Scour: An AWS Exploitation Framework

admin, 2021-12-24 06:34:56


About Scour

Scour is an AWS exploitation framework written in Go, built for red team engagements and blue team analysis. It implements a range of current attack techniques that can be used either to compromise an AWS environment or to build and test detections against those same techniques.

Features

Command completion

Dynamic resource lists

Command history

Blue team mode (tags every attack with a unique User-Agent)
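Blue team mode is what makes the tool's own noise findable: the tag travels in the User-Agent of every API call a module makes, so it ends up in the userAgent field of the CloudTrail record for that call (Scour prints it as the UA Tracking line of each module further down this page, in the form exec-env/<id>/<id>/<module>). The Go program below is an added example, not Scour's code, of a detection that pulls those calls out of a CloudTrail export. The three records are constructed, the aws-sdk-go prefix in front of the tag and the requirement that AWS's own exec-env values (such as AWS_Lambda_go1.x) must not match are this example's assumptions, and the character classes for the ids and module name are inferred from the tags shown on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// The CloudTrail fields this check needs (real CloudTrail field names).
type cloudTrailEvent struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	UserAgent    string `json:"userAgent"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
}

// Hit is one API call that carried the Scour blue-team tag.
type Hit struct {
	EventName string
	Principal string
	Session   string // first id in exec-env/<session>/<run>/<module>
	Run       string // second id
	Module    string // e.g. "role-enum"
}

// The tag as printed by Scour's UA Tracking line: exec-env/<id>/<id>/<module>.
// Assumption: ids are alphanumeric and module names are lower-case with dashes.
// Requiring all three segments keeps AWS's own exec-env values (for example
// "exec-env/AWS_Lambda_go1.x") from matching.
var scourTag = regexp.MustCompile(`exec-env/([A-Za-z0-9]+)/([A-Za-z0-9]+)/([a-z0-9-]+)`)

// ParseScourTag extracts the session, run and module ids from a userAgent string.
func ParseScourTag(userAgent string) (session, run, module string, ok bool) {
	m := scourTag.FindStringSubmatch(userAgent)
	if m == nil {
		return "", "", "", false
	}
	return m[1], m[2], m[3], true
}

// FindScourActivity scans newline-delimited CloudTrail records and returns
// every call whose userAgent carries the tag. A malformed record is an error
// rather than a silent skip, so a broken export cannot hide activity.
func FindScourActivity(ndjson string) ([]Hit, error) {
	var hits []Hit
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev cloudTrailEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		s, r, mod, ok := ParseScourTag(ev.UserAgent)
		if !ok {
			continue
		}
		hits = append(hits, Hit{ev.EventName, ev.UserIdentity.ARN, s, r, mod})
	}
	return hits, nil
}

// Constructed records (not real CloudTrail output). The SDK prefix in front of
// the tag is what aws-sdk-go sends when AWS_EXECUTION_ENV is set (assumption);
// the third record is a Lambda call that must not be flagged.
const sampleTrail = `
{"eventTime":"2021-05-09T06:05:01Z","eventSource":"iam.amazonaws.com","eventName":"ListRoles","userAgent":"aws-sdk-go/1.38.21 (go1.16.3; linux; amd64) exec-env/EVSWAyidC4/o18HtFPe1P/role-enum","userIdentity":{"arn":"arn:aws:iam::123456789012:user/apiuser"}}
{"eventTime":"2021-05-09T06:05:07Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userAgent":"aws-sdk-go/1.38.21 (go1.16.3; linux; amd64) exec-env/EVSWAyidC4/dudqW7y1xb/ec2-enum","userIdentity":{"arn":"arn:aws:iam::123456789012:user/apiuser"}}
{"eventTime":"2021-05-09T06:05:09Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userAgent":"aws-sdk-go/1.38.21 (go1.16.3; linux; amd64) exec-env/AWS_Lambda_go1.x","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/lambda-role/fn"}}
`

func main() {
	hits, err := FindScourActivity(sampleTrail)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%-18s %-45s session=%s run=%s module=%s\n",
			h.EventName, h.Principal, h.Session, h.Run, h.Module)
	}
}
```

To run this over a real trail, concatenate the Records array of the gzipped CloudTrail files from the trail bucket into one record per line. Grouping hits by the first id gives you one Scour session per attacker run, which is a more useful pivot than the individual API calls.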

Installation

Scour is written in Go, so installing and using it is simple.

Fetch the source:

go get github.com/grines/scour

Build:

go build main.go

Note that from Go 1.17 onwards go get no longer builds and installs binaries; clone the repository and run go build inside it instead.

Basic commands

Use one of the profiles stored in ~/.aws/credentials as the active session:

token profile <profile_name> <region>

Assume a role in the same account or in another account (requires an active session):

token AssumeRole <role_name> <region>

Show the help for a module:

help module

Run a module with its default arguments, for example the evasion module with a chosen tactic:

attack evasion <tactic>

Running Scour from the command line

Start Scour's interactive shell:

scour

Set the session that subsequent commands will run under:

Not Connected <> token profile apiuser us-east-1

Once connected, the prompt shows the profile and region in use:

Connected <apiuser/us-east-1>

Enumeration


IAM discovery

Connected <apiuser/us-east-1> attack enum IAM
+-------------+---------------------+------------------+---------------+--------------+
|    USER     |  MANAGED POLICIES   | INLINE POLICIES  |    GROUPS     | ISPRIVILEGED |
+-------------+---------------------+------------------+---------------+--------------+
| admin       | AdministratorAccess | AllEKSInlineuser | SecurityAudit | true         |
| EC2         | AmazonEC2FullAccess |                  |               | true         |
+-------------+---------------------+------------------+---------------+--------------+

Role discovery

Connected <apiuser/us-east-1> attack enum Roles
UA Tracking: exec-env/EVSWAyidC4/o18HtFPe1P/role-enum
+-----------------------------+----------------+---------------------------------+--------------+
| ROLE                        | PRINCIPAL TYPE | IDENTITY/SERVICE                | ISPRIVILEGED |
+-----------------------------+----------------+---------------------------------+--------------+
| Amazon_CodeBuild_dW6zqYHT3m | AWS            | [arn:aws:iam::861293084598:root | true         |
|                             |                | codebuild.amazonaws.com]        |              |
| Amazon_CodeBuild_f2DOFPjMHK | Service        | [codebuild.amazonaws.com]       | true         |
| Amazon_CodeBuild_HS59ko7lxn | Service        | [codebuild.amazonaws.com]       | true         |
+-----------------------------+----------------+---------------------------------+--------------+

The UA Tracking line is the blue team mode tag: every API call the module makes carries it in its User-Agent, so the calls can be searched for in CloudTrail. The first segment stays the same for the whole Scour session, the second changes with every module run, and the last names the module.

EC2 discovery

Connected <apiuser/us-east-1> attack enum EC2
UA Tracking: exec-env/EVSWAyidC4/dudqW7y1xb/ec2-enum
+---------------------+-----------------------------------------------------+--------------+----------+---------------+----------------------+--------+---------+--------------+----------+
| INSTANCEID          | INSTANCE PROFILE                                    | VPC          | PUBLICIP | PRIVATEIP     | SECURITY GROUPS      | PORTS  | STATE   | ISPRIVILEGED | ISPUBLIC |
+---------------------+-----------------------------------------------------+--------------+----------+---------------+----------------------+--------+---------+--------------+----------+
| i-0f5604708c0b51429 | None                                                | vpc-7e830c1a | None     | 172.31.53.199 | sg-09fcd28717cf4f512 | 80*    | stopped | false        | true     |
|                     |                                                     |              |          |               |                      | 22*    |         |              |          |
|                     |                                                     |              |          |               |                      | 5000*  |         |              |          |
| i-03657fe3b9decdf51 | arn:aws:iam::861293084598:instance-profile/OrgAdmin | vpc-7e830c1a | None     | 172.31.45.96  | sg-61b1fd07          | All*   | stopped | true         | true     |
|                     |                                                     |              |          |               |                      | 8888*  |         |              |          |
| i-01b265a5fdc45df57 | None                                                | vpc-7e830c1a | None     | 172.31.38.118 | sg-0392f752f9b849d3f | 3389*  | stopped | false        | true     |
| i-0867709d6c0be74d9 | arn:aws:iam::861293084598:instance-profile/OrgAdmin | vpc-7e830c1a | None     | 172.31.39.199 | sg-006543a34d2f70028 | 22*    | stopped | true         | true     |
| i-0d95790b5e7ddff23 | None                                                | vpc-7e830c1a | None     | 172.31.12.57  | sg-e1a50dac          | 33391* | stopped | false        | true     |
+---------------------+-----------------------------------------------------+--------------+----------+---------------+----------------------+--------+---------+--------------+----------+

S3 discovery

Connected <apiuser/us-east-1> attack enum S3
UA Tracking: exec-env/EVSWAyidC4/GDGZaYQOuo/s3-enum
+-------------------------------------------+-----------+-----------+--------------+-------------+---------------------+-------------+-------------+-----------+
| BUCKET                                    | HASPOLICY | ISWEBSITE | ALLOW PUBLIC | PERMISSIONS | ALLOW AUTHENTICATED | PERMISSIONS | REPLICATION | REGION    |
+-------------------------------------------+-----------+-----------+--------------+-------------+---------------------+-------------+-------------+-----------+
| amazon-conn********3d79b01a               | false     | false     | false        |             | false               |             | false       | us-west-2 |
| aws-cloudtrail-logs-**********98-cb39df0d | true      | false     | false        |             | false               |             | false       |           |
| bullsecu*********                         | true      | true      | false        |             | false               |             | false       |           |
| connect-6ec*****ad67                      | false     | false     | false        |             | false               |             | false       |           |
| connect-******5337c3                      | false     | false     | false        |             | false               |             | false       |           |
| ransom********                            | true      | false     | false        |             | false               |             | false       |           |
| red********                               | false     | false     | false        |             | false               |             | false       |           |
| rep-*****                                 | false     | false     | false        |             | false               |             | false       | us-west-2 |
| terraform*******                          | false     | false     | false        |             | false               |             | false       |           |
+-------------------------------------------+-----------+-----------+--------------+-------------+---------------------+-------------+-------------+-----------+

Group discovery

Connected <apiuser/us-east-1> attack enum Groups
UA Tracking: exec-env/EVSWAyidC4/jAIKVdESpU/groups-enum
+-----------------------------------------------+---------------------+--------------+-----------------+--------------+
| GROUP                                         | POLICIES            | ISPRIVILEGED | INLINE POLICIES | ISPRIVILEGED |
+-----------------------------------------------+---------------------+--------------+-----------------+--------------+
| EC2                                           | SecurityAudit       | false        |                 | false        |
| OpsWorks-dac9e9ba-8b3d-4e04-9ad9-d988ca4c0731 |                     | false        |                 | false        |
| TestGroup                                     | AmazonEC2FullAccess | true         |                 | false        |
|                                               | SecurityAudit       |              |                 |              |
+-----------------------------------------------+---------------------+--------------+-----------------+--------------+

Network discovery

Connected <apiuser/us-east-1> attack enum Network
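The ISPRIVILEGED column in the user, role and group tables is derived from the policies attached to each principal. What follows is an added example, not Scour's code, of one way to compute such a flag from a policy document. Scour's own rule is not published on this page, so the list of escalation actions is this example's assumption, chosen so that the page's verdicts come out the same (AdministratorAccess and AmazonEC2FullAccess privileged, SecurityAudit not). The three policy documents are constructed simplifications, and Deny statements, Conditions and Resource scoping are deliberately not evaluated, so the answer over-approximates.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// stringOrList accepts either a JSON string or an array of strings, the two
// forms IAM allows for Action and Resource.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = stringOrList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = stringOrList(many)
	return nil
}

type statement struct {
	Effect   string       `json:"Effect"`
	Action   stringOrList `json:"Action"`
	Resource stringOrList `json:"Resource"`
}

// policyDocument tolerates Statement written as one object or as an array.
type policyDocument struct {
	Statement []statement
}

func (p *policyDocument) UnmarshalJSON(b []byte) error {
	var raw struct {
		Statement json.RawMessage `json:"Statement"`
	}
	if err := json.Unmarshal(b, &raw); err != nil {
		return err
	}
	if len(raw.Statement) == 0 {
		return nil
	}
	var one statement
	if err := json.Unmarshal(raw.Statement, &one); err == nil {
		p.Statement = []statement{one}
		return nil
	}
	return json.Unmarshal(raw.Statement, &p.Statement)
}

// escalationActions is this example's own list (assumption, see lead-in) of
// actions that hand out code execution, fresh credentials or policy control.
var escalationActions = []string{
	"iam:PassRole", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
	"iam:PutUserPolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
	"iam:CreateLoginProfile", "iam:UpdateAssumeRolePolicy",
	"sts:AssumeRole", "ec2:RunInstances", "lambda:UpdateFunctionCode",
}

// ActionMatches reports whether an IAM action pattern (with the * and ?
// wildcards IAM allows, matched case-insensitively as IAM does) covers a
// concrete action.
func ActionMatches(pattern, action string) bool {
	expr := regexp.QuoteMeta(pattern)
	expr = strings.NewReplacer(`\*`, `.*`, `\?`, `.`).Replace(expr)
	return regexp.MustCompile(`(?i)^` + expr + `$`).MatchString(action)
}

// IsPrivileged returns whether any Allow statement grants an escalation
// action, plus the matches behind the verdict. Deny, Condition and Resource
// are ignored: good for hunting, not for proving least privilege.
func IsPrivileged(doc string) (bool, []string, error) {
	var p policyDocument
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return false, nil, err
	}
	var reasons []string
	for _, st := range p.Statement {
		if !strings.EqualFold(st.Effect, "Allow") {
			continue
		}
		for _, pattern := range st.Action {
			for _, dangerous := range escalationActions {
				if ActionMatches(pattern, dangerous) {
					reasons = append(reasons, pattern+" covers "+dangerous)
					break
				}
			}
		}
	}
	return len(reasons) > 0, reasons, nil
}

// Constructed documents modelled on the managed policies named in the IAM
// output above (simplified, not the real policy text).
const (
	adminAccess   = `{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"*","Resource":"*"}}`
	ec2FullAccess = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ec2:*","elasticloadbalancing:*"],"Resource":"*"}]}`
	auditReadOnly = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iam:Get*","iam:List*","ec2:Describe*","s3:GetBucketPolicy"],"Resource":"*"}]}`
)

func main() {
	for name, doc := range map[string]string{
		"AdministratorAccess": adminAccess,
		"AmazonEC2FullAccess": ec2FullAccess,
		"SecurityAudit-like":  auditReadOnly,
	} {
		priv, why, err := IsPrivileged(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s privileged=%-5v %v\n", name, priv, why)
	}
}
```

The wildcard expansion is the part that matters in practice: a policy that grants iam:Put* or ec2:* never names PassRole or RunInstances, and a check that compares action strings literally would call it harmless.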

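The PORTS and ISPUBLIC columns of the EC2 table summarise the ingress rules of the security groups attached to each instance. As an added example that is not Scour's code, the program below evaluates a DescribeSecurityGroups response in the EC2 API's own field layout and produces the same kind of summary. The response is constructed (the two group ids mirror the EC2 table above, the rules are invented), and the reading of the trailing "*" as "reachable from any source" is this example's assumption about what Scour's output marks.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Minimal view of a DescribeSecurityGroups response; field names follow the
// EC2 API so a real response can be fed in unchanged.
type ipRange struct {
	CidrIp string `json:"CidrIp"`
}

type ipv6Range struct {
	CidrIpv6 string `json:"CidrIpv6"`
}

type permission struct {
	IpProtocol string      `json:"IpProtocol"` // "tcp", "udp", "icmp", or "-1" for all traffic
	FromPort   *int        `json:"FromPort"`   // absent when IpProtocol is "-1"
	ToPort     *int        `json:"ToPort"`
	IpRanges   []ipRange   `json:"IpRanges"`
	Ipv6Ranges []ipv6Range `json:"Ipv6Ranges"`
}

type securityGroup struct {
	GroupId       string       `json:"GroupId"`
	IpPermissions []permission `json:"IpPermissions"`
}

// worldOpen is true when the rule admits any IPv4 or IPv6 source.
func worldOpen(p permission) bool {
	for _, r := range p.IpRanges {
		if r.CidrIp == "0.0.0.0/0" {
			return true
		}
	}
	for _, r := range p.Ipv6Ranges {
		if r.CidrIpv6 == "::/0" {
			return true
		}
	}
	return false
}

// portLabel renders one ingress rule: "All" for protocol -1, a single port
// or a from-to range otherwise, with a trailing "*" when the rule is open to
// the world (assumption: that is what "*" marks in the table above).
func portLabel(p permission) string {
	var label string
	switch {
	case p.IpProtocol == "-1":
		label = "All"
	case p.FromPort != nil && p.ToPort != nil && *p.FromPort != *p.ToPort:
		label = fmt.Sprintf("%d-%d", *p.FromPort, *p.ToPort)
	case p.FromPort != nil:
		label = fmt.Sprintf("%d", *p.FromPort)
	default:
		label = p.IpProtocol
	}
	if worldOpen(p) {
		label += "*"
	}
	return label
}

// Exposure is what the PORTS and ISPUBLIC columns summarise for one instance.
type Exposure struct {
	Ports    []string
	IsPublic bool
}

// EvaluateIngress merges the ingress rules of every group attached to an
// instance. IsPublic is set as soon as one rule admits 0.0.0.0/0 or ::/0,
// regardless of whether the instance currently has a public IP.
func EvaluateIngress(describeJSON string) (Exposure, error) {
	var resp struct {
		SecurityGroups []securityGroup `json:"SecurityGroups"`
	}
	if err := json.Unmarshal([]byte(describeJSON), &resp); err != nil {
		return Exposure{}, err
	}
	seen := map[string]bool{}
	var ex Exposure
	for _, g := range resp.SecurityGroups {
		for _, p := range g.IpPermissions {
			l := portLabel(p)
			if !seen[l] {
				seen[l] = true
				ex.Ports = append(ex.Ports, l)
			}
			if worldOpen(p) {
				ex.IsPublic = true
			}
		}
	}
	sort.Strings(ex.Ports)
	return ex, nil
}

// Constructed sample; group ids mirror the EC2 table, rules are invented.
const sampleGroups = `{"SecurityGroups":[
 {"GroupId":"sg-09fcd28717cf4f512","IpPermissions":[
   {"IpProtocol":"tcp","FromPort":80,"ToPort":80,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]},
   {"IpProtocol":"tcp","FromPort":22,"ToPort":22,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]},
   {"IpProtocol":"tcp","FromPort":5000,"ToPort":5000,"IpRanges":[],"Ipv6Ranges":[{"CidrIpv6":"::/0"}]},
   {"IpProtocol":"tcp","FromPort":8000,"ToPort":8100,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]},
   {"IpProtocol":"tcp","FromPort":5432,"ToPort":5432,"IpRanges":[{"CidrIp":"10.0.0.0/8"}]}]},
 {"GroupId":"sg-61b1fd07","IpPermissions":[
   {"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]}]}`

func main() {
	ex, err := EvaluateIngress(sampleGroups)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ports=%v isPublic=%v\n", ex.Ports, ex.IsPublic)
}
```

The IPv6 check is easy to forget: a group with no 0.0.0.0/0 entry but a ::/0 entry is just as exposed on a dual-stack subnet, and a tool that only inspects IpRanges reports it as internal.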
Credential discovery

Extract credentials from EC2 user data:

Connected <apiuser/us-east-1> attack creds UserData
UA Tracking: exec-env/yzaqX9HFvP/oL1oho99ZP/userdata-creds
+---------------------+------------------+-------------------------------------------------------------------------------+
| INSTANCEID          | RULE             | FINDING                                                                       |
+---------------------+------------------+-------------------------------------------------------------------------------+
| i-0f5604708c0b51429 | Slack Webhook    | https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX |
| i-0f5604708c0b51429 | Generic Password | password=thisisapassword                                                      |
+---------------------+------------------+-------------------------------------------------------------------------------+

Extract credentials from Systems Manager parameters:

Connected <apiuser/us-east-1> attack creds SSM
UA Tracking: exec-env/yzaqX9HFvP/FASongUCcG/ssm-params-creds
+------------+----------+----------------------+
| PARAM NAME | DATATYPE | VALUE                |
+------------+----------+----------------------+
| Test       | text     | thismightbeapassword |
+------------+----------+----------------------+

Extract credentials from ECS:

Connected <apiuser/us-east-1> attack creds ECS

A run that rewrites an instance's user data is logged as a stop, an attribute change and a start. EC2 only allows the UserData attribute to be changed while the instance is stopped, so the instance is unavailable for the duration and the StopInstances, ModifyInstanceAttribute and StartInstances calls all appear in CloudTrail:

[Sun May  9 06:10:16 2021]  INF  Stopping Instance i-0f5604708c0b51429 - State: stopped
[Sun May  9 06:10:46 2021]  INF  Modifying Instance Attribute UserData on i-0f5604708c0b51429
[Sun May  9 06:10:47 2021]  INF  Starting Instance i-0f5604708c0b51429 - State: pending
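The user-data findings above come from pattern rules applied to the decoded script of each instance. The program below is an added example, not Scour's code, of that scan. The rule labels follow the table above, but the patterns are this example's own, the sample script is constructed with placeholder secrets, and the gzip handling is included because DescribeInstanceAttribute returns user data as base64 that may wrap a gzip stream (cloud-init accepts both), so a scanner that only base64-decodes misses compressed scripts.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"fmt"
	"io"
	"regexp"
)

// Rule pairs a finding label with the pattern that produces it. The labels
// follow the table above; the patterns are this example's own.
type Rule struct {
	Name string
	Re   *regexp.Regexp
}

var rules = []Rule{
	{"Slack Webhook", regexp.MustCompile(`https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+`)},
	{"AWS Access Key", regexp.MustCompile(`\b(?:AKIA|ASIA)[0-9A-Z]{16}\b`)},
	{"Generic Password", regexp.MustCompile(`(?i)\b(?:password|passwd|pwd)\s*[=:]\s*[^\s"']+`)},
}

type Finding struct {
	InstanceID, Rule, Match string
}

// DecodeUserData undoes the wire form returned by DescribeInstanceAttribute:
// base64 text, which may wrap a gzip stream (detected by the 1f 8b magic).
func DecodeUserData(b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("user data is not base64: %w", err)
	}
	if len(raw) >= 2 && raw[0] == 0x1f && raw[1] == 0x8b {
		zr, err := gzip.NewReader(bytes.NewReader(raw))
		if err != nil {
			return nil, err
		}
		defer zr.Close()
		return io.ReadAll(zr)
	}
	return raw, nil
}

// ScanUserData decodes one instance's user data and applies every rule,
// returning findings in rule order.
func ScanUserData(instanceID, b64 string) ([]Finding, error) {
	data, err := DecodeUserData(b64)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, r := range rules {
		for _, m := range r.Re.FindAllString(string(data), -1) {
			findings = append(findings, Finding{instanceID, r.Name, m})
		}
	}
	return findings, nil
}

// EncodeUserData produces the wire form (optionally gzipped, then base64) so
// the constructed sample below can be built in-process.
func EncodeUserData(script string, compress bool) string {
	body := []byte(script)
	if compress {
		var buf bytes.Buffer
		zw := gzip.NewWriter(&buf)
		zw.Write(body)
		zw.Close()
		body = buf.Bytes()
	}
	return base64.StdEncoding.EncodeToString(body)
}

// Constructed user-data script; the webhook and password are placeholders.
const sampleScript = `#!/bin/bash
export SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
echo "password=thisisapassword" > /etc/app/db.conf
`

func main() {
	for _, compress := range []bool{false, true} {
		findings, err := ScanUserData("i-0f5604708c0b51429", EncodeUserData(sampleScript, compress))
		if err != nil {
			panic(err)
		}
		for _, f := range findings {
			fmt.Printf("%s  %-16s  %s  (gzip=%v)\n", f.InstanceID, f.Rule, f.Match, compress)
		}
	}
}
```

Reading user data needs only ec2:DescribeInstanceAttribute, which many read-only policies include, which is why secrets baked into launch scripts are such a reliable find; the defensive fix is to fetch them at boot from Secrets Manager or SSM SecureString instead.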

Demo

[demo recording from the original post; not reproduced here]

Project address

https://github.com/grines/scour


This article first appeared on the WeChat public account FreeBuf: Scour: An AWS Exploitation Framework

Published by admin on 2021-12-24 06:34:56. Reprints must keep the original link (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/473679.html
