Merge pull request #73 from BishopFox/seth-dev

Release PR for 1.13.1
BishopFox · Jan 26, 2024 · b2c450e · b2c450e
2 parents 8e99347 + 997c13d
commit b2c450e
Show file tree

Hide file tree

Showing 16 changed files with 463 additions and 135 deletions.
diff --git a/aws/api-gws.go b/aws/api-gws.go
@@ -12,9 +12,7 @@ import (
 	"github.com/BishopFox/cloudfox/aws/sdk"
 	"github.com/BishopFox/cloudfox/internal"
 	"github.com/aws/aws-sdk-go-v2/aws"
-	"github.com/aws/aws-sdk-go-v2/service/apigateway"
 	apigatewayTypes "github.com/aws/aws-sdk-go-v2/service/apigateway/types"
-	"github.com/aws/aws-sdk-go-v2/service/apigatewayv2"
 	apigatewayV2Types "github.com/aws/aws-sdk-go-v2/service/apigatewayv2/types"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/bishopfox/awsservicemap"
@@ -25,8 +23,8 @@ var CURL_COMMAND string = "curl -X %s %s"
 
 type ApiGwModule struct {
 	// General configuration data
-	APIGatewayClient   *apigateway.Client
-	APIGatewayv2Client *apigatewayv2.Client
+	APIGatewayClient   sdk.APIGatewayClientInterface
+	APIGatewayv2Client sdk.APIGatewayv2ClientInterface
 
 	Caller     sts.GetCallerIdentityOutput
 	AWSRegions []string
@@ -127,13 +125,17 @@ func (m *ApiGwModule) PrintApiGws(outputDirectory string, verbosity int) {
 
 	}
 	if len(m.output.Body) > 0 {
-		m.output.FilePath = filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfile, aws.ToString(m.Caller.Account)))
+		filepath := filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfile, aws.ToString(m.Caller.Account)))
 
 		o := internal.OutputClient{
 			Verbosity:     verbosity,
 			CallingModule: m.output.CallingModule,
 			Table: internal.TableClient{
-				Wrap: m.WrapTable,
+				Wrap:          m.WrapTable,
+				DirectoryName: filepath,
+			},
+			Loot: internal.LootClient{
+				DirectoryName: filepath,
 			},
 		}
 		o.Table.TableFiles = append(o.Table.TableFiles, internal.TableFile{
@@ -142,9 +144,13 @@ func (m *ApiGwModule) PrintApiGws(outputDirectory string, verbosity int) {
 			Name:   m.output.CallingModule,
 		})
 		o.PrefixIdentifier = m.AWSProfile
-		o.Table.DirectoryName = filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfile, aws.ToString(m.Caller.Account)))
-		o.WriteFullOutput(o.Table.TableFiles, nil)
-		m.writeLoot(o.Table.DirectoryName, verbosity)
+		loot := m.writeLoot(o.Table.DirectoryName, verbosity)
+		o.Loot.LootFiles = append(o.Loot.LootFiles, internal.LootFile{
+			Name:     m.output.CallingModule,
+			Contents: loot,
+		})
+		o.WriteFullOutput(o.Table.TableFiles, o.Loot.LootFiles)
+
 		fmt.Printf("[%s][%s] %s API gateways found.\n", cyan(m.output.CallingModule), cyan(m.AWSProfile), strconv.Itoa(len(m.output.Body)))
 	} else {
 		fmt.Printf("[%s][%s] No API gateways found, skipping the creation of an output file.\n", cyan(m.output.CallingModule), cyan(m.AWSProfile))
@@ -199,7 +205,7 @@ func (m *ApiGwModule) executeChecks(r string, wg *sync.WaitGroup, semaphore chan
 	}
 }
 
-func (m *ApiGwModule) writeLoot(outputDirectory string, verbosity int) {
+func (m *ApiGwModule) writeLoot(outputDirectory string, verbosity int) string {
 	path := filepath.Join(outputDirectory, "loot")
 	err := os.MkdirAll(path, os.ModePerm)
 	if err != nil {
@@ -237,12 +243,12 @@ func (m *ApiGwModule) writeLoot(outputDirectory string, verbosity int) {
 		out += line + "\n"
 	}
 
