on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876 โ can ec2:DescribeInstanceAttributeInput on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS โ can ec2:DescribeInstanceAttributeInput on * โ
โ IAM โ arn:aws:iam::049881439828:role/rapinoe โ can ecr:BatchGetImage on * โ
โ IAM โ arn:aws:iam::049881439828:role/rapinoe โ can ecr:GetAuthorizationToken on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876 โ can ecs:DescribeTaskDefinition on * โ
โ IAM โ arn:aws:iam::049881439828:role/CloudFox-exec-role โ can ecs:DescribeTaskDefinition on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport โ can ecs:DescribeTaskDefinition on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876 โ can lambda:ListFunctions on * โ
โ IAM โ arn:aws:iam::049881439828:role/CloudFox-exec-role โ can lambda:ListFunctions on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport โ can lambda:ListFunctions on * โ
โ IAM โ arn:aws:iam::049881439828:role/lavelle โ can lambda:ListFunctions on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer โ can lambda:ListFunctions on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5 โ can lambda:ListFunctions on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5 โ can s3:GetObject on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor โ can s3:ListBucket on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport โ can s3:ListBucket on * โ
โ IAM โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5 โ can s3:ListBucket on * โ
โ IAM โ arn:aws:iam::049881439828:role/dempsey โ can ssm:StartSession on * โ
โฐโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[iam-simulator] Output written to [cloudfox-output/aws/cf-exec/table/iam-simulator.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-exec/csv/iam-simulator.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-exec/loot/iam-simulator-pmapper-commands.txt]
Example 2: Check a specific principal against the hardcoded list of interesting permissions
โฏ cloudfox aws --profile cf-prod iam-simulator -v2 --principal arn:aws:iam::049881439828:role/OrganizationAccountAccessRole
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if arn:aws:iam::049881439828:role/OrganizationAccountAccessRole can do any actions of interest.
[iam-simulator] Status: 0/0 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Principal โ Query โ
โโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can apprunner:DescribeService on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can ec2:DescribeInstanceAttributeInput on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can ecr:BatchGetImage on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can ecr:GetAuthorizationToken on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can ecs:DescribeTaskDefinition on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can eks:UpdateClusterConfig on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can iam:PassRole on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can lambda:ListFunctions on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can s3:GetObject on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can s3:ListBucket on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can secretsmanager:GetSecretValue on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can ssm:GetParameter on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can ssm:StartSession on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can ssm:sSendCommand on * โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can sts:AssumeRole on * โ
โฐโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
Example 3: Check a specific principal against a specific permission
โฏ cloudfox aws --profile cf-prod iam-simulator -v2 --principal arn:aws:iam::049881439828:role/OrganizationAccountAccessRole --action iam:PassRole
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if arn:aws:iam::049881439828:role/OrganizationAccountAccessRole can do iam:PassRole.
[iam-simulator] Status: 0/0 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Principal โ Query โ
โโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโค
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ can iam:PassRole on * โ
โฐโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโฏ
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/table/iam-simulator-custom-1662941825.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/csv/iam-simulator-custom-1662941825.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-prod/loot/iam-simulator-pmapper-commands.txt]
Example 4: Check all principals against a specific permission
โฏ cloudfox aws --profile cf-prod iam-simulator -v2 --action ecr:putimage
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if any principal can do ecr:putimage.
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Principal โ Query โ
โโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ IAM โ arn:aws:iam::049881439828:user/terraform-user โ Appears to be an administrator โ
โ IAM โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 โ Appears to be an administrator โ
โ IAM โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ Appears to be an administrator โ
โฐโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/table/iam-simulator-custom-1662941969.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/csv/iam-simulator-custom-1662941969.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-prod/loot/iam-simulator-pmapper-commands.txt]
| Command | instances |
|---|---|
| Summary | List all EC2 instances, including IP address information and associated IAM principal. |
| Introduced | v1.6.0 |
| Background | The EC2 service allows you to run virtual machines in AWS. As a penetration tester with internal access to the Virtual Private Cloud (VPC), you can use CloudFox to enumerate which IP addresses are live, and then apply your traditional penetration testing methodology here - nmap to identify services, use other tools to identify what applications are running on any open ports, etc. If you can compromise a service running on an EC2 instance and gain RCE or SSRF, you can access the temporary credentials applied to the task and perform any action that the task can perform. Additionally, EC2 instances often store scripts or other metadata in the user-data attribute, and that is often a place where you can find secrets or other sensitive information. |
| Use case 1: | Attack network services running on EC2 tasks. Use the loot files with tools like nmap, Aquatone/EyeWitness/GoWitness. If you compromise a service, try to access the task's IAM role. |
| Use case 2: | Use the --userdata flag to generate a loot file that contains the user-data for every EC2 instance in the account, so that you can look for secrets or other sensitive data |
| Use case 3: | Quickly identify which EC2 instances, including which instances have admin permissions attached and target those for privesc |
| Loot file(s): |
loot/instances-ec2PrivateIPs.txt loot/instances-ec2PrivateIPs.txt loot/instances-userdata.txt
|
Example 1: Enumerate general information about EC2 instances, including which instances have admin permissions attached
โฏ cloudfox aws -p cflab instances -v2
[๐ฆ cloudfox v1.9.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[instances][cflab] Enumerating EC2 instances in all regions for account 049881439828
[instances][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[instances][cflab] Found pmapper data for this account. Using it for role analysis.
[instances] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโฌโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Name โ ID โ Zone โ State โ External IP โ Internal IP โ Role โ IsAdminRole? โ CanPrivEscToAdmin? โ
โโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโผโโโโโโโโโโผโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ โ i-02ec97d835d8738dc โ us-west-2b โ running โ 34.214.146.170 โ 172.31.29.24 โ arn:aws:iam::049881439828:role/imdvs2-challenge-role โ No โ No โ
โ instance1 โ i-06ba5dcc0b5de0257 โ us-west-2a โ running โ 52.26.221.228 โ 10.0.1.63 โ โ โ โ
โ instance2 โ i-09c4720abd8089326 โ us-west-2a โ running โ 34.221.102.135 โ 10.0.1.198 โ โ โ โ
โ instance3 โ i-08c087a559323aff9 โ us-west-2a โ running โ 52.12.121.187 โ 10.0.1.106 โ arn:aws:iam::049881439828:role/press โ YES โ YES โ
โ instance4 โ i-08ec238f610e9c915 โ us-west-2a โ running โ 54.187.4.219 โ 10.0.1.111 โ โ โ โ
โฐโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโดโโโโโโโโโโดโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[instances] Output written to [cloudfox-output/aws/cflab/table/instances.txt]
[instances] Output written to [cloudfox-output/aws/cflab/csv/instances.csv]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PrivateIPs.txt]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PublicIPs.txt]
[instances][cflab] 5 instances found.
Example 2: obtain only userData attributes for EC2 instances
This is a separate flag because userData does not fit in table or CSV output formats.
