Merge pull request #30 from initstring/dev

AWS Apps functionality from @travispeska
initstring · Apr 29, 2020 · 98fe026 · 98fe026
2 parents 306013b + 095cfcb
commit 98fe026
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -6,6 +6,7 @@ Currently enumerates the following:
 **Amazon Web Services**:
 - Open S3 Buckets
 - Protected S3 Buckets
+- awsapps (WorkMail, WorkDocs, Connect, etc.)
 
 **Microsoft Azure**:
 - Storage Accounts

diff --git a/enum_tools/aws_checks.py b/enum_tools/aws_checks.py
@@ -13,6 +13,7 @@
 
 # Known S3 domain names
 S3_URL = 's3.amazonaws.com'
+APPS_URL = 'awsapps.com'
 
 # Known AWS region names. This global will be used unless the user passes
 # in a specific region name. (NOT YET IMPLEMENTED)
@@ -87,6 +88,36 @@ def check_s3_buckets(names, threads):
     # Stop the time
     utils.stop_timer(start_time)
 
+def check_awsapps(names, threads, nameserver):
+    """
+    Checks for existence of AWS Apps
+    (ie. WorkDocs, WorkMail, Connect, etc.)
+    """
+    print("[+] Checking for AWS Apps")
+
+    # Start a counter to report on elapsed time
+    start_time = utils.start_timer()
+
+    # Initialize the list of domain names to look up
+    candidates = []
+
+    # Initialize the list of valid hostnames
+    valid_names = []
+
+    # Take each mutated keyword craft a domain name to lookup.
+    for name in names:
+        candidates.append('{}.{}'.format(name, APPS_URL))
+
+    # AWS Apps use DNS sub-domains. First, see which are valid.
+    valid_names = utils.fast_dns_lookup(candidates, nameserver,
+                                        threads=threads)
+
+    for name in valid_names:
+        utils.printc("    App Found: https://{}\n" .format(name), 'orange')
+
+    # Stop the timer
+    utils.stop_timer(start_time)
+
 def run_all(names, args):
     """
     Function is called by main program
@@ -97,4 +128,4 @@ def run_all(names, args):
     #if not regions:
     #    regions = AWS_REGIONS
     check_s3_buckets(names, args.threads)
-    return ''
+    check_awsapps(names, args.threads, args.nameserver)
diff --git a/enum_tools/fuzz.txt b/enum_tools/fuzz.txt
@@ -28,6 +28,7 @@ alpha
 amazon
 analytics
 android
+api
 app
 appengine
 appspot
@@ -70,6 +71,7 @@ consultants
 contact
 container
 content
+core
 corp
 corporate
 data
@@ -105,6 +107,7 @@ fileshare
 filestore
 firestore
 functions
+gateway
 gcp
 gcp-logs
 gcplogs
@@ -115,6 +118,7 @@ gke
 graphite
 graphql
 gs
+gw
 help
 hub
 iam

diff --git a/enum_tools/gcp_checks.py b/enum_tools/gcp_checks.py
@@ -115,4 +115,3 @@ def run_all(names, args):
 
     check_gcp_buckets(names, args.threads)
     check_appspot(names, args.threads)
-    return ''
diff --git a/enum_tools/utils.py b/enum_tools/utils.py
@@ -117,7 +117,7 @@ def dns_lookup(nameserver, name):
     except dns.resolver.NXDOMAIN:
         return ''
     except dns.exception.Timeout:
-        print("    [!] DNS Timeut on {}. Investigate if there are many"
+        print("    [!] DNS Timeout on {}. Investigate if there are many"
               " of these.".format(name))
 
 def fast_dns_lookup(names, nameserver, callback='', threads=5):
Original file line number	Diff line number	Diff line change
Expand Up		@@ -115,4 +115,3 @@ def run_all(names, args):

		check_gcp_buckets(names, args.threads)
		check_appspot(names, args.threads)
		return ''