
Cloud Recon Tool

Project description

Quiet Riot

:notes: C'mon, Feel The Noise :notes:

An enumeration tool for scalable, unauthenticated validation of AWS principals (no access to the target account is required), including AWS Account IDs, root e-mail addresses, IAM users, and IAM roles.

Credit: Daniel Grzelak @dagrz for identifying the technique and Will Bengston @__muscles for inspiring me to scale it.

See the introductory blog post here.
See a defender's perspective blog post here.

Getting Started With Quiet Riot

Prerequisites

boto3/botocore
Sufficient AWS credentials configured via CLI

Installation:

The first step is to have sufficient AWS credentials configured via the CLI. Quiet Riot validates principals from an account you control, so if you do not have your own AWS account, or sufficient credentials in one, it will not work.

Create a virtual environment, or install the quiet_riot package directly with pip:

pip install quiet-riot

After installing, run quiet_riot --help to confirm the install and see the options.

Usage:

The arguments for quiet_riot are --scan_type, --threads, --wordlist and --profile.

The only required argument is --scan_type; the others are optional.

For example: quiet_riot --scan_type 3 --threads 30 --wordlist D:\path_to_wordlist_file --profile Default

The short forms --s, --t, --w and --p are also accepted.

--scan_type, --s

The type of scan to attempt, given as its number:

         1. AWS Account IDs
         2. Microsoft 365 Domains
         3. AWS Services Footprinting
         4. AWS Root User E-mail Address
         5. AWS IAM Principals
            5.1. IAM Roles
            5.2. IAM Users
         6. Microsoft 365 Users (e-mails)
         7. Google Workspace Users (e-mails)

--threads, --t

Approximately how many threads you want to run, as a number, e.g. 23, 30 or 90. More threads means more concurrent API calls, and therefore more throttling (see Featureploitation Limits below).

Hint: a 2020 M1 MacBook Air with 16 GB RAM performs best at around 700 threads, from limited testing.

--wordlist, --w

Path to the wordlist file used for the scan (candidate Account IDs, e-mail addresses, user or role names, depending on the scan type).

--profile, --p

The name of an AWS profile configured through the CLI, e.g. Default or Dev.

Featureploitation Limits

Throttling

After extensive analysis of scaling methods using the AWS Python SDK (Boto3), I determined that the bottleneck for scanning (at least for Python- and awscli-based tools) is the I/O capacity of a single-threaded Python application. After modifying the program to run with multiple threads, I was able to trigger exceptions in individual threads due to throttling by the various AWS APIs. You can see the results from running a few benchmarking test scans here. The APIs I tested had wildly different throttling limits; notably, S3 bucket policy attempts took ~10x as long as similar attempts against other services.

With further testing, I settled on a combination of SNS, ECR Public and ECR Private in us-east-1, split roughly 40%/50%/10%, with ~700 threads. The machine I used was a 2020 MacBook Air (M1, 16 GB RAM). This configuration yielded on average ~1100 calls/sec, though the actual rate fluctuates significantly depending on a variety of factors, including network connectivity. Under this configuration I still occasionally hit a throttling exception on a thread, but I have since raised the botocore retry attempts (4 -> 7), which eliminates the issue with a minor performance trade-off.

Computational Difficulty

To attempt every possible Account ID in AWS (IDs are 12 digits, so 1,000,000,000,000 candidates) would require an infeasible amount of time given only one account. Even assuming absolute efficiency*, over the course of a day an attacker can only make 95,040,000 validation checks. Over 30 days that is 2,851,200,000 validation checks, and we are still over 28 years away from enumerating every valid AWS Account ID. Fortunately for the attacker, there is nothing stopping us from registering many AWS accounts and automating this scan. While there is an initial limit of 20 accounts per AWS Organization, I was able to get this limit increased for my Organization via console self-service and approval from an AWS representative. The approval occurred without any further questions, and now I'm off to automating this writ large. Again assuming absolute efficiency, the 28 years of scanning could potentially be reduced to ~100 days (roughly 100 accounts scanning in parallel).

*~1100 API calls (one check each) per second, in perpetuity, per account, never repeating a guessed Account ID.
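The threaded, throttle-aware validation loop that the Throttling and Computational Difficulty sections describe, as an added example (mine, not Quiet Riot's own code). The retry budget of 7 attempts, the 40/50/10 SNS/ECR Public/ECR Private split, us-east-1 and the 1100 calls/sec figure come from the text above. Everything else is an assumption not stated on the page: that each check is a resource-policy write naming the guessed principal, that the error codes listed below are what the APIs return for an unknown principal (verify against the real responses before trusting a verdict), and the `attempt` callback, the scratch resource names and the `days_to_enumerate` helper are mine.

```python
# Added example, not Quiet Riot's code. Assumed mechanism: attempt to grant a
# guessed principal access in a resource policy; an unknown principal is
# rejected with a distinguishable error code. Error codes below are assumptions.
import json
import random
import threading
from concurrent.futures import ThreadPoolExecutor

# Service mix from the README benchmark: ~40% SNS, ~50% ECR Public, ~10% ECR Private
SERVICE_WEIGHTS = {"sns": 0.4, "ecr-public": 0.5, "ecr": 0.1}
# Read-only action per service so the scratch resource never grants anything useful
POLICY_ACTION = {"sns": "sns:GetTopicAttributes",
                 "ecr-public": "ecr-public:DescribeRepositories",
                 "ecr": "ecr:DescribeRepositories"}
# Assumed (unverified here) codes meaning "the principal does not exist"
NOT_FOUND_CODES = {"InvalidParameter", "InvalidParameterException",
                   "MalformedPolicyDocument", "MalformedPolicy"}
# Codes meaning the call was throttled: the guess must be retried, not scored
THROTTLE_CODES = {"Throttling", "ThrottlingException", "TooManyRequestsException"}


def policy_for(principal: str, action: str, resource: str = None) -> str:
    """Minimal policy naming the guessed principal; Resource only where the service wants it."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": action}
    if resource:
        stmt["Resource"] = resource
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


def pick_service(rng=random) -> str:
    """Weighted choice so load spreads across APIs with different throttling limits."""
    names, weights = zip(*SERVICE_WEIGHTS.items())
    return rng.choices(names, weights=weights, k=1)[0]


def classify(exc) -> str:
    """Map a failed attempt to not_found / throttled / unknown (a clean call means 'exists')."""
    code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
    if code in THROTTLE_CODES:
        return "throttled"
    if code in NOT_FOUND_CODES:
        return "not_found"
    return "unknown"


def check_principal(principal: str, attempt, rng=random) -> str:
    """attempt(service, principal) performs the policy write; raising means the API rejected it."""
    try:
        attempt(pick_service(rng), principal)
    except Exception as exc:  # botocore's ClientError carries .response["Error"]["Code"]
        return classify(exc)
    return "exists"


def run_scan(candidates, attempt, threads=700) -> dict:
    """Fan candidates out over a bounded thread pool; returns {principal: verdict}."""
    results, lock = {}, threading.Lock()

    def worker(principal):
        verdict = check_principal(principal, attempt)
        with lock:
            results[principal] = verdict

    with ThreadPoolExecutor(max_workers=threads) as pool:
        list(pool.map(worker, candidates))
    return results


def make_boto_attempt(resources, profile=None, region="us-east-1"):
    """Real attempt() on boto3 with the README's retry bump (4 -> 7).

    resources = {"sns": topic_arn, "ecr-public": repo_name, "ecr": repo_name} are
    scratch resources in your own account and are assumed to exist already.
    """
    import boto3  # imported lazily so the scoring logic above runs without it
    from botocore.config import Config

    cfg = Config(retries={"max_attempts": 7, "mode": "standard"}, max_pool_connections=50)
    session = boto3.Session(profile_name=profile, region_name=region)
    clients = {name: session.client(name, config=cfg) for name in SERVICE_WEIGHTS}

    def attempt(service, principal):
        if service == "sns":
            clients["sns"].set_topic_attributes(
                TopicArn=resources["sns"], AttributeName="Policy",
                AttributeValue=policy_for(principal, POLICY_ACTION["sns"], resources["sns"]))
        else:  # ecr and ecr-public share the same repository-policy call shape
            clients[service].set_repository_policy(
                repositoryName=resources[service],
                policyText=policy_for(principal, POLICY_ACTION[service]))
    return attempt


def days_to_enumerate(calls_per_sec=1100, accounts=1, id_space=10**12) -> float:
    """README budget: 12-digit Account ID space at a sustained per-account check rate."""
    return id_space / (calls_per_sec * 86400 * accounts)


if __name__ == "__main__":
    print(f"{days_to_enumerate():,.0f} days with one account, "
          f"{days_to_enumerate(accounts=105):,.0f} days with 105 accounts")
```

A "throttled" verdict is deliberately kept separate from "not_found": with 700 threads, a throttled call that is scored as a miss silently drops a valid principal from the results, which is exactly the failure the 4 -> 7 retry bump in the text is meant to prevent.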

Potential Supported Services

| #  | AWS Service                       | Description                             | API Limits | Resource Pricing | Enumeration Capability |
|----|-----------------------------------|-----------------------------------------|------------|------------------|------------------------|
| 1  | SNS                               | Managed Serverless Notification Service | Unknown    | Unknown          | Yes                    |
| 2  | KMS                               | Encryption Key Management Service       | Unknown    | Unknown          | Yes                    |
| 3  | SecretsManager                    | Managed Secret Store                    | Unknown    | Unknown          | Yes                    |
| 4  | CodeArtifact                      | Managed Source Code Repository          | Unknown    | Unknown          | Yes                    |
| 5  | ECR Public                        | Managed Container Registry              | Unknown    | Unknown          | Yes                    |
| 6  | ECR Private                       | Managed Container Registry              | Unknown    | Unknown          | Yes                    |
| 7  | Lambda                            | Managed Serverless Function             | Unknown    | Unknown          | Yes                    |
| 8  | s3                                | Managed Serverless Object Store         | Unknown    | Unknown          | Yes                    |
| 9  | SES                               | SMTP Automation Service                 | Unknown    | Unknown          | Unknown                |
| 10 | ACM                               | Private Certificate Authority           | Unknown    | Unknown          | Unknown                |
| 11 | CodeBuild                         | Software Build Agent                    | Unknown    | Unknown          | Unknown                |
| 12 | AWS Backup                        | Managed Backup Service                  | Unknown    | Unknown          | Unknown                |
| 13 | Cloud9                            | Managed IDE                             | Unknown    | Unknown          | Unknown                |
| 14 | Glue                              | Managed ETL Job Service                 | Unknown    | Unknown          | Unknown                |
| 15 | EKS                               | Managed K8s Service                     | Unknown    | Unknown          | Unknown                |
| 16 | Lex V2                            | Managed NLP Service                     | Unknown    | Unknown          | Unknown                |
| 17 | CloudWatch Logs                   | Managed Log Pipeline/Monitoring         | Unknown    | Unknown          | Unknown                |
| 18 | VPC Endpoints                     | Managed Virtual Network                 | Unknown    | Unknown          | Unknown                |
| 19 | Elemental MediaStore              | Unknown                                 | Unknown    | Unknown          | Unknown                |
| 20 | OpenSearch                        | Managed ElasticSearch                   | Unknown    | Unknown          | Unknown                |
| 21 | EventBridge                       | Managed Serverless Event Hub            | Unknown    | Unknown          | Unknown                |
| 22 | EventBridge Schemas               | Managed Serverless Event Hub            | Unknown    | Unknown          | Unknown                |
| 23 | IoT                               | Internet-of-Things Management           | Unknown    | Unknown          | Unknown                |
| 24 | s3 Glacier                        | Cold Object Storage                     | Unknown    | Unknown          | Unknown                |
| 25 | ECS                               | Managed Container Orchestration         | Unknown    | Unknown          | Unknown                |
| 26 | Serverless Application Repository | Managed Source Code Repository          | Unknown    | Unknown          | No                     |
| 27 | SQS                               | Managed Serverless Queueing Service     | Unknown    | Unknown          | No                     |
| 28 | EFS                               | Managed Serverless Elastic File System  | Unknown    | Unknown          | No                     |

Download files


Source Distribution

quiet_riot-1.0.6.tar.gz (268.7 kB)

Built Distribution

quiet_riot-1.0.6-py3-none-any.whl (270.6 kB)

File details

Details for the file quiet_riot-1.0.6.tar.gz.

File metadata

  • Download URL: quiet_riot-1.0.6.tar.gz
  • Upload date:
  • Size: 268.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.10.8

File hashes

Hashes for quiet_riot-1.0.6.tar.gz

Algorithm    Hash digest
SHA256       1d0b8a45434e2aedc2d57b9d3aa4de567accfdadb52ca62f79f7e00af2e1a01f
MD5          758daaed6f75f7680aa459e144ee507e
BLAKE2b-256  a9da0bf281d877fca103ca52a84b051cb79b144b79a0761ccfcc3ffad98bbbd6

File details

Details for the file quiet_riot-1.0.6-py3-none-any.whl.

File metadata

  • Download URL: quiet_riot-1.0.6-py3-none-any.whl
  • Upload date:
  • Size: 270.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.10.8

File hashes

Hashes for quiet_riot-1.0.6-py3-none-any.whl

Algorithm    Hash digest
SHA256       1d5aa7a08be04c3a617dd7c243cce1839d3d8e59d529222999d9fe74ca9f9dad
MD5          bcc14a087f5b31c7f95d51776ef8c659
BLAKE2b-256  909451fed69640fd251162a039a8f1410d39a909e72454f44a1c33981523e048
