AWSRecon使用教程#
软件介绍#
AWSRecon是一款专门用于AWS(Amazon Web Services)云平台侦察和信息收集的工具。它能够自动发现和枚举AWS账户中的资源,包括EC2实例、S3存储桶、RDS数据库、Lambda函数等,是云安全评估和渗透测试的重要工具。
主要功能#
- AWS账户资源枚举
- S3存储桶发现
- EC2实例信息收集
- IAM策略分析
- 安全组检测
- 漏洞识别
- 合规性检查
- 报告生成
适用场景#
- 云安全评估
- 渗透测试
- 资产发现
- 风险评估
- 合规性审计
- 威胁情报收集
入门级使用#
安装AWSRecon#
使用Go安装#
# 安装Go语言(如果未安装)
wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
# 安装AWSRecon
go install github.com/darkbitio/awsrecon@latest
# 验证安装
awsrecon --version使用Docker安装#
# 使用Docker运行
docker run -it --rm darkbit/awsrecon:latest
# 或构建本地镜像
git clone https://github.com/darkbitio/awsrecon.git
cd awsrecon
docker build -t awsrecon .
docker run -it awsrecon配置AWS凭证#
创建AWS凭证#
# 安装AWS CLI
pip install awscli
# 配置AWS凭证
aws configure
# 或设置环境变量
export AWS_ACCESS_KEY_ID="your_access_key"
export AWS_SECRET_ACCESS_KEY="your_secret_key"
export AWS_DEFAULT_REGION="us-east-1"使用IAM角色#
# 如果在EC2上运行,使用IAM角色
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/ReconRole" --role-session-name recon基本侦察#
快速扫描#
# 快速扫描所有资源
awsrecon scan --all
# 扫描特定区域
awsrecon scan --region us-east-1
# 扫描特定服务
awsrecon scan --service ec2
awsrecon scan --service s3
awsrecon scan --service rds枚举S3存储桶#
# 枚举所有S3存储桶
awsrecon enum s3
# 列出存储桶内容
awsrecon enum s3 --bucket my-bucket
# 检查存储桶权限
awsrecon enum s3 --acl初级使用#
资源枚举#
EC2实例枚举#
# 枚举所有EC2实例
awsrecon enum ec2
# 枚举特定实例
awsrecon enum ec2 --instance-id i-1234567890abcdef0
# 枚举安全组
awsrecon enum ec2 --security-groups
# 枚举Volumes
awsrecon enum ec2 --volumesRDS数据库枚举#
# 枚举所有RDS实例
awsrecon enum rds
# 枚举数据库集群
awsrecon enum rds --clusters
# 枚举快照
awsrecon enum rds --snapshotsIAM分析#
枚举IAM用户#
# 枚举所有IAM用户
awsrecon enum iam --users
# 枚举IAM角色
awsrecon enum iam --roles
# 枚举IAM策略
awsrecon enum iam --policies
# 枚举访问密钥
awsrecon enum iam --access-keys分析IAM策略#
# 分析用户权限
awsrecon analyze iam --user myuser
# 分析策略文档
awsrecon analyze iam --policy arn:aws:iam::aws:policy/ReadOnlyAccess
# 检查过度权限
awsrecon analyze iam --privileged中级使用#
漏洞扫描#
检查公开存储桶#
# 检查S3存储桶ACL
awsrecon scan s3 --acl
# 检查存储桶策略
awsrecon scan s3 --policy
# 检查公开访问设置
awsrecon scan s3 --public-access检查不安全的配置#
# 检查安全组规则
awsrecon scan ec2 --security-groups --open-ports
# 检查未加密的存储
awsrecon scan ebs --unencrypted
# 检查过期的访问密钥
awsrecon scan iam --expired-keys数据导出#
导出为JSON#
# 导出所有侦察结果
awsrecon scan --all --output json > results.json
# 导出特定服务
awsrecon enum ec2 --output json > ec2.json
# 导出特定区域
awsrecon scan --region us-west-2 --output json > west2.json导出为CSV#
# 导出为CSV格式
awsrecon enum ec2 --output csv > ec2.csv
