Ghostbuster - Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts

Overview

Table of Contents

Ghostbuster

Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts.

Ghostbuster obtains all the DNS records present in all of your AWS accounts (Route53), and can optionally take in records via CSV input, or via Cloudflare.

After these records are collected, Ghostbuster iterates through all of your AWS Elastic IPs and Network Interface Public IPs and collects this data.

By having a complete picture of the DNS records (from route53, file input or cloudflare) and having a complete picture of the AWS IPs owned by your organization, this tool can detect subdomains that are pointing to dangling elastic IPs (IPs you no longer own).

The problem

When you are deploying infrastructure to AWS, you may spin up EC2 instances which have an IP associated with them. When you create DNS records pointing to these IPs, but forget to remove the DNS records after the EC2 instance has been given a new IP or destroyed, you are susceptible to subdomain takeover attacks.

There has been a great amount of research done on elastic IP takeovers, where it is possible for attackers to continually claim elastic IPs until they obtain an IP associated with a subdomain of the company they are targeting.

While AWS frequently bans accounts that are attempting to perform this attack pattern, no long term fix has been released by AWS.

The impact of dangling elastic IP subdomain takeover attacks are more serious than a typical subdomain takeover where you can only control the content being served. With dangling elastic IP takeovers, it is possible for an attacker to do the following:

  • Claim SSL certificates for the subdomain
  • Listen for traffic on all ports (potentially discovering sensitive information still being sent to the subdomain)
  • Run server-side scripts with the ability to steal HTTPOnly cookies, typically leading to a one-click account takeover attack when cookies are scoped to *.domain.com

Project Features

  • Dynamically iterates through each AWS profile configured in .aws/config
  • Pulls A records from AWS Route53
  • Pulls A records from Cloudflare (optional)
  • Pulls A records from CSV input (optional)
  • Iterate through all regions, a single region, or a comma delimitted list of regions
  • Obtains all Elastic IPs associated with all of your AWS accounts
  • Obtains all Public IPs associated with all of your AWS accounts
  • Cross checks the DNS records, with IPs owned by your organization to detect potential takeovers
  • Slack Webhook support to send notifications of takeovers

Important:

In order for this tool to be effective, it must have a complete picture of your AWS environment. If it does not have a complete picture, it will lead to false positive findings.

Installing Ghostbuster

Installing Ghostbuster is as simple as running: pip install ghostbuster. The CLI tool will then be accessible via the ghostbuster command.

This requires a Python 3.x environment.

Using Ghostbuster

❯ ghostbuster scan aws --help     
Usage: ghostbuster scan aws [OPTIONS]

  Scan for dangling elastic IPs inside your AWS accounts.

Options:
  --skipascii             Skip printing the ASCII art when starting up
                          Ghostbuster.

  --slackwebhook TEXT     Specify a Slack webhook URL to send notifications
                          about potential takeovers.

  --records PATH          Manually specify DNS records to check against.
                          Ghostbuster will check these IPs after checking
                          retrieved DNS records. See records.csv for an
                          example.

  --cloudflaretoken TEXT  Pull DNS records from Cloudflare, provide a CF API
                          token.

  --allregions            Run on all regions.
  --exclude TEXT          Comma delimited list of profile names to exclude.
  --regions TEXT          Comma delimited list of regions to run on.
  --help                  Show this message and exit.

Example Commands

Run Ghostbuster with access to Cloudflare DNS records, send notifications to a Slack webhook, iterate through every AWS profile configured in .aws/config or .aws/credentials for all AWS regions

❯ ghostbuster scan aws --cloudflaretoken APIKEY --slackwebhook https://hooks.slack.com/services/KEY --allregions

Run Ghostbuster with a manually input list of subdomain A records (see records.csv in this repo for example file):

❯ ghostbuster scan aws --records records.csv

You can specify specific regions using --regions set to a comma delimited list of regions i.e. us-east-1,us-west-1.

