AWS Commands

Seth Art edited this page Jan 7, 2023 · 31 revisions

CloudFox AWS Command Usage and Examples

https://github.com/BishopFox/cloudfox#prerequisites

Command Help

To list AWS commands: ./cloudfox aws -h

For help with each command: ./cloudfox aws [command_name] -h

All Checks

This command runs all other commands. All CloudFox commands are read-only and will not cause any state change operations.

❯ cloudfox aws -p cflab all-checks
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[🦊 cloudfox 🦊 ] Getting a lay of the land, aka "What regions is this account using?"
[inventory][cflab] Enumerating selected services in all regions for account 049881439828.
[inventory][cflab] Supported Services: ApiGateway, ApiGatewayv2, AppRunner, CloudFormation, Cloudfront, DynamoDB,
[inventory][cflab] 			EC2, ECS, EKS, ELB, ELBv2, Glue, Grafana, IAM, Lambda, Lightsail, MQ,
[inventory][cflab] 			OpenSearch, RDS, S3, SecretsManager, SNS, SQS, SSM
[inventory] Status: 364/364 tasks complete (9 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[inventory] Output written to [cloudfox-output/aws/cflab/table/inventory.txt]
[inventory] Output written to [cloudfox-output/aws/cflab/csv/inventory.csv]
[inventory] Output written to [cloudfox-output/aws/cflab/table/inventory-global.txt]
[inventory] Output written to [cloudfox-output/aws/cflab/csv/inventory-global.csv]
[inventory][cflab] 69 resources found in the services we looked at. This is NOT the total number of resources in the account.
[tags][cflab] Enumerating tags for account 049881439828.
[tags] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[tags] Output written to [cloudfox-output/aws/cflab/table/tags.txt]
[tags] Output written to [cloudfox-output/aws/cflab/csv/tags.csv]
[tags][cflab] 37 tags found.
[tags][cflab] 25 unique resources with tags found.
[🦊 cloudfox 🦊 ] Gathering the info you'll want for your application & service enumeration needs.
[instances][cflab] Enumerating EC2 instances in all regions for account 049881439828
[instances][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[instances][cflab] Found pmapper data for this account. Using it for role analysis.
[instances] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[instances] Output written to [cloudfox-output/aws/cflab/table/instances.txt]
[instances] Output written to [cloudfox-output/aws/cflab/csv/instances.csv]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PrivateIPs.txt]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PublicIPs.txt]
[instances][cflab] 5 instances found.
[lambdas][cflab] Enumerating lambdas for account 049881439828.
[lambdas][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[lambdas][cflab] Found pmapper data for this account. Using it for role analysis.
[lambdas] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[lambdas] Output written to [cloudfox-output/aws/cflab/table/lambdas.txt]
[lambdas] Output written to [cloudfox-output/aws/cflab/csv/lambdas.csv]
[lambdas][cflab] Loot written to [cloudfox-output/aws/cflab/loot/lambda-get-function-commands.txt]
[lambdas][cflab] 2 lambdas found.
[route53][cflab] Enumerating Route53 for account 049881439828.
[route53][cflab] No DNS records found, skipping the creation of an output file.
[filesystems][cflab] Enumerating filesystems for account 049881439828.
[filesystems][cflab] Supported Services: EFS, FSx
[filesystems] Status: 34/34 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[filesystems] Output written to [cloudfox-output/aws/cflab/table/filesystems.txt]
[filesystems] Output written to [cloudfox-output/aws/cflab/csv/filesystems.csv]
[filesystems][cflab] Loot written to [cloudfox-output/aws/cflab/loot/filesystems-mount-commands.txt]
[filesystems][cflab] 1 filesystems found.
[endpoints][cflab] Enumerating endpoints for account 049881439828.
[endpoints][cflab] Supported Services: App Runner, APIGateway, ApiGatewayV2, Cloudfront, EKS, ELB, ELBv2, Grafana,
[endpoints][cflab] 			Lambda, MQ, OpenSearch, Redshift, RDS
[endpoints] Status: 212/212 tasks complete (9 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[endpoints] Output written to [cloudfox-output/aws/cflab/table/endpoints.txt]
[endpoints] Output written to [cloudfox-output/aws/cflab/csv/endpoints.csv]
[endpoints][cflab] Loot written to [cloudfox-output/aws/cflab/loot/endpoints-UrlsOnly.txt]
[endpoints][cflab] 3 endpoints found.
[ecs-tasks][cflab] Enumerating ECS tasks in all regions for account 049881439828
[ecs-tasks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[ecs-tasks][cflab] Found pmapper data for this account. Using it for role analysis.
[ecs-tasks] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/table/ecs-tasks.txt]
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/csv/ecs-tasks.csv]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PrivateIPs.txt]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PublicIPs.txt]
[ecs-tasks][cflab] 1 ECS tasks found.
[eks][cflab] Enumerating EKS clusters for account 049881439828.
[eks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[eks][cflab] Found pmapper data for this account. Using it for role analysis.
[eks] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[eks][cflab] No clusters found, skipping the creation of an output file.
[elastic-network-interfaces][cflab] Enumerating elastic network interfaces in all regions for account 049881439828
[elastic-network-interfaces] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/table/elastic-network-interfaces.txt]
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/csv/elastic-network-interfaces.csv]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PrivateIPs.txt]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PublicIPs.txt]
[elastic-network-interfaces][cflab] 9 elastic network interfaces found.
[🦊 cloudfox 🦊 ] Looking for secrets hidden between the seat cushions.
[instances][cflab] Enumerating EC2 instances in all regions for account 049881439828
[instances][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[instances][cflab] Found pmapper data for this account. Using it for role analysis.
[instances] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[instance-userdata][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instance-userdata.txt]
[env-vars][cflab] Enumerating environment variables in all regions for account 049881439828.
[env-vars][cflab] Supported Services: App Runner, Elastic Container Service, Lambda, Lightsail Containers, Sagemaker
[env-vars] Status: 82/82 tasks complete (10 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[env-vars] Output written to [cloudfox-output/aws/cflab/table/env-vars.txt]
[env-vars] Output written to [cloudfox-output/aws/cflab/csv/env-vars.csv]
[env-vars][cflab] 3 environment variables found.
[cloudformation][cflab] Enumerating cloudformation stacks for account 049881439828.
[cloudformation] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[cloudformation] Output written to [cloudfox-output/aws/cflab/table/cloudformation.txt]
[cloudformation] Output written to [cloudfox-output/aws/cflab/csv/cloudformation.csv]
[cloudformation][cflab] Loot written to [cloudfox-output/aws/cflab/loot/cloudformation-data.txt]
[cloudformation][cflab] 2 cloudformation stacks found.
[🦊 cloudfox 🦊 ] Arming you with the data you'll need for privesc quests.
[buckets][cflab] Enumerating buckets for account 049881439828.
[buckets] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[buckets] Output written to [cloudfox-output/aws/cflab/table/buckets.txt]
[buckets] Output written to [cloudfox-output/aws/cflab/csv/buckets.csv]
[buckets][cflab] Loot written to [cloudfox-output/aws/cflab/loot/bucket-commands.txt]
[buckets][cflab] 9 buckets found.
[ecr][cflab] Enumerating container repositories for account 049881439828.
[ecr] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[ecr] Output written to [cloudfox-output/aws/cflab/table/ecr.txt]
[ecr] Output written to [cloudfox-output/aws/cflab/csv/ecr.csv]
[ecr][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecr-pull-commands.txt]
[ecr][cflab] 1 repositories found.
[secrets][cflab] Enumerating secrets for account 049881439828.
[secrets][cflab] Supported Services: SecretsManager, SSM Parameters
[secrets] Status: 34/34 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[secrets] Output written to [cloudfox-output/aws/cflab/table/secrets.txt]
[secrets] Output written to [cloudfox-output/aws/cflab/csv/secrets.csv]
[secrets][cflab] Loot written to [cloudfox-output/aws/cflab/loot/pull-secrets-commands.txt]
[secrets][cflab] 7 secrets found.
[ram][cflab] Enumerating shared resources for account 049881439828.
[ram] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[ram] Output written to [cloudfox-output/aws/cflab/table/ram.txt]
[ram] Output written to [cloudfox-output/aws/cflab/csv/ram.csv]
[ram][cflab] 2 resources found.
[🦊 cloudfox 🦊 ] IAM is complicated. Complicated usually means misconfigurations. You'll want to pay attention here.
[principals][cflab] Enumerating IAM Users and Roles for account 049881439828.
[principals] Output written to [cloudfox-output/aws/cflab/table/principals.txt]
[principals] Output written to [cloudfox-output/aws/cflab/csv/principals.csv]
[principals][cflab] 35 IAM principals found.
[permissions][cflab] Enumerating IAM permissions for account 049881439828.
[permissions] Output written to [cloudfox-output/aws/cflab/table/permissions.txt]
[permissions] Output written to [cloudfox-output/aws/cflab/csv/permissions.csv]
[permissions][cflab] 3889 unique permissions identified.
[access-keys][cflab] Mapping user access keys for account: 049881439828.
[access-keys][cflab] Only active access keys are shown.
[access-keys] Output written to [cloudfox-output/aws/cflab/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cflab/csv/access-keys.csv]
[access-keys][cflab] Loot written to [cloudfox-output/aws/cflab/loot/access-keys.txt]
[access-keys][cflab] 5 access keys found.
[role-trusts][cflab] Enumerating role trusts for account 049881439828.
[role-trusts][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[role-trusts][cflab] Found pmapper data for this account. Using it for role analysis
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-principals.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-principals.csv]
[role-trusts][cflab] 9 role trusts found.
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-services.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-services.csv]
[role-trusts][cflab] 18 role trusts found.
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-federated.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-federated.csv]
[role-trusts][cflab] 3 role trusts found.
[pmapper][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[pmapper][cflab] Parsing pmapper data for account 049881439828.
[pmapper] Output written to [cloudfox-output/aws/cflab/table/pmapper.txt]
[pmapper] Output written to [cloudfox-output/aws/cflab/csv/pmapper.csv]
[pmapper][cflab] 11 principals who are admin or have a path to admin identified.
[iam-simulator][cflab] Running multiple iam-simulator queries for account 049881439828. (This command can be pretty slow, FYI)
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[iam-simulator] Output written to [cloudfox-output/aws/cflab/table/iam-simulator.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cflab/csv/iam-simulator.csv]
[iam-simulator][cflab] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator][cflab] Loot written to [cloudfox-output/aws/cflab/loot/iam-simulator-pmapper-commands.txt]
[🦊 cloudfox 🦊 ] That's it! Check your output files for situational awareness and check your loot files for next steps.
[🦊 cloudfox 🦊 ] FYI, we skipped the outbound-assumed-roles module in all-checks (really long run time). Make sure to try it out manually.

access-keys

This command maps all active access key IDs to their owning users for an AWS account. This is useful if you want to search files for specific access keys, or if you have found an access key and want to find out which user it belongs to.

Example 1: maps all active access keys for all users in the account

❯ cloudfox aws --profile cf-exec -v2 access-keys
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942186266844000
[access-keys] Mapping user access keys for account: 049881439828.
[access-keys] Only active access keys are shown.
╭────────────────┬──────────────────────╮
│   User Name    │    Access Key ID     │
├────────────────┼──────────────────────┤
│ pele           │ AKIAQXHJKLZKIJ6QPJFK │
│ terraform-user │ AKIAQXHJKLZKG2U6MIFF │
╰────────────────┴──────────────────────╯
[access-keys] Output written to [cloudfox-output/aws/cf-exec/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cf-exec/csv/access-keys.csv]
[access-keys] Loot written to [cloudfox-output/aws/cf-exec/loot/access-keys.txt]
[access-keys] 2 access keys found.

Example 2: look up a specific access key

❯ cloudfox aws --profile cf-exec -v2 access-keys --filter AKIAQXHJKLZKIJ6QPJFK
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942670815294000
[access-keys] Mapping user access keys for account: 049881439828.
[access-keys] Only active access keys are shown.
╭───────────┬──────────────────────╮
│ User Name │    Access Key ID     │
├───────────┼──────────────────────┤
│ pele      │ AKIAQXHJKLZKIJ6QPJFK │
╰───────────┴──────────────────────╯
[access-keys] Output written to [cloudfox-output/aws/cf-exec/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cf-exec/csv/access-keys.csv]
[access-keys] Loot written to [cloudfox-output/aws/cf-exec/loot/access-keys.txt]
[access-keys] 1 access keys found.
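The second use case above (you have a key ID from a file and want to know whose it is) is easy to script once the CSV output exists. The following is an added example, not part of CloudFox: it loads a constructed copy of an access-keys CSV (the column names `User Name` and `Access Key ID` are assumed to match the table headers; check the real file under cloudfox-output/aws/<profile>/csv/access-keys.csv), scans a block of text for key-ID-shaped strings, and reports which user each one belongs to. Keys that are not active in the account come back as `None`, which is itself worth investigating (a deleted key, or a key from another account).

```python
import csv
import io
import re

# Constructed sample of a cloudfox access-keys CSV (assumed column names).
SAMPLE_ACCESS_KEYS_CSV = """User Name,Access Key ID
pele,AKIAQXHJKLZKIJ6QPJFK
terraform-user,AKIAQXHJKLZKG2U6MIFF
"""

# Constructed text standing in for a file being searched (a credentials/config dump).
# The second key ID is made up and does not belong to the sample account.
SAMPLE_FILE_CONTENT = """
[default]
aws_access_key_id = AKIAQXHJKLZKIJ6QPJFK
aws_secret_access_key = REDACTED
# leftover from an old account
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000
"""

# Long-term key IDs start with AKIA, temporary (STS) ones with ASIA; both are 20 characters.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


def load_key_map(csv_text):
    """Return {access_key_id: user_name} from a cloudfox access-keys CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Access Key ID"].strip(): row["User Name"].strip() for row in reader}


def find_key_ids(text):
    """Return the distinct access key IDs found in text, in first-seen order."""
    seen = []
    for match in KEY_ID_RE.finditer(text):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def attribute_keys(text, key_map):
    """Map each key ID found in text to its owning user, or None if it is not an active key here."""
    return {key_id: key_map.get(key_id) for key_id in find_key_ids(text)}


if __name__ == "__main__":
    owners = attribute_keys(SAMPLE_FILE_CONTENT, load_key_map(SAMPLE_ACCESS_KEYS_CSV))
    for key_id, user in owners.items():
        print(f"{key_id} -> {user if user else 'not an active key in this account'}")
```

Point it at real files by replacing `SAMPLE_FILE_CONTENT` with the contents of whatever you are searching; the regex only finds the key ID, never the secret, so the output is safe to paste into a report.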

buckets

Lists the buckets in the account and gives you handy commands for inspecting them further.

Example:

❯ cloudfox aws --profile cf-exec -v2 buckets
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942714852430000
[buckets] Enumerating buckets for account 049881439828.
[buckets] Status: 1/1 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬────────┬──────────────────────────────────────╮
│ Service │ Region │                 Name                 │
├─────────┼────────┼──────────────────────────────────────┤
│ S3      │ Global │ cf-templates-1c3fmu2nov5ko-us-east-1 │
│ S3      │ Global │ cloudfox-bucket1                     │
│ S3      │ Global │ cloudfox-bucket2                     │
│ S3      │ Global │ cloudfox-bucket3                     │
│ S3      │ Global │ cloudfox-terraform-state             │
╰─────────┴────────┴──────────────────────────────────────╯
[buckets] Output written to [cloudfox-output/aws/cf-exec/table/buckets.txt]
[buckets] Output written to [cloudfox-output/aws/cf-exec/csv/buckets.csv]
[buckets] Loot written to [cloudfox-output/aws/cf-exec/loot/bucket-commands.txt]
[buckets] 5 buckets found.

cloudformation

Lists the CloudFormation stacks in the account and generates a loot file with stack details, stack parameters, and stack outputs; look through it for secrets.

Example:

❯ cloudfox aws --profile cflab -v2 cloudformation
[🦊 cloudfox v1.8.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[cloudformation][cflab] Enumerating cloudformation stacks for account 049881439828.
[cloudformation] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────────┬───────────┬─────────────────────────────┬──────╮
│    Service     │  Region   │            Name             │ Role │
├────────────────┼───────────┼─────────────────────────────┼──────┤
│ cloudformation │ us-west-1 │ intro                       │      │
│ cloudformation │ us-west-2 │ privesc-cloudformationStack │      │
│ cloudformation │ us-west-2 │ token                       │      │
╰────────────────┴───────────┴─────────────────────────────┴──────╯
[cloudformation] Output written to [cloudfox-output/aws/cflab/table/cloudformation.txt]
[cloudformation] Output written to [cloudfox-output/aws/cflab/csv/cloudformation.csv]
[cloudformation][cflab] Loot written to [cloudfox-output/aws/cflab/loot/cloudformation-data.txt]

ecr

Lists the most recently pushed image from every repository. Use the loot file to pull selected images down with docker or nerdctl for inspection.

Example:

❯ cloudfox aws --profile cf-exec -v2 ecr
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[ecr][cflab] Enumerating container repositories for account 049881439828.
[ecr] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬───────────────┬───────────────────────────────────────────────────────────────────┬─────────────────────┬───────────┬───────────╮
│ Service │  Region   │     Name      │                                URI                                │      PushedAt       │ ImageTags │ ImageSize │
├─────────┼───────────┼───────────────┼───────────────────────────────────────────────────────────────────┼─────────────────────┼───────────┼───────────┤
│ ECR     │ us-west-2 │ cloudfox-repo │ 049881439828.dkr.ecr.us-west-2.amazonaws.com/cloudfox-repo:latest │ 2022-09-12 17:51:57 │ latest    │ 718945268 │
╰─────────┴───────────┴───────────────┴───────────────────────────────────────────────────────────────────┴─────────────────────┴───────────┴───────────╯
[ecr] Output written to [cloudfox-output/aws/cflab/table/ecr.txt]
[ecr] Output written to [cloudfox-output/aws/cflab/csv/ecr.csv]
[ecr][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecr-pull-commands.txt]
[ecr][cflab] 1 repositories found.

ecs-tasks

Lists all ECS tasks, with the associated cluster, task definition, container instance, launch type, and IAM principal for each.
This command was contributed by: Dominic Breuker

Example:

❯ cloudfox aws -p cflab ecs-tasks -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[ecs-tasks][cflab] Enumerating ECS tasks in all regions for account 049881439828
[ecs-tasks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[ecs-tasks][cflab] Found pmapper data for this account. Using it for role analysis.
[ecs-tasks] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭──────────────────┬────────────────┬────────────┬──────────────────────────────────┬──────────────┬─────────────┬────────────────────────────────────────┬──────────────┬────────────────────╮
│     Cluster      │ TaskDefinition │ LaunchType │                ID                │ External IP  │ Internal IP │                RoleArn                 │ IsAdminRole? │ CanPrivEscToAdmin? │
├──────────────────┼────────────────┼────────────┼──────────────────────────────────┼──────────────┼─────────────┼────────────────────────────────────────┼──────────────┼────────────────────┤
│ cloudfox-cluster │ webapp:13      │ FARGATE    │ 44050e9c230a408593b9e7709be01ddf │ 35.92.101.69 │ 10.0.1.113  │ arn:aws:iam::049881439828:role/rapinoe │ No           │ No                 │
╰──────────────────┴────────────────┴────────────┴──────────────────────────────────┴──────────────┴─────────────┴────────────────────────────────────────┴──────────────┴────────────────────╯
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/table/ecs-tasks.txt]
[ecs-tasks] Output written to [cloudfox-output/aws/cflab/csv/ecs-tasks.csv]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PrivateIPs.txt]
[ecs-tasks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/ecs-tasks-PublicIPs.txt]
[ecs-tasks][cflab] 1 ECS tasks found.

eks

Lists all EKS clusters, shows whether each exposes its API endpoint publicly, and checks the IAM roles attached to each cluster or node group. Generates a loot file with the aws eks update-kubeconfig command needed to connect to each cluster.

Example:

❯ cloudfox aws -p cflab eks -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[eks][cflab] Enumerating EKS clusters for account 049881439828.
[eks][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[eks][cflab] Found pmapper data for this account. Using it for role analysis.
[eks] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬──────────┬────────┬───────────────┬─────────────────────────────────────────┬──────────────┬────────────────────╮
│ Service │  Region   │ Name     │ Public │ NodeGroup     │                 Role                    │ IsAdminRole? │ CanPrivEscToAdmin? │
├─────────┼───────────┼──────────┼────────┼───────────────┼─────────────────────────────────────────┼──────────────┼────────────────────┤
│ EKS     │ us-east-1 │ test-eks │ true   │ nodegroup1    │ arn:aws:iam::049881439828:role/role1    │ No           │ No                 │
│ EKS     │ us-east-1 │ test-eks │ true   │ nodegroup2    │ arn:aws:iam::049881439828:role/role2    │ No           │ No                 │
╰─────────┴───────────┴──────────┴────────┴───────────────┴─────────────────────────────────────────┴──────────────┴────────────────────╯
[eks] Output written to [cloudfox-output/aws/cflab/table/eks.txt]
[eks] Output written to [cloudfox-output/aws/cflab/csv/eks.csv]
[eks][cflab] Loot written to [cloudfox-output/aws/cflab/loot/eks-kubeconfig-commands.txt]
[eks][cflab] 1 clusters with a total of 2 node groups found.

elastic-network-interfaces (or eni)

Lists all elastic network interfaces, including the ENI ID, type, external IP, private IP, VPC ID, attached instance, and description.
This command was contributed by: Dominic Breuker

Example:

❯ cloudfox aws -p cflab eni -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[elastic-network-interfaces][cflab] Enumerating elastic network interfaces in all regions for account 049881439828
[elastic-network-interfaces] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭───────────────────────┬───────────┬────────────────┬──────────────┬───────────────────────┬─────────────────────┬────────────────────────────────────────────────────────────────────────────────────╮
│          ID           │   Type    │  External IP   │ Internal IP  │        VPC ID         │  Attached Instance  │                                    Description                                     │
├───────────────────────┼───────────┼────────────────┼──────────────┼───────────────────────┼─────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ eni-0d53e3af1ccb2ff78 │ interface │ 34.221.102.135 │ 10.0.1.198   │ vpc-0a5b555f19236f968 │ i-09c4720abd8089326 │                                                                                    │
│ eni-00ba66c87a55bb1a0 │ interface │ NoExternalIP   │ 10.0.1.160   │ vpc-0a5b555f19236f968 │                     │ EFS mount target for fs-056221b8056f6cb13 (fsmt-0e32c91201616cd48)                 │
│ eni-0c9cedc3ea703c03f │ interface │ 52.12.121.187  │ 10.0.1.106   │ vpc-0a5b555f19236f968 │ i-08c087a559323aff9 │                                                                                    │
│ eni-0b315774508ae9615 │ interface │ 54.187.4.219   │ 10.0.1.111   │ vpc-0a5b555f19236f968 │ i-08ec238f610e9c915 │                                                                                    │
│ eni-0b409f9e9de0325d0 │ interface │ 52.26.221.228  │ 10.0.1.63    │ vpc-0a5b555f19236f968 │ i-06ba5dcc0b5de0257 │                                                                                    │
│ eni-0ae4d60fd191fee82 │ interface │ 52.41.51.204   │ 10.0.1.205   │ vpc-0a5b555f19236f968 │                     │ arn:aws:ecs:us-west-2:049881439828:attachment/15b7c6be-e4c5-4a40-9da2-226fd2f7fab2 │
│ eni-0da7f0c3498e8688d │ interface │ 34.214.146.170 │ 172.31.29.24 │ vpc-0c924df8a157859e0 │ i-02ec97d835d8738dc │                                                                                    │
╰───────────────────────┴───────────┴────────────────┴──────────────┴───────────────────────┴─────────────────────┴────────────────────────────────────────────────────────────────────────────────────╯
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/table/elastic-network-interfaces.txt]
[elastic-network-interfaces] Output written to [cloudfox-output/aws/cflab/csv/elastic-network-interfaces.csv]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PrivateIPs.txt]
[elastic-network-interfaces][cflab] Loot written to [cloudfox-output/aws/cflab/loot/elastic-network-interfaces-PublicIPs.txt]
[elastic-network-interfaces][cflab] 7 elastic network interfaces found.

endpoints

This command enumerates endpoints from various services. Look for public endpoints, endpoints that don't require authentication, etc.

Example:

❯ cloudfox aws --profile cf-exec -v2 endpoints
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[endpoints][cflab] Enumerating endpoints for account 049881439828.
[endpoints][cflab] Supported Services: App Runner, APIGateway, ApiGatewayV2, Cloudfront, EKS, ELB, ELBv2, Grafana,
[endpoints][cflab] 			Lambda, MQ, OpenSearch, Redshift, RDS
[endpoints] Status: 212/212 tasks complete (9 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────┬───────────┬──────────────┬───────────────────────────────────────────────────────────────────────┬──────┬──────────┬────────╮
│  Service   │  Region   │     Name     │                               Endpoint                                │ Port │ Protocol │ Public │
├────────────┼───────────┼──────────────┼───────────────────────────────────────────────────────────────────────┼──────┼──────────┼────────┤
│ App Runner │ us-west-2 │ example      │ https://wejpymersj.us-west-2.awsapprunner.com                         │ 443  │ https    │ True   │
│ ELB        │ us-west-2 │ cloudfox-elb │ http://cloudfox-elb-834557314.us-west-2.elb.amazonaws.com:80          │ 80   │ HTTP     │ True   │
│ Lambda     │ us-west-2 │ lambda2      │ https://scyoucfcogj5mthweznc5fcuva0mpokg.lambda-url.us-west-2.on.aws/ │ 443  │ https    │ True   │
│ Lambda     │ us-west-2 │ lambda1      │ https://jrtbo2vgw6o74nexfozi3ltgey0kupgn.lambda-url.us-west-2.on.aws/ │ 443  │ https    │ True   │
│ RDS        │ us-west-2 │ cloudfox-rds │ cloudfox-rds.ckzvqq0tjs4a.us-west-2.rds.amazonaws.com                 │ 3306 │ mysql    │ True   │
╰────────────┴───────────┴──────────────┴───────────────────────────────────────────────────────────────────────┴──────┴──────────┴────────╯
[endpoints] Output written to [cloudfox-output/aws/cf-exec/table/endpoints.txt]
[endpoints] Output written to [cloudfox-output/aws/cf-exec/csv/endpoints.csv]
[endpoints] Loot written to [cloudfox-output/aws/cf-exec/loot/endpoints-UrlsOnly.txt]
[endpoints] 5 endpoints enumerated.

env-vars

Grabs the environment variables from services that have them (App Runner, ECS, Lambda, Lightsail containers, and Sagemaker are supported). If you find a sensitive secret, use cloudfox iam-simulator AND pmapper to see who has access to it.

**Example: Enumerate environment variables in multiple services**

❯ cloudfox aws --profile cf-exec -v2 env-vars
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942784490595000
[env-vars] Enumerating environment variables in all regions for account 049881439828.
[env-vars] Supported Services: App Runner, Elastic Container Service, Lambda, Lightsail Containers, Sagemaker
[env-vars] Status: 105/105 tasks complete (48 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────┬───────────┬─────────┬─────────────────┬─────────────────────────────────╮
│  Service   │  Region   │  Name   │       Key       │              Value              │
├────────────┼───────────┼─────────┼─────────────────┼─────────────────────────────────┤
│ App Runner │ us-west-2 │ example │ secret_password │ 12345                           │
│ Lambda     │ us-west-2 │ lambda1 │ RDS_PASSWORD    │ ]M=rsDq}p9n:u{6*$dz2}}t7D:YH#k7 │
│ Lambda     │ us-west-2 │ lambda1 │ RDS_USER        │ admin                           │
╰────────────┴───────────┴─────────┴─────────────────┴─────────────────────────────────╯
[env-vars] Output written to [cloudfox-output/aws/cf-exec/table/env-vars.txt]
[env-vars] Output written to [cloudfox-output/aws/cf-exec/csv/env-vars.csv]
[env-vars] 3 environment variables found.
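In a large account the env-vars table runs to hundreds of rows, so it helps to triage it before reading every value. The following is an added example, not CloudFox code: it parses a constructed env-vars CSV (column names `Service,Region,Name,Key,Value` assumed from the table above; the real file is under cloudfox-output/aws/<profile>/csv/env-vars.csv) and flags a row when the variable name suggests a credential or when the value is long and high-entropy, the two heuristics that catch most hard-coded secrets. The fourth and fifth rows are made up to exercise the "boring" and "high-entropy" paths.

```python
import csv
import io
import math

# Constructed sample mirroring the env-vars table above, plus two made-up rows.
SAMPLE_ENV_VARS_CSV = """Service,Region,Name,Key,Value
App Runner,us-west-2,example,secret_password,12345
Lambda,us-west-2,lambda1,RDS_PASSWORD,]M=rsDq}p9n:u{6*$dz2}}t7D:YH#k7
Lambda,us-west-2,lambda1,RDS_USER,admin
Lambda,us-west-2,lambda1,LOG_LEVEL,info
Lambda,us-west-2,lambda2,CFG,k8Qz2pLm9xVr4tYw7nB3cJ6hF1sD5gA
"""

# Substrings that usually mark a credential-bearing variable name.
SENSITIVE_NAME_HINTS = ("password", "passwd", "secret", "token", "api_key", "apikey", "private_key")

# Thresholds for the value-shape heuristic (chosen for this example, tune per environment).
MIN_SECRET_LEN = 20
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-character string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(key, value):
    """Return why the variable looks like a secret, or None if it looks harmless."""
    if any(hint in key.lower() for hint in SENSITIVE_NAME_HINTS):
        return "sensitive name"
    if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= MIN_ENTROPY_BITS:
        return "high-entropy value"
    return None


def triage(csv_text):
    """Return the rows worth a human look, with the reason, without echoing the value itself."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify(row["Key"], row["Value"])
        if reason:
            findings.append({"service": row["Service"], "region": row["Region"],
                             "name": row["Name"], "key": row["Key"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENV_VARS_CSV):
        print(f"{f['service']:<10} {f['region']:<10} {f['name']:<8} {f['key']:<16} {f['reason']}")
```

The report deliberately omits the value so it can be shared with the service owner; the value is still in the CSV when you need it. Expect false positives from the entropy rule (base64 config blobs, hashes) and false negatives from weak passwords like `12345`, which is why the name rule runs first.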

filesystems

Enumerates the EFS and FSx filesystems that you might be able to mount without credentials (given the right network access). For example, this is useful when you have ec2:RunInstances but not iam:PassRole.

Example: Enumerate any EFS or FSx shares

❯ cloudfox aws --profile cf-exec -v2 filesystems
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942818660709000
[filesystems] Enumerating filesystems for account 049881439828.
[filesystems] Supported Services: EFS, FSx
[filesystems] Status: 42/42 tasks complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬──────────────┬────────────┬────────────────────────┬───────────────────────╮
│ Service │  Region   │     Name     │  DNS Name  │      Mount Target      │        Policy         │
├─────────┼───────────┼──────────────┼────────────┼────────────────────────┼───────────────────────┤
│ EFS     │ us-west-2 │ cloudfox-efs │ 10.0.1.115 │ fsmt-079d42aa439682a63 │ Default (No IAM auth) │
╰─────────┴───────────┴──────────────┴────────────┴────────────────────────┴───────────────────────╯
[filesystems] Output written to [cloudfox-output/aws/cf-exec/table/filesystems.txt]
[filesystems] Output written to [cloudfox-output/aws/cf-exec/csv/filesystems.csv]
[filesystems] Loot written to [cloudfox-output/aws/cf-exec/loot/filesystems-mount-commands.txt]
[filesystems] 1 filesystems found.

iam-simulator

Like pmapper, but uses the IAM policy simulator. It uses AWS's own evaluation logic, but notably it does not consider transitive access via privilege escalation, which is why you should always also use pmapper.

Example: Default mode checks every principal against a hardcoded list of specific permissions for any resource

❯ cloudfox aws --profile cf-exec -v2 iam-simulator
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942906111954000
[iam-simulator] Running multiple iam-simulator queries for account 049881439828. (This command can be pretty slow, FYI)
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────╮
│ Service │                                                      Principal                                                       │                    Query                    │
├─────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole                                                         │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/adams                                                                                 │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/press                                                                                 │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:user/terraform-user                                                                        │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/not-admin                                                                             │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can apprunner:DescribeService on *          │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can apprunner:DescribeService on *          │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS                               │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/rapinoe                                                                               │ can ecr:BatchGetImage on *                  │
│ IAM     │ arn:aws:iam::049881439828:role/rapinoe                                                                               │ can ecr:GetAuthorizationToken on *          │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/lavelle                                                                               │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer        │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ can s3:GetObject on *                       │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor         │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/dempsey                                                                               │ can ssm:StartSession on *                   │
╰─────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────╯
[iam-simulator] Output written to [cloudfox-output/aws/cf-exec/table/iam-simulator.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-exec/csv/iam-simulator.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-exec/loot/iam-simulator-pmapper-commands.txt]

Example 2: Check a specific principal against the hardcoded list of interesting permissions

❯ cloudfox aws --profile cf-prod iam-simulator -v2 --principal arn:aws:iam::049881439828:role/OrganizationAccountAccessRole
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if arn:aws:iam::049881439828:role/OrganizationAccountAccessRole can do any actions of interest.
[iam-simulator] Status: 0/0 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────┬─────────────────────────────────────────────╮
│ Service │                          Principal                           │                    Query                    │
├─────────┼──────────────────────────────────────────────────────────────┼─────────────────────────────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can apprunner:DescribeService on *          │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ecr:BatchGetImage on *                  │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ecr:GetAuthorizationToken on *          │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can eks:UpdateClusterConfig on *            │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can iam:PassRole on *                       │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can s3:GetObject on *                       │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can secretsmanager:GetSecretValue on *      │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ssm:GetParameter on *                   │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ssm:StartSession on *                   │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ssm:sSendCommand on *                   │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can sts:AssumeRole on *                     │
╰─────────┴──────────────────────────────────────────────────────────────┴─────────────────────────────────────────────╯

Example 3: Check a specific principal against a specific permission

❯ cloudfox aws --profile cf-prod iam-simulator -v2 --principal arn:aws:iam::049881439828:role/OrganizationAccountAccessRole --action iam:PassRole
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if arn:aws:iam::049881439828:role/OrganizationAccountAccessRole can do iam:PassRole.
[iam-simulator] Status: 0/0 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────┬───────────────────────╮
│ Service │                          Principal                           │         Query         │
├─────────┼──────────────────────────────────────────────────────────────┼───────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can iam:PassRole on * │
╰─────────┴──────────────────────────────────────────────────────────────┴───────────────────────╯
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/table/iam-simulator-custom-1662941825.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/csv/iam-simulator-custom-1662941825.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-prod/loot/iam-simulator-pmapper-commands.txt]

Example 4: Check all principals against a specific permission

❯ cloudfox aws --profile cf-prod iam-simulator -v2 --action ecr:putimage
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if any principal can do ecr:putimage.
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────╮
│ Service │                                                      Principal                                                       │             Query              │
├─────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:user/terraform-user                                                                        │ Appears to be an administrator │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ Appears to be an administrator │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole                                                         │ Appears to be an administrator │
╰─────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────╯
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/table/iam-simulator-custom-1662941969.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/csv/iam-simulator-custom-1662941969.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-prod/loot/iam-simulator-pmapper-commands.txt]
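The simulator call behind this command, as an added example (not CloudFox's own code): it runs iam:SimulatePrincipalPolicy through boto3 for one principal and reduces the returned EvaluationResults to the "can X on *" rows shown in the tables above. The action list, principal ARN and sample results are constructed for the example, and the "appears to be an administrator" rule is an assumption about the tool's output, not its actual logic.

```python
# Constructed sample of "actions of interest"; CloudFox's real hardcoded list
# lives in the tool and is not reproduced here.
ACTIONS_OF_INTEREST = [
    "iam:PassRole",
    "sts:AssumeRole",
    "secretsmanager:GetSecretValue",
    "ssm:SendCommand",
    "s3:GetObject",
]

# Constructed EvaluationResults in the shape iam:SimulatePrincipalPolicy returns
# (placeholder account id, not the page's account).
SAMPLE_PRINCIPAL = "arn:aws:iam::111111111111:role/example-role"
SAMPLE_RESULTS = [
    {"EvalActionName": "iam:PassRole", "EvalResourceName": "*", "EvalDecision": "allowed"},
    {"EvalActionName": "sts:AssumeRole", "EvalResourceName": "*", "EvalDecision": "implicitDeny"},
    {"EvalActionName": "secretsmanager:GetSecretValue", "EvalResourceName": "*",
     "EvalDecision": "explicitDeny"},
    {"EvalActionName": "ssm:SendCommand", "EvalResourceName": "*", "EvalDecision": "allowed"},
    {"EvalActionName": "s3:GetObject", "EvalResourceName": "*", "EvalDecision": "allowed"},
]


def summarize_results(principal_arn, evaluation_results):
    """Reduce EvaluationResults to the rows the iam-simulator table prints.

    Each result carries EvalActionName, EvalResourceName and EvalDecision
    ('allowed', 'explicitDeny' or 'implicitDeny'). Only 'allowed' becomes a
    row; both kinds of deny are dropped, as in the tool's table.
    """
    rows = []
    for result in evaluation_results:
        if result.get("EvalDecision") != "allowed":
            continue
        rows.append({
            "principal": principal_arn,
            "query": "can {} on {}".format(result["EvalActionName"],
                                           result.get("EvalResourceName", "*")),
        })
    return rows


def decisions_by_kind(evaluation_results):
    """Count decisions per kind; an explicitDeny is a policy author's choice,
    an implicitDeny just means nothing granted the action."""
    counts = {}
    for result in evaluation_results:
        decision = result.get("EvalDecision", "implicitDeny")
        counts[decision] = counts.get(decision, 0) + 1
    return counts


def appears_admin(evaluation_results):
    """Assumed heuristic for the 'Appears to be an administrator' row: every
    probed action is allowed on '*'. CloudFox's exact rule is not on the page."""
    decisions = [r.get("EvalDecision") for r in evaluation_results]
    return bool(decisions) and all(d == "allowed" for d in decisions)


def simulate_principal(principal_arn, actions=ACTIONS_OF_INTEREST, iam_client=None):
    """Live call: iam:SimulatePrincipalPolicy, paginated, for one principal
    against resource '*'. boto3 is imported lazily so the pure functions above
    run without it; pass iam_client to reuse a session or inject a fake."""
    if iam_client is None:
        import boto3  # only needed for the live call
        iam_client = boto3.client("iam")
    results = []
    paginator = iam_client.get_paginator("simulate_principal_policy")
    for page in paginator.paginate(PolicySourceArn=principal_arn,
                                   ActionNames=list(actions),
                                   ResourceArns=["*"]):
        results.extend(page["EvaluationResults"])
    return results


if __name__ == "__main__":
    for row in summarize_results(SAMPLE_PRINCIPAL, SAMPLE_RESULTS):
        print(row["principal"], row["query"])
    print(decisions_by_kind(SAMPLE_RESULTS))
```

The live call needs credentials allowed to call iam:SimulatePrincipalPolicy on the target principal. The limitation the page describes shows up directly in this shape: the simulator answers "what can this principal do right now", so a principal whose only route to admin is an iam:PassRole or sts:AssumeRole hop still reads as non-admin here; that is the gap the pmapper commands in the loot file fill.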

Instances

This command enumerates the following information for EC2 Instances in all regions of an AWS account:

  • Instance ID
  • Instance Name
  • Instance Profile
  • Zone
  • Instance State
  • Internal IP
  • External IP
  • "userData" Attribute

Example 1: Enumerate general information about EC2 instances, including which instances have admin permissions attached

❯ cloudfox aws -p cflab instances -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[instances][cflab] Enumerating EC2 instances in all regions for account 049881439828
[instances][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[instances][cflab] Found pmapper data for this account. Using it for role analysis.
[instances] Status: 17/17 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭───────────┬─────────────────────┬────────────┬─────────┬────────────────┬──────────────┬──────────────────────────────────────────────────────┬──────────────┬────────────────────╮
│   Name    │         ID          │    Zone    │  State  │  External IP   │ Internal IP  │                         Role                         │ IsAdminRole? │ CanPrivEscToAdmin? │
├───────────┼─────────────────────┼────────────┼─────────┼────────────────┼──────────────┼──────────────────────────────────────────────────────┼──────────────┼────────────────────┤
│           │ i-02ec97d835d8738dc │ us-west-2b │ running │ 34.214.146.170 │ 172.31.29.24 │ arn:aws:iam::049881439828:role/imdvs2-challenge-role │ No           │ No                 │
│ instance1 │ i-06ba5dcc0b5de0257 │ us-west-2a │ running │ 52.26.221.228  │ 10.0.1.63    │                                                      │              │                    │
│ instance2 │ i-09c4720abd8089326 │ us-west-2a │ running │ 34.221.102.135 │ 10.0.1.198   │                                                      │              │                    │
│ instance3 │ i-08c087a559323aff9 │ us-west-2a │ running │ 52.12.121.187  │ 10.0.1.106   │ arn:aws:iam::049881439828:role/press                 │ YES          │ YES                │
│ instance4 │ i-08ec238f610e9c915 │ us-west-2a │ running │ 54.187.4.219   │ 10.0.1.111   │                                                      │              │                    │
╰───────────┴─────────────────────┴────────────┴─────────┴────────────────┴──────────────┴──────────────────────────────────────────────────────┴──────────────┴────────────────────╯
[instances] Output written to [cloudfox-output/aws/cflab/table/instances.txt]
[instances] Output written to [cloudfox-output/aws/cflab/csv/instances.csv]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PrivateIPs.txt]
[instances][cflab] Loot written to [cloudfox-output/aws/cflab/loot/instances-ec2PublicIPs.txt]
[instances][cflab] 5 instances found.

Example 2: Obtain only the userData attributes for EC2 instances
This is a separate flag because userData does not fit in the table or CSV output formats.

❯ cloudfox aws --profile cf-exec -v2 instances --userdata
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943069534483000
[instances] Enumerating EC2 instances in all regions for account 049881439828
[instances] Status: 21/21 tasks complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
=============================================

Instance Arn: arn:aws:ec2:us-west-2:049881439828:instance/i-020e69c99ce4c7a97
Region: us-west-2
Instance Profile: NoInstanceProfile

User Data:
#!/bin/bash
export RDS_USER="admin"
export RDS_PASSWORD="]M=rsDq}p9n:u{6*$dz2}}t7D:YH#k7"

=============================================

[instance-userdata] Loot written to [cloudfox-output/aws/cf-exec/loot/instance-userdata.txt]
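Reading user data the way a reviewer would, as an added example that is not part of CloudFox: it decodes the base64 (and optionally gzip-compressed) form that ec2:DescribeInstanceAttribute returns and flags lines that assign credential-looking variables, redacting the values so a finding can be logged without copying the secret. The script, variable values and the fetch helper's parameters are constructed placeholders.

```python
import base64
import gzip
import re

# Constructed user-data script with placeholder values (not the page's secret).
SAMPLE_SCRIPT = """#!/bin/bash
export RDS_USER="admin"
export RDS_PASSWORD="s3cret-example-value"
DB_HOST=db.internal.example
api_token=tok-example-123
"""
# DescribeInstanceAttribute returns the script base64-encoded; cloud-init also
# accepts a gzip-compressed script, so both encodings are exercised below.
SAMPLE_USER_DATA = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
SAMPLE_USER_DATA_GZ = base64.b64encode(gzip.compress(SAMPLE_SCRIPT.encode())).decode()

# Shell/cloud-init assignment whose variable name suggests a credential.
SECRET_ASSIGNMENT_RE = re.compile(
    r"(?i)(?:^|\s)(?:export\s+)?"
    r"([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)[A-Z0-9_]*)"
    r"\s*=\s*(\S+)"
)


def decode_user_data(raw_base64):
    """Decode UserData.Value; gunzip when the bytes start with the gzip magic."""
    data = base64.b64decode(raw_base64)
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8", errors="replace")


def find_secret_assignments(user_data_text):
    """Return (line_number, variable_name, redacted_value) per suspicious line."""
    findings = []
    for lineno, line in enumerate(user_data_text.splitlines(), start=1):
        match = SECRET_ASSIGNMENT_RE.search(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip("\"'")
        redacted = value[:2] + "*" * max(len(value) - 2, 0)
        findings.append((lineno, name, redacted))
    return findings


def scan_instance_user_data(raw_base64):
    """Decode then scan, the two steps a defender runs per instance."""
    return find_secret_assignments(decode_user_data(raw_base64))


def fetch_user_data(instance_id, region):
    """Live call: ec2:DescribeInstanceAttribute with Attribute='userData'.
    The Value key is absent when the instance has no user data."""
    import boto3  # lazy import; the functions above run offline
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_instance_attribute(InstanceId=instance_id, Attribute="userData")
    return resp.get("UserData", {}).get("Value", "")


if __name__ == "__main__":
    for lineno, name, redacted in scan_instance_user_data(SAMPLE_USER_DATA):
        print("line {}: {}={}".format(lineno, name, redacted))
```

User data is not a secret store: any principal with ec2:DescribeInstanceAttribute reads it, and it is also served to every process on the instance through the metadata service. A finding from this scan is a prompt to move the value into Secrets Manager or SSM Parameter Store and have the boot script fetch it through the instance role.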

Inventory

This command enumerates resource counts by service and region, so you can quickly find out which regions the client actually uses.

Example:

❯ cloudfox aws --profile cf-exec -v2 inventory
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943145181650000
[inventory] Enumerating selected services in all regions for account 049881439828.
[inventory] Supported Services: ApiGateway, ApiGatewayv2, AppRunner, CloudFormation, Cloudfront, EC2, ECS, EKS,
[inventory] 			ELB, ELBv2, Grafana, IAM, Lambda, Lightsail, MQ, OpenSearch, RDS, S3, SecretsManager, SSM
[inventory] Status: 357/357 tasks complete (90 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────────────────────────┬───────────┬───────────╮
│         Resource Type          │ us-west-2 │ us-east-1 │
├────────────────────────────────┼───────────┼───────────┤
│ Total                          │ 24        │ 10        │
│ APIGateway RestAPIs            │ -         │ -         │
│ APIGatewayv2 APIs              │ -         │ -         │
│ AppRunner Services             │ 1         │ -         │
│ CloudFormation Stacks          │ 7         │ 8         │
│ Cloudfront Distributions       │ -         │ -         │
│ EC2 Instances                  │ 4         │ 2         │
│ ECS Tasks                      │ 1         │ -         │
│ EKS Clusters                   │ -         │ -         │
│ ELB Load Balancers             │ 1         │ -         │
│ ELBv2 Load Balancers           │ -         │ -         │
│ Grafana Workspaces             │ -         │ -         │
│ Lambda Functions               │ 2         │ -         │
│ Lightsail Instances/Containers │ -         │ -         │
│ MQ Brokers                     │ -         │ -         │
│ OpenSearch DomainNames         │ -         │ -         │
│ RDS DB Instances               │ 1         │ -         │
│ SecretsManager Secrets         │ 3         │ -         │
│ SSM Parameters                 │ 4         │ -         │
╰────────────────────────────────┴───────────┴───────────╯
[inventory] Output written to [cloudfox-output/aws/cf-exec/table/inventory.txt]
[inventory] Output written to [cloudfox-output/aws/cf-exec/csv/inventory.csv]
╭───────────────┬───────╮
│ Resource Type │ Total │
├───────────────┼───────┤
│ S3 Buckets    │ 5     │
│ IAM Users     │ 2     │
│ IAM Roles     │ 29    │
╰───────────────┴───────╯
[inventory] Output written to [cloudfox-output/aws/cf-exec/table/inventory-global.txt]
[inventory] Output written to [cloudfox-output/aws/cf-exec/csv/inventory-global.csv]
[inventory] 70 resources enumerated in the services we looked at. This is NOT the total number of resources in the account.

Lambda

Lists the Lambda functions in the account, including which ones have admin roles attached. It also gives you handy commands for downloading each function's code.

Example:

❯ cloudfox aws -p cflab lambda -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[lambdas][cflab] Enumerating lambdas for account 049881439828.
[lambdas][cflab] Attempting to build a PrivEsc graph in memory using local pmapper data if it exists on the filesystem.
[lambdas][cflab] Found pmapper data for this account. Using it for role analysis.
[lambdas] Status: 17/17 regions complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬──────────────┬─────────────────────────────────────────┬──────────────┬────────────────────╮
│ Service │  Region   │ Resource Arn │                  Role                   │ IsAdminRole? │ CanPrivEscToAdmin? │
├─────────┼───────────┼──────────────┼─────────────────────────────────────────┼──────────────┼────────────────────┤
│ Lambda  │ us-west-2 │ lambda2      │ arn:aws:iam::049881439828:role/adams    │ YES          │ YES                │
│ Lambda  │ us-west-2 │ lambda1      │ arn:aws:iam::049881439828:role/aaronson │ No           │ No                 │
╰─────────┴───────────┴──────────────┴─────────────────────────────────────────┴──────────────┴────────────────────╯
[lambdas] Output written to [cloudfox-output/aws/cflab/table/lambdas.txt]
[lambdas] Output written to [cloudfox-output/aws/cflab/csv/lambdas.csv]
[lambdas][cflab] Loot written to [cloudfox-output/aws/cflab/loot/lambda-get-function-commands.txt]
[lambdas][cflab] 2 lambdas found.

outbound-assumed-roles

List the roles that have been assumed by principals in this account. This is an excellent way to find outbound attack paths that lead into other accounts.

Example:

❯ cloudfox aws --profile cf-exec -v2 outbound-assumed-roles
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943206814835000
[outbound-assumed-roles] Enumerating outbound assumed role entries in cloudtrail for account 049881439828.
[outbound-assumed-roles] Going back through 7 days of cloudtrail events. (This command can be pretty slow, FYI)
[outbound-assumed-roles] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────┬───────────┬─────────┬───────────────────────────────────────────────┬───────────────────────────────────────────────────┬─────────────────────╮
│  Service   │  Region   │  Type   │               Source Principal                │               Destination Principal               │ Log Entry Timestamp │
├────────────┼───────────┼─────────┼───────────────────────────────────────────────┼───────────────────────────────────────────────────┼─────────────────────┤
│ CloudTrail │ us-east-1 │ IAMUser │ arn:aws:iam::049881439828:user/terraform-user │ arn:aws:iam::049881439828:role/CloudFox-exec-role │ 2022-09-12 00:39:12 │
│ CloudTrail │ us-east-1 │ IAMUser │ arn:aws:iam::049881439828:user/terraform-user │ arn:aws:iam::049881439828:role/CloudFox-exec-role │ 2022-09-12 00:39:11 │
...omitted for brevity...
╰────────────┴───────────┴─────────┴───────────────────────────────────────────────┴───────────────────────────────────────────────────┴─────────────────────╯
[outbound-assumed-roles] Output written to [cloudfox-output/aws/cf-exec/table/outbound-assumed-roles.txt]
[outbound-assumed-roles] Output written to [cloudfox-output/aws/cf-exec/csv/outbound-assumed-roles.csv]
[outbound-assumed-roles] 954 log entries found.
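A small CloudTrail parser, added here as an example (not CloudFox code), that does the same job over raw records: it keeps successful sts:AssumeRole events, reports the issuing role rather than the session ARN for AssumedRole callers, and marks hops whose destination role sits in a different account. The records and account ids are constructed; the fetch helper is a live cloudtrail:LookupEvents call over the same seven-day window the command uses.

```python
import json

# Constructed CloudTrail records (not real log data); account ids are placeholders.
SAMPLE_RECORDS = [
    {   # IAM user assuming a role inside the same account
        "eventTime": "2022-09-12T00:39:12Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/example-user"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/example-exec-role",
                              "roleSessionName": "example-session"},
    },
    {   # that role's session chaining into a different account
        "eventTime": "2022-09-12T01:02:03Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-west-2",
        "userIdentity": {
            "type": "AssumedRole", "accountId": "111111111111",
            "arn": "arn:aws:sts::111111111111:assumed-role/example-exec-role/example-session",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "accountId": "111111111111",
                "arn": "arn:aws:iam::111111111111:role/example-exec-role"}},
        },
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/partner-readonly",
                              "roleSessionName": "hop"},
    },
    {   # denied attempt: carries errorCode, so it is not a working path
        "eventTime": "2022-09-12T01:05:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-west-2", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/example-user"},
        "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/prod-admin"},
    },
    {   # unrelated STS call, ignored
        "eventTime": "2022-09-12T01:06:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity", "awsRegion": "us-west-2",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/example-user"},
    },
]


def account_of(arn):
    """The account id is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def source_principal(user_identity):
    """For AssumedRole callers report the issuing role, not the session ARN,
    so many sessions of one role collapse into a single source node."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn", "")


def outbound_assumed_roles(records):
    """Successful sts:AssumeRole calls as source -> destination edges."""
    edges = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        if "errorCode" in rec:  # failed attempts are worth alerting on, but are not paths
            continue
        source = source_principal(rec.get("userIdentity", {}))
        dest = rec.get("requestParameters", {}).get("roleArn", "")
        if not source or not dest:
            continue
        edges.append({
            "region": rec.get("awsRegion"),
            "type": rec["userIdentity"].get("type"),
            "source": source,
            "destination": dest,
            "timestamp": rec.get("eventTime"),
            "cross_account": account_of(source) != account_of(dest),
        })
    return edges


def cross_account_destinations(records):
    """Distinct foreign role ARNs that this account's principals have reached."""
    return sorted({e["destination"] for e in outbound_assumed_roles(records) if e["cross_account"]})


def load_cloudtrail_file(text):
    """CloudTrail log files delivered to S3 are {"Records": [...]} JSON."""
    return json.loads(text)["Records"]


def fetch_assume_role_records(region, days=7):
    """Live call: cloudtrail:LookupEvents filtered to AssumeRole; each Event's
    CloudTrailEvent field is the record JSON in the shape used above."""
    import boto3  # lazy import; the parsing functions run offline
    from datetime import datetime, timedelta, timezone
    client = boto3.client("cloudtrail", region_name=region)
    start = datetime.now(timezone.utc) - timedelta(days=days)
    records = []
    for page in client.get_paginator("lookup_events").paginate(
            LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": "AssumeRole"}],
            StartTime=start):
        records.extend(json.loads(e["CloudTrailEvent"]) for e in page["Events"])
    return records
```

Every cross-account edge this returns is a trust relationship that a defender should be able to name; one that nobody recognises is either a forgotten integration or an attack path, and the destination account's trust policy is where to look next.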

permissions

Enumerates all of the IAM permissions available to a principal (resource-based permissions are not included yet).

Example:

❯ cloudfox aws --profile cf-prod permissions -v2
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662946240793435000
[permissions] Enumerating IAM permissions for account 049881439828.
╭─────────┬────────────────┬────────────────────────────────────────────────────────┬─────────────┬──────────────────────────────────────────┬────────┬─────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────╮
│ Service │ Principal Type │                          Name                          │ Policy Type │               Policy Name                │ Effect │                               Action                                │                                      Resource                                       │
├─────────┼────────────────┼────────────────────────────────────────────────────────┼─────────────┼──────────────────────────────────────────┼────────┼─────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────┤
│ IAM     │ Role           │ aaronson                                               │ Managed     │ lambda-policy1                           │ Allow  │ logs:CreateLogGroup                                                 │ *                                                                                   │
│ IAM     │ Role           │ aaronson                                               │ Managed     │ lambda-policy1                           │ Allow  │ logs:CreateLogStream                                                │ *                                                                                   │
│ IAM     │ Role           │ aaronson                                               │ Managed     │ lambda-policy1                           │ Allow  │ logs:PutLogEvents                                                   │ *                                                                                   │
│ IAM     │ Role           │ adams                                                  │ Managed     │ lambda-policy2                           │ Allow  │ *                                                                   │ *                                                                                   │
│ IAM     │ Role           │ AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ Managed     │ AdministratorAccess                      │ Allow  │ *                                                                   │ *                                                                                   │
│ IAM     │ Role           │ AWSReservedSSO_interns_9b819cbe299f5da5                │ Managed     │ the_interns                              │ Allow  │ ec2:DescribeInstances                                               │ *                                                                                   │
│ IAM     │ Role           │ AWSReservedSSO_interns_9b819cbe299f5da5                │ Managed     │ the_interns                              │ Allow  │ lambda:ListFunctions                                                │ *                                                                                   │
│ IAM     │ Role           │ AWSReservedSSO_interns_9b819cbe299f5da5                │ Managed     │ the_interns                              │ Allow  │ lambda:ListFunctionUrlConfigs                                       │ *                                                                                   │
...omitted for brevity...
│ IAM     │ Role           │ lavelle                                                │ Managed     │ lambda-admin                             │ Allow  │ lambda:*                                                            │ *                                                                                   │
│ IAM     │ Role           │ lloyd                                                  │ Managed     │ cf-admin                                 │ Allow  │ cloudformation:*                                                    │ *                                                                                   │
│ IAM     │ Role           │ mckennie                                               │ Managed     │ cloudformation                           │ Allow  │ cloudformation:UpdateStack                                          │ *                                                                                   │
│ IAM     │ Role           │ mckennie                                               │ Managed     │ cloudformation                           │ Allow  │ cloudformation:DescribeStacks                                       │ *                                                                                   │
│ IAM     │ Role           │ morgan                                                 │ Managed     │ just-one-ec2                             │ Allow  │ ec2:DescribeInstanceAttributeInput                                  │ arn:aws:ec2:us-east-1:049881439828:instance/i-020e69c99ce4c7a97                     │
│ IAM     │ Role           │ not-admin                                              │ Managed     │ not-admin-access                         │ Allow  │ *                                                                   │ *                                                                                   │
│ IAM     │ Role           │ OrganizationAccountAccessRole                          │ Managed     │ AdministratorAccess                      │ Allow  │ *                                                                   │ *                                                                                   │
│ IAM     │ Role           │ press                                                  │ Managed     │ service-admin                            │ Allow  │ *                                                                   │ *                                                                                   │
│ IAM     │ Role           │ pulisic                                                │ Managed     │ privesc-ec2InstanceConnect-policy        │ Allow  │ ec2:DescribeInstances                                               │ *                                                                                   │
...omitted for brevity...
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ ecr:BatchGetImage                                                   │ *                                                                                   │
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ ecr:GetAuthorizationToken                                           │ *                                                                                   │
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ ssm:TerminateSession                                                │ *                                                                                   │
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ ec2:DescribeSnapshots                                               │ *                                                                                   │
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ logs:PutLogEvents                                                   │ *                                                                                   │
│ IAM     │ Role           │ rapinoe                                                │ Managed     │ cloudfox-ecs-role-policy                 │ Allow  │ ecr:BatchCheckLayerAvailability                                     │ *                                                                                   │
│ IAM     │ Role           │ test                                                   │ Inline      │ test_inline                              │ Allow  │ s3:ListBucket                                                       │ arn:aws:s3:::*                                                                      │
│ IAM     │ Role           │ test                                                   │ Inline      │ test_inline                              │ Allow  │ s3:ListAllMyBuckets                                                 │ *                                                                                   │
│ IAM     │ User           │ terraform-user                                         │ Managed     │ AdministratorAccess                      │ Allow  │ *                                                                   │ *                                                                                   │
╰─────────┴────────────────┴────────────────────────────────────────────────────────┴─────────────┴──────────────────────────────────────────┴────────┴─────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────╯

pmapper

Looks for pmapper data stored on the local filesystem, in the locations defined here. If pmapper data is found (meaning you already ran pmapper graph create), this command uses that data to build a graph in CloudFox memory and tells you who can privesc to admin.

Example:

❯ cloudfox aws -p cflab pmapper -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[pmapper][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[pmapper][cflab] Parsing pmapper data for account 049881439828.
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬──────────┬────────────────────╮
│                                                    Principal Arn                                                     │ IsAdmin? │ CanPrivEscToAdmin? │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼──────────┼────────────────────┤
│ arn:aws:iam::049881439828:user/pele                                                                                  │ No       │ YES                │
│ arn:aws:iam::049881439828:user/terraform-user                                                                        │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/adams                                                                                 │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO                               │ No       │ YES                │
│ arn:aws:iam::049881439828:role/dempsey                                                                               │ No       │ YES                │
│ arn:aws:iam::049881439828:role/donovan                                                                               │ No       │ YES                │
│ arn:aws:iam::049881439828:role/lavelle                                                                               │ No       │ YES                │
│ arn:aws:iam::049881439828:role/not-admin                                                                             │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole                                                         │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/press                                                                                 │ YES      │ YES                │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴──────────┴────────────────────╯
[pmapper] Output written to [cloudfox-output/aws/cflab/table/pmapper.txt]
[pmapper] Output written to [cloudfox-output/aws/cflab/csv/pmapper.csv]
[pmapper][cflab] 11 principals who are admin or have a path to admin identified.

principals

Enumerates IAM users and Roles so you have the data at your fingertips.

Example:

❯ cloudfox aws --profile cf-exec -v2 principals
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662946413386360000
[principals] Enumerating IAM Users and Roles for account 049881439828.
╭─────────┬──────┬────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Service │ Type │                          Name                          │                                                           Arn                                                            │
├─────────┼──────┼────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ IAM     │ User │ pele                                                   │ arn:aws:iam::049881439828:user/pele                                                                                      │
│ IAM     │ User │ terraform-user                                         │ arn:aws:iam::049881439828:user/terraform-user                                                                            │
│ IAM     │ Role │ aaronson                                               │ arn:aws:iam::049881439828:role/aaronson                                                                                  │
│ IAM     │ Role │ adams                                                  │ arn:aws:iam::049881439828:role/adams                                                                                     │
│ IAM     │ Role │ AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0     │
│ IAM     │ Role │ AWSReservedSSO_interns_9b819cbe299f5da5                │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                    │
│ IAM     │ Role │ AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876              │
│ IAM     │ Role │ AWSServiceRoleForAccessAnalyzer                        │ arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer            │
│ IAM     │ Role │ AWSServiceRoleForAmazonElasticFileSystem               │ arn:aws:iam::049881439828:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem │
│ IAM     │ Role │ AWSServiceRoleForAppRunner                             │ arn:aws:iam::049881439828:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner                       │
│ IAM     │ Role │ AWSServiceRoleForECS                                   │ arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS                                   │
│ IAM     │ Role │ AWSServiceRoleForElastiCache                           │ arn:aws:iam::049881439828:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache                   │
│ IAM     │ Role │ AWSServiceRoleForElasticLoadBalancing                  │ arn:aws:iam::049881439828:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing │
│ IAM     │ Role │ AWSServiceRoleForOrganizations                         │ arn:aws:iam::049881439828:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations               │
│ IAM     │ Role │ AWSServiceRoleForRDS                                   │ arn:aws:iam::049881439828:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS                                   │
│ IAM     │ Role │ AWSServiceRoleForSSO                                   │ arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO                                   │
│ IAM     │ Role │ AWSServiceRoleForSupport                               │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                           │
│ IAM     │ Role │ AWSServiceRoleForTrustedAdvisor                        │ arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor             │
│ IAM     │ Role │ CloudFox-exec-role                                     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                        │
│ IAM     │ Role │ dempsey                                                │ arn:aws:iam::049881439828:role/dempsey                                                                                   │
│ IAM     │ Role │ donovan                                                │ arn:aws:iam::049881439828:role/donovan                                                                                   │
│ IAM     │ Role │ lavelle                                                │ arn:aws:iam::049881439828:role/lavelle                                                                                   │
│ IAM     │ Role │ lloyd                                                  │ arn:aws:iam::049881439828:role/lloyd                                                                                     │
│ IAM     │ Role │ mckennie                                               │ arn:aws:iam::049881439828:role/mckennie                                                                                  │
│ IAM     │ Role │ morgan                                                 │ arn:aws:iam::049881439828:role/morgan                                                                                    │
│ IAM     │ Role │ not-admin                                              │ arn:aws:iam::049881439828:role/not-admin                                                                                 │
│ IAM     │ Role │ OrganizationAccountAccessRole                          │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole                                                             │
│ IAM     │ Role │ press                                                  │ arn:aws:iam::049881439828:role/press                                                                                     │
│ IAM     │ Role │ pulisic                                                │ arn:aws:iam::049881439828:role/pulisic                                                                                   │
│ IAM     │ Role │ rapinoe                                                │ arn:aws:iam::049881439828:role/rapinoe                                                                                   │
│ IAM     │ Role │ test                                                   │ arn:aws:iam::049881439828:role/test                                                                                      │
╰─────────┴──────┴────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
[principals] Output written to [cloudfox-output/aws/cf-exec/table/principals.txt]
[principals] Output written to [cloudfox-output/aws/cf-exec/csv/principals.csv]
[principals] 31 IAM principals found.

ram

List all resources in this account that are shared with other accounts, or resources from other accounts that are shared with this account. Useful for cross-account attack paths.

Example:

❯ cloudfox aws --profile cflab -v2 ram
[🦊 cloudfox v1.8.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[ram][cflab] Enumerating shared resources for account 049881439828.
[ram] Status: 21/21 regions complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬────────────┬───────────────────┬──────────────┬─────────────────────────────────────────────────────╮
│ Service │  Region   │ Share Name │       Type        │    Owner     │                     Share Type                      │
├─────────┼───────────┼────────────┼───────────────────┼──────────────┼─────────────────────────────────────────────────────┤
│ RAM     │ us-east-1 │ ram_test   │ ec2:Subnet        │ 289507344597 │ Inbound share (Another account shared this with me) │
│ RAM     │ us-east-1 │ ram_test   │ codebuild:Project │ 289507344597 │ Inbound share (Another account shared this with me) │
╰─────────┴───────────┴────────────┴───────────────────┴──────────────┴─────────────────────────────────────────────────────╯
[ram] Output written to [cloudfox-output/aws/cflab/table/ram.txt]
[ram] Output written to [cloudfox-output/aws/cflab/csv/ram.csv]
[ram][cflab] 2 resources found.

role-trusts

This command produces three tables: one for roles that trust one or more principals, one for roles that trust an AWS service, and one for roles that trust a federated identity. A role can appear in more than one table, because a single role can trust more than one of these kinds of entity.

Use this data to search IAM role trust policies for trusts to a specific principal or an AWS account. This is particularly useful when assessing privilege escalation paths through assume role actions. In most cases, the assuming principal will also need the "sts:AssumeRole" permission; however, if the trusted principal is specifically named in the trust policy and belongs to the same account as the trusting role, the trusted principal does not need the "sts:AssumeRole" permission.
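The pmapper and role-trusts commands both rest on the same two steps: read each role's trust policy to find who can assume it, then walk the resulting "can assume" edges to see who ends up at an admin principal. The following is an added example, not CloudFox or pmapper code, that does both on constructed sample trust policies. The account IDs, ARNs, the ExternalId value and the ADMINS set are placeholders; a real run would take the admin set from pmapper or the permissions command. It also records, per the same-account caveat above, which trusts still need an sts:AssumeRole grant on the principal's own side.

```python
"""Trust-policy triage plus pmapper-style reachability. Added example, not
CloudFox or pmapper code: on constructed data it reproduces what the role-trusts
tables show (trusted principal / service / federated provider, ExternalID) and
what the pmapper graph answers (IsAdmin? / CanPrivEscToAdmin?). Account IDs,
ARNs, the ExternalId value and ADMINS are placeholders."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ACCOUNT = "111111111111"        # placeholder: the assessed account
OTHER_ACCOUNT = "222222222222"  # placeholder: a foreign account

def arn(kind: str, name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:{kind}/{name}"

def stmt(principal: dict, action, condition: Optional[dict] = None) -> dict:
    s = {"Effect": "Allow", "Principal": principal, "Action": action}
    return {**s, "Condition": condition} if condition else s

# Constructed trust policies keyed by role ARN; user/pele -> morgan -> not-admin
# is the transitive chain the graph walk is meant to surface.
TRUST_POLICIES: Dict[str, dict] = {
    arn("role", "morgan"): {"Statement": [stmt({"AWS": arn("user", "pele")}, "sts:AssumeRole")]},
    arn("role", "not-admin"): {"Statement": [stmt({"AWS": [arn("role", "morgan")]}, ["sts:AssumeRole"])]},
    arn("role", "OrganizationAccountAccessRole"): {"Statement": [
        stmt({"AWS": f"arn:aws:iam::{OTHER_ACCOUNT}:root"}, "sts:AssumeRole")]},
    arn("role", "CloudFox-exec-role"): {"Statement": [
        stmt({"AWS": arn("user", "security")}, "sts:AssumeRole",
             {"StringEquals": {"sts:ExternalId": "example-external-id"}})]},
    arn("role", "press"): {"Statement": [stmt({"Service": "ec2.amazonaws.com"}, "sts:AssumeRole")]},
    arn("role", "AWSReservedSSO_Admin_example"): {"Statement": [
        stmt({"Federated": f"arn:aws:iam::{ACCOUNT}:saml-provider/AWSSSO_example"},
             ["sts:AssumeRoleWithSAML", "sts:TagSession"])]},
}
# Which roles are admin comes from pmapper or the permissions command; constructed here.
ADMINS: Set[str] = {arn("role", "not-admin"), arn("role", "press"),
                    arn("role", "OrganizationAccountAccessRole"), arn("role", "AWSReservedSSO_Admin_example")}
ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithsaml", "sts:assumerolewithwebidentity", "sts:*", "*"}

@dataclass(frozen=True)
class Trust:
    role: str
    kind: str                              # "AWS" (principal), "Service" or "Federated"
    trusted: str
    external_id: str                       # "" when there is no sts:ExternalId condition
    needs_identity_policy: Optional[bool]  # None for Service / Federated trusts

def _as_list(v) -> list:
    return [] if v is None else v if isinstance(v, list) else [v]

def classify_trusts(role: str, policy: dict) -> List[Trust]:
    """One record per trusted entity, mirroring the three role-trusts tables."""
    out: List[Trust] = []
    for s in _as_list(policy.get("Statement")):
        if s.get("Effect") != "Allow":
            continue
        if not any(a.lower() in ASSUME_ACTIONS for a in _as_list(s.get("Action"))):
            continue
        principal = s.get("Principal", {})
        if principal == "*":  # anonymous trust: any principal may attempt the assume
            principal = {"AWS": "*"}
        ext_id = ""
        for ops in s.get("Condition", {}).values():
            for key, val in ops.items():
                if key.lower() == "sts:externalid":
                    ext_id = ",".join(_as_list(val))
        for kind in ("AWS", "Service", "Federated"):
            for p in _as_list(principal.get(kind)):
                needs = None
                if kind == "AWS":
                    # A named user/role in the same account is admitted by the trust policy
                    # alone; root, "*" and cross-account principals must also hold
                    # sts:AssumeRole in their own identity-based policy.
                    named = p != "*" and not p.endswith(":root")
                    needs = not (named and p.split(":")[4] == role.split(":")[4])
                out.append(Trust(role, kind, p, ext_id, needs))
    return out

def build_graph(trusts: List[Trust]) -> Dict[str, Set[str]]:
    """Edges 'principal X can assume role R'; service/federated trusts are not walked."""
    edges: Dict[str, Set[str]] = {}
    for t in trusts:
        if t.kind == "AWS":
            edges.setdefault(t.trusted, set()).add(t.role)
    return edges

def can_reach_admin(start: str, edges: Dict[str, Set[str]], admins: Set[str]) -> bool:
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in admins:
            return True
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def privesc_report(policies: Dict[str, dict], admins: Set[str]) -> Dict[str, tuple]:
    """{principal_arn: (IsAdmin?, CanPrivEscToAdmin?)} for every node of the graph."""
    trusts = [t for r, p in policies.items() for t in classify_trusts(r, p)]
    edges = build_graph(trusts)
    return {n: (n in admins, can_reach_admin(n, edges, admins)) for n in sorted(set(policies) | set(edges))}

if __name__ == "__main__":
    for principal, flags in privesc_report(TRUST_POLICIES, ADMINS).items():
        print(principal, "IsAdmin=%s CanPrivEscToAdmin=%s" % flags)
```

On the constructed data, user/pele is not admin but reaches not-admin through morgan (No / YES, like the pele row in the pmapper table), the foreign account root reaches OrganizationAccountAccessRole, and user/security ends at CloudFox-exec-role with no path onward. Service and federated trusts are listed but not walked, since the entity on the other side is not an IAM principal of the account; the same applies to the IsAdmin columns for those rows in CloudFox, which describe the role, not the trusted service.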

Example:

❯ cloudfox aws -p cflab role-trusts -v2
[🦊 cloudfox v1.9.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[role-trusts][cflab] Enumerating role trusts for account 049881439828.
[role-trusts][cflab] Looking for pmapper data for this account and building a PrivEsc graph in golang if it exists.
[role-trusts][cflab] Found pmapper data for this account. Using it for role analysis
╭──────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────┬────────────┬──────────┬────────────────────╮
│                             Role                             │                                  Trusted Principal                                  │ ExternalID │ IsAdmin? │ CanPrivEscToAdmin? │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────┼────────────┼──────────┼────────────────────┤
│ arn:aws:iam::049881439828:role/morgan                        │ arn:aws:iam::049881439828:user/pele                                                 │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/not-admin                     │ arn:aws:iam::049881439828:user/pele                                                 │            │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/CloudFox-exec-role            │ arn:aws:iam::049881439828:user/security                                             │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/dempsey                       │ arn:aws:iam::049881439828:user/terraform-user                                       │            │ No       │ YES                │
│ arn:aws:iam::049881439828:role/donovan                       │ arn:aws:iam::049881439828:user/terraform-user                                       │            │ No       │ YES                │
│ arn:aws:iam::049881439828:role/mckennie                      │ arn:aws:iam::049881439828:user/terraform-user                                       │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/pulisic                       │ arn:aws:iam::049881439828:user/terraform-user                                       │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ arn:aws:iam::289507344597:root                                                      │            │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/test                          │ arn:aws:sts::049881439828:assumed-role/AWSReservedSSO_interns_9b819cbe299f5da5/seth │            │ No       │ No                 │
╰──────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────┴────────────┴──────────┴────────────────────╯
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-principals.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-principals.csv]
[role-trusts][cflab] 9 role trusts found.
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────────┬────────────┬──────────┬────────────────────╮
│                                                           Role                                                           │          Trusted Service           │ ExternalID │ IsAdmin? │ CanPrivEscToAdmin? │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────┼────────────┼──────────┼────────────────────┤
│ arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer            │ access-analyzer.amazonaws.com      │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner                       │ apprunner.amazonaws.com            │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/lloyd                                                                                     │ cloudformation.amazonaws.com       │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/press                                                                                     │ ec2.amazonaws.com                  │            │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/imdvs2-challenge-role                                                                     │ ec2.amazonaws.com                  │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/rapinoe                                                                                   │ ecs-tasks.amazonaws.com            │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS                                   │ ecs.amazonaws.com                  │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache                   │ elasticache.amazonaws.com          │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/elasticfilesystem.amazonaws.com/AWSServiceRoleForAmazonElasticFileSystem │ elasticfilesystem.amazonaws.com    │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing │ elasticloadbalancing.amazonaws.com │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aaronson                                                                                  │ lambda.amazonaws.com               │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/adams                                                                                     │ lambda.amazonaws.com               │            │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/lavelle                                                                                   │ lambda.amazonaws.com               │            │ No       │ YES                │
│ arn:aws:iam::049881439828:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations               │ organizations.amazonaws.com        │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS                                   │ rds.amazonaws.com                  │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO                                   │ sso.amazonaws.com                  │            │ No       │ YES                │
│ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                           │ support.amazonaws.com              │            │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor             │ trustedadvisor.amazonaws.com       │            │ No       │ No                 │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────────┴────────────┴──────────┴────────────────────╯
[role-trusts] Output written to [cloudfox-output/aws/cflab/table/role-trusts-services.txt]
[role-trusts] Output written to [cloudfox-output/aws/cflab/csv/role-trusts-services.csv]
[role-trusts][cflab] 18 role trusts found.
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────┬─────────────────┬──────────┬────────────────────╮
│                                                         Role                                                         │                                    Trusted Provider                                     │ Trusted Subject │ IsAdmin? │ CanPrivEscToAdmin? │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────┼─────────────────┼──────────┼────────────────────┤
│ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ AWS SSO (arn:aws:iam::049881439828:saml-provider/AWSSSO_6cc8120b9b76e4be_DO_NOT_DELETE) │ Not applicable  │ YES      │ YES                │
│ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ AWS SSO (arn:aws:iam::049881439828:saml-provider/AWSSSO_6cc8120b9b76e4be_DO_NOT_DELETE) │ Not applicable  │ No       │ No                 │
│ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ AWS SSO (arn:aws:iam::049881439828:saml-provider/AWSSSO_6cc8120b9b76e4be_DO_NOT_DELETE) │ Not applicable  │ No       │ No                 │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────┴─────────────────┴──────────┴────────────────────╯

route53

This command lists the DNS records for all public and private zones managed by Route53. Use this for application and service enumeration.

Example:

❯ cloudfox aws --profile default route53  -v2
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::111111111111:user/seth
[route53] Enumerating Route53 for account 111111111111.

 Service   Name                    Type   Value                                                                             PrivateZone
--------- ----------------------- ------ --------------------------------------------------------------------------------- -------------
 Route53   test2.internal.         NS     ns-1536.awsdns-00.co.uk.                                                          True
 Route53   test2.internal.         NS     ns-0.awsdns-00.com.                                                               True
 Route53   test2.internal.         NS     ns-1024.awsdns-00.org.                                                            True
 Route53   test2.internal.         NS     ns-512.awsdns-00.net.                                                             True
 Route53   test2.internal.         SOA    ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400   True
 Route53   host1.test2.internal.   A      192.168.0.1                                                                       True
 Route53   host2.test2.internal.   A      8.8.8.8                                                                           True
 Route53   test1.internal.         NS     ns-1536.awsdns-00.co.uk.                                                          True
 Route53   test1.internal.         NS     ns-0.awsdns-00.com.                                                               True
 Route53   test1.internal.         NS     ns-1024.awsdns-00.org.                                                            True
 Route53   test1.internal.         NS     ns-512.awsdns-00.net.                                                             True
 Route53   test1.internal.         SOA    ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400   True
 Route53   host1.test1.internal.   A      10.0.0.1                                                                          True
 Route53   host2.test1.internal.   A      10.0.0.2                                                                          True

[route53] Output written to [cloudfox-output/aws/default/table/route53.txt]
[route53] Loot written to [cloudfox-output/aws/default/loot/route53-A-records-public-Zones.txt]
[route53] Loot written to [cloudfox-output/aws/default/loot/route53-A-records-private-Zones.txt]
[route53] 14 DNS records found.

Secrets

This command lists secrets from SecretsManager and SSM. Look for interesting secrets in the list and then see who has access to them.
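The "see who has access to them" step is an access review over the permissions output. The following is an added example, not CloudFox code: given rows shaped like the permissions table (principal, effect, action, resource) and a secret ARN as reported by the secrets command, it lists the principals whose identity-based policies grant the read action, honouring IAM wildcard matching and explicit Deny. All rows and ARNs are constructed, and resource policies, SCPs, permission boundaries and Condition blocks are not modelled.

```python
"""Who can read a given secret? Added example, not CloudFox code. Takes rows
shaped like the permissions table plus a secret ARN from the secrets table and
returns the principals whose identity-based policies grant a read action, using
IAM-style wildcard matching and explicit Deny. Rows and ARNs are constructed;
resource policies, SCPs, permission boundaries and Conditions are out of scope."""
import re
from typing import List, Tuple

Row = Tuple[str, str, str, str]  # (principal, effect, action, resource)
ACCOUNT = "111111111111"          # placeholder account id

PERMISSIONS: List[Row] = [  # constructed, in the shape of the permissions table
    ("user/terraform-user", "Allow", "*", "*"),
    ("role/rapinoe", "Allow", "secretsmanager:GetSecretValue",
     f"arn:aws:secretsmanager:us-west-2:{ACCOUNT}:secret:database-*"),
    ("role/rapinoe", "Allow", "ssm:GetParameter*", f"arn:aws:ssm:us-west-2:{ACCOUNT}:parameter/production/*"),
    ("role/test", "Allow", "secretsmanager:Describe*", "*"),  # metadata only, never the value
    ("role/lavelle", "Allow", "secretsmanager:*", "*"),
    ("role/lavelle", "Deny", "secretsmanager:GetSecretValue",
     f"arn:aws:secretsmanager:us-west-2:{ACCOUNT}:secret:app-*"),
]

# Actions that return the secret material itself, per service.
READ_ACTIONS = {
    "secretsmanager": ["secretsmanager:GetSecretValue"],
    "ssm": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
}

def iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM policy glob: '*' is any run of characters, '?' exactly one character.
    Unlike fnmatch there are no character classes, so '[' is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def who_can_read(secret_arn: str, rows: List[Row]) -> List[str]:
    """Principals with an effective Allow for at least one read action on the secret."""
    service = secret_arn.split(":")[2]  # arn:aws:<service>:region:account:...
    readers = set()
    for action in READ_ACTIONS[service]:
        # Action names match case-insensitively, resource ARNs case-sensitively.
        hits = [(p, eff) for p, eff, act, res in rows
                if iam_match(act, action, ignore_case=True) and iam_match(res, secret_arn)]
        allowed = {p for p, eff in hits if eff == "Allow"}
        denied = {p for p, eff in hits if eff == "Deny"}  # an explicit Deny always wins
        readers |= allowed - denied
    return sorted(readers)

if __name__ == "__main__":
    for secret in (f"arn:aws:secretsmanager:us-west-2:{ACCOUNT}:secret:database-secret-AbCdEf",
                   f"arn:aws:secretsmanager:us-west-2:{ACCOUNT}:secret:app-secret-XyZ123",
                   f"arn:aws:ssm:us-west-2:{ACCOUNT}:parameter/production/database/password"):
        print(secret, "->", who_can_read(secret, PERMISSIONS))
```

The random suffix SecretsManager appends to a secret ARN (the "-AbCdEf" part, constructed here) is why policies are usually written with a trailing wildcard, and why a resource pattern like database-* matches the real ARN while app-* does not. Note that role/test, which can only Describe secrets, never appears as a reader.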

Example:

❯ cloudfox aws --profile cf-exec -v2 secrets
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662946619726857000
[secrets] Enumerating secrets for account 049881439828.
[secrets] Supported Services: SecretsManager, SSM Parameters
[secrets] Status: 21/21 regions complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────────┬───────────┬───────────────────────────────┬───────────────────────────────────────────────────────────────╮
│    Service     │  Region   │             Name              │                          Description                          │
├────────────────┼───────────┼───────────────────────────────┼───────────────────────────────────────────────────────────────┤
│ SecretsManager │ us-west-2 │ database-secret               │                                                               │
│ SecretsManager │ us-west-2 │ app-secret                    │                                                               │
│ SecretsManager │ us-west-2 │ iam-vulnerable                │ Super strong password that nobody would ever be able to guess │
│ SSM            │ us-west-2 │ /production/database/password │                                                               │
│ SSM            │ us-west-2 │ /production/database/username │                                                               │
│ SSM            │ us-west-2 │ /staging/database/password    │                                                               │
│ SSM            │ us-west-2 │ /staging/database/user        │                                                               │
╰────────────────┴───────────┴───────────────────────────────┴───────────────────────────────────────────────────────────────╯
[secrets] Output written to [cloudfox-output/aws/cf-exec/table/secrets.txt]
[secrets] Output written to [cloudfox-output/aws/cf-exec/csv/secrets.csv]
[secrets] Loot written to [cloudfox-output/aws/cf-exec/loot/pull-secrets-commands.txt]
[secrets] 7 secrets found.

tags

Lists all resources with tags and all of their tags. This can be used, similarly to inventory, as another method to identify what types of resources exist in an account.

Example:

❯ cloudfox aws --profile cflab -v2 tags
[🦊 cloudfox v1.8.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/seth
[tags][cflab] Enumerating tags for account 049881439828.
[tags] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭──────────────────────┬───────────┬─────────────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│       Service        │  Region   │          Type           │              Key              │                                                        Value                                                         │
├──────────────────────┼───────────┼─────────────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ ec2                  │ us-west-2 │ subnet                  │ Name                          │ cloudfox Operational Subnet 2                                                                                        │
│ ec2                  │ us-west-2 │ route-table             │ Name                          │ cloudfox Public Route Table                                                                                          │
│ ec2                  │ us-west-2 │ security-group          │ Name                          │ allow_ssh_from_world                                                                                                 │
│ ec2                  │ us-west-2 │ instance                │ Name                          │ instance2                                                                                                            │
│ ec2                  │ us-west-2 │ instance                │ Name                          │ instance3                                                                                                            │
│ ec2                  │ us-west-2 │ instance                │ aws:cloudformation:stack-name │ token                                                                                                                │
... omitted for brevity...
│ secretsmanager       │ us-west-2 │ secret                  │ Name                          │ App Secret                                                                                                           │
│ secretsmanager       │ us-west-2 │ secret                  │ aws:cloudformation:stack-id   │ arn:aws:cloudformation:us-west-2:049881439828:stack/privesc-cloudformationStack/24092300-4a49-11ed-a9d0-0666e24333c1 │
│ secretsmanager       │ us-west-2 │ secret                  │ aws:cloudformation:logical-id │ Secret1                                                                                                              │
│ secretsmanager       │ us-west-2 │ secret                  │ Name                          │ Database Secret                                                                                                      │
│ secretsmanager       │ us-west-2 │ secret                  │ aws:cloudformation:stack-name │ privesc-cloudformationStack                                                                                          │
│ secretsmanager       │ us-west-2 │ secret                  │ Name                          │ scenario1 Secret                                                                                                     │
│ sqs                  │ us-west-2 │ terraform-example-queue │ Environment                   │ production                                                                                                           │
╰──────────────────────┴───────────┴─────────────────────────┴───────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
[tags] Output written to [cloudfox-output/aws/cflab/table/tags.txt]
[tags] Output written to [cloudfox-output/aws/cflab/csv/tags.csv]
[tags][cflab] 39 tags found.
[tags][cflab] 26 unique resources with tags found.
