Ghostbuster - Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts

Overview

Table of Contents

Ghostbuster

Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts.

Ghostbuster obtains all the DNS records present in all of your AWS accounts (Route53), and can optionally take in records via CSV input, or via Cloudflare.

After these records are collected, Ghostbuster iterates through all of your AWS Elastic IPs and Network Interface Public IPs and collects this data.

By having a complete picture of the DNS records (from route53, file input or cloudflare) and having a complete picture of the AWS IPs owned by your organization, this tool can detect subdomains that are pointing to dangling elastic IPs (IPs you no longer own).

The problem

When you are deploying infrastructure to AWS, you may spin up EC2 instances which have an IP associated with them. When you create DNS records pointing to these IPs, but forget to remove the DNS records after the EC2 instance has been given a new IP or destroyed, you are susceptible to subdomain takeover attacks.

There has been a great amount of research done on elastic IP takeovers, where it is possible for attackers to continually claim elastic IPs until they obtain an IP associated with a subdomain of the company they are targeting.

While AWS frequently bans accounts that are attempting to perform this attack pattern, no long term fix has been released by AWS.

The impact of dangling elastic IP subdomain takeover attacks are more serious than a typical subdomain takeover where you can only control the content being served. With dangling elastic IP takeovers, it is possible for an attacker to do the following:

  • Claim SSL certificates for the subdomain
  • Listen for traffic on all ports (potentially discovering sensitive information still being sent to the subdomain)
  • Run server-side scripts with the ability to steal HTTPOnly cookies, typically leading to a one-click account takeover attack when cookies are scoped to *.domain.com

Project Features

  • Dynamically iterates through each AWS profile configured in .aws/config
  • Pulls A records from AWS Route53
  • Pulls A records from Cloudflare (optional)
  • Pulls A records from CSV input (optional)
  • Iterate through all regions, a single region, or a comma delimitted list of regions
  • Obtains all Elastic IPs associated with all of your AWS accounts
  • Obtains all Public IPs associated with all of your AWS accounts
  • Cross checks the DNS records, with IPs owned by your organization to detect potential takeovers
  • Slack Webhook support to send notifications of takeovers

Important:

In order for this tool to be effective, it must have a complete picture of your AWS environment. If it does not have a complete picture, it will lead to false positive findings.

Installing Ghostbuster

Installing Ghostbuster is as simple as running: pip install ghostbuster. The CLI tool will then be accessible via the ghostbuster command.

This requires a Python 3.x environment.

Using Ghostbuster

❯ ghostbuster scan aws --help     
Usage: ghostbuster scan aws [OPTIONS]

  Scan for dangling elastic IPs inside your AWS accounts.

Options:
  --skipascii             Skip printing the ASCII art when starting up
                          Ghostbuster.

  --slackwebhook TEXT     Specify a Slack webhook URL to send notifications
                          about potential takeovers.

  --records PATH          Manually specify DNS records to check against.
                          Ghostbuster will check these IPs after checking
                          retrieved DNS records. See records.csv for an
                          example.

  --cloudflaretoken TEXT  Pull DNS records from Cloudflare, provide a CF API
                          token.

  --allregions            Run on all regions.
  --exclude TEXT          Comma delimited list of profile names to exclude.
  --regions TEXT          Comma delimited list of regions to run on.
  --help                  Show this message and exit.

Example Commands

Run Ghostbuster with access to Cloudflare DNS records, send notifications to a Slack webhook, iterate through every AWS profile configured in .aws/config or .aws/credentials for all AWS regions

❯ ghostbuster scan aws --cloudflaretoken APIKEY --slackwebhook https://hooks.slack.com/services/KEY --allregions

Run Ghostbuster with a manually input list of subdomain A records (see records.csv in this repo for example file):

❯ ghostbuster scan aws --records records.csv

You can specify specific regions using --regions set to a comma delimited list of regions i.e. us-east-1,us-west-1.

Example Output

❯ ghostbuster scan aws --cloudflaretoken whougonnacall
Obtaining all zone names from Cloudflare.
Obtaining DNS A records for all zones from Cloudflare.
Obtained 33 DNS A records so far.
Obtaining Route53 hosted zones for AWS profile: default.
Obtaining Route53 hosted zones for AWS profile: account-five.
Obtaining Route53 hosted zones for AWS profile: account-four.
Obtaining Route53 hosted zones for AWS profile: account-four-deploy.
Obtaining Route53 hosted zones for AWS profile: account-two-deploy.
Obtaining Route53 hosted zones for AWS profile: account-one-deploy.
Obtaining Route53 hosted zones for AWS profile: account-three-deploy.
Obtaining Route53 hosted zones for AWS profile: account-six.
Obtaining Route53 hosted zones for AWS profile: account-seven.
Obtaining Route53 hosted zones for AWS profile: account-one.
Obtained 124 DNS A records so far.
Obtaining EIPs for region: us-east-1, profile: default
Obtaining IPs for network interfaces for region: us-east-1, profile: default
Obtaining EIPs for region: us-east-1, profile: account-five
Obtaining IPs for network interfaces for region: us-east-1, profile: account-five
Obtaining EIPs for region: us-east-1, profile: account-four
Obtaining IPs for network interfaces for region: us-east-1, profile: account-four
Obtaining EIPs for region: us-east-1, profile: account-four-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-four-deploy
Obtaining EIPs for region: us-east-1, profile: account-two-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-two-deploy
Obtaining EIPs for region: us-east-1, profile: account-one-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-one-deploy
Obtaining EIPs for region: us-east-1, profile: account-three-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-three-deploy
Obtaining EIPs for region: us-east-1, profile: account-six
Obtaining IPs for network interfaces for region: us-east-1, profile: account-six
Obtaining EIPs for region: us-east-1, profile: account-seven
Obtaining IPs for network interfaces for region: us-east-1, profile: account-seven
Obtaining EIPs for region: us-east-1, profile: account-one
Obtaining IPs for network interfaces for region: us-east-1, profile: account-one
Obtained 415 unique elastic IPs from AWS.


Takeover possible: {'name': 'takeover.assetnotecloud.com', 'records': ['52.54.24.193']}

Setting up your AWS accounts

The first step is creating keys or roles in your AWS accounts that grant the privileges necessary to read Route53 records and describe elastic addresses and EC2 network interfaces.

  1. To create a new IAM user in AWS, visit the following URL: https://console.aws.amazon.com/iam/home#/users$new?step=details
  2. Choose Access key - Programmatic access only, and click Next: Permissions.
  3. Click Attach existing policies directly and then click Create policy.
  4. Click JSON and then paste in the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GhostbusterPolicy",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAddresses",
                "ec2:DescribeNetworkInterfaces",
                "route53:ListResourceRecordSets",
                "route53:ListHostedZonesByName",
                "route53:GetTrafficPolicyInstance",
                "route53:GetTrafficPolicy"
            ],
            "Resource": "*"
        }
    ]
}
  1. Click Next: Tags and then Next: Review.
  2. Set the name of the policy to be GhostbusterPolicy.
  3. Click Create Policy.
  4. Go to https://console.aws.amazon.com/iam/home#/users$new?step=permissions&accessKey&userNames=ghostbuster&permissionType=policies
  5. Select GhostbusterPolicy.
  6. Click Next: Tags and then Next: Review.
  7. Click on Create user and setup the AWS credentials in your .aws/credentials file.

Repeat the above steps for each AWS account you own.

This tool will work with however you've setup your AWS configuration (multiple keys, or cross-account assume role profiles). This is managed by boto3, the library used to interface with AWS.

An example configuration looks like this:

.aws/credentials:

[default]
aws_access_key_id = AKIAIII...
aws_secret_access_key = faAaAaA...

.aws/config:

[default]
output = table
region = us-east-1

[profile account-one]
role_arn = arn:aws:iam::911111111113:role/Ec2Route53Access
source_profile = default
region = us-east-1

[profile account-two]
role_arn = arn:aws:iam::911111111112:role/Ec2Route53Access
source_profile = default
region = us-east-1

[profile account-three]
region = us-east-1
role_arn = arn:aws:iam::911111111111:role/Ec2Route53Access
source_profile = default

Alternatively, instead of having roles which are assumed, you can also configure the .aws/credentials file to have a list of profiles and assocaited keys with scoped access.

Once your AWS configuration has been set with all the accounts in your AWS environment, you can then run the tool using the following command:

Setting up Cloudflare (Optional)

If you want Ghostbuster to pull in all the A records that you have set in Cloudflare, you will have to setup an API token that can read zones.

https://dash.cloudflare.com/profile/api-tokens

Setup a Cloudflare API token like shown in the screenshot below:

Once you have obtained this API token, make a note of it somewhere (password manager). In order to use it with Ghostbuster, pass it in via the cloudflaretoken argument.

Authors

  • Shubham Shah - Initial work - github

See also the list of contributors who participated in this project.

License

GNU Affero General Public License

Comments
  • Support AWS SSO and Organizations

    Support AWS SSO and Organizations

    This tool would be amazing for my organization!

    However, we leverage AWS SSO to manage access to our hundreds of accounts. It's therefore unfeasible to create specific IAM users and roles for each account.

    Instead, it would be great if I could pass an SSO role and either a list of accounts or have the tool automatically query orgs to parse all accounts within our OUs to run in each.

    Thanks for working on this (❤️ the name as well!)

    opened by chrislockard 3
  • Adding additional credentials for e.g. staging environment

    Adding additional credentials for e.g. staging environment

    Hello,

    How is it possible to add additional credentials in .aws/credentials:

    [default]
    aws_access_key_id = AKIAIII...
    aws_secret_access_key = faAaAaA...
    

    For different instance? Should just adding e.g. [staging] with their credentials suffice?

    opened by thistehneisen 1
  • Feature: Explicitly name profiles

    Feature: Explicitly name profiles

    It would be great to be able to explicitly give a --profile or --profiles argument to only target a selected account; some of us have an awful lot of accounts in our config.

    opened by QuinnyPig 1
  • allregions flag doesn't seem to be working as expected

    allregions flag doesn't seem to be working as expected

    Good afternoon! When attempting to scan my aws environment across all regions by passing the --allregions flag, I noticed the following error telling me that I needed to specify a region.

    shotop@SHOTOP-M-M5DY ansible % ghostbuster scan aws --profile kenna_us_prod --allregions
    
    Obtaining Route53 hosted zones for AWS profile: kenna_us_prod.
    Obtained 324 DNS A records so far.
    Traceback (most recent call last):
      File "/usr/local/bin/ghostbuster", line 8, in <module>
        sys.exit(cli())
      File "/usr/local/lib/python3.9/site-packages/click/core.py", line 829, in __call__
        return self.main(*args, **kwargs)
      File "/usr/local/lib/python3.9/site-packages/click/core.py", line 782, in main
        rv = self.invoke(ctx)
      File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/usr/local/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/usr/local/lib/python3.9/site-packages/click/core.py", line 610, in invoke
        return callback(*args, **kwargs)
      File "/usr/local/lib/python3.9/site-packages/click/decorators.py", line 73, in new_func
        return ctx.invoke(f, obj, *args, **kwargs)
      File "/usr/local/lib/python3.9/site-packages/click/core.py", line 610, in invoke
        return callback(*args, **kwargs)
      File "/usr/local/lib/python3.9/site-packages/ghostbuster/scan.py", line 265, in aws
        ec2 = boto3.client("ec2")
      File "/usr/local/lib/python3.9/site-packages/boto3/__init__.py", line 93, in client
        return _get_default_session().client(*args, **kwargs)
      File "/usr/local/lib/python3.9/site-packages/boto3/session.py", line 270, in client
        return self._session.create_client(
      File "/usr/local/lib/python3.9/site-packages/botocore/session.py", line 870, in create_client
        client = client_creator.create_client(
      File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 91, in create_client
        client_args = self._get_client_args(
      File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 360, in _get_client_args
        return args_creator.get_client_args(
      File "/usr/local/lib/python3.9/site-packages/botocore/args.py", line 71, in get_client_args
        final_args = self.compute_client_args(
      File "/usr/local/lib/python3.9/site-packages/botocore/args.py", line 148, in compute_client_args
        endpoint_config = self._compute_endpoint_config(
      File "/usr/local/lib/python3.9/site-packages/botocore/args.py", line 234, in _compute_endpoint_config
        return self._resolve_endpoint(**resolve_endpoint_kwargs)
      File "/usr/local/lib/python3.9/site-packages/botocore/args.py", line 320, in _resolve_endpoint
        return endpoint_bridge.resolve(
      File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 441, in resolve
        resolved = self.endpoint_resolver.construct_endpoint(
      File "/usr/local/lib/python3.9/site-packages/botocore/regions.py", line 181, in construct_endpoint
        result = self._endpoint_for_partition(
      File "/usr/local/lib/python3.9/site-packages/botocore/regions.py", line 215, in _endpoint_for_partition
        raise NoRegionError()
    botocore.exceptions.NoRegionError: You must specify a region.
    opened by shotop 1
  • feat(cli): Add flag to return result in JSON

    feat(cli): Add flag to return result in JSON

    When running this tool in an automated fashion, it would be useful to have a program-readable output format, so this commit adds --json flag to do that.

    opened by fardin01 1
  • Support additional types of public IPs

    Support additional types of public IPs

    There may be other ways that public IPs get assigned to resources in an AWS account that would be worth adding to the enumeration logic:

    • Nat Gateways
    • Eks Clusters
    • Elastic Load Balancers
    • Redshift Clusters

    These are ones that I'm aware of, there may be others.

    opened by danielpops 3
Owner
Assetnote
Assetnote
DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

CRED 71 Dec 29, 2022
AWS Auto Inventory allows you to quickly and easily generate inventory reports of your AWS resources.

