diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
new file mode 100644
index 0000000..b90d369
--- /dev/null
+++ b/.github/workflows/python-app.yml
@@ -0,0 +1,31 @@
+# CI: install the project with uv and run the pytest suite on every push
+# and pull request targeting master.
+name: Python application
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+# The job only needs to read the repository contents.
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Test with pytest
+        run: uv run pytest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..2f1cbf8
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,66 @@
+# Release: on every push to master, read the version from pyproject.toml and,
+# if no tag with that name exists yet, create the tag and a GitHub release.
+name: Release
+
+on:
+  push:
+    branches: [ master ]
+
+# Pushing the tag and creating the release both require write access.
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      # fetch-depth: 0 disables the shallow clone; the tag lookup below depends
+      # on existing tags being available in the local checkout.
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # NOTE(review): no later step in this workflow invokes uv; confirm this
+      # step is still needed.
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+
+      # Take the first `version = "..."` assignment and fail fast when none is
+      # found, so an empty or malformed tag name is never used downstream.
+      - name: Read version from pyproject.toml
+        id: version
+        run: |
+          VERSION=$(sed -n 's/^version[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' pyproject.toml | head -n 1)
+          if [ -z "$VERSION" ]; then
+            echo "::error::Could not read a version from pyproject.toml"
+            exit 1
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Check if tag already exists
+        id: tag_check
+        env:
+          # Passed via the environment instead of being interpolated into the
+          # script text, so the value is never parsed as shell code.
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          if git rev-parse "refs/tags/$VERSION" >/dev/null 2>&1; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create tag and release
+        if: steps.tag_check.outputs.exists == 'false'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          git tag "$VERSION"
+          git push origin "$VERSION"
+          gh release create "$VERSION" \
+            --title "Release $VERSION" \
+            --generate-notes
diff --git a/.gitignore b/.gitignore
index 98d210f..0b72a6c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,107 +1,33 @@
-# Byte-compiled / optimized / DLL files
+#
custom +cloud-enum-output + +# MacOS +.DS_Store + +# Python __pycache__/ *.py[cod] *$py.class - -# C extensions *.so - -# Distribution / packaging .Python build/ -develop-eggs/ dist/ -downloads/ -eggs/ -.eggs/ -lib/ -lib64/ -parts/ -sdist/ -var/ -wheels/ *.egg-info/ -.installed.cfg -*.egg -MANIFEST - -# PyInstaller -# Usually these files are written by a python script from a template -# before PyInstaller builds the exe, so as to inject date/other infos into it. -*.manifest -*.spec - -# Installer logs -pip-log.txt -pip-delete-this-directory.txt - -# Unit test / coverage reports -htmlcov/ -.tox/ +.pytest_cache/ .coverage .coverage.* -.cache -nosetests.xml coverage.xml -*.cover +htmlcov/ +.tox/ +.nox/ .hypothesis/ -.pytest_cache/ - -# Translations -*.mo -*.pot -# Django stuff: -*.log -local_settings.py -db.sqlite3 - -# Flask stuff: -instance/ -.webassets-cache - -# Scrapy stuff: -.scrapy - -# Sphinx documentation -docs/_build/ - -# PyBuilder -target/ - -# Jupyter Notebook -.ipynb_checkpoints - -# pyenv -.python-version - -# celery beat schedule file -celerybeat-schedule - -# SageMath parsed files -*.sage.py - -# Environments -.env -.venv -env/ -venv/ -ENV/ -env.bak/ -venv.bak/ - -# Spyder project settings -.spyderproject -.spyproject - -# Rope project settings -.ropeproject - -# mkdocs documentation -/site - -# mypy -.mypy_cache/ +# uv +.venv/ +uv.lock # vim swap files *.swp + +# vscode +.vscode/ diff --git a/LICENSE b/LICENSE index f288702..bf2564e 100644 --- a/LICENSE +++ b/LICENSE @@ -1,674 +1,21 @@ - GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU General Public License is a free, copyleft license for -software and other kinds of works. 
- - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -the GNU General Public License is intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. We, the Free Software Foundation, use the -GNU General Public License for most of our software; it applies also to -any other work released this way by its authors. You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - To protect your rights, we need to prevent others from denying you -these rights or asking you to surrender the rights. Therefore, you have -certain responsibilities if you distribute copies of the software, or if -you modify it: responsibilities to respect the freedom of others. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must pass on to the recipients the same -freedoms that you received. You must make sure that they, too, receive -or can get the source code. And you must show them these terms so they -know their rights. - - Developers that use the GNU GPL protect your rights with two steps: -(1) assert copyright on the software, and (2) offer you this License -giving you legal permission to copy, distribute and/or modify it. - - For the developers' and authors' protection, the GPL clearly explains -that there is no warranty for this free software. 
For both users' and -authors' sake, the GPL requires that modified versions be marked as -changed, so that their problems will not be attributed erroneously to -authors of previous versions. - - Some devices are designed to deny users access to install or run -modified versions of the software inside them, although the manufacturer -can do so. This is fundamentally incompatible with the aim of -protecting users' freedom to change the software. The systematic -pattern of such abuse occurs in the area of products for individuals to -use, which is precisely where it is most unacceptable. Therefore, we -have designed this version of the GPL to prohibit the practice for those -products. If such problems arise substantially in other domains, we -stand ready to extend this provision to those domains in future versions -of the GPL, as needed to protect the freedom of users. - - Finally, every program is threatened constantly by software patents. -States should not allow patents to restrict development and use of -software on general-purpose computers, but in those that do, we wish to -avoid the special danger that patents applied to a free program could -make it effectively proprietary. To prevent this, the GPL assures that -patents cannot be used to render the program non-free. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. - - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. 
The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. - - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. 
- - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. 
The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. - - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. 
- - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. 
- - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. 
This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. 
For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. - - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. 
Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. 
- - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. 
- - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. - - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. 
Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. 
- - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. 
- - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. 
You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Use with the GNU Affero General Public License. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU Affero General Public License into a single -combined work, and to convey the resulting work. 
The terms of this -License will continue to apply to the part which is the covered work, -but the special requirements of the GNU Affero General Public License, -section 13, concerning interaction through a network will apply to the -combination as such. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. 
- - - Copyright (C) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -Also add information on how to contact you by electronic and paper mail. - - If the program does terminal interaction, make it output a short -notice like this when it starts in an interactive mode: - - Copyright (C) - This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, your program's commands -might be different; for a GUI interface, you would use an "about box". - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU GPL, see -. - - The GNU General Public License does not permit incorporating your program -into proprietary programs. If your program is a subroutine library, you -may consider it more useful to permit linking proprietary applications with -the library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. But first, please read -. 
+MIT License + +Copyright (c) 2022 initstring + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index ade74cb..f548862 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,28 @@ # cloud_enum + +## Future of cloud_enum + +I built this tool in 2019 for a pentest involving Azure, as no other enumeration tools supported it at the time. It grew from there, and I learned a lot while adding features. + +Building tools is fun, but maintaining tools is hard. I haven't actively used this tool myself in a while, but I've done my best to fix bugs and review pull requests. + +Moving forward, it makes sense to consolidate this functionality into a well-maintained project that handles the essentials (web/dns requests, threading, I/O, logging, etc.). [Nuclei](https://github.com/projectdiscovery/nuclei) is really well suited for this. You can see my first PR to migrate cloud_enum functionality to Nuclei [here](https://github.com/projectdiscovery/nuclei-templates/pull/6865). 
+ +I encourage others to contribute templates to Nuclei, allowing us to focus on detecting cloud resources while leaving the groundwork to Nuclei. + +I'll still try to review PRs here to address bugs as time permits, but likely won't have time for major changes. + +Thanks to all the great contributors. Good luck with your recon! + +## Overview + Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. Currently enumerates the following: **Amazon Web Services**: -- Open S3 Buckets -- Protected S3 Buckets +- Open / Protected S3 Buckets +- awsapps (WorkMail, WorkDocs, Connect, etc.) **Microsoft Azure**: - Storage Accounts @@ -15,45 +32,47 @@ Currently enumerates the following: - Web Apps **Google Cloud Platform** -- Open GCP Buckets -- Protected GCP Buckets +- Open / Protected GCP Buckets +- Open / Protected Firebase Realtime Databases - Google App Engine sites +- Cloud Functions (enumerates project/regions with existing functions, then brute forces actual function names) +- Open Firebase Apps -By "open" buckets/containers, I mean those that allow anonymous users to list contents. if you discover a protected bucket/container, it is still worth trying to brute force the contents with another tool. - -**IMPORTANT**: Azure Virtual Machine DNS records can span a lot of geo regions. To save time scanning, there is a "REGIONS" variable defined in cloudenum/azure_regions.py. You'll want to look at this file and edit it to be relevant to your own work. +See it in action in [Codingo](https://github.com/codingo)'s video demo [here](https://www.youtube.com/embed/pTUDJhWJ1m0). -# Usage +## Usage -## Setup -Several non-standard libaries are required to support threaded HTTP requests and dns lookups. You'll need to install the requirements as follows: +### Setup +This project uses [uv](https://github.com/astral-sh/uv) for dependency management. 