# 导出存储桶列表
awsrecon enum s3 --output csv > s3.csv批量操作#
扫描多个区域#
#!/bin/bash
# 扫描多个区域的EC2实例
REGIONS=("us-east-1" "us-west-2" "eu-west-1" "ap-northeast-1")
for region in "${REGIONS[@]}"; do
echo "=== 扫描区域: $region ==="
awsrecon enum ec2 --region "$region" --output json > "ec2_$region.json"
done定期扫描#
#!/bin/bash
# 定期扫描脚本
INTERVAL=86400 # 每天扫描一次
OUTPUT_DIR="aws_recon_results"
mkdir -p "$OUTPUT_DIR"
while true; do
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
echo "$(date): 开始扫描"
# 扫描所有资源
awsrecon scan --all --output json > "$OUTPUT_DIR/full_scan_$TIMESTAMP.json"
# 检查变化
if [ -f "$OUTPUT_DIR/latest.json" ]; then
diff "$OUTPUT_DIR/latest.json" "$OUTPUT_DIR/full_scan_$TIMESTAMP.json" > "$OUTPUT_DIR/changes_$TIMESTAMP.txt"
fi
cp "$OUTPUT_DIR/full_scan_$TIMESTAMP.json" "$OUTPUT_DIR/latest.json"
echo "$(date): 扫描完成"
sleep "$INTERVAL"
done中上级使用#
高级分析#
权限提升检测#
#!/bin/bash
# 检测权限提升路径
awsrecon analyze iam --privilege-escalation
# 检查可写策略
awsrecon analyze iam --writable-policies
# 检查Lambda执行角色
awsrecon analyze iam --lambda-roles风险评估#
#!/bin/bash
# AWS账户风险评估
OUTPUT_FILE="risk_assessment.txt"
echo "=== AWS账户风险评估 ===" > "$OUTPUT_FILE"
echo "评估时间: $(date)" >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"
# 检查公开S3存储桶
echo "=== 公开S3存储桶 ===" >> "$OUTPUT_FILE"
awsrecon scan s3 --public-access >> "$OUTPUT_FILE" 2>&1
echo "" >> "$OUTPUT_FILE"
# 检查开放的安全组
echo "=== 开放安全组 ===" >> "$OUTPUT_FILE"
awsrecan scan ec2 --security-groups --open-ports >> "$OUTPUT_FILE" 2>&1
echo "" >> "$OUTPUT_FILE"
# 检查过期的访问密钥
echo "=== 过期的访问密钥 ===" >> "$OUTPUT_FILE"
awsrecon scan iam --expired-keys >> "$OUTPUT_FILE" 2>&1
echo "" >> "$OUTPUT_FILE"
# 检查未加密的资源
echo "=== 未加密的资源 ===" >> "$OUTPUT_FILE"
awsrecon scan ebs --unencrypted >> "$OUTPUT_FILE" 2>&1
echo "风险评估完成,结果已保存到 $OUTPUT_FILE"自动化侦察#
完整侦察脚本#
#!/bin/bash
# 完整AWS侦察脚本
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
OUTPUT_DIR="aws_recon_$ACCOUNT_ID"
mkdir -p "$OUTPUT_DIR"
echo "=== AWS账户侦察 ==="
echo "账户ID: $ACCOUNT_ID"
echo "输出目录: $OUTPUT_DIR"
# 1. 枚举EC2实例
echo "[1/10] 枚举EC2实例..."
awsrecon enum ec2 --output json > "$OUTPUT_DIR/ec2.json"
# 2. 枚举S3存储桶
echo "[2/10] 枚举S3存储桶..."
awsrecon enum s3 --output json > "$OUTPUT_DIR/s3.json"
# 3. 枚举RDS实例
echo "[3/10] 枚举RDS实例..."
awsrecon enum rds --output json > "$OUTPUT_DIR/rds.json"
# 4. 枚举Lambda函数
echo "[4/10] 枚举Lambda函数..."
awsrecon enum lambda --output json > "$OUTPUT_DIR/lambda.json"
# 5. 枚举IAM用户
echo "[5/10] 枚举IAM用户..."
