Merge pull request duo-labs#100 from 0xdabbad00/public

Add public command

Author: 0xdabbad00

README.md

@@ -147,10 +147,12 @@ python cloudmapper.py collect --account-name my_account
 # Commands
 
 - `collect`: Collect metadata about an account. More details [here](https://summitroute.com/blog/2018/06/05/cloudmapper_collect/).
+- `find_admins`: Look at IAM policies to identify admin users and roles and spot potential IAM issues. More details [here](https://summitroute.com/blog/2018/06/12/cloudmapper_find_admins/).
 - `prepare`/`webserver`: See [Network Visualizations](docs/network_visualizations.md)
-- `stats`: Show counts of resources for accounts. More details [here](https://summitroute.com/blog/2018/06/06/cloudmapper_stats/).
+- `public`: Find public hosts and port ranges. More details [here](https://summitroute.com/blog/2018/06/13/cloudmapper_public/).
 - `sg_ips`: Get geoip info on CIDRs trusted in Security Groups. More details [here](https://summitroute.com/blog/2018/06/12/cloudmapper_sg_ips/).
-- `find_admins`: Look at IAM policies to identify admin users and roles and spot potential IAM issues. More details [here](https://summitroute.com/blog/2018/06/12/cloudmapper_find_admins/).
+- `stats`: Show counts of resources for accounts. More details [here](https://summitroute.com/blog/2018/06/06/cloudmapper_stats/).
+
 
 Licenses
 --------

commands/find_admins.py

@@ -102,7 +102,7 @@ def find_admins(accounts, config):
                 continue
             log_error('Problem opening iam data, skipping account', location, [file_name])
             continue
-        
+
         admin_policies = []
         policy_action_counts = {}
         for policy in iam['Policies']:
@@ -112,7 +112,7 @@ def find_admins(accounts, config):
 
             if is_admin_policy(policy_doc, location):
                 admin_policies.append(policy['Arn'])
-                if ('arn:aws:iam::aws:policy/AdministratorAccess' in policy['Arn'] or 
+                if ('arn:aws:iam::aws:policy/AdministratorAccess' in policy['Arn'] or
                     'arn:aws:iam::aws:policy/IAMFullAccess' in policy['Arn']):
                     # Ignore the admin policies that are obviously admin
                     continue

commands/prepare.py

@@ -33,6 +33,14 @@
 
 __description__ = "Generate network connection information file"
 
+MUTE = False
+
+def log(msg):
+    if MUTE:
+        return
+    print msg
+
+
 def get_vpcs(region, outputfilter):
     vpc_filter = ""
     if "vpc-ids" in outputfilter:
@@ -196,8 +204,12 @@ def get_connections(cidrs, vpc, outputfilter):
 def build_data_structure(account_data, config, outputfilter):
     cytoscape_json = []
 
+    if outputfilter.get('mute', False):
+        global MUTE
+        MUTE = True
+
     account = Account(None, account_data)
-    print("Building data for account {} ({})".format(account.name, account.local_id))
+    log("Building data for account {} ({})".format(account.name, account.local_id))
 
     cytoscape_json.append(account.cytoscape_data())
     for region_json in get_regions(account, outputfilter):
@@ -260,7 +272,7 @@ def build_data_structure(account_data, config, outputfilter):
             cytoscape_json.append(region.cytoscape_data())
             account.addChild(region)
 
-        print("- {} nodes built in region {}".format(node_count_per_region, region.local_id))
+        log("- {} nodes built in region {}".format(node_count_per_region, region.local_id))
 
     # Get VPC peerings
     for region in account.children:
@@ -301,7 +313,7 @@ def build_data_structure(account_data, config, outputfilter):
         if cidr.is_used:
             used_cidrs += 1
             cytoscape_json.append(cidr.cytoscape_data())
-    print("- {} external CIDRs built".format(used_cidrs))
+    log("- {} external CIDRs built".format(used_cidrs))
 
     total_number_of_nodes = len(cytoscape_json)
 