โฏ cloudfox aws --profile cf-exec -v2 instances --userdata
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943069534483000
[instances] Enumerating EC2 instances in all regions for account 049881439828
[instances] Status: 21/21 tasks complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
=============================================
Instance Arn: arn:aws:ec2:us-west-2:049881439828:instance/i-020e69c99ce4c7a97
Region: us-west-2
Instance Profile: NoInstanceProfile
User Data:
#!/bin/bash
export RDS_USER="admin"
export RDS_PASSWORD="]M=rsDq}p9n:u{6*$dz2}}t7D:YH#k7"
=============================================
[instance-userdata] Loot written to [cloudfox-output/aws/cf-exec/loot/instance-userdata.txt]
| Command | inventory |
|---|---|
| Summary | Quickly identify the rough size and the regions used for an AWS account. |
| Introduced | v1.6.0 |
| Background | As a penetration tester, inventory is a great way to quickly get a rough idea of which regions are used by a particular AWS account, which of the more popular service are being used, and roughly how big an account is. It's important to know that CloudFox's inventory command only count's a subset of the services that AWS supports. |
| Use case 1: | Quickly learn what regions are being used. This will prevent you from completely missing huge chucks (or small chunks) of attackable surface area because you forgot to look at other regions. |
| Use case 2: | Quickly learn what the most common services are. This will help you focus your methodology on the services that are used by this particular AWS account |
Example:
โฏ cloudfox aws --profile cf-exec -v2 inventory
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943145181650000
[inventory] Enumerating selected services in all regions for account 049881439828.
[inventory] Supported Services: ApiGateway, ApiGatewayv2, AppRunner, CloudFormation, Cloudfront, EC2, ECS, EKS,
[inventory] ELB, ELBv2, Grafana, IAM, Lambda, Lightsail, MQ, OpenSearch, RDS, S3, SecretsManager, SSM
[inventory] Status: 357/357 tasks complete (90 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโฎ
โ Resource Type โ us-west-2 โ us-east-1 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโค
โ Total โ 24 โ 10 โ
โ APIGateway RestAPIs โ - โ - โ
โ APIGatewayv2 APIs โ - โ - โ
โ AppRunner Services โ 1 โ - โ
โ CloudFormation Stacks โ 7 โ 8 โ
โ Cloudfront Distributions โ - โ - โ
โ EC2 Instances โ 4 โ 2 โ
โ ECS Tasks โ 1 โ - โ
โ EKS Clusters โ - โ - โ
โ ELB Load Balancers โ 1 โ - โ
โ ELBv2 Load Balancers โ - โ - โ
โ Grafana Workspaces โ - โ - โ
โ Lambda Functions โ 2 โ - โ
โ Lightsail Instances/Containers โ - โ - โ
โ MQ Brokers โ - โ - โ
โ OpenSearch DomainNames โ - โ - โ
โ RDS DB Instances โ 1 โ - โ
โ SecretsManager Secrets โ 3 โ - โ
โ SSM Parameters โ 4 โ - โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโฏ
[inventory] Output written to [cloudfox-output/aws/cf-exec/table/inventory.txt]
[inventory] Output written to [cloudfox-output/aws/cf-exec/csv/inventory.csv]
โญโโโโโโโโโโโโโโโโฌโโโโโโโโฎ
โ Resource Type โ Total โ
โโโโโโโโโโโโโโโโโผโโโโโโโโค
โ S3 Buckets โ 5 โ
โ IAM Users โ 2 โ
โ IAM Roles โ 29 โ
โฐโโโโโโโโโโโโโโโโดโโโโโโโโฏ
[inventory] Output written to [cloudfox-output/aws/cf-exec/table/inventory-global.txt]
[inventory] Output written to [cloudfox-output/aws/cf-exec/csv/inventory-global.csv]
[inventory] 70 resources enumerated in the services we looked at. This is NOT the total number of resources in the account.
| Command | lambda |
|---|---|
| Summary | Lists the Lambda functions in the account, including which one's have admin roles attached. Also gives you handy commands for downloading each function. |
| Introduced | v1.8.0 |
| Background | The Lambda service allows you to run code in AWS without an EC2 instance or even your own container image. You upload your code, and other things can "trigger" your lambda function to act. If you can compromise a service running on an lambda function and gain RCE, you can access the temporary credentials applied to the container running the function and perform any action that the task can perform. |
| Use case 1: | Quickly identify which Lambda instances, including which functions have admin permissions attached and target those for exploitation. |
| Loot file(s): | loot/lambda.txt |
Example:
โฏ cloudfox aws -p cflab lambda -v2
[๐ฆ cloudfox v1.9.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[lambdas][cflab] Enumerating lambdas for account 049881439828.
[lambdas][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[lambdas][cflab] Found pmapper data for this account. Using it for role analysis.
[lambdas] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Resource Arn โ Role โ IsAdminRole? โ CanPrivEscToAdmin? โ
โโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ Lambda โ us-west-2 โ lambda2 โ arn:aws:iam::049881439828:role/adams โ YES โ YES โ
โ Lambda โ us-west-2 โ lambda1 โ arn:aws:iam::049881439828:role/aaronson โ No โ No โ
โฐโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[lambdas] Output written to [cloudfox-output/aws/cflab/table/lambdas.txt]
[lambdas] Output written to [cloudfox-output/aws/cflab/csv/lambdas.csv]
[lambdas][cflab] Loot written to [cloudfox-output/aws/cflab/loot/lambda-get-function-commands.txt]
[lambdas][cflab] 2 lambdas found.
| Command | network-ports |
|---|---|
| Summary | Enumerates AWS services that are potentially exposing a network service. The security groups and the network ACLs are parsed for each resource to determine what ports are potentially exposed. |
| Introduced | v1.10.0 |
| Author | Wyatt Dahlenburg |
| Background | Network ACLs and Security Groups are frequently used to define access to AWS network services. This module attempts to parse the rules to determine if anyone can access an exposed port or range or ports. The supported services are currently: EC2, ECS, EFS, ElastiCache, ELBv2, Lightsail, and RDS. Try scanning from any or all network locations you have access to, such as within a VPC. Consider modifying the nmap flags to store the results in your preferred output format. Try out a nmap merge script to aggregate your scan results into a single file: https://github.com/CBHue/nMap_Merger/blob/master/nMapMerge.py https://github.com/opsdisk/scantron/blob/master/console/scan_results/merge_nmap_xml_files.py |
| Use case 1: | Quickly identify AWS services, which may be exposing TCP or UDP ports. |
| Loot file(s): |
loot/network-ports-private-ipv4.txt loot/network-ports-public-ipv4.txt loot/network-ports-public-ipv6.txt
|
Example:
โฏ cloudfox aws -p cflab network-ports -v2
[๐ฆ cloudfox v1.10.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[network-ports][cflab] Enumerating potentially accessible network services for account 049881439828.