awsrecon enum iam --users --output json > "$OUTPUT_DIR/iam_users.json"
# 6. 枚举IAM角色
echo "[6/10] 枚举IAM角色..."
awsrecon enum iam --roles --output json > "$OUTPUT_DIR/iam_roles.json"
# 7. 扫描安全组
echo "[7/10] 扫描安全组..."
awsrecon scan ec2 --security-groups --output json > "$OUTPUT_DIR/security_groups.json"
# 8. 检查S3权限
echo "[8/10] 检查S3权限..."
awsrecon scan s3 --acl --policy --output json > "$OUTPUT_DIR/s3_permissions.json"
# 9. 检查IAM策略
echo "[9/10] 检查IAM策略..."
awsrecon analyze iam --privileged --output json > "$OUTPUT_DIR/iam_privileged.json"
# 10. 生成汇总报告
echo "[10/10] 生成汇总报告..."
cat > "$OUTPUT_DIR/summary.txt" << EOF
AWS账户侦察汇总报告
====================
账户ID: $ACCOUNT_ID
侦察时间: $(date)
资源统计:
- EC2实例: $(jq length "$OUTPUT_DIR/ec2.json")
- S3存储桶: $(jq length "$OUTPUT_DIR/s3.json")
- RDS实例: $(jq length "$OUTPUT_DIR/rds.json")
- Lambda函数: $(jq length "$OUTPUT_DIR/lambda.json")
- IAM用户: $(jq length "$OUTPUT_DIR/iam_users.json")
- IAM角色: $(jq length "$OUTPUT_DIR/iam_roles.json")
EOF
echo "AWS侦察完成!所有结果已保存到 $OUTPUT_DIR 目录"高级使用#
云安全分析#
攻击面分析#
#!/usr/bin/env python3
import json
from collections import defaultdict
def analyze_aws_attack_surface(recon_results):
"""分析AWS攻击面"""
attack_surface = {
"public_endpoints": [],
"exposed_services": [],
"privilege_paths": [],
"data_exposure": []
}
# 分析公开的S3存储桶
for bucket in recon_results.get("s3", []):
if bucket.get("acl", {}).get("PublicAccessBlockConfiguration", {}).get("BlockPublicAcls") == False:
attack_surface["public_endpoints"].append({
"type": "s3",
"bucket": bucket["name"],
"issue": "公开访问未完全阻止"
})
# 分析开放的安全组
for sg in recon_results.get("security_groups", []):
for rule in sg.get("IpPermissions", []):
if rule.get("IpRanges") and any(ip.get("CidrIp") == "0.0.0.0/0" for ip in rule["IpRanges"]):
attack_surface["exposed_services"].append({
"type": "security_group",
"sg_id": sg["GroupId"],
"port": rule.get("FromPort", "N/A"),
"issue": "对0.0.0.0/0开放"
})
# 分析权限
for user in recon_results.get("iam_users", []):
for policy in user.get("AttachedManagedPolicies", []):
if "AdministratorAccess" in policy.get("PolicyName", ""):
attack_surface["privilege_paths"].append({
"type": "iam_user",
"user": user["UserName"],
"policy": policy["PolicyName"],
"issue": "具有管理员权限"
})
return attack_surface
# 使用示例
with open("aws_recon_results.json") as f:
results = json.load(f)
attack_surface = analyze_aws_attack_surface(results)
print(json.dumps(attack_surface, indent=2))漏洞检测#
#!/bin/bash
# AWS漏洞检测脚本
OUTPUT_FILE="vulnerability_scan.txt"
echo "=== AWS漏洞扫描报告 ===" > "$OUTPUT_FILE"
echo "扫描时间: $(date)" >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"
# 1. 检测公开的S3存储桶
echo "[1] 检测公开的S3存储桶..." >> "$OUTPUT_FILE"
awsrecon scan s3 --public-access 2>&1 >> "$OUTPUT_FILE" || true
echo "" >> "$OUTPUT_FILE"
# 2. 检测开放SSH的安全组
echo "[2] 检测开放SSH的安全组..." >> "$OUTPUT_FILE"
aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=22" "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[*].{ID:GroupId,Name:GroupName}" 2>&1 >> "$OUTPUT_FILE" || true
