关于幽灵破坏者
Ghostbuster强大的功能Elastic通过对目标的安全审计工具AWS分析账户中的资源,消除账户中的资源Elastic悬空IP。
Ghostbuster可以帮助研究人员实现目标AWS账号(Route53)中所有的DNS通过记录和选择CSV输入或Cloudflare接收搜索到的记录。
收集到这些记录和数据之后,捉鬼敢死队将会遍历所有AWS Elastic IP公共网络接口IP,并收集这些数据。
在拿到所有DNS记录(来自route53、文件输入或cloudflare)目标组织拥有的完整信息和完整信息AWS IP在完整的信息之后,该工具将能够检测到指向悬空Elastic IP子域名(已失效)。
功能介绍
- 动态枚举".aws/config"中的每一个AWS账号;
- 从AWS Route53中提取记录;
- 从Cloudflare提取记录(可选);
- 从CSV提取输入记录(可选);
- 通过逗号分隔的所有区域、单个区域或区域列表;
- 获取与所有AWS所有帐户关联Elastic IP;
- 获取与所有AWS所有与账户相关的公众IP;
- 交叉检查DNS记录,以及组织拥有的IP,检测接管潜在风险;
- Slack Webhook支持接管通知的发送;
工具下载&安装
该工具基于Python因此,我们首先需要安装和配置本地设备Python 3.x环境。
捉鬼敢死队的下载和安装都很简单,广大研究人员可以用以下命令将项目源码克隆到本地:
git clone https://github.com/assetnote/ghostbuster.git
或直接使用以下命令进行安装:
pip install ghostbuster
然后通过"捉鬼敢死队"命令来使用Ghostbuster即可。
工具使用
? ghostbuster scan aws --help
Usage: ghostbuster scan aws [OPTIONS]
Scan for dangling elastic IPs inside your AWS accounts.
Options:
--profile TEXT 指定Ghostbuster需要扫描的AWS账号信息
--skipascii Ghostbuster启动后,不打印ASCII字符
--slackwebhook TEXT 指定一个Slack Webhook URL发送潜在接管通知信息
--records PATH 手动手动指定DNS记录。Ghostbuster检查检索到的DNS记录后检查这些IP
--cloudflaretoken TEXT 从Cloudflare中提取DNS需要提供记录CF API令牌
--allregions 扫描全范围
--exclude TEXT 要排除的配置文件名称列表用逗号分隔
--regions TEXT 扫描区域列表,用逗号分隔
--help 显示帮助信息和退出
Usage: ghostbuster scan aws [OPTIONS]
Scan for dangling elastic IPs inside your AWS accounts.
Options:
--profile TEXT 指定Ghostbuster需要扫描的AWS账号信息
--skipascii Ghostbuster启动后,不打印ASCII字符
--slackwebhook TEXT 指定一个Slack Webhook URL发送潜在接管通知信息
--records PATH 手动手动指定DNS记录。Ghostbuster检查检索到的DNS记录后检查这些IP
--cloudflaretoken TEXT 从Cloudflare中提取DNS需要提供记录CF API令牌
--allregions 扫描全范围
--exclude TEXT 要排除的配置文件名称列表用逗号分隔
--regions TEXT 扫描区域列表,用逗号分隔
--help 显示帮助信息和退出
配置Cloudflare
配置AWS账号
.aws/credentials:
[default]
aws_access_key_id = AKIAIII
aws_secret_access_key = faAaAaA
aws_access_key_id = AKIAIII
aws_secret_access_key = faAaAaA
.aws/config:
[default]
output = table
region = us-east-1
[profile account-one]
role_arn = arn:aws:iam::911111111113:role/Ec2Route53Access
source_profile = default
region = us-east-1
[profile account-two]
role_arn = arn:aws:iam::911111111112:role/Ec2Route53Access
source_profile = default
region = us-east-1
[profile account-three]
region = us-east-1
role_arn = arn:aws:iam::911111111111:role/Ec2Route53Access
source_profile = default
output = table
region = us-east-1
[profile account-one]
role_arn = arn:aws:iam::911111111113:role/Ec2Route53Access
source_profile = default
region = us-east-1
[profile account-two]
role_arn = arn:aws:iam::911111111112:role/Ec2Route53Access
source_profile = default
region = us-east-1
[profile account-three]
region = us-east-1
role_arn = arn:aws:iam::911111111111:role/Ec2Route53Access
source_profile = default
工具使用样例
运行Ghostbuster,提供Cloudflare DNS记录的访问令牌,向Slack Webhook发送通知,全部遍历AWS区域中".aws/config or .aws/credentials"每一个内部配置AWS账号:
? ghostbuster scan aws --cloudflaretoken APIKEY --slackwebhook https://hooks.slack.com/services/KEY --allregions
使用手动输入的子域名A记录列表(详见记录列表)records.csv格式)运行Ghostbuster:
? ghostbuster scan aws --records records.csv
工具输出样例
? ghostbuster scan aws --cloudflaretoken whougonnacall
Obtaining all zone names from Cloudflare.
