AWS Enumeration and Footprinting Tool

Overview

Quiet Riot

🎶 C'mon, Feel The Noise 🎶

An enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, root e-mail addresses, users, and roles.

Credit: Daniel Grzelak @dagrz for identifying the technique and Will Bengston @__muscles for inspiring me to scale it.

See the blog post here

Featureploitation Limits

Throttling

After performing extensive analysis of scaling methods using the AWS Python (Boto3) SDK, I was able to determine that the bottleneck for scanning (at least for Python and awscli -based tools) is I/O capacity of a single-threaded Python application. After modifying the program to run with multiple threads, I was able to trigger exceptions in individual threads due to throttling by the various AWS APIs. You can see the results from running a few benchmarking test scans here. APIs that I tested had wildly different throttling limits and notably, s3 bucket policy attempts took ~10x as long as similar attempts against other services.

With further testing, I settled on a combination of SNS, ECR-Public, and ECR-Private services running in US-East-1 in ~40%/50%/10% configuration split with ~700 threads. The machine I used was a 2020 Macbook Air (M1 and 16 GB RAM). This configuration yielded on average ~1100 calls/sec, though the actual number of calls can fluctuate significantly depending on a variety of factors including network connectivity. Under these configurations, I did occasionally throw an exception on a thread from throttling...but I have subsequently configured additional (4 -> 7) re-try attempts via botocore that would eliminate this issue with some performance trade-off.

Computational Difficulty

To attempt every possible Account ID in AWS (1,000,000,000,000) would require an infeasible amount of time given only one account. Even assuming absolute efficiency*, over the course of a day an attacker will only be able to make 95,040,000 validation checks. Over 30 days, this is 2,851,200,000 validation checks and we are still over 28 years away from enumerating every valid AWS Account ID. Fortunately, there is nothing stopping us from registering many AWS accounts and automating this scan. While there is an initial limit of 20 accounts per AWS organization, I was able to get this limit increased for my Organization via console self-service and approval from an AWS representative. The approval occured without any further questions and now I'm off to automating this writ large. Again, assuming absolute efficiency, the 28 years scanning could potentially be reduced down to ~100 days.

*~1100 API calls/check per second in perpetuity per account and never repeating a guessed Account ID.

Potential Supported Services

# AWS Service Description API Limits Resource Pricing Enumeration Capability
1 SNS Managed Serverless Notification Service Unknown Unknown Yes
2 KMS Encryption Key Management Service Unknown Unknown Yes
3 SecretsManager Managed Secret Store Unknown Unknown Yes
4 CodeArtifact Managed Source Code Repository Unknown Unknown Yes
5 ECR Public Managed Container Registry Unknown Unknown Yes
6 ECR Private Managed Container Registry Unknown Unknown Yes
7 Lambda Managed Serverless Function Unknown Unknown Yes
8 s3 Managed Serverless Object Store Unknown Unknown Yes
9 SES SMTP Automation Service Unknown Unknown Unknown
10 ACM Private Certificate Authority Unknown Unknown Unknown
11 CodeBuild Software Build Agent Unknown Unknown Unknown
12 AWS Backup Managed Backup Service Unknown Unknown Unknown
13 Cloud9 Managed IDE Unknown Unknown Unknown
14 Glue Managed ETL Job Service Unknown Unknown Unknown
15 EKS Managed K8s Service Unknown Unknown Unknown
16 Lex V2 Managed NLP Service Unknown Unknown Unknown
17 CloudWatch Logs Managed Log Pipeline/Monitoring Unknown Unknown Unknown
18 VPC Endpoints Managed Virtual Network Unknown Unknown Unknown
19 Elemental MediaStore Unknown Unknown Unknown Unknown
20 OpenSearch Managed ElasticSearch Unknown Unknown Unknown
21 EventBridge Managed Serverless Event Hub Unknown Unknown Unknown
22 EventBridge Schemas Managed Serverless Event Hub Unknown Unknown Unknown
23 IoT Internet-of-Things Management Unknown Unknown Unknown
24 s3 Glacier Cold Object Storage Unknown Unknown Unknown
25 ECS Managed Container Orchestration Unknown Unknown Unknown
26 Serverless Application Repository Managed Source Code Repository Unknown Unknown No
27 SQS Managed Serverless Queueing Service Unknown Unknown No
28 EFS Managed Serverless Elastic File System Unknown Unknown No

Getting Started With Quiet Riot

To get started with Quiet Riot, clone the repository to your local directory. You'll need boto3 and AWS cli tools installed. You'll need credentials configured with sufficient privileges in an AWS account to deploy the resources (SNS topic, ECR-Public repository, and ECR-Private repository). Then you just run ./main.py and follow the prompts. If you don't bring your own wordlists, feel free to use one from the wordlists/ directory and I further recommend SecLists Usernames.

