BishopFox/dufflebag BishopFox/dufflebag

  • Stars
    star
    274
  • Rank 149,363 (Top 3 %)
  • Language
    Go
  • License
    GNU General Publi...
  • Created about 5 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
BishopFox/dufflebag
github

BishopFox

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Search exposed EBS volumes for secrets

Dufflebag

Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in. You may be surprised by all the passwords and secrets just laying around!

The tool is organized as an Elastic Beanstalk ("EB", not to be confused with EBS) application, and definitely won't work if you try to run it on your own machine.

Dufflebag has a lot of moving pieces because it's fairly nontrivial to actually read EBS volumes in practice. You have to be in an AWS environment, clone the snapshot, make a volume from the snapshot, attach the volume, mount the volume, etc... This is why it's made as an Elastic Beanstalk app, so it can automagically scale up or down however much you like, and so that the whole thing can be easily torn down when you're done with it.

Just keep an eye on your AWS console to make sure something it's going haywire and racking up bills. We've tried to think of every contingency and provide error handling... but you've been warned!

Getting Started

Permissions

You'll need to add some additional AWS IAM permissions to the role: aws-elasticbeanstalk-ec2-role. Alternatively, you can make a whole new role with these permissions and set EB to use that role, but it's a little more involved. In any case, you'll need to add:

  • AttachVolume (ec2)
  • CopySnapshot (ec2)
  • CreateVolume (ec2)
  • DeleteSnapshot (ec2)
  • DeleteVolume (ec2)
  • DescribeSnapshots (ec2)
  • DescribeVolumes (ec2)
  • DetachVolume (ec2)
  • PurgeQueue (sqs)
  • ListQueues (sqs)
  • ListAllMyBuckets (s3)
  • PutObject (s3)

Building

The core application is written in Go, so you'll need a Golang compiler. But the EB application is actually built into a .zip file (that's just how EB works) so the makefile will output a zip for you.

  1. Check your region. Dufflebag can only operate in one AWS region at a time. If you want to search every region, you'll have to deploy that many instances. To change the region, change the contents of the source code file region.go.

  2. Install dependencies: Ubuntu 18.04 x64:

sudo apt install make golang-go git
go get -u github.com/aws/aws-sdk-go
go get -u github.com/deckarep/golang-set
go get -u github.com/lib/pq
go get -u lukechampine.com/blake3
  1. Then build the EB app into a zip file with:
make

You should now see a dufflebag.zip file in the root project directory.

  1. Lastly, you'll need to make an S3 bucket. Setting this up automatically within Dufflebag might be possible, but it'd actually be pretty hard. So just do it yourself. You just need to make an S3 bucket with default permissions, and have the name start with dufflebag. S3 bucket names have to be globally unique, so you'll probably need to have some suffix that is a bunch of gibberish or something.

Deploying to Elastic Beanstalk

Go to your AWS console and find the Elastic Beanstalk menu option. This is probably doable via the CLI too, but this description will use the console. Select Actions -> Create Environment.

Create Environment

Then in the next window choose Worker environment and hit Select.

Worker Environment

In the next window, choose Preconfigured -> Go for the Platform.

Go Platform

Under Application Code, choose Upload your Code.

Upload You Code

Hit the Upload button and select the dufflebag.zip that you just built.

Code Origins

Finally, hit Create Environment to get starting.

It will take a few minutes for AWS to make all the things and get started. Once created, Dufflebag will get started right away. No need to do anything else.

Remove the Safety Valve

Once you have this up and running, you can try again with the safety valve removed. By default, Dufflebag only searches 20 EBS snapshots. (So that it doesn't go haywire on your very first try) In order to widen the search to the entire region, go into populate.go, remove the following line of code, and rebuild:

//#####################################################################
//####                    Safety Valve                             ####
//#### Remove this line of code below to search all of your region ####
//#####################################################################
snapshots = snapshots_result.Snapshots[0:20]

Scaling Up

One of the reasons Dufflebag is designed as an Elastic Beanstalk app is so that you can automatically scale the program up or down easily. By default, it'll just run on one instance and be pretty slow. But if you'd like to juice it up a little, adjust the autoscaling in Elastic Beanstalk. The full options of this are a little outside the scope of this document, so I'll let you play with them. But in practice, I've found that a simple CPU use trigger works pretty well.

