From de492fa6e978814454a4412959d042ea77f559ca Mon Sep 17 00:00:00 2001
From: Bastien Faure
Date: Tue, 2 Apr 2024 11:49:45 -0700
Subject: [PATCH 1/4] Add Directory Service support for AWS
---
 README.md | 3 +-
 aws/directory-services.go | 276 ++++++++++++++++++++++++++++++++++++++
 aws/sdk/ds.go | 95 +++++++++++++
 cli/aws.go | 32 +++++
 go.mod | 9 +-
 go.sum | 10 ++
 6 files changed, 420 insertions(+), 5 deletions(-)
 create mode 100644 aws/directory-services.go
 create mode 100644 aws/sdk/ds.go
diff --git a/README.md b/README.md
index f7fc3c0..c644cf0 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,7 @@ For the full documentation please refer to our [wiki](https://github.com/BishopF
 
 | Provider| CloudFox Commands |
 | - | - |
-| AWS | 33 |
+| AWS | 34 |
 | Azure | 4 |
 | GCP | Support Planned |
 | Kubernetes | Support Planned |
@@ -140,6 +140,7 @@ Additional policy notes (as of 09/2022):
 | AWS | [sqs](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#sqs) | This command enumerates all of the sqs queues and gives you the commands to receive messages from a queue and send messages to a queue (if you have the permissions needed). This command also attempts to summarize queue resource policies if they exist.|
 | AWS | [tags](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#tags) | List all resources with tags, and all of the tags. This can be used similar to inventory as another method to identify what types of resources exist in an account. |
 | AWS | [workloads](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#workloads) | List all of the compute workloads and what role they have. Tells you if any of the roles are admin (bad) and if you have pmapper data locally, it will tell you if any of the roles can privesc to admin (also bad) |
+| AWS | [ds](https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#workloads) | List all of the AWS-managed directories and their attributes. Also summarizes the current trusts with their directions and types. |
 
 # Azure Commands
 
diff --git a/aws/directory-services.go b/aws/directory-services.go
new file mode 100644
index 0000000..582f01c
--- /dev/null
+++ b/aws/directory-services.go
@@ -0,0 +1,276 @@
+package aws
+
+import (
+ "fmt"
+ "path/filepath"
+ "strconv"
+ "strings"
+ "sync"
+
+ "github.com/BishopFox/cloudfox/aws/sdk"
+ "github.com/BishopFox/cloudfox/internal"
+ "github.com/aws/aws-sdk-go-v2/aws"
+ "github.com/aws/aws-sdk-go-v2/service/sts"
+ dsTypes "github.com/aws/aws-sdk-go-v2/service/directoryservice/types"
+ "github.com/bishopfox/awsservicemap"
+ "github.com/sirupsen/logrus"
+)
+
+type DirectoryModule struct {
+ // General configuration data
+ DSClient sdk.AWSDSClientInterface
+ Caller sts.GetCallerIdentityOutput
+ AWSRegions []string
+ AWSProfile string
+ Goroutines int
+ WrapTable bool
+ AWSOutputType string
+ AWSTableCols string
+ AWSMFAToken string
+ AWSConfig aws.Config
+ AWSProfileProvided string
+ AWSProfileStub string
+ CloudFoxVersion string
+
+ Directories []Directory
+ CommandCounter internal.CommandCounter
+ output internal.OutputData2
+ modLog *logrus.Entry
+}
+
+type Directory struct {
+ DirectoryId string
+ DNS string
+ NetBios string
+ AccessURL string
+ Alias string
+ OsVersion string
+ Region string
+ TrustInfo string
+}
+
+func (m *DirectoryModule) PrintDirectories(outputDirectory string, verbosity int) {
+ // These struct values are used by the output module
+ m.output.Verbosity = verbosity
+ m.output.Directory = outputDirectory
+ m.output.CallingModule = "directory-services"
+ m.modLog = internal.TxtLog.WithFields(logrus.Fields{
+ "module": m.output.CallingModule,
+ })
+
+ if m.AWSProfileProvided == "" {
+ m.AWSProfileStub = internal.BuildAWSPath(m.Caller)
+ } else {
+ m.AWSProfileStub = m.AWSProfileProvided
+ }
+ m.output.FilePath = filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfileProvided, aws.ToString(m.Caller.Account)))
+
+ fmt.Printf("[%s][%s] Enumerating Cloud Directories with resource policies for account %s.\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), aws.ToString(m.Caller.Account))
+ wg := new(sync.WaitGroup)
+ semaphore := make(chan struct{}, m.Goroutines)
+
+ // Create a channel to signal the spinner aka task status goroutine to finish
+ spinnerDone := make(chan bool)
+ //fire up the the task status spinner/updated
+ go internal.SpinUntil(m.output.CallingModule, &m.CommandCounter, spinnerDone, "tasks")
+
+ //create a channel to receive the objects
+ dataReceiver := make(chan Directory)
+
+ // Create a channel to signal to stop
+ receiverDone := make(chan bool)
+ go m.Receiver(dataReceiver, receiverDone)
+
+ for _, region := range m.AWSRegions {
+ wg.Add(1)
+ m.CommandCounter.Pending++
+ go m.executeChecks(region, wg, semaphore, dataReceiver)
+
+ }
+
+ wg.Wait()
+ // Send a message to the spinner goroutine to close the channel and stop
+ spinnerDone <- true
+ <-spinnerDone
+ // Send a message to the data receiver goroutine to close the channel and stop
+ receiverDone <- true
+ <-receiverDone
+
+ // add - if struct is not empty do this. otherwise, dont write anything.
+ m.output.Headers = []string{
+ "Account",
+ "Name",
+ "Alias",
+ "Domain",
+ "NetBIOS name",
+ "Access URL",
+ "Version",
+ "Trusts",
+ }
+
+ // If the user specified table columns, use those.
+ // If the user specified -o wide, use the wide default cols for this module.
+ // Otherwise, use the hardcoded default cols for this module.
+ var tableCols []string
+ // If the user specified table columns, use those.
+ if m.AWSTableCols != "" {
+ // If the user specified wide as the output format, use these columns.
+ // remove any spaces between any commas and the first letter after the commas
+ m.AWSTableCols = strings.ReplaceAll(m.AWSTableCols, ", ", ",")
+ m.AWSTableCols = strings.ReplaceAll(m.AWSTableCols, ", ", ",")
+ tableCols = strings.Split(m.AWSTableCols, ",")
+ } else if m.AWSOutputType == "wide" {
+ tableCols = []string{
+ "Account",
+ "Name",
+ "Alias",
+ "Domain",
+ "NetBIOS name",
+ "Access URL",
+ "Version",
+ "Trusts",
+ }
+ } else {
+ tableCols = []string{
+ "Account",
+ "Name",
+ "Domain",
+ "NetBIOS name",
+ "Access URL",
+ "Version",
+ "Trusts",
+ }
+ }
+
+
+ // Table rows
+ for i := range m.Directories {
+ m.output.Body = append(
+ m.output.Body,
+ []string{
+ aws.ToString(m.Caller.Account),
+ m.Directories[i].DirectoryId,
+ m.Directories[i].Alias,
+ m.Directories[i].DNS,
+ m.Directories[i].NetBios,
+ m.Directories[i].AccessURL,
+ m.Directories[i].OsVersion,
+ m.Directories[i].TrustInfo,
+ },
+ )
+
+ }
+ if len(m.output.Body) > 0 {
+ o := internal.OutputClient{
+ Verbosity: verbosity,
+ CallingModule: m.output.CallingModule,
+ Table: internal.TableClient{
+ Wrap: m.WrapTable,
+ },
+ }
+ o.Table.TableFiles = append(o.Table.TableFiles, internal.TableFile{
+ Header: m.output.Headers,
+ Body: m.output.Body,
+ TableCols: tableCols,
+ Name: m.output.CallingModule,
+ })
+ o.PrefixIdentifier = m.AWSProfileStub
+ o.Table.DirectoryName = filepath.Join(outputDirectory, "cloudfox-output", "aws", fmt.Sprintf("%s-%s", m.AWSProfileStub, aws.ToString(m.Caller.Account)))
+ o.WriteFullOutput(o.Table.TableFiles, nil)
+ //m.writeLoot(o.Table.DirectoryName, verbosity)
+ fmt.Printf("[%s][%s] %s directories found.\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), strconv.Itoa(len(m.output.Body)))
+ //fmt.Printf("[%s][%s] Resource policies stored to: %s\n", cyan(m.output.CallingModule), cyan(m.AWSProfile), m.getLootDir())
+ } else {
+ fmt.Printf("[%s][%s] No directories found, skipping the creation of an output file.\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub))
+ }
+ fmt.Printf("[%s][%s] For context and next steps: https://github.com/BishopFox/cloudfox/wiki/AWS-Commands#%s\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), m.output.CallingModule)
+
+}
+
+func (m *DirectoryModule) executeChecks(r string, wg *sync.WaitGroup, semaphore chan struct{}, dataReceiver chan Directory) {
+ defer wg.Done()
+
+ servicemap := &awsservicemap.AwsServiceMap{
+ JsonFileSource: "DOWNLOAD_FROM_AWS",
+ }
+ res, err := servicemap.IsServiceInRegion("ec2", r)
+ if err != nil {
+ m.modLog.Error(err)
+ }
+ if res {
+ m.CommandCounter.Total++
+ wg.Add(1)
+ m.getDirectoriesPerRegion(r, wg, semaphore, dataReceiver)
+ }
+}
+
+func (m *DirectoryModule) Receiver(receiver chan Directory, receiverDone chan bool) {
+ defer close(receiverDone)
+ for {
+ select {
+ case data := <-receiver:
+ m.Directories = append(m.Directories, data)
+ case <-receiverDone:
+ receiverDone <- true
+ return
+ }
+ }
+}
+func (m *DirectoryModule) getDirectoriesPerRegion(r string, wg *sync.WaitGroup, semaphore chan struct{}, dataReceiver chan Directory) {
+ defer func() {
+ m.CommandCounter.Executing--
+ m.CommandCounter.Complete++
+ wg.Done()
+
+ }()
+ semaphore <- struct{}{}
+ defer func() {
+ <-semaphore
+ }()
+
+ // Get directorys
+ directories, err := sdk.CachedDSDescribeDirectories(m.DSClient, aws.ToString(m.Caller.Account), r)
+ if err != nil {
+ m.modLog.Error(err)
+ }
+ for _, directory := range directories {
+ trusts, err := sdk.CachedDSDescribeTrusts(m.DSClient, aws.ToString(m.Caller.Account), r, *directory.DirectoryId)
+ if err != nil {
+ m.modLog.Error(err)
+ }
+ dataReceiver <- Directory{
+ DirectoryId: *directory.DirectoryId,
+ DNS: *directory.Name,
+ NetBios: *directory.ShortName,
+ Region: r,
+ AccessURL: *directory.AccessUrl,
+ Alias: *directory.Alias,
+ OsVersion: fmt.Sprintf("%s", directory.OsVersion),
+ TrustInfo: m.formatTrusts(trusts),
+ }
+ }
+}
+
+func (m *DirectoryModule) formatTrusts(t []dsTypes.Trust) string {
+ var output string = ""
+ for idx, trust := range t {
+ if idx != 0 {
+ output = output + "\n"
+ }
+ if trust.TrustDirection == "One-Way: Outgoing" {
+ output = output + "→"
+ } else if trust.TrustDirection == "One-Way: Ingoing" {
+ output = output + "←"
+ } else {
+ output = output + "↔"
+ }
+ output = fmt.Sprintf("%s %s", output, *trust.RemoteDomainName)
+ // check trust type (external or forest)
+ if trust.TrustType == "External" {
+ output = fmt.Sprintf("%s (%s)", output, "Domain")
+ } else {
+ output = fmt.Sprintf("%s (%s)", output, "Forest")
+ }
+ }
+ return output
+}
diff --git a/aws/sdk/ds.go b/aws/sdk/ds.go
new file mode 100644
index 0000000..8c66b21
--- /dev/null
+++ b/aws/sdk/ds.go
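Review bot: formatTrusts compares TrustDirection against the literal "One-Way: Ingoing", but the Directory Service API spells the incoming value "One-Way: Incoming" (the SDK exposes it as dsTypes.TrustDirectionOneWayIncoming), so every incoming one-way trust falls through to the else branch and is drawn as a two-way `↔` — which is precisely the distinction an operator needs when judging which side of a trust can be abused for lateral movement. Switch on the typed constants rather than string literals (`case dsTypes.TrustDirectionOneWayOutgoing:` / `case dsTypes.TrustDirectionOneWayIncoming:` / `default:`), which also makes the compiler catch a misspelling. The Directory{} literal in getDirectoriesPerRegion dereferences `directory.DirectoryId`, `directory.Name`, `directory.ShortName`, `directory.AccessUrl`, `directory.Alias` and, in formatTrusts, `trust.RemoteDomainName`; these are `*string` in the SDK, nothing in the API contract guarantees they are populated for every directory type and stage (a directory in Creating or Failed stage, for instance), and a single nil dereference panics the whole enumeration, so use `aws.ToString(...)` as the Account column already does. A failed DescribeTrusts (e.g. AccessDenied on ds:DescribeTrusts) is only logged and then rendered as an empty Trusts cell, indistinguishable from "no trusts"; consider writing a marker such as "(error)" into TrustInfo in that case so the gap is visible in the table.
```go
// … unchanged: semaphore handling and CachedDSDescribeDirectories call …
for _, directory := range directories {
	trusts, err := sdk.CachedDSDescribeTrusts(m.DSClient, aws.ToString(m.Caller.Account), r, aws.ToString(directory.DirectoryId))
	if err != nil {
		m.modLog.Error(err)
	}
	dataReceiver <- Directory{
		DirectoryId: aws.ToString(directory.DirectoryId),
		DNS:         aws.ToString(directory.Name),
		NetBios:     aws.ToString(directory.ShortName),
		Region:      r,
		AccessURL:   aws.ToString(directory.AccessUrl),
		Alias:       aws.ToString(directory.Alias),
		OsVersion:   string(directory.OsVersion),
		TrustInfo:   m.formatTrusts(trusts),
	}
}

// … unchanged: formatTrusts loop header and newline separator …
switch trust.TrustDirection {
case dsTypes.TrustDirectionOneWayOutgoing:
	output = output + "→"
case dsTypes.TrustDirectionOneWayIncoming:
	output = output + "←"
default:
	output = output + "↔"
}
output = fmt.Sprintf("%s %s", output, aws.ToString(trust.RemoteDomainName))
// … unchanged: trust type suffix …
```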
@@ -0,0 +1,95 @@
+package sdk
+
+import (
+ "context"
+ "encoding/gob"
+ "fmt"
+
+ "github.com/patrickmn/go-cache"
+ "github.com/BishopFox/cloudfox/internal"
+ "github.com/aws/aws-sdk-go-v2/service/directoryservice"
+ dsTypes "github.com/aws/aws-sdk-go-v2/service/directoryservice/types"
+)
+
+type AWSDSClientInterface interface {
+ DescribeDirectories(context.Context, *directoryservice.DescribeDirectoriesInput, ...func(*directoryservice.Options)) (*directoryservice.DescribeDirectoriesOutput, error)
+ DescribeTrusts(context.Context, *directoryservice.DescribeTrustsInput, ...func(*directoryservice.Options)) (*directoryservice.DescribeTrustsOutput, error)
+}
+
+func init() {
+ gob.Register([]dsTypes.DirectoryDescription{})
+ gob.Register([]dsTypes.Trust{})
+
+}
+
+func CachedDSDescribeDirectories(client AWSDSClientInterface, accountID string, region string) ([]dsTypes.DirectoryDescription, error) {
+ var PaginationControl *string
+ var directories []dsTypes.DirectoryDescription
+ cacheKey := fmt.Sprintf("%s-ds-DescribeDirectories-%s", accountID, region)
+ cached, found := internal.Cache.Get(cacheKey)
+ if found {
+ return cached.([]dsTypes.DirectoryDescription), nil
+ }
+ for {
+ DescribeDirectories, err := client.DescribeDirectories(
+ context.TODO(),
+ &directoryservice.DescribeDirectoriesInput{
+ NextToken: PaginationControl,
+ },
+ func(o *directoryservice.Options) {
+ o.Region = region
+ },
+ )
+
+ if err != nil {
+ return directories, err
+ }
+
+ directories = append(directories, DescribeDirectories.DirectoryDescriptions...)
+
+ //pagination
+ if DescribeDirectories.NextToken == nil {
+ break
+ }
+ PaginationControl = DescribeDirectories.NextToken
+ }
+
+ internal.Cache.Set(cacheKey, directories, cache.DefaultExpiration)
+ return directories, nil
+}
+
+func CachedDSDescribeTrusts(client AWSDSClientInterface, accountID string, region string, directoryId string) ([]dsTypes.Trust, error) {
+ var PaginationControl *string
+ var trusts []dsTypes.Trust
+ cacheKey := fmt.Sprintf("%s-ds-DescribeTrusts-%s-%s", accountID, region, directoryId)
+ cached, found := internal.Cache.Get(cacheKey)
+ if found {
+ return cached.([]dsTypes.Trust), nil
+ }
+ for {
+ DescribeDirectoryTrusts, err := client.DescribeTrusts(
+ context.TODO(),
+ &directoryservice.DescribeTrustsInput{
+ DirectoryId: &directoryId,
+ NextToken: PaginationControl,
+ },
+ func(o *directoryservice.Options) {
+ o.Region = region
+ },
+ )
+ if err != nil {
+ return trusts, err
+ }
+
+ trusts = append(trusts, DescribeDirectoryTrusts.Trusts...)
+
+ //pagination
+ if DescribeDirectoryTrusts.NextToken == nil {
+ break
+ }
+ PaginationControl = DescribeDirectoryTrusts.NextToken
+ }
+ internal.Cache.Set(cacheKey, trusts, cache.DefaultExpiration)
+
+ return trusts, nil
+}
diff --git a/cli/aws.go b/cli/aws.go
index e673569..96c0a69 100644
--- a/cli/aws.go
+++ b/cli/aws.go
@@ -24,6 +24,7 @@ import (
 "github.com/aws/aws-sdk-go-v2/service/codedeploy"
 "github.com/aws/aws-sdk-go-v2/service/datapipeline"
 "github.com/aws/aws-sdk-go-v2/service/dynamodb"
+ "github.com/aws/aws-sdk-go-v2/service/directoryservice"
 "github.com/aws/aws-sdk-go-v2/service/ec2"
 "github.com/aws/aws-sdk-go-v2/service/ecr"
 "github.com/aws/aws-sdk-go-v2/service/ecs"
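Review bot: The errors returned from CachedDSDescribeDirectories and CachedDSDescribeTrusts carry no region or directory context, and the only consumer in this series does `m.modLog.Error(err)`, so an AccessDenied or throttling response in one of many regions is logged with nothing saying where it came from; wrap at the return sites, e.g. `return directories, fmt.Errorf("ds DescribeDirectories in %s: %w", region, err)` and `return trusts, fmt.Errorf("ds DescribeTrusts %s in %s: %w", directoryId, region, err)`. Both loops pass context.TODO(), so a hung API call has no timeout or cancellation path; the rest of the sdk package appears to follow the same pattern, so this is a broader issue rather than one introduced here, but a ctx parameter on new helpers would stop it spreading. DescribeTrusts also accepts a request with no DirectoryId and then returns every trust in the account for that region, so one call per region grouped by DirectoryId could replace the per-directory call and its per-directory cache keys — worth confirming against the API reference before changing the key scheme.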
@@ -464,6 +465,15 @@ var (
 PostRun: awsPostRun,
 }
 
+ DirectoryServicesCommand = &cobra.Command{
+ Use: "ds",
+ Short: "Enumerate AWS-managed Active Directory instances and trusts",
+ Long: "\nUse case examples:\n" + os.Args[0] + " aws clouddirectory --profile readonly_profile",
+ PreRun: awsPreRun,
+ Run: runDirectoryServicesCommand,
+ PostRun: awsPostRun,
+ }
+
 AllChecksCommand = &cobra.Command{
 Use: "all-checks",
@@ -1301,6 +1311,27 @@ func runWorkloadsCommand(cmd *cobra.Command, args []string) {
 }
 }
 
+func runDirectoryServicesCommand(cmd *cobra.Command, args []string) {
+ for _, profile := range AWSProfiles {
+ var AWSConfig = internal.AWSConfigFileLoader(profile, cmd.Root().Version, AWSMFAToken)
+ caller, err := internal.AWSWhoami(profile, cmd.Root().Version, AWSMFAToken)
+ if err != nil {
+ continue
+ }
+ m := aws.DirectoryModule{
+ DSClient: directoryservice.NewFromConfig(AWSConfig),
+ Caller: *caller,
+ AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken),
+ AWSProfile: profile,
+ Goroutines: Goroutines,
+ WrapTable: AWSWrapTable,
+ AWSOutputType: AWSOutputType,
+ AWSTableCols: AWSTableCols,
+ }
+ m.PrintDirectories(AWSOutputDirectory, Verbosity)
+ }
+}
+
 func runECSTasksCommand(cmd *cobra.Command, args []string) {
 for _, profile := range AWSProfiles {
 caller, err := internal.AWSWhoami(profile, cmd.Root().Version, AWSMFAToken)
@@ -1997,6 +2028,7 @@ func init() {
 OrgsCommand,
 DatabasesCommand,
 WorkloadsCommand,
+ DirectoryServicesCommand,
 )
 }
diff --git a/go.mod b/go.mod
index a1db75b..987cebc 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/Azure/go-autorest/autorest v0.11.29
 github.com/Azure/go-autorest/autorest/azure/auth v0.5.12
 github.com/aquasecurity/table v1.8.0
- github.com/aws/aws-sdk-go-v2 v1.24.1
+ github.com/aws/aws-sdk-go-v2 v1.26.1
 github.com/aws/aws-sdk-go-v2/config v1.26.2
 github.com/aws/aws-sdk-go-v2/service/apigateway v1.21.6
 github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.18.6
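Review bot: The Long help text tells the user to run ` aws clouddirectory --profile readonly_profile`, but the command is registered as `Use: "ds"`, so the example points at a subcommand that does not exist; change it to `" aws ds --profile readonly_profile"`. The Short text says "AWS-managed Active Directory instances", while DescribeDirectories also returns Simple AD and AD Connector directories, so "Enumerate AWS Directory Service directories and their trusts" would describe the output more accurately.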
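Review bot: The aws.DirectoryModule literal never sets AWSProfileProvided, so in PrintDirectories the `if m.AWSProfileProvided == ""` branch is always taken and m.output.FilePath is built with an empty prefix ("-<account>") regardless of the --profile the user passed; the other run*Command constructors are outside this hunk, so check whether they set `AWSProfileProvided: AWSProfile` and mirror that here. A failed AWSWhoami is handled with a bare `continue`, so when several profiles are given, one whose credentials fail produces no output and no message; this looks like the pattern in runECSTasksCommand just below, but a one-line log before the continue would make the skipped profile visible to the operator.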
@@ -50,7 +50,7 @@ require (
 github.com/aws/aws-sdk-go-v2/service/sqs v1.29.6
 github.com/aws/aws-sdk-go-v2/service/ssm v1.44.6
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.6
- github.com/aws/smithy-go v1.19.0
+ github.com/aws/smithy-go v1.20.2
 github.com/bishopfox/awsservicemap v1.0.3
 github.com/bishopfox/knownawsaccountslookup v0.0.0-20231228165844-c37ef8df33cb
 github.com/dominikbraun/graph v0.23.0
@@ -65,6 +65,7 @@ require (
 )
 
 require (
+ github.com/aws/aws-sdk-go-v2/service/directoryservice v1.24.4 // indirect
 github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 )
@@ -85,8 +86,8 @@ require (
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
 github.com/aws/aws-sdk-go-v2/credentials v1.16.13
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 // indirect
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.9 // indirect
 github.com/aws/aws-sdk-go-v2/service/athena v1.37.3
diff --git a/go.sum b/go.sum
index dbc9be4..913fe25 100644
--- a/go.sum
+++ b/go.sum
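Review bot: github.com/aws/aws-sdk-go-v2/service/directoryservice is added with an `// indirect` marker, but aws/sdk/ds.go and cli/aws.go in this same patch import it directly, so the marker is wrong and `go mod tidy` would move the line into the direct require block alongside the other service modules. It is not clear from the hunk whether the configsources and endpoints/v2 bumps came from tidy or were edited by hand; running tidy and committing its result would settle both points and keep go.mod consistent with what the build actually resolves.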
@@ -51,6 +51,8 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU= github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= +github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= +github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 h1:OCs21ST2LrepDfD3lwlQiOqIGp6JiEUqG84GzTDoyJs= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4/go.mod h1:usURWEKSNNAcAZuzRn/9ZYPT8aZQkR7xcCtunK/LkJo= github.com/aws/aws-sdk-go-v2/config v1.26.2 h1:+RWLEIWQIGgrz2pBPAUoGgNGs1TOyF4Hml7hCnYj2jc= 
@@ -61,8 +63,12 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10 h1:w98BT5w+ao1/r5sUuiH6Jk github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10/go.mod h1:K2WGI7vUvkIv1HoNbfBA1bvIZ+9kL3YVmWxeKuLQsiw= github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4= github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc= github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM= github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.9 h1:ugD6qzjYtB7zM5PN/ZIeaAIyefPaD82G8+SJopgvUpw= 
@@ -93,6 +99,8 @@ github.com/aws/aws-sdk-go-v2/service/codedeploy v1.22.2 h1:3b8fwDhM0bJoOVglvM1w4 github.com/aws/aws-sdk-go-v2/service/codedeploy v1.22.2/go.mod h1:RiusqJl55/p7S8LNMh2J3ZsDHDqxRiPdsfIaZRKeEUo= github.com/aws/aws-sdk-go-v2/service/datapipeline v1.19.5 h1:zkIKbco/gM4fmbU90ajz4ah3ErgAgot7aTE0PpIxNuE= github.com/aws/aws-sdk-go-v2/service/datapipeline v1.19.5/go.mod h1:+G+TF84SIgMdGDjZKKYPpx6LwXSN4QcywQGa8e2vJ1U= +github.com/aws/aws-sdk-go-v2/service/directoryservice v1.24.4 h1:XBgx3sdaA0SoPXsZSNSUL14H0UnYnTSVArieaYNv0EI= +github.com/aws/aws-sdk-go-v2/service/directoryservice v1.24.4/go.mod h1:Lm/qj7nCC0zEFoAdjbun8xLkflPFNbbspQVZgQQiOz8= github.com/aws/aws-sdk-go-v2/service/docdb v1.29.5 h1:txsajy47TIyoL7/BQt0VwqmzLPIsfAT/RWI9iD4q5vU= github.com/aws/aws-sdk-go-v2/service/docdb v1.29.5/go.mod h1:8d1RpdlgxFU6VO2aWru1ckR0Vsm4EgqCZgOamw5OHpw= github.com/aws/aws-sdk-go-v2/service/dynamodb v1.26.7 h1:X60rMbnylU1xmmhv4+/N78t+lKOCC4ELst5eR25dyqg= @@ -179,6 +187,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.26.6 h1:HJeiuZ2fldpd0WqngyMR6KW7ofkX github.com/aws/aws-sdk-go-v2/service/sts v1.26.6/go.mod h1:XX5gh4CB7wAs4KhcF46G6C8a2i7eupU19dcAAE+EydU= github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM= github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= +github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= +github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/bishopfox/awsservicemap v1.0.3 h1:0T+mJLwG+vQV9+o3dzwzxhWJWE40VpoCLWtaPBwixYc= github.com/bishopfox/awsservicemap v1.0.3/go.mod h1:oy9Fyqh6AozQjShSx+zRNouTlp7k3z3YEMoFkN8rquc= github.com/bishopfox/knownawsaccountslookup v0.0.0-20231228165844-c37ef8df33cb h1:ot96tC/kdm0GKV1kl+aXJorqJbyx92R9bjRQvbBmLKU= From 608f07804e5abdba69f32fa9a74d40aad89cdc38 Mon Sep 17 00:00:00 2001 
From: Bastien Faure
Date: Tue, 2 Apr 2024 12:00:45 -0700
Subject: [PATCH 2/4] AWS uses a mix of clouddirectory and directoryservices for Directory services
---
 aws/directory-services.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws/directory-services.go b/aws/directory-services.go
index 582f01c..854a552 100644
--- a/aws/directory-services.go
+++ b/aws/directory-services.go
@@ -193,7 +193,7 @@ func (m *DirectoryModule) executeChecks(r string, wg *sync.WaitGroup, semaphore
 servicemap := &awsservicemap.AwsServiceMap{
 JsonFileSource: "DOWNLOAD_FROM_AWS",
 }
- res, err := servicemap.IsServiceInRegion("ec2", r)
+ res, err := servicemap.IsServiceInRegion("clouddirectory", r)
 if err != nil {
 m.modLog.Error(err)
 }
From 57832ada7cfe6b2fc09eff57f11df91af2772f5c Mon Sep 17 00:00:00 2001
From: Bastien Faure
Date: Tue, 2 Apr 2024 12:01:31 -0700
Subject: [PATCH 3/4] Codespell fix
---
 aws/directory-services.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws/directory-services.go b/aws/directory-services.go
index 854a552..d822ac6 100644
--- a/aws/directory-services.go
+++ b/aws/directory-services.go
@@ -228,7 +228,7 @@ func (m *DirectoryModule) getDirectoriesPerRegion(r string, wg *sync.WaitGroup,
 <-semaphore
 }()
 
- // Get directorys
+ // Get directories
 directories, err := sdk.CachedDSDescribeDirectories(m.DSClient, aws.ToString(m.Caller.Account), r)
 if err != nil {
 m.modLog.Error(err)
From 67af1bd7fbb585158f3cb49cad6a5ece5a2d7571 Mon Sep 17 00:00:00 2001
From: sethsec-bf <46326948+sethsec-bf@users.noreply.github.com>
Date: Tue, 16 Apr 2024 10:23:06 -0400
Subject: [PATCH 4/4] update gcp package with vuln
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 434dfa1..7e4b27e 100644
--- a/go.mod
+++ b/go.mod
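Review bot: The region gate now asks awsservicemap whether "clouddirectory" exists in the region, but Amazon Cloud Directory and AWS Directory Service (the `ds` API this module actually calls) are separate services with different regional footprints, so a region where Directory Service is available but Cloud Directory is not will be skipped silently and its directories and trusts never enumerated — for an attack-surface tool that is a false negative, not a harmless shortcut. If the service map has an entry for Directory Service itself, use that key; otherwise drop the gate, query every enabled region, and treat an unsupported-region error from DescribeDirectories as non-fatal (the exact key the map uses cannot be confirmed from this hunk). The body of executeChecks starts and ends outside the hunk.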
@@ -84,7 +84,7 @@ require (
 golang.org/x/oauth2 v0.15.0
 google.golang.org/api v0.152.0
 google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17
- google.golang.org/protobuf v1.31.0
+ google.golang.org/protobuf v1.33.0
 )
 
 require (
diff --git a/go.sum b/go.sum
index b48fe85..b4ae1aa 100644
--- a/go.sum
+++ b/go.sum
@@ -505,8 +505,8 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=