Releases: BishopFox/cloudfox
v1.15.0
Commits
- 0a95240: added admin/pmapper logic to principals command (Seth Art) #96
- b31f367: added the --admin-check-only flag to iam-simulator command (Seth Art) #96
- e0dc71b: updated the adminActionNames check actions to remove ssm get documents and replace with ssm get parameters (Seth Art) #96
- 6b0970e: Fix for cape in regards to permission expansion (Seth Art) #96
- 85b9b11: Bumped version to 1.43.3 (Seth Art) #96
- a88e98a: Removed AWSSSO-ACCOUNTID entries from cape table as they are redundant (Seth Art) #96
- 8e1e8d0: Fix for cape that also makes edges for cross-account explicit trusts. Also added a new flag to ignore certain edges entirely. (Seth Art) #96
- ebf9985: Fix for #92 (Seth Art) #96
- 878d7ec: Fixed bug in cape where files did not exist crash. Fixed bug that duplicated edges because of magenta. (Seth Art) #96
- 9076beb: Bumped version to 1.15.0 (Seth Art) #96
- b3c25bb: spelling fix (Seth Art) #96
v1.14.2
v1.14.1
Bug Fixes
Commits
- 91f5f14: Added RDS database instances back into output. I think it's ok to have both clusters and instances in the output (Seth Art) #89
- 0b88bca: Updated tests to make sure that RDS instances without clusters are checked for (Seth Art) #89
- 5ba8b08: Update Makefile to include 386 linux binary for release action (Seth Art) #90
- 0ac24e3: Update utils.go (Seth Art) #90
- 738085d: fix typo from codespell (David) #90
v1.14.0
Commits
- 5c40ef4: initial ideas for graph command (sethsec-bf) #84
- 4edbd33: neo4j cross-account stuff kind of working, pmapper stuff not working (sethsec-bf) #84
- c4a276e: graph/neo4j functionality working - detecting cross account attack paths (sethsec-bf) #84
- 66ffc57: go mod tidy (sethsec-bf) #84
- 1e2eaf5: merged from main (sethsec-bf) #84
- ef25d8b: Merged origin/seth-dev into graph (sethsec-bf) #84
- f5437b7: Started to add knownvendoraccounts info (sethsec-bf) #84
- 4cf58a3: Created loot file for pmapper (sethsec-bf) #84
- 009321e: Updated pmapper output files (sethsec-bf) #84
- ac1125d: added users model (sethsec-bf) #84
- 4d3c6a4: Merge remote-tracking branch 'origin/seth-dev' into graph (sethsec-bf) #84
- aeccb6d: Have global data in dom's graph format now. just need to write the table creation code (sethsec-bf) #84
- a13527a: Added MakeVertices method for type Role (sethsec-bf) #84
- e61a401: Kept first draft as the graph command. Moved second take to the caper command. (sethsec-bf) #84
- e4f3421: Added functionality to highlight admins in caper command (sethsec-bf) #84
- 24b7076: saving place in caper command (sethsec-bf) #84
- e4e5480: revert test (sethsec-bf) #84
- 42b0f3a: Merge branch 'main' of github.com:BishopFox/cloudfox into graph (sethsec-bf) #84
- dd6dd29: playing around with saving graph state between runs (sethsec-bf) #84
- 36c9a5b: Merged changes from neptune PR into this branch (sethsec-bf) #84
- 23409e3: remove unused code (enzowritescode) #78
- a40f0aa: More cleanup (enzowritescode) #78
- 05fd899: Fixed bug in federated role trust policies where multiple subjects are trusted (sethsec-bf) #84
- 2f99a76: working gcp functionality (David) #79
- f9d9ec4: Merge branch 'main' of github.com:BishopFox/cloudfox into feature/aws-neptune (sethsec-bf) #78
- ce03106: update release and fix database test (sethsec-bf) #78
- 3ff704e: merged from main (sethsec-bf) #84
- 8fac75e: merged from main (sethsec-bf) #84
- 334583d: save work whomai account stub (David) #79
- 4ef87d8: updated caper to use new version of parseFederatedRoleTrusts from the role-trusts command. Also changed the way vendors and federated identities are labeled (sethsec-bf) #84
- 8436924: quick fix for context error. logging issue still there. (sethsec-bf) #79
- fca22ce: renamed to cape, added hop count logic, pulled privesc function out so i can add logic to handle cobra flags (sethsec-bf) #84
- 590a94b: changed println to printf (sethsec-bf) #84
- dee22b3: fix logging issue and improve whoami (David) #79
- de492fa: Add Directory Service support for AWS (Bastien Faure) #81
- 608f078: AWS uses a mix of clouddirectory and directoryservices for Directory services (Bastien Faure) #81
- 57832ad: Codespell fix (Bastien Faure) #81
- 3a45583: Got cape working without any aws calls, cleaned up logging messages (sethsec-bf) #84