[network-ports][cflab] Supported Services: EC2, ECS, EFS, ElastiCache, ELBv2, Lightsail, RDS
[network-ports] Status: 115/115 tasks complete (0 errors -- For details check /Users/user/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Protocol โ Host โ Ports โ
โโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโค
โ EC2 โ us-east-1 โ tcp โ 172.31.57.70 โ 80,443,8000-8010 โ
โ EC2 โ us-east-1 โ udp โ 172.31.57.70 โ 8081 โ
โ EC2 โ us-east-1 โ tcp โ 10.8.7.67 โ 0-65535 โ
โ EC2 โ us-east-1 โ udp โ 10.8.7.67 โ 0-65535 โ
โ ECS โ us-east-1 โ tcp โ 10.0.1.245 โ 8080 โ
โ Lightsail โ us-east-1 โ tcp โ 172.26.13.73 โ 0-65535 โ
โ Lightsail โ us-east-1 โ udp โ 172.26.13.73 โ 0-65535 โ
โ EC2 โ us-east-1 โ tcp โ 52.91.145.179 โ 80,443,8000-8010 โ
โ EC2 โ us-east-1 โ udp โ 52.91.145.179 โ 8081 โ
โ EC2 โ us-east-1 โ tcp โ 18.215.254.56 โ 0-65535 โ
โ EC2 โ us-east-1 โ udp โ 18.215.254.56 โ 0-65535 โ
โ ECS โ us-east-1 โ tcp โ 34.200.248.106 โ 8080 โ
โ ELBv2 โ us-east-1 โ tcp โ elb-1-a58eb4ba1c690b7e.elb.us-east-1.amazonaws.com โ 53,80,8081,9888 โ
โ ELBv2 โ us-east-1 โ udp โ elb-1-a58eb4ba1c690b7e.elb.us-east-1.amazonaws.com โ 53 โ
โ Lightsail โ us-east-1 โ tcp โ 44.192.57.241 โ 0-65535 โ
โ Lightsail โ us-east-1 โ udp โ 44.192.57.241 โ 0-65535 โ
โ EC2 โ us-east-1 โ tcp โ 2600:1f18:62ae:4900:a4c4:a17b:72a3:ce52 โ 0-65535 โ
โ EC2 โ us-east-1 โ udp โ 2600:1f18:62ae:4900:a4c4:a17b:72a3:ce52 โ 0-65535 โ
โ Lightsail โ us-east-1 โ tcp โ 2600:1f18:6770:db00:4c5b:4f32:1735:dca8 โ 0-65535 โ
โ Lightsail โ us-east-1 โ udp โ 2600:1f18:6770:db00:4c5b:4f32:1735:dca8 โ 0-65535 โ
โฐโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโฏ
[network-ports][cflab] Output written to [cloudfox-output/aws/cflab/table/network-ports.txt]
[network-ports][cflab] Output written to [cloudfox-output/aws/cflab/csv/network-ports.csv]
[network-ports][cflab] Loot written to [cloudfox-output/aws/cflab/loot/network-ports-private-ipv4.txt]
[network-ports][cflab] Loot written to [cloudfox-output/aws/cflab/loot/network-ports-public-ipv4.txt]
[network-ports][cflab] Loot written to [cloudfox-output/aws/cflab/loot/network-ports-public-ipv6.txt]
[network-ports][cflab] 20 network services found.
| Command | orgs |
|---|---|
| Summary | Enumerate accounts in an organization. |
| Introduced | v1.13.0 |
| Background | As a penetration tester, lateral movement is always important. In the early days all AWS accounts were individual units, but these days they can be grouped together and managed by an AWS service called Organizations. One account is converted to a management account, and that account can control child accounts. As a result, as a penetration tester, if you can find a way to gain administrative access in the organizational management account you very likely have control over all resources in all child accounts. Think of it is being similar to gaining Enterprise Admin access in an AD domain. |
| Use case 1: | When run from a child account, it can only tell you about that caller(child) and about the management account. |
| Use case 2: | When run from a management account, it will list you ALL child accounts. |
Use case 1 example: Run from child account:
โฏ cloudfox aws -p cloudfoxable orgs
[๐ฆ cloudfox v1.13.2 ๐ฆ ][cloudfoxable] AWS Caller Identity: arn:aws:iam::987990985088:user/ctf-starting-user
[๐ฆ cloudfox v1.13.2 ๐ฆ ][cloudfoxable] Account is part of an Organization and is a child account. Management Account: 289507344597
[org][cloudfoxable] Checking if account 987990985088 is the management account in an organization.
โญโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Name โ ID โ isManagementAccount? โ Status โ Email โ
โโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ Mgmt Account โ 289507344597 โ true โ ACTIVE โ sart@bishopfox.com โ
โ This account โ 987990985088 โ false โ ACTIVE โ Unknown โ
โฐโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[org][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/table/org.txt
[org][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/csv/org.csv
[org][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/json/org.json
[org][cloudfoxable] 2 accounts found.
[org][cloudfoxable] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#org
[๐ฆ cloudfox v1.13.2 ๐ฆ ][cloudfoxable] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/987990985088
Use case 2 example: Run from management account:
โฏ cloudfox aws -p playground.AWSAdministratorAccess orgs
[๐ฆ cloudfox v1.13.2 ๐ฆ ][playground.AWSAdministratorAccess] AWS Caller Identity: arn:aws:sts::289507344597:assumed-role/AWSReservedSSO_AWSAdministratorAccess_04a51e460aab782d/seth
[๐ฆ cloudfox v1.13.2 ๐ฆ ][playground.AWSAdministratorAccess] Account is part of an Organization and is the Management account
[org][playground.AWSAdministratorAccess] Checking if account 289507344597 is the management account in an organization.
โญโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Name โ ID โ isManagementAccount? โ Status โ Email โ
โโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ client โ 717042662323 โ false โ ACTIVE โ [redacted] โ
โ cloudfoxable โ 987990985088 โ false โ ACTIVE โ [redacted] โ
โ playground โ 289507344597 โ true โ ACTIVE โ sart@bishopfox.com โ
โ Log Archive โ 628867649448 โ false โ ACTIVE โ [redacted] โ
โ Audit โ 002311171827 โ false โ ACTIVE โ [redacted] โ
โ dev โ 884343876563 โ false โ ACTIVE โ [redacted] โ
โ prod โ 013727781308 โ false โ ACTIVE โ [redacted] โ
โ cloudfox-lab โ 049881439828 โ false โ ACTIVE โ [redacted] โ
โ Operations โ 654654594067 โ false โ ACTIVE โ [redacted] โ
โฐโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[org][playground.AWSAdministratorAccess] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/playground.AWSAdministratorAccess-289507344597/table/org.txt
[org][playground.AWSAdministratorAccess] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/playground.AWSAdministratorAccess-289507344597/csv/org.csv
[org][playground.AWSAdministratorAccess] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/playground.AWSAdministratorAccess-289507344597/json/org.json
[org][playground.AWSAdministratorAccess] 10 accounts found.
[org][playground.AWSAdministratorAccess] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#org
[๐ฆ cloudfox v1.13.2 ๐ฆ ][playground.AWSAdministratorAccess] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/289507344597
| Command | outbound-assumed-roles |
|---|---|
| Summary | List the roles that have been assumed by principals in this account. This is an excellent way to find outbound attack paths that lead into other accounts. |
| Introduced | v1.6.0 |
| Background | You can think of role assumption like Run-As in Windows/Active Directory. It's essentially like saying user A has permissions to run commands as user B. In AWS, you can create a role in one account (e.g., the development account) that can be assumed by another principal, even in a different account (e.g., the production account). So how do you find these relationships? If you have read-only style access to the development account, you can use the cloudfox role-trusts command to quickly look at all of the roles in that development account and see which roles are configured to trust which principals, which is useful info for a penetration tester. But, let's say you don't have read-only type access to production, and you want to know if there is any role in production that trusts a principal in development. One cool way to do that is by looking at the Cloudtrail logs in development for any AssumedRole events that show that a principal in development has assumed a role in production. And that's exactly what this command does. This command searches all Cloudtrail logs so in large accounts that have been around for a while, it can take a long time to run, which is why it has been removed from all-checks. Also note, that if your goal is to get to production, and you already have read-only access to production, it is much easier to just run the role-trusts command in production and look for any roles that trust something in development. |
| Use case 1: | You have access to account A, but not account B, and you want to see if there are any principals in account A that have access to assume roles in account B. If you find any, you can target those principals in account A because once you gain access ot them, you can then gain access to account B. |
Example:
โฏ cloudfox aws --profile cf-exec -v2 outbound-assumed-roles
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943206814835000
[outbound-assumed-roles] Enumerating outbound assumed role entries in cloudtrail for account 049881439828.
[outbound-assumed-roles] Going back through 7 days of cloudtrail events. (This command can be pretty slow, FYI)
[outbound-assumed-roles] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Type โ Source Principal โ Destination Principal โ Log Entry Timestamp โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโค
โ CloudTrail โ us-east-1 โ IAMUser โ arn:aws:iam::049881439828:user/terraform-user โ arn:aws:iam::049881439828:role/CloudFox-exec-role โ 2022-09-12 00:39:12 โ
โ CloudTrail โ us-east-1 โ IAMUser โ arn:aws:iam::049881439828:user/terraform-user โ arn:aws:iam::049881439828:role/CloudFox-exec-role โ 2022-09-12 00:39:11 โ
...omitted for brevity...
