# dsnap

## Install

{% code overflow="wrap" %}

```bash
# with apt package manager
sudo apt install python3-dsnap

# with pipx
pipx install dnsap 
```

{% endcode %}

***

## Enumerating Snapshots

{% hint style="warning" %}
You need the AWS action `ebs:ListSnapshotBlocks`
{% endhint %}

{% code overflow="wrap" %}

```bash
# list all snapshots available in an account you have valid credentials for
dsnap --profile <profileName> --region <awsRegion> list

           Id          |   Owneer ID   | Description
snap-11111111111111111   123456789012    mysnapshot
```

{% endcode %}

***

## Downloading Snapshots&#x20;

{% hint style="warning" %}
You need the AWS action `ebs:GetSnapshotBlock`
{% endhint %}

### With Access to the AWS Account

* So long as the snapshot exists in an AWS account you have access to, you can download it&#x20;

{% code overflow="wrap" %}

```bash
dsnap --profile <profileName> --region <awsRegion> get snap-11111111111111111
Selected snapshot with id snap-11111111111111111

Output Path: /home/parallels/snap-11111111111111111.img
Truncating file to 8.0 GB
```

{% endcode %}

### Without Access to the AWS Account

* If you don't have credentials for an AWS account where the public snapshot is, you can't download it&#x20;

{% code overflow="wrap" %}

```bash
dsnap --profile <profileName> --region <awsRegion> get snap-22222222222222222

Selected snapshot with id snap-22222222222222222
[snip]
botocore.errorfactory.ValidationException: An error occurred (ValidationException) when calling the ListSnapshotBlocks operation: Public snapshots are not supported
```

{% endcode %}

* To resolve this, first copy the snapshot from the target account to your account

{% code overflow="wrap" %}

```bash
aws --profile <profileName> --region <awsRegion> ec2 copy-snapshot --source-snapshot-id snap-22222222222222222 --source-region <awsRegion> --destination-region <awsRegion> --description "Copy of ABC's public snapshot"

{
    "SnapshotId": "snap-11111111111111111"
}
```

{% endcode %}

* Then you can download it locally with dsnap
* Alternatively, you can create an ec2 in your account and use this snapshot which may be beneficial depending on the snapshot size / your download speeds

{% code overflow="wrap" %}

```bash
dsnap --profile <profileName> --region <awsRegion> get snap-11111111111111111
Selected snapshot with id snap-11111111111111111

Output Path: /home/parallels/snap-11111111111111111.img
Truncating file to 8.0 GB
```

{% endcode %}

***

## Mounting the Snapshot for Local Inspection

* If you decide to download the snapshot locally (rather than run it on an EC2) then we need to mount it

{% hint style="info" %}
Mounting the snapshot is like attaching a USB drive to your computer. You have access to all the files on the drive but it's not running the operating system.
{% endhint %}

{% code overflow="wrap" %}

```bash
parted snap-11111111111111111.img unit s print

# output
WARNING: You are not superuser.  Watch out for permissions.
Model:  (file)
Disk /home/parallels/snap-11111111111111111.img: 16777216s
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start    End        Size       File system  Name  Flags
14      2048s    10239s     8192s                         bios_grub
15      10240s   227327s    217088s    fat32              boot, esp
 1      227328s  16777182s  16549855s  ext4
```

{% endcode %}

* We take the start point of the `ext4` partition (`227328`) and multiply it by the sector size (`512` bytes), which gives us an offset value of `116391936`. This offset tells the operating system where to begin reading the partition within the disk image. Without specifying the correct offset, the operating system might attempt to read from the wrong location—such as the partition table or unallocated space—causing errors or preventing access to the file system.

{% code overflow="wrap" %}

```bash
# make a directory to mount the snapshot
sudo mkdir /mnt/snapshot

# mount the snapshot
sudo mount -o loop,offset=116391936 snap-11111111111111111.img /mnt/snapshot
```

{% endcode %}

* Now we can access the snapshot

{% code overflow="wrap" %}

```bash
ls -alh /mnt/snapshot

# output
total 88K
drwxr-xr-x 19 root root 4.0K Dec 21  2023 .
drwxr-xr-x  3 root root 4.0K Jan  4 13:06 ..
lrwxrwxrwx  1 root root    7 Dec  6  2023 bin -> usr/bin
drwxr-xr-x  4 root root 4.0K Dec  6  2023 boot
drwxr-xr-x  4 root root 4.0K Dec  6  2023 dev
drwxr-xr-x 93 root root 4.0K Dec 21  2023 etc
drwxr-xr-x  3 root root 4.0K Dec 21  2023 home
lrwxrwxrwx  1 root root    7 Dec  6  2023 lib -> usr/lib
[snip]
```

{% endcode %}

* You'll notice the files and directories are all owned by `root` since we had to use sudo to mount this
* We have a few options, the easiest being to switch to the `root` user

{% code overflow="wrap" %}

```bash
ls root/    

#output
ls: cannot open directory 'root': Permission denied

sudo su
ls root/ 

# output 
root_file1 root_file2
```

{% endcode %}

* Or you can change ownership of the mount directory to our current user (parallels for me)

{% code overflow="wrap" %}

```bash
sudo chown -R $USER:$USER /mnt/snapshot
ls -alh /mnt/snapshot

# output
total 88K
drwxr-xr-x 19 parallels parallels 4.0K Dec 21  2023 .
drwxr-xr-x  3 root      root      4.0K Jan  4 13:06 ..
lrwxrwxrwx  1 parallels parallels    7 Dec  6  2023 bin -> usr/bin
drwxr-xr-x  4 parallels parallels 4.0K Dec  6  2023 boot
drwxr-xr-x  4 parallels parallels 4.0K Dec  6  2023 dev
[snip]
```

{% endcode %}

* Change it back to root if you want

{% code overflow="wrap" %}

```bash
sudo chown -R root:root /mnt/snapshot
ls -alh /mnt/snapshot

# output
total 88K
drwxr-xr-x 19 root root 4.0K Dec 21  2023 .
drwxr-xr-x  3 root root 4.0K Jan  4 13:06 ..
lrwxrwxrwx  1 root root    7 Dec  6  2023 bin -> usr/bin
drwxr-xr-x  4 root root 4.0K Dec  6  2023 boot
drwxr-xr-x  4 root root 4.0K Dec  6  2023 dev
```

{% endcode %}

***

## Running the Snapshot in a Local Docker Container

* Dsnap can spin up a local docker container to run the snapshot from but I haven't had luck getting this to work on an Apple Silicon mac (though I haven't tried for over a year)
* <https://github.com/RhinoSecurityLabs/dsnap?tab=readme-ov-file#mounting-with-docker>

## Resources

{% @github-files/github-code-block url="<https://github.com/RhinoSecurityLabs/dsnap>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.techwithtyler.dev/cloud-security/tools/dsnap.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.