Cloudfox Versions Save

Commits

• a38451c: Typo fixes, reduced copy pasta, Neptune support (enzowritescode) #74
• 8c4bcc0: Add .idea to gitignore for GoLand (enzowritescode) #74
• 29514a9: Merge in latest and fix merge conflicts (enzowritescode) #74
• ae1dac6: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #80
• ca437d3: Filter Neptune results (enzowritescode) #74
• 59afbb3: Switched RDS database command from instances to clusters, and since it grabs Neptune and DocsDB clusters, we don't need to run those api calls. (they all return the same data). Also added back port info and added role info to the RDS clusters in -o wide mode (sethsec-bf) #74
• 80c00f3: Added test for databases command (sethsec-bf) #74
• 15e0507: Merge branch 'main' into feature/aws-neptune (Seth Art) #74
• fd01647: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #80
• 8d03932: Fix for #77 (sethsec-bf) #80
• a1903f6: Major update for role trusts parsing. Cleaner version has case statement on federated principal value and not soley on condition data (sethsec-bf) #80
• 6a21b96: Auth0 not ready yet - also this new version lists unknown federated types not instead of ignoring them (sethsec-bf) #80
• cec0d49: Fixing a bug in the new cached versions of the apigateway sdk calls (sethsec-bf) #80
• eaac503: bumped version to 1.13.4 for release with apigateway fix (sethsec-bf) #80
• 00e63b0: found a way to fix the apigateway types conflict with gob (sethsec-bf) #80

Commits

• 1ca5dbf: Fix bug in role-trusts command around new vendor lookup feature, enabled caching on apigateway commands (sethsec-bf)

Commits

• a656103: Bumped to version 1.31.1 before PR (sethsec-bf) #75
• b5908fc: Fixed bug in the role trusts command introduced in 1.13.1 where cloudfox only shows princiapls with :root trust and not ALL role trusts (sethsec-bf) #75
• 18e38bf: Fixed bug in env-vars command introduced in 1.13.1 with the new interesting version of the table written to disk. was still recording them all. now the second table only has interesting env-vars (sethsec-bf) #75
• 237b073: Bumped version to 1.13.2 (sethsec-bf) #75

Commits

• f13df07: Added mocks for apigw and apigwv2, and a test for the new api-gw command (sethsec-bf) #73
• 525f262: Added mocks for apigw and apigwv2, and a test for the new api-gw command (sethsec-bf) #73
• 1d53b98: Used the output2 loot mechanism for api-gws, updated tests (sethsec-bf) #73
• 97e2fef: Add data from fwd:cloudsec's known_aws_accounts repo into role-trust module (sethsec-bf) #73
• ea2ee3d: Fixed bug where instances without instance profile were not showing up (sethsec-bf) #73
• 5df1ca6: Update README.md (Seth Art)
• dd6bfef: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #73
• 13a03c5: Fixed panic bug that occured when user specified a profile that did not exist (sethsec-bf) #73
• 5827abb: Hopefully this is a fix for #72 (sethsec-bf) #73
• 89789a0: updated pmapper command info (sethsec-bf) #73
• 23fc346: Update README.md (Seth Art)
• ff810ba: Update README.md (Seth Art)
• 8e99347: Update README.md (Seth Art)
• e08967b: This potential fix for #72 makes a lot more sense. Rather than overrwite the profile attribute of the struct, i have an AWSProfileProvided and a AWSProfileFake so that I can just pass the orig to other modules (since each module cleans it up itself). (sethsec-bf) #73
• 6069267: Fix for sub issue found by @cyberbutler in #72 (sethsec-bf) #73
• 1d1d198: More fixes from #72. Took the suggestion from @johnkeates and fixed the prepopulated nmap commands to NOT include a profile for the cases where the user did not specify a profile for cloudfox (sethsec-bf) #73
• 997c13d: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #73

AWS

• New Commands

  • workloads - Summarize all compute workloads that have administrative access or a path to admin (EC2, Lambda, ECS for now)
  • api-gws - (Contributed by @wdahlenburg) Enumerates all of the API gateways. Grabs API keys if they exist and creates a loot file with curl commands for you to access each endpoint

• Command Updates

  • role-trusts - Added new output file for role-trusts that highlights the role that trust :root and also don't have an external ID
  • env-vars - Added new output file for env-vars that highlights interesting credentials based on the name (secret, key, password, token, etc.)
  • env-vars - Added color to screen print to highlight the interesting credentials based on the name (secret, key, password, token, etc.)
  • workloads - Added color to screen print to highlight the princpals that are assigned to workloads that also are admin or have a path to admin.
  • iam-simulator & permissions - Fixed a bug in the iam-simulator and permissions commands where they were not writing a custom filename for custom checks.
  • inventory - Supports more resources

• General AWS Updates

  • Updated default AWS output to v2 (shows table data). To suppress, use -v1 at the command line
  • Added support for roles that require MFA
  • Added ability for users to specify which columns they want displayed
  • Added a -o wide flag to all commands. Like kubectl, you get default cols without -o wide, but with it, you get a few extra columns or arns instead of names in some cases.