Obtaining DNS A records for all zones from Cloudflare.
Obtained 33 DNS A records so far.
Obtaining Route53 hosted zones for AWS profile: default.
Obtaining Route53 hosted zones for AWS profile: account-five.
Obtaining Route53 hosted zones for AWS profile: account-four.
Obtaining Route53 hosted zones for AWS profile: account-four-deploy.
Obtaining Route53 hosted zones for AWS profile: account-two-deploy.
Obtaining Route53 hosted zones for AWS profile: account-one-deploy.
Obtaining Route53 hosted zones for AWS profile: account-three-deploy.
Obtaining Route53 hosted zones for AWS profile: account-six.
Obtaining Route53 hosted zones for AWS profile: account-seven.
Obtaining Route53 hosted zones for AWS profile: account-one.
Obtained 124 DNS A records so far.
Obtaining EIPs for region: us-east-1,profile: default
Obtaining IPs for network interfaces for region: us-east-1,profile: default
Obtaining EIPs for region: us-east-1,profile: account-five
Obtaining IPs for network interfaces for region: us-east-1,profile: account-five
Obtaining EIPs for region: us-east-1,profile: account-four
Obtaining IPs for network interfaces for region: us-east-1,profile: account-four
Obtaining EIPs for region: us-east-1,profile: account-four-deploy
Obtaining IPs for network interfaces for region: us-east-1,profile: account-four-deploy
Obtaining EIPs for region: us-east-1,profile: account-two-deploy
Obtaining IPs for network interfaces for region: us-east-1,profile: account-two-deploy
Obtaining EIPs for region: us-east-1,profile: account-one-deploy
Obtaining IPs for network interfaces for region: us-east-1,profile: account-one-deploy
Obtaining EIPs for region: us-east-1,profile: account-three-deploy
Obtaining IPs for network interfaces for region: us-east-1,profile: account-three-deploy
Obtaining EIPs for region: us-east-1,profile: account-six
Obtaining IPs for network interfaces for region: us-east-1,profile: account-six
Obtaining EIPs for region: us-east-1,profile: account-seven
Obtaining IPs for network interfaces for region: us-east-1,profile: account-seven
Obtaining EIPs for region: us-east-1,profile: account-one
Obtaining IPs for network interfaces for region: us-east-1,profile: account-one
Obtained 415 unique elastic IPs from AWS.
Takeover possible: {'name': 'takeover.assetnotecloud.com','records': ['52.54.24.193']}
Obtaining all zone names from Cloudflare.
Obtaining DNS A records for all zones from Cloudflare.
Obtained 33 DNS A records so far.
Obtaining Route53 hosted zones for AWS profile: default.
Obtaining Route53 hosted zones for AWS profile: account-five.
Obtaining Route53 hosted zones for AWS profile: account-four.
Obtaining Route53 hosted zones for AWS profile: account-four-deploy.
Obtaining Route53 hosted zones for AWS profile: account-two-deploy.
Obtaining Route53 hosted zones for AWS profile: account-one-deploy.
Obtaining Route53 hosted zones for AWS profile: account-three-deploy.
Obtaining Route53 hosted zones for AWS profile: account-six.
Obtaining Route53 hosted zones for AWS profile: account-seven.
Obtaining Route53 hosted zones for AWS profile: account-one.
Obtained 124 DNS A records so far.
Obtaining EIPs for region: us-east-1,profile: default
Obtaining IPs for network interfaces for region: us-east-1,profile: default
Obtaining EIPs for region: us-east-1,profile: account-five
Obtaining IPs for network interfaces for region: us-east-1,profile: account-five
Obtaining EIPs for region: us-east-1,profile: account-four
Obtaining IPs for network interfaces for region: us-east-1,profile: account-four
Obtaining EIPs for region: us-east-1,profile: account-four-deploy
Obtaining IPs for network interfaces for region: us-east-1,profile: account-four-deploy
Obtaining EIPs for region: us-east-1,profile: account-two-deploy
Obtaining IPs for network interfaces for region: us-east-1,profile: account-two-deploy
Obtaining EIPs for region: us-east-1,profile: account-one-deploy
Obtaining IPs for network interfaces for region: us-east-1,profile: account-one-deploy
Obtaining EIPs for region: us-east-1,profile: account-three-deploy
Obtaining IPs for network interfaces for region: us-east-1,profile: account-three-deploy
Obtaining EIPs for region: us-east-1,profile: account-six
Obtaining IPs for network interfaces for region: us-east-1,profile: account-six
Obtaining EIPs for region: us-east-1,profile: account-seven
Obtaining IPs for network interfaces for region: us-east-1,profile: account-seven
Obtaining EIPs for region: us-east-1,profile: account-one
Obtaining IPs for network interfaces for region: us-east-1,profile: account-one
Obtained 415 unique elastic IPs from AWS.
Takeover possible: {'name': 'takeover.assetnotecloud.com','records': ['52.54.24.193']}
许可证协议
本项目的开发和发布遵循AGPL-3.0开源许可协议。
项目地址
捉鬼敢死队:【GitHub传送门】