[short_descr]
Ghostbuster helps eliminate dangling AWS Elastic IPs by analyzing resources across all your accounts, including Route53 DNS records and public IPs from Network Interfaces. Detect subdomains pointing to IPs you no longer own with a complete picture of your DNS records and owned IPs.
[/short_descr]
Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts.
Ghostbuster obtains all the DNS records present in all of your AWS accounts (Route53), and can optionally take in records via CSV input, or via Cloudflare.
After these records are collected, Ghostbuster iterates through all of your AWS Elastic IPs and Network Interface Public IPs and collects this data.
By having a complete picture of the DNS records (from route53, file input or cloudflare) and having a complete picture of the AWS IPs owned by your organization, this tool can detect subdomains that are pointing to dangling elastic IPs (IPs you no longer own).
The problem
When you are deploying infrastructure to AWS, you may spin up EC2 instances which have an IP associated with them. When you create DNS records pointing to these IPs, but forget to remove the DNS records after the EC2 instance has been given a new IP or destroyed, you are susceptible to subdomain takeover attacks.
There has been a great amount of research done on elastic IP takeovers, where it is possible for attackers to continually claim elastic IPs until they obtain an IP associated with a subdomain of the company they are targeting.
While AWS frequently bans accounts that are attempting to perform this attack pattern, no long term fix has been released by AWS.
The impact of dangling elastic IP subdomain takeover attacks are more serious than a typical subdomain takeover where you can only control the content being served. With dangling elastic IP takeovers, it is possible for an attacker to do the following:
Claim SSL certificates for the subdomain
Listen for traffic on all ports (potentially discovering sensitive information still being sent to the subdomain)
Run server-side scripts with the ability to steal HTTPOnly cookies, typically leading to a one-click account takeover attack when cookies are scoped to *.domain.com
Project Features
Dynamically iterates through each AWS profile configured in .aws/config
Pulls A records from AWS Route53
Pulls A records from Cloudflare (optional)
Pulls A records from CSV input (optional)
Iterate through all regions, a single region, or a comma delimitted list of regions
Obtains all Elastic IPs associated with all of your AWS accounts
Obtains all Public IPs associated with all of your AWS accounts
Cross checks the DNS records, with IPs owned by your organization to detect potential takeovers
Slack Webhook support to send notifications of takeovers
Important:
In order for this tool to be effective, it must have a complete picture of your AWS environment. If it does not have a complete picture, it will lead to false positive findings.
Installing Ghostbuster
Installing Ghostbuster is as simple as running: pip install ghostbuster. The CLI tool will then be accessible via the ghostbuster command.
This requires a Python 3.x environment.
Using Ghostbuster
❯ ghostbuster scan aws --help
Usage: ghostbuster scan aws [OPTIONS]
Scan for dangling elastic IPs inside your AWS accounts.
Options:
--profile TEXT Specify a specific AWS profile to run ghostbuster
on.
--skipascii Skip printing the ASCII art when starting up
Ghostbuster.
--json Only return a JSON object.
--slackwebhook TEXT Specify a Slack webhook URL to send notifications
about potential takeovers.
--records PATH Manually specify DNS records to check against.
Ghostbuster will check these IPs after checking
retrieved DNS records. See records.csv for an
example.
--cloudflaretoken TEXT Pull DNS records from Cloudflare, provide a CF API
token.
--allregions Run on all regions.
--exclude TEXT Comma delimited list of profile names to exclude.
--regions TEXT Comma delimited list of regions to run on.
--help Show this message and exit.
Example Commands
Run Ghostbuster with access to Cloudflare DNS records, send notifications to a Slack webhook, iterate through every AWS profile configured in .aws/config or .aws/credentials for all AWS regions
[homepage] https://github.com/assetnote/ghostbuster [/homepage]
[tags] dns, aws [/tags]
[short_descr] Ghostbuster helps eliminate dangling AWS Elastic IPs by analyzing resources across all your accounts, including Route53 DNS records and public IPs from Network Interfaces. Detect subdomains pointing to IPs you no longer own with a complete picture of your DNS records and owned IPs. [/short_descr]
[long_descr]
Table of Contents
Ghostbuster
Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts.
Ghostbuster obtains all the DNS records present in all of your AWS accounts (Route53), and can optionally take in records via CSV input, or via Cloudflare.
After these records are collected, Ghostbuster iterates through all of your AWS Elastic IPs and Network Interface Public IPs and collects this data.
By having a complete picture of the DNS records (from route53, file input or cloudflare) and having a complete picture of the AWS IPs owned by your organization, this tool can detect subdomains that are pointing to dangling elastic IPs (IPs you no longer own).
The problem
When you are deploying infrastructure to AWS, you may spin up EC2 instances which have an IP associated with them. When you create DNS records pointing to these IPs, but forget to remove the DNS records after the EC2 instance has been given a new IP or destroyed, you are susceptible to subdomain takeover attacks.
There has been a great amount of research done on elastic IP takeovers, where it is possible for attackers to continually claim elastic IPs until they obtain an IP associated with a subdomain of the company they are targeting.
While AWS frequently bans accounts that are attempting to perform this attack pattern, no long term fix has been released by AWS.
The impact of dangling elastic IP subdomain takeover attacks are more serious than a typical subdomain takeover where you can only control the content being served. With dangling elastic IP takeovers, it is possible for an attacker to do the following:
*.domain.com
Project Features
.aws/config
Important:
In order for this tool to be effective, it must have a complete picture of your AWS environment. If it does not have a complete picture, it will lead to false positive findings.
Installing Ghostbuster
Installing Ghostbuster is as simple as running:
pip install ghostbuster
. The CLI tool will then be accessible via theghostbuster
command.This requires a Python 3.x environment.
Using Ghostbuster
Example Commands
Run Ghostbuster with access to Cloudflare DNS records, send notifications to a Slack webhook, iterate through every AWS profile configured in
.aws/config or .aws/credentials
for all AWS regionsRun Ghostbuster with a manually input list of subdomain A records (see
records.csv
in this repo for example file):You can specify specific regions using
--regions
set to a comma delimited list of regions i.e.us-east-1,us-west-1
.[/long_descr]
[image] [/image]