def check_awsapps(names, threads, nameserver, cverbose=True):
"""
Checks for existence of AWS Apps
(ie. WorkDocs, WorkMail, Connect, etc.)
"""
if cverbose: print("[+] Checking for AWS Apps")
pname = ['AWS Apps ', 2]
# Start a counter to report on elapsed time
start_time = utils.start_timer()
# Initialize the list of domain names to look up
candidates = []
# Initialize the list of valid hostnames
valid_names = []
# Take each mutated keyword craft a domain name to lookup.
for name in names:
candidates.append('{}.{}'.format(name, APPS_URL))
# AWS Apps use DNS sub-domains. First, see which are valid.
valid_names = utils.fast_dns_lookup(candidates,
nameserver,
pname,
cverbose,
threads=threads)
for name in valid_names:
if cverbose:
utils.printc(" App Found: https://{}\n".format(name), 'orange')
# Stop the timer
utils.stop_timer(start_time, cverbose)
def print_s3_response(reply, cverbose=True):
"""
Parses the HTTP reply of a brute-force attempt
This function is passed into the class object so we can view results
in real-time.
"""
if reply.status_code == 404:
pass
elif 'Bad Request' in reply.reason:
pass
elif reply.status_code == 200:
if cverbose:
utils.printc(" OPEN S3 BUCKET: {}\n".format(reply.url), 'green')
if cverbose: utils.list_bucket_contents(reply.url)
elif reply.status_code == 403:
if cverbose:
utils.printc(" Protected S3 Bucket: {}\n".format(reply.url),
'orange')
elif 'Slow Down' in reply.reason:
if cverbose:
print("[!] You've been rate limited, skipping rest of check...")
return 'breakout'
else:
if cverbose:
print(" Unknown status codes being received from {}:\n"
" {}: {}".format(reply.url, reply.status_code,
reply.reason))
def print_vm_response(hostname):
"""
This function is passed into the DNS brute force as a callback,
so we can get real-time results.
"""
utils.printc(
" Registered Azure Virtual Machine DNS Name: {}\n".format(hostname),
'green')
def print_database_response(hostname, cverbose):
"""
This function is passed into the DNS brute force as a callback,
so we can get real-time results.
"""
if cverbose:
utils.printc(
" Registered Azure Database DNS Name: {}\n".format(hostname),
'green')
def print_account_response(reply):
"""
Parses the HTTP reply of a brute-force attempt
This function is passed into the class object so we can view results
in real-time.
"""
if reply.status_code == 404:
pass
elif 'Server failed to authenticate the request' in reply.reason:
utils.printc(" Auth-Only Storage Account: {}\n".format(reply.url),
'red')
elif 'The specified account is disabled' in reply.reason:
utils.printc(" Disabled Storage Account: {}\n".format(reply.url),
'red')
elif 'Value for one of the query' in reply.reason:
utils.printc(" HTTP-OK Storage Account: {}\n".format(reply.url),
'orange')
elif 'The account being accessed' in reply.reason:
utils.printc(" HTTPS-Only Storage Account: {}\n".format(reply.url),
'orange')
else:
print(" Unknown status codes being received from {}:\n"
" {}: {}".format(reply.url, reply.status_code,
reply.reason))
def print_functions_response1(reply):
"""
Parses the HTTP reply the initial Cloud Functions check
This function is passed into the class object so we can view results
in real-time.
"""
if reply.status_code == 404:
pass
elif reply.status_code == 302:
utils.printc(
" Contains at least 1 Cloud Function: {}\n".format(reply.url),
'green')
HAS_FUNCS.append(reply.url)
else:
print(" Unknown status codes being received from {}:\n"
" {}: {}".format(reply.url, reply.status_code,
reply.reason))
def print_bucket_response(reply):
"""
Parses the HTTP reply of a brute-force attempt
This function is passed into the class object so we can view results
in real-time.
"""
if reply.status_code == 404:
pass
elif reply.status_code == 200:
utils.printc(" OPEN GOOGLE BUCKET: {}\n".format(reply.url), 'green')
utils.list_bucket_contents(reply.url + '/')
elif reply.status_code == 403:
utils.printc(" Protected Google Bucket: {}\n".format(reply.url),
'orange')
else:
print(" Unknown status codes being received from {}:\n"
" {}: {}".format(reply.url, reply.status_code,
reply.reason))
def print_container_response(reply, cverbose):
"""
Parses the HTTP reply of a brute-force attempt
This function is passed into the class object so we can view results
in real-time.
