Merge pull request #104 from sethsec/main

v1.16.0 - Addes multiple resource types to resource-trusts command thanks to @edops973

Author: jbarciabf

Makefile

@@ -32,28 +32,34 @@ release: clean
 	mkdir -p ./cloudfox
 
 	GOOS=windows GOARCH=amd64 go build -o ./cloudfox/cloudfox.exe .
-	zip ./cloudfox/cloudfox-windows-amd64.zip ./cloudfox/cloudfox.exe
-	rm -rf ./cloudfox/cloudfox.exe
+	sha1sum ./cloudfox/cloudfox.exe > ./cloudfox/sha1sum.txt
+	zip ./cloudfox/cloudfox-windows-amd64.zip ./cloudfox/cloudfox.exe ./cloudfox/sha1sum.txt
+	rm -rf ./cloudfox/cloudfox.exe ./cloudfox/sha1sum.txt
 
 	GOOS=linux GOARCH=amd64 go build -o ./cloudfox/cloudfox .
-	zip ./cloudfox/cloudfox-linux-amd64.zip ./cloudfox/cloudfox .
-	rm -rf ./cloudfox/cloudfox
+	sha1sum ./cloudfox/cloudfox > ./cloudfox/sha1sum.txt
+	zip ./cloudfox/cloudfox-linux-amd64.zip ./cloudfox/cloudfox ./cloudfox/sha1sum.txt
+	rm -rf ./cloudfox/cloudfox ./cloudfox/sha1sum.txt
 
 	GOOS=linux GOARCH=386 go build -o ./cloudfox/cloudfox .
-	zip ./cloudfox/cloudfox-linux-386.zip ./cloudfox/cloudfox .
-	rm -rf ./cloudfox/cloudfox
+	sha1sum ./cloudfox/cloudfox > ./cloudfox/sha1sum.txt
+	zip ./cloudfox/cloudfox-linux-386.zip ./cloudfox/cloudfox ./cloudfox/sha1sum.txt
+	rm -rf ./cloudfox/cloudfox ./cloudfox/sha1sum.txt
 
 	GOOS=linux GOARCH=arm64 go build -o ./cloudfox/cloudfox .
-	zip ./cloudfox/cloudfox-linux-arm64.zip ./cloudfox/cloudfox .
-	rm -rf ./cloudfox/cloudfox
+	sha1sum ./cloudfox/cloudfox > ./cloudfox/sha1sum.txt
+  zip ./cloudfox/cloudfox-linux-arm64.zip ./cloudfox/cloudfox ./cloudfox/sha1sum.txt
+	rm -rf ./cloudfox/cloudfox ./cloudfox/sha1sum.txt
 
 	GOOS=darwin GOARCH=amd64 go build -o ./cloudfox/cloudfox .
-	zip ./cloudfox/cloudfox-macos-amd64.zip ./cloudfox/cloudfox
-	rm -rf ./cloudfox/cloudfox
+	sha1sum ./cloudfox/cloudfox > ./cloudfox/sha1sum.txt
+	zip ./cloudfox/cloudfox-macos-amd64.zip ./cloudfox/cloudfox ./cloudfox/sha1sum.txt
+	rm -rf ./cloudfox/cloudfox ./cloudfox/sha1sum.txt
 
 	GOOS=darwin GOARCH=arm64 go build -o ./cloudfox/cloudfox .
-	zip ./cloudfox/cloudfox-macos-arm64.zip ./cloudfox/cloudfox
-	rm -rf ./cloudfox/cloudfox
+	sha1sum ./cloudfox/cloudfox > ./cloudfox/sha1sum.txt
+	zip ./cloudfox/cloudfox-macos-arm64.zip ./cloudfox/cloudfox ./cloudfox/sha1sum.txt
+	rm -rf ./cloudfox/cloudfox ./cloudfox/sha1sum.txt
 
 clean:
 	rm -rf ./cloudfox

README.md

@@ -133,7 +133,7 @@ Additional policy notes (as of 09/2022):
 | AWS | [pmapper](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#pmapper) | Looks for pmapper data stored on the local filesystem, [in the locations defined here](https://github.com/nccgroup/PMapper/wiki/Frequently-Asked-Questions#where-does-pmapper-store-its-data). If pmapper data has been found (you already ran `pmapper graph create`), then this command will use this data to build a graph in cloudfox memory let you know who can privesc to admin. 
 | AWS | [principals](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#principals) | Enumerates IAM users and Roles so you have the data at your fingertips. |
 | AWS | [ram](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#ram) | List all resources in this account that are shared with other accounts, or resources from other accounts that are shared with this account. Useful for cross-account attack paths. |
-| AWS | [resource-trusts](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#resource-trusts) | Looks through multiple services that support resource policies and helps you find any overly permissive resource trusts.|
+| AWS | [resource-trusts](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#resource-trusts) | Looks through multiple services that support resource policies and helps you find any overly permissive resource trusts. KMS is supported but disabled by default. To include KMS resource policies in the output, add this flag to the command: `cloudfox aws resource-trusts --include-kms`.|
 | AWS | [role-trusts](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#role-trusts) | Enumerates IAM role trust policies so you can look for overly permissive role trusts or find roles that trust a specific service. |
 | AWS | [route53](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#route53) | Enumerate all records from all route53 managed zones. Use this for application and service enumeration. |
 | AWS | [secrets](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#secrets) | List secrets from SecretsManager and SSM. Look for interesting secrets in the list and then see who has access to them using use `cloudfox iam-simulator` and/or `pmapper`. |

