in ,

LC multi-cloud attack surface asset grooming open source tool


LC (List Cloud) is a multi-cloud attack surface asset sorting tool. Using LC, Party A's blue team can quickly sort out assets that may be exposed to the public network when managing multi-cloud.

Function

  • List multiple configured cloud assets
  • Support multiple cloud service providers
  • Support multiple cloud services
  • Support filtering intranet IP
  • Highly scalable, you can easily add more cloud service providers and cloud services
  • Can be used in conjunction with other tools using the pipe character

Running screenshot:

Supports listed cloud services

serial number Cloud service provider service name
1 Ali Cloud ECS cloud server
2 Ali Cloud OSS object storage
3 Ali Cloud RDS database
4 Tencent Cloud CVM cloud server
5 Tencent Cloud LH lightweight application server
6 Tencent Cloud COS object storage
7 Huawei Cloud OBS object storage
8 Tianyi Cloud OOS object storage
9 Baidu cloud BOS object storage
10 Baidu cloud BCC cloud server
11 China Unicom Cloud OSS object storage
12 Qiniuyun Kodo Object Storage
13 mobile cloud EOS object storage

manual

For detailed user manual, please see:LC User Manual

Install

Install using brew

Install

brew tap wgpsec/tap
brew install wgpsec/tap/lc

renew

brew update
brew upgrade lc

Download binaries

Directly download address in LC:github.com/wgpsec/lc/releases Download the compressed file corresponding to the system, decompress it and run it in the command line.

usage

lc -h

use -h View the help information of lc for parameters. This is the usage currently supported by lc.

lc (list cloud) 是一个多云攻击面资产梳理工具

Usage:
  lc (flags)

Flags:
配置:
  -c, -config string  指定配置文件路径 (default "$HOME/.config/lc/config.yaml")
  -t, -threads int    指定扫描的线程数量 (default 3)

过滤:
  -i, -id string()        指定要使用的配置(以逗号分隔)
  -p, -provider string()  指定要使用的云服务商(以逗号分隔)
  -ep, -exclude-private   从输出的结果中排除私有 IP

输出:
  -o, -output string  将结果输出到指定的文件中
  -s, -silent         只输出结果
  -v, -version        输出工具的版本
  -debug              输出调试日志信息

Easy to get started

When used for the first time, the LC will $HOME/.config/lc Create a directory config.yamlso in the first execution lc After the command, fill in your cloud access credentials into $HOME/.config/lc/config.yaml Once in the file, you can start to use LC officially.

Run directly lc command to list your cloud assets.

lc

If no results are listed, it may be because there are no assets on the cloud itself, or the access credentials are insufficient. Here we recommend giving the access credentials global readable permissions.

If you want to exclude the intranet IP from the results, just add -ep parameter.

lc -ep

If you want to use LC with other tools, such as using httpx to detect whether assets can be accessed from the public network, you can use the following command.

lc -ep -s | httpx -sc -title -silent

More usage can be viewed LC User Manual

postscript

This tool is open source using the MIT license. Masters are very welcome to contribute code to this project. Masters who want to contribute code can just submit a PR directly to the dev branch of this project.

In addition, if this tool can help you, please click Star and thank you for using my tool ~

For more information, please follow my personal WeChat public account: TeamsSix

What do you think?

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

Adobe fixed multiple critical flaws in Acrobat and Reader

Notes on ThroughTek Kalay Vulnerabilities and Their Impact on the IoT Ecosystem