When setting up the environment above, you'll find the options under the Configure more options button (instead of hitting Create environment) and then hit Scaling.

Scaling

Getting The Stolen Goods

Dufflebag will copy out any interesting files out to the S3 bucket that you made earlier. (Technically, Dufflebag will use the first S3 bucket it finds who's name starts with "dufflebag".)

You can just watch the files come in one-by-one in your S3 bucket. They will be named:

originalfilename_blake3sum_volumeid

Checking on Status

If everything is going well, you shouldn't need to read the logs. But just in case, Elastic Beanstalk lets apps write to log files as they run, and these are captured by navigating to the Logs tab. Then hit Request Logs and Last 100 Lines. This will get you the most recent batch of Dufflebag logs. Hit the Download button to read it. This file will contain a bunch of other system logs, but the Dufflebag part is under "/var/log/web-1.log" at the top.

In order to see the full log history, select Full Logs instead of Last 100 Lines. (Note that EB will rotate logs away pretty aggressively by default)

Additionally, you can get a sense of overall progress by looking at the SQS queue for the environment. Elastic Beanstalk worker environments use SQS to manage the workflow. Each message in the queue for Dufflebag represents an EBS volume to process:

Code Origins

The Messages Available column shows how many volumes have not yet been processed. The Messages in Flight column shows how many volumes are being processed right now.

Tweaking what to Search For

Dufflebag is programmed to search for stuff we thought would be likely to be "interesting". Private keys, passwords, AWS keys, etc... But what if you really want to search for something specific to YOU? Like, maybe you work for bank.com and would like to see what's out there that references bank.com.

Doing so will require a minor amount of modification to the Dufflebag code, but not very much. Don't worry! The logic for what to search for happens in inspector.go. The pilfer() function is a goroutine that handles inspecting a file. The code there may look a little intimidating at first, but here's what it's doing. (And how you can modify that without much difficulty)

File name blacklists:

  1. Check the file name against a blacklist. (blacklist_exact)
  2. Check the file name against a "contains" blacklist. (Reject the file if it contains a given string) (blacklist_contains)
  3. Check the file name against a prefix blacklist. (Reject the file if it starts with a given string) (blacklist_prefix)

You can modify the searching logic here pretty easily by just changing what's in those three lists. Though I'd in general recommend leaving these in tact. These blacklists are designed to cover boring files that are present in a lot of filesystems and prevents Dufflebag from needing to inspect in-depth every single file on all of AWS. Sensitive data you're looking for MIGHT be in those files... but probably not.

File name whitelist:

  1. The IsSensitiveFileName() function checks the file name against a regular expression that finds sensitive file names. (Such as /etc/shadow, bash_history, etc...)

File contents:

  1. The function checkContentsRegex() checks the file contents against a set of regular expressions. (The file input argument is line-by-line, so the input to this function is one line of a file, not the whole file.) So to look for keywords related to your organization, just change up the regular expressions inside checkContentsRegex().

More Repositories

1

sliver

Adversary Emulation Framework
Go
8,155
star
2

unredacter

Never ever ever use pixelation as a redaction technique
TypeScript
7,687
star
3

cloudfox

Automating situational awareness for cloud penetration tests.
Go
1,867
star
4

GitGot

Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
Python
1,412
star
5

jsluice

Extract URLs, paths, secrets, and other interesting bits from JavaScript
Go
1,311
star
6

eyeballer

Convolutional neural network for analyzing pentest screenshots
Python
1,017
star
7

spoofcheck

Simple script that checks a domain for email protections
Python
776
star
8

h2csmuggler

HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
Python
632
star
9

bfinject

Dylib injection for iOS 11.0 - 11.1.2 with LiberiOS and Electra jailbreaks
Objective-C++
619
star
10