-	err = os.WriteFile(f, []byte(out), 0644)
-	if err != nil {
-		m.modLog.Error(err.Error())
-		m.CommandCounter.Error++
-		panic(err.Error())
-	}
+	// err = os.WriteFile(f, []byte(out), 0644)
+	// if err != nil {
+	// 	m.modLog.Error(err.Error())
+	// 	m.CommandCounter.Error++
+	// 	panic(err.Error())
+	// }
 
 	if verbosity > 2 {
 		fmt.Println()
@@ -253,6 +259,8 @@ func (m *ApiGwModule) writeLoot(outputDirectory string, verbosity int) {
 
 	fmt.Printf("[%s][%s] Loot written to [%s]\n", cyan(m.output.CallingModule), cyan(m.AWSProfile), f)
 
+	return out
+
 }
 
 func (m *ApiGwModule) getAPIGatewayAPIsPerRegion(r string, wg *sync.WaitGroup, semaphore chan struct{}, dataReceiver chan ApiGateway) {

diff --git a/aws/api-gws_test.go b/aws/api-gws_test.go
@@ -0,0 +1,58 @@
+package aws
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/BishopFox/cloudfox/aws/sdk"
+	"github.com/BishopFox/cloudfox/internal"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/spf13/afero"
+)
+
+func TestApiGw(t *testing.T) {
+
+	m := ApiGwModule{
+		AWSProfile: "unittesting",
+		AWSRegions: []string{"us-east-1"},
+		Caller: sts.GetCallerIdentityOutput{
+			Arn:     aws.String("arn:aws:iam::123456789012:user/Alice"),
+			Account: aws.String("123456789012"),
+		},
+		Goroutines:         3,
+		WrapTable:          false,
+		APIGatewayClient:   &sdk.MockedAWSAPIGatewayClient{},
+		APIGatewayv2Client: &sdk.MockedAWSAPIGatewayv2Client{},
+	}
+
+	fs := internal.MockFileSystem(true)
+	defer internal.MockFileSystem(false)
+	tmpDir := "~/.cloudfox/"
+
+	m.PrintApiGws(tmpDir, 2)
+
+	resultsFilePath := filepath.Join(tmpDir, "cloudfox-output/aws/unittesting-123456789012/table/api-gw.txt")
+	resultsFile, err := afero.ReadFile(fs, resultsFilePath)
+	if err != nil {
+		t.Fatalf("Cannot read output file at %s: %s", resultsFilePath, err)
+	}
+	//print the results file to the screen
+	//fmt.Println(string(resultsFile))
+
+	// I want a test that runs the main function and checks the output to see if the following items are in the output: "https://qwerty.execute-api.us-east-1.amazonaws.com/stage1/path1", "https://asdfsdfasdf.execute-api.us-east-1.amazonaws.com/stage1/route2"
+
+	expectedResults := []string{
+		"https://qwerty.execute-api.us-east-1.amazonaws.com/stage1/path1",
+		"https://asdfsdfasdf.execute-api.us-east-1.amazonaws.com/stage1/route2",
+		"https://asdfsdfasdf.execute-api.us-east-1.amazonaws.com/stage2/route1",
+		"23oieuwefo3rfs",
+	}
+
+	for _, expected := range expectedResults {
+		if !strings.Contains(string(resultsFile), expected) {
+			t.Errorf("Expected %s to be in the results file", expected)
+		}
+	}
+}
diff --git a/aws/client-initializers.go b/aws/client-initializers.go
@@ -20,10 +20,10 @@ import (
 func initIAMSimClient(iamSimPPClient sdk.AWSIAMClientInterface, caller sts.GetCallerIdentityOutput, AWSProfile string, Goroutines int) IamSimulatorModule {
 
 	iamSimMod := IamSimulatorModule{
-		IAMClient:  iamSimPPClient,
-		Caller:     caller,
-		AWSProfile: AWSProfile,
-		Goroutines: Goroutines,
+		IAMClient:          iamSimPPClient,
+		Caller:             caller,
+		AWSProfileProvided: AWSProfile,
+		Goroutines:         Goroutines,
 	}
 
 	return iamSimMod

diff --git a/aws/iam-simulator.go b/aws/iam-simulator.go
@@ -27,9 +27,10 @@ type IamSimulatorModule struct {
 	AWSOutputType string
 	AWSTableCols  string
 