@@ -312,17 +324,17 @@ def build_data_structure(account_data, config, outputfilter):
             continue
         c._json = reasons
         cytoscape_json.append(c.cytoscape_data())
-    print("- {} connections built".format(len(connections)))
+    log("- {} connections built".format(len(connections)))
 
     # Check if we have a lot of data, and if so, show a warning
     # Numbers chosen here are arbitrary
     MAX_NODES_FOR_WARNING = 200
     MAX_EDGES_FOR_WARNING = 500
     if total_number_of_nodes > MAX_NODES_FOR_WARNING or len(connections) > MAX_EDGES_FOR_WARNING:
-        print("WARNING: There are {} total nodes and {} total edges.".format(total_number_of_nodes, len(connections)))
-        print("  This will be difficult to display and may be too complex to make sense of.")
-        print("  Consider reducing the number of items in the diagram by viewing a single")
-        print("   region, ignoring internal edges, or other filtering.")
+        log("WARNING: There are {} total nodes and {} total edges.".format(total_number_of_nodes, len(connections)))
+        log("  This will be difficult to display and may be too complex to make sense of.")
+        log("  Consider reducing the number of items in the diagram by viewing a single")
+        log("   region, ignoring internal edges, or other filtering.")
 
     return cytoscape_json
 

commands/public.py

@@ -0,0 +1,127 @@
+from __future__ import print_function
+import sys
+import json
+import pyjq
+from shared.common import parse_arguments
+from commands.prepare import build_data_structure
+
+__description__ = "Find publicly exposed services and their ports"
+
+# TODO Look for IPv6 also
+# TODO Look at more services from https://github.com/arkadiyt/aws_public_ips
+# TODO Integrate into something to more easily port scan and screenshot web services
+
+def regroup_ranges(rgs):
+    """
+    Functions to reduce sets of ranges.
+
+    Examples:
+    [[80,80],[80,80]] -> [80,80]
+    [[80,80],[0,65000]] -> [0,65000]
+
+    Taken from https://stackoverflow.com/questions/47656430/given-a-list-of-tuples-representing-ranges-condense-the-ranges-write-a-functio
+    """
+
+    def overlap(r1, r2):
+        """
+        Check for overlap in ranges.
+        Returns -1 to ensure ranges like (2, 3) and (4, 5) merge into (2, 5)
+        """
+        return r1[1] >= r2[0] - 1
+
+    def merge_range(r1, r2):
+        s1, e1 = r1
+        s2, e2 = r2
+        return (min(s1, s2), max(e1, e2))
+
+    assert all([s <= e for s, e in rgs])
+    if len(rgs) == 0:
+        return rgs
+
+    rgs.sort()
+
+    regrouped = [rgs[0]]
+
+    for r2 in rgs[1:]:
+        r1 = regrouped.pop()
+        if overlap(r1, r2):
+            regrouped.append(merge_range(r1, r2))
+        else:
+            regrouped.append(r1)
+            regrouped.append(r2)
+
+    return regrouped
+
+
+def port_ranges_string(port_ranges):
+    """
+    Given an array of tuple port ranges return a string that makes this more readable.
+    Ex. [[80,80],[443,445]] -> "80,443-445"
+    """
+
+    def port_range_string(port_range):
+        if port_range[0] == port_range[1]:
+            return '{}'.format(port_range[0])
+        return '{}-{}'.format(port_range[0], port_range[1])
+    return ','.join(map(port_range_string, port_ranges))
+
+
+def log_warning(msg):
+    print('WARNING: {}'.format(msg), file=sys.stderr)
+
+
+def public(accounts, config):
+    for account in accounts:
+        # Get the data from the `prepare` command
+        outputfilter = {'internal_edges': False, 'read_replicas': False, 'inter_rds_edges': False, 'azs': False, 'collapse_by_tag': None, 'mute': True}
+        network = build_data_structure(account, config, outputfilter)
+
+        # Look at all the edges for ones connected to the public Internet (0.0.0.0/0)
+        for edge in pyjq.all('.[].data|select(.type=="edge")|select(.source=="0.0.0.0/0")', network):
