Author Archives: Jason Gillam

Cloud-Based Host Discovery Is Easier Than You Think!

During a recent conversation at DerbyCon it occurred to me that some security folks who are just dipping their toes into AWS are struggling a lot with the idea that cloud (EC2) instances keep popping up spontaneously. Developers and their agile / devops / continuous deployment methodologies are creating a chaotic mess of the network that has some security folks feeling like they are constantly in a game of whack-a-mole.  “I have to keep telling the developers to send me the IP address of new instances so I can scan them!” one security pro told me.  Running port scans across the entire network every day may seem impractical.

If this sounds like your current situation, have no fear!  Amazon has a pretty slick solution that makes the use of port-scanning for discovering hosts obsolete.  It is called the AWS CLI (Command Line Interface).  When used with an API key configured with appropriate permissions, the CLI enables a significant degree of control over an AWS environment.  To get started with the CLI just visit the Amazon guide.  You will find the downloads on the right-hand side, as indicated below:


Notice for Windows there is an actual installer but for Mac and Linux you can just use Python’s package installer “pip”.  If you don’t yet have pip installed, then you will need to do this first.  On my Debian/Ubuntu based system I ran:

apt-get install python-pip

On my Mac I find the easiest way to keep up with Python and pip (and several other things) is to install them through Homebrew.

Even once you have the AWS CLI installed, you won’t be able to use it right away.  First you need an Access Key.  To get this, sign in to your AWS account, navigate to Identity and Access Management (IAM) and either:

  1. Select your account; or,
  2. Create a service account.

Note that for the service account you will also have to set up which subset of permissions the account will have.  Once you have decided which account is going to take advantage of the CLI, create a new access key from the Security Credentials tab:


Once you create the key you will be presented with a dialog that displays the Access Key ID and Secret Access Key as follows:


See that Download Credentials button prominently displayed in the bottom right-hand corner of the dialog?  Well, this is the only time your Secret Access Key will ever be displayed, so press that button and download your Access Key ID and Secret Access Key to a safe location.  You’re going to need them.

Once you have these in place, type from the command-line:

aws configure

This will prompt you for your keys as well as the AWS region you are communicating with, which will look something like:

AWS Access Key ID [None]: <Insert your key ID here>
AWS Secret Access Key [None]: <Insert your secret key here>
Default region name [None]: us-west-2
Default output format [None]:

Once this is complete you should be able to use the AWS CLI.  Of immediate interest is the ability to return a list of currently running hosts (e.g. the describe-instances command), which essentially skips the discovery step of a port scan completely.  Yep, that’s right.  Instead of scanning for instances, we just ask AWS for a list!  One way to return information is as follows:

aws ec2 describe-instances

You will see immediately that although the AWS CLI is very flexible, it tends to return more information than we really need.  To simplify things further I prefer to write Python scripts using the boto3 module.  This module provides relatively easy access to the same functionality as the AWS CLI, but from within the Python interpreter.  To demonstrate just how easy things get I threw together a simple Python script, published on GitHub.  Once you have the AWS CLI running locally and boto3 installed (i.e. pip install boto3), you can run aws-list-hosts to return a list of IP addresses… convenient for feeding directly into Nmap or your favorite vulnerability scanning tool.

By default it will just list internal IP addresses of running hosts in the default region, but there are options to filter on other run-states and to view public IP addresses.  You can see all the available options by simply running

 python --help
usage: [-h] [--region REGION] [--profile PROFILE]
[--state {pending,running,shutting-down,terminated,stopped,stopping,all}]
[--group GROUP] [--public]
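To show what the boto3 side of this looks like, here is an added example of my own, not the aws-list-hosts script from the post. It mirrors the script's options (region, profile, state, group, public) and separates the parsing of a describe_instances response from the AWS call itself, so the filtering logic can be exercised offline against a constructed sample response. The only API it needs is ec2:DescribeInstances, so the key you feed it can be limited to that read-only permission. The sample instance data, the function names and the --sample flag are all my own assumptions.

```python
"""List EC2 instance IP addresses, boto3 style (added example, not the post's script)."""
import argparse
import sys

STATES = ("pending", "running", "shutting-down", "terminated", "stopped", "stopping", "all")


def instance_ips(reservations, state="running", public=False, group=None):
    """Return IP addresses of instances matching the filters.

    reservations: the 'Reservations' list from ec2.describe_instances().
    state: an EC2 instance state name, or 'all' for no state filter.
    public: when True return PublicIpAddress instead of PrivateIpAddress.
    group: if given, keep only instances attached to a security group of that name.
    """
    key = "PublicIpAddress" if public else "PrivateIpAddress"
    found = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if state != "all" and inst.get("State", {}).get("Name") != state:
                continue
            if group is not None:
                names = {sg.get("GroupName") for sg in inst.get("SecurityGroups", [])}
                if group not in names:
                    continue
            ip = inst.get(key)
            if ip:  # stopped instances have no public IP; skip empty values
                found.append(ip)
    return found


def fetch_reservations(region=None, profile=None):
    """Call the real AWS API (needs boto3 and credentials from 'aws configure')."""
    import boto3  # imported here so instance_ips() works without boto3 installed
    session = boto3.session.Session(profile_name=profile, region_name=region)
    ec2 = session.client("ec2")
    reservations = []
    # describe_instances is paginated; collect every page, not just the first
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return reservations


# Constructed sample response for offline use; not real AWS data.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0example1", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "203.0.113.10",
         "SecurityGroups": [{"GroupName": "web"}]},
        {"InstanceId": "i-0example2", "State": {"Name": "stopped"},
         "PrivateIpAddress": "10.0.1.11",
         "SecurityGroups": [{"GroupName": "db"}]},
    ]},
    {"Instances": [
        {"InstanceId": "i-0example3", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.2.20",
         "SecurityGroups": [{"GroupName": "db"}]},
    ]},
]


def main(argv=None):
    parser = argparse.ArgumentParser(description="List EC2 instance IPs")
    parser.add_argument("--region")
    parser.add_argument("--profile")
    parser.add_argument("--state", choices=STATES, default="running")
    parser.add_argument("--group", help="security group name to filter on")
    parser.add_argument("--public", action="store_true", help="show public IPs")
    parser.add_argument("--sample", action="store_true",
                        help="use the embedded sample data instead of calling AWS")
    args = parser.parse_args(argv)
    reservations = SAMPLE_RESERVATIONS if args.sample else fetch_reservations(
        args.region, args.profile)
    for ip in instance_ips(reservations, args.state, args.public, args.group):
        print(ip)  # one per line, ready to feed into a scanner's target list
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with --sample to see the filters work without touching AWS; drop --sample once your credentials are configured. Note that with --public, stopped instances disappear from the list entirely because EC2 releases their public address, which is why the state filter and the address type are worth choosing together.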

This really is just a tiny taste of what can be done through the AWS CLI and Boto3.  If you are getting started with AWS I hope this will help you realize that managing assets in the AWS cloud can actually be less stressful and more automated than trying to manage them in a traditional network where host discovery through port scanning is the only way to find them.  View my GitHub repo for the latest version of the script, and please let me know if you have ideas for other ways of filtering hosts or automating security scanning tasks through the AWS CLI and Boto3.

Jason Gillam is a Principal Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at, on Twitter @JGillam, or visit the Secure Ideas – ProfessionallyEvil site for services provided.

Wireless Attacking EAP-TTLS with Kali 2 and ALFA AWUS051NH

Is your corporate wifi as secure as you think it is? A common configuration for WPA Enterprise wireless networks is to use a combination of PEAP (Protected EAP) and EAP-TTLS (Tunneled Transport Layer Security). Though this configuration solves several issues found in other configurations, it (sometimes) also has its own fatal flaw. If a client… Continue Reading

Professionally Evil Insights: 2015

Are you interested in knowing which vulnerabilities are the most commonly discovered in penetration tests?  How about which industries are doing the best (or worst) with improving on their security programs?  We pulled together all of our 2014 and 2015 findings, analyzed the results, and came up with some interesting (at least we think so)… Continue Reading

Five Outdated Security Excuses

The Security Industry as a whole has been known to criticize businesses large and small with respect to how they manage security.   Why does it so often seem like an after-thought?  How is it that today we still frequently find that security teams are understaffed (or not at all), that business decisions involving sensitive information are made without… Continue Reading

Introducing Burp Correlator!

This one is for you web penetration testers!  This new Burp extension is designed to help with efficiency when you are testing a complex application full of parameters or a series of applications and just do not have enough time to thoroughly analyze each one.  It analyzes all the parameters in your in-scope traffic and… Continue Reading

Practical Pentest Advice from PCI

The PCI Security Standards Council released a Penetration Testing Guidance information supplement in March 2015.  This document, while geared towards the Payment Card Industry, provides a lot of valuable advice to the providers of penetration tests and their clients, regardless of industry.  At 40 pages in length the document might seem a bit heavy, so… Continue Reading

And Now… Introducing: Burp BS!

Burp BS… where the “BS” stands for BeanShell.  “What on earth is BeanShell?” you may ask?  BeanShell is a very old Java library that was designed to build scripts in Java.  It never really caught on for general use because the Java language is designed from the ground up to be… Continue Reading

MobiSec 2.0 Awesomeness Unleashed!

MobiSec has undergone a major reconstruction and version 2.0 (actually 2.0.1) is now available for download on SourceForge.  The popular mobile testing VM platform has been rebuilt on the latest Ubuntu 64-bit LTS.  The tools have been modernized through updates and by replacing deprecated tools with better-supported equivalents.  The environment has also been trimmed down… Continue Reading

Don’t Forget the Little Things!

On January 31st, Deusen disclosed what was described as a Same Origin Policy Bypass flaw called “Universal XSS (U-XSS)” in IE 9 through 11 on Full Disclosure.  This zero-day is another reminder of why a “Defense in Depth” strategy is so important, even within web applications.  That’s because this particular flaw has to do with… Continue Reading