-	Goroutines int
-	AWSProfile string
-	WrapTable  bool
+	Goroutines         int
+	AWSProfileProvided string
+	AWSProfileStub     string
+	WrapTable          bool
 
 	// Main module data
 	SimulatorResults []SimulatorResult
@@ -76,16 +77,19 @@ func (m *IamSimulatorModule) PrintIamSimulator(principal string, action string,
 	m.modLog = internal.TxtLog.WithFields(logrus.Fields{
 		"module": m.output.CallingModule,
 	})
-	m.output.FilePath = filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfile, aws.ToString(m.Caller.Account)))
+	m.output.FilePath = filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfileStub, aws.ToString(m.Caller.Account)))
 	var filename string
 	var actionList []string
 	var pmapperCommands []string
 	var pmapperOutFileName string
 	var inputArn string
 
-	if m.AWSProfile == "" {
-		m.AWSProfile = internal.BuildAWSPath(m.Caller)
+	if m.AWSProfileProvided == "" {
+		m.AWSProfileStub = internal.BuildAWSPath(m.Caller)
+	} else {
+		m.AWSProfileStub = m.AWSProfileProvided
 	}
+
 	wg := new(sync.WaitGroup)
 	// Create a channel to signal the spinner aka task status goroutine to finish
 	spinnerDone := make(chan bool)
@@ -104,7 +108,7 @@ func (m *IamSimulatorModule) PrintIamSimulator(principal string, action string,
 	if principal != "" {
 		if action != "" {
 			// The user specified a specific --principal and a specific --action
-			fmt.Printf("[%s][%s] Checking to see if %s can do %s.\n", cyan(m.output.CallingModule), cyan(m.AWSProfile), principal, action)
+			fmt.Printf("[%s][%s] Checking to see if %s can do %s.\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), principal, action)
 			filename = filepath.Join(fmt.Sprintf("%s-custom-%s", m.output.CallingModule, strconv.FormatInt((time.Now().Unix()), 10)))
 			actionList = append(actionList, action)
 			// if user supplied a principal name without the arn, try to create the arn as a user and as a role and run both
@@ -122,7 +126,7 @@ func (m *IamSimulatorModule) PrintIamSimulator(principal string, action string,
 
 		} else {
 			// The user specified a specific --principal, but --action was empty
-			fmt.Printf("[%s][%s] Checking to see if %s can do any actions of interest.\n", cyan(m.output.CallingModule), cyan(m.AWSProfile), principal)
+			fmt.Printf("[%s][%s] Checking to see if %s can do any actions of interest.\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), principal)
 			filename = filepath.Join(fmt.Sprintf("%s-custom-%s", m.output.CallingModule, strconv.FormatInt((time.Now().Unix()), 10)))
 