Install uv, then run: ```sh -pip3 install -r ./requirements.txt +uv sync ``` -## Running +### Running The only required argument is at least one keyword. You can use the built-in fuzzing strings, but you will get better results if you supply your own with `-m` and/or `-b`. You can provide multiple keywords by specifying the `-k` argument multiple times. -Azure Containers required two levels of brute-forcing, both handled automatically by this tool. First, by finding valid accounts (DNS). Then, by brute-forcing container names inside that account (HTTP scraping). The tool uses the same fuzzing file for both by default, but you can specificy individual files separately if you'd like. +Keywords are mutated automatically using strings from `enum_tools/fuzz.txt` or a file you provide with the `-m` flag. Services that require a second level of brute forcing (Azure Containers and GCP Functions) will also use `fuzz.txt` by default or a file you provide with the `-b` flag. Let's say you were researching "somecompany" whose website is "somecompany.io" that makes a product called "blockchaindoohickey". You could run the tool like this: ```sh -cloudenum.py -k somecompany -k somecompany.io -k blockchaindoohickey +uv run cloud_enum -k somecompany -k somecompany.io -k blockchaindoohickey ``` HTTP scraping and DNS lookups use 5 threads each by default. You can try increasing this, but eventually the cloud providers will rate limit you. Here is an example to increase to 10. ```sh -cloudenum.py -k keyword -t 10 +uv run cloud_enum -k keyword -t 10 ``` +**IMPORTANT**: Some resources (Azure Containers, GCP Functions) are discovered per-region. To save time scanning, there is a "REGIONS" variable defined in `enum_tools/azure_regions.py` and `enum_tools/gcp_regions.py` that is set by default to use only 1 region. You may want to look at these files and edit them to be relevant to your own work.
+ **Complete Usage Details** ``` usage: cloud_enum.py [-h] -k KEYWORD [-m MUTATIONS] [-b BRUTE] @@ -67,21 +86,23 @@ optional arguments: -kf KEYFILE, --keyfile KEYFILE Input file with a single keyword per line. -m MUTATIONS, --mutations MUTATIONS - Mutations. Default: cloud_enum/mutations.txt. + Mutations. Default: enum_tools/fuzz.txt -b BRUTE, --brute BRUTE - List to brute-force Azure container names. Default: - cloud_enum/brute.txt. + List to brute-force Azure container names. Default: enum_tools/fuzz.txt -t THREADS, --threads THREADS Threads for HTTP brute-force. Default = 5 -ns NAMESERVER, --nameserver NAMESERVER DNS server to use in brute-force. -l LOGFILE, --logfile LOGFILE Will APPEND found items to specified file. + -f FORMAT, --format FORMAT + Format for log file (text,json,csv - defaults to text) --disable-aws Disable Amazon checks. --disable-azure Disable Azure checks. --disable-gcp Disable Google checks. + -qs, --quickscan Disable all mutations and second-level scans ``` -# Thanks +## Thanks So far, I have borrowed from: - Some of the permutations from [GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute/blob/master/permutations.txt) diff --git a/cloud_enum.py b/cloud_enum.py index df07aa3..8746d42 100755 --- a/cloud_enum.py +++ b/cloud_enum.py @@ -26,7 +26,6 @@ ''' -LOGFILE = False def parse_arguments(): """ @@ -64,11 +63,16 @@ def parse_arguments(): ' Default = 5') parser.add_argument('-ns', '--nameserver', type=str, action='store', - default='8.8.8.8', + default='1.1.1.1', help='DNS server to use in brute-force.') - + parser.add_argument('-nsf', '--nameserverfile', type=str, + help='Path to the file containing nameserver IPs') parser.add_argument('-l', '--logfile', type=str, action='store', - help='Will APPEND found items to specified file.') + help='Appends found items to specified file.') + parser.add_argument('-f', '--format', type=str, action='store', + default='text', + help='Format for log file (text,json,csv)' + ' - default: 
text') parser.add_argument('--disable-aws', action='store_true', help='Disable Amazon checks.') @@ -79,12 +83,14 @@ def parse_arguments(): parser.add_argument('--disable-gcp', action='store_true', help='Disable Google checks.') + parser.add_argument('-qs', '--quickscan', action='store_true', + help='Disable all mutations and second-level scans') + args = parser.parse_args() # Ensure mutations file is readable if not os.access(args.mutations, os.R_OK): - print("[!] Cannot access mutations file: {}" - .format(args.mutations)) + print(f"[!] Cannot access mutations file: {args.mutations}") sys.exit() # Ensure brute file is readable @@ -99,7 +105,7 @@ def parse_arguments(): sys.exit() # Parse keywords from input file - with open(args.keyfile) as infile: + with open(args.keyfile, encoding='utf-8') as infile: args.keyword = [keyword.strip() for keyword in infile] # Ensure log file is writeable @@ -118,20 +124,29 @@ def parse_arguments(): print("[!] Cannot write to log file, exiting") sys.exit() + # Set up logging format + if args.format not in ('text', 'json', 'csv'): + print("[!] Sorry! Allowed log formats: 'text', 'json', or 'csv'") + sys.exit() # Set the global in the utils file, where logging needs to happen - utils.init_logfile(args.logfile) + utils.init_logfile(args.logfile, args.format) return args + def print_status(args): """ Print a short pre-run status message """ - print("Keywords: {}".format(', '.join(args.keyword))) - print("Mutations: {}".format(args.mutations)) - print("Brute-list: {}".format(args.brute)) + print(f"Keywords: {', '.join(args.keyword)}") + if args.quickscan: + print("Mutations: NONE! (Using quickscan)") + else: + print(f"Mutations: {args.mutations}") + print(f"Brute-list: {args.brute}") print("") + def check_windows(): """ Fixes pretty color printing for Windows users. Keeping out of @@ -145,6 +160,7 @@ def check_windows(): print("[!] 
Yo, Windows user - if you want pretty colors, you can" " install the colorama python package.") + def read_mutations(mutations_file): """ Read mutations file into memory for processing. @@ -152,9 +168,10 @@ def read_mutations(mutations_file): with open(mutations_file, encoding="utf8", errors="ignore") as infile: mutations = infile.read().splitlines() - print("[+] Mutations list imported: {} items".format(len(mutations))) + print(f"[+] Mutations list imported: {len(mutations)} items") return mutations + def clean_text(text): """ Clean text to be RFC compliant for hostnames / DNS @@ -165,6 +182,15 @@ def clean_text(text): return text_clean + +def append_name(name, names_list): + """ + Ensure strings stick to DNS label limit of 63 characters + """ + if len(name) <= 63: + names_list.append(name) + + def build_names(base_list, mutations): """ Combine base and mutations for processing by individual modules. @@ -176,26 +202,40 @@ def build_names(base_list, mutations): base = clean_text(base) # First, include with no mutations - names.append(base) + append_name(base, names) for mutation in mutations: # Clean mutation mutation = clean_text(mutation) # Then, do appends - names.append("{}{}".format(base, mutation)) - names.append("{}.{}".format(base, mutation)) - names.append("{}-{}".format(base, mutation)) + append_name(f"{base}{mutation}", names) + append_name(f"{base}.{mutation}", names) + append_name(f"{base}-{mutation}", names) # Then, do prepends - names.append("{}{}".format(mutation, base)) - names.append("{}.{}".format(mutation, base)) - names.append("{}-{}".format(mutation, base)) + append_name(f"{mutation}{base}", names) + append_name(f"{mutation}.{base}", names) + append_name(f"{mutation}-{base}", names) - print("[+] Mutated results: {} items".format(len(names))) + print(f"[+] Mutated results: {len(names)} items") return names +def read_nameservers(file_path): + try: + with open(file_path, 'r') as file: + nameservers = [line.strip() for line in file if 
line.strip()] + if not nameservers: + raise ValueError("Nameserver file is empty") + return nameservers + except FileNotFoundError: + print(f"Error: File '{file_path}' not found.") + exit(1) + except ValueError as e: + print(e) + exit(1) + def main(): """ Main program function. @@ -209,8 +249,11 @@ def main(): # Give our Windows friends a chance at pretty colors check_windows() - # First, build a sort base list of target names - mutations = read_mutations(args.mutations) + # First, build a sorted base list of target names + if args.quickscan: + mutations = [] + else: + mutations = read_mutations(args.mutations) names = build_names(args.keyword, mutations) # All the work is done in the individual modules diff --git a/enum_tools/aws_checks.py b/enum_tools/aws_checks.py index bb5428a..de8b10e 100644 --- a/enum_tools/aws_checks.py +++ b/enum_tools/aws_checks.py @@ -13,6 +13,7 @@ # Known S3 domain names S3_URL = 's3.amazonaws.com' +APPS_URL = 'awsapps.com' # Known AWS region names. This global will be used unless the user passes # in a specific region name. (NOT YET IMPLEMENTED) @@ -37,6 +38,7 @@ 'eu-north-1.amazonaws.com', 'sa-east-1.amazonaws.com'] + def print_s3_response(reply): """ Parses the HTTP reply of a brute-force attempt @@ -44,24 +46,32 @@ def print_s3_response(reply): This function is passed into the class object so we can view results in real-time. 