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโฏ
[outbound-assumed-roles] Output written to [cloudfox-output/aws/cf-exec/table/outbound-assumed-roles.txt]
[outbound-assumed-roles] Output written to [cloudfox-output/aws/cf-exec/csv/outbound-assumed-roles.csv]
[outbound-assumed-roles] 954 log entries found.
| Command | permissions |
|---|---|
| Summary | Enumerates all of the IAM permissions available to a principal (resource-based permissions not included yet). |
| Introduced | v1.6.0 |
| Background | A principal (which means a user or a role) gets it's permissions from the policies applied to it. Each user or role can have 0, 1, or many policies applied to it, and each of those policies can grant any number of permissions. This module is very simple - It just iterates over each principal, and then iterates over every policy applied to each principal, and then prints every permission granted within each of the policies. What this gives you is a really quick and dirty way to see what permissions any principal has. It's important to note that this module does not take into account transitive access. If user A can privesc to user B, user A can really do all of the stuff that user be can do, but we don't take that into account here. We simply list the permissions that user A has been directly assigned. |
| Use case 1: | You want to know what permissions a user or role has without going to the web console and expanding each policy widget one at a tine |
| Use case 2: | You want to quickly find out all of the principals that have access to a specific service you are interested in. (You can grep the output for the specific service or permission - just be mindful that if the user has been granted ec2:* and you grep for ec2:RunInstances, your grep will not match. If you want to be more precise, use the iam-simulator command instead) |
Example:
โฏ cloudfox aws --profile cf-prod permissions -v2
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662946240793435000
[permissions] Enumerating IAM permissions for account 049881439828.
โญโโโโโโโโโโฌโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Principal Type โ Name โ Policy Type โ Policy Name โ Effect โ Action โ Resource โ
โโโโโโโโโโโผโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ IAM โ Role โ aaronson โ Managed โ lambda-policy1 โ Allow โ logs:CreateLogGroup โ * โ
โ IAM โ Role โ aaronson โ Managed โ lambda-policy1 โ Allow โ logs:CreateLogStream โ * โ
โ IAM โ Role โ aaronson โ Managed โ lambda-policy1 โ Allow โ logs:PutLogEvents โ * โ
โ IAM โ Role โ adams โ Managed โ lambda-policy2 โ Allow โ * โ * โ
โ IAM โ Role โ AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 โ Managed โ AdministratorAccess โ Allow โ * โ * โ
โ IAM โ Role โ AWSReservedSSO_interns_9b819cbe299f5da5 โ Managed โ the_interns โ Allow โ ec2:DescribeInstances โ * โ
โ IAM โ Role โ AWSReservedSSO_interns_9b819cbe299f5da5 โ Managed โ the_interns โ Allow โ lambda:ListFunctions โ * โ
โ IAM โ Role โ AWSReservedSSO_interns_9b819cbe299f5da5 โ Managed โ the_interns โ Allow โ lambda:ListFunctionUrlConfigs โ * โ *
...omitted for brevity...
โ IAM โ Role โ lavelle โ Managed โ lambda-admin โ Allow โ lambda:* โ * โ
โ IAM โ Role โ lloyd โ Managed โ cf-admin โ Allow โ cloudformation:* โ * โ
โ IAM โ Role โ mckennie โ Managed โ cloudformation โ Allow โ cloudformation:UpdateStack โ * โ
โ IAM โ Role โ mckennie โ Managed โ cloudformation โ Allow โ cloudformation:DescribeStacks โ * โ
โ IAM โ Role โ morgan โ Managed โ just-one-ec2 โ Allow โ ec2:DescribeInstanceAttributeInput โ arn:aws:ec2:us-east-1:049881439828:instance/i-020e69c99ce4c7a97 โ
โ IAM โ Role โ not-admin โ Managed โ not-admin-access โ Allow โ * โ * โ
โ IAM โ Role โ OrganizationAccountAccessRole โ Managed โ AdministratorAccess โ Allow โ * โ * โ
โ IAM โ Role โ press โ Managed โ service-admin โ Allow โ * โ * โ
โ IAM โ Role โ pulisic โ Managed โ privesc-ec2InstanceConnect-policy โ Allow โ ec2:DescribeInstances โ * โ
...omitted for brevity...
โ IAM โ Role โ rapinoe โ Managed โ cloudfox-ecs-role-policy โ Allow โ ecr:BatchGetImage โ * โ
โ IAM โ Role โ rapinoe โ Managed โ cloudfox-ecs-role-policy โ Allow โ ecr:GetAuthorizationToken โ * โ
โ IAM โ Role โ rapinoe โ Managed โ cloudfox-ecs-role-policy โ Allow โ ssm:TerminateSession โ * โ
โ IAM โ Role โ rapinoe โ Managed โ cloudfox-ecs-role-policy โ Allow โ ec2:DescribeSnapshots โ * โ
โ IAM โ Role โ rapinoe โ Managed โ cloudfox-ecs-role-policy โ Allow โ logs:PutLogEvents โ * โ
โ IAM โ Role โ rapinoe โ Managed โ cloudfox-ecs-role-policy โ Allow โ ecr:BatchCheckLayerAvailability โ * โ
โ IAM โ Role โ test โ Inline โ test_inline โ Allow โ s3:ListBucket โ arn:aws:s3:::* โ
โ IAM โ Role โ test โ Inline โ test_inline โ Allow โ s3:ListAllMyBuckets โ * โ
โ IAM โ User โ terraform-user โ Managed โ AdministratorAccess โ Allow โ * โ * โ
โฐโโโโโโโโโโดโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
| Command | pmapper |
|---|---|
| Summary | Looks for pmapper data stored on the local filesystem, in the locations defined here. If pmapper data has been found (you already ran pmapper graph create), then this command will use this data to build a graph in cloudfox memory let you know who can privesc to admin. |
| Introduced | v1.9.0 |
| Background | As documented in our blog post IAM Vulnerable - Assessing the AWS Assessment Tools pmapper, or principalmapper, is the most accurate open source AWS policy simulator project that takes into account privilege escalation. Cloudfox will not install or run pmapper for you, but because pmapper stores it's graph data in a predictable location, this CloudFox command will look to see if that data exists, and if it does, it give you a list of all of the principals that pmapper thinks can escalate to admin. Additionally, some of the other CloudFox commands have been configured to enrich their output with pmapper data if it exists. If pmapper data does not exist, this command will try to give you the right commands to run pmapper. Also, if the pmapper data is found, a bunch of the other cloudfox commands will use the data. If the data is not found, they will use CloudFox's iam-simulator command to try to figure out who is an admin, which is really just a wrapper around AWS's IAM simulate principal policy API call. |
Example:
โฏ cloudfox aws -p cflab pmapper -v2
[๐ฆ cloudfox v1.9.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[pmapper][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[pmapper][cflab] Parsing pmapper data for account 049881439828.