 			// if user supplied a principal name without the arn, try to create the arn as a user and as a role and run both
@@ -142,23 +146,31 @@ func (m *IamSimulatorModule) PrintIamSimulator(principal string, action string,
 	} else {
 		if action != "" {
 			// The did not specify a specific --principal, but they did specify an --action
-			fmt.Printf("[%s][%s] Checking to see if any principal can do %s.\n", cyan(m.output.CallingModule), cyan(m.AWSProfile), action)
+			fmt.Printf("[%s][%s] Checking to see if any principal can do %s.\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), action)
 			filename = filepath.Join(fmt.Sprintf("%s-custom-%s", m.output.CallingModule, strconv.FormatInt((time.Now().Unix()), 10)))
 			actionList = append(actionList, action)
 			wg.Add(1)
 			m.getIAMUsers(wg, actionList, resource, dataReceiver)
 			wg.Add(1)
 			m.getIAMRoles(wg, actionList, resource, dataReceiver)
 			pmapperOutFileName = filepath.Join(filename, "loot", fmt.Sprintf("pmapper-output-%s.txt", action))
-			pmapperCommands = append(pmapperCommands, fmt.Sprintf("pmapper --profile %s query \"who can do %s with %s\" | tee %s\n", m.AWSProfile, action, resource, pmapperOutFileName))
+			if m.AWSProfileProvided != "" {
+				pmapperCommands = append(pmapperCommands, fmt.Sprintf("pmapper --profile %s query \"who can do %s with %s\" | tee %s\n", m.AWSProfileProvided, action, resource, pmapperOutFileName))
+			} else {
+				pmapperCommands = append(pmapperCommands, fmt.Sprintf("pmapper query \"who can do %s with %s\" | tee %s\n", action, resource, pmapperOutFileName))
+			}
 		} else {
 			// Both --principal and --action are empty. Run in default mode!
-			fmt.Printf("[%s][%s] Running multiple iam-simulator queries for account %s. (This command can be pretty slow, FYI)\n", cyan(m.output.CallingModule), cyan(m.AWSProfile), aws.ToString(m.Caller.Account))
+			fmt.Printf("[%s][%s] Running multiple iam-simulator queries for account %s. (This command can be pretty slow, FYI)\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), aws.ToString(m.Caller.Account))
 			filename = m.output.CallingModule
 			m.executeChecks(wg, resource, dataReceiver)
 			for _, action := range defaultActionNames {
 				pmapperOutFileName = filepath.Join(filename, "loot", fmt.Sprintf("pmapper-output-%s.txt", action))
-				pmapperCommands = append(pmapperCommands, fmt.Sprintf("pmapper --profile %s query \"who can do %s with %s\" | tee %s\n", m.AWSProfile, action, resource, pmapperOutFileName))
+				if m.AWSProfileProvided != "" {
+					pmapperCommands = append(pmapperCommands, fmt.Sprintf("pmapper --profile %s query \"who can do %s with %s\" | tee %s\n", m.AWSProfileProvided, action, resource, pmapperOutFileName))
+				} else {
+					pmapperCommands = append(pmapperCommands, fmt.Sprintf("pmapper query \"who can do %s with %s\" | tee %s\n", action, resource, pmapperOutFileName))
+				}
 			}
 
 		}
@@ -225,7 +237,7 @@ func (m *IamSimulatorModule) PrintIamSimulator(principal string, action string,
 
 	}
 	if len(m.output.Body) > 0 {
-		m.output.FilePath = filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfile, aws.ToString(m.Caller.Account)))
+		m.output.FilePath = filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfileStub, aws.ToString(m.Caller.Account)))
 
 		o := internal.OutputClient{
 			Verbosity:     verbosity,
@@ -240,20 +252,20 @@ func (m *IamSimulatorModule) PrintIamSimulator(principal string, action string,
 			TableCols: tableCols,
 			Name:      filename,
 		})
-		o.PrefixIdentifier = m.AWSProfile
-		o.Table.DirectoryName = filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfile, aws.ToString(m.Caller.Account)))
+		o.PrefixIdentifier = m.AWSProfileStub
+		o.Table.DirectoryName = filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfileStub, aws.ToString(m.Caller.Account)))
 		o.WriteFullOutput(o.Table.TableFiles, nil)
-		fmt.Printf("[%s][%s] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.\n", cyan(m.output.CallingModule), cyan(m.AWSProfile))
+		fmt.Printf("[%s][%s] We suggest running the pmapper commands in the loot file to get the same information but taking privesc paths into account.\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub))
 		// fmt.Printf("[%s]\t\tpmapper --profile %s graph create\n", cyan(m.output.CallingModule),  cyan(m.AWSProfile), m.AWSProfile)
 		// for _, line := range pmapperCommands {
 		// 	fmt.Printf("[%s]\t\t%s", cyan(m.output.CallingModule),  cyan(m.AWSProfile), line)
 		// }
 		m.writeLoot(o.Table.DirectoryName, verbosity, pmapperCommands)
 
