New Module: SNS topic subscription via email & SNS enum

[h00die]

This PR adds a new module which can be used to subscribe to a topic via Email. It's pretty simplistic, but I noticed the functionality didn't exist and I needed it.

@6a6f656c was a co-author on this.

Example run:

Pacu (session:key) > run sns__subscribe --topic arn:aws:sns:us-east-1:111111111111:topic_name_example --email [email protected]
  Running module sns__subscribe...
[sns__subscribe] Subscribed successfully, check email for subscription confirmation. Confirmation ARN: arn:aws:sns:us-east-1:111111111111:topic_name_example:11111111-1111-1111-1111-111111111111

Example run when the topic doesn't exist or permission denied:

Pacu (session:key) > run sns__subscribe --topic arn:aws:sns:us-east-1:111111111111:topic_name_example111 --email [email protected]
  Running module sns__subscribe...
[sns__subscribe] Unable to subscribe, check permissions and topic. Error: An error occurred (AuthorizationError) when calling the Subscribe operation: User: arn:aws:iam::111111111111:user/example is not authorized to perform: SNS:Subscribe on resource: arn:aws:sns:us-east-1:111111111111:topic_name_example111 because no identity-based policy allows the SNS:Subscribe action

Enum module

[DaveYesland]

A thought while using this: an sns__enum module might go well with this and adding a flag like --all where if you have permissions you could run sns__enum then sns__subscribe --all and it would just try to subscribe to all the topics which have been enumerated.

If you want to write the sns__enum go for it, otherwise let me know and I can do it then you can just update this module to work along with it.

[DaveYesland]

I receive the error below because there is no region specified in client = pacu_main.get_boto3_client("sns")

Could do something like:

region_from_arn = args.topic.split(":")[3]
client = pacu_main.get_boto3_client("sns", region=region_from_arn)

Traceback (most recent call last):
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/pacu/main.py", line 1827, in run_gui
    self.idle()
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/pacu/main.py", line 1683, in idle
    self.idle()
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/pacu/main.py", line 1683, in idle
    self.idle()
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/pacu/main.py", line 1681, in idle
    self.parse_command(command)
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/pacu/main.py", line 600, in parse_command
    self.parse_exec_module_command(command)
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/pacu/main.py", line 786, in parse_exec_module_command
    self.exec_module(command)
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/pacu/main.py", line 1003, in exec_module
    summary_data = module.main(command[2:], self)
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/pacu/modules/sns__subscribe/main.py", line 71, in main
    client = pacu_main.get_boto3_client("sns")
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/pacu/main.py", line 1560, in get_boto3_client
    return aws_sess.client(service, config=conf)
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/boto3/session.py", line 299, in client
    return self._session.create_client(
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/botocore/session.py", line 997, in create_client
    client = client_creator.create_client(
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/botocore/client.py", line 159, in create_client
    client_args = self._get_client_args(
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/botocore/client.py", line 490, in _get_client_args
    return args_creator.get_client_args(
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/botocore/args.py", line 100, in get_client_args
    final_args = self.compute_client_args(
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/botocore/args.py", line 219, in compute_client_args
    endpoint_config = self._compute_endpoint_config(
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/botocore/args.py", line 368, in _compute_endpoint_config
    return self._resolve_endpoint(**resolve_endpoint_kwargs)
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/botocore/args.py", line 473, in _resolve_endpoint
    return endpoint_bridge.resolve(
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/botocore/client.py", line 595, in resolve
    resolved = self.endpoint_resolver.construct_endpoint(
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/botocore/regions.py", line 229, in construct_endpoint
    result = self._endpoint_for_partition(
  File "/mnt/c/Users/path/Desktop/dev/rhino-pacu/pacu/.venv/lib/python3.9/site-packages/botocore/regions.py", line 277, in _endpoint_for_partition
    raise NoRegionError()
<class 'botocore.exceptions.NoRegionError'>: You must specify a region.

[h00die]

Its very interesting. In my test env, which i just pulled down all the changes to this repo, I'm still able to run it as is.

However, when helping with the mq__enum module, it required the region field even though the boto3 docs didn't specify it. Makes me wonder if there was a lib upgrade in the last few days or something like that.

I an add an sns__enum module next week, wont take but an hour or two. I'll tack it on to this PR to save space, and fix this module in the process.

[DaveYesland]

Yeah guessing it is just differences in boto3 lib versions or something requiring region. I have come across it on quite a few services seems better just just supply it as a default to make it more compatible with different versions/envs.

[h00die]

Should be ready to retest.

1. Added the region parsing as you described
2. added a new check to make sure the topic isn't a fifo as you can't subscribe via email to these
3. added new enumeration module

[h00die]

hold on landing, going to see if we can't enumerate emails as well in the enum module.

[h00die]

Should be good to go for testing. We now pull subscriber data, if permissioned you get emails/phone numbers (etc) for free!

[h00die]

prob worth storing in the DB as well.... any code snippets to help with that?

I saw https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__enum_permissions/main.py#L162 and https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__enum_permissions/main.py#L169-L174 but assumed we'll need a new key in the DB to handle sns and mq correct (https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/core/models.py#L39)?

[DaveYesland]

You need to add the tables to: pacu/core/models.py

Here is an example:
pacu/core/models.pypacu/core/models.py

Then you can dump the JSON data to the tables: https://github.com/davidkutz-marks/newmodules-cognito/blob/31a980353db26bb04c21e2e1fa7084c2be4fac93/pacu/modules/cognito__enum/main.py#L462-L465

Let me know if you need more help with the DB stuff.

[h00die]

ready for a review

[h00die]

Don't forget to update https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details

[DaveYesland]

Left a couple comments, let me know if you want me to implement any of those changes or you have questions. Thanks!

[h00die]

1. sns__enum now doesn't store empty region keys
2. sns__subscribe now has an --all flag which will use sns__enum or db store data to attempt to subscribe to all available SNS topics
3. sns__subscribe now can take a comma separated list of --topics and attempt to subscribe to them all

[DaveYesland]

Awesome thanks for the work on this one! Everything looks good and testing worked.