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Principal Arn โ IsAdmin? โ CanPrivEscToAdmin? โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ arn:aws:iam::049881439828:user/pele โ No โ YES โ
โ arn:aws:iam::049881439828:user/terraform-user โ YES โ YES โ
โ arn:aws:iam::049881439828:role/adams โ YES โ YES โ
โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 โ YES โ YES โ
โ arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO โ No โ YES โ
โ arn:aws:iam::049881439828:role/dempsey โ No โ YES โ
โ arn:aws:iam::049881439828:role/donovan โ No โ YES โ
โ arn:aws:iam::049881439828:role/lavelle โ No โ YES โ
โ arn:aws:iam::049881439828:role/not-admin โ YES โ YES โ
โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ YES โ YES โ
โ arn:aws:iam::049881439828:role/press โ YES โ YES โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[pmapper] Output written to [cloudfox-output/aws/cflab/table/pmapper.txt]
[pmapper] Output written to [cloudfox-output/aws/cflab/csv/pmapper.csv]
[pmapper][cflab] 11 principals who are admin or have a path to admin identified.
| Command | principals |
|---|---|
| Summary | Enumerates IAM users and Roles so you have the data at your fingertips. |
| Introduced | v1.6.0 |
| Background | AWS uses the term principal to encompass IAM users and IAM roles. It's nice to have this information in a greppable form. |
Example:
โฏ cloudfox aws --profile cf-exec -v2 principals
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662946413386360000
[principals] Enumerating IAM Users and Roles for account 049881439828.
โญโโโโโโโโโโฌโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Type โ Name โ Arn โ
โโโโโโโโโโโผโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ IAM โ User โ pele โ arn:aws:iam::049881439828:user/pele โ
โ IAM โ User โ terraform-user โ arn:aws:iam::049881439828:user/terraform-user โ
โ IAM โ Role โ aaronson โ arn:aws:iam::049881439828:role/aaronson โ
โ IAM โ Role โ adams โ arn:aws:iam::049881439828:role/adams โ
โ IAM โ Role โ AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 โ
โ IAM โ Role โ AWSReservedSSO_interns_9b819cbe299f5da5 โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5 โ
โ IAM โ Role โ AWSReservedSSO_SecurityAudit_f67a30bf6639f876 โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876 โ
โ IAM โ Role โ AWSServiceRoleForAccessAnalyzer โ arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer โ
โ IAM โ Role โ AWSServiceRoleForAmazonElasticFileSystem โ arn:aws:iam::049881439828:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem โ
โ IAM โ Role โ AWSServiceRoleForAppRunner โ arn:aws:iam::049881439828:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner โ
โ IAM โ Role โ AWSServiceRoleForECS โ arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS โ
โ IAM โ Role โ AWSServiceRoleForElastiCache โ arn:aws:iam::049881439828:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache โ
โ IAM โ Role โ AWSServiceRoleForElasticLoadBalancing โ arn:aws:iam::049881439828:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing โ
โ IAM โ Role โ AWSServiceRoleForOrganizations โ arn:aws:iam::049881439828:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations โ
โ IAM โ Role โ AWSServiceRoleForRDS โ arn:aws:iam::049881439828:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS โ
โ IAM โ Role โ AWSServiceRoleForSSO โ arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO โ
โ IAM โ Role โ AWSServiceRoleForSupport โ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport โ
โ IAM โ Role โ AWSServiceRoleForTrustedAdvisor โ arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor โ
โ IAM โ Role โ CloudFox-exec-role โ arn:aws:iam::049881439828:role/CloudFox-exec-role โ
โ IAM โ Role โ dempsey โ arn:aws:iam::049881439828:role/dempsey โ
โ IAM โ Role โ donovan โ arn:aws:iam::049881439828:role/donovan โ
โ IAM โ Role โ lavelle โ arn:aws:iam::049881439828:role/lavelle โ
โ IAM โ Role โ lloyd โ arn:aws:iam::049881439828:role/lloyd โ
โ IAM โ Role โ mckennie โ arn:aws:iam::049881439828:role/mckennie โ
โ IAM โ Role โ morgan โ arn:aws:iam::049881439828:role/morgan โ
โ IAM โ Role โ not-admin โ arn:aws:iam::049881439828:role/not-admin โ
โ IAM โ Role โ OrganizationAccountAccessRole โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ
โ IAM โ Role โ press โ arn:aws:iam::049881439828:role/press โ
โ IAM โ Role โ pulisic โ arn:aws:iam::049881439828:role/pulisic โ
โ IAM โ Role โ rapinoe โ arn:aws:iam::049881439828:role/rapinoe โ
โ IAM โ Role โ test โ arn:aws:iam::049881439828:role/test โ
โฐโโโโโโโโโโดโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[principals] Output written to [cloudfox-output/aws/cf-exec/table/principals.txt]
[principals] Output written to [cloudfox-output/aws/cf-exec/csv/principals.csv]
[principals] 31 IAM principals found.
| Command | ram |
|---|---|
| Summary | List all resources in this account that are shared with other accounts, or resources from other accounts that are shared with this account. Useful for cross-account attack paths. |
| Introduced | v1.8.0 |
| Background | AWS RAM is a service that enables users to share AWS resources with other AWS accounts or within their own organization. This is useful to builders, but it also has scary security implications. It is a way poke holes the account level securiy boundry. For example, if you compromise the DEV environment, but there is a resouce from the PROD account that is shared with the DEV account, this becomes a potential path for an attacker to from DEV to PROD. |
Example:
โฏ cloudfox aws --profile cflab -v2 ram
[๐ฆ cloudfox v1.8.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[ram][cflab] Enumerating shared resources for account 049881439828.
[ram] Status: 21/21 regions complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Share Name โ Type โ Owner โ Share Type โ
โโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ RAM โ us-east-1 โ ram_test โ ec2:Subnet โ 289507344597 โ Inbound share (Another account shared this with me) โ
โ RAM โ us-east-1 โ ram_test โ codebuild:Project โ 289507344597 โ Inbound share (Another account shared this with me) โ
โฐโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[ram] Output written to [cloudfox-output/aws/cflab/table/ram.txt]
[ram] Output written to [cloudfox-output/aws/cflab/csv/ram.csv]
[ram][cflab] 2 resources found.
| Command | resource-trusts |
|---|---|
| Summary | Enumerate resource trusts from popular services. This command does not check all AWS services that support resource trusts, but it does focus on the big ones that can be most likely abused from an offensive security perspective. |
| Introduced | v1.13.0 |
| Background | In AWS's security model, you have IAM permissions attached to IAM principals. These permissions allow access to resources. Think about this as a forward trust. An IAM policy allows user seth to perform certain actions on certain other AWS resources defined by the policy. The IAM policy is applied to seth. However, you can also have backwards trust relationships, or permissions applied on resources themselves that allow certain principals to access them. You can have an S3 bucket, or an SNS topic, or an SQS queue that grant the user seth some permissions on them. This is important because let's say that the user seth does not have ANY IAM permissions at all. You might think that seth can't do anything. But that's not true. If the s3 bucket important-stuff allows seth to list and download objects, then seth can do exactly that, even if he has no IAM permissions that allow those actions applied directly to his user. Hopefully this helped and did not make you even more confused. If it helps, consider this example. Let's say you want to make a bucket, or SNS topic, or SQS queue public. How would you do that? Resource policies. You would apply a resource policy that allows read or write permission to * or everyone. |
Example:
โฏ cloudfox aws -p cloudfoxable resource-trusts
[๐ฆ cloudfox v1.13.2 ๐ฆ ][cloudfoxable] AWS Caller Identity: arn:aws:iam::987990985088:user/ctf-starting-user
[๐ฆ cloudfox v1.13.2 ๐ฆ ][cloudfoxable] Account is part of an Organization and is a child account. Management Account: 289507344597
[resource-trusts][cloudfoxable] Enumerating Resources with resource policies for account 987990985088.