GadgetProbe

Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
Java
578
star
11

badPods

A collection of manifests that will create pods with elevated privileges.
Shell
574
star
12

iam-vulnerable

Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
HCL
457
star
13

bfdecrypt

Utility to decrypt App Store apps on jailbroken iOS 11.x
C
439
star
14

iSpy

A reverse engineering framework for iOS
Logos
438
star
15

rmiscout

RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities
Java
422
star
16

sj

A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.
Go
354
star
17

smogcloud

Find cloud assets that no one wants exposed 🔎 ☁️
Go
329
star
18

cloudfoxable

Create your own vulnerable by design AWS penetration testing playground
Python
311
star
19

sliver-gui

A Sliver GUI Client
TypeScript
288
star
20

zigdiggity

A ZigBee hacking toolkit by Bishop Fox
Python
258
star
21

deephack

PoC code from DEF CON 25 presentation
Python
240
star
22

rickmote

The Rickmote Controller: Hijack TVs using Google Chromecast
Python
220
star
23

CVE-2023-3519

RCE exploit for CVE-2023-3519
Python
216
star
24

json-interop-vuln-labs

Companion labs to "An Exploration of JSON Interoperability Vulnerabilities"
Python
193
star
25

Imperva_gzip_WAF_Bypass

Python
154
star
26

pwn-pulse

Exploit for Pulse Connect Secure SSL VPN arbitrary file read vulnerability (CVE-2019-11510)
Shell
136
star
27

firecat

Firecat is a penetration testing tool that allows you to punch reverse TCP tunnels out of a compromised network.
C
126
star
28

CVE-2023-27997-check

Safely detect whether a FortiGate SSL VPN instance is vulnerable to CVE-2023-27997 based on response timing
Python
124
star
29

asminject

Heavily-modified fork of David Buchanan's dlinject project. Injects arbitrary assembly (or precompiled binary) payloads directly into x86-64, x86, and ARM32 Linux processes without the use of ptrace by accessing /proc/<pid>/mem. Useful for certain post-exploitation scenarios, recovering content from process memory, etc..
Python
112
star
30

cve-2024-21762-check

Safely detect whether a FortiGate SSL VPN is vulnerable to CVE-2024-21762
Python
93
star
31

anti-anti-automation

Anti-Anti-Automation Framework
Python
92
star
32

mellon

OSDP attack tool (and the Elvish word for friend)
HTML
87
star
33

forticrack

Decrypt encrypted Fortienet FortiOS firmware images
Python
83
star
34

cyberdic

An auxiliary spellcheck dictionary that corresponds with the Bishop Fox Cybersecurity Style Guide
83
star
35

llm-testing-findings

LLM Testing Findings Templates
HTML
65
star
36

bigip-scanner

Determine the running software version of a remote F5 BIG-IP management interface.
Python
61
star
37

IDontSpeakSSL-deprecated

Simple tool based on sslyze to scan large scope and provide SSL/TLS vulnerabilities
Python
51
star
38

spfmap

A program to map out SPF and DKIM records for a large number of domains
Go
37
star
39

CVE-2021-35211

Python
36
star
40

SpoofcheckSelfTest

Web application that lets you test if your domain is vulnerable to email spoofing
Python
33
star
41

ca-clone

Scripts to clone CA certificates for use in HTTPS client attacks.
Shell
33
star
42

ProxyListReliabilityCheck

Perl script to test the reliability of a list of open web proxies.
Perl
27
star
43

ispy-shell

C
24
star
44

coldfusion-10-11-xss

Proof of Concept code for CVE-2015-0345 (APSB15-07)
22
star
45

CVE-2022-22274_CVE-2023-0656

Python
18
star
46

awsservicemap

Go module that returns supported regions for a service or supported services for a region
Go
14
star
47

wordlist-sanitizer

Remove Offensive and Profane Words from Wordlists
Go
12
star
48

sliver-overlord

Go
9
star
49

burpcage

Kotlin
7
star
50

guardian-ci

Shell
4
star
51

You-re-Doing-IoT-RNG

Results and device code from the DEF CON 29 presentation "You're Doing IoT RNG"
C
4
star
52

VulnerableGWTApp

An intentionally-vulnerable GWT-based web application to test tooling and techniques
Java
3
star
53

.github

Bishop Fox Engineering
2
star
54

knownawsaccountslookup

Go module that provides two lookup functions for the data in https://github.com/fwdcloudsec/known_aws_accounts
Go
1
star