Example Output

❯ ghostbuster scan aws --cloudflaretoken whougonnacall
Obtaining all zone names from Cloudflare.
Obtaining DNS A records for all zones from Cloudflare.
Obtained 33 DNS A records so far.
Obtaining Route53 hosted zones for AWS profile: default.
Obtaining Route53 hosted zones for AWS profile: account-five.
Obtaining Route53 hosted zones for AWS profile: account-four.
Obtaining Route53 hosted zones for AWS profile: account-four-deploy.
Obtaining Route53 hosted zones for AWS profile: account-two-deploy.
Obtaining Route53 hosted zones for AWS profile: account-one-deploy.
Obtaining Route53 hosted zones for AWS profile: account-three-deploy.
Obtaining Route53 hosted zones for AWS profile: account-six.
Obtaining Route53 hosted zones for AWS profile: account-seven.
Obtaining Route53 hosted zones for AWS profile: account-one.
Obtained 124 DNS A records so far.
Obtaining EIPs for region: us-east-1, profile: default
Obtaining IPs for network interfaces for region: us-east-1, profile: default
Obtaining EIPs for region: us-east-1, profile: account-five
Obtaining IPs for network interfaces for region: us-east-1, profile: account-five
Obtaining EIPs for region: us-east-1, profile: account-four
Obtaining IPs for network interfaces for region: us-east-1, profile: account-four
Obtaining EIPs for region: us-east-1, profile: account-four-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-four-deploy
Obtaining EIPs for region: us-east-1, profile: account-two-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-two-deploy
Obtaining EIPs for region: us-east-1, profile: account-one-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-one-deploy
Obtaining EIPs for region: us-east-1, profile: account-three-deploy
Obtaining IPs for network interfaces for region: us-east-1, profile: account-three-deploy
Obtaining EIPs for region: us-east-1, profile: account-six
Obtaining IPs for network interfaces for region: us-east-1, profile: account-six
Obtaining EIPs for region: us-east-1, profile: account-seven
Obtaining IPs for network interfaces for region: us-east-1, profile: account-seven
Obtaining EIPs for region: us-east-1, profile: account-one
Obtaining IPs for network interfaces for region: us-east-1, profile: account-one
Obtained 415 unique elastic IPs from AWS.


Takeover possible: {'name': 'takeover.assetnotecloud.com', 'records': ['52.54.24.193']}

Setting up your AWS accounts

The first step is creating keys or roles in your AWS accounts that grant the privileges necessary to read Route53 records and describe elastic addresses and EC2 network interfaces.

  1. To create a new IAM user in AWS, visit the following URL: https://console.aws.amazon.com/iam/home#/users$new?step=details
  2. Choose Access key - Programmatic access only, and click Next: Permissions.
  3. Click Attach existing policies directly and then click Create policy.
  4. Click JSON and then paste in the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GhostbusterPolicy",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAddresses",
                "ec2:DescribeNetworkInterfaces",
                "route53:ListResourceRecordSets",
                "route53:ListHostedZonesByName",
                "route53:GetTrafficPolicyInstance",
                "route53:GetTrafficPolicy"
            ],
            "Resource": "*"
        }
    ]
}
  1. Click Next: Tags and then Next: Review.
  2. Set the name of the policy to be GhostbusterPolicy.
  3. Click Create Policy.
  4. Go to https://console.aws.amazon.com/iam/home#/users$new?step=permissions&accessKey&userNames=ghostbuster&permissionType=policies
  5. Select GhostbusterPolicy.
  6. Click Next: Tags and then Next: Review.
  7. Click on Create user and setup the AWS credentials in your .aws/credentials file.

Repeat the above steps for each AWS account you own.

This tool will work with however you've setup your AWS configuration (multiple keys, or cross-account assume role profiles). This is managed by boto3, the library used to interface with AWS.

An example configuration looks like this:

.aws/credentials:

[default]
aws_access_key_id = AKIAIII...
aws_secret_access_key = faAaAaA...

.aws/config:

[default]
output = table
region = us-east-1

[profile account-one]
role_arn = arn:aws:iam::911111111113:role/Ec2Route53Access
source_profile = default
region = us-east-1

[profile account-two]
role_arn = arn:aws:iam::911111111112:role/Ec2Route53Access
source_profile = default
region = us-east-1

[profile account-three]
region = us-east-1
role_arn = arn:aws:iam::911111111111:role/Ec2Route53Access
source_profile = default

Alternatively, instead of having roles which are assumed, you can also configure the .aws/credentials file to have a list of profiles and assocaited keys with scoped access.

Once your AWS configuration has been set with all the accounts in your AWS environment, you can then run the tool using the following command:

Setting up Cloudflare (Optional)

If you want Ghostbuster to pull in all the A records that you have set in Cloudflare, you will have to setup an API token that can read zones.

https://dash.cloudflare.com/profile/api-tokens

Setup a Cloudflare API token like shown in the screenshot below:

Once you have obtained this API token, make a note of it somewhere (password manager). In order to use it with Ghostbuster, pass it in via the cloudflaretoken argument.

Authors

  • Shubham Shah - Initial work - github

See also the list of contributors who participated in this project.

License

GNU Affero General Public License

Owner
Assetnote
Assetnote
A Characther powerful in saints saiya anime and modular telegram group management bot built using python3

Kaneki Ken A Powerful and Modular Saint Aries is a Characther powerful in saints saiya anime and modular telegram group management bot built using pyt

1 Dec 20, 2021
An information scroller Twitter trends, news, weather for raspberry pi and Pimoroni Unicorn Hat Mini and Scroll Phat HD.

uticker An information scroller Twitter trends, news, weather for raspberry pi and Pimoroni Unicorn Hat Mini and Scroll Phat HD. Features include: Twi

kottuora 2 Dec 03, 2021
Using DST's API with Python

A short guide on how to access Denmark's Statistics API with python, together with a helper class that facilitates the collection of data and metadata from any DST's table