echo "" >> "$OUTPUT_FILE"
# 3. 检测开放RDP的安全组
echo "[3] 检测开放RDP的安全组..." >> "$OUTPUT_FILE"
aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=3389" "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[*].{ID:GroupId,Name:GroupName}" 2>&1 >> "$OUTPUT_FILE" || true
echo "" >> "$OUTPUT_FILE"
# 4. 检测未加密的EBS卷
echo "[4] 检测未加密的EBS卷..." >> "$OUTPUT_FILE"
aws ec2 describe-volumes --filters "Name=encrypted,Values=false" --query "Volumes[*].VolumeId" 2>&1 >> "$OUTPUT_FILE" || true
echo "" >> "$OUTPUT_FILE"
# 5. 检测公开的S3存储桶策略
echo "[5] 检测公开的S3存储桶策略..." >> "$OUTPUT_FILE"
aws s3api list-buckets --query "Buckets[*].Name" --output text | tr '\t' '\n' | while read bucket; do
policy=$(aws s3api get-bucket-policy --bucket "$bucket" --query Policy --output text 2>/dev/null)
if [ -n "$policy" ]; then
echo "存储桶: $bucket" >> "$OUTPUT_FILE"
echo "$policy" >> "$OUTPUT_FILE"
fi
done
echo "" >> "$OUTPUT_FILE"
# 6. 检测公开的快照
echo "[6] 检测公开的快照..." >> "$OUTPUT_FILE"
aws ec2 describe-snapshots --OwnerIds self --query "Snapshots[*].SnapshotId" 2>&1 >> "$OUTPUT_FILE" || true
echo "" >> "$OUTPUT_FILE"
echo "漏洞扫描完成!"合规性检查#
AWS CIS基准检查#
#!/bin/bash
# AWS CIS基准检查脚本
CIS_CHECKS=(
"1.1: 确保未创建根访问密钥"
"1.2: 确保MFA已启用"
"1.3: 确保密码策略已配置"
"1.4: 确保IAM用户不使用硬编码凭证"
"2.1: 确保CloudTrail已启用"
"2.2: 确保S3存储桶日志已启用"
"2.3: 确保VPC流日志已启用"
"3.1: 确保安全组未开放SSH"
"3.2: 确保安全组未开放RDP"
"3.3: 确保没有公开的S3存储桶"
)
OUTPUT_FILE="cis_compliance.txt"
echo "=== AWS CIS基准合规性检查 ===" > "$OUTPUT_FILE"
echo "检查时间: $(date)" >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"
for check in "${CIS_CHECKS[@]}"; do
echo "检查: $check" >> "$OUTPUT_FILE"
# 这里可以添加具体的检查逻辑
echo "状态: 待实现" >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"
done
echo "合规性检查完成!"大师级使用#
威胁建模#
攻击路径分析#
#!/usr/bin/env python3
import json
from collections import defaultdict
class AWSAttackPathAnalyzer:
def __init__(self, recon_data):
self.data = recon_data
self.graph = defaultdict(list)
def build_graph(self):
"""构建攻击图"""
# 从IAM用户开始
for user in self.data.get("iam_users", []):
self.graph["user:" + user["UserName"]] = []
# 添加访问密钥
for key in user.get("AccessKeys", []):
self.graph["user:" + user["UserName"]].append(
f"key:{key['AccessKeyId']}"
)
# 从EC2实例
for instance in self.data.get("ec2", []):
self.graph["ec2:" + instance["InstanceId"]] = []
# 添加安全组
for sg in instance.get("SecurityGroups", []):
self.graph["ec2:" + instance["InstanceId"]].append(
f"sg:{sg['GroupId']}"
)
# 从S3存储桶
for bucket in self.data.get("s3", []):
self.graph["s3:" + bucket["name"]] = []
return self.graph
def find_privilege_escalation(self):
"""查找权限提升路径"""
escalation_paths = []
# 检查具有IAM写入权限的用户
for user in self.data.get("iam_users", []):
for policy in user.get("AttachedManagedPolicies", []):
if "iam:AttachUserPolicy" in policy.get("PolicyName", "") or \
"iam:PutUserPolicy" in policy.get("PolicyName", ""):
escalation_paths.append({
"user": user["UserName"],
"path": "可以直接附加管理员策略",
"risk": "高"
})
return escalation_paths
def find_data_exposure(self):
"""查找数据暴露路径"""
exposure_paths = []
# 检查公开的S3存储桶
for bucket in self.data.get("s3", []):
if bucket.get("PublicAccessBlockConfiguration", {}).get("BlockPublicAcls") == False:
exposure_paths.append({
"bucket": bucket["name"],
"issue": "S3存储桶可能公开访问",
"risk": "高"
})
# 检查开放的安全组
for sg in self.data.get("security_groups", []):
for rule in sg.get("IpPermissions", []):
if rule.get("IpRanges") and any(ip.get("CidrIp") == "0.0.0.0/0" for ip in rule["IpRanges"]):
if rule.get("FromPort") in [22, 3389, 80, 443]:
exposure_paths.append({
"security_group": sg["GroupId"],
"port": rule.get("FromPort"),
"issue": f"端口{rule.get('FromPort')}对公网开放",
"risk": "中"
})
return exposure_paths
# 使用示例
with open("aws_recon_results.json") as f:
data = json.load(f)
analyzer = AWSAttackPathAnalyzer(data)
graph = analyzer.build_graph()
escalation = analyzer.find_privilege_escalation()
exposure = analyzer.find_data_exposure()
print("=== 权限提升路径 ===")
for path in escalation:
print(json.dumps(path, indent=2))
print("\n=== 数据暴露路径 ===")
for path in exposure:
print(json.dumps(path, indent=2))持续监控#
实时监控脚本#
#!/bin/bash
# AWS资源实时监控脚本
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
OUTPUT_DIR="aws_monitoring"
mkdir -p "$OUTPUT_DIR"
INTERVAL=300 # 每5分钟检查一次
while true; do
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
LOG_FILE="$OUTPUT_DIR/monitor_$TIMESTAMP.log"
echo "$(date): 开始监控" > "$LOG_FILE"
# 监控EC2实例状态
echo "=== EC2实例状态 ===" >> "$LOG_FILE"
aws ec2 describe-instances --query "Reservations[*].Instances[*].{ID:InstanceId,State:State.Name,IP:PublicIpAddress}" >> "$LOG_FILE"
# 监控安全组变更
echo "=== 安全组变更 ===" >> "$LOG_FILE"
aws ec2 describe-security-groups --query "SecurityGroups[*].{ID:GroupId,Name:GroupName}" >> "$LOG_FILE"
# 监控S3存储桶
echo "=== S3存储桶 ===" >> "$LOG_FILE"
aws s3api list-buckets --query "Buckets[*].Name" >> "$LOG_FILE"
# 监控IAM变更
echo "=== IAM用户 ===" >> "$LOG_FILE"
aws iam list-users --query "Users[*].UserName" >> "$LOG_FILE"
# 检查异常
echo "=== 异常检测 ===" >> "$LOG_FILE"
# 检测新的公开S3存储桶
aws s3api list-buckets --query "Buckets[*].Name" --output text | tr '\t' '\n' | while read bucket; do
block_config=$(aws s3api get-public-access-block --bucket "$bucket" --query PublicAccessBlockConfiguration 2>/dev/null)
if [ -n "$block_config" ]; then
if echo "$block_config" | grep -q "false"; then
echo "警告: 存储桶 $bucket 可能公开访问" >> "$LOG_FILE"
fi
fi
done
# 检测开放的高危端口
aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=22" "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[*].GroupId" --output text | tr '\t' '\n' | while read sg; do
if [ -n "$sg" ]; then
echo "警告: 安全组 $sg 开放SSH到公网" >> "$LOG_FILE"
fi
done
echo "$(date): 监控完成" >> "$LOG_FILE"
sleep "$INTERVAL"
done实战案例#
案例1: AWS账户安全评估#
场景描述#
对AWS账户进行全面的安全评估,识别潜在的安全风险和配置问题。
实施步骤#
#!/bin/bash
# AWS安全评估脚本
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
OUTPUT_DIR="aws_security_assessment_$ACCOUNT_ID"
mkdir -p "$OUTPUT_DIR"
echo "=== AWS安全评估 ==="
echo "账户ID: $ACCOUNT_ID"
echo "输出目录: $OUTPUT_DIR"
echo ""
# 1. 身份和访问管理评估
echo "[1/8] 评估IAM配置..."
cat > "$OUTPUT_DIR/iam_assessment.sh" << 'EOF'
#!/bin/bash
echo "=== IAM安全评估 ==="
# 检查根账户
echo "根账户状态:"
aws iam get-account-summary | jq .
# 检查MFA
echo "MFA状态:"
aws iam list-virtual-mfa-devices
# 检查访问密钥
echo "访问密钥检查:"
aws iam list-access-keys
# 检查未使用的凭证
echo "未使用的凭证:"
for user in $(aws iam list-users --query "Users[*].UserName" --output text); do
last_used=$(aws iam get-access-key-last-used --access-key-id $(aws iam list-access-keys --user-name "$user" --query "AccessKeyMetadata[0].AccessKeyId" --output text) 2>/dev/null)
if [ -n "$last_used" ]; then
echo "用户 $user: $last_used"
fi
done
EOF
chmod +x "$OUTPUT_DIR/iam_assessment.sh"
"$OUTPUT_DIR/iam_assessment.sh" > "$OUTPUT_DIR/iam_report.txt" 2>&1
# 2. 网络安全评估
echo "[2/8] 评估网络安全..."
cat > "$OUTPUT_DIR/network_assessment.sh" << 'EOF'
#!/bin/bash
echo "=== 网络安全评估 ==="
# 检查安全组
echo "安全组:"
aws ec2 describe-security-groups --query "SecurityGroups[*].{ID:GroupId,Name:GroupName}"
# 检查开放端口
echo "开放SSH的安全组:"
aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=22" "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[*].{ID:GroupId,Name:GroupName}"
# 检查开放RDP的安全组
echo "开放RDP的安全组:"
aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=3389" "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[*].{ID:GroupId,Name:GroupName}"
# 检查VPC
echo "VPC列表:"
aws ec2 describe-vpcs --query "Vpcs[*].VpcId"
# 检查子网
echo "子网列表:"
aws ec2 describe-subnets --query "Subnets[*].{ID:SubnetId,VPC:VpcId,CIDR:CidrBlock}"
EOF
chmod +x "$OUTPUT_DIR/network_assessment.sh"
"$OUTPUT_DIR/network_assessment.sh" > "$OUTPUT_DIR/network_report.txt" 2>&1
# 3. 存储安全评估
echo "[3/8] 评估存储安全..."
cat > "$OUTPUT_DIR/storage_assessment.sh" << 'EOF'
#!/bin/bash
echo "=== 存储安全评估 ==="
# 检查S3存储桶
echo "S3存储桶列表:"
aws s3api list-buckets --query "Buckets[*].Name"
# 检查公开访问
echo "公开访问设置:"
for bucket in $(aws s3api list-buckets --query "Buckets[*].Name" --output text); do
echo "存储桶: $bucket"
aws s3api get-public-access-block --bucket "$bucket" 2>/dev/null || echo "无公开访问限制"
done
# 检查EBS加密
echo "未加密的EBS卷:"
aws ec2 describe-volumes --filters "Name=encrypted,Values=false" --query "Volumes[*].VolumeId"
# 检查RDS加密
echo "RDS加密状态:"
aws rds describe-db-instances --query "DBInstances[*].{ID:DBInstanceIdentifier,Encrypted:StorageEncrypted}"
EOF
chmod +x "$OUTPUT_DIR/storage_assessment.sh"
"$OUTPUT_DIR/storage_assessment.sh" > "$OUTPUT_DIR/storage_report.txt" 2>&1
# 4. 日志和监控评估
echo "[4/8] 评估日志和监控..."