""" + data = {'platform': 'aws', 'msg': '', 'target': '', 'access': ''} + if reply.status_code == 404: pass elif 'Bad Request' in reply.reason: pass elif reply.status_code == 200: - utils.printc(" OPEN S3 BUCKET: {}\n" - .format(reply.url), 'green') + data['msg'] = 'OPEN S3 BUCKET' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) utils.list_bucket_contents(reply.url) elif reply.status_code == 403: - utils.printc(" Protected S3 Bucket: {}\n" - .format(reply.url), 'orange') + data['msg'] = 'Protected S3 Bucket' + data['target'] = reply.url + data['access'] = 'protected' + utils.fmt_output(data) elif 'Slow Down' in reply.reason: print("[!] You've been rate limited, skipping rest of check...") return 'breakout' else: - print(" Unknown status codes being received from {}:\n" - " {}: {}" - .format(reply.url, reply.status_code, reply.reason)) + print(f" Unknown status codes being received from {reply.url}:\n" + " {reply.status_code}: {reply.reason}") + + return None + def check_s3_buckets(names, threads): """ @@ -77,7 +87,7 @@ def check_s3_buckets(names, threads): # Take each mutated keyword craft a url with the correct format for name in names: - candidates.append('{}.{}'.format(name, S3_URL)) + candidates.append(f'{name}.{S3_URL}') # Send the valid names to the batch HTTP processor utils.get_url_batch(candidates, use_ssl=False, @@ -87,6 +97,42 @@ def check_s3_buckets(names, threads): # Stop the time utils.stop_timer(start_time) + +def check_awsapps(names, threads, nameserver, nameserverfile=False): + """ + Checks for existence of AWS Apps + (ie. WorkDocs, WorkMail, Connect, etc.) 
+ """ + data = {'platform': 'aws', 'msg': 'AWS App Found:', 'target': '', 'access': ''} + + print("[+] Checking for AWS Apps") + + # Start a counter to report on elapsed time + start_time = utils.start_timer() + + # Initialize the list of domain names to look up + candidates = [] + + # Initialize the list of valid hostnames + valid_names = [] + + # Take each mutated keyword craft a domain name to lookup. + for name in names: + candidates.append(f'{name}.{APPS_URL}') + + # AWS Apps use DNS sub-domains. First, see which are valid. + valid_names = utils.fast_dns_lookup(candidates, nameserver, + nameserverfile, threads=threads) + + for name in valid_names: + data['target'] = f'https://{name}' + data['access'] = 'protected' + utils.fmt_output(data) + + # Stop the timer + utils.stop_timer(start_time) + + def run_all(names, args): """ Function is called by main program @@ -94,7 +140,7 @@ def run_all(names, args): print(BANNER) # Use user-supplied AWS region if provided - #if not regions: + # if not regions: # regions = AWS_REGIONS check_s3_buckets(names, args.threads) - return '' + check_awsapps(names, args.threads, args.nameserver, args.nameserverfile) diff --git a/enum_tools/azure_checks.py b/enum_tools/azure_checks.py index abe06cc..6ff47f9 100644 --- a/enum_tools/azure_checks.py +++ b/enum_tools/azure_checks.py @@ -16,6 +16,11 @@ # Known Azure domain names BLOB_URL = 'blob.core.windows.net' +FILE_URL= 'file.core.windows.net' +QUEUE_URL = 'queue.core.windows.net' +TABLE_URL = 'table.core.windows.net' +MGMT_URL = 'scm.azurewebsites.net' +VAULT_URL = 'vault.azure.net' WEBAPP_URL = 'azurewebsites.net' DATABASE_URL = 'database.windows.net' @@ -31,26 +36,40 @@ def print_account_response(reply): This function is passed into the class object so we can view results in real-time. 
""" - if reply.status_code == 404: + data = {'platform': 'azure', 'msg': '', 'target': '', 'access': ''} + + if reply.status_code == 404 or 'The requested URI does not represent' in reply.reason: pass elif 'Server failed to authenticate the request' in reply.reason: - utils.printc(" Auth-Only Storage Account: {}\n" - .format(reply.url), 'red') + data['msg'] = 'Auth-Only Account' + data['target'] = reply.url + data['access'] = 'protected' + utils.fmt_output(data) elif 'The specified account is disabled' in reply.reason: - utils.printc(" Disabled Storage Account: {}\n" - .format(reply.url), 'red') + data['msg'] = 'Disabled Account' + data['target'] = reply.url + data['access'] = 'disabled' + utils.fmt_output(data) elif 'Value for one of the query' in reply.reason: - utils.printc(" HTTP-OK Storage Account: {}\n" - .format(reply.url), 'orange') + data['msg'] = 'HTTP-OK Account' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) elif 'The account being accessed' in reply.reason: - utils.printc(" HTTPS-Only Storage Account: {}\n" - .format(reply.url), 'orange') + data['msg'] = 'HTTPS-Only Account' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) + elif 'Unauthorized' in reply.reason: + data['msg'] = 'Unathorized Account' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) else: - print(" Unknown status codes being received from {}:\n" - " {}: {}" - .format(reply.url, reply.status_code, reply.reason)) + print(" Unknown status codes being received from " + reply.url +":\n" + " "+ str(reply.status_code)+" : "+ reply.reason) -def check_storage_accounts(names, threads, nameserver): +def check_storage_accounts(names, threads, nameserver, nameserverfile=False): """ Checks storage account names """ @@ -71,11 +90,11 @@ def check_storage_accounts(names, threads, nameserver): regex = re.compile('[^a-zA-Z0-9]') for name in names: if not re.search(regex, name): - 
candidates.append('{}.{}'.format(name, BLOB_URL)) + candidates.append(f'{name}.{BLOB_URL}') # Azure Storage Accounts use DNS sub-domains. First, see which are valid. valid_names = utils.fast_dns_lookup(candidates, nameserver, - threads=threads) + nameserverfile, threads=threads) # Send the valid names to the batch HTTP processor utils.get_url_batch(valid_names, use_ssl=False, @@ -88,6 +107,197 @@ def check_storage_accounts(names, threads, nameserver): # de-dupe the results and return return list(set(valid_names)) +def check_file_accounts(names, threads, nameserver, nameserverfile=False): + """ + Checks File account names + """ + print("[+] Checking for Azure File Accounts") + + # Start a counter to report on elapsed time + start_time = utils.start_timer() + + # Initialize the list of domain names to look up + candidates = [] + + # Initialize the list of valid hostnames + valid_names = [] + + # Take each mutated keyword craft a domain name to lookup. + # As Azure Storage Accounts can contain only letters and numbers, + # discard those not matching to save time on the DNS lookups. + regex = re.compile('[^a-zA-Z0-9]') + for name in names: + if not re.search(regex, name): + candidates.append(f'{name}.{FILE_URL}') + + # Azure Storage Accounts use DNS sub-domains. First, see which are valid. 
+ valid_names = utils.fast_dns_lookup(candidates, nameserver, + nameserverfile, threads=threads) + + # Send the valid names to the batch HTTP processor + utils.get_url_batch(valid_names, use_ssl=False, + callback=print_account_response, + threads=threads) + + # Stop the timer + utils.stop_timer(start_time) + + # de-dupe the results and return + return list(set(valid_names)) + +def check_queue_accounts(names, threads, nameserver, nameserverfile=False): + """ + Checks Queue account names + """ + print("[+] Checking for Azure Queue Accounts") + + # Start a counter to report on elapsed time + start_time = utils.start_timer() + + # Initialize the list of domain names to look up + candidates = [] + + # Initialize the list of valid hostnames + valid_names = [] + + # Take each mutated keyword craft a domain name to lookup. + # As Azure Storage Accounts can contain only letters and numbers, + # discard those not matching to save time on the DNS lookups. + regex = re.compile('[^a-zA-Z0-9]') + for name in names: + if not re.search(regex, name): + candidates.append(f'{name}.{QUEUE_URL}') + + # Azure Storage Accounts use DNS sub-domains. First, see which are valid. + valid_names = utils.fast_dns_lookup(candidates, nameserver, + nameserverfile, threads=threads) + + # Send the valid names to the batch HTTP processor + utils.get_url_batch(valid_names, use_ssl=False, + callback=print_account_response, + threads=threads) + + # Stop the timer + utils.stop_timer(start_time) + + # de-dupe the results and return + return list(set(valid_names)) + +def check_table_accounts(names, threads, nameserver, nameserverfile=False): + """ + Checks Table account names + """ + print("[+] Checking for Azure Table Accounts") + + # Start a counter to report on elapsed time + start_time = utils.start_timer() + + # Initialize the list of domain names to look up + candidates = [] + + # Initialize the list of valid hostnames + valid_names = [] + + # Take each mutated keyword craft a domain name to lookup. 