Commits

• 17011f3: Additional enumeration on API gateways compared to the endpoints module (Wyatt Dahlenburg) #64
• 5eff1c7: Merging with main + minor updates (Wyatt Dahlenburg) #64
• 2ce1f0f: Codespell (Wyatt Dahlenburg) #64
• b1c248b: Used SDK, added more counters (sethsec-bf) #64
• 7343852: Updated endpoints to use the newly created sdk functions (sethsec-bf) #64
• Added a new output file for role trusts that just highlights the overly permissive root trusts without external ID #67 (sethsec-bf)
• First draft of new workloads command - summarizes all workloads #67 (sethsec-bf)
• 82738db: Fixed a bug where when pmapper data was missing iam simulator was not getting IAM roles properly. Also got workloads command working (sethsec-bf) #67
• 98af839: Added intersting functionality to env-vars and workloads (sethsec-bf) #67
• a690ad3: bumped version to 1.13.0-prerelease (sethsec-bf) #67
• ae7ed9e: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #67
• 6e146a5: add mfatoken param from recent update to api-gw code (sethsec-bf) #67
• cef6c9e: Fixed a bug where iam-simulator custom commands were overwriting the files for the default run. (sethsec-bf) #67
• 2b19d0a: For 1.13, switching default AWS verbosity to 2 (with the exception of all-checks which will be hardocded to a versbosity of 1) (sethsec-bf) #67
• d1af1bb: Fixed a bug where permissions custom runs were overwriting the files for the default run. (sethsec-bf) #67
• d648e5b: Added ability to supply just a princpal name, and the command will try it as a role and a user (sethsec-bf) #67
• 5c4d0fd: go get -u and fixes (sethsec-bf) #67
• cba252d: Normalize/clean up console messages. Also re-order the way the messages print in multi-profile mode (sethsec-bf) #67
• 06f8e36: bumped version to 1.13.0 (sethsec-bf) #67
• f1b6eae: codespell was tripping up on a has from go.sum (sethsec-bf) #67

Fixes:

• Fixed a bad bug in ECR that was only looking at the fist repo
• role trusts were not sorting by service anymore
• fix for #65 - now supports roles that require MFA token
• fixed bug in cache load. was skipping cache load if any single file was messed up. now just skips bad files
• fixed caching of glue resource policies
• fixed error where cache load was loading json files along with the gob files and erroring. skipping the json files.
• fixed bug in #53 - buckets with no policy were not creating policy cache stubs so each bucket without a policy would always look for a new policy

Updates:

• Added ability for users to specify which columns they want displayed
• Now supports profiles for roles that require MFA tokens

