
About Ghostbuster

Ghostbuster is an Elastic IP security auditing tool. It analyses the resources in the target AWS accounts in order to find and eliminate dangling Elastic IPs.

Ghostbuster helps researchers obtain all DNS records in the target AWS accounts (Route53), and can optionally take additional records from CSV input or from Cloudflare.

Once these records have been collected, Ghostbuster iterates over all AWS Elastic IPs and all public IPs of network interfaces and collects that data as well.

With the complete set of DNS records (from Route53, file input or Cloudflare) and the complete set of AWS IPs the target organisation owns, the tool can detect subdomains that point to dangling Elastic IPs, that is, addresses the organisation no longer holds.

Features

1. Dynamically enumerates every AWS account in .aws/config;

2. Pulls records from AWS Route53;

3. Pulls records from Cloudflare (optional);

4. Pulls records from CSV input (optional);

5. Iterates over all regions, a single region, or a comma-separated list of regions;

6. Obtains all Elastic IPs associated with all AWS accounts;

7. Obtains all public IPs associated with all AWS accounts;

8. Cross-checks the DNS records against the IPs the organisation owns to detect potential takeover risk;

9. Slack Webhook support for sending takeover notifications.
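The cross-check described above (DNS records from several sources versus the Elastic IPs and network-interface IPs held across all accounts and regions), as an added example that is not Ghostbuster's own code. The records.csv layout (name,ip rows), the inventory, and the IP values are constructed for this example; the "public addresses only" filter is this example's own addition, since a private address in a record cannot be claimed by an outsider.

```python
import csv
import io
import ipaddress

# Constructed sample input (not from the page): a records.csv in the shape
# this example assumes, one "name,ip" row per A record.
RECORDS_CSV = """name,ip
takeover.example.com,52.54.24.193
app.example.com,3.3.3.3
app.example.com,52.1.1.1
intranet.example.com,10.0.0.5
"""

# Constructed inventory of Elastic IPs and network-interface public IPs,
# keyed by (profile, region), standing in for what the tool collects.
OWNED_IPS = {
    ("default", "us-east-1"): {"3.3.3.3"},
    ("account-one", "us-east-1"): {"52.1.1.1"},
    ("account-one", "eu-west-1"): {"18.0.0.9"},
}


def parse_records_csv(text):
    """Turn name,ip rows into {name: set(ips)}, merging repeated names."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["name"].strip().lower()
        records.setdefault(name, set()).add(row["ip"].strip())
    return records


def collect_owned_ips(inventory):
    """Flatten the per-profile, per-region inventory into one set of IPs."""
    owned = set()
    for ips in inventory.values():
        owned |= ips
    return owned


def find_dangling(records, owned):
    """Return [{'name': ..., 'records': [...]}] for names whose A records
    point at public IPs the organisation does not hold."""
    findings = []
    for name, ips in sorted(records.items()):
        dangling = sorted(ip for ip in ips
                          if ipaddress.ip_address(ip).is_global and ip not in owned)
        if dangling:
            findings.append({"name": name, "records": dangling})
    return findings


if __name__ == "__main__":
    for finding in find_dangling(parse_records_csv(RECORDS_CSV), collect_owned_ips(OWNED_IPS)):
        print("Takeover possible:", finding)
```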

Download & installation

The tool is written in Python, so you first need a Python 3.x environment installed and configured on your machine.

Downloading and installing Ghostbuster is straightforward. Clone the project source to your machine with:

git clone https://github.com/assetnote/ghostbuster.git

Or install it directly with:

pip install ghostbuster

Ghostbuster is then available through the ghostbuster command.

Usage

❯ ghostbuster scan aws --help
Usage: ghostbuster scan aws [OPTIONS]

  Scan for dangling elastic IPs inside your AWS accounts.

Options:
  --profile TEXT          The AWS profiles Ghostbuster should scan
  --skipascii             Do not print the ASCII art when Ghostbuster starts
  --slackwebhook TEXT     A Slack Webhook URL to send potential takeover notifications to
  --records PATH          Manually specify DNS records to check; Ghostbuster checks these IPs after the retrieved DNS records
  --cloudflaretoken TEXT  Pull DNS records from Cloudflare; a Cloudflare API token must be provided
  --allregions            Scan all regions
  --exclude TEXT          Comma-separated list of profile names to exclude
  --regions TEXT          Comma-separated list of regions to scan
  --help                  Show this message and exit
Configuring Cloudflare

Configuring AWS accounts

.aws/credentials:

[default]
aws_access_key_id = AKIAIII...
aws_secret_access_key = faAaAaA...

.aws/config:

[default]
output = table
region = us-east-1

[profile account-one]
role_arn = arn:aws:iam::911111111113:role/Ec2Route53Access
source_profile = default
region = us-east-1

[profile account-two]
role_arn = arn:aws:iam::911111111112:role/Ec2Route53Access
source_profile = default
region = us-east-1

[profile account-three]
region = us-east-1
role_arn = arn:aws:iam::911111111111:role/Ec2Route53Access
source_profile = default
Usage examples

Run Ghostbuster with an access token for Cloudflare DNS records, send notifications to a Slack Webhook, and iterate over every AWS account configured in .aws/config or .aws/credentials across all AWS regions:

❯ ghostbuster scan aws --cloudflaretoken APIKEY --slackwebhook https://hooks.slack.com/services/KEY --allregions

Run Ghostbuster with a manually supplied list of subdomain A records (see records.csv for the format):

❯ ghostbuster scan aws --records records.csv

Sample output

❯ ghostbuster scan aws --cloudflaretoken whougonnacall
Obtaining all zone names from Cloudflare.
Obtaining DNS A records for all zones from Cloudflare.
Obtained 33 DNS A records so far.
Obtaining Route53 hosted zones for AWS profile: default.
Obtaining Route53 hosted zones for AWS profile: account-five.
Obtaining Route53 hosted zones for AWS profile: account-four.
Obtaining Route53 hosted zones for AWS profile: account-four-deploy.
Obtaining Route53 hosted zones for AWS profile: account-two-deploy.
Obtaining Route53 hosted zones for AWS profile: account-one-deploy.
Obtaining Route53 hosted zones for AWS profile: account-three-deploy.
Obtaining Route53 hosted zones for AWS profile: account-six.
Obtaining Route53 hosted zones for AWS profile: account-seven.
Obtaining Route53 hosted zones for AWS profile: account-one.
Obtained 124 DNS A records so far.
Obtaining EIPs for region: us-east-1, profile: default
Obtaining IPs for network interfaces for region: us-east-1, profile: default
Obtaining EIPs for region: us-east-1, profile: account-five
Obtaining IPs for network interfaces for region: us-east-1, profile: account-five
Obtaining EIPs for region: us-east-1, profile: account-four
Obtaining IPs for network interfaces for region: us-east-1, profile: account-four
Obtaining EIPs for region: us-east-1, profile: account-four-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-four-deploy
Obtaining EIPs for region: us-east-1, profile: account-two-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-two-deploy
Obtaining EIPs for region: us-east-1, profile: account-one-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-one-deploy
Obtaining EIPs for region: us-east-1, profile: account-three-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-three-deploy
Obtaining EIPs for region: us-east-1, profile: account-six
Obtaining IPs for network interfaces for region: us-east-1, profile: account-six
Obtaining EIPs for region: us-east-1, profile: account-seven
Obtaining IPs for network interfaces for region: us-east-1, profile: account-seven
Obtaining EIPs for region: us-east-1, profile: account-one
Obtaining IPs for network interfaces for region: us-east-1, profile: account-one
Obtained 415 unique elastic IPs from AWS.
Takeover possible: {'name': 'takeover.assetnotecloud.com', 'records': ['52.54.24.193']}
License

This project is developed and released under the AGPL-3.0 open source license.

Project URL

https://github.com/assetnote/ghostbuster