+ # As Azure Storage Accounts can contain only letters and numbers, + # discard those not matching to save time on the DNS lookups. + regex = re.compile('[^a-zA-Z0-9]') + for name in names: + if not re.search(regex, name): + candidates.append(f'{name}.{TABLE_URL}') + + # Azure Storage Accounts use DNS sub-domains. First, see which are valid. + valid_names = utils.fast_dns_lookup(candidates, nameserver, + nameserverfile, threads=threads) + + # Send the valid names to the batch HTTP processor + utils.get_url_batch(valid_names, use_ssl=False, + callback=print_account_response, + threads=threads) + + # Stop the timer + utils.stop_timer(start_time) + + # de-dupe the results and return + return list(set(valid_names)) + +def check_mgmt_accounts(names, threads, nameserver, nameserverfile=False): + """ + Checks App Management account names + """ + print("[+] Checking for Azure App Management Accounts") + + # Start a counter to report on elapsed time + start_time = utils.start_timer() + + # Initialize the list of domain names to look up + candidates = [] + + # Initialize the list of valid hostnames + valid_names = [] + + # Take each mutated keyword craft a domain name to lookup. + # As Azure Storage Accounts can contain only letters and numbers, + # discard those not matching to save time on the DNS lookups. + regex = re.compile('[^a-zA-Z0-9]') + for name in names: + if not re.search(regex, name): + candidates.append(f'{name}.{MGMT_URL}') + + # Azure Storage Accounts use DNS sub-domains. First, see which are valid. 
+ valid_names = utils.fast_dns_lookup(candidates, nameserver, + nameserverfile, threads=threads) + + # Send the valid names to the batch HTTP processor + utils.get_url_batch(valid_names, use_ssl=False, + callback=print_account_response, + threads=threads) + + # Stop the timer + utils.stop_timer(start_time) + + # de-dupe the results and return + return list(set(valid_names)) + +def check_vault_accounts(names, threads, nameserver, nameserverfile=False): + """ + Checks Key Vault account names + """ + print("[+] Checking for Azure Key Vault Accounts") + + # Start a counter to report on elapsed time + start_time = utils.start_timer() + + # Initialize the list of domain names to look up + candidates = [] + + # Initialize the list of valid hostnames + valid_names = [] + + # Take each mutated keyword craft a domain name to lookup. + # As Azure Storage Accounts can contain only letters and numbers, + # discard those not matching to save time on the DNS lookups. + regex = re.compile('[^a-zA-Z0-9]') + for name in names: + if not re.search(regex, name): + candidates.append(f'{name}.{VAULT_URL}') + + # Azure Storage Accounts use DNS sub-domains. First, see which are valid. + valid_names = utils.fast_dns_lookup(candidates, nameserver, + nameserverfile, threads=threads) + + # Send the valid names to the batch HTTP processor + utils.get_url_batch(valid_names, use_ssl=False, + callback=print_account_response, + threads=threads) + + # Stop the timer + utils.stop_timer(start_time) + + # de-dupe the results and return + return list(set(valid_names)) + + def print_container_response(reply): """ Parses the HTTP reply of a brute-force attempt @@ -95,6 +305,8 @@ def print_container_response(reply): This function is passed into the class object so we can view results in real-time. """ + data = {'platform': 'azure', 'msg': '', 'target': '', 'access': ''} + # Stop brute forcing disabled accounts if 'The specified account is disabled' in reply.reason: print(" [!] 
Breaking out early, account disabled.") @@ -102,8 +314,10 @@ def print_container_response(reply): # Stop brute forcing accounts without permission if ('not authorized to perform this operation' in reply.reason or - 'not have sufficient permissions' in reply.reason): - print(" [!] Breaking out early, auth errors.") + 'not have sufficient permissions' in reply.reason or + 'Public access is not permitted' in reply.reason or + 'Server failed to authenticate the request' in reply.reason): + print(" [!] Breaking out early, auth required.") return 'breakout' # Stop brute forcing unsupported accounts @@ -115,17 +329,21 @@ def print_container_response(reply): if reply.status_code == 404: pass elif reply.status_code == 200: - utils.printc(" OPEN AZURE CONTAINER: {}\n" - .format(reply.url), 'green') + data['msg'] = 'OPEN AZURE CONTAINER' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) utils.list_bucket_contents(reply.url) elif 'One of the request inputs is out of range' in reply.reason: pass elif 'The request URI is invalid' in reply.reason: pass else: - print(" Unknown status codes being received from {}:\n" - " {}: {}" - .format(reply.url, reply.status_code, reply.reason)) + print(f" Unknown status codes being received from {reply.url}:\n" + " {reply.status_code}: {reply.reason}") + + return None + def brute_force_containers(storage_accounts, brute_list, threads): """ @@ -138,48 +356,37 @@ def brute_force_containers(storage_accounts, brute_list, threads): # We have a list of valid DNS names that might not be worth scraping, # such as disabled accounts or authentication required. Let's quickly # weed those out. 
- print("[*] Checking {} accounts for status before brute-forcing" - .format(len(storage_accounts))) + print(f"[*] Checking {len(storage_accounts)} accounts for status before brute-forcing") valid_accounts = [] for account in storage_accounts: - reply = requests.get('https://{}/'.format(account)) - if 'Server failed to authenticate the request' in reply.reason: - storage_accounts.remove(account) - elif 'The specified account is disabled' in reply.reason: - storage_accounts.remove(account) - else: - valid_accounts.append(account) + try: + reply = requests.get(f'https://{account}/') + if 'Server failed to authenticate the request' in reply.reason: + storage_accounts.remove(account) + elif 'The specified account is disabled' in reply.reason: + storage_accounts.remove(account) + else: + valid_accounts.append(account) + except requests.exceptions.ConnectionError as error_msg: + print(f" [!] Connection error on https://{account}:") + print(error_msg) # Read the brute force file into memory - with open(brute_list, encoding="utf8", errors="ignore") as infile: - names = infile.read().splitlines() - - # Clean up the names to usable for containers - banned_chars = re.compile('[^a-z0-9-]') - clean_names = [] - for name in names: - name = name.lower() - name = banned_chars.sub('', name) - if 63 >= len(name) >= 3: - if name not in clean_names: - clean_names.append(name) + clean_names = utils.get_brute(brute_list, mini=3) # Start a counter to report on elapsed time start_time = utils.start_timer() - print("[*] Brute-forcing container names in {} storage accounts" - .format(len(valid_accounts))) + print(f"[*] Brute-forcing container names in {len(valid_accounts)} storage accounts") for account in valid_accounts: - print("[*] Brute-forcing {} container names in {}" - .format(len(clean_names), account)) + print(f"[*] Brute-forcing {len(clean_names)} container names in {account}") # Initialize the list of correctly formatted urls candidates = [] # Take each mutated keyword and craft 
a url with correct format for name in clean_names: - candidates.append('{}/{}/?restype=container&comp=list' - .format(account, name)) + candidates.append(f'{account}/{name}/?restype=container&comp=list') # Send the valid names to the batch HTTP processor utils.get_url_batch(candidates, use_ssl=True, @@ -189,15 +396,21 @@ def brute_force_containers(storage_accounts, brute_list, threads): # Stop the timer utils.stop_timer(start_time) + def print_website_response(hostname): """ This function is passed into the DNS brute force as a callback, so we can get real-time results. """ - utils.printc(" Registered Azure Website DNS Name: {}\n" - .format(hostname), 'green') + data = {'platform': 'azure', 'msg': '', 'target': '', 'access': ''} -def check_azure_websites(names, nameserver, threads): + data['msg'] = 'Registered Azure Website DNS Name' + data['target'] = hostname + data['access'] = 'public' + utils.fmt_output(data) + + +def check_azure_websites(names, nameserver, threads, nameserverfile=False): """ Checks for Azure Websites (PaaS) """ @@ -211,26 +424,32 @@ def check_azure_websites(names, nameserver, threads): # Azure Websites use DNS sub-domains. If it resolves, it is registered. utils.fast_dns_lookup(candidates, nameserver, + nameserverfile, callback=print_website_response, threads=threads) # Stop the timer utils.stop_timer(start_time) + def print_database_response(hostname): """ This function is passed into the DNS brute force as a callback, so we can get real-time results. 