"""
# Stop brute forcing disabled accounts
if 'The specified account is disabled' in reply.reason:
if cverbose: print(" [!] Breaking out early, account disabled.")
return 'breakout'
# Stop brute forcing accounts without permission
if ('not authorized to perform this operation' in reply.reason
or 'not have sufficient permissions' in reply.reason
or 'Public access is not permitted' in reply.reason
or 'Server failed to authenticate the request' in reply.reason):
if cverbose: print(" [!] Breaking out early, auth required.")
return 'breakout'
# Stop brute forcing unsupported accounts
if 'Blob API is not yet supported' in reply.reason:
if cverbose:
print(" [!] Breaking out early, Hierarchical namespace account")
return 'breakout'
# Handle other responses
if reply.status_code == 404:
pass
elif reply.status_code == 200:
if cverbose:
utils.printc(" OPEN AZURE CONTAINER: {}\n".format(reply.url),
'green')
utils.list_bucket_contents(reply.url, cverbose)
elif 'One of the request inputs is out of range' in reply.reason:
pass
elif 'The request URI is invalid' in reply.reason:
pass
else:
if cverbose:
print(" Unknown status codes being received from {}:\n"
" {}: {}".format(reply.url, reply.status_code,
reply.reason))
def print_awsapps_response(reply):
"""
Parses the HTTP reply of a brute-force attempt
This function is passed into the class object so we can view results
in real-time.
"""
if reply.status_code == 404:
pass
elif 'Bad Request' in reply.reason:
pass
elif reply.status_code == 200:
utils.printc(" App Found: {}\n".format(reply.url), 'orange')
elif 'Slow Down' in reply.reason:
print("[!] You've been rate limited, skipping rest of check...")
return 'breakout'
else:
print(" Unknown status codes being received from {}:\n"
" {}: {}".format(reply.url, reply.status_code,
reply.reason))
def print_appspot_response(reply):
"""
Parses the HTTP reply of a brute-force attempt
This function is passed into the class object so we can view results
in real-time.
"""
if reply.status_code == 404:
pass
elif reply.status_code == 500 or reply.status_code == 503:
utils.printc(
" Google App Engine app with a 50x error: {}\n".format(
reply.url), 'orange')
elif reply.status_code == 200 or reply.status_code == 302:
utils.printc(" Google App Engine app: {}\n".format(reply.url),
'green')
else:
print(" Unknown status codes being received from {}:\n"
" {}: {}".format(reply.url, reply.status_code,
reply.reason))
def print_functions_response2(reply):
"""
Parses the HTTP reply from the secondary, brute-force Cloud Functions check
This function is passed into the class object so we can view results
in real-time.
"""
if 'accounts.google.com/ServiceLogin' in reply.url:
pass
elif reply.status_code == 403 or reply.status_code == 401:
utils.printc(
" Auth required Cloud Function: {}\n".format(reply.url),
'orange')
elif reply.status_code == 405:
utils.printc(
" UNAUTHENTICATED Cloud Function (POST-Only): {}\n".format(
reply.url), 'green')
elif reply.status_code == 200 or reply.status_code == 404:
utils.printc(
" UNAUTHENTICATED Cloud Function (GET-OK): {}\n".format(
reply.url), 'green')
else:
print(" Unknown status codes being received from {}:\n"
" {}: {}".format(reply.url, reply.status_code,
reply.reason))
def print_fbrtdb_response(reply):
"""
Parses the HTTP reply of a brute-force attempt
This function is passed into the class object so we can view results
in real-time.
"""
if reply.status_code == 404:
pass
elif reply.status_code == 200:
utils.printc(" OPEN GOOGLE FIREBASE RTDB: {}\n".format(reply.url),
'green')
elif reply.status_code == 401:
utils.printc(
" Protected Google Firebase RTDB: {}\n".format(reply.url),
'orange')
elif reply.status_code == 402:
utils.printc(
" Payment required on Google Firebase RTDB: {}\n".format(
reply.url), 'orange')
else:
print(" Unknown status codes being received from {}:\n"
" {}: {}".format(reply.url, reply.status_code,
reply.reason))