[resource-trusts][cloudfoxable] Supported Services: CodeBuild, ECR, EFS, Glue, Lambda, SecretsManager, S3, SNS, SQS
[resource-trusts] Status: 137/137 tasks complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ ARN โ Public โ Interesting โ Resource Policy Summary โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ arn:aws:sns:us-west-2:987990985088:eventbridge-sns โ No โ Yes โ Everyone can sns:Subscribe & can sns:Publish โ
โ โ โ โ -> Only when aws:SourceIp IpAddress 74.69.129.103/32 โ
โ arn:aws:sns:us-west-2:987990985088:executioner โ No โ Yes โ Everyone can sns:Subscribe & can sns:Publish โ
โ โ โ โ -> Only when aws:PrincipalAccount = 987990985088 โ
โ arn:aws:sns:us-west-2:987990985088:public โ Yes โ Yes โ * can sns:Publish โ
โ arn:aws:sqs:us-west-2:987990985088:internal_message_bus โ No โ Yes โ Everyone can sqs:SendMessage & can sqs:ReceiveMessage โ
โ โ โ โ -> Only when aws:SourceIp IpAddress 74.69.129.103/32 โ
โ arn:aws:sqs:us-west-2:987990985088:process_orders โ Yes โ Yes โ * can sqs:SendMessage โ
โ arn:aws:lambda:us-west-2:987990985088:function:auth-me โ No โ Yes โ Everyone can lambda:InvokeFunctionUrl โ
โ โ โ โ -> Only when lambda:FunctionUrlAuthType = NONE โ
โ arn:aws:lambda:us-west-2:987990985088:function:furls1 โ No โ Yes โ Everyone can lambda:InvokeFunctionUrl โ
โ โ โ โ -> Only when lambda:FunctionUrlAuthType = NONE โ
โ arn:aws:s3:::aws-cloudtrail-logs-987990985088-308a6ed7 โ No โ No โ Statement 0 says: cloudtrail.amazonaws.com can s3:GetBucketAcl โ
โ โ โ โ -> Only when AWS:SourceArn = arn:aws:cloudtrail:us-west-2:987990985088:trail/management-events โ
โ โ โ โ โ
โ โ โ โ Statement 1 says: cloudtrail.amazonaws.com can s3:PutObject โ
โ โ โ โ -> Only when AWS:SourceArn = arn:aws:cloudtrail:us-west-2:987990985088:trail/management-events โ
โ โ โ โ -> Only when s3:x-amz-acl = bucket-owner-full-control โ
โ arn:aws:sns:us-west-2:987990985088:user-updates-topic โ No โ No โ Statement 0 says: * can sns:Publish โ
โ โ โ โ -> Only when AWS:SourceOwner = 111111111111 โ
โ โ โ โ โ
โ โ โ โ Statement 1 says: * can sns:Subscribe โ
โ โ โ โ -> Only when AWS:SourceOwner = 111111111111 โ
โ arn:aws:sns:us-west-2:987990985088:user-updates-topic.fifo โ No โ No โ Default resource policy: Not exploitable โ
โ arn:aws:lambda:us-west-2:987990985088:function:executioner โ No โ No โ sns.amazonaws.com can lambda:InvokeFunction โ
โ โ โ โ -> Only when AWS:SourceArn is like arn:aws:sns:us-west-2:987990985088:executioner โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[resource-trusts][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/table/resource-trusts.txt
[resource-trusts][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/csv/resource-trusts.csv
[resource-trusts][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/json/resource-trusts.json
[resource-trusts][cloudfoxable] 11 resource policies found.
[resource-trusts][cloudfoxable] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#resource-trusts
[๐ฆ cloudfox v1.13.2 ๐ฆ ][cloudfoxable] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/987990985088
| Command | role-trusts |
|---|---|
| Summary | This command will give you three tables. One for roles that trust one or more principals. Another one for roles that trust an AWS service. And a third for roles that trust a federated identity. It is possible that one role shows up in multiple tables because one role can trust one or more of these entities. |
| Introduced | v1.6.0 |
| Background | You can think of role assumption like Run-As in Windows/Active Directory. It's essentially like saying user A has permissions to run commands as user B. In AWS, you can create a role in one account (e.g., the development account) that can be assumed by another principal, even in a different account (e.g., the production account). So how do you find these relationships? If you have read-only style access to the development account, you can use the cloudfox role-trusts command to quickly look at all of the roles in that development account and see which roles are configured to trust which principals, which is useful info for a penetration tester. And you can do the same in any other in-scope account where you have read-only access. |
| Use case 1 | Use this data to search IAM role trust policies for trusts to a specific principal or an AWS account. This is particularly useful when assessing privilege escalation paths through assume role actions. In most cases, the assuming role will also need to have the sts:AssumeRole permission, however if the trusted principal is specifically named in the trust policy and belongs in the same account as the trusting role, the the trusted role does not need the sts:AssumeRole permission. |
Example:
โฏ cloudfox aws -p cflab role-trusts -v2
[๐ฆ cloudfox v1.9.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[role-trusts][cflab] Enumerating role trusts for account 049881439828.
[role-trusts][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[role-trusts][cflab] Found pmapper data for this account. Using it for role analysis
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Role โ Trusted Principal โ ExternalID โ IsAdmin? โ CanPrivEscToAdmin? โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ arn:aws:iam::049881439828:role/morgan โ arn:aws:iam::049881439828:user/pele โ โ No โ No โ
โ arn:aws:iam::049881439828:role/not-admin โ arn:aws:iam::049881439828:user/pele โ โ YES โ YES โ
โ arn:aws:iam::049881439828:role/CloudFox-exec-role โ arn:aws:iam::049881439828:user/security โ โ No โ No โ
โ arn:aws:iam::049881439828:role/dempsey โ arn:aws:iam::049881439828:user/terraform-user โ โ No โ YES โ
โ arn:aws:iam::049881439828:role/donovan โ arn:aws:iam::049881439828:user/terraform-user โ โ No โ YES โ
โ arn:aws:iam::049881439828:role/mckennie โ arn:aws:iam::049881439828:user/terraform-user โ โ No โ No โ
โ arn:aws:iam::049881439828:role/pulisic โ arn:aws:iam::049881439828:user/terraform-user โ โ No โ No โ
โ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole โ arn:aws:iam::289507344597:root โ โ YES โ YES โ
โ arn:aws:iam::049881439828:role/test โ arn:aws:sts::049881439828:assumed-role/AWSReservedSSO_interns_9b819cbe299f5da5/seth โ โ No โ No โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-principals.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-principals.csv]
[role-trusts][cflab] 9 role trusts found.
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Role โ Trusted Service โ ExternalID โ IsAdmin? โ CanPrivEscToAdmin? โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer โ access-analyzer.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner โ apprunner.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/lloyd โ cloudformation.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/press โ ec2.amazonaws.com โ โ YES โ YES โ
โ arn:aws:iam::049881439828:role/imdvs2-challenge-role โ ec2.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/rapinoe โ ecs-tasks.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS โ ecs.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache โ elasticache.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem โ elasticfilesystem.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing โ elasticloadbalancing.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/aaronson โ lambda.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/adams โ lambda.amazonaws.com โ โ YES โ YES โ
โ arn:aws:iam::049881439828:role/lavelle โ lambda.amazonaws.com โ โ No โ YES โ
โ arn:aws:iam::049881439828:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations โ organizations.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS โ rds.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO โ sso.amazonaws.com โ โ No โ YES โ
โ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport โ support.amazonaws.com โ โ No โ No โ
โ arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor โ trustedadvisor.amazonaws.com โ โ No โ No โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-services.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-services.csv]
[role-trusts][cflab] 18 role trusts found.