""" - utils.printc(" Registered Azure Database DNS Name: {}\n" - .format(hostname), 'green') + data = {'platform': 'azure', 'msg': '', 'target': '', 'access': ''} -def check_azure_databases(names, nameserver, threads): + data['msg'] = 'Registered Azure Database DNS Name' + data['target'] = hostname + data['access'] = 'public' + utils.fmt_output(data) + + +def check_azure_databases(names, nameserver, threads, nameserverfile=False): """ Checks for Azure Databases """ print("[+] Checking for Azure Databases") - # Start a counter to report on elapsed time start_time = utils.start_timer() @@ -239,21 +458,28 @@ def check_azure_databases(names, nameserver, threads): # Azure databases use DNS sub-domains. If it resolves, it is registered. utils.fast_dns_lookup(candidates, nameserver, + nameserverfile, callback=print_database_response, threads=threads) # Stop the timer utils.stop_timer(start_time) + def print_vm_response(hostname): """ This function is passed into the DNS brute force as a callback, so we can get real-time results. """ - utils.printc(" Registered Azure Virtual Machine DNS Name: {}\n" - .format(hostname), 'green') + data = {'platform': 'azure', 'msg': '', 'target': '', 'access': ''} + + data['msg'] = 'Registered Azure Virtual Machine DNS Name' + data['target'] = hostname + data['access'] = 'public' + utils.fmt_output(data) + -def check_azure_vms(names, nameserver, threads): +def check_azure_vms(names, nameserver, threads, nameserverfile=False): """ Checks for Azure Virtual Machines """ @@ -265,8 +491,7 @@ def check_azure_vms(names, nameserver, threads): # Pull the regions from a config file regions = azure_regions.REGIONS - print("[*] Testing across {} regions defined in the config file" - .format(len(regions))) + print(f"[*] Testing across {len(regions)} regions defined in the config file") for region in regions: @@ -275,12 +500,14 @@ def check_azure_vms(names, nameserver, threads): # Azure VMs use DNS sub-domains. If it resolves, it is registered. 
utils.fast_dns_lookup(candidates, nameserver, + nameserverfile, callback=print_vm_response, threads=threads) # Stop the timer utils.stop_timer(start_time) + def run_all(names, args): """ Function is called by main program @@ -288,10 +515,16 @@ def run_all(names, args): print(BANNER) valid_accounts = check_storage_accounts(names, args.threads, - args.nameserver) - if valid_accounts: + args.nameserver, args.nameserverfile) + if valid_accounts and not args.quickscan: brute_force_containers(valid_accounts, args.brute, args.threads) - check_azure_websites(names, args.nameserver, args.threads) - check_azure_databases(names, args.nameserver, args.threads) - check_azure_vms(names, args.nameserver, args.threads) + check_file_accounts(names, args.threads, args.nameserver, args.nameserverfile) + check_queue_accounts(names, args.threads, args.nameserver, args.nameserverfile) + check_table_accounts(names, args.threads, args.nameserver, args.nameserverfile) + check_mgmt_accounts(names, args.threads, args.nameserver, args.nameserverfile) + check_vault_accounts(names, args.threads, args.nameserver, args.nameserverfile) + + check_azure_websites(names, args.nameserver, args.threads, args.nameserverfile) + check_azure_databases(names, args.nameserver, args.threads, args.nameserverfile) + check_azure_vms(names, args.nameserver, args.threads, args.nameserverfile) diff --git a/enum_tools/azure_regions.py b/enum_tools/azure_regions.py index ba4b189..72771fd 100644 --- a/enum_tools/azure_regions.py +++ b/enum_tools/azure_regions.py @@ -23,4 +23,4 @@ # And here I am limiting the search by overwriting this variable: -REGIONS = ['eastus',] +REGIONS = ['eastus', ] diff --git a/enum_tools/fuzz.txt b/enum_tools/fuzz.txt index 278dc30..1d131cc 100644 --- a/enum_tools/fuzz.txt +++ b/enum_tools/fuzz.txt @@ -14,6 +14,11 @@ 2018 2019 2020 +2021 +2022 +2023 +2024 +2025 3 4 5 @@ -21,6 +26,9 @@ 7 8 9 +access-logs +access.logs +accounting admin administrator ae @@ -28,6 +36,7 @@ alpha amazon analytics 
android +api app appengine appspot @@ -35,9 +44,16 @@ appspot.com archive artifacts assets +attachments audit audit-logs aws +aws-billing +aws-logs +aws.billing +aws.logs +azure +azure-logs backup backups bak @@ -55,7 +71,11 @@ builds cache cdn ce +central +centralus cf +chef +client cloud cloudfunction club @@ -66,19 +86,30 @@ common composer compute computeengine +conf +confidential +config +configuration consultants contact container content +core corp corporate +customer data +data-private +data-public +data.private +data.public database dataflow dataproc datastore db debug +demo dev developer developers @@ -86,6 +117,7 @@ development devops directory discount +dist dl dns docker @@ -99,12 +131,17 @@ emails endpoints es events +exe export files fileshare +filestorage filestore +finance +firebase firestore functions +gateway gcp gcp-logs gcplogs @@ -115,18 +152,31 @@ gke graphite graphql gs +gw help +hidden +hr hub +iaas iam images img infra internal +internal-dist +internal-repo internal-tools +internal.dist +internal.repo ios iot +it +jenkins jira js +k8s +key +keys kube kubeengine kubernetes @@ -146,12 +196,16 @@ mercurial ml mobile monitoring +my mysql net +northcentralus ops oracle org +paas packages +panel passwords photos pics @@ -163,7 +217,10 @@ presentations preview private pro +processed prod +product +productcontent production products project @@ -175,7 +232,10 @@ qa repo reports resources +root +rtdb s3 +saas screenshots scripts sec @@ -183,10 +243,12 @@ secret secrets secure security +service services share shared shop +site sitemaps slack snapshots @@ -195,16 +257,20 @@ source-code spanner splunk sql +sql-logs src +ssh stackdriver stage staging static stats storage +storageaccount store subversion support +svc svn syslog tasks @@ -213,18 +279,28 @@ temp templates terraform test +themes tmp +tmp-logs +tmp.logs trace traffic training travis troposphere uploads +useast +useast2 +userfiles userpictures users ux videos +vm web website +westcentralus 
+westus +westus2 wp www diff --git a/enum_tools/gcp_checks.py b/enum_tools/gcp_checks.py index 0d5de8b..b31c2ca 100644 --- a/enum_tools/gcp_checks.py +++ b/enum_tools/gcp_checks.py @@ -4,6 +4,7 @@ """ from enum_tools import utils +from enum_tools import gcp_regions BANNER = ''' ++++++++++++++++++++++++++ @@ -11,9 +12,17 @@ ++++++++++++++++++++++++++ ''' -# Known S3 domain names +# Known GCP domain names GCP_URL = 'storage.googleapis.com' +FBRTDB_URL = 'firebaseio.com' APPSPOT_URL = 'appspot.com' +FUNC_URL = 'cloudfunctions.net' +FBAPP_URL = 'firebaseapp.com' + +# Hacky, I know. Used to store project/region combos that report at least +# one cloud function, to brute force later on +HAS_FUNCS = [] + def print_bucket_response(reply): """ @@ -22,19 +31,25 @@ def print_bucket_response(reply): This function is passed into the class object so we can view results in real-time. """ + data = {'platform': 'gcp', 'msg': '', 'target': '', 'access': ''} + if reply.status_code == 404: pass elif reply.status_code == 200: - utils.printc(" OPEN GOOGLE BUCKET: {}\n" - .format(reply.url), 'green') + data['msg'] = 'OPEN GOOGLE BUCKET' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) utils.list_bucket_contents(reply.url + '/') elif reply.status_code == 403: - utils.printc(" Protected Google Bucket: {}\n" - .format(reply.url), 'orange') + data['msg'] = 'Protected Google Bucket' + data['target'] = reply.url + data['access'] = 'protected' + utils.fmt_output(data) else: - print(" Unknown status codes being received from {}:\n" - " {}: {}" - .format(reply.url, reply.status_code, reply.reason)) + print(f" Unknown status codes being received from {reply.url}:\n" + f" {reply.status_code}: {reply.reason}") + def check_gcp_buckets(names, threads): """ @@ -50,7 +65,7 @@ def check_gcp_buckets(names, threads): # Take each mutated keyword craft a url with the correct format for name in names: - candidates.append('{}/{}'.format(GCP_URL, name)) +
candidates.append(f'{GCP_URL}/{name}') # Send the valid names to the batch HTTP processor utils.get_url_batch(candidates, use_ssl=False, @@ -60,6 +75,120 @@ def check_gcp_buckets(names, threads): # Stop the time utils.stop_timer(start_time) + +def print_fbrtdb_response(reply): + """ + Parses the HTTP reply of a brute-force attempt + + This function is passed into the class object so we can view results + in real-time. + """ + data = {'platform': 'gcp', 'msg': '', 'target': '', 'access': ''} + + if reply.status_code == 404: + pass + elif reply.status_code == 200: + data['msg'] = 'OPEN GOOGLE FIREBASE RTDB' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) + elif reply.status_code == 401: + data['msg'] = 'Protected Google Firebase RTDB' + data['target'] = reply.url + data['access'] = 'protected' + utils.fmt_output(data) + elif reply.status_code == 402: + data['msg'] = 'Payment required on Google Firebase RTDB' + data['target'] = reply.url + data['access'] = 'disabled' + utils.fmt_output(data) + elif reply.status_code == 423: + data['msg'] = 'The Firebase database has been deactivated.' + data['target'] = reply.url + data['access'] = 'disabled' + utils.fmt_output(data) + else: + print(f" Unknown status codes being received from {reply.url}:\n" + f" {reply.status_code}: {reply.reason}") + + +def check_fbrtdb(names, threads): + """ + Checks for Google Firebase RTDB + """ + print("[+] Checking for Google Firebase Realtime Databases") + + # Start a counter to report on elapsed time + start_time = utils.start_timer() + + # Initialize the list of correctly formatted urls + candidates = [] + + # Take each mutated keyword craft a url with the correct format + for name in names: + # Firebase RTDB names cannot include a period. We'll exclude + # those from the global candidates list + if '.'