Commits

• 1ff35a7: Upgrade GitHub Actions (Christian Clauss) #50
• f78f149: Fix typos discovered by codespell (Christian Clauss) #51
• 217ac7a: GitHub Action to run codespell (Christian Clauss) #52
• 6d1b471: Update codespell.yml (Christian Clauss) #52
• 8d145b1: Update README.md with more install methods (Seth Art)
• 187299a: Update README.md (Seth Art) #56
• bcfa318: cache load was loading json files along with the gob files and erroring. skipping the json files. also, updated ioutil library to os library (sethsec-bf) #59
• 818c3a8: fixed cache load issue, updated aws instances command to use cached data (sethsec-bf) #59
• 50493e6: fixed bug in #53 - buckets with no policy were not creating policy cache stubs so each bucket without a policy would always look for a new policy (sethsec-bf) #59
• dad2277: moved policy analysis behind a feature flag in the buckets command (sethsec-bf) #59
• 57d9e91: removed newline from buckets policy analyis (sethsec-bf) #59
• 4ee0da8: added user controled columns to buckets, role-trusts, permissions (sethsec-bf) #59
• 9095908: added user controled columns to cloudformation, and access keys (sethsec-bf) #59
• 7d3a61a: fixed caching issues in sdk/ecs (sethsec-bf) #59
• 1215a27: completed --cols & -o wide support for ALL aws commands (sethsec-bf) #59
• b43d6ad: go get -u and fixes (sethsec-bf) #59
• 7656267: fixes #36. -o wide will give you the arn, and the default (-o brief) will only give you the name for brevity (sethsec-bf) #59
• 2dc20ea: fixed codespell items (sethsec-bf) #59
• 54f7849: added accountID col to every table and removed the service col in all commands that are single service. (sethsec-bf) #61
• 06344b9: added secrets manager to resourcetrusts and cloud9 to inventory (sethsec-bf) #61
• 6a6f758: Fixed a bad bug in ECR that was only looking at the fist repo (sethsec-bf) #61
• d505bc4: Updating the tests/mocks for ECR (sethsec-bf) #61
• e0f0627: new idea for resource trusts field (sethsec-bf) #61
• 8f5a571: fixed issue where role trusts was not sorting services correctly anymore (sethsec-bf) #66
• f51c1e9: Update README.md (Seth Art)
• 1819b11: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #66
• ff38b2c: fix for #65 -- adds config.WithAssumeRoleCredentialOptions section to the LoadDefaultConfig loader (sethsec-bf) #66
• 5e1ed54: fixed bug in cache loading that would error out if even a single cache file was not accounted for (sethsec-bf) #66
• 2ed0796: fixed bug where glue resource policy data was not caching properly. (sethsec-bf) #66
• a9a0c7a: more updates for #65. Added a cli flag --mfa-token so you can pass the token at the cloudfox command line. Ended up reworking AWSConfigFileLoader to use a map to store fetched configs which should have other performance improvemnts (sethsec-bf) #66
• 27a5110: for #65, decided to add a prompt to ask for MFA token if the user does not specify it at runtime (sethsec-bf) #66
• 9be3792: bumped version to 1.12.3 (sethsec-bf) #66

Commits

• 9f8ae08: another fix to pass brew tests (sethsec-bf) #49
• 40e0c92: another fix to pass brew tests (sethsec-bf) #49

Commits

• 42d7cfe: hacky fix to have error log written to local dir if user dir does not exist (so it can pass brew test) (sethsec-bf) #48

AWS

• Updates
  • Inventory - Inventory's rows are now dynamic. It will only show you rows if at least one of that resource type exists. Also added a bunch of new resources to inventory!
  • Caching - Continued to transfer more functions to cached versions.

Azure

• Updates
  • Global - Updated the -t tentant and -s subscription to accept common names for subscription ID and tentant ID in addition to the ID's themselves. Should make for a much better user experience.
  • Global -Completely reworked the logging directory structure to use the common names for subscription and ID, and to nest subscriptions within their tentants.
  • vms - Renamed the instances command to vms command to be more inline with azure terminology
  • vms - Added user-data extraction to the vms command

Commits

• 471da59: Updated ecs-tasks and eni to use cached functions (sethsec-bf) #46
• 602332a: Updated ecs-tasks and eni to use cached functions (sethsec-bf) #46
• 06a7e7e: Updated sdk package to do the gob initializations in self contained init functions (sethsec-bf) #46
• 659b2e7: Completed inventory migration to use sdk, also finally removed need for second global table (sethsec-bf) #46
• fc52e01: updated tests, added new sdk functions, added started the migration of keeping all mocks in _mocks.go files (sethsec-bf) #46
• e88cb77: updated inventory to include more ec2, ecs, and ecr resources (sethsec-bf) #46
• cef1aa3: updated inventory to include more ec2, ecs, and ecr resources (sethsec-bf) #46
• 60daff3: updated inventory to include more redshift, route53, updated route53 to use new cached functions and to include CNAME records in loot (sethsec-bf) #46
• 00ed8a7: Added many new resources to inventory. Made inventory rows dynamic. Only non-empty rows will print (sethsec-bf) #46
• d94fafe: go get -u (sethsec-bf) #46
• 3a19fdb: reworking the tenant/subscription file structure (sethsec-bf) #46
• 102b91e: Got rbac working with the new directory stucture and accepting common names for tentant and subscirption as input params (sethsec-bf) #46
• 08b5cd1: renamed rbac and storage, and converted instances and storage over to user names in addition to IDs as input params. (sethsec-bf) #46
• 5132622: updated azure to use same home directory logic as the aws command (sethsec-bf) #46
• 01d320d: inventory now supports tenant mode, both merged and split. fixed all tests (sethsec-bf) #46
• 5aab3b4: updated logging path for tenant data to make it more clear (sethsec-bf) #46
• aa42c8b: renamed azure instances -> vms, got userdata loot working on azure vms command (sethsec-bf) #46
• 8221b5f: bumped version to 1.12.0 (sethsec-bf) #46

Commits

• dc0396f: updated logging path to have profile come before account-id to make it easier to find the right data (sethsec-bf) #45