v2.0.0

Commits

• 83d9611: init (jbarciabf) #121
• 8f6208d: Merge remote-tracking branch 'upstream/main' into cloudfox-gcp-new (jbarciabf) #121
• 69c9070: updates (jbarciabf) #121
• abf1543: added new modules (jbarciabf) #121
• 0df2aa9: updated to include all-projects and added project name to output (jbarciabf) #121
• eae16c3: updated permission module (jbarciabf) #121
• ec9a50e: fixed error handling (jbarciabf) #121
• c9edf84: Update README.md (Seth Art) #117
• 333ca05: fixed error handling, added auto org detection for vpc, added features to whoami (jbarciabf) #121
• 36b45a6: rework (jbarciabf) #121
• 8dddcc8: Merge remote-tracking branch 'upstream/main' into cloudfox-gcp-new (jbarciabf) #121
• fbc862a: updated readme (jbarciabf) #121
• 3c1213b: fixed cloudrun 400 error (jbarciabf) #121
• 7bb7d94: fixed logging newline, more 400 errors, text formatting, and enhancements in dns, filestore, endpoints, and dataefil (jbarciabf) #121
• 8954fc2: fixed permissions denied error (jbarciabf) #121
• ce545ca: updated dataexfil (jbarciabf) #121
• 06a9dab: refactored output to be hierarchical, added privesc checks (jbarciabf) #121
• 31e2fe5: fixed privesc execution and output issues (jbarciabf) #121
• eedf397: created beautified ASCII tree view of the organization hierarchy (jbarciabf) #121
• f3f98f2: add org tree (jbarciabf) #121
• baf62fd: updated whoami for better privesc description (jbarciabf) #121
• d473e31: updated privesc checks (jbarciabf) #121
• 2f80731: updated bucketenum to no limits and enumerate all (jbarciabf) #121
• c94996e: added network diagrams (jbarciabf) #121
• 2b272a1: merged privesc, lat movemet, and data exfil into attack paths (jbarciabf) #121
• 8886496: added attackpath flag (jbarciabf) #121
• 35fca31: updated whoami counts (jbarciabf) #121
• f82547b: updated attackpath output (jbarciabf) #121
• ed732d0: migrated over to sdk and caching for standardization with aws modules (jbarciabf) #121
• 04bb167: updated version number (jbarciabf) #121
• 711e29e: updated readme permissions (jbarciabf) #121
• d24f817: changed global all projects flag (jbarciabf) #121
• 70107c6: updated session handling (jbarciabf) #121
• 44bf8e8: added attackpaths and loot (jbarciabf) #121
• 59bac4e: fixed whoami output and added new attack paths (jbarciabf) #121
• 72a551b: centralized attackpath service and playbooks (jbarciabf) #121
• eb76d76: physical cache instead of memory. 1st wave of cleanup (jbarciabf) #121
• de14130: fixed enumerate regions where permissions were sometimes denied (jbarciabf) #121
• 8a248e3: updated instances (jbarciabf) #121
• 6f45cbe: Fix false positive where GitHub Actions subject was not recognized (Dominik Prodinger) #118
• cb8be67: removed attack paths to use foxmapper instead (jbarciabf) #121
• 7a18090: removed attackpath and orgcache flags and enable by default (jbarciabf) #121
• d021ea5: cleanup output, better streaming and file splitting (jbarciabf) #121
• a8e8024: code cleanup (jbarciabf) #121
• c9d1c2d: normalized loot files and added additional commands (jbarciabf) #121
• 47d69d8: remove alias due to conflict (jbarciabf) #121
• f2d4b7c: updated readme (jbarciabf) #121
• 72cd367: fixed potential panics (jbarciabf) #121
• 8db014b: updated foxmapper mappings (jbarciabf) #121
• 60c6b8d: added log-enum, bigquery-enum, bigtable-enum, spanner-enum to search for sensitive stored data (jbarciabf) #121
• a3b7ab4: rename buckets -> storage (jbarciabf) #121
• a3d1c09: fixed codespell referer error (jbarciabf) #121
• 11763f0: Merge branch 'BishopFox:main' into fix-privesc-false-positive (Dominik Prodinger) #118

v1.17.0

Breaking change announcement

Versions prior to v1.17.0 depend on a json file from AWS that recently changed it's format and no longer work.

Commits

• 00fe4fd: add support for Route53 Alias records in route53 command (Dominic Breuker) #97
• ab4866f: fix bug with route53 alias record processing (Dominic Breuker) #97
• b60f479: Add container name column to ecs-tasks command (edops973) #104
• ed8e0a2: Add task definition column to env-vars command (edops973) #104
• ec497fa: Support kms service for command resource-trusts (edops973) #104
• 5e0eb15: Add resource-trusts KMS unit test (edops973) #104
• 8eec1c3: Add checksum to the release packages (edops973) #104
• 67b84f0: fix kms client nil when running all-checks command (edops973) #104
• 89b3492: Fix the order of input parameters when fetching KMS policy (edops973) #104
• a94bdc1: Remove task definition column in env-vars command (edops973) #104
• f058e1c: Bump version to v1.16.0-prerelease (Seth Art) #104
• 13bd04d: Add support for building Linux Arm64 (CraHan) #102
• 831198c: Support kms service for command resource-trusts (edops973) #104
• 4e75b11: Add resource-trusts KMS unit test (edops973) #104
• cae31fb: fix kms client nil when running all-checks command (edops973) #104
• e494029: Fix the order of input parameters when fetching KMS policy (edops973) #104
• cda06ff: Add container name column to ecs-tasks command (edops973) #104
• d3c042c: Add task definition column to env-vars command (edops973) #104
• 7e64399: Remove task definition column in env-vars command (edops973) #104
• 16c0f4d: Bump version to v1.16.0-prerelease (Seth Art) #104
• 1f4f128: Add checksum to the release packages (edops973) #104
• caaf399: Add feature flag for KMS service in resource-trusts command (edops973) #104
• 7d6d16a: Merge branch 'main' into feature/add-kms-service-to-resource-trusts-command (edops973) #104
• 68d68fc: fix typo in utils.go (Seth Art) #104
• 2391bb7: merge updates (Seth Art) #104
• 6b45f54: Removed block that ran kms even without feature flag. Also edited supported serviecs line to account for feature flag use (Seth Art) #104
• 296710c: Merge conflict (edops973) #104
• a104639: Merge conflict (edops973) #104
• d8e4157: Fix resource-trusts unittest (edops973) #104
• 5d2f261: Merge conflict (edops973) #104
• 43fe99e: Merge conflict (edops973) #104
• 56e64d8: Merge conflict (edops973) #104
• e54ffe8: Merge conflict (edops973) #104
• 2806f7e: Merge conflict (edops973) #104
• 0deb568: Get open search policies (edops973) #104
• 0c858e6: Add missing method in codebuild_mocks.go (edops973) #104
• 7671e7e: Add opensearch unittest (edops973) #104
• dfed049: Ignore public apigateway in resource trusts command (edops973) #104
• 19b825c: Merge remote-tracking branch 'origin' into feature/add-vpcendpoint-to-resource-trusts-command (Seth Art) #104
• d558e1c: Update supported services banner (Seth Art) #104
• 4584774: updated arn column to print full arn (Seth Art) #104
• 00b49aa: Merge branch 'main' into feature/add-opensearch-to-resource-trusts-command (Seth Art) #104
• d0de59d: update opensearch mod (Seth Art) #104
• 2cc97f5: Update version to 1.16.0 (Seth Art) #104
• 0e7b006: Merge branch 'main' into main (Seth Art) #104
• b28ed6a: Update CODEOWNERS (Bastien Faure)
• 5115f84: Update CODEOWNERS (jbarciabf)
• 521cf7e: Reduced the number of times awsservicemap calls out to get the AWS json (Seth Art) #109
• b3a03ec: Fixed small bug with inventory where it was counting total resources incorrectly (Seth Art) #109
• 3dbb98f: Added split level logging to logrus (Seth Art) #109
• 16b3c66: Unified logging around logrus. removed standard logging lines. (Seth Art) #109
• 1bb8576: Added logging for all successfull API calls to cloudfox-info.log (Seth Art) #109
• 52c1285: fixed makefile (jbarciabf) #115

v1.15.0

Commits

• 0a95240: added admin/pmapper logic to principals command (Seth Art) #96
• b31f367: added the the --admin-check-only flag to iam-simulator command (Seth Art) #96
• e0dc71b: updated the adminActionNames check actions to remove ssm get documents and replace with ssm get parameters (Seth Art) #96
• 6b0970e: Fix for cape in regards to permission expansion (Seth Art) #96
• 85b9b11: Bumped version to 1.43.3 (Seth Art) #96
• a88e98a: Removed AWSSSO-ACCOUNTID entries from cape table as they are redundant (Seth Art) #96
• 8e1e8d0: Fix for cape that also makes edges for cross-account explicit trusts. Also added a new flag to ignore certain edges entirely. (Seth Art) #96
• ebf9985: Fix for #92 (Seth Art) #96
• 878d7ec: Fixed bug in cape where files did not exist crash. Fixed bug that duplicated edges because of magenta. (Seth Art) #96
• 9076beb: Bumped version to 1.15.0 (Seth Art) #96
• b3c25bb: spelling fix (Seth Art) #96

v1.14.2

Commits

• 0184e15: Fix for IMDS not working due to breaking change in aws-sdk-go-v2. (Seth Art) #93
• aed3c0a: bump version (Seth Art) #93
• 547c48a: Merge branch 'main' into imds-fix (Seth Art) #93

v1.14.1

Bug Fixes

• close input file #87 (guangwu)

Commits

• 91f5f14: Added RDS database instances back into output. I think it's ok to have both clusters and instances in the output (Seth Art) #89
• 0b88bca: Updated tests to make sure that RDS instances without clusters are checked for (Seth Art) #89
• 5ba8b08: Update Makefile to include 386 linux binary for release action (Seth Art) #90
• 0ac24e3: Update utils.go (Seth Art) #90
• 738085d: fix typo from codespell (David) #90

v1.14.0

Commits

• 5c40ef4: initial ideas for graph command (sethsec-bf) #84
• 4edbd33: neo4j cross-account stuff kind of working, pmapper stuff not working (sethsec-bf) #84
• c4a276e: graph/neo4j functionali working - detecting cross account attack paths (sethsec-bf) #84
• 66ffc57: go mod tidy (sethsec-bf) #84
• 1e2eaf5: merged from main (sethsec-bf) #84
• ef25d8b: Merged origin/seth-dev into graph (sethsec-bf) #84
• f5437b7: Started to add knownvendoraccounts info (sethsec-bf) #84
• 4cf58a3: Created loot file for pmapper (sethsec-bf) #84
• 009321e: Updated pmapper output files (sethsec-bf) #84
• ac1125d: added users model (sethsec-bf) #84
• 4d3c6a4: Merge remote-tracking branch 'origin/seth-dev' into graph (sethsec-bf) #84
• aeccb6d: Have global data in dom's graph format now. just need to write the table creation code (sethsec-bf) #84
• a13527a: Added MakeVertices method for type Role (sethsec-bf) #84
• e61a401: Kept first draft as the graph command. Moved second take to the caper command. (sethsec-bf) #84
• e4f3421: Added functionailty to hightlight admins in caper command (sethsec-bf) #84
• 24b7076: saving place in caper command (sethsec-bf) #84
• e4e5480: revert test (sethsec-bf) #84
• 42b0f3a: Merge branch 'main' of github.com:BishopFox/cloudfox into graph (sethsec-bf) #84
• dd6dd29: playing around with saving graph state between runs (sethsec-bf) #84
• 36c9a5b: Merged changes from neptune PR into this branch (sethsec-bf) #84
• 23409e3: remove unused code (enzowritescode) #78
• a40f0aa: More cleanup (enzowritescode) #78
• 05fd899: Fixed bug in federeated role trust poclies where multiple subjects are trusted (sethsec-bf) #84
• 2f99a76: working gcp functionality (David) #79
• f9d9ec4: Merge branch 'main' of github.com:BishopFox/cloudfox into feature/aws-neptune (sethsec-bf) #78
• ce03106: update release and fix database test (sethsec-bf) #78
• 3ff704e: merged from main (sethsec-bf) #84
• 8fac75e: merged from main (sethsec-bf) #84
• 334583d: save work whomai account stub (David) #79
• 4ef87d8: updated caper to use new version of parseFederatedRoleTrusts from the role-trusts command. Also changed the way vendors and federated identities are labled (sethsec-bf) #84
• 8436924: quick fix for context error. logging issue still there. (sethsec-bf) #79
• fca22ce: renamed to cape, added hop count logic, pulled privesc function out so i can add logic to handle cobra flags (sethsec-bf) #84
• 590a94b: changed println to printf (sethsec-bf) #84
• dee22b3: fix logging issue and improve whoami (David) #79
• de492fa: Add Directory Service support for AWS (Bastien Faure) #81
• 608f078: AWS uses a mix of clouddirectory and directoryservices for Directory services (Bastien Faure) #81
• 57832ad: Codespell fix (Bastien Faure) #81
• 3a45583: Got cape working without any aws calls, cleaned up logging messages (sethsec-bf) #84
• 356d57b: Added pmapper basepath to all relevent commands. Improved logging for cape/cape-tui. Fixed codebuld cache bug. (sethsec-bf) #84
• 23e8878: Merge branch 'main' into feature/gcp-v1 (David) #79
• 94628aa: i cant spel (David) #79
• df3fb6e: Update codeowners (moloch--) #82
• 6e52e5e: merge gcp stuff from main into this branch (sethsec-bf) #81
• 8ab4c42: Merge branch 'main' into bastien_directoryservice_aws (Seth Art) #81
• 79f3899: update go mod (sethsec-bf) #81
• 67af1bd: update gcp package with vuln (sethsec-bf) #81
• 82635fd: made aws sso like eks, where edges are not created if it's if the provider is in the same account as the role that trusts it. the edges will still show up cross account though. (sethsec-bf) #84
• 57194ef: bump to version 1.14.0, merged gcp and aws ds functionality (sethsec-bf) #84
• 77cd08b: updated gcp verbosity, updated cape command usage, switched version tracking file from main.go to internal/utils.go (sethsec-bf) #84
• abcc930: added afero fs back to output2 (needed to pass brew tests) (sethsec-bf) #84
• c3be95b: cleaned up enhanced pmapper loot file (sethsec-bf) #84
• 22417f1: spelling (sethsec-bf) #84
• c0e4301: Add GCP to readme, fix typo (sethsec-bf) #84
• a8d2bfb: Removed graph command from cobra for now (sethsec-bf) #84

v1.13.4

Commits

• a38451c: Typo fixes, reduced copy pasta, Neptune support (enzowritescode) #74
• 8c4bcc0: Add .idea to gitignore for GoLand (enzowritescode) #74
• 29514a9: Merge in latest and fix merge conflicts (enzowritescode) #74
• ae1dac6: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #80
• ca437d3: Filter Neptune results (enzowritescode) #74
• 59afbb3: Switched RDS database command from instances to clusters, and since it grabs Neptune and DocsDB clusters, we don't need to run those api calls. (they all return the same data). Also added back port info and added role info to the RDS clusters in -o wide mode (sethsec-bf) #74
• 80c00f3: Added test for databases command (sethsec-bf) #74
• 15e0507: Merge branch 'main' into feature/aws-neptune (Seth Art) #74
• fd01647: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #80
• 8d03932: Fix for #77 (sethsec-bf) #80
• a1903f6: Major update for role trusts parsing. Cleaner version has case statement on federated principal value and not soley on condition data (sethsec-bf) #80
• 6a21b96: Auth0 not ready yet - also this new version lists unknown federated types not instead of ignoring them (sethsec-bf) #80
• cec0d49: Fixing a bug in the new cached versions of the apigateway sdk calls (sethsec-bf) #80
• eaac503: bumped version to 1.13.4 for release with apigateway fix (sethsec-bf) #80
• 00e63b0: found a way to fix the apigateway types conflict with gob (sethsec-bf) #80

v1.13.3

Commits

• 1ca5dbf: Fix bug in role-trusts command around new vendor lookup feature, enabled caching on apigateway commands (sethsec-bf)

v1.13.2

Commits

• a656103: Bumped to version 1.31.1 before PR (sethsec-bf) #75
• b5908fc: Fixed bug in the role trusts command introduced in 1.13.1 where cloudfox only shows princiapls with :root trust and not ALL role trusts (sethsec-bf) #75
• 18e38bf: Fixed bug in env-vars command introduced in 1.13.1 with the new interesting version of the table written to disk. was still recording them all. now the second table only has interesting env-vars (sethsec-bf) #75
• 237b073: Bumped version to 1.13.2 (sethsec-bf) #75

v1.13.1

Commits

• f13df07: Added mocks for apigw and apigwv2, and a test for the new api-gw command (sethsec-bf) #73
• 525f262: Added mocks for apigw and apigwv2, and a test for the new api-gw command (sethsec-bf) #73
• 1d53b98: Used the output2 loot mechanism for api-gws, updated tests (sethsec-bf) #73
• 97e2fef: Add data from fwd:cloudsec's known_aws_accounts repo into role-trust module (sethsec-bf) #73
• ea2ee3d: Fixed bug where instances without instance profile were not showing up (sethsec-bf) #73
• 5df1ca6: Update README.md (Seth Art)
• dd6bfef: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #73
• 13a03c5: Fixed panic bug that occured when user specified a profile that did not exist (sethsec-bf) #73
• 5827abb: Hopefully this is a fix for #72 (sethsec-bf) #73
• 89789a0: updated pmapper command info (sethsec-bf) #73
• 23fc346: Update README.md (Seth Art)
• ff810ba: Update README.md (Seth Art)
• 8e99347: Update README.md (Seth Art)
• e08967b: This potential fix for #72 makes a lot more sense. Rather than overrwite the profile attribute of the struct, i have an AWSProfileProvided and a AWSProfileFake so that I can just pass the orig to other modules (since each module cleans it up itself). (sethsec-bf) #73
• 6069267: Fix for sub issue found by @cyberbutler in #72 (sethsec-bf) #73
• 1d1d198: More fixes from #72. Took the suggestion from @johnkeates and fixed the prepopulated nmap commands to NOT include a profile for the cases where the user did not specify a profile for cloudfox (sethsec-bf) #73
• 997c13d: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #73