AWS Enumeration and Footprinting Tool

Overview

Quiet Riot

🎶 C'mon, Feel The Noise 🎶

An enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, root e-mail addresses, users, and roles.

Credit: Daniel Grzelak @dagrz for identifying the technique and Will Bengston @__muscles for inspiring me to scale it.

See the blog post here

Featureploitation Limits

Throttling

After performing extensive analysis of scaling methods using the AWS Python (Boto3) SDK, I was able to determine that the bottleneck for scanning (at least for Python and awscli -based tools) is I/O capacity of a single-threaded Python application. After modifying the program to run with multiple threads, I was able to trigger exceptions in individual threads due to throttling by the various AWS APIs. You can see the results from running a few benchmarking test scans here. APIs that I tested had wildly different throttling limits and notably, s3 bucket policy attempts took ~10x as long as similar attempts against other services.

With further testing, I settled on a combination of SNS, ECR-Public, and ECR-Private services running in US-East-1 in ~40%/50%/10% configuration split with ~700 threads. The machine I used was a 2020 Macbook Air (M1 and 16 GB RAM). This configuration yielded on average ~1100 calls/sec, though the actual number of calls can fluctuate significantly depending on a variety of factors including network connectivity. Under these configurations, I did occasionally throw an exception on a thread from throttling...but I have subsequently configured additional (4 -> 7) re-try attempts via botocore that would eliminate this issue with some performance trade-off.

Computational Difficulty

To attempt every possible Account ID in AWS (1,000,000,000,000) would require an infeasible amount of time given only one account. Even assuming absolute efficiency*, over the course of a day an attacker will only be able to make 95,040,000 validation checks. Over 30 days, this is 2,851,200,000 validation checks and we are still over 28 years away from enumerating every valid AWS Account ID. Fortunately, there is nothing stopping us from registering many AWS accounts and automating this scan. While there is an initial limit of 20 accounts per AWS organization, I was able to get this limit increased for my Organization via console self-service and approval from an AWS representative. The approval occured without any further questions and now I'm off to automating this writ large. Again, assuming absolute efficiency, the 28 years scanning could potentially be reduced down to ~100 days.

*~1100 API calls/check per second in perpetuity per account and never repeating a guessed Account ID.

Potential Supported Services

# AWS Service Description API Limits Resource Pricing Enumeration Capability
1 SNS Managed Serverless Notification Service Unknown Unknown Yes
2 KMS Encryption Key Management Service Unknown Unknown Yes
3 SecretsManager Managed Secret Store Unknown Unknown Yes
4 CodeArtifact Managed Source Code Repository Unknown Unknown Yes
5 ECR Public Managed Container Registry Unknown Unknown Yes
6 ECR Private Managed Container Registry Unknown Unknown Yes
7 Lambda Managed Serverless Function Unknown Unknown Yes
8 s3 Managed Serverless Object Store Unknown Unknown Yes
9 SES SMTP Automation Service Unknown Unknown Unknown
10 ACM Private Certificate Authority Unknown Unknown Unknown
11 CodeBuild Software Build Agent Unknown Unknown Unknown
12 AWS Backup Managed Backup Service Unknown Unknown Unknown
13 Cloud9 Managed IDE Unknown Unknown Unknown
14 Glue Managed ETL Job Service Unknown Unknown Unknown
15 EKS Managed K8s Service Unknown Unknown Unknown
16 Lex V2 Managed NLP Service Unknown Unknown Unknown
17 CloudWatch Logs Managed Log Pipeline/Monitoring Unknown Unknown Unknown
18 VPC Endpoints Managed Virtual Network Unknown Unknown Unknown
19 Elemental MediaStore Unknown Unknown Unknown Unknown
20 OpenSearch Managed ElasticSearch Unknown Unknown Unknown
21 EventBridge Managed Serverless Event Hub Unknown Unknown Unknown
22 EventBridge Schemas Managed Serverless Event Hub Unknown Unknown Unknown
23 IoT Internet-of-Things Management Unknown Unknown Unknown
24 s3 Glacier Cold Object Storage Unknown Unknown Unknown
25 ECS Managed Container Orchestration Unknown Unknown Unknown
26 Serverless Application Repository Managed Source Code Repository Unknown Unknown No
27 SQS Managed Serverless Queueing Service Unknown Unknown No
28 EFS Managed Serverless Elastic File System Unknown Unknown No

Getting Started With Quiet Riot

To get started with Quiet Riot, clone the repository to your local directory. You'll need boto3 and AWS cli tools installed. You'll need credentials configured with sufficient privileges in an AWS account to deploy the resources (SNS topic, ECR-Public repository, and ECR-Private repository). Then you just run ./main.py and follow the prompts. If you don't bring your own wordlists, feel free to use one from the wordlists/ directory and I further recommend SecLists Usernames.

Prerequisites

awscli boto3 botocore Sufficient AWS credentials configured via CLI

You might also like...
SSH-Restricted deploys an SSH compliance rule (AWS Config) with auto-remediation via AWS Lambda if SSH access is public.
SSH-Restricted deploys an SSH compliance rule (AWS Config) with auto-remediation via AWS Lambda if SSH access is public.

SSH-Restricted SSH-Restricted deploys an SSH compliance rule with auto-remediation via AWS Lambda if SSH access is public. SSH-Auto-Restricted checks

aws-lambda-scheduler lets you call any existing AWS Lambda Function you have in a future time.

aws-lambda-scheduler aws-lambda-scheduler lets you call any existing AWS Lambda Function you have in the future. This functionality is achieved by dyn

POC de uma AWS lambda que executa a consulta de preços de criptomoedas, e é implantada na AWS usando Github actions.
POC de uma AWS lambda que executa a consulta de preços de criptomoedas, e é implantada na AWS usando Github actions.

Cryptocurrency Prices Overview Instalação Repositório Configuração CI/CD Roadmap Testes Overview A ideia deste projeto é aplicar o conteúdo estudado s

Python + AWS Lambda Hands OnPython + AWS Lambda Hands On
Python + AWS Lambda Hands OnPython + AWS Lambda Hands On

Python + AWS Lambda Hands On Python Criada em 1990, por Guido Van Rossum. "Bala de prata" (quase). Muito utilizado em: Automatizações - Selenium, Beau

Aws-lambda-requests-wrapper - Request/Response wrapper for AWS Lambda with API Gateway

AWS Lambda Requests Wrapper Request/Response wrapper for AWS Lambda with API Gat

AWS-serverless-starter - AWS Lambda serverless stack via Serverless framework
AWS-serverless-starter - AWS Lambda serverless stack via Serverless framework

Serverless app via AWS Lambda, ApiGateway and Serverless framework Configuration

AWS CloudSaga - Simulate security events in AWS

AWS CloudSaga - Simulate security events in AWS AWS CloudSaga is for customers to test security controls and alerts within their Amazon Web Services (

A tool that helps keeping track of your AWS quota utilization
A tool that helps keeping track of your AWS quota utilization

aws-quota-checker A tool that helps keeping track of your AWS quota utilization. It'll determine the limits of your AWS account and compare them to th

AWS Workmail Migration Tool

WMigrate A tool for migrating AWS Workmail Users and Groups cross region and cross accounts. It also creates user and group aliases and adds the users

Comments
  • Initial uplift work

    Initial uplift work

    Moved to using Python click. We are putting this in the staging branch so we can migrate all the stuff over from main to here, with an initial focus on the enum and global_enum commands, and updating the backend logic to reflect the current updates from main branch.

    opened by kmcquade 1
  • Fix/pytest failures due to unsorted list

    Fix/pytest failures due to unsorted list

    Pytest was failing because the wordlist was from an unsorted set. Rather than sorting the wordlist (which would take a long time for large data sets), I decided to verify the list contents differently. Now the tests pass.

    opened by kmcquade 0
  • Add Terraform for integration testing

    Add Terraform for integration testing

    This Terraform populates an AWS Account that has all the different IAM resources that we enumerate for, and nothing else. It will have all the SLRs that we check for, some dummy users, and other stuff.

    We can use these for integration tests. Since AWS Account IDs are clearly no longer sensitive, the account ID that we use is: 227156886084.

    opened by kmcquade 0
Owner
Wes Ladd
Cloud Security Architect
Wes Ladd
DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

CRED 71 Dec 29, 2022
Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Automate activities in Control Tower provisioned AWS accounts Table of contents Introduction Architecture Prerequisites Tools and services Usage Clean

AWS Samples 20 Dec 7, 2022
Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).

Backup and Recovery with AWS Backup This repository provides you with a management and deployment solution for implementing Backup and Recovery with A

AWS Samples 8 Nov 22, 2022
Aws-cidr-finder - A Python CLI tool for finding unused CIDR blocks in AWS VPCs

aws-cidr-finder Overview An Example Installation Configuration Contributing Over

Cooper Walbrun 18 Jul 31, 2022
Project template for using aws-cdk, Chalice and React in concert, including RDS Postgresql and AWS Cognito

What is This? This repository is an opinonated project template for using aws-cdk, Chalice and React in concert. Where aws-cdk and Chalice are in Pyth

Rasmus Jones 4 Nov 7, 2022
AWS Auto Inventory allows you to quickly and easily generate inventory reports of your AWS resources.

Photo by Denny Müller on Unsplash AWS Automated Inventory ( aws-auto-inventory ) Automates creation of detailed inventories from AWS resources. Table

AWS Samples 123 Dec 26, 2022
A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

Amazon Web Services - Labs 1.9k Jan 7, 2023
AWS Blog post code for running feature-extraction on images using AWS Batch and Cloud Development Kit (CDK).

Batch processing with AWS Batch and CDK Welcome This repository demostrates provisioning the necessary infrastructure for running a job on AWS Batch u

AWS Samples 7 Oct 18, 2022
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

aws-allowlister Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance fr

Salesforce 189 Dec 8, 2022