not in name: + candidates.append(f'{name}.{FBRTDB_URL}/.json') + + # Send the valid names to the batch HTTP processor + utils.get_url_batch(candidates, use_ssl=True, + callback=print_fbrtdb_response, + threads=threads, + redir=False) + + # Stop the time + utils.stop_timer(start_time) + + +def print_fbapp_response(reply): + """ + Parses the HTTP reply of a brute-force attempt + + This function is passed into the class object so we can view results + in real-time. + """ + data = {'platform': 'gcp', 'msg': '', 'target': '', 'access': ''} + + if reply.status_code == 404: + pass + elif reply.status_code == 200: + data['msg'] = 'OPEN GOOGLE FIREBASE APP' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) + else: + print(f" Unknown status codes being received from {reply.url}:\n" + f" {reply.status_code}: {reply.reason}") + +def check_fbapp(names, threads): + """ + Checks for Google Firebase Applications + """ + print("[+] Checking for Google Firebase Applications") + + # Start a counter to report on elapsed time + start_time = utils.start_timer() + + # Initialize the list of correctly formatted urls + candidates = [] + + # Take each mutated keyword craft a url with the correct format + for name in names: + # Firebase App names cannot include a period. We'll exclude + # those from the global candidates list + if '.' not in name: + candidates.append(f'{name}.{FBAPP_URL}') + + # Send the valid names to the batch HTTP processor + utils.get_url_batch(candidates, use_ssl=True, + callback=print_fbapp_response, + threads=threads, + redir=False) + + # Stop the time + utils.stop_timer(start_time) + def print_appspot_response(reply): """ Parses the HTTP reply of a brute-force attempt @@ -67,18 +196,30 @@ def print_appspot_response(reply): This function is passed into the class object so we can view results in real-time.
""" + data = {'platform': 'gcp', 'msg': '', 'target': '', 'access': ''} + if reply.status_code == 404: pass - elif reply.status_code == 500 or reply.status_code == 503: - utils.printc(" Google App Engine app with a 50x error: {}\n" - .format(reply.url), 'orange') - elif reply.status_code == 200 or reply.status_code == 302: - utils.printc(" Google App Engine app: {}\n" - .format(reply.url), 'green') + elif str(reply.status_code)[0] == '5': + data['msg'] = 'Google App Engine app with a 50x error' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) + elif reply.status_code in (200, 302, 404): + if 'accounts.google.com' in reply.url: + data['msg'] = 'Protected Google App Engine app' + data['target'] = reply.history[0].url + data['access'] = 'protected' + utils.fmt_output(data) + else: + data['msg'] = 'Open Google App Engine app' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) else: - print(" Unknown status codes being received from {}:\n" - " {}: {}" - .format(reply.url, reply.status_code, reply.reason)) + print(f" Unknown status codes being received from {reply.url}:\n" + f" {reply.status_code}: {reply.reason}") + def check_appspot(names, threads): """ @@ -97,7 +238,7 @@ def check_appspot(names, threads): # App Engine project names cannot include a period. We'll exlcude # those from the global candidates list if '.' not in name: - candidates.append('{}.{}'.format(name, APPSPOT_URL)) + candidates.append(f'{name}.{APPSPOT_URL}') # Send the valid names to the batch HTTP processor utils.get_url_batch(candidates, use_ssl=False, @@ -107,6 +248,136 @@ def check_appspot(names, threads): # Stop the time utils.stop_timer(start_time) + +def print_functions_response1(reply): + """ + Parses the HTTP reply of the initial Cloud Functions check + + This function is passed into the class object so we can view results + in real-time.
+ """ + data = {'platform': 'gcp', 'msg': '', 'target': '', 'access': ''} + + if reply.status_code == 404: + pass + elif reply.status_code == 302: + data['msg'] = 'Contains at least 1 Cloud Function' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) + HAS_FUNCS.append(reply.url) + else: + print(f" Unknown status codes being received from {reply.url}:\n" + f" {reply.status_code}: {reply.reason}") + + +def print_functions_response2(reply): + """ + Parses the HTTP reply from the secondary, brute-force Cloud Functions check + + This function is passed into the class object so we can view results + in real-time. + """ + data = {'platform': 'gcp', 'msg': '', 'target': '', 'access': ''} + + if 'accounts.google.com/ServiceLogin' in reply.url: + pass + elif reply.status_code in (403, 401): + data['msg'] = 'Auth required Cloud Function' + data['target'] = reply.url + data['access'] = 'protected' + utils.fmt_output(data) + elif reply.status_code == 405: + data['msg'] = 'UNAUTHENTICATED Cloud Function (POST-Only)' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) + elif reply.status_code in (200, 404): + data['msg'] = 'UNAUTHENTICATED Cloud Function (GET-OK)' + data['target'] = reply.url + data['access'] = 'public' + utils.fmt_output(data) + else: + print(f" Unknown status codes being received from {reply.url}:\n" + f" {reply.status_code}: {reply.reason}") + + +def check_functions(names, brute_list, quickscan, threads): + """ + Checks for Google Cloud Functions running on cloudfunctions.net + + This is a two-part process. First, we want to find region/project combos + that have existing Cloud Functions. The URL for a function looks like this: + https://[ZONE]-[PROJECT-ID].cloudfunctions.net/[FUNCTION-NAME] + + We look for a 302 in [ZONE]-[PROJECT-ID].cloudfunctions.net. That means + there are some functions defined in that region. Then, we brute force a list + of possible function names there.
+ + See gcp_regions.py to define which regions to check. The tool currently + defaults to only 1 region, so you should really modify it for best results. + """ + print("[+] Checking for project/zones with Google Cloud Functions.") + + # Start a counter to report on elapsed time + start_time = utils.start_timer() + + # Initialize the list of correctly formatted urls + candidates = [] + + # Pull the regions from a config file + regions = gcp_regions.REGIONS + + print(f"[*] Testing across {len(regions)} regions defined in the config file") + + # Take each mutated keyword and craft a url with the correct format + for region in regions: + candidates += [region + '-' + name + '.' + FUNC_URL for name in names] + + # Send the valid names to the batch HTTP processor + utils.get_url_batch(candidates, use_ssl=False, + callback=print_functions_response1, + threads=threads, + redir=False) + + # Return from function if we have not found any valid combos + if not HAS_FUNCS: + utils.stop_timer(start_time) + return + + # Also bail out if doing a quick scan + if quickscan: + return + + # If we did find something, we'll use the brute list. This will allow people + # to provide a separate fuzzing list if they choose. + print(f"[*] Brute-forcing function names in {len(HAS_FUNCS)} project/region combos") + + # Load brute list in memory, based on allowed chars/etc + brute_strings = utils.get_brute(brute_list) + + # The global was built in a previous function. We only want to brute force + # project/region combos that we know have existing functions defined + for func in HAS_FUNCS: + print(f"[*] Brute-forcing {len(brute_strings)} function names in {func}") + # Initialize the list of initial URLs to check. Strip out the HTTP + # protocol first, as that is handled in the utility + func = func.replace("http://", "") + + # Noticed weird behaviour with functions when a slash is not appended. + # Works for some, but not others. However, appending a slash seems to + # get consistent results.
Might need further validation. + candidates = [func + brute + '/' for brute in brute_strings] + + # Send the valid names to the batch HTTP processor + utils.get_url_batch(candidates, use_ssl=False, + callback=print_functions_response2, + threads=threads) + + # Stop the time + utils.stop_timer(start_time) + + def run_all(names, args): """ Function is called by main program @@ -114,5 +385,6 @@ def run_all(names, args): print(BANNER) check_gcp_buckets(names, args.threads) + check_fbrtdb(names, args.threads) check_appspot(names, args.threads) - return '' + check_functions(names, args.brute, args.quickscan, args.threads) diff --git a/enum_tools/gcp_regions.py b/enum_tools/gcp_regions.py new file mode 100644 index 0000000..89d0730 --- /dev/null +++ b/enum_tools/gcp_regions.py @@ -0,0 +1,23 @@ +""" +File used to track the DNS regions for GCP resources. +""" + +# Some enumeration tasks will need to go through the complete list of +# possible DNS names for each region. You may want to modify this file to +# use the regions meaningful to you. +# +# Whatever is listed in the last instance of 'REGIONS' below is what the tool +# will use. 