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Role โ Trusted Provider โ Trusted Subject โ IsAdmin? โ CanPrivEscToAdmin? โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 โ AWS SSO (arn:aws:iam::049881439828:saml-provider/AWSSSO_6cc8120b9b76e4be_DO_NOT_DELETE) โ Not applicable โ YES โ YES โ
โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5 โ AWS SSO (arn:aws:iam::049881439828:saml-provider/AWSSSO_6cc8120b9b76e4be_DO_NOT_DELETE) โ Not applicable โ No โ No โ
โ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876 โ AWS SSO (arn:aws:iam::049881439828:saml-provider/AWSSSO_6cc8120b9b76e4be_DO_NOT_DELETE) โ Not applicable โ No โ No โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
| Command | route53 |
|---|---|
| Summary | This command lists the DNS records for all public and private zones managed by Route53. Use this for application and service enumeration |
| Introduced | v1.6.0 |
| Background | Route53 is AWS's DNS registrar service. There is no requirement that you need to use route53 in your AWS account, but many organizations that use AWS also use route53 for their hosted zones. As a penetratin tester, it is really great news when a client uses Route53 because we can simply enumerate all of the hosted zones using our read-only access and use that to find potentiallh exploitable endpoints. |
Example:
โฏ cloudfox aws --profile default route53 -v2
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::111111111111:user/seth
[route53] Enumerating Route53 for account 111111111111.
Service Name Type Value PrivateZone
--------- ----------------------- ------ --------------------------------------------------------------------------------- -------------
Route53 test2.internal. NS ns-1536.awsdns-00.co.uk. True
Route53 test2.internal. NS ns-0.awsdns-00.com. True
Route53 test2.internal. NS ns-1024.awsdns-00.org. True
Route53 test2.internal. NS ns-512.awsdns-00.net. True
Route53 test2.internal. SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 True
Route53 host1.test2.internal. A 192.168.0.1 True
Route53 host2.test2.internal. A 8.8.8.8 True
Route53 test1.internal. NS ns-1536.awsdns-00.co.uk. True
Route53 test1.internal. NS ns-0.awsdns-00.com. True
Route53 test1.internal. NS ns-1024.awsdns-00.org. True
Route53 test1.internal. NS ns-512.awsdns-00.net. True
Route53 test1.internal. SOA ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 True
Route53 host1.test1.internal. A 10.0.0.1 True
Route53 host2.test1.internal. A 10.0.0.2 True
[route53] Output written to [cloudfox-output/aws/default/table/route53.txt]
[route53] Loot written to [cloudfox-output/aws/default/loot/route53-A-records-public-Zones.txt]
[route53] Loot written to [cloudfox-output/aws/default/loot/route53-A-records-private-Zones.txt]
[route53] 14 DNS records found.
| Command | secrets |
|---|---|
| Summary | This command lists secrets from SecretsManager and SSM. Look for interesting secrets in the list and then see who has access to them |
| Introduced | v1.6.0 |
| Background | AWS SecretsManager and SSM Paremeters two different ways to store secrets in AWS that can be used by other services. They have some differences that make one a better fit for some use cases, and the other a better fit for others, but as a penetration tester, you can think about them as roughly the same. These services allow you to store secrets as resources, and then rather than hardcoding these secrets in your lambda functions and other resources, you can code the secret name into your lambda function (or lambda function environment variable) so that the secret is only pulled at runtime (rather than being hardcoded). As a penetration tester, it's really helpful to look at what secrets are stored in these services, and if you find something that looks interesting, you can spend your time trying to gain access to a principal that has access to that secret. For instnace, you might find a secret in an AWS account that is a hardcoded credential to a GCP or Azure account. If you can gain admin in this AWS account, that means you can also gain access to anything those secrets provide access to as well. |
Example:
โฏ cloudfox aws --profile cf-exec -v2 secrets
[๐ฆ cloudfox v1.6.0 ๐ฆ ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662946619726857000
[secrets] Enumerating secrets for account 049881439828.
[secrets] Supported Services: SecretsManager, SSM Parameters
[secrets] Status: 21/21 regions complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Name โ Description โ
โโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ SecretsManager โ us-west-2 โ database-secret โ โ
โ SecretsManager โ us-west-2 โ app-secret โ โ
โ SecretsManager โ us-west-2 โ iam-vulnerable โ Super strong password that nobody would ever be able to guess โ
โ SSM โ us-west-2 โ /production/database/password โ โ
โ SSM โ us-west-2 โ /production/database/username โ โ
โ SSM โ us-west-2 โ /staging/database/password โ โ
โ SSM โ us-west-2 โ /staging/database/user โ โ
โฐโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[secrets] Output written to [cloudfox-output/aws/cf-exec/table/secrets.txt]
[secrets] Output written to [cloudfox-output/aws/cf-exec/csv/secrets.csv]
[secrets] Loot written to [cloudfox-output/aws/cf-exec/loot/pull-secrets-commands.txt]
[secrets] 7 secrets found.
| Command | secrets |
|---|---|
| Summary | This command enumerates all of the sns topics and gives you the commands to subscribe to a topic or send messages to a topic (if you have the permissions needed). This command only deals with topics, and not the SMS functionality. This command also attempts to summarize topic resource policies if they exist. |
| Introduced | v1.10.0 |
| Author | Dominic Breuker and BF team |
| Background | AWS SNS is pub/sub service. This command only deas with topics, and not the SMS functionality. The way topics work is that you have publishers, or applications/services authorized to send messages to a topic, and you have subscribers, or applications/services that receive messages from a topic. The interesting thing about SNS topics is that you can have one or more publishers and one or more subscribers. As a penetration tester, you usually become interested in SNS topics if you find you have compromised a principal that has some SNS permissions, like sns:subscribe or sns:publish. If you have sns:subscribe, you can add yourself as a subscriber. The cool thing here is that adding yourself as a subscriber does not affect the other subscribers, so it's kind of like adding a network tap on an ethernet cable. You just get a copy of all of the messages sent to the topic. Why would you do this? Well two reasons: First, you can look for sensitive information in the messages.And secondly, if you also have sns:publish you can first subscribe and see if there are any injection points in the message that might get you some type of SSRF/RCE type vuln in the service that is consuming the SNS messages |
Example:
โฏ cloudfox aws -p cflab -v2 sns
[๐ฆ cloudfox v1.10.0-prerelease ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[sns][cflab] Enumerating SNS topics for account 049881439828.
[sns] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ ARN โ Public? โ Resource Policy Summary โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ arn:aws:sns:us-west-2:049881439828:lambda-sns โ No โ Default resource policy: Not exploitable โ
โ arn:aws:sns:us-west-2:049881439828:user-updates-topic โ No โ * can perform 8 actions โ
โ โ โ -> Only when AWS:PrincipalAccount = 049881439828 โ
โ arn:aws:sns:us-west-2:049881439828:user-updates-topic.fifo โ No โ Default resource policy: Not exploitable โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[sns][cflab] Output written to [cloudfox-output/aws/cflab/table/sns.txt]
[sns][cflab] Output written to [cloudfox-output/aws/cflab/csv/sns.csv]
[sns][cflab] Loot written to [cloudfox-output/aws/cflab/loot/sns-commands.txt]
[sns][cflab] 3 topics found.
