Skip to content

Instantly share code, notes, and snippets.

@lawbyte

lawbyte/targeted_aws_enumeration.py

Created September 7, 2025 20:24
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save lawbyte/3e777ca6c4e40d553fc87831ecd20f7d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save lawbyte/3e777ca6c4e40d553fc87831ecd20f7d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
targeted_aws_enumeration.py
#!/usr/bin/env python3
"""
Targeted AWS Enumeration Script
Focus on services that were accessible in the original enumeration
"""
import boto3
import json
import sys
import time
from botocore.exceptions import ClientError, NoCredentialsError, EndpointConnectionError
from datetime import datetime, timedelta
# AWS Credentials from the log
AWS_ACCESS_KEY = ""
AWS_SECRET_KEY = ""
AWS_SESSION_TOKEN = ""
AWS_REGION = "us-east-1"
def create_session():
"""Create AWS session with provided credentials"""
try:
session = boto3.Session(
aws_access_key_id=AWS_ACCESS_KEY,
aws_secret_access_key=AWS_SECRET_KEY,
aws_session_token=AWS_SESSION_TOKEN,
region_name=AWS_REGION
)
return session
except Exception as e:
print(f"❌ Error creating session: {e}")
return None
def check_cloudwatch_alarms(session):
"""Check CloudWatch alarms for any flag-related information"""
print("\nπŸ“Š CloudWatch Alarms Analysis")
print("=" * 50)
try:
cloudwatch = session.client('cloudwatch')
# Get alarm details
alarms = cloudwatch.describe_alarms()
for alarm in alarms['MetricAlarms']:
alarm_name = alarm['AlarmName']
print(f"\n🚨 Alarm: {alarm_name}")
print(f" ARN: {alarm['AlarmArn']}")
print(f" State: {alarm['StateValue']}")
print(f" Description: {alarm.get('AlarmDescription', 'N/A')}")
# Check if alarm name or description contains flag-related keywords
if any(keyword in alarm_name.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 POTENTIAL FLAG-RELATED ALARM: {alarm_name}")
if alarm.get('AlarmDescription'):
desc = alarm['AlarmDescription']
if any(keyword in desc.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED DESCRIPTION: {desc}")
# Check alarm actions
if 'AlarmActions' in alarm and alarm['AlarmActions']:
print(f" Actions: {alarm['AlarmActions']}")
# Check if any action contains flag-related info
for action in alarm['AlarmActions']:
if any(keyword in action.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret']):
print(f" 🚨 FLAG-RELATED ACTION: {action}")
except Exception as e:
print(f"❌ CloudWatch alarms analysis failed: {e}")
def check_cloudwatch_metrics(session):
"""Check CloudWatch metrics for any flag-related information"""
print("\nπŸ“ˆ CloudWatch Metrics Analysis")
print("=" * 50)
try:
cloudwatch = session.client('cloudwatch')
# List metrics
metrics = cloudwatch.list_metrics()
print(f"Found {len(metrics['Metrics'])} metrics:")
for metric in metrics['Metrics']:
namespace = metric['Namespace']
metric_name = metric['MetricName']
# Check for flag-related metrics
if any(keyword in namespace.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret']):
print(f"🚨 FLAG-RELATED NAMESPACE: {namespace}")
print(f" Metric: {metric_name}")
print(f" Dimensions: {metric.get('Dimensions', [])}")
if any(keyword in metric_name.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret']):
print(f"🚨 FLAG-RELATED METRIC: {metric_name}")
print(f" Namespace: {namespace}")
print(f" Dimensions: {metric.get('Dimensions', [])}")
except Exception as e:
print(f"❌ CloudWatch metrics analysis failed: {e}")
def check_resource_tags(session):
"""Check resource tags for any flag-related information"""
print("\n🏷️ Resource Tags Analysis")
print("=" * 50)
try:
tagging = session.client('resourcegroupstaggingapi')
# Get all resources with tags
resources = tagging.get_resources()
print(f"Found {len(resources['ResourceTagMappingList'])} resources:")
for resource in resources['ResourceTagMappingList']:
arn = resource['ResourceARN']
tags = resource.get('Tags', [])
print(f"\nπŸ“¦ Resource: {arn}")
if tags:
print(f" Tags:")
for tag in tags:
key = tag['Key']
value = tag['Value']
print(f" {key}: {value}")
# Check for flag-related tags
if any(keyword in key.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED TAG KEY: {key}")
if any(keyword in value.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED TAG VALUE: {value}")
else:
print(f" No tags")
except Exception as e:
print(f"❌ Resource tags analysis failed: {e}")
def check_ec2_instances(session):
"""Check EC2 instances for any flag-related information"""
print("\nπŸ–₯️ EC2 Instances Analysis")
print("=" * 50)
try:
ec2 = session.client('ec2')
# Describe instances
instances = ec2.describe_instances()