- 356d57b: Added pmapper basepath to all relevant commands. Improved logging for cape/cape-tui. Fixed codebuild cache bug. (sethsec-bf) #84
- 23e8878: Merge branch 'main' into feature/gcp-v1 (David) #79
- 94628aa: i cant spel (David) #79
- df3fb6e: Update codeowners (moloch--) #82
- 6e52e5e: merge gcp stuff from main into this branch (sethsec-bf) #81
- 8ab4c42: Merge branch 'main' into bastien_directoryservice_aws (Seth Art) #81
- 79f3899: update go mod (sethsec-bf) #81
- 67af1bd: update gcp package with vuln (sethsec-bf) #81
- 82635fd: made aws sso like eks, where edges are not created if the provider is in the same account as the role that trusts it. the edges will still show up cross account though. (sethsec-bf) #84
- 57194ef: bump to version 1.14.0, merged gcp and aws ds functionality (sethsec-bf) #84
- 77cd08b: updated gcp verbosity, updated cape command usage, switched version tracking file from main.go to internal/utils.go (sethsec-bf) #84
- abcc930: added afero fs back to output2 (needed to pass brew tests) (sethsec-bf) #84
- c3be95b: cleaned up enhanced pmapper loot file (sethsec-bf) #84
- 22417f1: spelling (sethsec-bf) #84
- c0e4301: Add GCP to readme, fix typo (sethsec-bf) #84
- a8d2bfb: Removed graph command from cobra for now (sethsec-bf) #84
v1.13.4
Commits
- a38451c: Typo fixes, reduced copy pasta, Neptune support (enzowritescode) #74
- 8c4bcc0: Add .idea to gitignore for GoLand (enzowritescode) #74
- 29514a9: Merge in latest and fix merge conflicts (enzowritescode) #74
- ae1dac6: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #80
- ca437d3: Filter Neptune results (enzowritescode) #74
- 59afbb3: Switched RDS database command from instances to clusters, and since it grabs Neptune and DocsDB clusters, we don't need to run those api calls. (they all return the same data). Also added back port info and added role info to the RDS clusters in -o wide mode (sethsec-bf) #74
- 80c00f3: Added test for databases command (sethsec-bf) #74
- 15e0507: Merge branch 'main' into feature/aws-neptune (Seth Art) #74
- fd01647: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #80
- 8d03932: Fix for #77 (sethsec-bf) #80
- a1903f6: Major update for role trusts parsing. Cleaner version has case statement on federated principal value and not solely on condition data (sethsec-bf) #80
- 6a21b96: Auth0 not ready yet - also this new version lists unknown federated types not instead of ignoring them (sethsec-bf) #80
- cec0d49: Fixing a bug in the new cached versions of the apigateway sdk calls (sethsec-bf) #80
- eaac503: bumped version to 1.13.4 for release with apigateway fix (sethsec-bf) #80
- 00e63b0: found a way to fix the apigateway types conflict with gob (sethsec-bf) #80
v1.13.3
v1.13.2
Commits
- a656103: Bumped to version 1.31.1 before PR (sethsec-bf) #75
- b5908fc: Fixed bug in the role trusts command introduced in 1.13.1 where cloudfox only shows principals with :root trust and not ALL role trusts (sethsec-bf) #75
- 18e38bf: Fixed bug in env-vars command introduced in 1.13.1 with the new interesting version of the table written to disk. was still recording them all. now the second table only has interesting env-vars (sethsec-bf) #75
- 237b073: Bumped version to 1.13.2 (sethsec-bf) #75
v1.13.1
Commits
- f13df07: Added mocks for apigw and apigwv2, and a test for the new api-gw command (sethsec-bf) #73
- 525f262: Added mocks for apigw and apigwv2, and a test for the new api-gw command (sethsec-bf) #73
- 1d53b98: Used the output2 loot mechanism for api-gws, updated tests (sethsec-bf) #73
- 97e2fef: Add data from fwd:cloudsec's known_aws_accounts repo into role-trust module (sethsec-bf) #73
- ea2ee3d: Fixed bug where instances without instance profile were not showing up (sethsec-bf) #73
- 5df1ca6: Update README.md (Seth Art)
- dd6bfef: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #73
- 13a03c5: Fixed panic bug that occurred when user specified a profile that did not exist (sethsec-bf) #73
- 5827abb: Hopefully this is a fix for #72 (sethsec-bf) #73
- 89789a0: updated pmapper command info (sethsec-bf) #73
- 23fc346: Update README.md (Seth Art)
- ff810ba: Update README.md (Seth Art)
- 8e99347: Update README.md (Seth Art)
- e08967b: This potential fix for #72 makes a lot more sense. Rather than overwrite the profile attribute of the struct, i have an AWSProfileProvided and a AWSProfileFake so that I can just pass the orig to other modules (since each module cleans it up itself). (sethsec-bf) #73