+ + +# Here is the list I get when running `gcloud functions regions list` +REGIONS = ['us-central1', 'us-east1', 'us-east4', 'us-west2', 'us-west3', + 'us-west4', 'europe-west1', 'europe-west2', 'europe-west3', + 'europe-west6', 'asia-east2', 'asia-northeast1', 'asia-northeast2', + 'asia-northeast3', 'asia-south1', 'asia-southeast2', + 'northamerica-northeast1', 'southamerica-east1', + 'australia-southeast1'] + + +# And here I am limiting the search by overwriting this variable: +REGIONS = ['us-central1', ] diff --git a/enum_tools/utils.py b/enum_tools/utils.py index 9a40fe8..b9f84b8 100644 --- a/enum_tools/utils.py +++ b/enum_tools/utils.py @@ -6,8 +6,12 @@ import sys import datetime import re +import csv +import json +import ipaddress from multiprocessing.dummy import Pool as ThreadPool from functools import partial +from urllib.parse import urlparse try: import requests import dns @@ -20,8 +24,10 @@ sys.exit() LOGFILE = False +LOGFILE_FMT = '' -def init_logfile(logfile): + +def init_logfile(logfile, fmt): """ Initialize the global logfile if specified as a user-supplied argument """ @@ -29,12 +35,32 @@ def init_logfile(logfile): global LOGFILE LOGFILE = logfile + global LOGFILE_FMT + LOGFILE_FMT = fmt + now = datetime.datetime.now().strftime("%d/%m/%Y %H:%M:%S") - with open(logfile, 'a') as log_writer: - log_writer.write("\n\n#### CLOUD_ENUM {} ####\n" - .format(now)) + with open(logfile, 'a', encoding='utf-8') as log_writer: + log_writer.write(f"\n\n#### CLOUD_ENUM {now} ####\n") + + +def is_valid_domain(domain): + """ + Checks if the domain has a valid format and length + """ + # Check for domain total length + if len(domain) > 253: # According to DNS specifications + return False + + # Check each label in the domain + for label in domain.split('.'): + # Each label should be between 1 and 63 characters long + if not (1 <= len(label) <= 63): + return False + + return True + -def get_url_batch(url_list, use_ssl=False, callback='', threads=5): +def 
get_url_batch(url_list, use_ssl=False, callback='', threads=5, redir=True): """ Processes a list of URLs, sending the results back to the calling function in real-time via the `callback` parameter @@ -45,6 +71,9 @@ def get_url_batch(url_list, use_ssl=False, callback='', threads=5): tick['total'] = len(url_list) tick['current'] = 0 + # Filter out invalid URLs + url_list = [url for url in url_list if is_valid_domain(url)] + # Break the url list into smaller lists based on thread size queue = [url_list[x:x+threads] for x in range(0, len(url_list), threads)] @@ -54,19 +83,22 @@ def get_url_batch(url_list, use_ssl=False, callback='', threads=5): else: proto = 'http://' - # Start a requests object - session = FuturesSession(executor=ThreadPoolExecutor(max_workers=threads)) - # Using the async requests-futures module, work in batches based on # the 'queue' list created above. Call each URL, sending the results # back to the callback function. for batch in queue: + # I used to initialize the session object outside of this loop, BUT + # there were a lot of errors that looked related to pool cleanup not + # happening. Putting it in here fixes the issue. + # There is an unresolved discussion here: + # https://github.com/ross/requests-futures/issues/20 + session = FuturesSession(executor=ThreadPoolExecutor(max_workers=threads+5)) batch_pending = {} batch_results = {} # First, grab the pending async request and store it in a dict for url in batch: - batch_pending[url] = session.get(proto + url) + batch_pending[url] = session.get(proto + url, allow_redirects=redir) # Then, grab all the results from the queue. # This is where we need to catch exceptions that occur with large @@ -76,12 +108,12 @@ def get_url_batch(url_list, use_ssl=False, callback='', threads=5): # Timeout is set due to observation of some large jobs simply # hanging forever with no exception raised. 
batch_results[url] = batch_pending[url].result(timeout=30) - except requests.exceptions.ConnectionError: - print(" [!] Connection error on {}. Investigate if there" - " are many of these.".format(url)) + except requests.exceptions.ConnectionError as error_msg: + print(f" [!] Connection error on {url}:") + print(error_msg) except TimeoutError: - print(" [!] Timeout on {}. Investigate if there are" - " many of these".format(url)) + print(f" [!] Timeout on {url}. Investigate if there are" + " many of these") # Now, send all the results to the callback function for analysis # We need a way to stop processing unnecessary brute-forces, so the @@ -94,29 +126,79 @@ def get_url_batch(url_list, use_ssl=False, callback='', threads=5): # Refresh a status message tick['current'] += threads sys.stdout.flush() - sys.stdout.write(" {}/{} complete..." - .format(tick['current'], tick['total'])) + sys.stdout.write(f" {tick['current']}/{tick['total']} complete...") sys.stdout.write('\r') # Clear the status message sys.stdout.write(' \r') +def read_nameservers(file_path): + """ + Reads nameservers from a given file. + Each line in the file should contain one nameserver IP address. + Lines starting with '#' will be ignored as comments. + """ + try: + with open(file_path, 'r', encoding='utf-8') as file: + nameservers = [line.strip() for line in file if line.strip() and not line.strip().startswith('#')] + if not nameservers: + raise ValueError("Nameserver file is empty or only contains comments") + return nameservers + except FileNotFoundError: + print(f"Error: File '{file_path}' not found.") + sys.exit(1) + except ValueError as e: + print(e) + sys.exit(1) + +def is_valid_ip(address): + try: + ipaddress.ip_address(address) + return True + except ValueError: + return False + def dns_lookup(nameserver, name): """ This function performs the actual DNS lookup when called in a threadpool by the fast_dns_lookup function.
""" - res = dns.resolver.Resolver() - res.nameservers = [nameserver] + nameserverfile = False + if not is_valid_ip(nameserver): + nameserverfile = nameserver - try: - res.query(name) - # If no exception is thrown, return the valid name - return name - except dns.resolver.NXDOMAIN: - return '' - -def fast_dns_lookup(names, nameserver, callback='', threads=5): + res = dns.resolver.Resolver() + res.timeout = 3 + if nameserverfile: + nameservers = read_nameservers(nameserverfile) + res.nameservers = nameservers + else: + res.nameservers = [nameserver] + + tries = 0 + + while tries < 3: + try: + res.query(name) + # If no exception is thrown, return the valid name + return name + except dns.resolver.NXDOMAIN: + return '' + except dns.resolver.NoNameservers as exc_text: + print(" [!] Error querying nameservers! This could be a problem.") + print(" [!] If you're using a VPN, try setting --ns to your VPN's nameserver.") + print(" [!] Bailing because you need to fix this") + print(" [!] More Info:") + print(exc_text) + return '-#BREAKOUT_DNS_ERROR#-' + except dns.exception.Timeout: + tries += 1 + + print(f" [!] DNS lookup for {name} timed out after 3 tries. Investigate if there are many of these.") + return '' + + +def fast_dns_lookup(names, nameserver, nameserverfile, callback='', threads=5): """ Helper function to resolve DNS names. Uses multithreading. 
""" @@ -124,7 +206,10 @@ def fast_dns_lookup(names, nameserver, callback='', threads=5): current = 0 valid_names = [] - print("[*] Brute-forcing a list of {} possible DNS names".format(total)) + print(f"[*] Brute-forcing a list of {total} possible DNS names") + + # Filter out invalid domains + names = [name for name in names if is_valid_domain(name)] # Break the url list into smaller lists based on thread size queue = [names[x:x+threads] for x in range(0, len(names), threads)] @@ -134,13 +219,18 @@ def fast_dns_lookup(names, nameserver, callback='', threads=5): # Because pool.map takes only a single function arg, we need to # define this partial so that each iteration uses the same ns - dns_lookup_params = partial(dns_lookup, nameserver) + if nameserverfile: + dns_lookup_params = partial(dns_lookup, nameserverfile) + else: + dns_lookup_params = partial(dns_lookup, nameserver) results = pool.map(dns_lookup_params, batch) # We should now have the batch of results back, process them. for name in results: if name: + if name == '-#BREAKOUT_DNS_ERROR#-': + sys.exit() if callback: callback(name) valid_names.append(name) @@ -149,14 +239,16 @@ def fast_dns_lookup(names, nameserver, callback='', threads=5): # Update the status message sys.stdout.flush() - sys.stdout.write(" {}/{} complete...".format(current, total)) + sys.stdout.write(f" {current}/{total} complete...") sys.stdout.write('\r') + pool.close() # Clear the status message sys.stdout.write(' \r') return valid_names + def list_bucket_contents(bucket): """ Provides a list of full URLs to each open bucket @@ -174,38 +266,62 @@ def list_bucket_contents(bucket): # Format them to full URLs and print to console if keys: - printc(" FILES:\n", 'none') + print(" FILES:") for key in keys: url = bucket + key - printc(" ->{}\n".format(url), 'none') + print(f" ->{url}") else: - printc(" ...empty bucket, so sad. :(\n", 'none') + print(" ...empty bucket, so sad. 