 	} else if principal != "" || action != "" {
-		fmt.Printf("[%s][%s] No allowed permissions identified, skipping the creation of an output file.\n", cyan(m.output.CallingModule), cyan(m.AWSProfile))
+		fmt.Printf("[%s][%s] No allowed permissions identified, skipping the creation of an output file.\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub))
 	}
-	fmt.Printf("[%s][%s] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#%s\n", cyan(m.output.CallingModule), cyan(m.AWSProfile), m.output.CallingModule)
+	fmt.Printf("[%s][%s] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#%s\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), m.output.CallingModule)
 }
 
 func (m *IamSimulatorModule) writeLoot(outputDirectory string, verbosity int, pmapperCommands []string) {
@@ -266,7 +278,11 @@ func (m *IamSimulatorModule) writeLoot(outputDirectory string, verbosity int, pm
 
 	outFile := filepath.Join(path, "iam-simulator-pmapper-commands.txt")
 	var out string
-	out = out + fmt.Sprintf("pmapper --profile %s graph create\n", m.AWSProfile)
+	if m.AWSProfileProvided != "" {
+		out = out + fmt.Sprintf("pmapper --profile %s graph create\n", m.AWSProfileProvided)
+	} else {
+		out = out + fmt.Sprintf("pmapper graph create\n")
+	}
 	for _, line := range pmapperCommands {
 		out = out + line
 	}
@@ -278,12 +294,12 @@ func (m *IamSimulatorModule) writeLoot(outputDirectory string, verbosity int, pm
 
 	if verbosity > 2 {
 		fmt.Println()
-		fmt.Printf("[%s][%s] %s \n", cyan(m.output.CallingModule), cyan(m.AWSProfile), green("We suggest running these pmapper commands in the loot file to get the same information but taking privesc paths into account."))
+		fmt.Printf("[%s][%s] %s \n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), green("We suggest running these pmapper commands in the loot file to get the same information but taking privesc paths into account."))
 		fmt.Print(out)
-		fmt.Printf("[%s][%s] %s \n\n", cyan(m.output.CallingModule), cyan(m.AWSProfile), green("End of loot file."))
+		fmt.Printf("[%s][%s] %s \n\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), green("End of loot file."))
 	}
 
-	fmt.Printf("[%s][%s] Loot written to [%s]\n", cyan(m.output.CallingModule), cyan(m.AWSProfile), outFile)
+	fmt.Printf("[%s][%s] Loot written to [%s]\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), outFile)
 
 }
 

diff --git a/aws/instances.go b/aws/instances.go
@@ -512,6 +512,21 @@ func (m *InstancesModule) loadInstanceData(instance types.Instance, region strin
 
 	if instance.IamInstanceProfile == nil {
 		profile = "NoInstanceProfile"
+		dataReceiver <- MappedInstance{
+			ID:               aws.ToString(instance.InstanceId),
+			Name:             aws.ToString(&name),
+			Arn:              fmt.Sprintf("arn:aws:ec2:%s:%s:instance/%s", region, aws.ToString(m.Caller.Account), aws.ToString(instance.InstanceId)),
+			AvailabilityZone: aws.ToString(instance.Placement.AvailabilityZone),
+			State:            string(instance.State.Name),
+			ExternalIP:       externalIP,
+			PrivateIP:        aws.ToString(instance.PrivateIpAddress),
+			Profile:          profile,
+			Role:             "",
+			Region:           region,
+			Admin:            adminRole,
+			CanPrivEsc:       "",
+		}
+
 	} else {
 		profileArn = aws.ToString(instance.IamInstanceProfile.Arn)