- 6069267: Fix for sub issue found by @cyberbutler in #72 (sethsec-bf) #73
- 1d1d198: More fixes from #72. Took the suggestion from @johnkeates and fixed the prepopulated nmap commands to NOT include a profile for the cases where the user did not specify a profile for cloudfox (sethsec-bf) #73
- 997c13d: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #73
v1.13.0
AWS
New Commands
- workloads - Summarize all compute workloads that have administrative access or a path to admin (EC2, Lambda, ECS for now)
- api-gws - (Contributed by @wdahlenburg) Enumerates all of the API gateways. Grabs API keys if they exist and creates a loot file with curl commands for you to access each endpoint
Command Updates
- role-trusts - Added new output file for role-trusts that highlights the roles that trust :root and also don't have an external ID
- env-vars - Added new output file for env-vars that highlights interesting credentials based on the name (secret, key, password, token, etc.)
- env-vars - Added color to screen print to highlight the interesting credentials based on the name (secret, key, password, token, etc.)
- workloads - Added color to screen print to highlight the principals that are assigned to workloads that also are admin or have a path to admin.
- iam-simulator & permissions - Fixed a bug in the iam-simulator and permissions commands where they were not writing a custom filename for custom checks.
- inventory - Supports more resources
General AWS Updates
- Updated default AWS output to v2 (shows table data). To suppress, use -v1 at the command line
- Added support for roles that require MFA
- Added ability for users to specify which columns they want displayed
- Added a -o wide flag to all commands. Like kubectl, you get default cols without -o wide, but with it, you get a few extra columns or arns instead of names in some cases.
Commits
- 17011f3: Additional enumeration on API gateways compared to the endpoints module (Wyatt Dahlenburg) #64
- 5eff1c7: Merging with main + minor updates (Wyatt Dahlenburg) #64
- 2ce1f0f: Codespell (Wyatt Dahlenburg) #64
- b1c248b: Used SDK, added more counters (sethsec-bf) #64
- 7343852: Updated endpoints to use the newly created sdk functions (sethsec-bf) #64
- Added a new output file for role trusts that just highlights the overly permissive root trusts without external ID #67 (sethsec-bf)
- First draft of new workloads command - summarizes all workloads #67 (sethsec-bf)
- 82738db: Fixed a bug where when pmapper data was missing iam simulator was not getting IAM roles properly. Also got workloads command working (sethsec-bf) #67
- 98af839: Added interesting functionality to env-vars and workloads (sethsec-bf) #67
- a690ad3: bumped version to 1.13.0-prerelease (sethsec-bf) #67
- ae7ed9e: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #67
- 6e146a5: add mfatoken param from recent update to api-gw code (sethsec-bf) #67
- cef6c9e: Fixed a bug where iam-simulator custom commands were overwriting the files for the default run. (sethsec-bf) #67
- 2b19d0a: For 1.13, switching default AWS verbosity to 2 (with the exception of all-checks which will be hardcoded to a verbosity of 1) (sethsec-bf) #67
- d1af1bb: Fixed a bug where permissions custom runs were overwriting the files for the default run. (sethsec-bf) #67
- d648e5b: Added ability to supply just a principal name, and the command will try it as a role and a user (sethsec-bf) #67
- 5c4d0fd: go get -u and fixes (sethsec-bf) #67
- cba252d: Normalize/clean up console messages. Also re-order the way the messages print in multi-profile mode (sethsec-bf) #67
- 06f8e36: bumped version to 1.13.0 (sethsec-bf) #67
- f1b6eae: codespell was tripping up on a hash from go.sum (sethsec-bf) #67
v1.12.3
Fixes:
- Fixed a bad bug in ECR that was only looking at the first repo
- role trusts were not sorting by service anymore
- fix for #65 - now supports roles that require MFA token
- fixed bug in cache load. was skipping cache load if any single file was messed up. now just skips bad files
- fixed caching of glue resource policies
- fixed error where cache load was loading json files along with the gob files and erroring. skipping the json files.