print(f"Found {len(instances['Reservations'])} reservations:")
for reservation in instances['Reservations']:
for instance in reservation['Instances']:
instance_id = instance['InstanceId']
print(f"\nπŸ–₯️ Instance: {instance_id}")
print(f" State: {instance['State']['Name']}")
print(f" Type: {instance['InstanceType']}")
print(f" Launch Time: {instance['LaunchTime']}")
# Check tags
if 'Tags' in instance:
print(f" Tags:")
for tag in instance['Tags']:
key = tag['Key']
value = tag['Value']
print(f" {key}: {value}")
# Check for flag-related tags
if any(keyword in key.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED TAG KEY: {key}")
if any(keyword in value.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED TAG VALUE: {value}")
# Check user data
if 'UserData' in instance and instance['UserData']:
user_data = instance['UserData']
print(f" User Data: {user_data}")
if any(keyword in user_data.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED USER DATA FOUND!")
# Save user data to file
with open(f"foren/instance_{instance_id}_userdata.txt", 'w') as f:
f.write(user_data)
print(f" πŸ’Ύ Saved to: foren/instance_{instance_id}_userdata.txt")
except Exception as e:
print(f"❌ EC2 instances analysis failed: {e}")
def check_ec2_security_groups(session):
"""Check EC2 security groups for any flag-related information"""
print("\nπŸ”’ EC2 Security Groups Analysis")
print("=" * 50)
try:
ec2 = session.client('ec2')
# Describe security groups
security_groups = ec2.describe_security_groups()
print(f"Found {len(security_groups['SecurityGroups'])} security groups:")
for sg in security_groups['SecurityGroups']:
group_id = sg['GroupId']
group_name = sg['GroupName']
description = sg['Description']
print(f"\nπŸ”’ Security Group: {group_id}")
print(f" Name: {group_name}")
print(f" Description: {description}")
# Check for flag-related information
if any(keyword in group_name.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED GROUP NAME: {group_name}")
if any(keyword in description.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED DESCRIPTION: {description}")
# Check tags
if 'Tags' in sg:
print(f" Tags:")
for tag in sg['Tags']:
key = tag['Key']
value = tag['Value']
print(f" {key}: {value}")
# Check for flag-related tags
if any(keyword in key.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED TAG KEY: {key}")
if any(keyword in value.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED TAG VALUE: {value}")
except Exception as e:
print(f"❌ EC2 security groups analysis failed: {e}")
def check_elasticbeanstalk(session):
"""Check Elastic Beanstalk for any flag-related information"""
print("\n🌱 Elastic Beanstalk Analysis")
print("=" * 50)
try:
eb = session.client('elasticbeanstalk')
# Describe applications
applications = eb.describe_applications()
print(f"Found {len(applications['Applications'])} applications:")
for app in applications['Applications']:
app_name = app['ApplicationName']
description = app.get('Description', 'N/A')
print(f"\n🌱 Application: {app_name}")
print(f" Description: {description}")
# Check for flag-related information
if any(keyword in app_name.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED APP NAME: {app_name}")
if any(keyword in description.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED DESCRIPTION: {description}")
# Describe environments
environments = eb.describe_environments()
print(f"\nFound {len(environments['Environments'])} environments:")
for env in environments['Environments']:
env_name = env['EnvironmentName']
app_name = env['ApplicationName']
status = env['Status']
print(f"\n🌱 Environment: {env_name}")
print(f" Application: {app_name}")
print(f" Status: {status}")
# Check for flag-related information
if any(keyword in env_name.lower() for keyword in ['flag', 'encrypt', 'decrypt', 'key', 'secret', 'password']):
print(f" 🚨 FLAG-RELATED ENV NAME: {env_name}")
except Exception as e:
print(f"❌ Elastic Beanstalk analysis failed: {e}")
def main():
"""Main targeted enumeration function"""
print("🎯 Targeted AWS Enumeration Script")
print("=" * 80)
print(f"Region: {AWS_REGION}")
print(f"Timestamp: {datetime.now()}")
# Create session
session = create_session()
if not session:
sys.exit(1)
# Run targeted enumerations on accessible services
check_cloudwatch_alarms(session)
check_cloudwatch_metrics(session)
check_resource_tags(session)
check_ec2_instances(session)
check_ec2_security_groups(session)
check_elasticbeanstalk(session)
print("\nβœ… Targeted enumeration complete!")
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment