Dufflebag: Uncovering Secrets in Exposed EBS Volumes

When Ben Morris presented his findings in “More Keys than a Piano: Finding Secrets in Publicly Exposed EBS Volumes” back at DEF CON 27, he found all sorts of secrets and associated data — passwords, SSH private keys, TLS certificates, application source code, API keys, and anything else that might be stored on a server hard disk. Even more surprising, some of this sensitive information was found on “internal-only” resources that are hosted on AWS. So by searching exposed EBS volumes, an attacker can steal secrets from a server that isn’t even exposed to the internet!

To help identify these exposed EBS volumes and allow individuals and businesses to secure their secrets, the Bishop Fox team developed Dufflebag, an open source tool available on GitHub.

The tool is organized as an Elastic Beanstalk ("EB", not to be confused with EBS) application, and definitely won't work if you try to run it on your own machine.

Dufflebag has a lot of moving pieces because it's fairly nontrivial to actually read EBS volumes in practice. You have to be in an AWS environment, clone the snapshot, make a volume from the snapshot, attach the volume, mount the volume, etc... This is why it's made as an Elastic Beanstalk app, so it can automagically scale up or down however much you like, and so that the whole thing can be easily torn down when you're done with it.

Just keep an eye on your AWS console to make sure something isn't going haywire and racking up bills. We've tried to think of every contingency and provide error handling... but you've been warned!