[sns][cflab] Access policies stored to: cloudfox-output/aws/cflab/loot/sns-policies
[sns][cflab] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#sns
| Command | secrets |
|---|---|
| Summary | This command enumerates all of the sqs queues and gives you the commands to receive messages from a queue and send messages to a queue (if you have the permissions needed). This command also attempts to summarize queue resource policies if they exist. |
| Introduced | v1.10.0 |
| Author | Dominic Breuker and BF team |
| Background | AWS SQS let's you send, store, and receive messages from a queue. It is often used in application to application communication. The way queues work is that you have applications/services authorized to send messages to a queue, and you have applications/services that pull (and subsequently delete) messages from a queue. As a penetration tester, you usually become interested in SQS queues if you find you have compromised a principal that has some SQS permissions, like sqs:ReceiveMessage or sqs:SendMessage. If you have sqs:ReceiveMessage, you can read messages off of the queue, however this should be done with caution in a production environment. Receiving a message does not delete it from the queue, but this action can potentially cause latency or it could DoS applications that consume the queue messages depending on the queue type. The first reason you would want to read messages off of the queue is that you can look for sensitive information in the messages. .And secondly, if you also have sqs:SendMessage you can inspect received messages to see if there are any injection points in the message that might get you some type of SSRF/RCE type vuln in the service that is consuming the SNS messages, and then use sqs:SendMessage to send malicious messages. |
Example:
โฏ cloudfox aws -p cflab -v2 sqs
[๐ฆ cloudfox v1.10.0-prerelease ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[sqs][cflab] Enumerating SQS queues for account 049881439828.
[sqs] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Arn โ Public? โ Resource Policy Summary โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ arn:aws:sqs:us-west-2:049881439828:lambda-sqs โ No โ โ
โ arn:aws:sqs:us-west-2:049881439828:terraform-example-queue โ YES โ Statement 0 says: s3.amazonaws.com can SQS:SendMessage โ
โ โ โ Statement 1 says: arn:aws:iam::049881439828:root can SQS:* โ
โ โ โ Statement 2 says: Everyone can perform 2 actions โ
โ arn:aws:sqs:us-west-2:049881439828:terraform-example-queue-deadletter โ No โ โ
โ arn:aws:sqs:us-west-2:049881439828:terraform-example-queue.fifo โ No โ โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[sqs][cflab] Output written to [cloudfox-output/aws/cflab/table/sqs.txt]
[sqs][cflab] Output written to [cloudfox-output/aws/cflab/csv/sqs.csv]
[sqs][cflab] Loot written to [cloudfox-output/aws/cflab/loot/sqs-commands.txt]
[sqs][cflab] 4 queues found.
[sqs][cflab] Access policies stored to: cloudfox-output/aws/cflab/loot/sqs-policies
[sqs][cflab] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#sqs
| Command | tags |
|---|---|
| Summary | List all resources with tags and all of the tags. This can be used similar to inventory as another method to identify what types of resources exist in an account. |
| Introduced | v1.6.0 |
| Background | AWS allows you to put tags on resources, and sometimes these tags can be really helpful in gaining situational awareness. The tag values might give you hint's as to what is going on in the target AWS account that are not obvious otherwise. |
Example:
โฏ cloudfox aws --profile cflab -v2 tags
[๐ฆ cloudfox v1.8.0 ๐ฆ ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[tags][cflab] Enumerating tags for account 049881439828.
[tags] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Type โ Key โ Value โ
โโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ ec2 โ us-west-2 โ subnet โ Name โ cloudfox Operational Subnet 2 โ
โ ec2 โ us-west-2 โ route-table โ Name โ cloudfox Public Route Table โ
โ ec2 โ us-west-2 โ security-group โ Name โ allow_ssh_from_world โ
โ ec2 โ us-west-2 โ instance โ Name โ instance2 โ
โ ec2 โ us-west-2 โ instance โ Name โ instance3 โ
โ ec2 โ us-west-2 โ instance โ aws:cloudformation:stack-name โ token โ
... omitted for brevity...
โ secretsmanager โ us-west-2 โ secret โ Name โ App Secret โ
โ secretsmanager โ us-west-2 โ secret โ aws:cloudformation:stack-id โ arn:aws:cloudformation:us-west-2:049881439828:stack/privesc-cloudformationStack/24092300-4a49-11ed-a9d0-0666e24333c1 โ
โ secretsmanager โ us-west-2 โ secret โ aws:cloudformation:logical-id โ Secret1 โ
โ secretsmanager โ us-west-2 โ secret โ Name โ Database Secret โ
โ secretsmanager โ us-west-2 โ secret โ aws:cloudformation:stack-name โ privesc-cloudformationStack โ
โ secretsmanager โ us-west-2 โ secret โ Name โ scenario1 Secret โ
โ sqs โ us-west-2 โ terraform-example-queue โ Environment โ production
โฐโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
[tags] Output written to [cloudfox-output/aws/cflab/table/tags.txt]
[tags] Output written to [cloudfox-output/aws/cflab/csv/tags.csv]
[tags][cflab] 39 tags found.
[tags][cflab] 26 unique resources with tags found.
| Command | workloads |
|---|---|
| Summary | Finds workloads with admin permissions or a path to admin permissions. To find paths to to admin you need to run pmapper first on the same host that you will run cloudfox. |
| Introduced | v1.13.0 |
| Background | AWS allows you assign IAM roles to workloads. This is more secure than hardcoding credentials into the workloads, however, if the workload becomes compromised, it still means that the attacker will gain access to all of the IAM permissions given to the workload. That's why it's important to use the principle of least privilege when assigning permissions to workloads, and why you rarely want ANY cloud workload running with administrative permissions. |
Example:
โฏ cloudfox aws --profile cflab workloads
[๐ฆ cloudfox v1.14.0-prerelease ๐ฆ ][cloudfoxable] AWS Caller Identity: arn:aws:iam::987990985088:user/ctf-starting-user
[๐ฆ cloudfox v1.14.0-prerelease ๐ฆ ][cloudfoxable] Account is part of an Organization and is a child account. Management Account: 289507344597
[workloads][cloudfoxable] Enumerating compute workloads in all regions for account 987990985088.
[workloads][cloudfoxable] Supported Services: App Runner, EC2, ECS, Lambda
[workloads] Status: 68/68 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
โญโโโโโโโโโโฌโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโฎ
โ Service โ Region โ Name โ Role โ IsAdminRole? โ CanPrivEscToAdmin? โ
โโโโโโโโโโโผโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโค
โ EC2 โ us-west-2 โ bastion โ arn:aws:iam::987990985088:role/reyna โ No โ No โ
โ Lambda โ us-west-2 โ consumer โ arn:aws:iam::987990985088:role/swanson โ No โ No โ
โ Lambda โ us-west-2 โ auth-me โ arn:aws:iam::987990985088:role/sauerbrunn โ No โ No โ
โ Lambda โ us-west-2 โ test โ arn:aws:iam::987990985088:role/service-role/test-role-yrxw8win โ No โ No โ
โ Lambda โ us-west-2 โ producer โ arn:aws:iam::987990985088:role/producer โ No โ No โ
โ Lambda โ us-west-2 โ furls1 โ arn:aws:iam::987990985088:role/aaronson โ No โ No โ
โ Lambda โ us-west-2 โ executioner โ arn:aws:iam::987990985088:role/ream โ No โ No โ
โ Lambda โ us-east-2 โ cloudfoxtest โ arn:aws:iam::987990985088:role/service-role/lambdaAdmin โ YES โ YES โ
โฐโโโโโโโโโโดโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโฏ
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/table/workloads.txt
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/table/workloads-admin.txt
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/csv/workloads.csv
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/csv/workloads-admin.csv
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/json/workloads.json
[workloads][cloudfoxable] Output written to /Users/sethart/.cloudfox/cloudfox-output/aws/cloudfoxable-987990985088/json/workloads-admin.json
[workloads][cloudfoxable] 8 compute workloads found.
[workloads][cloudfoxable] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#workloads
[๐ฆ cloudfox v1.14.0-prerelease ๐ฆ ][cloudfoxable] Cached AWS data written to /Users/sethart/.cloudfox/cached-data/aws/987990985088