BishopFox/cloudfox

Identify Potentially Accessible EC2 Ports

wdahlenburg opened this issue · 1 comment

As a Pentester,
I want to identify potentially accessible EC2 ports
so that I don't have to perform a comprehensive network scan on an entire VPC or even the public/private IPs

Overview

EC2 instances can be subject to security groups and network ACLs within AWS.

It would be really awesome to generate an "ec2-commands.txt" loot file that describes each instance and the potentially open ports. Why potential? A service doesn't have to be running on the defined port, but AWS will allow it to be accessed if the security groups and network ACLs permit it.

My preference would be that the loot file generates a list of nmap commands that could be run.

This feature would be a huge time-saver as it could process the inventory and tell pentesters the potentially open port ranges on all instances. The time to fully scan each VPC or each instance's public/private IP can add up. Cloud services can have an inventory run on them, so it'd be a much smarter methodology to just process this info.

I'd like to give it a shot at implementing this. Are there any caveats that I'm missing? Would this be useful?

Acceptance Criteria

  • The security groups and network ACLs are compared against each EC2 instance to determine allowed inbound access
  • The list of ports per instance is formatted into a basic nmap command and placed in a "*-commands.txt" loot file.

Non Functional Requirements/Wants

Screenshots / Files

External Documents / Links

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

@wdahlenburg - This would be amazingly useful if you could pull it off! Exactly this has been on my todo list for a very long time.

Here are some other caveats that I've thought of:

  • Security groups can trust other security groups, so you'd have to keep recursing through those trusts until you are only left with source IP addresses as values and no more security groups.
  • You'd also have to deduplicate ports, which should be pretty easy, I guess.
  • This might apply to more than just EC2 (but EC2 is a great place to start). I'm thinking there might be more services that can host their own services on their own defined ports and use the security group model as well.

My first thought was just the external surface area:

As a penetration tester,
I want to identify only the ports that are potentially exposed
so that I can scan them remotely

But it would also be amazing (maybe a v2) if we could one day have this:

As a penetration tester,
I want to identify only the ports that are potentially exposed to me coming from a specific IP or security group,
so that I can figure out what to scan from my internal foothold in the VPC.

Anything you can do here would be super valuable.
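One way to implement the trust recursion and port deduplication from the caveats above, together with the nmap loot line from the acceptance criteria, as an added example that is not cloudfox's own code: the names Rule, ResolveInbound and NmapCommand are hypothetical, the inventory in main is constructed, a trusted group is treated as a pivot (any source that can reach the trusted group is carried through as a source for these ports), and the network ACL intersection is left out.

```go
package main
import (
	"fmt"
	"strings"
)

type Rule struct { // one inbound SG entry
	From, To int
	Src      string // a CIDR, or an sg- id when the rule trusts another group
}
// ResolveInbound recurses through SG-to-SG trusts until only CIDR sources are
// left, treating a trusted SG as a pivot; path breaks trust cycles (A->B->A).
func ResolveInbound(sgs map[string][]Rule, sg string, path map[string]bool) []Rule {
	if path[sg] {
		return nil
	}
	path[sg] = true
	defer delete(path, sg)
	var out []Rule
	for _, r := range sgs[sg] {
		if !strings.HasPrefix(r.Src, "sg-") {
			out = append(out, r)
			continue
		}
		for _, src := range ResolveInbound(sgs, r.Src, path) {
			out = append(out, Rule{From: r.From, To: r.To, Src: src.Src})
		}
	}
	return out
}
// NmapCommand deduplicates the resolved ports into one "*-commands.txt" line.
func NmapCommand(ip string, rules []Rule) string {
	open := map[int]bool{}
	for _, r := range rules {
		for p := r.From; p <= r.To; p++ {
			open[p] = true
		}
	}
	var spec []string
	for p := 1; p <= 65535; p++ { // ascending walk keeps the port list sorted
		if open[p] {
			spec = append(spec, fmt.Sprint(p))
		}
	}
	return fmt.Sprintf("nmap -Pn -p %s %s", strings.Join(spec, ","), ip)
}
func main() { // constructed inventory: sg-db trusts sg-web, which is internet-facing
	sgs := map[string][]Rule{"sg-web": {{80, 443, "0.0.0.0/0"}}, "sg-db": {{5432, 5432, "sg-web"}}}
	fmt.Println(NmapCommand("10.0.1.5", ResolveInbound(sgs, "sg-db", map[string]bool{})))
}
```

The resolved rules keep their source CIDR so the v2 story can later filter them by the tester's own IP before building the command.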