security-research's Introduction

This repo is deprecated

Items in this repo are no longer maintained and some of them have been moved to our other repos.

security

Exploits written by the Rhino Security Labs team

www.rhinosecuritylabs.com

security-research's People

Contributors

chrislakin, d0xy, daveyesland, spengietz, xxdesmus

security-research's Issues

[-] Error connecting to database. Run -u|--update to get update databases

root@s1:~/Security-Research/tools/cfire# python cfire.py -u
[-] ipout archive missing. Downloading to cfdb/ipout.zip
[+] Downloading http://crimeflare.net:82/domains/ipout.zip to cfdb/ipout.zip
[==================================================]
[-] nsout archive missing. Downloading to cfdb/nsout.zip
[+] Downloading http://crimeflare.net:82/domains/nsout.zip to cfdb/nsout.zip
[==================================================]
[-] country archive missing. Downloading to cfdb/country.zip
[+] Downloading http://crimeflare.net:82/domains/country.zip to cfdb/country.zip
[==================================================]
[+] The ipout/nsout archives are up to date
[*] Creating SQLite3 Database into cfdb/cf.db

root@s1:~/Security-Research/tools/cfire# python cfire.py -u
[+] The ipout/nsout archives are up to date
[*] Start: Tue Sep 12 08:08:57 2017
[*] Complete: Tue Sep 12 08:08:57 2017
root@s1:~/Security-Research/tools/cfire# python cfire.py -t xsses.rocks
[*] Start: Tue Sep 12 08:09:02 2017
[*] Looking target up on CrimeFlare database
[*] xsses.rocks (104.27.129.136) is hosted on Cloudflare network
[-] Error connecting to database. Run -u|--update to get update databases
root@s1:~/Security-Research/tools/cfire#

Botocore version is incompatible with Python 3.6

I ran into this issue when trying to run python3 aws_escalate.py
caught_exception)
File "/usr/local/lib/python3.6/site-packages/botocore/retryhandler.py", line 223, in __call__
attempt_number, caught_exception)
File "/usr/local/lib/python3.6/site-packages/botocore/retryhandler.py", line 359, in _check_caught_exception
raise caught_exception
File "/usr/local/lib/python3.6/site-packages/botocore/endpoint.py", line 204, in _get_response
proxies=self.proxies, timeout=self.timeout)
File "/usr/local/lib/python3.6/site-packages/botocore/vendored/requests/sessions.py", line 573, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.6/site-packages/botocore/vendored/requests/adapters.py", line 370, in send
timeout=timeout
File "/usr/local/lib/python3.6/site-packages/botocore/vendored/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
body=body, headers=headers)
File "/usr/local/lib/python3.6/site-packages/botocore/vendored/requests/packages/urllib3/connectionpool.py", line 349, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/usr/local/Cellar/python/3.6.5_1/Frameworks/Python.framework/Versions/3.6/lib/python3.6/http/client.py", line 1239, in request
self._send_request(method, url, body, headers, encode_chunked)
TypeError: _send_request() takes 5 positional arguments but 6 were given

I searched around and the boto3 community said it's a known issue.
Any remediation or workaround would be helpful. Thanks.

Error installing requirements

```
$ pip install -r requirements.txt
Collecting argparse (from -r requirements.txt (line 1))
Downloading argparse-1.4.0-py2.py3-none-any.whl
Collecting requests (from -r requirements.txt (line 2))
Downloading requests-2.18.4-py2.py3-none-any.whl (88kB)
100% |████████████████████████████████| 92kB 1.1MB/s
Collecting dnspython (from -r requirements.txt (line 3))
Downloading dnspython-1.15.0-py2.py3-none-any.whl (177kB)
100% |████████████████████████████████| 184kB 1.8MB/s
Collecting dnslib (from -r requirements.txt (line 4))
Downloading dnslib-0.9.7.tar.gz (60kB)
100% |████████████████████████████████| 61kB 2.6MB/s
Collecting netaddr (from -r requirements.txt (line 5))
Downloading netaddr-0.7.19-py2.py3-none-any.whl (1.6MB)
100% |████████████████████████████████| 1.6MB 555kB/s
Collecting sqlite3 (from -r requirements.txt (line 6))
Downloading sqlite3-99.0.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "", line 1, in
File "/private/var/folders/xf/j6d7cpsn4qq7rht_ydj1r2zr001118/T/pip-build-6JTwrA/sqlite3/setup.py", line 2, in
raise RuntimeError("Package 'sqlite3' must not be downloaded from pypi")
RuntimeError: Package 'sqlite3' must not be downloaded from pypi

----------------------------------------

Command "python setup.py egg_info" failed with error code 1 in /private/var/folders/xf/j6d7cpsn4qq7rht_ydj1r2zr001118/T/pip-build-6JTwrA/sqlite3/
```

Environment:
$ pip -V
pip 9.0.1 from /Library/Python/2.7/site-packages/pip-9.0.1-py2.7.egg (python 2.7)
$ python -V
Python 2.7.10
OS X Sierra 10.12.6

New lambda privilege escalation method

@SpenGietz I've read https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ and also the different escalation methods listed in aws-pentest-tools/aws_escalate.py.

IMHO, in the blog post, "13. Updating the code of an existing Lambda function" could allow admin privilege escalation only if the function does run as admin, because lambda:UpdateFunctionCode does not allow you to change the role with which the function runs. This means that maybe you want to remove that from the script, or make the output look different? For example: Partial privilege escalation?

On the other hand, neither the blog post nor the code references lambda:UpdateFunctionConfiguration, which does allow you to set the role that the function will run as.

What do you think about adding these to escalation_methods:

        'UpdateExistingLambdaFunctionConfigurationWithRole': {
            'lambda:UpdateFunctionConfiguration': True,
            'lambda:InvokeFunction': True
        }
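
Added example (not part of the issue or of the repository's code): a defender-side check that reports, for a set of IAM policy documents attached to one principal, which actions of the permission set proposed above are still missing. The second method name, the helper names and the sample policies are assumptions constructed for illustration, and Resource, Condition and NotAction are not evaluated.

```python
import re

# Required-action sets in the dict shape the issue proposes for escalation_methods.
# The first entry is the one from the issue; the second name is hypothetical and
# covers the action the issue describes as only a partial escalation.
ESCALATION_METHODS = {
    "UpdateExistingLambdaFunctionConfigurationWithRole": {
        "lambda:UpdateFunctionConfiguration": True,
        "lambda:InvokeFunction": True,
    },
    "PartialUpdateExistingLambdaFunctionCode": {"lambda:UpdateFunctionCode": True},
}

# Constructed sample policies for one principal (not real data).
SAMPLE_POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": "lambda:Update*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["lambda:invokefunction", "s3:Get*"], "Resource": "*"},
    ]},
    {"Statement": {"Effect": "Deny", "Action": "lambda:UpdateFunctionCode", "Resource": "*"}},
]

def _as_list(value):
    # IAM allows a single statement or action where a list is also valid.
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."),
                            action, re.IGNORECASE) for p in patterns)

def action_allowed(action, policies):
    """True if some statement allows the action and no statement denies it.
    Assumption: Resource, Condition and NotAction are ignored."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Action" in stmt and _matches(action, _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return False  # an explicit deny overrides any allow
                allowed = True
    return allowed

def missing_actions(policies):
    """Map each method to the required actions the principal does not hold."""
    return {name: [a for a in required if not action_allowed(a, policies)]
            for name, required in ESCALATION_METHODS.items()}

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICIES))
```

An empty list for a method means every action it requires is granted, which is the condition to alert on or to remove from the policy.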

Error : a bytes-like object is required, not 'str'

Hello,
I followed the steps after downloading the Python file. However, I am getting the error below. Please let me know what went wrong.
Step-1: I created a file 'mydocs.docx' and have written Hello World
Step-2: I ran the command below and observed that a new file 'infected.docx' has been created at the same location and with the same content as 'mydoc.docx'. There is no other data inside the 'infected.docx' file. I also received an error while running the command.
C:\Users\Sofily\Study\PythonCodes>python subdoc_injector.py -i mydoc.docx -o infected.docx -u ///127.0.0.1/subdoctest -d 100
[+] Infecting mydoc.docx
Traceback (most recent call last):
File "subdoc_injector.py", line 227, in
main()
File "subdoc_injector.py", line 220, in main
infectDoc(args.infile, args.outfile, args.url, args.identifier, False)
File "subdoc_injector.py", line 179, in infectDoc
closepos = docx.index('/>')
TypeError: a bytes-like object is required, not 'str'

C:\Users\Sofily\Study\PythonCodes>

No license specified

The files in this repository appear not to have a license specified for them.

Please can you add to the repo:

  • a copy of the relevant license, and
  • a notice stating who owns the copyright in the files, and stating that the copyright holder is making them available under the license above.

Ideally, please use this license (the AGPLv3).

Thank you.

add censys.io for finding real ip

[*] Start: Tue Sep 12 09:19:20 2017
[*] Looking target up on CrimeFlare database
[*] www.cloudstress.com (104.24.99.64) is hosted on Cloudflare network
[-] No records found for www.cloudstress.com
[*] Complete: Tue Sep 12 09:19:21 2017

SSL leaks real ip...

https://censys.io/ipv4/137.74.107.240

Scanning across organization

Would it help to be able to point this script at an organization and be able to scan all accounts underneath? Perhaps we could have --org and --role flags and require that the user passed in has DescribeOrganization and AssumeRole permissions? That will simplify running this from a central InfoSec/Compliance account. Happy to submit a PR if this is deemed useful.

"This repository is over its data quota." when cloning repo

Would it be possible to get a mirror of cf.db? It seems like GitHub has cut you guys off.

Error downloading object: tools/cfire/cfdb/cf.db (da64bd2): Smudge error: Error downloading tools/cfire/cfdb/cf.db (da64bd273b371fbed06bb093139846aac1ee9e8c6314087bca73723e56ae056c): batch response: This repository is over its data quota. Purchase more data packs to restore access.

error

Traceback (most recent call last):
File "./aws_escalate.py", line 533, in
main(args)
File "./aws_escalate.py", line 41, in main
current_user = client.get_user()['User']
File "/root/Downloads/tools/cloudmapper-master/venv/lib/python3.6/site-packages/botocore/client.py", line 324, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/root/Downloads/tools/cloudmapper-master/venv/lib/python3.6/site-packages/botocore/client.py", line 622, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::aaaaaaa:user/xxxxxx@yyyyyyyy is not authorized to perform: iam:GetUser on resource: user xxxx@yyyyyyyyy with an explicit deny

My AWS user doesn't have permission to run:

current_user = client.get_user()['User'] (line 41) and it stops there.

Can you do something about this?

Thanks,
A

subdoc injector remote address

Hi, does this method need any specific flag on the remote Responder? It does not work with the default flags, and when I use other scripts for testing NTLM auth it works properly, so there is a problem with the Word requests.
