Open kyrylo-hulak opened 2 weeks ago
Hi,
If you don't provide keys then credentials are sourced according to the docs here, so AWS_PROFILE and any other AWS environment variable should be respected: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials
Are you trying to run dnsReaper on an EC2 instance with an IAM role attached? If so, it looks like you'll need to increase the hop limit to allow the docker container to fetch credentials from the metadata endpoint: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-existing-instances.html#modify-PUT-response-hop-limit
That's strange, the command you sent looks fine.
Could you try mounting the .aws directory to somewhere else, e.g. /aws, and set the AWS_CONFIG_FILE and/or AWS_SHARED_CREDENTIALS_FILE environment variables?
I can't think of anything else right now, if that doesn't work I'll need to take a deeper look.
Hi @imnotbrandon,
If you don't provide keys then credentials are sourced according to the docs here, so AWS_PROFILE and any other AWS environment variable should be respected: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials
Yep, it is mentioned in the README. So that's why I decided to try it locally first. As you saw above, I have tried to pass a directory that contains the AWS credentials and config files. However, it errored, saying that it can't find a profile.
Are you trying to run dnsReaper on an EC2 instance with an IAM role attached? I would like to run it on a Fargate service and attach an IAM role there to query Route53. But I wanted to see it working locally first.
Not sure why the container doesn't see the configuration files then. Thank you!
Hi,
I've just tested it locally and it's working as expected for me.
➜ ~ docker run --rm -it -v ~/.aws/:/root/.aws:ro -e AWS_PROFILE="punksecurity" punksecurity/dnsreaper aws
____ __ _____ _ __
/ __ \__ ______ / /__/ ___/___ _______ _______(_) /___ __
/ /_/ / / / / __ \/ //_/\__ \/ _ \/ ___/ / / / ___/ / __/ / / /
/ ____/ /_/ / / / / ,< ___/ / __/ /__/ /_/ / / / / /_/ /_/ /
/_/ \__,_/_/ /_/_/|_|/____/\___/\___/\__,_/_/ /_/\__/\__, /
PRESENTS /____/
DNS Reaper ☠️
Scan all your DNS records for subdomain takeovers!
Using IAM identity: arn:aws:sts::REDACTED:assumed-role/AWSReservedSSO_AWSAdministratorAccess_2440f09507fe4bd6/REDACTED
Got 4 records from aws
Testing with 61 signatures
We found 2 takeovers ☠️
-- DOMAIN 'vulnerable.punksecurity.io' :: SIGNATURE '_generic_cname_found_but_unregistered' :: CONFIDENCE 'CONFIRMED'
CNAME: saafedfewfewfew.com
-- DOMAIN 'vulnerable.punksecurity.io' :: SIGNATURE '_generic_cname_found_doesnt_resolve' :: CONFIDENCE 'POTENTIAL'
CNAME: saafedfewfewfew.com
⏱️ We completed in 3.56 seconds
...Thats all folks!
I think that the wrong profile name is being used or there's an issue with your .aws/config or .aws/credentials files.
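A quick local check for the "can't find a profile" symptom discussed above, as an added example that is not part of the thread or of dnsReaper itself: it looks for the profile header in the files that would be mounted into the container, then runs the container with the explicit AWS_CONFIG_FILE / AWS_SHARED_CREDENTIALS_FILE variables suggested earlier. The profile name, mount path /aws and the sample file contents are assumptions for illustration.

```shell
#!/bin/sh
# Return 0 when PROFILE is defined in the config or credentials file, 1 otherwise.
# boto3 names sections "[profile NAME]" in config (except "[default]")
# and "[NAME]" in credentials, which is a common source of "profile not found".
check_aws_profile() {
  profile="$1"
  config="${2:-$HOME/.aws/config}"
  creds="${3:-$HOME/.aws/credentials}"
  if [ "$profile" = "default" ]; then
    cfg_hdr='[default]'
  else
    cfg_hdr="[profile $profile]"
  fi
  found=1
  if [ -r "$config" ] && grep -Fxq "$cfg_hdr" "$config"; then
    echo "config: found '$cfg_hdr' in $config"
    found=0
  fi
  if [ -r "$creds" ] && grep -Fxq "[$profile]" "$creds"; then
    echo "credentials: found '[$profile]' in $creds"
    found=0
  fi
  [ "$found" -eq 0 ] || echo "profile '$profile' not found in $config or $creds"
  return "$found"
}

# Mount the directory read-only at an assumed path (/aws) and tell boto3 where
# the files are, instead of relying on the default /root/.aws location.
run_dnsreaper() {
  profile="$1"
  awsdir="${2:-$HOME/.aws}"
  check_aws_profile "$profile" "$awsdir/config" "$awsdir/credentials" || return 1
  docker run --rm -it -v "$awsdir:/aws:ro" \
    -e AWS_PROFILE="$profile" \
    -e AWS_CONFIG_FILE=/aws/config \
    -e AWS_SHARED_CREDENTIALS_FILE=/aws/credentials \
    punksecurity/dnsreaper aws
}

# Constructed sample files so the check can be exercised offline.
demo_dir=$(mktemp -d)
printf '[default]\nregion = eu-west-1\n\n[profile punksecurity]\nregion = eu-west-1\n' > "$demo_dir/config"
printf '[punksecurity]\naws_access_key_id = AKIAEXAMPLE\naws_secret_access_key = EXAMPLE\n' > "$demo_dir/credentials"
check_aws_profile punksecurity "$demo_dir/config" "$demo_dir/credentials"
check_aws_profile typo-profile "$demo_dir/config" "$demo_dir/credentials" || true
```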
Hi @imnotbrandon!
I am sorry for the delayed answer! I appreciate your replies!
I think that's probably due to the fact that I have been running docker via minikube to overcome restrictions.
However, minikube has its own nuances for mounting volumes. It should be done through minikube mount (https://minikube.sigs.k8s.io/docs/handbook/mount/).
I wasn't able to use that yet because of a lack of time. Once I have tested it out, I will publish my findings.
Thank you!
Hello Tech,
First of all, I wanted to thank you for such a great tool! I wanted to ask if you have ever thought about enhancing the AWS provider to accept a specific profile or IAM role instead of AWS keys. The latter option is inconvenient as it demands additional maintenance of those access keys, e.g. their rotation.
I have tried to pass it through the -e variable, like AWS_PROFILE, as well as mounting the local ~/.aws/ into the punksecurity/dnsreaper container. But it didn't work out. It returns an error. Am I doing something wrong? I would appreciate your assistance on that. Thank you very much!