+
+            # Find the node at the other end of this edge
+            target = {'arn': edge['target'], 'account': account['name']}
+            target_node = pyjq.first('.[].data|select(.id=="{}")'.format(target['arn']), network, {})
+
+            # Depending on the type of node, identify what the IP or hostname is
+            if target_node['type'] == 'elb':
+                target['type'] = 'elb'
+                target['hostname'] = target_node['node_data']['DNSName']
+            elif target_node['type'] == 'autoscaling':
+                target['type'] = 'autoscaling'
+                target['hostname'] = target_node['node_data'].get('PublicIpAddress', '')
+                if target['hostname'] == '':
+                    target['hostname'] = target_node['node_data']['PublicDnsName']
+            elif target_node['type'] == 'rds':
+                target['type'] = 'rds'
+                target['hostname'] = target_node['node_data']['Endpoint']['Address']
+            elif target_node['type'] == 'ec2':
+                target['type'] = 'ec2'
+                dns_name = target_node['node_data'].get('PublicDnsName', '')
+                target['hostname'] = target_node['node_data'].get('PublicIpAddress', dns_name)
+            else:
+                print(pyjq.first('.[].data|select(.id=="{}")|[.type, (.node_data|keys)]'.format(target['arn']), network, {}))
+
+            # Check if any protocol is allowed (indicated by IpProtocol == -1)
+            ingress = pyjq.all('.[].IpPermissions[]', edge.get('node_data', {}))
+            if pyjq.first('.[]|select(.IpProtocol=="-1")|.IpProtocol', ingress, '1') == '-1':
+                log_warning('All protocols allowed access to {}'.format(target))
+                range_string = '0-65535'
+            else:
+                # from_port and to_port mean the beginning and end of a port range
+                # We only care about TCP (6) and UDP (17)
+                # For more info see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
+                selection = 'select((.IpProtocol=="tcp") or (.IpProtocol=="udp")) | select(.IpRanges[].CidrIp=="0.0.0.0/0")'
+                port_ranges = pyjq.all('.[]|{}| [.FromPort,.ToPort]'.format(selection), ingress)
+                range_string = port_ranges_string(regroup_ranges(port_ranges))
+
+            target['ports'] = range_string
+            if target['ports'] == "":
+                issue_msg = 'No ports open for tcp or udp (probably can only be pinged). Rules that are not tcp or udp: {} -- {}'
+                log_warning(issue_msg.format(json.dumps(pyjq.all('.[]|select((.IpProtocol!="tcp") and (.IpProtocol!="udp"))'.format(selection), ingress)), account))
+            print(json.dumps(target, indent=4, sort_keys=True))
+
+
+def run(arguments):
+    _, accounts, config = parse_arguments(arguments)
+    public(accounts, config)

utils/nmap_scan.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# Expected format:
+# ```
+# 127.0.0.1:22,80,443
+# ```
+
+# Convert the `public` output with:
+# python cloudmapper.py public --account demo | jq -r '.hostname+":"+.ports' | sort | uniq > /tmp/host_ports.txt
+# ./utils/nmap_scan.sh /tmp/host_ports.txt 
+
+cat $1 | while read line;do IP=$(echo -n $line | awk -F\: '{ print $1 }'); PLIST=$(echo -n $line | awk -F\: '{ print $2 }'); nmap -sV -oG - -PN -p$PLIST $IP;done

utils/screenshot.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# Screenshot the host passed as a parameter.
+# Kills any existing Firefox, and tries to run it in headless mode for 10 seconds.
+# Must set `toolkit.startup.max_resumed_crashes` to `-1` in `about:config`
+
+killall firefox-bin
+echo $1
+mkdir -p screenshots
+gtimeout -s9 10 /Applications/Firefox.app/Contents/MacOS/firefox-bin --headless --window-size=1024,1024 --screenshot screenshots/$1.png $1