aws/ecs-tasks.go

@@ -50,6 +50,7 @@ type MappedECSTask struct {
 	Cluster               string
 	TaskDefinitionName    string
 	TaskDefinitionContent string
+	ContainerName         string
 	LaunchType            string
 	ID                    string
 	ExternalIP            string
@@ -145,6 +146,7 @@ func (m *ECSTasksModule) printECSTaskData(outputDirectory string, dataReceiver c
 		"Account",
 		"Cluster",
 		"TaskDefinition",
+		"ContainerName",
 		"LaunchType",
 		"ID",
 		"External IP",
@@ -171,6 +173,7 @@ func (m *ECSTasksModule) printECSTaskData(outputDirectory string, dataReceiver c
 			"Account",
 			"Cluster",
 			"TaskDefinition",
+			"ContainerName",
 			"LaunchType",
 			"ID",
 			"External IP",
@@ -184,6 +187,7 @@ func (m *ECSTasksModule) printECSTaskData(outputDirectory string, dataReceiver c
 		tableCols = []string{
 			"Cluster",
 			"TaskDefinition",
+			"ContainerName",
 			"LaunchType",
 			"External IP",
 			"Internal IP",
@@ -206,6 +210,7 @@ func (m *ECSTasksModule) printECSTaskData(outputDirectory string, dataReceiver c
 				aws.ToString(m.Caller.Account),
 				ecsTask.Cluster,
 				ecsTask.TaskDefinitionName,
+				ecsTask.ContainerName,
 				ecsTask.LaunchType,
 				ecsTask.ID,
 				ecsTask.ExternalIP,
@@ -368,7 +373,7 @@ func (m *ECSTasksModule) loadTasksData(clusterARN string, taskARNs []string, reg
 		return
 	}
 
-	eniIDs := []string{}
+	var eniIDs []string
 	for _, task := range Tasks {
 		eniID := getElasticNetworkInterfaceIDOfECSTask(task)
 		if eniID != "" {
@@ -394,6 +399,7 @@ func (m *ECSTasksModule) loadTasksData(clusterARN string, taskARNs []string, reg
 			Cluster:               getNameFromARN(clusterARN),
 			TaskDefinitionName:    getNameFromARN(aws.ToString(task.TaskDefinitionArn)),
 			TaskDefinitionContent: getTaskDefinitionContent(taskDefinition),
+			ContainerName:         getContainerNamesFromECSTask(task),
 			LaunchType:            string(task.LaunchType),
 			ID:                    getIDFromECSTask(aws.ToString(task.TaskArn)),
 			PrivateIP:             getPrivateIPv4AddressFromECSTask(task),
@@ -505,8 +511,18 @@ func getIDFromECSTask(arn string) string {
 	return tokens[2]
 }
 
+func getContainerNamesFromECSTask(task types.Task) string {
+	var names []string
+
+	for _, container := range task.Containers {
+		names = append(names, aws.ToString(container.Name))
+	}
+
+	return strings.Join(names, "|")
+}
+
 func getPrivateIPv4AddressFromECSTask(task types.Task) string {
-	ips := []string{}
+	var ips []string
 
 	for _, attachment := range task.Attachments {
 		if aws.ToString(attachment.Type) != "ElasticNetworkInterface" || aws.ToString(attachment.Status) != "ATTACHED" {

aws/ecs-tasks_test.go

@@ -23,7 +23,6 @@ func TestECSTasks(t *testing.T) {
 			outputDirectory: ".",
 			verbosity:       2,
 			testModule: ECSTasksModule{
-
 				AWSProfile:     "default",
 				AWSRegions:     []string{"us-east-1", "us-west-1"},
 				Caller:         sts.GetCallerIdentityOutput{Arn: aws.String("arn:aws:iam::123456789012:user/cloudfox_unit_tests")},
@@ -33,10 +32,11 @@ func TestECSTasks(t *testing.T) {
 				ECSClient:      &sdk.MockedECSClient{},
 			},
 			expectedResult: []MappedECSTask{{
-				Cluster:    "MyCluster",
-				ID:         "74de0355a10a4f979ac495c14EXAMPLE",
-				ExternalIP: "203.0.113.12",
-				Role:       "test123",
+				Cluster:       "MyCluster",
+				ID:            "74de0355a10a4f979ac495c14EXAMPLE",
+				ContainerName: "web",
+				ExternalIP:    "203.0.113.12",
+				Role:          "test123",
 			}},
 		},
 	}
@@ -48,6 +48,9 @@ func TestECSTasks(t *testing.T) {
 				if expectedTask.Cluster != subtest.testModule.MappedECSTasks[index].Cluster {
 					log.Fatal("Cluster name does not match expected value")
 				}
+				if expectedTask.ContainerName != subtest.testModule.MappedECSTasks[index].ContainerName {
+					log.Fatal("Container name does not match expected value")
+				}
 			}
 		})
 	}