Alessandro Martinello 12 Jan 05, 2022
Auto-Approved-Bot - Auto Approved Invaite Link Request Telegram Bot

🤖 𝗔𝘂𝘁𝗼-𝗔𝗽𝗽𝗿𝗼𝘃𝗲-𝗕𝗼𝘁 🤖 ℹ️ 𝗨𝘀𝗲𝗴𝗲 ℹ️ When a join request invita

Muhammed 2 Jan 31, 2022
This Lambda will Pull propagated routes from TGW and update VPC route table

AWS-Transitgateway-Route-Propagation This Lambda will Pull propagated routes from TGW and update VPC route table. Tested on python 3.8 Lambda AWS INST

4 Jan 14, 2022
A Python Tumblr API v2 Client

PyTumblr Installation Install via pip: $ pip install pytumblr Install from source: $ git clone https://github.com/tumblr/pytumblr.git $ cd pytumblr $

Tumblr 644 Jan 15, 2022
𝐀 𝐦𝐨𝐝𝐮𝐥𝐚𝐫 𝐓𝐞𝐥𝐞𝐠𝐫𝐚𝐦 𝐆𝐫𝐨𝐮𝐩 𝐦𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐛𝐨𝐭 𝐰𝐢𝐭𝐡 𝐮𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐟𝐞𝐚𝐭𝐮𝐫𝐞𝐬 !!

𝐇𝐨𝐰 𝐓𝐨 𝐃𝐞𝐩𝐥𝐨𝐲 For easiest way to deploy this Bot click on the below button 𝐌𝐚𝐝𝐞 𝐁𝐲 𝐒𝐮𝐩𝐩𝐨𝐫𝐭 𝐆𝐫𝐨𝐮𝐩 𝐒𝐨𝐮𝐫𝐜𝐞𝐬 𝐆𝐞𝐧𝐞?

Mukesh Solanki 1 Dec 09, 2021
⚡️ Get notified as soon as your next CPU, GPU, or game console is in stock

Inventory Hunter This bot helped me snag an RTX 3070... hopefully it will help you get your hands on your next CPU, GPU, or game console. Requirements

Eric Marti 1.1k Jan 18, 2022
Spore Api

SporeApi Spore Api Simple example: import asyncio from spore_api.client import SporeClient async def main() - None: async with SporeClient() a

LEv145 16 Jan 02, 2022
A Discord bot to play bluffing games like Dobbins or Bobbins

Usage: pip install -r requirements.txt python3 bot.py DISCORD_BOT_TOKEN Gameplay: All commands are case-insensitive, with trailing punctuation and spa

3 Aug 25, 2021
Enumerate Microsoft 365 Groups in a tenant with their metadata

Enumerate Microsoft 365 Groups in a tenant with their metadata Description The all_groups.py script allows to enumerate all Microsoft 365 Groups in a

Clément Notin 45 Dec 14, 2021
An enhanced discord.py, based off of the now-archived discord.py project

enhanced-discord.py A modern, maintained, easy to use, feature-rich, and async ready API wrapper for Discord written in Python. The Future of enhanced

Devision 240 Feb 02, 2022
A Discord bot written in Python that can be used to control event management on a server.

Event Management Discord Bot A Discord bot written in Python that can be used to control event management on a Discord server. Made originally for GDS

Suvaditya Mukherjee 2 Dec 06, 2021
Auto Moderation is a powerfull moderation bot

Auto Moderation.py Auto Moderation a powerful Moderation Discord Bot 🎭 Futures Moderation Auto Moderation 🚀 Installation git clone https://github.co

G∙MAX 1 Jul 17, 2021
HelpDESK Dynamics

Helpdesk Application The project is a Helpdesk application (Helpdesk dynamics) where staff of an organization can raise and assign job/trouble tickets

Okeoma Ihunwo 0 Nov 13, 2021
Discord bot for user notes.

Noter A discord bot for handling notes for users. Want to keep track of things about your discord users? Then this bot is for you! Links DB Browser fo

Ori 3 Jan 27, 2022
If you only have hash, you can still operate exchange

PTH Exchange If you only have hash, you can still operate exchange This project module is the same as my other project Exchange_SSRF, This project use

Jumbo 28 Dec 16, 2021
💻 A fully functional local AWS cloud stack. Develop and test your cloud & Serverless apps offline!

LocalStack - A fully functional local AWS cloud stack LocalStack provides an easy-to-use test/mocking framework for developing Cloud applications. Cur

LocalStack 38.2k Jan 20, 2022
LavaAPI - A simple library for accepting payments and using the LAVA Wallet

This library was created to simplify the LAVA api provided on the official websi

Vlad Baccara 2 Jan 19, 2022
Automatically scrape all of your artifacts in Genshin Impact.

Genshin Artifact Scraper Automatically scrape all of your artifacts in Genshin Impact. Features: Simple recalibration (2 steps). GUI to select OCR reg

18 Dec 02, 2021