Skip to content

December 20, 2017   |   Read Online

US MongoDB servers via Shodan

The most important challenge facing the companies I work with is knowing what they have facing the internet.

There are lots of other ways to be insecure, of course. Bad endpoint security and security hygiene will get a company hacked by phishing. And bad AppSec will get you hacked through the apps that you need to keep online.

The biggest problem I see however—by a wide margin—is companies not having any idea what ports, protocols, and applications they are presenting to the world.

Their networks are too large, they change too often, and their security teams are too busy filling out security questionnaires and deploying new security solutions to watch their perimeter in a reliable way. Moving to the cloud has made this much worse because developers are standing up boxes constantly, and hardly anyone is actually tracking what’s live at any given time.

AWS is by far the biggest cloud provider for my customers, but I have similar commands for the other providers.

That’s why I created getawspublicips.sh, which simply tells you—at any given moment—what the public IPs are for a given AWS account. It sounds like a small thing, but it isn’t. And if you’ve read this far you probably agree. Here’s the code and how to set it up.

AWS CLI

  1. Install the aws command

AWS has a cli command called aws, which you can install like so:

pip install awscli

Learn about the aws command syntax here.

  1. Configure the aws command

Then you have to set it up with your information.

aws configure

You’ll need to put in your access keys, your region, and your desired output format, e.g., whatever your keys are, us-west-1, json.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

  1. getawspublicips.sh

Now that the aws command will work for you, you can do the following:

You might have to fix the single and double quotes when pasting this code.

aws ec2 describe-regions | jq -r ‘.Regions[].RegionName’ | xargs -I{} sh -c ‘aws ec2 –region “$1” describe-network-interfaces | jq “.NetworkInterfaces[].Association.PublicIp” ‘ — {} | sed ‘s/”//g’

The output of this will be a simple list of all your public IPs for your EC2 instances.

54.8x.49.101
54.81.50.x0
254.x2.51.103
54.83.52.1x4

Of course, knowing what those IPs are is just the start of the beginning. You’ll then need a process for ensuring that they’re not presenting a port, protocol, or application that you didn’t know about and/or haven’t secured.

You can do that with lots of tools, e.g., masscan, nmap (with NSE functionality), arachni, et al.

But the most important bit is at least knowing what your attack surface is, and keeping that list updated on a regular basis. I recommend running this perhaps hourly, and feeding that into your monitoring and alert/response framework for when something nasty pops up.

Hope this helps someone.

  1. Thanks to Scott Piper for helping to improve the aws command syntax.
  1. What I Found Most Interesting from Amazon re:invent 2018
  2. How I Just Saved $5,500 on my EC2 Bill in 5 Minutes by Switching to a Reserved Instance
  3. A @TomNomNom Recon Tools Primer