:(") -def printc(text, color): + +def fmt_output(data): """ - Prints colored text to screen + Handles the output - printing and logging based on a specified format """ - # ANSI escape sequences - green = '\033[92m' - orange = '\033[33m' - red = '\033[31m' + # ANSI escape sequences are set based on accessibility of target + # (basically, how public it is) bold = '\033[1m' end = '\033[0m' + colors = {'public': '\033[92m', # green + 'protected': '\033[33m', # orange + 'disabled': '\033[31m'} # red + # Fall back to plain bold for any other access level instead of + # crashing on an unassigned variable + ansi = bold + colors.get(data['access'], '') - if color == 'orange': - sys.stdout.write(bold + orange + text + end) - if color == 'green': - sys.stdout.write(bold + green + text + end) - if color == 'red': - sys.stdout.write(bold + red + text + end) - if color == 'black': - sys.stdout.write(bold + text + end) - if color == 'none': - sys.stdout.write(text) + sys.stdout.write(' ' + ansi + data['msg'] + ': ' + data['target'] + end + '\n') if LOGFILE: - with open(LOGFILE, 'a') as log_writer: - log_writer.write(text.lstrip()) + with open(LOGFILE, 'a', encoding='utf-8') as log_writer: + if LOGFILE_FMT == 'text': + log_writer.write(f'{data["msg"]}: {data["target"]}\n') + if LOGFILE_FMT == 'csv': + writer = csv.DictWriter(log_writer, data.keys()) + writer.writerow(data) + if LOGFILE_FMT == 'json': + log_writer.write(json.dumps(data) + '\n') + + +def get_brute(brute_file, mini=1, maxi=63, banned='[^a-z0-9_-]'): + """ + Generates a list of brute-force words based on length and allowed chars + """ + # Read the brute force file into memory + with open(brute_file, encoding="utf8", errors="ignore") as infile: + names = infile.read().splitlines() + + # Clean up the names to be usable for containers + banned_chars = re.compile(banned) + clean_names = [] + for name in names: + name = name.lower() + name = banned_chars.sub('', name) + if maxi >= len(name) >= mini: + if name not in clean_names: + clean_names.append(name) + + return clean_names
+ def start_timer(): """ @@ -215,6 +331,7 @@ def start_timer(): start_time = time.time() return start_time + def stop_timer(start_time): """ Stops timer and prints a status @@ -225,5 +342,5 @@ def stop_timer(start_time): # Print some statistics print("") - print(" Elapsed time: {}".format(formatted_time)) + print(f" Elapsed time: {formatted_time}") print("") diff --git a/manpage/cloud_enum.1 b/manpage/cloud_enum.1 new file mode 100644 index 0000000..cc8b1ae --- /dev/null +++ b/manpage/cloud_enum.1 @@ -0,0 +1,103 @@ +.\" Text automatically generated by txt2man +.TH cloud_enum 1 "01 Apr 2022" "cloud_enum-0.7" "Multi-cloud open source intelligence tool" +.SH NAME +\fBcloud_enum \fP- enumerates public resources matching user requested keyword +\fB +.SH SYNOPSIS +.nf +.fam C +cloud_enum [OPTIONS] [ARGS] \.\.\. + +.fam T +.fi +.fam T +.fi +.SH DESCRIPTION +Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. +Currently enumerates the following: +.PP +.nf +.fam C + Amazon Web Services: + Open / Protected S3 Buckets + awsapps (WorkMail, WorkDocs, Connect, etc.) + + Microsoft Azure: + Storage Accounts + Open Blob Storage Containers + Hosted Databases + Virtual Machines + Web Apps + + Google Cloud Platform + Open / Protected GCP Buckets + Open / Protected Firebase Realtime Databases + Google App Engine sites + Cloud Functions (enumerates project/regions with existing functions, then brute forces actual function names) + +.fam T +.fi +.SH OPTIONS +.TP +.B +\fB-h\fP, \fB--help\fP +Show this help message and exit. +.TP +.B +\fB-k\fP KEYWORD, \fB--keyword\fP KEYWORD +Keyword. Can use argument multiple times. +.TP +.B +\fB-kf\fP KEYFILE, \fB--keyfile\fP KEYFILE +Input file with a single keyword per line. +.TP +.B +\fB-m\fP MUTATIONS, \fB--mutations\fP MUTATIONS +Mutations. Default: /usr/lib/cloud-enum/enum_tools/fuzz.txt. +.TP +.B +\fB-b\fP BRUTE, \fB--brute\fP BRUTE +List to brute-force Azure container names. 
Default: /usr/lib/cloud-enum/enum_tools/fuzz.txt. +.TP +.B +\fB-t\fP THREADS, \fB--threads\fP THREADS +Threads for HTTP brute-force. Default = 5. +.TP +.B +\fB-ns\fP NAMESERVER, \fB--nameserver\fP NAMESERVER +DNS server to use in brute-force. +.TP +.B +\fB-l\fP LOGFILE, \fB--logfile\fP LOGFILE +Will APPEND found items to specified file. +.TP +.B +\fB-f\fP FORMAT, \fB--format\fP Format +Format for log file (text,json,csv - defaults to text) +.TP +.B +\fB--disable-aws\fP +Disable Amazon checks. +.TP +.B +\fB--disable-azure\fP +Disable Azure checks. +.TP +.B +\fB--disable-gcp\fP +Disable Google checks. +.TP +.B +\fB-qs\fP, \fB--quickscan\fP +Disable all mutations and second-level scan. +.SH EXAMPLES +cloud_enum \fB-k\fP keyword +.PP +cloud_enum \fB-k\fP keyword \fB-t\fP 10 +.PP +cloud_enum \fB-k\fP somecompany \fB-k\fP somecompany.io \fB-k\fP blockchaindoohickey +.SH AUTHOR +Written by initstring +.PP +This manual page was written by Guilherme de Paula Xavier Segundo + for the Debian project (but may be used by others). diff --git a/manpage/cloud_enum.txt b/manpage/cloud_enum.txt new file mode 100644 index 0000000..4cfe598 --- /dev/null +++ b/manpage/cloud_enum.txt @@ -0,0 +1,54 @@ +NAME + cloud_enum - enumerates public resources matching user requested keyword + +SYNOPSIS + cloud_enum [OPTIONS] [ARGS] ... + +DESCRIPTION + Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. + Currently enumerates the following: + + Amazon Web Services: + Open / Protected S3 Buckets + awsapps (WorkMail, WorkDocs, Connect, etc.) + + Microsoft Azure: + Storage Accounts + Open Blob Storage Containers + Hosted Databases + Virtual Machines + Web Apps + + Google Cloud Platform + Open / Protected GCP Buckets + Open / Protected Firebase Realtime Databases + Google App Engine sites + Cloud Functions (enumerates project/regions with existing functions, then brute forces actual function names) + +OPTIONS + -h, --help Show this help message and exit. 
+ -k KEYWORD, --keyword KEYWORD Keyword. Can use argument multiple times. + -kf KEYFILE, --keyfile KEYFILE Input file with a single keyword per line. + -m MUTATIONS, --mutations MUTATIONS Mutations. Default: /usr/lib/cloud-enum/enum_tools/fuzz.txt. + -b BRUTE, --brute BRUTE List to brute-force Azure container names. Default: /usr/lib/cloud-enum/enum_tools/fuzz.txt. + -t THREADS, --threads THREADS Threads for HTTP brute-force. Default = 5. + -ns NAMESERVER, --nameserver NAMESERVER DNS server to use in brute-force. + -l LOGFILE, --logfile LOGFILE Will APPEND found items to specified file. + -f FORMAT, --format Format Format for log file (text,json,csv - defaults to text) + --disable-aws Disable Amazon checks. + --disable-azure Disable Azure checks. + --disable-gcp Disable Google checks. + -qs, --quickscan Disable all mutations and second-level scan. + +EXAMPLES + cloud_enum -k keyword + + cloud_enum -k keyword -t 10 + + cloud_enum -k somecompany -k somecompany.io -k blockchaindoohickey + +AUTHOR + Written by initstring + + This manual page was written by Guilherme de Paula Xavier Segundo + for the Debian project (but may be used by others). diff --git a/pyproject.toml b/pyproject.toml new file mode 100644 index 0000000..34cd28a --- /dev/null +++ b/pyproject.toml @@ -0,0 +1,26 @@ +[project] +name = "cloud_enum" +version = "0.8" +description = "Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud." 
+requires-python = ">=3.10" +dependencies = [ + "dnspython>=2.8.0", + "requests>=2.34.2", + "requests-futures>=1.0.2", +] + +[project.scripts] +cloud_enum = "cloud_enum:main" + +[dependency-groups] +dev = [ + "pytest", +] + +[tool.setuptools] +py-modules = ["cloud_enum"] +packages = ["enum_tools"] + +[build-system] +requires = ["setuptools>=61"] +build-backend = "setuptools.build_meta" diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index 77b97fb..0000000 --- a/requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -dnspython -requests -requests_futures diff --git a/tests/__init__.py b/tests/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/tests/test_utils.py b/tests/test_utils.py new file mode 100644 index 0000000..0eb31af --- /dev/null +++ b/tests/test_utils.py @@ -0,0 +1,3 @@ +# This test obviously does nothing, it is just setting up the framework +def test1(): + assert 1 == 1