Photo by Denny Müller on Unsplash AWS Automated Inventory ( aws-auto-inventory ) Automates creation of detailed inventories from AWS resources. Table

AWS Samples 123 Dec 26, 2022
Dumps to CSV all the resources in an organization's member accounts

AWS Org Inventory Dumps to CSV all the resources in an organization's member accounts. Set your environment's AWS_PROFILE and AWS_DEFAULT_REGION varia

Iain Samuel McLean Elder 2 Dec 24, 2021
Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).

Backup and Recovery with AWS Backup This repository provides you with a management and deployment solution for implementing Backup and Recovery with A

AWS Samples 8 Nov 22, 2022
Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Automate activities in Control Tower provisioned AWS accounts Table of contents Introduction Architecture Prerequisites Tools and services Usage Clean

AWS Samples 20 Dec 7, 2022
Project to list all resources in an AWS account with tags.

AWS-ListAll Project to list all resources in an AWS account with tags. This script works on any system Get started: Install python3 and pip3 along wit

Connor Shubham Verlekar 3 Jan 30, 2022
domhttpx is a google search engine dorker with HTTP toolkit built with python, can make it easier for you to find many URLs/IPs at once with fast time.

domhttpx is a google search engine dorker with HTTP toolkit built with python, can make it easier for you to find many URLs/IPs at once with fast time

Naufal Ardhani 59 Dec 4, 2022
A python script fetches all your starred repositories from your GitHub account and clones them to your server so you will never lose important resources

A python script fetches all your starred repositories from your GitHub account and clones them to your server so you will never lose important resources

Ringo Hoffmann 27 Oct 1, 2022
Create a Neo4J graph of users and roles trust policies within an AWS Organization.

AWS_ORG_MAPPER This tool uses sso-oidc to authenticate to the AWS organization. Once authenticated the tool will attempt to enumerate all users and ro

Ruse 24 Jul 28, 2022
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

aws-allowlister Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance fr

Salesforce 189 Dec 8, 2022
hydrotoolbox is a Python script for hydrologic calculations and analysis or by function calls within Python.

hydrotoolbox is a Python script for hydrologic calculations and analysis or by function calls within Python.

Tim Cera 4 Aug 20, 2022
SSH-Restricted deploys an SSH compliance rule (AWS Config) with auto-remediation via AWS Lambda if SSH access is public.

SSH-Restricted SSH-Restricted deploys an SSH compliance rule with auto-remediation via AWS Lambda if SSH access is public. SSH-Auto-Restricted checks

Adrian Hornsby 30 Nov 8, 2022
A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

Amazon Web Services - Labs 1.9k Jan 7, 2023
aws-lambda-scheduler lets you call any existing AWS Lambda Function you have in a future time.

aws-lambda-scheduler aws-lambda-scheduler lets you call any existing AWS Lambda Function you have in the future. This functionality is achieved by dyn

Oğuzhan Yılmaz 57 Dec 17, 2022
Project template for using aws-cdk, Chalice and React in concert, including RDS Postgresql and AWS Cognito

What is This? This repository is an opinonated project template for using aws-cdk, Chalice and React in concert. Where aws-cdk and Chalice are in Pyth

Rasmus Jones 4 Nov 7, 2022
POC de uma AWS lambda que executa a consulta de preços de criptomoedas, e é implantada na AWS usando Github actions.

Cryptocurrency Prices Overview Instalação Repositório Configuração CI/CD Roadmap Testes Overview A ideia deste projeto é aplicar o conteúdo estudado s

Gustavo Santos 3 Aug 31, 2022
Python + AWS Lambda Hands OnPython + AWS Lambda Hands On

Python + AWS Lambda Hands On Python Criada em 1990, por Guido Van Rossum. "Bala de prata" (quase). Muito utilizado em: Automatizações - Selenium, Beau

Marcelo Ortiz de Santana 8 Sep 9, 2022
Unauthenticated enumeration of services, roles, and users in an AWS account or in every AWS account in existence.

Quiet Riot ?? C'mon, Feel The Noise ?? An enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, roo

Wes Ladd 89 Jan 5, 2023
AWS Blog post code for running feature-extraction on images using AWS Batch and Cloud Development Kit (CDK).

Batch processing with AWS Batch and CDK Welcome This repository demostrates provisioning the necessary infrastructure for running a job on AWS Batch u

AWS Samples 7 Oct 18, 2022