Passpie is a command line tool to manage passwords from the terminal with a colorful and configurable interface. Use a master passphrase to decrypt login credentials, copy passwords to the clipboard, synchronize with a git repository, check the state of your passwords, and more. Password files are encrypted using GnuPG and saved into YAML text files. Passpie supports Linux, OSX and Windows.

What does it look like?

Here is an example of a simple Passpie session:

    passpie init
    passpie add foo@example.com --random
    passpie add bar@example.com --pattern "[0-9]{5}[a-z]{5}"
    passpie update foo@example.com --comment "Hello"
    passpie
    passpie copy foo@example.com

Outputs:

    ===========  =======  ==========  =========
    Name         Login    Password    Comment
    ===========  =======  ==========  =========
    example.com  bar      ********
    example.com  foo      ********    Hello
    ===========  =======  ==========  =========
    Password copied to clipboard

Check an example remote passpie database: https://github.com/marcwebbie/passpiedb

Install

    pip install passpie

Or if you are on a Mac, install via Homebrew:

    brew install passpie

Dependencies

Passpie depends on GnuPG for encryption.

Commands

    Usage: passpie [OPTIONS] COMMAND [ARGS]...

    Options:
      -D, --database TEXT  Database path or url to remote repository
      --autopull TEXT      Autopull changes from remote repository
      --autopush TEXT      Autopush changes to remote repository
      --config PATH        Path to configuration file
      -v, --verbose        Activate verbose output
      --version            Show the version and exit.
      --help               Show this message and exit.

    Commands:
      add       Add new credential to database
      complete  Generate completion scripts for shells
      config    Show current configuration for shell
      copy      Copy credential password to clipboard/stdout
      export    Export credentials in plain text
      import    Import credentials from path
      init      Initialize new passpie database
      list      Print credential as a table
      log       Shows passpie database changes history
      purge     Remove all credentials from database
      remove    Remove credential
      reset     Renew passpie database and re-encrypt...
      search    Search credentials by regular expressions
      status    Diagnose database for improvements
      update    Update credential

Learn more

Gitter: https://gitter.im/marcwebbie/passpie
Documentation: http://passpie.readthedocs.org
FAQ: http://passpie.readthedocs.org/en/latest/faq.html

Download Passpie

PasteHunter is a Python 3 application designed to query a collection of sites that host publicly pasted data. For every paste it finds, it scans the raw contents against a series of Yara rules, looking for information that can be used by an organisation or a researcher.

For setup instructions please see the official documentation: https://pastehunter.readthedocs.io/en/latest/installation.html

Supported inputs

PasteHunter currently has support for the following sites:
  - pastebin.com
  - gist.github.com
  - slexy.org
  - stackexchange (there are about 176 sites!)

Supported outputs

PasteHunter supports several output modules:
  - dump to an Elasticsearch DB (default)
  - email alerts (SMTP)
  - Slack channel notifications
  - dump to a JSON file
  - dump to a CSV file
  - send to syslog

For examples of data discovered using PasteHunter check out my posts: https://techanarchy.net/blog/hunting-pastebin-with-pastehunter and https://techanarchy.net/blog/pastehunter-the-results

Download PasteHunter
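The following is an added illustration for the PasteHunter section above, not PasteHunter's own code: it shows what "scan the raw contents of each paste against rules and emit a structured hit" looks like end to end. PasteHunter matches real Yara rules; the regex rules, the paste IDs and the paste bodies below are constructed for this example so that it runs offline.

```python
"""Added illustration for the PasteHunter section (not PasteHunter's own code):
what "scan raw paste contents against rules and emit a structured hit" looks
like.  PasteHunter matches real Yara rules; the regex rules, paste IDs and paste
bodies below are constructed for this example so it runs offline."""
import json
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    pattern: "re.Pattern"
    description: str


# Constructed rules in the spirit of what a paste hunter looks for.
RULES = [
    Rule("aws_access_key", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
         "AWS access key ID"),
    Rule("private_key_block",
         re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
         "PEM private key header"),
    Rule("email_password_dump",
         re.compile(r"^[\w.+-]+@[\w-]+\.[\w.]+:\S+$", re.MULTILINE),
         "email:password combo lines"),
    Rule("internal_hostname",
         re.compile(r"\b[\w-]+\.(?:corp|internal|lan)\b", re.IGNORECASE),
         "hostname on a private-looking domain"),
]


def redact(secret: str) -> str:
    """Keep only the edges so an alert does not re-leak what it found."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_paste(paste_id: str, source: str, raw: str, min_combo_lines: int = 3) -> dict:
    """Run every rule over one paste and return a hit record.  A paste with no
    matches has an empty 'matches' list so the caller can discard it."""
    matches = []
    for rule in RULES:
        hits = [m.group(0) for m in rule.pattern.finditer(raw)]
        if not hits:
            continue
        # One email:password line is usually noise; a credential dump has many.
        if rule.name == "email_password_dump" and len(hits) < min_combo_lines:
            continue
        matches.append({
            "rule": rule.name,
            "description": rule.description,
            "count": len(hits),
            "sample": redact(hits[0]),
        })
    return {"paste_id": paste_id, "source": source, "size": len(raw), "matches": matches}


# Constructed sample pastes (source site, body); none of this is real data.
SAMPLE_PASTES = {
    "abc123": ("pastebin.com",
               "config backup\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\nhost = db01.corp\n"),
    "def456": ("gist.github.com",
               "alice@example.com:hunter2\nbob@example.com:passw0rd\ncarol@example.com:letmein\n"),
    "ghi789": ("slexy.org", "hello world, nothing to see here\n"),
}


def scan_all(pastes=SAMPLE_PASTES) -> list:
    """Scan every paste and keep only those that triggered at least one rule."""
    results = [scan_paste(pid, src, raw) for pid, (src, raw) in pastes.items()]
    return [r for r in results if r["matches"]]


if __name__ == "__main__":
    # One JSON document per line: the shape an Elasticsearch/syslog output module wants.
    for record in scan_all():
        print(json.dumps(record))
```

Two design points carry over to any real deployment: a threshold on "combo" style rules keeps a single forum signature from paging someone, and the alert record stores a redacted sample rather than the secret itself, since the output channels (Slack, email, syslog) are often less protected than the paste was.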

Pown Duct is an essential tool for finding blind injection attacks using DNS side-channels.

Credits

This tool is part of the secapps.com open-source initiative. https://secapps.com

NB: This tool is taking advantage of the http://requestbin.net service. Future versions will use a dedicated, custom-built infrastructure.

Quickstart

This tool is meant to be used as part of Pown.js, but it can be invoked separately as an independent tool.

Install Pown first as usual:

    $ npm install -g pown@latest

Invoke directly from Pown:

    $ pown duct

Otherwise, install this module locally from the root of your project:

    $ npm install @pown/duct --save

Once done, invoke the pown cli:

    $ ./node_modules/.bin/pown-cli duct

You can also use the global pown to invoke the tool locally:

    $ POWN_ROOT=. pown duct

Usage

    pown duct

    Side-channel attack enabler

    Commands:
      pown duct dns  DNS ducting

    Options:
      --version  Show version number  [boolean]
      --help     Show help            [boolean]

    pown duct dns

    DNS ducting

    Options:
      --version  Show version number  [boolean]
      --help     Show help            [boolean]
      --channel  Restore channel      [string]
      --output   Output format        [string] [choices: "string", "hexdump", "json"] [default: "string"]

Tutorial

There are cases when we need to perform an attack such as SQL injection, XSS, XXE or SSRF, but the target application gives no indication that it is vulnerable. One way to be sure that a vulnerability is present is to inject a valid attack vector that forces a DNS resolver to look up a domain you control. If that resolution happens, the attack is considered successful.

NOTE: You might be familiar with Burp Collaborator, which provides a similar service for customers.

First, we need a disposable DNS name to resolve:

    $ pown duct dns

Using the provided DNS name, compose your payload. For example, the following could trigger a DNS resolution if an XXE vulnerability is present; replace DUCT-NAME-HERE with the name printed by pown duct dns:

    <!DOCTYPE foo [
      <!ENTITY bar SYSTEM "http://DUCT-NAME-HERE/">
    ]>
    <foo>&bar;</foo>

If the attack was successful, we will get a message in the terminal.

Download Pown-Duct
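As an added example for the Pown Duct tutorial above (not Pown Duct's code, which is JavaScript), here are both halves of a DNS side channel: a unique token is embedded in a hostname under a zone whose authoritative server you control, the payload is built around that hostname, and any query arriving for the name proves the payload was processed. The channel domain, the token and the "observed" DNS packet are constructed so the example runs offline; in real use the packet arrives on UDP/53 at your server or, with pown duct, at the requestbin.net backend.

```python
"""Added example for the Pown Duct section (not Pown Duct's code): both halves of a
DNS side channel.  A unique token is embedded in a hostname under a zone whose
authoritative server you control; any query for that name proves the payload was
processed.  The channel domain, the token and the "observed" DNS packet below are
constructed so the example runs offline; in real use the packet arrives on UDP/53."""
import secrets
import struct

CHANNEL_DOMAIN = "duct.example.net"   # assumed: a zone whose query log you can read


def new_channel(token=None, domain=CHANNEL_DOMAIN):
    """Return (token, hostname).  Use one token per injection point so a hit can be
    tied back to the exact parameter that triggered it."""
    token = token or secrets.token_hex(6)
    return token, "%s.%s" % (token, domain)


def xxe_payload(hostname):
    """External-entity document of the same shape as the tutorial payload: a
    vulnerable parser fetches the SYSTEM URI and thereby resolves hostname."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE foo [ <!ENTITY bar SYSTEM "http://%s/"> ]>\n'
            '<foo>&bar;</foo>\n' % hostname)


def build_dns_query(qname, txid=0x1234):
    """Encode a minimal DNS A query (RFC 1035 section 4.1) for qname."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet):
    """Extract the first question name from a raw DNS packet.  Question names in a
    query are never compression pointers, so a plain label walk is enough."""
    (qdcount,) = struct.unpack(">H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def match_channel(qname, token, domain=CHANNEL_DOMAIN):
    """True when qname is the channel hostname or anything beneath it.  Compare
    case-insensitively: resolvers may randomise query case (0x20 encoding)."""
    seen = qname.lower().rstrip(".")
    want = ("%s.%s" % (token, domain)).lower()
    return seen == want or seen.endswith("." + want)


def demo():
    token, host = new_channel(token="c0ffee112233")
    payload = xxe_payload(host)
    # Constructed: the query a recursive resolver would send to our server after the
    # vulnerable parser tries to fetch the entity.  Mixed case on purpose.
    observed = build_dns_query(host.upper())
    return token, payload, observed


if __name__ == "__main__":
    token, payload, observed = demo()
    print(payload)
    print("hit" if match_channel(parse_qname(observed), token) else "no hit")
```

The case-insensitive suffix match matters in practice: you will see the token arrive with randomised case, with a trailing dot, or with extra labels prepended by a payload that concatenates data in front of it, and all of those are still hits.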

Dwarf is a debugger for reverse engineers, crackers and security analysts. Or you can call it "damn, why are raspberries so fluffy" or, yet, "duck warriors are rich as fuck". Whatever you like! Built on top of PyQt5, Frida and some terrible code.

Check out the website for features, API and examples, and the CHANGELOG.

Something you can do with Dwarf:
  - breakpoints
  - watchpoints without hardware support
  - visual emulation with auto map from target, reporting memory accesses
  - break on module loading cycle and java classes
  - set break conditions and custom logic
  - inject code on each breakpointed thread
  - exchange data with your target and display it in the UI
  - dig through memory, disassembly and JVM fields/functions
  - backtrace both native and java
  - takes your whole frida agent in the script editor, converts hooks to breakpoints, etc.
  - more...
  - all of this can be done through scripting to build custom debugging logic

Prerequisites

A frida server running anywhere.

Android session:
  - make sure you can use the 'adb' command in the console, or read here
  - root on the device/emulator is required!
  - make sure frida is in /system/bin|xbin with a+x permissions, or eventually use Dwarf to automatically install the latest frida server

Setup and run

    git clone https://github.com/iGio90/Dwarf
    cd Dwarf
    pip3 install -r requirements.txt
    python3 dwarf.py

Optionally

You can install keystone-engine to enable the assembler:

Windows
  x86: https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win32.msi
  x64: https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win64.msi

OSX / Unix

    pip3 install keystone-engine

dex2jar tools (required for baksmali/decompiling)
  Guide: https://sourceforge.net/p/dex2jar/wiki/UserGuide/
  Files: https://github.com/pxb1988/dex2jar/releases

On Windows add the d2j folder to %PATH% and change

    'java -Xms512m -Xmx1024m -cp "%CP%" %*'

in d2j_invoke.bat to

    'java -Xms512m -Xmx4096m -cp "%CP%" %*'

Settings

You can change in .dwarf:
  "dwarf_ui_hexedit_bpl": 32 (default: 16) - bytes per line in hexview
  "dwarf_ui_hexstyle": "upper", "lower" (default: "upper") - overall hex style, 0xabcdef or 0xABCDEF (note: click on the "Offset (X)" in hexview to change)
  "dwarf_ui_font_size": 12 (default: 12) - (note: hexview/disasm use another font; wait for the settings dialog or change lib/utils.py get_os_monospace_font())

Download Dwarf

Ghostfuscator obfuscates Python scripts, making them password-protected using AES encryption.

Usage

Just execute the script and follow the menu.

Info

Once a script is obfuscated, running it shows a password prompt; after the correct password is submitted, the script decrypts its content in memory and executes it. Note that this protects the script only at rest: once the password is entered, the plaintext exists in the interpreter's memory for as long as the script runs, and anyone who has the password can recover it.

Download Ghostfuscator

objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.

Note: This is not some form of jailbreak / root bypass. By using objection, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.

Features

Supporting both iOS and Android, and having new features and improvements added regularly as the tool is used in real-world scenarios, the following is a short list of only a few key features.

For all supported platforms, objection allows you to:
  - Patch iOS and Android applications, embedding a Frida gadget that can be used with objection or just Frida itself.
  - Interact with the filesystem, listing entries as well as uploading and downloading files where permitted.
  - Perform various memory related tasks, such as listing loaded modules and their respective exports.
  - Attempt to bypass and simulate jailbroken or rooted environments.
  - Discover loaded classes and list their respective methods.
  - Perform common SSL pinning bypasses.
  - Dynamically dump arguments from methods called as you use the target application.
  - Interact with SQLite databases inline without the need to download the targeted database and use an external tool.
  - Execute custom Frida scripts.

iOS specific features in objection include the ability to:
  - Dump the iOS keychain, and export it to a file.
  - Dump data from common storage such as NSUserDefaults and the shared NSHTTPCookieStorage.
  - Dump various formats of information in human readable forms.
  - Bypass certain forms of TouchID restrictions.
  - Watch for method executions by targeting all methods in a class, or just a single method.
  - Monitor the iOS pasteboard.
  - Dump encoded .plist files in a human readable format without relying on external parsers.

Android specific features in objection include the ability to:
  - List the application's Activities, Services and Broadcast Receivers.
  - Start arbitrary Activities available in the target application.
  - Watch a class method, reporting execution as it happens.

Screenshots

The following screenshots show the main objection REPL, connected to a test application on both an iPad running iOS 10.2.1 and a Samsung Galaxy S5 running Android 6:
  - A file system listing of the iOS application's main bundle
  - A file system listing of the Android application's bundle
  - iOS keychain dumped for the current application, and later written to a file called keychain.json
  - Inline SQLite query tool
  - SSL pinning bypass running for an iOS application
  - SSL pinning bypass running for an Android application
  - API usage to list the currently stored iOS sharedHTTPCookieStorage

Sample usage

A sample session, where objection version 0.1 is used to explore the application's environment. Newer versions have the REPL prompt set to the current application's name; however, usage has remained the same.

Prerequisites

To run objection, all you need is the python3 interpreter to be available. Installation via pip should take care of all of the dependencies needed. For more details, please see the prerequisites section on the project wiki.

As for the target mobile applications though, for iOS an unencrypted IPA is needed, and for Android the normal APK should be fine. If you have the source code of the iOS application you want to explore, then you can simply embed and load the FridaGadget.dylib from within the Xcode project.

Installation

Installation is simply a matter of pip3 install objection. This will give you the objection command. For more detailed update and installation instructions, please refer to the wiki page.

Download Objection

Welcome to Commando VM - a fully customized, Windows-based security distribution for penetration testing and red teaming.

Installation (install script)

Requirements
  - Windows 7 Service Pack 1 or Windows 10
  - 60 GB hard drive
  - 2 GB RAM

Recommended
  - Windows 10
  - 80+ GB hard drive
  - 4+ GB RAM
  - 2 network adapters
  - Enable virtualization support for the VM

Instructions
  1. Create and configure a new Windows virtual machine.
  2. Ensure the VM is updated completely. You may have to check for updates, reboot, and check again until no more remain.
  3. Take a snapshot of your machine!
  4. Download and copy install.ps1 onto your newly configured machine.
  5. Open PowerShell as an Administrator.
  6. Enable script execution by running the following command:

         Set-ExecutionPolicy Unrestricted

  7. Finally, execute the installer script as follows:

         .\install.ps1

     You can also pass your password as an argument:

         .\install.ps1 -password <password>

The script will set up the Boxstarter environment and proceed to download and install the Commando VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting enter when prompted will also work.

Installing a new package

Commando VM uses the Chocolatey Windows package manager. It is easy to install a new package. For example, enter the following command as Administrator to deploy GitHub Desktop on your system:

    cinst github

Staying up to date

Type the following command to update all of the packages to the most recent version:

    cup all

Installed tools

Active Directory Tools: Remote Server Administration Tools (RSAT), SQL Server Command Line Utilities, Sysinternals

Command & Control: Covenant, PoshC2, WMImplant, WMIOps

Developer Tools: Dep, Git, Go, Java, Python 2, Python 3 (default), Ruby, Ruby Devkit, Visual Studio 2017 Build Tools (Windows 10), Visual Studio Code

Evasion: CheckPlease, Demiguise, DefenderCheck, DotNetToJScript, Invoke-CradleCrafter, Invoke-DOSfuscation, Invoke-Obfuscation, Invoke-Phant0m, Not PowerShell (nps), PS>Attack, PSAmsi, Pafishmacro, PowerLessShell, PowerShdll, StarFighters

Exploitation: ADAPE-Script, API Monitor, CrackMapExec, CrackMapExecWin, DAMP, EvilClippy, Exchange-AD-Privesc, FuzzySec's PowerShell-Suite, FuzzySec's Sharp-Suite, Generate-Macro, GhostPack (Rubeus, SafetyKatz, Seatbelt, SharpDPAPI, SharpDump, SharpRoast, SharpUp, SharpWMI), GoFetch, Impacket, Invoke-ACLPwn, Invoke-DCOM, Invoke-PSImage, Invoke-PowerThIEf, Juicy Potato, Kali Binaries for Windows, LuckyStrike, MetaTwin, Metasploit, Mr. Unikod3r's RedTeamPowershellScripts, NetshHelperBeacon, Nishang, Orca, PSReflect, PowerLurk, PowerPriv, PowerSploit, PowerUpSQL, PrivExchange, RottenPotatoNG, Ruler, SharpClipHistory, SharpExchangePriv, SharpExec, SpoolSample, SharpSploit, UACME, impacket-examples-windows, vssown, Vulcan

Information Gathering: ADACLScanner, ADExplorer, ADOffline, ADRecon, BloodHound, dnsrecon, FOCA, Get-ReconInfo, GoBuster, GoWitness, NetRipper, Nmap, PowerView (Dev branch included), SharpHound, SharpView, SpoolerScanner, Watson

Networking Tools: Citrix Receiver, OpenVPN, Proxycap, PuTTY, Telnet, VMWare Horizon Client, VMWare vSphere Client, VNC-Viewer, WinSCP, Windump, Wireshark

Password Attacks: ASREPRoast, CredNinja, DomainPasswordSpray, DSInternals, Get-LAPSPasswords, Hashcat, Internal-Monologue, Inveigh, Invoke-TheHash, KeeFarce, KeeThief, LAPSToolkit, MailSniper, Mimikatz, Mimikittenz, RiskySPN, SessionGopher

Reverse Engineering: DNSpy, Flare-Floss, ILSpy, PEview, Windbg, x64dbg

Utilities: 7zip, Adobe Reader, AutoIT, Cmder, CyberChef, Explorer Suite, Gimp, Greenshot, Hashcheck, Hexchat, HxD, Keepass, MobaXterm, Mozilla Thunderbird, Neo4j Community Edition, Notepad++, Pidgin, Process Hacker 2, SQLite DB Browser, Screentogif, Shellcode Launcher, Sublime Text 3, TortoiseSVN, VLC Media Player, Winrar, yEd Graph Tool

Vulnerability Analysis: AD Control Paths, Egress-Assess, Grouper2, NtdsAudit, PwndPasswordsNTLM, zBang

Web Applications: Burp Suite, Fiddler, Firefox, OWASP Zap, Subdomain-Bruteforce, Wfuzz

Wordlists: FuzzDB, PayloadsAllTheThings, SecLists, Probable-Wordlists, RobotsDisallowed

Changelog

1.3 - June 28 2019
  - Added RottenPotatoNG https://github.com/breenmachine/RottenPotatoNG #63
  - Added Juicy Potato https://github.com/ohpe/juicy-potato #63, #64
  - Added Watson https://github.com/rasta-mouse/Watson #64
  - Added PwndPasswordsNTLM https://github.com/JacksonVD/PwnedPasswordsNTLM #67
  - Added FOCA https://github.com/ElevenPaths/FOCA #71
  - Added Vulcan https://github.com/praetorian-code/vulcan
  - Added SharpClipHistory https://github.com/mwrlabs/SharpClipHistory
  - Added NetRipper https://github.com/NytroRST/NetRipper
  - Added RobotsDisallowed https://github.com/danielmiessler/RobotsDisallowed
  - Added Probable-Wordlists https://github.com/berzerk0/Probable-Wordlists
  - Added SharpSploit https://github.com/cobbr/SharpSploit
  - Changed WinRM configuration #65
  - Un-hardened UNC file paths #68
  - Fixed install issues with Covenant #61, #76

1.2 - May 31 2019
  - Added recommended hardware settings #20, #17
  - Added DomainPasswordSpray https://github.com/dafthack/DomainPasswordSpray #2
  - Added GoBuster https://github.com/OJ/gobuster #39
  - Added Wfuzz https://github.com/xmendez/wfuzz #40
  - Added Notepad++ #30
  - Added TextFX plugin for Notepad++
  - Added Explorer Suite (CFF Explorer)

1.1 - April 30 2019
  - Added AD-Control-Paths https://github.com/ANSSI-FR/AD-control-paths/releases
  - Added DefenderCheck https://github.com/matterpreter/DefenderCheck
  - Added dnsrecon https://github.com/darkoperator/dnsrecon
  - Added EvilClippy https://github.com/outflanknl/EvilClippy
  - Added NtdsAudit https://github.com/Dionach/NtdsAudit
  - Added SharpExec https://github.com/anthemtotheego/SharpExec
  - Added Subdomain-Bruteforce https://github.com/visualbasic6/subdomain-bruteforce
  - Fixed issue #18 with PATH
  - Added Commando logos with transparent backgrounds to $Home\Pictures
  - Pinned Firefox to the taskbar
  - Fixed misspellings in Readme #42/#43
  - Added Ruby and Ruby Devkit #1
  - Updated Rubeus package to current version (1.4.2) #31

1.0.2 - April 10 2019
  - Added missing 'seclists.fireeye' package to packages.json #38

1.0.1 - March 31 2019
  - Used https instead of http to install boxstarter #10

Download Commando-Vm

Findomain is a cross-platform tool that uses Certificate Transparency logs to find subdomains. Linux, Windows and MacOS are currently supported.

How it works

The tool does not use the common methods for subdomain discovery; it uses Certificate Transparency logs to find subdomains, which makes it much faster and more reliable. It makes use of multiple publicly available APIs to perform the search. If you want to know more about Certificate Transparency logs, read https://www.certificate-transparency.org/

Keep in mind what this implies: only names that have appeared in a publicly logged certificate are found, so hosts that never had a certificate issued, or that are covered only by a wildcard certificate, will not show up. CT search complements brute force rather than replacing it.

Installation: Linux

You can install it by manually compiling the source or by using the precompiled binary.

Manually (you need to have Rust installed on your computer first):

    $ git clone https://github.com/Edu4rdSHL/findomain.git
    $ cd findomain
    $ cargo build --release
    $ sudo cp target/release/findomain /usr/bin/
    $ findomain

Using the binary:

    $ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux
    $ chmod +x findomain-linux
    $ ./findomain-linux

If you are using the BlackArch Linux distribution, you just need to use:

    $ sudo pacman -S findomain

Installation: Windows

Download the binary from https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-windows.exe, open a CMD shell, go to the directory where findomain-windows.exe was downloaded and run findomain-windows in the CMD shell.

Installation: MacOS

    $ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-osx
    $ chmod +x findomain-osx
    $ ./findomain-osx

Usage

You can use the tool in two ways: only discovering the domain names, or discovering the domain names plus their IP addresses.

    findomain 0.1.4
    Eduard Tolosa
    A tool that uses Certificate Transparency logs to find subdomains.

    USAGE:
        findomain [FLAGS] [OPTIONS]

    FLAGS:
        -a, --all-apis    Use all the available APIs to perform the search. It takes more time but you will have a lot more results.
        -h, --help        Prints help information
        -i, --get-ip      Return the subdomain list with IP address if resolved.
        -V, --version     Prints version information

    OPTIONS:
        -f, --file        Sets the input file to use.
        -o, --output      Write data to output file in the specified format. [possible values: txt, csv, json]
        -t, --target      Target host

Examples

Make a simple search of subdomains and print the info on the screen:

    findomain -t example.com

Make a simple search of subdomains using all the APIs and print the info on the screen:

    findomain -t example.com -a

Make a search of subdomains and export the data to a CSV file:

    findomain -t example.com -o csv

Make a search of subdomains using all the APIs and export the data to a CSV file:

    findomain -t example.com -a -o csv

Make a search of subdomains and resolve the IP address of the subdomains (if possible):

    findomain -t example.com -i

Make a search of subdomains with all the APIs and resolve the IP address of the subdomains (if possible):

    findomain -t example.com -i -a

Make a search of subdomains with all the APIs and resolve the IP address of the subdomains (if possible), exporting the data to a CSV file:

    findomain -t example.com -i -a -o csv

Features
  - Discover subdomains without brute force; the tool uses Certificate Transparency logs.
  - Discover subdomains with or without IP address according to user arguments.
  - Read the target from a user argument (-t).
  - Read a list of targets from a file and discover their subdomains with or without IP, and also write to output files per domain if specified by the user, recursively.
  - Write output to a TXT file.
  - Write output to a CSV file.
  - Write output to a JSON file.
  - Cross platform support: Linux, Windows, MacOS.
  - Optional multiple API support.

Issues and requests

If you have a problem or a feature request, open an issue.

Download Findomain
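As an added example for the Findomain section above (not findomain's code, which is Rust), here is how a Certificate Transparency search turns into a subdomain list, including the filtering a careful implementation needs. Findomain queries public CT APIs; the response below is constructed to look like a crt.sh-style JSON array (one record per certificate, SANs newline-separated in name_value, an assumption about that API's shape) and is embedded so the example runs offline. The resolver is injectable so the IP step (findomain's -i) can be exercised without network access.

```python
"""Added example for the Findomain section (not findomain's code, which is Rust):
how a Certificate Transparency search turns into a subdomain list.  Findomain
queries public CT APIs; the response below is constructed to look like a crt.sh-
style JSON array (one record per certificate, SANs newline-separated in
'name_value', an assumption about that API's shape) and is embedded so the example
runs offline.  The resolver is injectable so the IP step (findomain's -i) can be
exercised without network access."""
import json
import re
import socket

# Constructed CT response for target example.com.  Includes the traps a real
# response contains: wildcards, mixed case, trailing dots, duplicates, lookalike
# and suffix-colliding domains.
CT_RESPONSE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.example.com\napi.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "Mail.Example.com."},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "example.com.attacker.test"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "dev.example.com\nstaging.example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "notexample.com"},
])

# RFC 1123 host name: labels of letters, digits and inner hyphens, at least two labels.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def extract_subdomains(ct_json, target):
    """Return the sorted, de-duplicated hostnames under target that appear as
    certificate names.  Wildcards name no concrete host and are dropped; the apex
    itself is not a subdomain; suffix matching is done on '.' + target so that
    'notexample.com' and 'example.com.attacker.test' do not slip through."""
    target = target.lower().rstrip(".")
    found = set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if name == target or not name.endswith("." + target):
                continue
            if HOSTNAME_RE.match(name):
                found.add(name)
    return sorted(found)


def resolve(names, lookup=socket.gethostbyname):
    """Map each name to an IPv4 address or None (findomain's -i).  'lookup' defaults
    to a real DNS query; pass a function in tests."""
    out = {}
    for name in names:
        try:
            out[name] = lookup(name)
        except OSError:            # socket.gaierror is an OSError
            out[name] = None
    return out


if __name__ == "__main__":
    subs = extract_subdomains(CT_RESPONSE, "example.com")
    print("\n".join(subs))
```

The suffix check is the part people get wrong: matching on the bare string "example.com" lets notexample.com and every lookalike registered under another TLD into the result set, which then ends up in a scope document or an automated scanner.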

Echidna is a weird creature that eats bugs and is highly electrosensitive (with apologies to Jacob Stanley).

More seriously, Echidna is a Haskell library designed for fuzzing/property-based testing of EVM code. It supports relatively sophisticated grammar-based fuzzing campaigns to falsify a variety of predicates.

Features
  - Generates inputs tailored to your actual code
  - Optional coverage guidance to find deeper bugs
  - Automatic testcase minimization for quick triage
  - Seamless integration into the development workflow
  - Fast
  - Powerful API for advanced usage
  - Beautiful logo

Usage

Executing the test runner

The core Echidna functionality is an executable called echidna-test. echidna-test takes a contract and a list of invariants (properties that should always remain true) as input. For each invariant, it generates random sequences of calls to the contract and checks if the invariant holds. If it can find some way to falsify the invariant, it prints the call sequence that does so. If it can't, you have some assurance the contract is safe, for the properties you wrote and the call budget you gave it; the absence of a counterexample is evidence, not a proof.

Writing invariants

Invariants are expressed as Solidity functions with names that begin with echidna_, have no arguments, and return a boolean. For example, if you have some balance variable that should never go below 20, you can write an extra function in your contract like this one:

    function echidna_check_balance() public returns (bool) {
        return balance >= 20;
    }

To check these invariants, run:

    $ echidna-test myContract.sol

An example contract with tests can be found in examples/solidity/basic/flags.sol. To run it, you should execute:

    $ echidna-test examples/solidity/basic/flags.sol

Echidna should find a call sequence that falsifies echidna_sometimesfalse and should be unable to find a falsifying input for echidna_alwaystrue.

Configuration options

Echidna's CLI can be used to choose the contract to test and load a configuration file.

    $ echidna-test contract.sol TEST --config="config.yaml"

The configuration file allows users to choose EVM and test generation parameters. An example of a complete config file with the default options can be found at examples/solidity/basic/default.yaml. More detailed documentation on the configuration options is available in our wiki.

Advanced usage

Echidna exports an API to build powerful fuzzing systems, and has a multitude of configuration options. Unfortunately, these parts of the codebase change quickly and are thus poorly documented. The examples/api directory or the Trail of Bits blog are excellent references, or use the references below to get in touch with us directly.

Installation

If you want to quickly test Echidna on Linux, we offer a statically linked binary release of v1.0.0.0 to download here. Otherwise, to install the latest revision of Echidna, we recommend using docker:

    $ docker build -t echidna .

for example

    $ docker run -t -v `pwd`:/src echidna echidna-test /src/examples/solidity/basic/flags.sol

If you'd prefer to build from source, use Stack. stack install should build and compile echidna-test in ~/.local/bin. You will need to link against libreadline and libsecp256k1 (built with recovery enabled), which should be installed with the package manager of your choosing. Additionally, you need to install the latest release of libff (you can take a look at this script used in our CI tests). If you're getting errors building related to linking, try tinkering with --extra-include-dirs and --extra-lib-dirs.

Getting help

Feel free to stop by our #ethereum slack channel in Empire Hacking for help using or extending Echidna.
  - Get started by reviewing these simple Echidna invariants
  - Review the Solidity examples directory for more extensive Echidna use cases
  - Consider emailing the Echidna development team directly for more detailed questions

Download Echidna
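As an added example for the Echidna section above (not Echidna's code, which is Haskell and drives a real EVM), here is what a property-based fuzzing campaign with testcase minimisation does, on a Python model of the two-flag contract. The model is an assumption about examples/solidity/basic/flags.sol: set0(v) clears flag0 when v % 100 == 0; set1(v) clears flag1 when v % 10 == 0 and flag0 is already clear; echidna_alwaystrue always holds and echidna_sometimesfalse returns flag1. Echidna's generation is typed and coverage-guided; this uses plain random call sequences seeded with a few "interesting" constants, then shrinks the first counterexample to a 1-minimal one.

```python
"""Added example for the Echidna section (not Echidna's code, which is Haskell and
drives a real EVM): what a property-based fuzzing campaign with minimisation does,
on a Python model of the two-flag contract.  The model is an assumption about
examples/solidity/basic/flags.sol: set0(v) clears flag0 when v % 100 == 0; set1(v)
clears flag1 when v % 10 == 0 and flag0 is already clear; echidna_alwaystrue always
holds and echidna_sometimesfalse returns flag1.  Echidna's generation is typed and
coverage-guided; this uses plain random call sequences seeded with a few
"interesting" constants, then shrinks the first counterexample."""
import random


class Flags:
    """Python stand-in for the flags contract (assumed behaviour, see above)."""
    def __init__(self):
        self.flag0 = True
        self.flag1 = True

    def set0(self, val):
        if val % 100 == 0:
            self.flag0 = False

    def set1(self, val):
        if val % 10 == 0 and not self.flag0:
            self.flag1 = False

    def echidna_alwaystrue(self):
        return True

    def echidna_sometimesfalse(self):
        return self.flag1


PROPERTIES = [n for n in dir(Flags) if n.startswith("echidna_")]
CALLABLE = ["set0", "set1"]          # the public, non-property interface


def run(seq):
    """Replay a call sequence on a fresh instance; return each property's result."""
    contract = Flags()
    for fn, arg in seq:
        getattr(contract, fn)(arg)
    return {p: getattr(contract, p)() for p in PROPERTIES}


def minimise(seq, prop):
    """Greedy shrink: drop each call in turn and keep the drop if prop still fails.
    The result is 1-minimal: removing any single remaining call restores prop."""
    i = 0
    while i < len(seq):
        candidate = seq[:i] + seq[i + 1:]
        if not run(candidate)[prop]:
            seq = candidate
        else:
            i += 1
    return seq


def gen_value(rng):
    """Mostly 'interesting' constants, sometimes a wide random int: the constants make
    the boundary conditions reachable, the random tail keeps the search honest."""
    if rng.random() < 0.8:
        return rng.choice([0, 1, 10, 100, -100, 255, 1000])
    return rng.randint(-10**6, 10**6)


def fuzz(prop, tests=2000, max_len=8, seed=0):
    """Return a minimised falsifying call sequence for prop, or None if the budget
    runs out without a counterexample (which is evidence, not proof)."""
    rng = random.Random(seed)
    for _ in range(tests):
        seq = [(rng.choice(CALLABLE), gen_value(rng)) for _ in range(rng.randint(1, max_len))]
        if not run(seq)[prop]:
            return minimise(seq, prop)
    return None


if __name__ == "__main__":
    for prop in PROPERTIES:
        result = fuzz(prop)
        print(prop, "falsified by" if result else "held after 2000 tests", result or "")
```

The shrink step is what makes the output usable: the first failing sequence is typically several calls long, but the 1-minimal version is exactly one set0 with a multiple of 100 followed by one set1 with a multiple of 10, which is the bug statement a developer can act on. Replace the uniform value generator with a purely random one and the same campaign can run for thousands of tests without hitting v % 100 == 0, which is why Echidna mines constants from the contract being tested.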

Cloud Security Audit is a command line security audit tool for Amazon Web Services.

About

Cloud Security Audit is a command line tool that scans for vulnerabilities in your AWS account. It lets you identify insecure parts of your infrastructure in an easy way and prepare your AWS account for a security audit.

Installation

Currently Cloud Security Audit does not support any package managers, but the work is in progress.

Building from sources

First of all you need to download Cloud Security Audit to your Go workspace:

    $GOPATH $ go get github.com/Appliscale/cloud-security-audit
    $GOPATH $ cd cloud-security-audit

Then build and install the configuration for the application inside the cloud-security-audit directory by executing:

    cloud-security-audit $ make all

Usage

Initialising a session

If you're using MFA you need to tell Cloud Security Audit to authenticate you before trying to connect, by using the flag --mfa. Example:

    $ cloud-security-audit --service s3 --mfa --mfa-duration 3600

EC2 scan

How to use

To perform an audit on all EC2 instances, type:

    $ cloud-security-audit --service ec2

You can narrow the audit to a region by using the flag -r or --region. Cloud Security Audit also supports AWS profiles; to specify a profile use the flag -p or --profile.

Example output

    +---------------+---------------------+------------------------------+-----------------------------+----------+
    | AVAILABILITY  | EC2                 | VOLUMES                      | SECURITY                    | EC2 TAGS |
    | ZONE          |                     | (NONE) - NOT ENCRYPTED       | GROUPS                      |          |
    |               |                     | (DKMS) - ENCRYPTED WITH      | (INCOMING CIDR = 0.0.0.0/0) |          |
    |               |                     | DEFAULT KMSKEY               | ID : PROTOCOL : PORT        |          |
    +---------------+---------------------+------------------------------+-----------------------------+----------+
    | eu-central-1a | i-0fa345j6756nb3v23 | vol-0a81288qjd188424d[DKMS]  | sg-aaaaaaaa : tcp : 22      | App:some |
    |               |                     | vol-0c2834re8dfsd8sdf[NONE]  | sg-aaaaaaaa : tcp : 22      | Key:Val  |
    +---------------+---------------------+------------------------------+-----------------------------+----------+

How to read it
  - First column AVAILABILITY ZONE contains information on where the instance is placed.
  - Second column EC2 contains the instance ID.
  - Third column VOLUMES contains the IDs of the volumes (virtual disks) attached to the given EC2 instance. Suffixes meaning: [NONE] - volume not encrypted; [DKMS] - volume encrypted using the AWS default KMS key. More about KMS you can find here.
  - Fourth column SECURITY GROUPS contains the IDs of security groups that have too-open permissions, e.g. an ingress CIDR block equal to 0.0.0.0/0 (open to the whole world), with the protocol and port each rule exposes.
  - Fifth column EC2 TAGS contains the tags of the given EC2 instance, to help you identify the purpose of this instance.

Docs

You can find more information about encryption in the following documentation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

S3 scan

How to use

To perform an audit on all S3 buckets, type:

    $ cloud-security-audit --service s3

Cloud Security Audit supports AWS profiles; to specify a profile use the flag -p or --profile.

Example output

    +-------------+---------+---------+------------+------------+
    | BUCKET NAME | DEFAULT | LOGGING | ACL        | POLICY     |
    |             | SSE     | ENABLED | IS PUBLIC  | IS PUBLIC  |
    |             |         |         | R - READ   | R - READ   |
    |             |         |         | W - WRITE  | W - WRITE  |
    |             |         |         | D - DELETE | D - DELETE |
    +-------------+---------+---------+------------+------------+
    | bucket1     | NONE    | true    | false      | false      |
    +-------------+---------+---------+------------+------------+
    | bucket2     | DKMS    | false   | false      | true [R]   |
    +-------------+---------+---------+------------+------------+
    | bucket3     | AES256  | false   | true [RWD] | false      |
    +-------------+---------+---------+------------+------------+

How to read it
  - First column BUCKET NAME contains the names of the S3 buckets.
  - Second column DEFAULT SSE tells you which default type of server-side encryption is used in your S3 bucket: NONE - default SSE not enabled; DKMS - default SSE enabled, AWS KMS key used to encrypt data; AES256 - default SSE enabled with AES256 (SSE-S3).
  - Third column LOGGING ENABLED tells you whether server access logging is enabled for the given S3 bucket. This provides detailed records for the requests that are made to the bucket. More information about server access logging can be found here.
  - Fourth column ACL IS PUBLIC tells you whether the ACL (Access Control List) contains permissions that make the bucket public (allow reads/writes for anyone). More information about ACLs here.
  - Fifth column POLICY IS PUBLIC tells you whether the bucket's policy allows any action (read/write) for an anonymous user. More about bucket policies here.

The R, W and D letters describe what type of action is available to everyone.

Docs

You can find more about securing your S3 buckets in the following documentation:
  https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
  https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
  https://docs.aws.amazon.com/AmazonS3/latest/user-guide/server-access-logging.html

License

Apache License 2.0

Maintainers

Michał Połcik, Maksymilian Wojczuk, Piotr Figwer, Sylwia Gargula, Mateusz Piwowarczyk

Download Cloud-Security-Audit
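As an added example for the Cloud Security Audit section above (not the project's code, which is Go and calls the AWS API), here are the checks behind the two report tables, run over constructed dictionaries shaped like EC2 DescribeInstances / DescribeVolumes / DescribeSecurityGroups output and an S3 bucket policy. The IDs, ARNs and the default KMS key ARN are assumptions. It goes one step beyond the page by distinguishing a customer-managed key (CMK) from the AWS default key (DKMS), and it spells out the caveat the POLICY IS PUBLIC column hides: a Principal of "*" is only truly public when no Condition narrows it.

```python
"""Added example for the Cloud Security Audit section (not the project's code,
which is Go and calls the AWS API): the checks behind the two report tables, run
over constructed dictionaries shaped like EC2 DescribeInstances / DescribeVolumes /
DescribeSecurityGroups output and an S3 bucket policy.  IDs, ARNs and the default
KMS key ARN are assumptions.  It goes one step beyond the page by distinguishing a
customer-managed key (CMK) from the AWS default key (DKMS)."""
from ipaddress import ip_network

DEFAULT_KMS_KEY_ARN = "arn:aws:kms:eu-central-1:111122223333:key/aws-ebs-default"  # assumed

# Constructed API-shaped data.
INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "Placement": {"AvailabilityZone": "eu-central-1a"},
    "SecurityGroups": [{"GroupId": "sg-aaaaaaaa"}],
    "Tags": [{"Key": "App", "Value": "some"}],
    "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-01"}}, {"Ebs": {"VolumeId": "vol-02"}},
                            {"Ebs": {"VolumeId": "vol-03"}}],
}
VOLUMES = {
    "vol-01": {"Encrypted": True, "KmsKeyId": DEFAULT_KMS_KEY_ARN},
    "vol-02": {"Encrypted": False},
    "vol-03": {"Encrypted": True, "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/my-cmk"},
}
SECURITY_GROUPS = {"sg-aaaaaaaa": {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}}


def volume_suffix(vol):
    """[NONE] / [DKMS] as in the report, plus [CMK] for a customer-managed key."""
    if not vol.get("Encrypted"):
        return "NONE"
    return "DKMS" if vol.get("KmsKeyId") == DEFAULT_KMS_KEY_ARN else "CMK"


def open_rules(sg):
    """Ingress rules reachable from the whole world, as 'proto : port' strings."""
    out = []
    for perm in sg["IpPermissions"]:
        for r in perm.get("IpRanges", []):
            if ip_network(r["CidrIp"]).prefixlen == 0:          # 0.0.0.0/0
                out.append("%s : %s" % (perm["IpProtocol"], perm.get("FromPort", "all")))
    return out


def audit_instance(inst, volumes, sgs):
    """One row of the EC2 table."""
    vol_ids = [m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"] if "Ebs" in m]
    return {
        "az": inst["Placement"]["AvailabilityZone"],
        "instance": inst["InstanceId"],
        "volumes": ["%s[%s]" % (v, volume_suffix(volumes[v])) for v in vol_ids],
        "open_security_groups": ["%s : %s" % (g["GroupId"], rule)
                                 for g in inst["SecurityGroups"]
                                 for rule in open_rules(sgs[g["GroupId"]])],
        "tags": {t["Key"]: t["Value"] for t in inst.get("Tags", [])},
    }


# S3 bucket policy -> which of R / W / D an anonymous principal is granted.
ACTION_CLASS = {"s3:GetObject": "R", "s3:ListBucket": "R", "s3:PutObject": "W", "s3:DeleteObject": "D"}


def _is_anonymous(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))


def public_policy_letters(policy):
    """'R', 'RW', 'RWD', ... for actions an Allow statement with Principal '*' grants;
    '' when nothing is public.  Conditions are deliberately ignored: a real audit
    must read them, because aws:SourceIp or aws:SourceVpc can narrow a '*' principal
    to an internal network, and a blanket Deny elsewhere can override the Allow."""
    letters = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if action in ("s3:*", "*"):
                letters.update("RWD")
            elif action in ACTION_CLASS:
                letters.add(ACTION_CLASS[action])
    return "".join(l for l in "RWD" if l in letters)


BUCKET2_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::bucket2/*"}]}

if __name__ == "__main__":
    print(audit_instance(INSTANCE, VOLUMES, SECURITY_GROUPS))
    print("bucket2 policy public:", public_policy_letters(BUCKET2_POLICY) or "false")
```

To run this against a real account, replace the constructed dictionaries with the corresponding boto3 describe_instances, describe_volumes, describe_security_groups and get_bucket_policy results; the functions take the same shapes.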