cat > "$OUTPUT_DIR/logging_assessment.sh" << 'EOF'
#!/bin/bash
echo "=== 日志和监控评估 ==="
# 检查CloudTrail
echo "CloudTrail:"
aws cloudtrail describe-trails --query "trailList[*].{Name:Name,Bucket:S3BucketName,Status:IsMultiRegionTrail}"
# 检查Config
echo "Config状态:"
aws configservice describe-configuration-recorders
# 检查GuardDuty
echo "GuardDuty状态:"
aws guardduty list-detectors 2>/dev/null || echo "GuardDuty未启用"
EOF
chmod +x "$OUTPUT_DIR/logging_assessment.sh"
"$OUTPUT_DIR/logging_assessment.sh" > "$OUTPUT_DIR/logging_report.txt" 2>&1
# 5. 计算资源评估
echo "[5/8] 评估计算资源..."
cat > "$OUTPUT_DIR/compute_assessment.sh" << 'EOF'
#!/bin/bash
echo "=== 计算资源评估 ==="
# EC2实例
echo "EC2实例:"
aws ec2 describe-instances --query "Reservations[*].Instances[*].{ID:InstanceId,State:State.Name,Type:InstanceType,IP:PublicIpAddress}"
# Lambda函数
echo "Lambda函数:"
aws lambda list-functions --query "Functions[*].{Name:FunctionName,Runtime:Runtime}"
# ECS集群
echo "ECS集群:"
aws ecs list-clusters
EOF
chmod +x "$OUTPUT_DIR/compute_assessment.sh"
"$OUTPUT_DIR/compute_assessment.sh" > "$OUTPUT_DIR/compute_report.txt" 2>&1
# 6. 数据库评估
echo "[6/8] 评估数据库..."
cat > "$OUTPUT_DIR/database_assessment.sh" << 'EOF'
#!/bin/bash
echo "=== 数据库评估 ==="
# RDS实例
echo "RDS实例:"
aws rds describe-db-instances --query "DBInstances[*].{ID:DBInstanceIdentifier,Engine:Engine,Status:DBInstanceStatus}"
# DynamoDB表
echo "DynamoDB表:"
aws dynamodb list-tables --query "TableNames"
EOF
chmod +x "$OUTPUT_DIR/database_assessment.sh"
"$OUTPUT_DIR/database_assessment.sh" > "$OUTPUT_DIR/database_report.txt" 2>&1
# 7. 生成综合报告
echo "[7/8] 生成综合报告..."
cat > "$OUTPUT_DIR/final_report.txt" << EOF
AWS安全评估综合报告
====================
账户ID: $ACCOUNT_ID
评估时间: $(date)
1. IAM安全
2. 网络安全
3. 存储安全
4. 日志和监控
5. 计算资源
6. 数据库
详细报告请查看各分类报告文件。
EOF
# 8. 生成HTML报告
echo "[8/8] 生成HTML报告..."
cat > "$OUTPUT_DIR/report.html" << EOF
<!DOCTYPE html>
<html>
<head>
<title>AWS安全评估报告</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
h1 { color: #333; }
h2 { color: #666; }
.section { margin: 20px 0; padding: 10px; border: 1px solid #ddd; }
.warning { color: orange; }
.danger { color: red; }
.safe { color: green; }
</style>
</head>
<body>
<h1>AWS安全评估报告</h1>
<p>账户ID: $ACCOUNT_ID</p>
<p>评估时间: $(date)</p>
<div class="section">
<h2>IAM安全</h2>
<p>详细报告: iam_report.txt</p>
</div>
<div class="section">
<h2>网络安全</h2>
<p>详细报告: network_report.txt</p>
</div>
<div class="section">
<h2>存储安全</h2>
<p>详细报告: storage_report.txt</p>
</div>
<div class="section">
<h2>日志和监控</h2>
<p>详细报告: logging_report.txt</p>
</div>
<div class="section">
<h2>计算资源</h2>
<p>详细报告: compute_report.txt</p>
</div>
<div class="section">
<h2>数据库</h2>
<p>详细报告: database_report.txt</p>
</div>
</body>
</html>
EOF
echo ""
echo "AWS安全评估完成!所有结果已保存到 $OUTPUT_DIR 目录"
echo ""
echo "报告文件:"
ls -la "$OUTPUT_DIR"案例2: 云环境渗透测试#
场景描述#
在授权的云环境中进行渗透测试,识别安全漏洞和攻击路径。
实施步骤#
#!/bin/bash
# 云环境渗透测试脚本
OUTPUT_DIR="pentest_results"
mkdir -p "$OUTPUT_DIR"
echo "=== 云环境渗透测试 ==="
echo ""
# 1. 信息收集阶段
echo "[1/5] 信息收集..."
# 收集账户信息
aws sts get-caller-identity > "$OUTPUT_DIR/identity.json"
# 收集区域信息
aws ec2 describe-regions > "$OUTPUT_DIR/regions.json"
# 2. 资产发现阶段
echo "[2/5] 资产发现..."
# 发现EC2实例
aws ec2 describe-instances > "$OUTPUT_DIR/ec2_instances.json"
# 发现Lambda函数
aws lambda list-functions > "$OUTPUT_DIR/lambda_functions.json"
# 发现S3存储桶
aws s3api list-buckets > "$OUTPUT_DIR/s3_buckets.json"
# 3. 漏洞识别阶段
echo "[3/5] 漏洞识别..."
# 检查公开S3存储桶
cat > "$OUTPUT_DIR/s3_vulns.txt" << 'EOF'
公开S3存储桶检查:
EOF
for bucket in $(aws s3api list-buckets --query "Buckets[*].Name" --output text); do
block_config=$(aws s3api get-public-access-block --bucket "$bucket" 2>/dev/null)
if [ -n "$block_config" ]; then
if echo "$block_config" | grep -q "false"; then
echo "警告: 存储桶 $bucket 可能公开访问" >> "$OUTPUT_DIR/s3_vulns.txt"
fi
fi
done
# 检查开放的安全组
cat > "$OUTPUT_DIR/sg_vulns.txt" << 'EOF'
开放安全组检查:
EOF
aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=22" "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[*].GroupId" >> "$OUTPUT_DIR/sg_vulns.txt"
# 4. 权限提升尝试
echo "[4/5] 权限提升..."
# 检查当前权限
cat > "$OUTPUT_DIR/current_permissions.txt" << 'EOF'
当前权限检查:
EOF
aws iam get-account-authorization-details > "$OUTPUT_DIR/iam_details.json"
# 5. 生成测试报告
echo "[5/5] 生成测试报告..."
cat > "$OUTPUT_DIR/pentest_report.txt" << EOF
云环境渗透测试报告
==================
测试时间: $(date)
1. 收集的账户信息
2. 发现的资产
3. 识别的漏洞
4. 权限提升路径
5. 建议修复措施
详细结果请查看各个JSON和TXT文件。
EOF
echo ""
echo "渗透测试完成!所有结果已保存到 $OUTPUT_DIR 目录"总结#
AWSRecon是一款功能强大的AWS云平台侦察工具,为云安全评估和渗透测试提供了全面的支持。
核心优势#
- 全面覆盖: 支持几乎所有AWS服务的侦察
- 自动化: 自动枚举和分析AWS资源
- 漏洞检测: 内置多种漏洞检测规则
- 报告生成: 支持多种输出格式
- 易于使用: 简单的命令行界面
应用场景#
- 云安全评估和渗透测试
- AWS账户资产发现
- 安全配置审计
- 合规性检查
- 威胁情报收集
最佳实践#
- 权限控制: 使用最小权限原则运行侦察
- 结果保护: 妥善保管侦察结果,避免泄露敏感信息
- 定期扫描: 定期进行安全扫描,及时发现新风险
- 结果验证: 对发现的问题进行验证,避免误报
- 持续监控: 建立持续监控机制,及时响应安全事件
注意事项#
- 仅在获得授权的账户上运行
- 遵守AWS服务条款和使用政策
- 注意API调用限制和成本
- 妥善处理敏感信息
- 定期更新工具以获取最新功能