Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
Currently enumerates the following:
Amazon Web Services:
- Open / Protected S3 Buckets
- awsapps (WorkMail, WorkDocs, Connect, etc.)
Microsoft Azure:
- Storage Accounts
- Open Blob Storage Containers
- Hosted Databases
- Virtual Machines
- Web Apps
Google Cloud Platform:
- Open / Protected GCP Buckets
- Open / Protected Firebase Realtime Databases
- Google App Engine sites
- Cloud Functions (enumerates project/regions with existing functions, then brute forces actual function names)
- Open Firebase Apps
See it in action in Codingo's video demo here.
Several non-standard libraries are required to support threaded HTTP requests and DNS lookups. Install the requirements as follows:
pip3 install -r ./requirements.txt
The only required argument is at least one keyword. You can use the built-in fuzzing strings, but you will get better results if you supply your own with -m and/or -b.
You can provide multiple keywords by specifying the -k argument multiple times.
Keywords are mutated automatically using strings from enum_tools/fuzz.txt or a file you provide with the -m flag. Services that require a second level of brute forcing (Azure Containers and GCP Functions) will also use fuzz.txt by default or a file you provide with the -b flag.
Let's say you were researching "somecompany" whose website is "somecompany.io" that makes a product called "blockchaindoohickey". You could run the tool like this:
./cloud_enum.py -k somecompany -k somecompany.io -k blockchaindoohickey
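As an added illustration of the keyword mutation described above (example code written for this page, not cloud_enum's own implementation), the following builds candidate names from keywords and a mutation list, then filters each set by the provider's naming rules so no request is spent on a name the service could not host. The separator set, the stand-in fuzz lines and the simplified naming rules are this example's assumptions.

```python
import re

# Constructed stand-in for a few lines of enum_tools/fuzz.txt (not the real file).
FUZZ_LINES = ["backup", "dev", "prod", "logs", "2023", "Data_Export", "dev"]

# Separators tried between keyword and mutation: an assumption of this example.
SEPARATORS = ["", "-", ".", "_"]

# Simplified public naming rules per provider (length and character set only):
#   AWS S3 bucket:         3-63 chars of lowercase letters, digits, '.', '-'
#   Azure storage account: 3-24 chars of lowercase letters and digits
#   GCP bucket:            3-63 chars of lowercase letters, digits, '-', '_', '.'
NAME_RULES = {
    "aws":   re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$"),
    "azure": re.compile(r"^[a-z0-9]{3,24}$"),
    "gcp":   re.compile(r"^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$"),
}


def load_mutations(lines):
    """Normalise a mutation list: strip, lower-case, drop blanks and repeats."""
    seen, out = set(), []
    for raw in lines:
        word = raw.strip().lower()
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def mutate(keywords, mutations):
    """Ordered, de-duplicated candidates: each bare keyword, then
    keyword+sep+mutation and mutation+sep+keyword for every pair."""
    seen, out = set(), []

    def add(name):
        if name not in seen:
            seen.add(name)
            out.append(name)

    for kw in (k.strip().lower() for k in keywords):
        add(kw)
        for m in mutations:
            for sep in SEPARATORS:
                add(f"{kw}{sep}{m}")
                add(f"{m}{sep}{kw}")
    return out


def valid_for(provider, candidates):
    """Keep only names the provider could host, so no request is spent
    on a name the service would reject anyway (e.g. dots in Azure names)."""
    rule = NAME_RULES[provider]
    return [c for c in candidates if rule.match(c)]
```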
HTTP scraping and DNS lookups use 5 threads each by default. You can try increasing this, but eventually the cloud providers will rate limit you. Here is an example that increases it to 10.
./cloud_enum.py -k keyword -t 10
IMPORTANT: Some resources (Azure Containers, GCP Functions) are discovered per region. To save scanning time, there is a "REGIONS" variable defined in cloudenum/azure_regions.py and cloudenum/gcp_regions.py that is set by default to use only one region. You may want to look at these files and edit them to be relevant to your own work.
Complete Usage Details
usage: cloud_enum.py [-h] -k KEYWORD [-m MUTATIONS] [-b BRUTE]
Multi-cloud enumeration utility. All hail OSINT!
optional arguments:
-h, --help show this help message and exit
-k KEYWORD, --keyword KEYWORD
Keyword. Can use argument multiple times.
-kf KEYFILE, --keyfile KEYFILE
Input file with a single keyword per line.
-m MUTATIONS, --mutations MUTATIONS
Mutations. Default: enum_tools/fuzz.txt
-b BRUTE, --brute BRUTE
List to brute-force Azure container names. Default: enum_tools/fuzz.txt
-t THREADS, --threads THREADS
Threads for HTTP brute-force. Default = 5
-ns NAMESERVER, --nameserver NAMESERVER
DNS server to use in brute-force.
-l LOGFILE, --logfile LOGFILE
Will APPEND found items to specified file.
-f FORMAT, --format FORMAT
Format for log file (text,json,csv - defaults to text)
--disable-aws Disable Amazon checks.
--disable-azure Disable Azure checks.
--disable-gcp Disable Google checks.
-qs, --quickscan Disable all mutations and second-level scans
So far, I have borrowed from:
- Some of the permutations from GCPBucketBrute
GATOR - GCP Attack Toolkit for Offensive Research, a tool designed to aid in research and exploiting Google Cloud Environments. It offers a comprehensive range of modules tailored to support users in various attack stages, spanning from Reconnaissance to Impact.
Resource Category | Primary Module | Command Group | Operation | Description |
---|---|---|---|---|
User Authentication | auth | - | activate | Activate a Specific Authentication Method |
User Authentication | auth | - | add | Add a New Authentication Method |
User Authentication | auth | - | delete | Remove a Specific Authentication Method |
User Authentication | auth | - | list | List All Available Authentication Methods |
Cloud Functions | functions | - | list | List All Deployed Cloud Functions |
Cloud Functions | functions | - | permissions | Display Permissions for a Specific Cloud Function |
Cloud Functions | functions | - | triggers | List All Triggers for a Specific Cloud Function |
Cloud Storage | storage | buckets | list | List All Storage Buckets |
Cloud Storage | storage | buckets | permissions | Display Permissions for Storage Buckets |
Compute Engine | compute | instances | add-ssh-key | Add SSH Key to Compute Instances |
Python 3.11 or newer should be installed. You can verify your Python version with the following command:
python --version
git clone https://github.com/anrbn/GATOR.git
cd GATOR
python setup.py install
pip install gator-red
Have a look at the GATOR Documentation for an explained guide on using GATOR and its modules!
If you encounter any problems with this tool, I encourage you to let me know. Here are the steps to report an issue:
Check Existing Issues: Before reporting a new issue, please check the existing issues in this repository. Your issue might have already been reported and possibly even resolved.
Create a New Issue: If your problem hasn't been reported, please create a new issue in the GitHub repository. Click the Issues tab and then click New Issue.
Describe the Issue: When creating a new issue, please provide as much information as possible. Include a clear and descriptive title, explain the problem in detail, and provide steps to reproduce the issue if possible. Including the version of the tool you're using and your operating system can also be helpful.
Submit the Issue: After you've filled out all the necessary information, click Submit new issue.
Your feedback is important, and will help improve the tool. I appreciate your contribution!
I'll be reviewing reported issues on a regular basis and try to reproduce the issue based on your description and will communicate with you for further information if necessary. Once I understand the issue, I'll work on a fix.
Please note that resolving an issue may take some time depending on its complexity. I appreciate your patience and understanding.
I warmly welcome and appreciate contributions from the community! If you're interested in contributing on any existing or new modules, feel free to submit a pull request (PR) with any new/existing modules or features you'd like to add.
Once you've submitted a PR, I'll review it as soon as I can. I might request some changes or improvements before merging your PR. Your contributions play a crucial role in making the tool better, and I'm excited to see what you'll bring to the project!
Thank you for considering contributing to the project.
If you have any questions regarding the tool or any of its modules, please check out the documentation first. I've tried to provide clear, comprehensive information related to all of its modules. If however your query is not yet solved or you have a different question altogether please don't hesitate to reach out to me via Twitter or LinkedIn. I'm always happy to help and provide support. :)
TerraformGoat is selefra research lab's "Vulnerable by Design" multi cloud deployment tool.
Currently supported cloud vendors include Alibaba Cloud, Tencent Cloud, Huawei Cloud, Amazon Web Services, Google Cloud Platform, Microsoft Azure.
ID | Cloud Service Company | Types Of Cloud Services | Vulnerable Environment |
---|---|---|---|
1 | Alibaba Cloud | Networking | VPC Security Group Open All Ports |
2 | Alibaba Cloud | Networking | VPC Security Group Open Common Ports |
3 | Alibaba Cloud | Object Storage | Bucket HTTP Enable |
4 | Alibaba Cloud | Object Storage | Object ACL Writable |
5 | Alibaba Cloud | Object Storage | Object ACL Readable |
6 | Alibaba Cloud | Object Storage | Special Bucket Policy |
7 | Alibaba Cloud | Object Storage | Bucket Public Access |
8 | Alibaba Cloud | Object Storage | Object Public Access |
9 | Alibaba Cloud | Object Storage | Bucket Logging Disable |
10 | Alibaba Cloud | Object Storage | Bucket Policy Readable |
11 | Alibaba Cloud | Object Storage | Bucket Object Traversal |
12 | Alibaba Cloud | Object Storage | Unrestricted File Upload |
13 | Alibaba Cloud | Object Storage | Server Side Encryption No KMS Set |
14 | Alibaba Cloud | Object Storage | Server Side Encryption Not Using BYOK |
15 | Alibaba Cloud | Elastic Computing Service | ECS SSRF |
16 | Alibaba Cloud | Elastic Computing Service | ECS Unattached Disks Are Unencrypted |
17 | Alibaba Cloud | Elastic Computing Service | ECS Virtual Machine Disks Are Unencrypted |
18 | Tencent Cloud | Networking | VPC Security Group Open All Ports |
19 | Tencent Cloud | Networking | VPC Security Group Open Common Ports |
20 | Tencent Cloud | Object Storage | Bucket ACL Writable |
21 | Tencent Cloud | Object Storage | Bucket ACL Readable |
22 | Tencent Cloud | Object Storage | Bucket Public Access |
23 | Tencent Cloud | Object Storage | Object Public Access |
24 | Tencent Cloud | Object Storage | Unrestricted File Upload |
25 | Tencent Cloud | Object Storage | Bucket Object Traversal |
26 | Tencent Cloud | Object Storage | Bucket Logging Disable |
27 | Tencent Cloud | Object Storage | Server Side Encryption Disable |
28 | Tencent Cloud | Elastic Computing Service | CVM SSRF |
29 | Tencent Cloud | Elastic Computing Service | CBS Storage Are Not Used |
30 | Tencent Cloud | Elastic Computing Service | CVM Virtual Machine Disks Are Unencrypted |
31 | Huawei Cloud | Networking | ECS Unsafe Security Group |
32 | Huawei Cloud | Object Storage | Object ACL Writable |
33 | Huawei Cloud | Object Storage | Special Bucket Policy |
34 | Huawei Cloud | Object Storage | Unrestricted File Upload |
35 | Huawei Cloud | Object Storage | Bucket Object Traversal |
36 | Huawei Cloud | Object Storage | Wrong Policy Causes Arbitrary File Uploads |
37 | Huawei Cloud | Elastic Computing Service | ECS SSRF |
38 | Huawei Cloud | Relational Database Service | RDS Mysql Baseline Checking Environment |
39 | Amazon Web Services | Networking | VPC Security Group Open All Ports |
40 | Amazon Web Services | Networking | VPC Security Group Open Common Ports |
41 | Amazon Web Services | Object Storage | Object ACL Writable |
42 | Amazon Web Services | Object Storage | Bucket ACL Writable |
43 | Amazon Web Services | Object Storage | Bucket ACL Readable |
44 | Amazon Web Services | Object Storage | MFA Delete Is Disable |
45 | Amazon Web Services | Object Storage | Special Bucket Policy |
46 | Amazon Web Services | Object Storage | Bucket Object Traversal |
47 | Amazon Web Services | Object Storage | Unrestricted File Upload |
48 | Amazon Web Services | Object Storage | Bucket Logging Disable |
49 | Amazon Web Services | Object Storage | Bucket Allow HTTP Access |
50 | Amazon Web Services | Object Storage | Bucket Default Encryption Disable |
51 | Amazon Web Services | Elastic Computing Service | EC2 SSRF |
52 | Amazon Web Services | Elastic Computing Service | Console Takeover |
53 | Amazon Web Services | Elastic Computing Service | EBS Volumes Are Not Used |
54 | Amazon Web Services | Elastic Computing Service | EBS Volumes Encryption Is Disabled |
55 | Amazon Web Services | Elastic Computing Service | Snapshots Of EBS Volumes Are Unencrypted |
56 | Amazon Web Services | Identity and Access Management | IAM Privilege Escalation |
57 | Google Cloud Platform | Object Storage | Object ACL Writable |
58 | Google Cloud Platform | Object Storage | Bucket ACL Writable |
59 | Google Cloud Platform | Object Storage | Bucket Object Traversal |
60 | Google Cloud Platform | Object Storage | Unrestricted File Upload |
61 | Google Cloud Platform | Elastic Computing Service | VM Command Execution |
62 | Microsoft Azure | Object Storage | Blob Public Access |
63 | Microsoft Azure | Object Storage | Container Blob Traversal |
64 | Microsoft Azure | Elastic Computing Service | VM Command Execution |
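As an added, defender-side example (not TerraformGoat's own code), the following maps an S3 bucket's configuration to the AWS object-storage scenarios listed in the table above (IDs 42 to 50). The input shape mimics the S3 GetBucketAcl/GetBucketPolicy/GetBucketVersioning/GetBucketLogging/GetBucketEncryption responses, the sample bucket is constructed, and the mapping of policy actions to scenario names is this example's assumption.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:*"}

# Constructed sample bucket: public-read ACL, anonymous get/list policy,
# no TLS-only deny, versioning without MFA delete, no logging, no encryption.
SAMPLE_BUCKET = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}]},
    "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                              "Action": ["s3:GetObject", "s3:ListBucket"],
                              "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
    "logging": {},
    "encryption": {},
}


def _public_principal(p):
    """True for the anonymous principal forms "*" and {"AWS": "*"}."""
    if p == "*":
        return True
    aws = p.get("AWS") if isinstance(p, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)


def _actions(stmt):
    act = stmt.get("Action", [])
    return {act} if isinstance(act, str) else set(act)


def check_bucket(cfg):
    """Return the set of TerraformGoat AWS scenario names that apply to cfg."""
    findings = set()
    for grant in cfg.get("acl", {}).get("Grants", []):          # IDs 42, 43
        if grant.get("Grantee", {}).get("URI") == ALL_USERS:
            perm = grant.get("Permission")
            if perm in ("READ", "FULL_CONTROL"):
                findings.add("Bucket ACL Readable")
            if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
                findings.add("Bucket ACL Writable")
    stmts = (cfg.get("policy") or {}).get("Statement", [])
    for s in stmts:                                              # IDs 46, 47
        if s.get("Effect") == "Allow" and _public_principal(s.get("Principal")):
            acts = _actions(s)
            if acts & {"s3:ListBucket", "s3:*"}:
                findings.add("Bucket Object Traversal")
            if acts & WRITE_ACTIONS:
                findings.add("Unrestricted File Upload")
    tls_only = any(                                              # ID 49
        s.get("Effect") == "Deny"
        and s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
        for s in stmts)
    if not tls_only:
        findings.add("Bucket Allow HTTP Access")
    if cfg.get("versioning", {}).get("MFADelete") != "Enabled":  # ID 44
        findings.add("MFA Delete Is Disable")
    if not cfg.get("logging", {}).get("LoggingEnabled"):         # ID 48
        findings.add("Bucket Logging Disable")
    if not cfg.get("encryption", {}).get("Rules"):               # ID 50
        findings.add("Bucket Default Encryption Disable")
    return findings
```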
TerraformGoat is deployed using Docker images and therefore requires a Docker Engine environment. Docker Engine installation instructions can be found at https://docs.docker.com/engine/install/
Depending on the cloud service provider you are using, choose the corresponding installation command.
Alibaba Cloud
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.4
docker run -itd --name terraformgoat_aliyun_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.4
docker exec -it terraformgoat_aliyun_0.0.4 /bin/bash
Tencent Cloud
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_tencentcloud:0.0.4
docker run -itd --name terraformgoat_tencentcloud_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_tencentcloud:0.0.4
docker exec -it terraformgoat_tencentcloud_0.0.4 /bin/bash
Huawei Cloud
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_huaweicloud:0.0.4
docker run -itd --name terraformgoat_huaweicloud_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_huaweicloud:0.0.4
docker exec -it terraformgoat_huaweicloud_0.0.4 /bin/bash
Amazon Web Services
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aws:0.0.4
docker run -itd --name terraformgoat_aws_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aws:0.0.4
docker exec -it terraformgoat_aws_0.0.4 /bin/bash
Google Cloud Platform
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_gcp:0.0.4
docker run -itd --name terraformgoat_gcp_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_gcp:0.0.4
docker exec -it terraformgoat_gcp_0.0.4 /bin/bash
Microsoft Azure
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_azure:0.0.4
docker run -itd --name terraformgoat_azure_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_azure:0.0.4
docker exec -it terraformgoat_azure_0.0.4 /bin/bash
After entering the container, cd to the corresponding scenario directory and you can start deploying the scenario.
Here is a demonstration of the Alibaba Cloud Bucket Object Traversal scenario build.
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.4
docker run -itd --name terraformgoat_aliyun_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.4
docker exec -it terraformgoat_aliyun_0.0.4 /bin/bash
cd /TerraformGoat/aliyun/oss/bucket_object_traversal/
aliyun configure
terraform init
terraform apply
When the program prompts Enter a value:, type yes and press Enter. Then use curl to access the bucket; you can see the objects being traversed.
To avoid the cloud service continuing to incur charges, remember to destroy the scenario promptly after using it.
terraform destroy
If you are in a container, first execute the exit command to leave the container, and then execute the following commands on the host.
docker stop $(docker ps -a -q -f "name=terraformgoat*")
docker rm $(docker ps -a -q -f "name=terraformgoat*")
docker rmi $(docker images -a -q -f "reference=registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat*")
Contributions are welcomed and greatly appreciated. See CONTRIBUTING.md for details on the contribution workflow.
TerraformGoat is under the Apache 2.0 license. See the LICENSE file for details.
Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
Can you solve all 16 challenges?
Need support? Contact us via OWASP Slack for which you sign up here, file a PR, file an issue , or use discussions. Please note that this is an OWASP volunteer based project, so it might take a little while before we respond.
Can be used for challenges 1-4, 8, 12-15
For the basic docker exercises you currently require:
You can install it by doing:
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.0-no-vault
Now you can try to find the secrets by means of solving the challenge offered at:
Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
You can test them out at https://wrongsecrets.herokuapp.com/ as well! But please understand that we have NO guarantees that this works. Given that we run in the Heroku free tier, please do not fuzz and/or try to bring it down: you would be spoiling it for others who want to test-drive it.
Can be used for challenges 1-6, 8, 12-16
Make sure you have the following installed:
The K8S setup currently is based on using Minikube for local fun:
minikube start
kubectl apply -f k8s/secrets-config.yml
kubectl apply -f k8s/secrets-secret.yml
kubectl apply -f k8s/secret-challenge-deployment.yml
while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
minikube service secret-challenge
Now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
Want to run vanilla on your own k8s? Use the commands below:
kubectl apply -f k8s/secrets-config.yml
kubectl apply -f k8s/secrets-secret.yml
kubectl apply -f k8s/secret-challenge-deployment.yml
while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
kubectl port-forward \
$(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
8080:8080
Now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
Can be used for challenges 1-8, 12-16
Make sure you have the following installed:
Run ./k8s-vault-minikube-start.sh; when the script is done, the challenges will wait for you at http://localhost:8080. This will allow you to run challenges 1-8, 12-15.
When you have stopped the k8s-vault-minikube-start.sh script and want to resume the port forward, run k8s-vault-minikube-resume.sh. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
Can be used for challenges 1-16
READ THIS: Given that the exercises below contain IAM privilege escalation exercises, never run this on an account which is related to your production environment or can influence your account-over-arching resources.
Follow the steps in the README in the AWS subfolder.
Follow the steps in the README in the GCP subfolder.
Follow the steps in the README in the Azure subfolder.
When you want to include your own Canarytokens for your cloud-deployment, do the following:
AWS Keys, in the webHook URL field add <your-domain-created-at-step1>/canaries/tokencallback.
Each challenge has a Show hints button and a What's wrong? button. These buttons help to simplify the challenges and give an explanation to the reader. However, the explanations can spoil the fun if you want to do this as a hacking exercise. Therefore, you can control them by overriding the following settings in your env:
hints_enabled=false will turn off the Show hints button.
reason_enabled=false will turn off the What's wrong? explanation button.
Leaders:
Top contributors:
Testers:
Special mentions for helping out:
You can help us by the following methods:
As tons of secret detection tools are coming up for both Docker and Git, we are creating a Benchmark testbed for it. Want to know if your tool detects everything? We will keep track of the embedded secrets in this issue and have a branch in which we put additional secrets for your tool to detect. The branch will contain a Docker container generation script using which you can eventually test your container secret scanning.
For development on a local machine use the local profile:
./mvnw spring-boot:run -Dspring-boot.run.profiles=local
If you want to test against vault without K8s: start vault locally with
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_API_ADDR='http://127.0.0.1:8200'
vault server -dev
and in your next terminal, do (with the token from the previous commands):
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='<TOKENHERE>'
vault token create -id="00000000-0000-0000-0000-000000000000" -policy="root"
vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)"
Now use the local-vault profile to do your development:
./mvnw spring-boot:run -Dspring-boot.run.profiles=local,local-vault
If you want to develop without a Vault instance, additionally use the without-vault profile to do your development:
./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault
Want to push a container? See .github/scripts/docker-create-and-push.sh for a script that generates and pushes all containers. Do not forget to rebuild the app before composing the container.
We have CycloneDX and OWASP Dependency-Check integrated to check dependencies for vulnerabilities. You can use the OWASP Dependency-Check by calling mvn dependency-check:aggregate, and mvn cyclonedx:makeBom to use CycloneDX to create an SBOM.
To make changes load faster we added spring-dev-tools to the Maven project. To enable this in IntelliJ automatically, make sure:
You can also manually invoke: Build -> Recompile the file you just changed, this will also force reloading of the application.
Follow the steps below on adding a challenge:
org.owasp.wrongsecrets.challenges folder. Make sure you add an explanation in src/main/resources/explanations and refer to it from your new Challenge class.
@Order annotation to your challenge ;-).
If you want to move existing cloud challenges to another cloud: extend Challenge classes in the org.owasp.wrongsecrets.challenges.cloud package and make sure you add the required Terraform in a folder with the separate cloud identified. Make sure that the environment is added to org.owasp.wrongsecrets.RuntimeEnvironment. Collaborate with the others at the project to get your container running so you can test at the cloud account.