domain-protect scans Amazon Route53 to detect:
- Alias records for CloudFront distributions with missing S3 origin
- CNAME records for CloudFront distributions with missing S3 origin
- ElasticBeanstalk Alias records vulnerable to takeover
- ElasticBeanstalk CNAME records vulnerable to takeover
- S3 Alias records vulnerable to takeover
- S3 CNAME records vulnerable to takeover
- Registered domains with missing hosted zones
- Subdomain NS delegations vulnerable to takeover
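The S3 alias and CNAME checks, as an added example that is not domain-protect's own code: Route53 record sets and the bucket-existence check are injected so it runs offline (in a real scan they would come from boto3 `route53.list_resource_record_sets` and `s3.head_bucket`). The hostnames in the sample records are constructed.

```python
"""Detect Route53 records pointing at S3 endpoints whose bucket no longer exists.
Added example (not domain-protect's own code); records and bucket_exists are injected."""
import re

# CNAME targets: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
# bucket.s3-website-<region>.amazonaws.com, bucket.s3-website.<region>.amazonaws.com
S3_CNAME_TARGET = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-]website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"
)
# Alias targets for S3 website hosting carry no bucket name: the record name IS the bucket
S3_ALIAS_TARGET = re.compile(r"^s3-website[.-][a-z0-9-]+\.amazonaws\.com\.?$")


def s3_bucket_from_target(target):
    """Return the bucket name a CNAME target implies, or None if it is not an S3 endpoint."""
    m = S3_CNAME_TARGET.match(target.lower())
    return m.group("bucket") if m else None


def find_dangling_s3_records(rrsets, bucket_exists):
    """rrsets: list of Route53 ResourceRecordSet dicts (list_resource_record_sets shape).
    bucket_exists: callable(bucket_name) -> bool, e.g. head_bucket wrapped in try/except.
    Returns (record_name, target, bucket) for every record whose bucket is missing."""
    findings = []
    for rrset in rrsets:
        name = rrset["Name"]
        alias = rrset.get("AliasTarget")
        if alias and S3_ALIAS_TARGET.match(alias["DNSName"].lower()):
            bucket = name.rstrip(".")          # S3 website alias requires bucket == record name
            if not bucket_exists(bucket):
                findings.append((name, alias["DNSName"], bucket))
        elif rrset.get("Type") == "CNAME":
            for rr in rrset.get("ResourceRecords", []):
                bucket = s3_bucket_from_target(rr["Value"])
                if bucket and not bucket_exists(bucket):
                    findings.append((name, rr["Value"], bucket))
    return findings


# Constructed sample zone data, not real records
SAMPLE_RECORDS = [
    {"Name": "assets.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "old-assets-bucket.s3-website-eu-west-1.amazonaws.com"}]},
    {"Name": "www.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "live-bucket.s3.eu-west-2.amazonaws.com"}]},
    {"Name": "static.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "s3-website-eu-west-1.amazonaws.com."}},
    {"Name": "mail.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "mail.provider.example.net"}]},
]
EXISTING_BUCKETS = {"live-bucket"}  # constructed stand-in for head_bucket results

if __name__ == "__main__":
    for name, target, bucket in find_dangling_s3_records(SAMPLE_RECORDS, EXISTING_BUCKETS.__contains__):
        print(f"{name} -> {target}: bucket '{bucket}' does not exist")
```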
- optionally create and activate a virtual environment
python -m venv .venv
source .venv/bin/activate
- install dependencies
pip install -r manual_scans/aws/requirements.txt
- set PYTHONPATH to import modules
- identify your current path from the root of the domain-protect directory
$ pwd
/Users/paul/src/github.com/ovotech/domain-protect
- set PYTHONPATH environment variable
$ export PYTHONPATH="${PYTHONPATH}:/Users/paul/src/github.com/domain-protect/domain-protect"
- run manual scans from the root of the domain-protect folder, replacing PROFILE_NAME with your AWS CLI profile name
python manual_scans/aws/aws-alias-cloudfront-s3.py --profile PROFILE_NAME
python manual_scans/aws/aws-cname-cloudfront-s3.py --profile PROFILE_NAME
python manual_scans/aws/aws-alias-eb.py --profile PROFILE_NAME
python manual_scans/aws/aws-cname-eb.py --profile PROFILE_NAME
python manual_scans/aws/aws_alias_s3.py --profile PROFILE_NAME
python manual_scans/aws/aws-cname-s3.py --profile PROFILE_NAME
python manual_scans/aws/aws-ns-domain.py --profile PROFILE_NAME
python manual_scans/aws/aws-ns-subdomain.py --profile PROFILE_NAME
- log in to the AWS console in the audit account
- start CloudShell in a region which supports it, e.g. eu-west-1
- upload relevant files from your desktop
- edit the example below with the AWS account number of the target account, the role name, and the role session name
aws sts assume-role --role-arn arn:aws:iam::012345678901:role/securityaudit --role-session-name domainprotect
- copy and paste the returned temporary credentials to your desktop
- create an AWS CLI credentials file in CloudShell
vi .aws/credentials
- enter details in the following format
[profile_name]
aws_access_key_id = XXXXXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aws_session_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- save and exit vi
:wq!
- install dependencies and proceed with the scans, e.g.
sudo pip3 install dnspython
python3 manual_scans/aws/aws-ns-domain.py --profile profile_name
- NS subdomain takeover detection is based on NSDetect