AWS Commands

Seth Art edited this page Sep 12, 2022 · 31 revisions
Command name and description:

all-checks
    Run all of the other commands with sane defaults. An homage to PowerView's Invoke-AllChecks.
access-keys
    Lists active access keys for all users. Useful for cross-referencing a key you found with the in-scope account it belongs to.
buckets
    Lists the buckets in the account and gives you handy commands for inspecting them further.
    📋 Loot: Use the commands in the loot file to list and/or download each bucket recursively as needed.
ecr
    Lists the most recently pushed image URI from all repositories.
    📋 Loot: Use the commands in the loot file to pull selected images down for inspection.
endpoints
    Enumerates endpoints from various services. Scan these endpoints from both an internal and an external position to look for things that don't require authentication, are misconfigured, etc.
    📋 Loot: Use the data in the loot file as input for your application enumeration tools like Aquatone/Gowitness, gobuster, etc.
env-vars
    Grabs the environment variables from services that have them (App Runner, ECS, Lambda, Lightsail containers, and SageMaker are supported). If you find a sensitive secret, use cloudfox iam-simulator AND pmapper to see who has access to it.
filesystems
    Enumerates the EFS and FSx filesystems that you might be able to mount without creds (if you have the right network access). For example, this is useful when you have ec2:RunInstances but not iam:PassRole.
    📋 Loot: Use the loot file to mount the identified filesystems if you have network access.
iam-simulator
    Like pmapper, but uses the IAM policy simulator. It uses AWS's evaluation logic, but notably, it doesn't consider transitive access via privesc, which is why you should always also use pmapper.
    📋 Loot: The loot file gives you a list of useful pmapper commands.
instances
    Enumerates useful information for EC2 instances in all regions, like name, public/private IPs, and instance profiles.
    📋 Loot: Use the data in the loot file as input for nmap and other service enumeration tools.
    📋 Loot: Generates an additional loot file with the userdata script attached to every EC2 instance.
inventory
    Gain a rough understanding of the size of the account and its preferred regions.
outbound-assumed-roles
    Lists the roles that have been assumed by principals in this account. This is an excellent way to find outbound attack paths that lead into other accounts.
permissions
    Lists every IAM policy permission a principal has. (Currently does not include permissions granted via resource policies.)
principals
    Enumerates IAM users and roles so you have the data at your fingertips.
role-trusts
    Enumerates IAM role trust policies so you can look for overly permissive role trusts or find roles that trust a specific service.
route53
    Enumerates all records from all route53 managed zones. Use this for application and service enumeration.
    📋 Loot: Use the data in the loot file as input for nmap and other service enumeration tools.
secrets
    Lists secrets from SecretsManager and SSM. Look for interesting secrets in the list and then see who has access to them using cloudfox iam-simulator and/or pmapper.

Before you can use the AWS commands, you need to:

  1. Install AWS CLI
  2. Configure the client with your AWS API Key. It's worth noting that the API Key's owner must have read access to the AWS account.
# aws configure --profile readonly
AWS Access Key ID [None]: AKIA-[REDACTED]
AWS Secret Access Key [None]: c9gnnAG-[REDACTED]
Default region name [None]: us-east-1
Default output format [None]: json

To list AWS commands:

# ./cloudfox aws -h

For help with each command:

./cloudfox aws [command_name] -h

All Checks

This command runs all other commands. All CloudFox commands are read-only and will not cause any state change operations.

./cloudfox aws --profile cf-exec all-checks
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[🦊 cloudfox 🦊 ] Getting a lay of the land, aka "What regions is this account using?"
[inventory] Enumerating selected services in all regions for account 049881439828.
[inventory] Supported Services: ApiGateway, ApiGatewayv2, AppRunner, CloudFormation, Cloudfront, EC2, EKS,
[inventory] 			ELB, ELBv2, Grafana, IAM, Lambda, Lightsail, MQ, OpenSearch, RDS, S3, SecretsManager, SSM
[inventory] Status: 336/336 tasks complete (86 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[inventory] Output written to [cloudfox-output/aws/cf-prod/table/inventory.txt]
[inventory-global] Output written to [cloudfox-output/aws/cf-prod/table/inventory-global.txt]
[inventory] 68 resources enumerated in the services we looked at. This is NOT the total number of resources in the account.
[🦊 cloudfox 🦊 ] Gathering the info you'll want for your application & service enumeration needs.
[instances] Enumerating EC2 instances in all regions for account 049881439828
[instances] Status: 21/21 tasks complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[instances] Output written to [cloudfox-output/aws/cf-prod/table/instances.txt]
[instances] Loot written to [cloudfox-output/aws/cf-prod/loot/instances-ec2PrivateIPs.txt]
[instances] Loot written to [cloudfox-output/aws/cf-prod/loot/instances-ec2PublicIPs.txt]
[instances] 7 instances found.
[route53] Enumerating Route53 for account 049881439828.
[route53] No DNS records found, skipping the creation of an output file.
[filesystems] Enumerating filesystems for account 049881439828.
[filesystems] Supported Services: EFS, FSx
[filesystems] Status: 0/0 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[filesystems] No filesystems found, skipping the creation of an output file.
[endpoints] Enumerating endpoints for account 049881439828.
[endpoints] Supported Services: App Runner, APIGateway, ApiGatewayV2, Cloudfront, EKS, ELB, ELBv2, Grafana,
[endpoints] 			Lambda, MQ, OpenSearch, Redshift, RDS
[endpoints] Status: 274/274 tasks complete (68 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[endpoints] Output written to [cloudfox-output/aws/cf-prod/table/endpoints.txt]
[endpoints] Loot written to [cloudfox-output/aws/cf-prod/loot/endpoints-UrlsOnly.txt]
[endpoints] 5 endpoints enumerated.
[🦊 cloudfox 🦊 ] Looking for secrets hidden between the seat cushions.
[instances] Enumerating EC2 instances in all regions for account 049881439828
[instances] Status: 21/21 tasks complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[instance-userdata] Loot written to [cloudfox-output/aws/cf-prod/loot/instance-userdata.txt]
[env-vars] Enumerating environment variables in all regions for account 049881439828.
[env-vars] Supported Services: App Runner, Elastic Container Service, Lambda, Lightsail Containers, Sagemaker
[env-vars] Status: 105/105 tasks complete (48 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[env-vars] Output written to [cloudfox-output/aws/cf-prod/table/env-vars.txt]
[env-vars] 5 environment variables found.
[🦊 cloudfox 🦊 ] Arming you with the data you'll need for privesc quests.
[buckets] Enumerating buckets for account 049881439828.
[buckets] Status: 1/1 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[buckets] Output written to [cloudfox-output/aws/cf-prod/table/buckets.txt]
[buckets] Loot written to [cloudfox-output/aws/cf-prod/loot/bucket-commands.txt]
[buckets] 3 buckets found.
[ecr] Enumerating container repositories for account 049881439828.
[ecr] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[ecr] No repositories found, skipping the creation of an output file.
[secrets] Enumerating secrets for account 049881439828.
[secrets] Supported Services: SecretsManager, SSM Parameters
[secrets] Status: 21/21 regions complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[secrets] Output written to [cloudfox-output/aws/cf-prod/table/secrets.txt]
[secrets] 7 secrets found.
[🦊 cloudfox 🦊 ] IAM is complicated. Complicated usually means misconfigurations. You'll want to pay attention here.
[principals] Enumerating IAM Users and Roles for account 049881439828.
[principals] Output written to [cloudfox-output/aws/cf-prod/table/principals.txt]
[principals] 36 IAM principals found.
[permissions] Enumerating IAM permissions for account 049881439828.
[permissions] Output written to [cloudfox-output/aws/cf-prod/table/permissions.txt]
[permissions] 3058 unique permissions identified.
[access-keys] Mapping user access keys for account: 049881439828.
[access-keys] Only active access keys are shown.
[access-keys] Output written to [cloudfox-output/aws/cf-prod/table/access-keys.txt]
[access-keys] Loot written to [cloudfox-output/aws/cf-prod/loot/access-keys.txt]
[access-keys] 5 access keys found.
[role-trusts] Enumerating role trusts for account 049881439828.
[role-trusts-principals] Output written to [cloudfox-output/aws/cf-prod/table/role-trusts-principals.txt]
[role-trusts-principals] 9 role trusts found.
[role-trusts-services] Output written to [cloudfox-output/aws/cf-prod/table/role-trusts-services.txt]
[role-trusts-services] 19 role trusts found.
[iam-simulator] Running multiple iam-simulator queries for account 049881439828. (This command can be pretty slow, FYI)
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/table/iam-simulator.txt]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-prod/loot/iam-simulator-pmapper-commands.txt]
[🦊 cloudfox 🦊 ] That's it! Check your output files for situational awareness and check your loot files for next steps.
[🦊 cloudfox 🦊 ] FYI, we skipped the outbound-assumed-roles command in all-checks (really long run time). Make sure to try it out manually.
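The read-only claim above is something a defender (or the assessor's own report) can verify from CloudTrail rather than take on trust: every CloudTrail record carries a readOnly attribute, and the userIdentity.arn is the same value cloudfox prints as "AWS Caller Identity". The following is an added example, not CloudFox code; the principal ARN, account id and log records are constructed for the illustration, and it reads the {"Records": [...]} layout that CloudTrail log files use.

```python
import json
from collections import Counter

# Constructed principal, in the assumed-role form CloudTrail (and cloudfox's
# caller identity line) uses for a role session. Not a real account.
AUDITOR_ARN = "arn:aws:sts::123456789012:assumed-role/ReadOnlyAudit/audit-session"

# Constructed sample CloudTrail log file (not real log data). Only the fields
# this check reads are present; "readOnly" is the CloudTrail attribute that
# marks a call as non-mutating, and one record deliberately lacks it.
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2022-09-12T10:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"arn": AUDITOR_ARN}},
    {"eventTime": "2022-09-12T10:00:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "readOnly": True,
     "userIdentity": {"arn": AUDITOR_ARN}},
    {"eventTime": "2022-09-12T10:00:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SimulatePrincipalPolicy", "readOnly": True,
     "userIdentity": {"arn": AUDITOR_ARN}},
    {"eventTime": "2022-09-12T10:00:04Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/someone-else"}},
    {"eventTime": "2022-09-12T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "readOnly": False,
     "userIdentity": {"arn": AUDITOR_ARN}},
    {"eventTime": "2022-09-12T10:00:06Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": AUDITOR_ARN}},
]})


def parse_cloudtrail(text):
    """Return the record list from a CloudTrail log file body."""
    return json.loads(text)["Records"]


def audit_principal_activity(records, principal_arn):
    """Split one principal's API calls into read-only, mutating and unclassified.

    read_only   : Counter of eventSource -> number of readOnly=True calls
    mutating    : (eventTime, eventSource, eventName) for readOnly=False calls
    unclassified: records with no readOnly attribute; look these up by hand
    """
    read_only = Counter()
    mutating = []
    unclassified = []
    for rec in records:
        if rec.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        key = (rec["eventTime"], rec["eventSource"], rec["eventName"])
        flag = rec.get("readOnly")
        if flag is True:
            read_only[rec["eventSource"]] += 1
        elif flag is False:
            mutating.append(key)
        else:
            unclassified.append(key)
    return {"read_only": read_only, "mutating": mutating, "unclassified": unclassified}


if __name__ == "__main__":
    report = audit_principal_activity(parse_cloudtrail(SAMPLE_CLOUDTRAIL_JSON), AUDITOR_ARN)
    for service, count in sorted(report["read_only"].items()):
        print(f"read-only  {service:<28} {count}")
    for when, service, event in report["mutating"]:
        print(f"MUTATING   {when} {service} {event}")
    for when, service, event in report["unclassified"]:
        print(f"unclassified {when} {service} {event} (no readOnly attribute)")
```

Run against a real trail, any entry in "mutating" for the assessment principal is a finding in itself, since nothing cloudfox does should produce one; records in "unclassified" are not evidence of a state change, only calls the attribute did not cover.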

access-keys

This command maps all active access key IDs for all users in an AWS account. This is useful if you want to search for specific access keys in files, or if you have found an access key and want to find out which user it belongs to.

Example 1: maps all active access keys for all users in the account

❯ cloudfox aws --profile cf-exec -v2 access-keys
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942186266844000
[access-keys] Mapping user access keys for account: 049881439828.
[access-keys] Only active access keys are shown.
╭────────────────┬──────────────────────╮
│   User Name    │    Access Key ID     │
├────────────────┼──────────────────────┤
│ pele           │ AKIAQXHJKLZKIJ6QPJFK │
│ terraform-user │ AKIAQXHJKLZKG2U6MIFF │
╰────────────────┴──────────────────────╯
[access-keys] Output written to [cloudfox-output/aws/cf-exec/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cf-exec/csv/access-keys.csv]
[access-keys] Loot written to [cloudfox-output/aws/cf-exec/loot/access-keys.txt]
[access-keys] 2 access keys found.

Example 2: look up a specific access key

❯ cloudfox aws --profile cf-exec -v2 access-keys --filter AKIAQXHJKLZKIJ6QPJFK
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942670815294000
[access-keys] Mapping user access keys for account: 049881439828.
[access-keys] Only active access keys are shown.
╭───────────┬──────────────────────╮
│ User Name │    Access Key ID     │
├───────────┼──────────────────────┤
│ pele      │ AKIAQXHJKLZKIJ6QPJFK │
╰───────────┴──────────────────────╯
[access-keys] Output written to [cloudfox-output/aws/cf-exec/table/access-keys.txt]
[access-keys] Output written to [cloudfox-output/aws/cf-exec/csv/access-keys.csv]
[access-keys] Loot written to [cloudfox-output/aws/cf-exec/loot/access-keys.txt]
[access-keys] 1 access keys found.
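The mapping the two examples above produce comes from two IAM API calls, ListUsers and ListAccessKeys, filtered to Status "Active". The following added example (not CloudFox code) rebuilds that mapping over constructed sample data in the shape of those API responses, adds the --filter behaviour, and covers the other use the description mentions, cross-referencing key IDs found in a file. User names, key IDs and the file snippet are made up; map_with_boto3 is an assumed wrapper for doing the same against a live account and needs boto3 and a configured profile.

```python
import re

# Constructed sample in the shape of the IAM API responses:
# ListUsers -> "Users" records, ListAccessKeys -> "AccessKeyMetadata" per user.
SAMPLE_USERS = [{"UserName": "pele"}, {"UserName": "terraform-user"}, {"UserName": "dormant"}]
SAMPLE_ACCESS_KEYS = {
    "pele": [{"AccessKeyId": "AKIAEXAMPLEKEY000001", "Status": "Active"}],
    "terraform-user": [
        {"AccessKeyId": "AKIAEXAMPLEKEY000002", "Status": "Active"},
        {"AccessKeyId": "AKIAEXAMPLEKEY000003", "Status": "Inactive"},
    ],
    "dormant": [],
}

# Constructed snippet of a config file recovered during an assessment.
SAMPLE_FOUND_TEXT = """# constructed, not a real file
aws_access_key_id = AKIAEXAMPLEKEY000001
# an old key that no longer maps to anyone here
aws_access_key_id = AKIAUNKNOWNKEY000009
# a temporary session credential
AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEY000007
"""

# Long-term IAM user keys start with AKIA; temporary STS keys start with ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def map_active_access_keys(users, keys_for_user, key_filter=None):
    """Return {access_key_id: user_name} for active keys, optionally one key only."""
    mapping = {}
    for user in users:
        name = user["UserName"]
        for key in keys_for_user(name):
            if key.get("Status") != "Active":
                continue
            if key_filter and key["AccessKeyId"] != key_filter:
                continue
            mapping[key["AccessKeyId"]] = name
    return mapping


def cross_reference_text(text, mapping):
    """Find key IDs in arbitrary text and attribute each to an owner or a reason."""
    result = {}
    for key_id in sorted(set(ACCESS_KEY_ID_RE.findall(text))):
        if key_id in mapping:
            result[key_id] = mapping[key_id]
        elif key_id.startswith("ASIA"):
            result[key_id] = "temporary STS credential (not an IAM user key)"
        else:
            result[key_id] = "not an active key in this account"
    return result


def map_with_boto3(profile, key_filter=None):
    """Assumed live-account variant: same mapping built from paginated IAM calls."""
    import boto3  # imported lazily so the offline sample runs without it
    iam = boto3.session.Session(profile_name=profile).client("iam")
    users = [u for page in iam.get_paginator("list_users").paginate() for u in page["Users"]]

    def keys_for_user(name):
        pages = iam.get_paginator("list_access_keys").paginate(UserName=name)
        return [k for page in pages for k in page["AccessKeyMetadata"]]

    return map_active_access_keys(users, keys_for_user, key_filter)


if __name__ == "__main__":
    mapping = map_active_access_keys(SAMPLE_USERS, lambda n: SAMPLE_ACCESS_KEYS.get(n, []))
    for key_id, owner in mapping.items():
        print(f"{owner:<16} {key_id}")
    for key_id, verdict in cross_reference_text(SAMPLE_FOUND_TEXT, mapping).items():
        print(f"found {key_id} -> {verdict}")
```

A key ID that matches nothing in the current account is still worth recording: it may belong to another in-scope account, or be a rotated key that was never cleaned out of the file.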

buckets

Lists the buckets in the account and gives you handy commands for inspecting them further.

Example:

❯ cloudfox aws --profile cf-exec -v2 buckets
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942714852430000
[buckets] Enumerating buckets for account 049881439828.
[buckets] Status: 1/1 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬────────┬──────────────────────────────────────╮
│ Service │ Region │                 Name                 │
├─────────┼────────┼──────────────────────────────────────┤
│ S3      │ Global │ cf-templates-1c3fmu2nov5ko-us-east-1 │
│ S3      │ Global │ cloudfox-bucket1                     │
│ S3      │ Global │ cloudfox-bucket2                     │
│ S3      │ Global │ cloudfox-bucket3                     │
│ S3      │ Global │ cloudfox-terraform-state             │
╰─────────┴────────┴──────────────────────────────────────╯
[buckets] Output written to [cloudfox-output/aws/cf-exec/table/buckets.txt]
[buckets] Output written to [cloudfox-output/aws/cf-exec/csv/buckets.csv]
[buckets] Loot written to [cloudfox-output/aws/cf-exec/loot/bucket-commands.txt]
[buckets] 5 buckets found.

ecr

Lists the most recently pushed image from all repositories. Use the loot file to pull selected images down with docker/nerdctl for inspection.

Example:

[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1661127735075605000
[ecr] Enumerating container repositories for account 049881439828.
[ecr] Status: 21/21 regions complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)

Service  Region     Name    URI                                                       PushedAt             ImageTags ImageSize  
-------- ---------  -----  ---------------------------------------------------------- -------------------- --------- ------------
 ECR     us-west-2  acme1  049881439828.dkr.ecr.us-west-2.amazonaws.com/acme1:latest   2022-03-11 02:06:21 latest    329778373  
 ECR     us-west-2  acme2  049881439828.dkr.ecr.us-west-2.amazonaws.com/acme2:latest   2021-06-11 20:09:25 latest    497924937  
 ECR     us-west-2  acme3  049881439828.dkr.ecr.us-west-2.amazonaws.com/acme3:latest   2022-03-28 18:18:56 latest    783034852  
 ECR     us-west-2  acme4  049881439828.dkr.ecr.us-west-2.amazonaws.com/acme4:latest   2022-03-05 17:56:09 latest    709832115  

[ecr] Output written to [cloudfox-output/aws/cf-exec/table/ecr.txt]
[ecr] Loot written to [cloudfox-output/aws/cf-exec/loot/ECR-pull-commands.txt]

Endpoints

This command enumerates endpoints from various services. Look for public endpoints, endpoints that don't require authentication, etc.

Example:

❯ cloudfox aws --profile cf-exec -v2 endpoints
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942746942796000
[endpoints] Enumerating endpoints for account 049881439828.
[endpoints] Supported Services: App Runner, APIGateway, ApiGatewayV2, Cloudfront, EKS, ELB, ELBv2, Grafana,
[endpoints] 			Lambda, MQ, OpenSearch, Redshift, RDS
[endpoints] Status: 274/274 tasks complete (67 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────┬───────────┬──────────────┬───────────────────────────────────────────────────────────────────────┬──────┬──────────┬────────╮
│  Service   │  Region   │     Name     │                               Endpoint                                │ Port │ Protocol │ Public │
├────────────┼───────────┼──────────────┼───────────────────────────────────────────────────────────────────────┼──────┼──────────┼────────┤
│ App Runner │ us-west-2 │ example      │ https://wejpymersj.us-west-2.awsapprunner.com                         │ 443  │ https    │ True   │
│ ELB        │ us-west-2 │ cloudfox-elb │ http://cloudfox-elb-834557314.us-west-2.elb.amazonaws.com:80          │ 80   │ HTTP     │ True   │
│ Lambda     │ us-west-2 │ lambda2      │ https://scyoucfcogj5mthweznc5fcuva0mpokg.lambda-url.us-west-2.on.aws/ │ 443  │ https    │ True   │
│ Lambda     │ us-west-2 │ lambda1      │ https://jrtbo2vgw6o74nexfozi3ltgey0kupgn.lambda-url.us-west-2.on.aws/ │ 443  │ https    │ True   │
│ RDS        │ us-west-2 │ cloudfox-rds │ cloudfox-rds.ckzvqq0tjs4a.us-west-2.rds.amazonaws.com                 │ 3306 │ mysql    │ True   │
╰────────────┴───────────┴──────────────┴───────────────────────────────────────────────────────────────────────┴──────┴──────────┴────────╯
[endpoints] Output written to [cloudfox-output/aws/cf-exec/table/endpoints.txt]
[endpoints] Output written to [cloudfox-output/aws/cf-exec/csv/endpoints.csv]
[endpoints] Loot written to [cloudfox-output/aws/cf-exec/loot/endpoints-UrlsOnly.txt]
[endpoints] 5 endpoints enumerated.
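The table above already contains the two things a reviewer looks for first: a public endpoint serving plain HTTP on port 80, and a database endpoint (mysql/3306) flagged Public. The following added example (not CloudFox code) triages the CSV that the endpoints command writes, using the same column layout as the table (Service, Region, Name, Endpoint, Port, Protocol, Public); the rows are constructed, the protocol lists are the author's own assumptions, and the hostnames extracted are meant for an asset register.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed sample in the column layout of cloudfox's endpoints CSV output.
# Hostnames and names are made up.
SAMPLE_ENDPOINTS_CSV = """Service,Region,Name,Endpoint,Port,Protocol,Public
App Runner,us-west-2,example,https://abc123.us-west-2.awsapprunner.com,443,https,True
ELB,us-west-2,legacy-elb,http://legacy-elb-1234.us-west-2.elb.amazonaws.com:80,80,HTTP,True
Lambda,us-west-2,lambda1,https://xyz.lambda-url.us-west-2.on.aws/,443,https,True
RDS,us-west-2,orders-db,orders-db.abcdefg.us-west-2.rds.amazonaws.com,3306,mysql,True
RDS,us-west-2,internal-db,internal-db.abcdefg.us-west-2.rds.amazonaws.com,5432,postgres,False
"""

# Assumed classification lists; extend to match the services in your account.
DATABASE_PROTOCOLS = {"mysql", "postgres", "postgresql", "mssql", "oracle", "redis", "mongodb"}
PLAINTEXT_PROTOCOLS = {"http", "ftp", "telnet"}


def parse_endpoints(csv_text):
    """Parse the endpoints CSV into typed rows (port as int, public as bool)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        port = row["Port"].strip()
        rows.append({
            "service": row["Service"],
            "region": row["Region"],
            "name": row["Name"],
            "endpoint": row["Endpoint"].strip(),
            "port": int(port) if port.isdigit() else None,
            "protocol": row["Protocol"].strip().lower(),
            "public": row["Public"].strip().lower() == "true",
        })
    return rows


def hostname(endpoint):
    """Hostname of an endpoint string, with or without a scheme."""
    if "://" in endpoint:
        return urlparse(endpoint).hostname
    return endpoint.split(":")[0]


def triage(rows):
    """Return (name, finding) for public endpoints that deserve review."""
    findings = []
    for r in rows:
        if not r["public"]:
            continue
        if r["protocol"] in DATABASE_PROTOCOLS:
            findings.append((r["name"],
                             f"database endpoint ({r['protocol']}/{r['port']}) reachable from the internet"))
        elif r["protocol"] in PLAINTEXT_PROTOCOLS:
            findings.append((r["name"],
                             f"plaintext {r['protocol']} on port {r['port']}; traffic crosses the internet unencrypted"))
    return findings


def public_hostnames(rows):
    """Sorted unique hostnames of public endpoints, for an external asset register."""
    return sorted({hostname(r["endpoint"]) for r in rows if r["public"]})


if __name__ == "__main__":
    rows = parse_endpoints(SAMPLE_ENDPOINTS_CSV)
    for name, finding in triage(rows):
        print(f"{name:<12} {finding}")
    print("public hosts:", ", ".join(public_hostnames(rows)))
```

The Public column says only that the endpoint resolves to a public address; whether the service behind it actually accepts unauthenticated traffic still has to be confirmed from the security group, the service's own auth settings, and the scans the description recommends.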

env-vars

Grabs the environment variables from services that have them (App Runner, ECS, Lambda, Lightsail containers, and SageMaker are supported). If you find a sensitive secret, use cloudfox iam-simulator AND pmapper to see who has access to it.

Example: Enumerate environment variables in multiple services

❯ cloudfox aws --profile cf-exec -v2 env-vars
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942784490595000
[env-vars] Enumerating environment variables in all regions for account 049881439828.
[env-vars] Supported Services: App Runner, Elastic Container Service, Lambda, Lightsail Containers, Sagemaker
[env-vars] Status: 105/105 tasks complete (48 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────┬───────────┬─────────┬─────────────────┬─────────────────────────────────╮
│  Service   │  Region   │  Name   │       Key       │              Value              │
├────────────┼───────────┼─────────┼─────────────────┼─────────────────────────────────┤
│ App Runner │ us-west-2 │ example │ secret_password │ 12345                           │
│ Lambda     │ us-west-2 │ lambda1 │ RDS_PASSWORD    │ ]M=rsDq}p9n:u{6*$dz2}}t7D:YH#k7 │
│ Lambda     │ us-west-2 │ lambda1 │ RDS_USER        │ admin                           │
╰────────────┴───────────┴─────────┴─────────────────┴─────────────────────────────────╯
[env-vars] Output written to [cloudfox-output/aws/cf-exec/table/env-vars.txt]
[env-vars] Output written to [cloudfox-output/aws/cf-exec/csv/env-vars.csv]
[env-vars] 3 environment variables found.

filesystems

Enumerates the EFS and FSx filesystems that you might be able to mount without creds (if you have the right network access). For example, this is useful when you have ec2:RunInstances but not iam:PassRole.

Example: Enumerate any EFS or FSx shares

❯ cloudfox aws --profile cf-exec -v2 filesystems
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942818660709000
[filesystems] Enumerating filesystems for account 049881439828.
[filesystems] Supported Services: EFS, FSx
[filesystems] Status: 42/42 tasks complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬───────────┬──────────────┬────────────┬────────────────────────┬───────────────────────╮
│ Service │  Region   │     Name     │  DNS Name  │      Mount Target      │        Policy         │
├─────────┼───────────┼──────────────┼────────────┼────────────────────────┼───────────────────────┤
│ EFS     │ us-west-2 │ cloudfox-efs │ 10.0.1.115 │ fsmt-079d42aa439682a63 │ Default (No IAM auth) │
╰─────────┴───────────┴──────────────┴────────────┴────────────────────────┴───────────────────────╯
[filesystems] Output written to [cloudfox-output/aws/cf-exec/table/filesystems.txt]
[filesystems] Output written to [cloudfox-output/aws/cf-exec/csv/filesystems.csv]
[filesystems] Loot written to [cloudfox-output/aws/cf-exec/loot/filesystems-mount-commands.txt]
[filesystems] 1 filesystems found.

iam-simulator

Like pmapper, but uses the IAM policy simulator. It uses AWS's evaluation logic, but notably, it doesn't consider transitive access via privesc, which is why you should always also use pmapper.

Example: Default mode checks every principal against a hardcoded list of specific permissions for any resource

❯ cloudfox aws --profile cf-exec -v2 iam-simulator
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942906111954000
[iam-simulator] Running multiple iam-simulator queries for account 049881439828. (This command can be pretty slow, FYI)
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬─────────────────────────────────────────────╮
│ Service │                                                      Principal                                                       │                    Query                    │
├─────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼─────────────────────────────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole                                                         │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/adams                                                                                 │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/press                                                                                 │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:user/terraform-user                                                                        │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/not-admin                                                                             │ Appears to be an administrator              │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can apprunner:DescribeService on *          │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can apprunner:DescribeService on *          │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS                               │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/rapinoe                                                                               │ can ecr:BatchGetImage on *                  │
│ IAM     │ arn:aws:iam::049881439828:role/rapinoe                                                                               │ can ecr:GetAuthorizationToken on *          │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876          │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/CloudFox-exec-role                                                                    │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/lavelle                                                                               │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer        │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ can s3:GetObject on *                       │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor         │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                       │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5                │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/dempsey                                                                               │ can ssm:StartSession on *                   │
╰─────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴─────────────────────────────────────────────╯
[iam-simulator] Output written to [cloudfox-output/aws/cf-exec/table/iam-simulator.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-exec/csv/iam-simulator.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-exec/loot/iam-simulator-pmapper-commands.txt]

Example 2: Check a specific principal against the hardcoded list of interesting permissions

❯ cloudfox aws --profile cf-prod iam-simulator -v2 --principal arn:aws:iam::049881439828:role/OrganizationAccountAccessRole
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if arn:aws:iam::049881439828:role/OrganizationAccountAccessRole can do any actions of interest.
[iam-simulator] Status: 0/0 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────┬─────────────────────────────────────────────╮
│ Service │                          Principal                           │                    Query                    │
├─────────┼──────────────────────────────────────────────────────────────┼─────────────────────────────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can apprunner:DescribeService on *          │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ec2:DescribeInstanceAttributeInput on * │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ecr:BatchGetImage on *                  │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ecr:GetAuthorizationToken on *          │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ecs:DescribeTaskDefinition on *         │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can eks:UpdateClusterConfig on *            │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can iam:PassRole on *                       │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can lambda:ListFunctions on *               │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can s3:GetObject on *                       │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can s3:ListBucket on *                      │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can secretsmanager:GetSecretValue on *      │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ssm:GetParameter on *                   │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ssm:StartSession on *                   │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can ssm:sSendCommand on *                   │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can sts:AssumeRole on *                     │
╰─────────┴──────────────────────────────────────────────────────────────┴─────────────────────────────────────────────╯

Example 3: Check a specific principal against a specific permission

❯ cloudfox aws --profile cf-prod iam-simulator -v2 --principal arn:aws:iam::049881439828:role/OrganizationAccountAccessRole --action iam:PassRole
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if arn:aws:iam::049881439828:role/OrganizationAccountAccessRole can do iam:PassRole.
[iam-simulator] Status: 0/0 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────┬───────────────────────╮
│ Service │                          Principal                           │         Query         │
├─────────┼──────────────────────────────────────────────────────────────┼───────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole │ can iam:PassRole on * │
╰─────────┴──────────────────────────────────────────────────────────────┴───────────────────────╯
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/table/iam-simulator-custom-1662941825.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/csv/iam-simulator-custom-1662941825.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-prod/loot/iam-simulator-pmapper-commands.txt]

Example 4: Check all principals against a specific permission

❯ cloudfox aws --profile cf-prod iam-simulator -v2 --action ecr:putimage
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[iam-simulator] Checking to see if any principal can do ecr:putimage.
[iam-simulator] Status: 2/2 tasks complete (0 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭─────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────╮
│ Service │                                                      Principal                                                       │             Query              │
├─────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────┤
│ IAM     │ arn:aws:iam::049881439828:user/terraform-user                                                                        │ Appears to be an administrator │
│ IAM     │ arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0 │ Appears to be an administrator │
│ IAM     │ arn:aws:iam::049881439828:role/OrganizationAccountAccessRole                                                         │ Appears to be an administrator │
╰─────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────╯
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/table/iam-simulator-custom-1662941969.txt]
[iam-simulator] Output written to [cloudfox-output/aws/cf-prod/csv/iam-simulator-custom-1662941969.csv]
[iam-simulator] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.
[iam-simulator] Loot written to [cloudfox-output/aws/cf-prod/loot/iam-simulator-pmapper-commands.txt]

Instances

This command enumerates the following information for EC2 Instances in all regions of an AWS account:

  • Instance ID
  • Instance Name
  • Instance Profile
  • Zone
  • Instance State
  • Internal IP
  • External IP
  • "userData" Attribute

Example 1: Enumerate general information about EC2 instances

❯ cloudfox aws --profile cf-exec -v2 instances
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662942995947879000
[instances] Enumerating EC2 instances in all regions for account 049881439828
[instances] Status: 21/21 tasks complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────┬────────────┬────────────┬────────────────┬─────────────┬───────────────────────╮
│                    Name                    │                               Arn                               │    Zone    │   State    │  External IP   │ Internal IP │        Profile        │
├────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────┼────────────┼────────────┼────────────────┼─────────────┼───────────────────────┤
│ instance3                                  │ arn:aws:ec2:us-west-2:049881439828:instance/i-0bc6da9c8ead21667 │ us-west-2a │ running    │ 54.218.85.62   │ 10.0.1.238  │ service-admin-profile │
│ instance2                                  │ arn:aws:ec2:us-west-2:049881439828:instance/i-0229c0cc11947933c │ us-west-2a │ running    │ 54.191.6.206   │ 10.0.1.23   │ NoInstanceProfile     │
│ instance1                                  │ arn:aws:ec2:us-west-2:049881439828:instance/i-00f6b2ebbeadcf6fc │ us-west-2a │ running    │ 18.237.183.237 │ 10.0.1.105  │ NoInstanceProfile     │
│ instance4                                  │ arn:aws:ec2:us-west-2:049881439828:instance/i-020e69c99ce4c7a97 │ us-west-2a │ running    │ 54.200.182.19  │ 10.0.1.45   │ NoInstanceProfile     │
╰────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────┴────────────┴────────────┴────────────────┴─────────────┴───────────────────────╯
[instances] Output written to [cloudfox-output/aws/cf-exec/table/instances.txt]
[instances] Output written to [cloudfox-output/aws/cf-exec/csv/instances.csv]
[instances] Loot written to [cloudfox-output/aws/cf-exec/loot/instances-ec2PrivateIPs.txt]
[instances] Loot written to [cloudfox-output/aws/cf-exec/loot/instances-ec2PublicIPs.txt]
[instances] 4 instances found.

Example 2: obtain only userData attributes for EC2 instances
This is a separate flag because userData does not fit in table or CSV output formats.

❯ cloudfox aws --profile cf-exec -v2 instances --userdata
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943069534483000
[instances] Enumerating EC2 instances in all regions for account 049881439828
[instances] Status: 21/21 tasks complete (4 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
=============================================

Instance Arn: arn:aws:ec2:us-west-2:049881439828:instance/i-020e69c99ce4c7a97
Region: us-west-2
Instance Profile: NoInstanceProfile

User Data:
#!/bin/bash
export RDS_USER="admin"
export RDS_PASSWORD="]M=rsDq}p9n:u{6*$dz2}}t7D:YH#k7"

=============================================

[instance-userdata] Loot written to [cloudfox-output/aws/cf-exec/loot/instance-userdata.txt]
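The loot file above is where the real finds live: a provisioning script that exports a database password, or drops long-lived keys, is readable by anyone with ec2:DescribeInstanceAttribute. The following script is an added example (not part of CloudFox) that splits a loot file in the format shown above into per-instance records and flags lines that look like secrets; it also decodes userData the way the EC2 API returns it (base64, optionally gzipped). The loot text, instance IDs, password and access key ID are constructed placeholders, and the secret patterns are a starting set, not an exhaustive detector.

```python
"""Triage a CloudFox-style instance-userdata loot file for secrets.

Added example, not CloudFox code. SAMPLE_LOOT is constructed in the format the
output above shows; the instance IDs, password and AKIA... value are fake.
"""
import base64
import gzip
import re

# Constructed loot file contents: two instances, one with secrets in userData.
SAMPLE_LOOT = """\
=============================================

Instance Arn: arn:aws:ec2:us-west-2:123456789012:instance/i-0123456789abcdef0
Region: us-west-2
Instance Profile: NoInstanceProfile

User Data:
#!/bin/bash
export RDS_USER="admin"
export RDS_PASSWORD="not-a-real-password-42"
aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE

=============================================

Instance Arn: arn:aws:ec2:us-west-2:123456789012:instance/i-0fedcba9876543210
Region: us-west-2
Instance Profile: web-profile

User Data:
#!/bin/bash
yum install -y httpd
systemctl enable --now httpd

=============================================
"""

# Each pattern is tried per line; the first label that matches wins.
SECRET_PATTERNS = {
    "env-var secret": re.compile(
        r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*"
        r"(?:PASS|PWD|SECRET|TOKEN|KEY|CREDENTIAL)[A-Za-z0-9_]*)\s*=\s*(\S.*)$",
        re.IGNORECASE),
    "aws access key id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def parse_loot(text):
    """Split the loot file into {arn, region, profile, user_data} records."""
    records = []
    for chunk in re.split(r"^=+\s*$", text, flags=re.M):
        chunk = chunk.strip()
        if not chunk or "User Data:" not in chunk:
            continue
        header, _, body = chunk.partition("User Data:")
        fields = dict(line.split(": ", 1) for line in header.splitlines() if ": " in line)
        records.append({
            "arn": fields.get("Instance Arn", ""),
            "region": fields.get("Region", ""),
            "profile": fields.get("Instance Profile", ""),
            "user_data": body.strip("\n"),
        })
    return records


def encode_user_data(text, compress=False):
    """Produce userData as the EC2 API carries it: base64, optionally gzipped."""
    raw = text.encode()
    if compress:
        raw = gzip.compress(raw)
    return base64.b64encode(raw).decode()


def decode_user_data(b64):
    """Reverse of encode_user_data; cloud-init accepts gzipped scripts, so check the magic."""
    raw = base64.b64decode(b64)
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


def find_secrets(user_data):
    """Return (line_no, label, line) for every userData line matching a pattern."""
    hits = []
    for n, line in enumerate(user_data.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((n, label, line.strip()))
                break
    return hits


def triage(text):
    """Map instance ARN -> secret hits, leaving out instances with clean userData."""
    report = {}
    for rec in parse_loot(text):
        hits = find_secrets(rec["user_data"])
        if hits:
            report[rec["arn"]] = hits
    return report


if __name__ == "__main__":
    for arn, hits in triage(SAMPLE_LOOT).items():
        print(arn)
        for n, label, line in hits:
            print(f"  line {n} [{label}]: {line}")
```

Point `triage` at `cloudfox-output/aws/<profile>/loot/instance-userdata.txt` to get the same report for a real run. A hit on an instance with `NoInstanceProfile` is still worth chasing: the credential in the script usually belongs to something else (here an RDS database), so the blast radius is set by that system, not by the instance's own IAM access.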

Inventory

This command enumerates resource counts per service, per region, so you can quickly see which regions the client actually uses. Only the services listed in the output are counted, so treat the totals as a lower bound rather than a full account inventory.

Example:

❯ cloudfox aws --profile cf-exec -v2 inventory
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1662943145181650000
[inventory] Enumerating selected services in all regions for account 049881439828.
[inventory] Supported Services: ApiGateway, ApiGatewayv2, AppRunner, CloudFormation, Cloudfront, EC2, ECS, EKS,
[inventory] 			ELB, ELBv2, Grafana, IAM, Lambda, Lightsail, MQ, OpenSearch, RDS, S3, SecretsManager, SSM
[inventory] Status: 357/357 tasks complete (90 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)
╭────────────────────────────────┬───────────┬───────────╮
│         Resource Type          │ us-west-2 │ us-east-1 │
├────────────────────────────────┼───────────┼───────────┤
│ Total                          │ 24        │ 10        │
│ APIGateway RestAPIs            │ -         │ -         │
│ APIGatewayv2 APIs              │ -         │ -         │
│ AppRunner Services             │ 1         │ -         │
│ CloudFormation Stacks          │ 7         │ 8         │
│ Cloudfront Distributions       │ -         │ -         │
│ EC2 Instances                  │ 4         │ 2         │
│ ECS Tasks                      │ 1         │ -         │
│ EKS Clusters                   │ -         │ -         │
│ ELB Load Balancers             │ 1         │ -         │
│ ELBv2 Load Balancers           │ -         │ -         │
│ Grafana Workspaces             │ -         │ -         │
│ Lambda Functions               │ 2         │ -         │
│ Lightsail Instances/Containers │ -         │ -         │
│ MQ Brokers                     │ -         │ -         │
│ OpenSearch DomainNames         │ -         │ -         │
│ RDS DB Instances               │ 1         │ -         │
│ SecretsManager Secrets         │ 3         │ -         │
│ SSM Parameters                 │ 4         │ -         │
╰────────────────────────────────┴───────────┴───────────╯
[inventory] Output written to [cloudfox-output/aws/cf-exec/table/inventory.txt]
[inventory] Output written to [cloudfox-output/aws/cf-exec/csv/inventory.csv]
╭───────────────┬───────╮
│ Resource Type │ Total │
├───────────────┼───────┤
│ S3 Buckets    │ 5     │
│ IAM Users     │ 2     │
│ IAM Roles     │ 29    │
╰───────────────┴───────╯
[inventory] Output written to [cloudfox-output/aws/cf-exec/table/inventory-global.txt]
[inventory] Output written to [cloudfox-output/aws/cf-exec/csv/inventory-global.csv]
[inventory] 70 resources enumerated in the services we looked at. This is NOT the total number of resources in the account.

Outbound Assumed Roles

List the roles that have been assumed by principals in this account. This is an excellent way to find outbound attack paths that lead into other accounts.

Example:

./cloudfox aws --profile default outbound-assumed-roles -d7 -v2
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::111111111111:assumed-role/CloudFox-exec-role/aws-go-sdk-1661128226589890000
[outbuond-assumed-roles] Caller Identity: arn:aws:iam::111111111111:user/seth
[outbuond-assumed-roles] Enumerating outbound assumed role entries in cloudtrail for account 111111111111.
[outbuond-assumed-roles] Going back through 7 days of cloudtrail events.  (This command can be pretty slow, FYI)

 Service      Region      Type          Source Principal                                                         Destination Principal                                                    Log Entry Timestamp
------------ ----------- ------------- ------------------------------------------------------------------------ ------------------------------------------------------------------------ ---------------------
 CloudTrail   us-east-1   AssumedRole   arn:aws:iam::111111111111:role/privesc14-UpdatingAssumeRolePolicy-role   arn:aws:iam::111111111111:role/privesc-AssumeRole-ending-role            2022-05-30 13:08:51
 CloudTrail   us-east-1   IAMUser       arn:aws:iam::111111111111:user/seth                                      arn:aws:iam::111111111111:role/privesc14-UpdatingAssumeRolePolicy-role   2022-05-30 13:04:33
 CloudTrail   us-east-1   AssumedRole   arn:aws:iam::111111111111:role/privesc14-UpdatingAssumeRolePolicy-role   arn:aws:iam::111111111111:role/privesc-AssumeRole-ending-role            2022-05-30 13:04:33
 CloudTrail   us-east-1   IAMUser       arn:aws:iam::111111111111:user/seth                                      arn:aws:iam::222222222222:role/OrganizationAccountAccessRole             2022-05-29 19:27:58

[outbuond-assumed-roles] Output written to [cloudfox-output/aws/default/outbound-assumed-roles.txt]
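The table above is derived from CloudTrail `AssumeRole` events. The script below is an added example (not CloudFox code) that builds the same source/destination view from raw CloudTrail records: it takes the source principal from `userIdentity.arn` for IAM users and from `sessionContext.sessionIssuer.arn` for role sessions (so chained hops show the role, not the session), drops the `AWSService` noise of services assuming execution roles on your behalf, marks denied attempts, and reduces the result to cross-account edges. The five events are constructed and trimmed to the fields the logic reads; account IDs and role names are placeholders.

```python
"""Build an outbound-assumed-roles view from CloudTrail AssumeRole events.

Added example, not CloudFox code. SAMPLE_EVENTS are constructed records trimmed
to the fields used here; the account IDs, users and roles are placeholders.
"""
from collections import Counter

SAMPLE_EVENTS = [
    {   # an IAM user assuming a role inside its own account
        "eventTime": "2022-05-30T13:04:33Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/seth"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/privesc14-UpdatingAssumeRolePolicy-role"},
    },
    {   # role chaining: the session from the hop above assumes a further role
        "eventTime": "2022-05-30T13:04:33Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-east-1",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/privesc14-UpdatingAssumeRolePolicy-role/session1",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::111111111111:role/privesc14-UpdatingAssumeRolePolicy-role"}},
        },
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/privesc-AssumeRole-ending-role"},
    },
    {   # outbound: a principal in this account hops into another account
        "eventTime": "2022-05-29T19:27:58Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/seth"},
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole"},
    },
    {   # noise: an AWS service assuming an execution role on your behalf
        "eventTime": "2022-05-29T19:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-east-1",
        "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/lambda-role1"},
    },
    {   # a failed cross-account attempt: not a path, but a detection signal
        "eventTime": "2022-05-29T18:55:10Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "awsRegion": "us-east-1", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/seth"},
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Admin"},
    },
]


def account_of(arn):
    """Account ID is the fifth colon-separated ARN field."""
    return arn.split(":")[4]


def source_principal(identity):
    """IAM ARN of whoever called AssumeRole: the role (not the session) for role sessions."""
    if identity["type"] == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"]
    return identity["arn"]


def outbound_assumed_roles(events):
    """Rows of {type, source, destination, time, cross_account, denied}, newest first."""
    rows = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        identity = ev["userIdentity"]
        if identity["type"] not in ("IAMUser", "AssumedRole"):   # skips AWSService, Root, etc.
            continue
        src = source_principal(identity)
        dst = ev["requestParameters"]["roleArn"]
        rows.append({
            "type": identity["type"],
            "source": src,
            "destination": dst,
            "time": ev["eventTime"],
            "cross_account": account_of(src) != account_of(dst),
            "denied": bool(ev.get("errorCode")),
        })
    # reverse=True keeps insertion order for equal timestamps (sort is stable)
    return sorted(rows, key=lambda r: r["time"], reverse=True)


def cross_account_edges(rows):
    """Distinct successful (source, destination) pairs that leave the account, with counts."""
    return Counter((r["source"], r["destination"])
                   for r in rows if r["cross_account"] and not r["denied"])


if __name__ == "__main__":
    for r in outbound_assumed_roles(SAMPLE_EVENTS):
        flag = "DENIED " if r["denied"] else ("X-ACCT " if r["cross_account"] else "       ")
        print(f"{flag}{r['time']}  {r['type']:<12}{r['source']} -> {r['destination']}")
```

The same logic applies to a CloudTrail export read from S3 or Athena; the denied rows are excluded from the edge list but kept in the table on purpose, since a burst of `AccessDenied` on `AssumeRole` into another account is exactly what a detection rule for cross-account probing keys on.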

permissions

Enumerates every identity-based IAM permission granted to each user and role in the account, one row per policy statement action (resource-based policies are not included yet).

Example:

❯ cloudfox aws --profile cf-prod permissions -v2
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[permissions] Enumerating IAM permissions for account 049881439828.

 Service   Principal Type   Name                                                     Policy Type   Policy Name                                         Effect   Action                                                                Resource
--------- ---------------- -------------------------------------------------------- ------------- --------------------------------------------------- -------- --------------------------------------------------------------------- -------------------------------------------------------------------------------------
 IAM       Role             AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0   Managed       AdministratorAccess                                 Allow    *                                                                     *
 IAM       Role             AWSReservedSSO_interns_9b819cbe299f5da5                  Managed       the_interns                                         Allow    lambda:ListFunctions                                                  *
 IAM       Role             AWSReservedSSO_interns_9b819cbe299f5da5                  Managed       the_interns                                         Allow    lambda:ListFunctionUrlConfigs                                         *
 IAM       Role             AWSReservedSSO_interns_9b819cbe299f5da5                  Managed       the_interns                                         Allow    ec2:DescribeInstances                                                 *
 IAM       Role             AWSReservedSSO_interns_9b819cbe299f5da5                  Managed       the_interns                                         Allow    s3:ListAllMyBuckets                                                   *
 IAM       Role             AWSReservedSSO_interns_9b819cbe299f5da5                  Managed       the_interns                                         Allow    iam:ListRoles                                                         *
 IAM       Role             AWSReservedSSO_interns_9b819cbe299f5da5                  Managed       the_interns                                         Allow    iam:ListUsers                                                         *
 IAM       Role             AWSReservedSSO_SecurityAudit_f67a30bf6639f876            Managed       SecurityAudit                                       Allow    access-analyzer:GetAnalyzedResource                                   *
 IAM       Role             AWSReservedSSO_SecurityAudit_f67a30bf6639f876            Managed       SecurityAudit                                       Allow    access-analyzer:GetAnalyzer                                           *
 IAM       Role             AWSReservedSSO_SecurityAudit_f67a30bf6639f876            Managed       SecurityAudit                                       Allow    access-analyzer:GetArchiveRule                                        *
 IAM       Role             AWSReservedSSO_SecurityAudit_f67a30bf6639f876            Managed       SecurityAudit                                       Allow    access-analyzer:GetFinding                                            *
 IAM       Role             AWSReservedSSO_SecurityAudit_f67a30bf6639f876            Managed       SecurityAudit                                       Allow    access-analyzer:ListAnalyzedResources                                 *
 IAM       Role             AWSReservedSSO_SecurityAudit_f67a30bf6639f876            Managed       SecurityAudit                                       Allow    access-analyzer:ListAnalyzers                                         *
...omitted for brevity...
 IAM       Role             just-one-ec2                                             Managed       just-one-ec2                                        Allow    ec2:DescribeInstanceAttributeInput                                    arn:aws:ec2:us-east-1:049881439828:instance/i-03ebea4567d4d99f2
 IAM       Role             lambda-admin-role                                        Managed       lambda-admin                                        Allow    lambda:*                                                              *
 IAM       Role             lambda-role                                              Managed       lambda                                              Allow    lambda:UpdateFunctionCode                                             *
 IAM       Role             lambda-role                                              Managed       lambda                                              Allow    lambda:UpdateFunctionConfiguration                                    *
 IAM       Role             lambda-role1                                             Managed       lambda-policy1                                      Allow    logs:CreateLogGroup                                                   *
 IAM       Role             lambda-role1                                             Managed       lambda-policy1                                      Allow    logs:CreateLogStream                                                  *
 IAM       Role             lambda-role1                                             Managed       lambda-policy1                                      Allow    logs:PutLogEvents                                                     *
 IAM       Role             lambda-role2                                             Managed       lambda-policy2                                      Allow    *                                                                     *
 IAM       Role             not-admin                                                Managed       not-admin-access                                    Allow    *                                                                     *
 IAM       Role             OrganizationAccountAccessRole                            Managed       AdministratorAccess                                 Allow    *                                                                     *
 IAM       Role             ssmStartSession-role                                     Managed       ssmStartSession-policy                              Allow    ec2:DescribeInstances                                                 *
 IAM       Role             ssmStartSession-role                                     Managed       ssmStartSession-policy                              Allow    ssm:StartSession                                                      *
 IAM       Role             ssmStartSession-role                                     Managed       ssmStartSession-policy                              Allow    ssm:DescribeSessions                                                  *
 IAM       Role             ssmStartSession-role                                     Managed       ssmStartSession-policy                              Allow    ssm:GetConnectionStatus                                               *
 IAM       Role             ssmStartSession-role                                     Managed       ssmStartSession-policy                              Allow    ssm:DescribeInstanceProperties                                        *
 IAM       Role             ssmStartSession-role                                     Managed       ssmStartSession-policy                              Allow    ssm:TerminateSession                                                  *
 IAM       Role             ssmStartSession-role                                     Managed       ssmStartSession-policy                              Allow    ssm:ResumeSession                                                     *
 IAM       Role             test                                                     Inline        test_inline                                         Allow    s3:ListBucket                                                         arn:aws:s3:::*
 IAM       Role             test                                                     Inline        test_inline                                         Allow    s3:ListAllMyBuckets                                                   *
 IAM       User             shepard-ec2_ssrf_cgidckf1bcz8io                          Managed       cg-shepard-policy-ec2_ssrf_cgidckf1bcz8io           Allow    lambda:Get*                                                           *
 IAM       User             shepard-ec2_ssrf_cgidckf1bcz8io                          Managed       cg-shepard-policy-ec2_ssrf_cgidckf1bcz8io           Allow    lambda:Invoke*                                                        *
 IAM       User             shepard-ec2_ssrf_cgidckf1bcz8io                          Managed       cg-shepard-policy-ec2_ssrf_cgidckf1bcz8io           Allow    lambda:List*                                                          *
 IAM       User             solus-ec2_ssrf_cgidckf1bcz8io                            Managed       cg-solus-policy-ec2_ssrf_cgidckf1bcz8io             Allow    lambda:Get*                                                           *
 IAM       User             solus-ec2_ssrf_cgidckf1bcz8io                            Managed       cg-solus-policy-ec2_ssrf_cgidckf1bcz8io             Allow    lambda:List*                                                          *
 IAM       User             terraform-user                                           Managed       AdministratorAccess                                 Allow    *                                                                     *
 IAM       User             wrex-ec2_ssrf_cgidckf1bcz8io                             Managed       cg-wrex-policy-ec2_ssrf_cgidckf1bcz8io              Allow    ec2:*                                                                 *

[permissions] Output written to [cloudfox-output/aws/cf-prod/table/permissions.txt]
[permissions] 3058 unique permissions identified.

principals

Enumerates the IAM users and roles in the account so you have their names and ARNs at your fingertips.

Example:

❯ cloudfox aws --profile cf-exec principals -v2
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1661128439690920000
[principals] Enumerating IAM Users and Roles for account 049881439828.

 Service   Type   Name                                                     Arn
--------- ------ -------------------------------------------------------- --------------------------------------------------------------------------------------------------------------------------
 IAM       User   pele                                                     arn:aws:iam::049881439828:user/pele
 IAM       User   shepard-ec2_ssrf_cgidckf1bcz8io                          arn:aws:iam::049881439828:user/shepard-ec2_ssrf_cgidckf1bcz8io
 IAM       User   solus-ec2_ssrf_cgidckf1bcz8io                            arn:aws:iam::049881439828:user/solus-ec2_ssrf_cgidckf1bcz8io
 IAM       User   terraform-user                                           arn:aws:iam::049881439828:user/terraform-user
 IAM       User   wrex-ec2_ssrf_cgidckf1bcz8io                             arn:aws:iam::049881439828:user/wrex-ec2_ssrf_cgidckf1bcz8io
 IAM       Role   AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0   arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_e7f5699f2cb1edb0
 IAM       Role   AWSReservedSSO_interns_9b819cbe299f5da5                  arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_interns_9b819cbe299f5da5
 IAM       Role   AWSReservedSSO_SecurityAudit_f67a30bf6639f876            arn:aws:iam::049881439828:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_SecurityAudit_f67a30bf6639f876
 IAM       Role   AWSServiceRoleForAccessAnalyzer                          arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer
 IAM       Role   AWSServiceRoleForAppRunner                               arn:aws:iam::049881439828:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner
 IAM       Role   AWSServiceRoleForECS                                     arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS
 IAM       Role   AWSServiceRoleForElastiCache                             arn:aws:iam::049881439828:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache
 IAM       Role   AWSServiceRoleForElasticLoadBalancing                    arn:aws:iam::049881439828:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
 IAM       Role   AWSServiceRoleForOrganizations                           arn:aws:iam::049881439828:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
 IAM       Role   AWSServiceRoleForRDS                                     arn:aws:iam::049881439828:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS
 IAM       Role   AWSServiceRoleForSSO                                     arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO
 IAM       Role   AWSServiceRoleForSupport                                 arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport
 IAM       Role   AWSServiceRoleForTrustedAdvisor                          arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor
 IAM       Role   cf-admin-role                                            arn:aws:iam::049881439828:role/cf-admin-role
 IAM       Role   cg-ec2-role-ec2_ssrf_cgidckf1bcz8io                      arn:aws:iam::049881439828:role/cg-ec2-role-ec2_ssrf_cgidckf1bcz8io
 IAM       Role   cg-ecs-takeover-ecs_takeover_cgide8huu94lcu-ecs-agent    arn:aws:iam::049881439828:role/cg-ecs-takeover-ecs_takeover_cgide8huu94lcu-ecs-agent
 IAM       Role   cg-ecs-takeover-ecs_takeover_cgide8huu94lcu-privd        arn:aws:iam::049881439828:role/cg-ecs-takeover-ecs_takeover_cgide8huu94lcu-privd
 IAM       Role   cg-lambda-role-ec2_ssrf_cgidckf1bcz8io-service-role      arn:aws:iam::049881439828:role/cg-lambda-role-ec2_ssrf_cgidckf1bcz8io-service-role
 IAM       Role   cloudformation-role                                      arn:aws:iam::049881439828:role/cloudformation-role
 IAM       Role   CloudFox-exec-role                                       arn:aws:iam::049881439828:role/CloudFox-exec-role
 IAM       Role   ec2-admin-role                                           arn:aws:iam::049881439828:role/ec2-admin-role
 IAM       Role   ec2InstanceConnect                                       arn:aws:iam::049881439828:role/ec2InstanceConnect
 IAM       Role   just-one-ec2                                             arn:aws:iam::049881439828:role/just-one-ec2
 IAM       Role   lambda-admin-role                                        arn:aws:iam::049881439828:role/lambda-admin-role
 IAM       Role   lambda-role                                              arn:aws:iam::049881439828:role/lambda-role
 IAM       Role   lambda-role1                                             arn:aws:iam::049881439828:role/lambda-role1
 IAM       Role   lambda-role2                                             arn:aws:iam::049881439828:role/lambda-role2
 IAM       Role   not-admin                                                arn:aws:iam::049881439828:role/not-admin
 IAM       Role   OrganizationAccountAccessRole                            arn:aws:iam::049881439828:role/OrganizationAccountAccessRole
 IAM       Role   ssmStartSession-role                                     arn:aws:iam::049881439828:role/ssmStartSession-role
 IAM       Role   test                                                     arn:aws:iam::049881439828:role/test

[principals] Output written to [cloudfox-output/aws/cf-exec/table/principals.txt]
[principals] 36 IAM principals found.

role-trusts

This command searches IAM role trust policies for trusts to a specific principal or AWS account. It is particularly useful when assessing privilege escalation paths through sts:AssumeRole. In most cases the assuming principal also needs an sts:AssumeRole allow in its own identity-based policy; however, if the trusted principal is named explicitly in the trust policy (rather than via the account root) and belongs to the same account as the trusting role, the trust policy alone is sufficient and the trusted principal does not need the sts:AssumeRole permission.

Example 1: map all prod account role trusts

❯ cloudfox aws --profile cf-prod role-trusts -v2
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::049881439828:user/terraform-user
[role-trusts] Enumerating role trusts for account 049881439828.

 Role                                                           Trusted Principal                               Conditions
-------------------------------------------------------------- ----------------------------------------------- ------------
 arn:aws:iam::049881439828:role/test                            arn:aws:iam::049881439828:root                  {}
 arn:aws:iam::049881439828:role/just-one-ec2                    arn:aws:iam::049881439828:user/pele             {}
 arn:aws:iam::049881439828:role/not-admin                       arn:aws:iam::049881439828:user/pele             {}
 arn:aws:iam::049881439828:role/cloudformation-role             arn:aws:iam::049881439828:user/terraform-user   {}
 arn:aws:iam::049881439828:role/CloudFox-exec-role              arn:aws:iam::049881439828:user/terraform-user   {}
 arn:aws:iam::049881439828:role/ec2InstanceConnect              arn:aws:iam::049881439828:user/terraform-user   {}
 arn:aws:iam::049881439828:role/lambda-role                     arn:aws:iam::049881439828:user/terraform-user   {}
 arn:aws:iam::049881439828:role/ssmStartSession-role            arn:aws:iam::049881439828:user/terraform-user   {}
 arn:aws:iam::049881439828:role/OrganizationAccountAccessRole   arn:aws:iam::289507344597:root                  {}

[role-trusts-principals] Output written to [cloudfox-output/aws/cf-prod/table/role-trusts-principals.txt]
[role-trusts-principals] 9 role trusts found.

 Role                                                                                                                       Trusted Service                      Conditions
-------------------------------------------------------------------------------------------------------------------------- ------------------------------------ ------------
 arn:aws:iam::049881439828:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer              access-analyzer.amazonaws.com        {}
 arn:aws:iam::049881439828:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner                         apprunner.amazonaws.com              {}
 arn:aws:iam::049881439828:role/cf-admin-role                                                                               cloudformation.amazonaws.com         {}
 arn:aws:iam::049881439828:role/ec2-admin-role                                                                              ec2.amazonaws.com                    {}
 arn:aws:iam::049881439828:role/cg-ecs-takeover-ecs_takeover_cgide8huu94lcu-ecs-agent                                       ec2.amazonaws.com                    {}
 arn:aws:iam::049881439828:role/cg-ec2-role-ec2_ssrf_cgidckf1bcz8io                                                         ec2.amazonaws.com                    {}
 arn:aws:iam::049881439828:role/cg-ecs-takeover-ecs_takeover_cgide8huu94lcu-privd                                           ecs-tasks.amazonaws.com              {}
 arn:aws:iam::049881439828:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS                                     ecs.amazonaws.com                    {}
 arn:aws:iam::049881439828:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache                     elasticache.amazonaws.com            {}
 arn:aws:iam::049881439828:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing   elasticloadbalancing.amazonaws.com   {}
 arn:aws:iam::049881439828:role/cg-lambda-role-ec2_ssrf_cgidckf1bcz8io-service-role                                         lambda.amazonaws.com                 {}
 arn:aws:iam::049881439828:role/lambda-admin-role                                                                           lambda.amazonaws.com                 {}
 arn:aws:iam::049881439828:role/lambda-role1                                                                                lambda.amazonaws.com                 {}
 arn:aws:iam::049881439828:role/lambda-role2                                                                                lambda.amazonaws.com                 {}
 arn:aws:iam::049881439828:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations                 organizations.amazonaws.com          {}
 arn:aws:iam::049881439828:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS                                     rds.amazonaws.com                    {}
 arn:aws:iam::049881439828:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO                                     sso.amazonaws.com                    {}
 arn:aws:iam::049881439828:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport                             support.amazonaws.com                {}
 arn:aws:iam::049881439828:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor               trustedadvisor.amazonaws.com         {}

[role-trusts-services] Output written to [cloudfox-output/aws/cf-prod/table/role-trusts-services.txt]
[role-trusts-services] 19 role trusts found.

Example 2: map all PROD (111111111111) account role trusts to principal "test_dev1"

$ ./cloudfox aws principal-trusts --filter test_dev1 --profile prod -v2
[*] Caller Identity: arn:aws:iam::111111111111:user/readonly-user
[*] Mapping role trusts for account: 111111111111. Filtering by principal/service test_dev1.
[*] Principal trusts requiring external ID are not shown.
[*] Preparing output.

 Role Name                      Trusted Principal           
------------------------------ -----------------------------
 111111111111:role/test_prod1   222222222222:role/test_dev1 
 111111111111:role/test_prod2   222222222222:role/test_dev1 


Example 3: map all PROD (111111111111) account role trusts to root principals

$ ./cloudfox aws principal-trusts --filter root --profile prod -v2
[*] Caller Identity: arn:aws:iam::111111111111:user/readonly-user
[*] Mapping role trusts for account: 111111111111. Filtering by principal/service root.
[*] Principal trusts requiring external ID are not shown.
[*] Preparing output.

 Role Name                      Trusted Principal                
------------------------------ ----------------------------------
 111111111111:role/test_prod1   222222222222:federated-user/root 
 111111111111:role/test_prod2   222222222222:federated-user/root 
 111111111111:role/test_prod2   111111111111:federated-user/root 

Example 4: map all PROD (111111111111) account role trusts to the EC2 service

$ ./cloudfox aws principal-trusts --filter ec2 --profile prod -v2

Example 5: map all PROD (111111111111) account role trusts to the DEV (222222222222) account

$ ./cloudfox aws principal-trusts --filter 222222222222 --profile prod -v2
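The mapping shown in Examples 2 to 5 can be reproduced offline from the roles' trust policies, which is useful when reviewing cross-account trusts in a defensive audit. This is an added example, not CloudFox code: it applies the rules the output above describes (only Allow statements count, statements requiring an external ID are dropped) and assumes --filter behaves as a case-insensitive substring match on the principal; the trust statements and the 333333333333 account are constructed placeholders.

```python
# Constructed trust policy statements (not real AWS data). 111111111111 is PROD
# and 222222222222 is DEV as in the examples above; 333333333333 is a placeholder.
SAMPLE_TRUST_STATEMENTS = {
    "test_prod1": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:role/test_dev1",
                               "arn:aws:iam::222222222222:root"]}},
    ],
    "test_prod2": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/test_dev1"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root",
                               "arn:aws:iam::111111111111:root"]}},
        # Gated by an external ID: excluded, as the tool output above notes.
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
         "Condition": {"StringEquals": {"sts:ExternalId": "placeholder-id"}}},
    ],
    "lambda-role1": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "lambda.amazonaws.com"}},
    ],
}

def _as_list(value):
    # IAM accepts either a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]

def principal_trusts(role_statements, filter_term=None):
    """Return sorted (role_name, trusted_principal) pairs from trust policies.
    role_statements maps a role name to the Statement list of its trust policy.
    Allow statements only; statements that require sts:ExternalId are skipped
    (as in the output above); filter_term is a case-insensitive substring."""
    found = set()
    for role, statements in role_statements.items():
        for stmt in _as_list(statements):
            if stmt.get("Effect") != "Allow":  # trust policies only grant sts:AssumeRole*
                continue
            if any("sts:ExternalId" in keys
                   for keys in stmt.get("Condition", {}).values()):
                continue
            principal = stmt.get("Principal", {})
            if principal == "*":  # anonymous trust: any AWS principal can assume
                principal = {"AWS": "*"}
            for values in principal.values():
                for trusted in _as_list(values):
                    if filter_term is None or filter_term.lower() in trusted.lower():
                        found.add((role, trusted))
    return sorted(found)
```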

Route53

This command lists the DNS records for all public and private zones managed by Route53. Use this for application and service enumeration.

Example:

❯ cloudfox aws --profile default route53  -v2
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:iam::111111111111:user/seth
[route53] Enumerating Route53 for account 111111111111.

 Service   Name                    Type   Value                                                                             PrivateZone
--------- ----------------------- ------ --------------------------------------------------------------------------------- -------------
 Route53   test2.internal.         NS     ns-1536.awsdns-00.co.uk.                                                          True
 Route53   test2.internal.         NS     ns-0.awsdns-00.com.                                                               True
 Route53   test2.internal.         NS     ns-1024.awsdns-00.org.                                                            True
 Route53   test2.internal.         NS     ns-512.awsdns-00.net.                                                             True
 Route53   test2.internal.         SOA    ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400   True
 Route53   host1.test2.internal.   A      192.168.0.1                                                                       True
 Route53   host2.test2.internal.   A      8.8.8.8                                                                           True
 Route53   test1.internal.         NS     ns-1536.awsdns-00.co.uk.                                                          True
 Route53   test1.internal.         NS     ns-0.awsdns-00.com.                                                               True
 Route53   test1.internal.         NS     ns-1024.awsdns-00.org.                                                            True
 Route53   test1.internal.         NS     ns-512.awsdns-00.net.                                                             True
 Route53   test1.internal.         SOA    ns-1536.awsdns-00.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400   True
 Route53   host1.test1.internal.   A      10.0.0.1                                                                          True
 Route53   host2.test1.internal.   A      10.0.0.2                                                                          True

[route53] Output written to [cloudfox-output/aws/default/table/route53.txt]
[route53] Loot written to [cloudfox-output/aws/default/loot/route53-A-records-public-Zones.txt]
[route53] Loot written to [cloudfox-output/aws/default/loot/route53-A-records-private-Zones.txt]
[route53] 14 DNS records found.

Secrets

This command lists secrets from SecretsManager and SSM. Look for interesting secrets in the list and then see who has access to them.

Example:

❯ cloudfox aws --profile cf-exec secrets -v2
[🦊 cloudfox v1.6.0 🦊 ] AWS Caller Identity: arn:aws:sts::049881439828:assumed-role/CloudFox-exec-role/aws-go-sdk-1661128807463349000
[secrets] Enumerating secrets for account 049881439828.
[secrets] Supported Services: SecretsManager, SSM Parameters
[secrets] Status: 21/21 regions complete (8 errors -- For details check /Users/sethart/.cloudfox/cloudfox-error.log)

 Service          Region      Name                            Description
---------------- ----------- ------------------------------- ---------------------------------------------------------------
 SecretsManager   us-west-2   app-secret
 SecretsManager   us-west-2   database-secret
 SecretsManager   us-west-2   iam-vulnerable                  Super strong password that nobody would ever be able to guess
 SSM              us-west-2   /production/database/password
 SSM              us-west-2   /production/database/username
 SSM              us-west-2   /staging/database/password
 SSM              us-west-2   /staging/database/user

[secrets] Output written to [cloudfox-output/aws/cf-exec/table/secrets.txt]
[secrets] 7 secrets found.