
Dufflebag

Dufflebag, a tool developed by Dan Petro (dan-bishopfox) and Ben Morris (bmoar), searches through public Elastic Block Storage (EBS) snapshots for secrets that were unintentionally left inside them. The number of passwords and secrets that are simply lying around might surprise you!

Because reading EBS volumes in practice is not particularly simple, Dufflebag has a lot of moving parts. To clone a snapshot, create a volume from it, attach the volume, mount it, and so on, you must be running inside an AWS environment. This is why it was designed as an Elastic Beanstalk app: you can scale it up or down as much as you like, and tear it down easily once you are done.

All you need to do is keep an eye on your AWS console to make sure nothing is going awry and accruing costs. We have made an effort to account for every scenario and provide error handling… but you have been forewarned!

Building

You will need a Go compiler, because the main application is written in Go. The EB application is packaged as a .zip file (that is simply how Elastic Beanstalk works), and the Makefile generates that zip for you.

Check your region. Dufflebag runs in only one AWS region at a time, so if you want to search every region you must deploy one instance per region. To change the region, edit the contents of the source file region.go.

The last step is to create an S3 bucket. Having Dufflebag create it automatically might be possible, but it would be awkward to set up, so do it yourself instead.

Simply create an S3 bucket with default permissions and give it a name that starts with “dufflebag”. S3 bucket names must be globally unique, so you will probably need to add some gibberish-filled or otherwise obscure suffix.

Deploying to Elastic Beanstalk

Locate the Elastic Beanstalk menu option in your AWS console. This explanation uses the console, although the same is probably possible using the CLI. Under Actions, select Create Environment.

Once this is working, you can try again with the safety valve off. By default, Dufflebag only looks through 20 EBS snapshots (so it does not go haywire on your first try). To expand the search to the entire region, go into populate.go, delete the following line of code, and then rebuild:

Dufflebag was created as an Elastic Beanstalk app in part so that it could easily be scaled up or down automatically. By default it runs on a single instance and is fairly slow, but you can speed it up considerably by changing Elastic Beanstalk’s autoscaling settings. The full range of options is a little outside the scope of this document, so experiment with them yourself; in actual use, a straightforward CPU-usage trigger performs admirably.

When configuring the environment in the example above, instead of selecting Create environment right away, look under the Configure more options button, then Scaling.

Scaling

Retrieving the Loot

Dufflebag copies any file it finds interesting to the S3 bucket you created earlier. Technically, Dufflebag uses the first S3 bucket it finds whose name begins with “dufflebag”.

Simply watch the files arrive one at a time in your S3 bucket. They are named from the original file name, a BLAKE3 checksum of the contents, and the volume ID:

originalfilename blake3sum volumeid

Monitoring Status

If everything is running smoothly you should not need to read the logs, but just in case, Elastic Beanstalk lets apps write to log files as they run. To view them, go to the Logs tab, then select Request Logs and Last 100 Lines. This fetches the most recent batch of Dufflebag logs; click the Download button to read it.

Changing What to Look For

Dufflebag is set up to look for things we deemed likely to be “interesting”: AWS keys, private keys, passwords, and so on. But what if you want to look for something that is specifically about YOU? For instance, you might be a bank.com employee who is interested in finding references to your company.

Achieving this requires modifying the Dufflebag code, but only slightly. Not to worry! The logic for what to search for lives in inspector.go, and the goroutine pilfer() is responsible for inspecting files. At first glance the code there might seem a little intimidating, but this is what it does (and how you can easily modify it):

Blacklists for file names:

Check the file name against an exact-match blacklist. (blacklist exact)

Check the file name against a “contains” blacklist: if the file name contains the specified string, reject it. (blacklist contains)

Check the file name against a blacklist of prefixes: if the file name begins with the specified string, reject it. (blacklist prefix)

Simply changing the items in those three lists will significantly alter the search logic. In general, however, I would advise leaving them alone. These blacklists are designed to cover tedious files that are common to many filesystems, so that Dufflebag does not have to thoroughly inspect every single file across the entire AWS infrastructure. The sensitive information you are looking for COULD be in those files, but it is unlikely.

Whitelist for file names:

The function IsSensitiveFileName() compares a file name against a regular expression that matches known sensitive file names (for example /etc/shadow, bash history, and so on).

File contents

The checkContentsRegex() function compares a file’s contents against a list of regular expressions. Note that the input to this function is a single line of the file, not the entire file; the file is fed in line by line. So to search for keywords related to your company, simply alter the regular expressions inside checkContentsRegex().
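To make the three-stage filter described above concrete (exact/contains/prefix blacklists, the sensitive-file-name whitelist, and line-by-line content regexes), here is an added, self-contained Go example. It is not Dufflebag’s own inspector.go code: the list contents, the regular expressions, the Finding type and the Pilfer/IsBlacklisted/ScanAll functions are all constructed for illustration, and the sample files are made up (the AKIAIOSFODNN7EXAMPLE key is the placeholder value from AWS documentation). It shows where a company keyword such as bank.com slots in next to the generic secret patterns.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed blacklists, mirroring the README's "blacklist exact",
// "blacklist contains" and "blacklist prefix" lists (hypothetical contents).
var blacklistExact = map[string]bool{
	"/etc/passwd":   true, // world-readable by design, never holds secrets
	"/etc/hostname": true,
}
var blacklistContains = []string{"/usr/share/doc/", "/.cache/", "/node_modules/"}
var blacklistPrefix = []string{"/proc/", "/sys/", "/dev/", "/usr/lib/"}

// Whitelist: file names worth reporting regardless of their contents.
var sensitiveNameRe = regexp.MustCompile(`(?i)(^|/)(shadow|\.bash_history|\.netrc|id_rsa|id_ed25519|credentials)$`)

// Content rules, each applied to ONE line of a file. The last entry is the
// kind of company-specific keyword the README suggests adding.
var contentRules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"private-key-header", regexp.MustCompile(`-----BEGIN (RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----`)},
	{"password-assignment", regexp.MustCompile(`(?i)\bpass(word)?\s*[:=]\s*\S+`)},
	{"company-keyword", regexp.MustCompile(`(?i)\bbank\.com\b`)},
}

// IsBlacklisted applies the three name blacklists in the order the README lists them.
func IsBlacklisted(name string) bool {
	if blacklistExact[name] {
		return true
	}
	for _, s := range blacklistContains {
		if strings.Contains(name, s) {
			return true
		}
	}
	for _, p := range blacklistPrefix {
		if strings.HasPrefix(name, p) {
			return true
		}
	}
	return false
}

// IsSensitiveFileName is the whitelist check on the file name alone.
func IsSensitiveFileName(name string) bool { return sensitiveNameRe.MatchString(name) }

// CheckContentsRegex returns the names of every rule that matches a single line.
func CheckContentsRegex(line string) []string {
	var hits []string
	for _, r := range contentRules {
		if r.Re.MatchString(line) {
			hits = append(hits, r.Name)
		}
	}
	return hits
}

// Finding records why a file was flagged; Line 0 means "flagged by name".
type Finding struct {
	Path string
	Line int
	Rule string
}

// Pilfer inspects one file: drop blacklisted names, flag sensitive names,
// then feed the contents through the content rules line by line.
func Pilfer(name, contents string) []Finding {
	if IsBlacklisted(name) {
		return nil
	}
	var out []Finding
	if IsSensitiveFileName(name) {
		out = append(out, Finding{name, 0, "sensitive-file-name"})
	}
	sc := bufio.NewScanner(strings.NewReader(contents))
	for n := 1; sc.Scan(); n++ {
		for _, rule := range CheckContentsRegex(sc.Text()) {
			out = append(out, Finding{name, n, rule})
		}
	}
	return out
}

// Constructed stand-in for a mounted snapshot: path -> file contents.
var sampleFiles = map[string]string{
	"/home/ubuntu/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
	"/home/ubuntu/.bash_history":    "ls -la\nexport AWS_SECRET=notreal\n",
	"/opt/app/config.yml":           "db:\n  host: db.internal\n  password: hunter2\n",
	"/root/.ssh/id_rsa":             "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n",
	"/var/log/app.log":              "user visited https://bank.com/login\n",
	"/usr/share/doc/README":         "password = in docs, skipped by blacklist\n",
	"/proc/1/environ":               "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}

// ScanAll runs Pilfer over the sample filesystem in a deterministic order.
func ScanAll() []Finding {
	paths := make([]string, 0, len(sampleFiles))
	for p := range sampleFiles {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var all []Finding
	for _, p := range paths {
		all = append(all, Pilfer(p, sampleFiles[p])...)
	}
	return all
}

func main() {
	for _, f := range ScanAll() {
		fmt.Printf("%-32s line %d  %s\n", f.Path, f.Line, f.Rule)
	}
}
```

Running it reports seven findings: both credential files are flagged by name and again on the line holding the key or key header, the config file and the log file are caught by content alone, and the two blacklisted paths produce nothing even though they contain matching text. That last point is the trade-off the README describes: the blacklists buy speed at the cost of skipping files that could, in principle, hold something sensitive.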