- fixed bug in #53 - buckets with no policy were not creating policy cache stubs so each bucket without a policy would always look for a new policy
Updates:
- Added ability for users to specify which columns they want displayed
- Now supports profiles for roles that require MFA tokens
Commits
- 1ff35a7: Upgrade GitHub Actions (Christian Clauss) #50
- f78f149: Fix typos discovered by codespell (Christian Clauss) #51
- 217ac7a: GitHub Action to run codespell (Christian Clauss) #52
- 6d1b471: Update codespell.yml (Christian Clauss) #52
- 8d145b1: Update README.md with more install methods (Seth Art)
- 187299a: Update README.md (Seth Art) #56
- bcfa318: cache load was loading json files along with the gob files and erroring. skipping the json files. also, updated ioutil library to os library (sethsec-bf) #59
- 818c3a8: fixed cache load issue, updated aws instances command to use cached data (sethsec-bf) #59
- 50493e6: fixed bug in #53 - buckets with no policy were not creating policy cache stubs so each bucket without a policy would always look for a new policy (sethsec-bf) #59
- dad2277: moved policy analysis behind a feature flag in the buckets command (sethsec-bf) #59
- 57d9e91: removed newline from buckets policy analysis (sethsec-bf) #59
- 4ee0da8: added user controlled columns to buckets, role-trusts, permissions (sethsec-bf) #59
- 9095908: added user controlled columns to cloudformation, and access keys (sethsec-bf) #59
- 7d3a61a: fixed caching issues in sdk/ecs (sethsec-bf) #59
- 1215a27: completed --cols & -o wide support for ALL aws commands (sethsec-bf) #59
- b43d6ad: go get -u and fixes (sethsec-bf) #59
- 7656267: fixes #36. -o wide will give you the arn, and the default (-o brief) will only give you the name for brevity (sethsec-bf) #59
- 2dc20ea: fixed codespell items (sethsec-bf) #59
- 54f7849: added accountID col to every table and removed the service col in all commands that are single service. (sethsec-bf) #61
- 06344b9: added secrets manager to resourcetrusts and cloud9 to inventory (sethsec-bf) #61
- 6a6f758: Fixed a bad bug in ECR that was only looking at the first repo (sethsec-bf) #61
- d505bc4: Updating the tests/mocks for ECR (sethsec-bf) #61
- e0f0627: new idea for resource trusts field (sethsec-bf) #61
- 8f5a571: fixed issue where role trusts was not sorting services correctly anymore (sethsec-bf) #66
- f51c1e9: Update README.md (Seth Art)
- 1819b11: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #66
- ff38b2c: fix for #65 -- adds config.WithAssumeRoleCredentialOptions section to the LoadDefaultConfig loader (sethsec-bf) #66
- 5e1ed54: fixed bug in cache loading that would error out if even a single cache file was not accounted for (sethsec-bf) #66
- 2ed0796: fixed bug where glue resource policy data was not caching properly. (sethsec-bf) #66
- a9a0c7a: more updates for #65. Added a cli flag --mfa-token so you can pass the token at the cloudfox command line. Ended up reworking AWSConfigFileLoader to use a map to store fetched configs which should have other performance improvements (sethsec-bf) #66
- 27a5110: for #65, decided to add a prompt to ask for MFA token if the user does not specify it at runtime (sethsec-bf) #66
- 9be3792: bumped version to 1.12.3 (sethsec-bf) #66