Prerequisites

awscli boto3 botocore Sufficient AWS credentials configured via CLI

Owner
Wes Ladd
Cloud Security Architect
Wes Ladd
Discord Bot for League of Legends live match tracker

SABot Dicord Bot for League of Legends match auto tracker Features: Search Summoners statistics in League of Legends. Auto-notifications provide when

Jungyu Choi 4 Sep 27, 2022
The best Discord bot, created for r/Jailbreak

Bloo Setup instructions These instructions assume you are on macOS or Linux. Windows users, good luck. With Docker (recommended!) You will need the fo

GIR 33 Dec 16, 2022
Balsam Python client API & SDK

balsam No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator) This Python package is automatically

Darren Govoni 1 Oct 22, 2021
A Rich renderable for viewing Multiple Sequence Alignments in the terminal.

rich-msa A simple module to render colorful Multiple Sequence Alignment with rich in the terminal. 🔧 Installing Install the rich-msa package directly

Martin Larralde 64 Dec 04, 2022
Auxiliator is telegram bot for basic web-application analysis

Auxiliator Auxiliator is telegram bot for basic web-application analysis What for? Sometimes there is no access to your main PC, where you can scan we

Revoltage 13 Dec 26, 2021
DoriBot -Discord Chat Bot

DoriBot -Discord Chat Bot Please do not use these source files for commercial use. Be sure to mark the source. 이제 더이상의 메이저 업데이트는 없습니다. 마이너 업데이트들은 존재합니

queenanna1999 0 Mar 30, 2022
Change your discord avatar every x h/d based on a list of images

Discord-Avatar-Autochange Introduction A simple script that automatically keeps changing your discord avatar after a given amount of time based on the

Armin Amiri 5 Apr 30, 2022
A continued fork of Disco

Orca Orca is an extensive and extendable Python 3.x library for the Discord API. orca boasts the following major features: Expressive, functional inte

RPS 4 Apr 03, 2022
Black-hat with python

black-hat_python Advantages - More advance tool Easy to use allows updating tool update - run bash update.sh Here -: Command to install tool main- clo

Hackers Tech 2 Feb 10, 2022
A collection of automation aids to connect various database systems into Lookout for Metrics

A collection of automation aids to connect various database systems into Lookout for Metrics

AWS Samples 3 Apr 28, 2022
YuuScource - A Discord bot made with Pycord

Yuu A Discord bot made with Pycord Features Not much lol • Easy to use commands

kekda 9 Feb 17, 2022
Project to list all resources in an AWS account with tags.

AWS-ListAll Project to list all resources in an AWS account with tags. This script works on any system Get started: Install python3 and pip3 along wit

Connor Shubham Verlekar 3 Jan 30, 2022
The fastest nuker on discord, Proxy support and more

About okuru nuker is a nuker for discord written in python, It uses methods such as threading and requests to ban faster and perform at higher speeds.

63 Dec 31, 2022
Network simulation tools

Overview I'm building my network simulation environments with Vagrant using libvirt plugin on a Ubuntu 20.04 system... and I always hated how boring i

Ivan Pepelnjak 219 Jan 07, 2023
Python API wrapper around Trello's API

A wrapper around the Trello API written in Python. Each Trello object is represented by a corresponding Python object. The attributes of these objects

Richard Kolkovich 904 Jan 02, 2023
A Discord bot that may save your day by predicting it.

Sage A Discord bot that may save your day by predicting it.

1 Nov 17, 2022
A Telegram Bot written in Python for mirroring files on the Internet to your Google Drive or Telegram

Original Repo mirror-leech-telegram-bot This is a Telegram Bot written in Python for mirroring files on the Internet to your Google Drive or Telegram.

0 Jan 03, 2022
This Mirror Bot is a multipurpose Telegram Bot writen in Python for mirroring files on the Internet to our beloved Google Drive.

MIRROR HUNTER This Mirror Bot is a multipurpose Telegram Bot writen in Python for mirroring files on the Internet to our beloved Google Drive. Repo la

anime republic 130 May 28, 2022
使用appium进行抖音粉丝的自动化获取

DYfans 使用appium进行抖音粉丝的自动化获取 工具: appium appium inspector Fiddler 夜神模拟器或者安卓手机 mitmdump mitmproxy 推荐使用安卓5.0夜神模拟器 库: appium selenium json 环境: jdk 安卓sdk 安卓

kaba 0 Mar 25, 2022
Crystal Orb is a discord bot made from discord.py and python

Crystal orb Replacing barbot Overview Crystal Orb is a discord bot made from discord.py and python, Crystal Orb is for anti alt detection and other st

AlexyDaCoder 3 Nov 28, 2021