Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in them. You may be surprised by all the passwords and secrets just lying around!
When Ben Morris presented his findings in “More Keys than a Piano: Finding Secrets in Publicly Exposed EBS Volumes” back at DEF CON 27, he found all sorts of secrets and associated data — passwords, SSH private keys, TLS certificates, application source code, API keys, and anything else that might be stored on a server hard disk. Even more surprising, some of this sensitive information came from snapshots of “internal-only” resources hosted on AWS. So by searching exposed EBS snapshots, an attacker can steal secrets from a server that isn’t even exposed to the internet, because the snapshot is public even though the server is not.
To help identify these exposed EBS volumes and allow individuals and businesses to secure their secrets, the Bishop Fox team developed Dufflebag, an open source tool available on GitHub.
The tool is organized as an Elastic Beanstalk ("EB", not to be confused with EBS) application, and definitely won't work if you try to run it on your own machine: an EBS volume can only be attached to an EC2 instance, so the scanner has to live inside AWS.
Dufflebag has a lot of moving pieces because it's fairly nontrivial to actually read EBS snapshots in practice. You have to be in an AWS environment, copy the snapshot into your own account, make a volume from the copy, attach the volume to an instance, mount the volume, and only then can you start looking for secrets. This is why it's made as an Elastic Beanstalk app, so it can automagically scale up or down however much you like, and so that the whole thing can be easily torn down when you're done with it.
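To make the chain concrete, here is the manual version of that pipeline as an added example. It is not code from the Dufflebag repository; it assumes (which the article does not state) a Linux EC2 instance with the AWS CLI on the PATH, running as root, under an IAM role allowed to call ec2:CopySnapshot, ec2:CreateVolume, ec2:AttachVolume and ec2:DescribeSnapshotAttribute. The secret patterns, the sample files and the `snapshot_is_public` helper are this example's own; the helper is the defender's side of the story, a check of your own snapshots' `createVolumePermission` attribute for the `all` group that makes a snapshot public.

```python
"""Manual Dufflebag pipeline: copy a public snapshot, make a volume, attach and
mount it read-only, then grep the filesystem for secrets.

Added example, not code from the Dufflebag project. Assumed (not in the article):
a Linux EC2 instance with the AWS CLI installed, run as root, with an IAM role
allowing ec2:CopySnapshot, ec2:CreateVolume, ec2:AttachVolume and
ec2:DescribeSnapshotAttribute. Patterns and sample files are constructed."""
import json
import os
import re
import stat
import subprocess
import tempfile

# Short, high-signal patterns for the kinds of material the DEF CON talk reported.
SECRET_PATTERNS = {
    "ssh_private_key": re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "tls_certificate": re.compile(rb"-----BEGIN CERTIFICATE-----"),
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}

def run_cmd(argv):
    """Run a command and parse its JSON output (the AWS CLI default); {} if silent."""
    out = subprocess.check_output(argv)
    return json.loads(out) if out.strip() else {}

def fetch_and_mount(snapshot_id, source_region, az, instance_id, run=run_cmd,
                    device="/dev/sdf", local_device="/dev/xvdf", mount_point="/mnt/snap"):
    """Copy -> volume -> attach -> mount. Every step goes through `run`, so the
    chain can be exercised offline with a fake runner. Copying first preserves
    the evidence even if the owner later deletes or privatises the snapshot."""
    copied = run(["aws", "ec2", "copy-snapshot", "--source-region", source_region,
                  "--source-snapshot-id", snapshot_id,
                  "--description", f"copy of {snapshot_id}"])["SnapshotId"]
    run(["aws", "ec2", "wait", "snapshot-completed", "--snapshot-ids", copied])
    # The volume must be created in the AZ of the instance it will attach to.
    volume = run(["aws", "ec2", "create-volume", "--snapshot-id", copied,
                  "--availability-zone", az])["VolumeId"]
    run(["aws", "ec2", "wait", "volume-available", "--volume-ids", volume])
    run(["aws", "ec2", "attach-volume", "--volume-id", volume,
         "--instance-id", instance_id, "--device", device])
    run(["aws", "ec2", "wait", "volume-in-use", "--volume-ids", volume])
    # Nitro instances expose the disk as /dev/nvme*n1 rather than /dev/xvdf;
    # check lsblk and pass local_device accordingly. Mount read-only so nothing
    # on the untrusted volume is executed or modified.
    run(["mkdir", "-p", mount_point])
    run(["mount", "-o", "ro,noexec,nosuid,nodev", local_device, mount_point])
    return {"snapshot": copied, "volume": volume, "mount_point": mount_point}

def snapshot_is_public(attribute):
    """Defender's check on the parsed output of
    `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`."""
    return any(p.get("Group") == "all" for p in attribute.get("CreateVolumePermissions", []))

def scan_tree(root, max_bytes=4 * 1024 * 1024):
    """Walk a mounted volume and return sorted (relative path, pattern, line no).
    Skips non-regular files and symlinks (they may point outside the mount),
    oversized files, and anything with a NUL in its first KiB (binaries)."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes:
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if b"\0" in data[:1024]:
                continue
            for lineno, line in enumerate(data.splitlines(), 1):
                for label, pattern in SECRET_PATTERNS.items():
                    if pattern.search(line):
                        findings.append((os.path.relpath(path, root), label, lineno))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed stand-in for a mounted volume (placeholder material, not real keys)."""
    files = {
        "etc/ssh/ssh_host_rsa_key": b"-----BEGIN OPENSSH PRIVATE KEY-----\nQUJDREVGRw==\n-----END OPENSSH PRIVATE KEY-----\n",
        "etc/ssl/certs/server.pem": b"-----BEGIN CERTIFICATE-----\nTUlJQg==\n-----END CERTIFICATE-----\n",
        "home/app/.aws/credentials": b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
        "srv/app/.env": b"DB_USER=app\nDB_PASSWORD=hunter2\n",
        "usr/bin/tool": b"\x7fELF\x02\x01\x01\x00\x00\x00password=oops",  # binary, skipped
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

def demo():
    """Build the sample tree in a temp dir and scan it as if it were /mnt/snap."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for path, label, lineno in demo():
        print(f"{path}:{lineno}: {label}")
```

Run it as-is to see the scanner find the four planted secrets and skip the binary; on a real instance, call `fetch_and_mount("snap-...", "us-east-1", "us-east-1a", "i-...")` and then `scan_tree("/mnt/snap")`. To audit your own account, loop `aws ec2 describe-snapshots --owner-ids self` through `describe-snapshot-attribute` and feed each result to `snapshot_is_public`; a public snapshot is made private again with `aws ec2 modify-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission --operation-type remove --group-names all`.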
Just keep an eye on your AWS console to make sure something isn't going haywire and racking up bills: every copied snapshot and every volume created from it is billed for as long as it exists, so check that they are being deleted as scans finish. We've tried to think of every contingency and provide error handling... but you've been warned!
Dan Petro is a Lead Researcher at Bishop Fox and focuses on application penetration testing (static and dynamic), product security reviews, network penetration testing (external and internal), and cryptographic analysis. Dan has presented at several Black Hats and DEF CONs on topics such as hacking smart safes, hijacking Google Chromecasts, and weaponizing AI. He has developed several open-source tools including Untwister, which breaks pseudorandom number generators. Additionally, Dan has been quoted in Wired, The Guardian, Business Insider, and Mashable. Dan holds both a Bachelor of Science and a Master of Science in Computer Science from Arizona State University.
Twitter: @2600AltF4
GitHub: dan-bishopfox