LinkedInGitHubYouTube

dsnap

A tool for enumerating and downloading EBS snapshots

Install

# with apt package manager
sudo apt install python3-dsnap

# with pipx
pipx install dnsap

Enumerating Snapshots

You need the AWS action ebs:ListSnapshotBlocks

# list all snapshots available in an account you have valid credentials for
dsnap --profile <profileName> --region <awsRegion> list

           Id          |   Owneer ID   | Description
snap-11111111111111111   123456789012    mysnapshot

Downloading Snapshots

You need the AWS action ebs:GetSnapshotBlock

With Access to the AWS Account

  • So long as the snapshot exists in an AWS account you have access to, you can download it 

dsnap --profile <profileName> --region <awsRegion> get snap-11111111111111111
Selected snapshot with id snap-11111111111111111

Output Path: /home/parallels/snap-11111111111111111.img
Truncating file to 8.0 GB

Without Access to the AWS Account

  • If you don't have credentials for an AWS account where the public snapshot is, you can't download it 

dsnap --profile <profileName> --region <awsRegion> get snap-22222222222222222

Selected snapshot with id snap-22222222222222222
[snip]
botocore.errorfactory.ValidationException: An error occurred (ValidationException) when calling the ListSnapshotBlocks operation: Public snapshots are not supported

  • To resolve this, first copy the snapshot from the target account to your account

aws --profile <profileName> --region <awsRegion> ec2 copy-snapshot --source-snapshot-id snap-22222222222222222 --source-region <awsRegion> --destination-region <awsRegion> --description "Copy of ABC's public snapshot"

{
    "SnapshotId": "snap-11111111111111111"
}

  • Then you can download it locally with dsnap

  • Alternatively, you can create an ec2 in your account and use this snapshot which may be beneficial depending on the snapshot size / your download speeds

dsnap --profile <profileName> --region <awsRegion> get snap-11111111111111111
Selected snapshot with id snap-11111111111111111

Output Path: /home/parallels/snap-11111111111111111.img
Truncating file to 8.0 GB

Mounting the Snapshot for Local Inspection

  • If you decide to download the snapshot locally (rather than run it on an EC2) then we need to mount it

Mounting the snapshot is like attaching a USB drive to your computer. You have access to all the files on the drive but it's not running the operating system.

parted snap-11111111111111111.img unit s print

# output
WARNING: You are not superuser.  Watch out for permissions.
Model:  (file)
Disk /home/parallels/snap-11111111111111111.img: 16777216s
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start    End        Size       File system  Name  Flags
14      2048s    10239s     8192s                         bios_grub
15      10240s   227327s    217088s    fat32              boot, esp
 1      227328s  16777182s  16549855s  ext4

  • We take the start point of the ext4 partition (227328) and multiply it by the sector size (512 bytes), which gives us an offset value of 116391936. This offset tells the operating system where to begin reading the partition within the disk image. Without specifying the correct offset, the operating system might attempt to read from the wrong location—such as the partition table or unallocated space—causing errors or preventing access to the file system.

# make a directory to mount the snapshot
sudo mkdir /mnt/snapshot

# mount the snapshot
sudo mount -o loop,offset=116391936 snap-11111111111111111.img /mnt/snapshot

  • Now we can access the snapshot

ls -alh /mnt/snapshot

# output
total 88K
drwxr-xr-x 19 root root 4.0K Dec 21  2023 .
drwxr-xr-x  3 root root 4.0K Jan  4 13:06 ..
lrwxrwxrwx  1 root root    7 Dec  6  2023 bin -> usr/bin
drwxr-xr-x  4 root root 4.0K Dec  6  2023 boot
drwxr-xr-x  4 root root 4.0K Dec  6  2023 dev
drwxr-xr-x 93 root root 4.0K Dec 21  2023 etc
drwxr-xr-x  3 root root 4.0K Dec 21  2023 home
lrwxrwxrwx  1 root root    7 Dec  6  2023 lib -> usr/lib
[snip]

  • You'll notice the files and directories are all owned by root since we had to use sudo to mount this

  • We have a few options, the easiest being to switch to the root user

ls root/    

#output
ls: cannot open directory 'root': Permission denied

sudo su
ls root/ 

# output 
root_file1 root_file2

  • Or you can change ownership of the mount directory to our current user (parallels for me)

sudo chown -R $USER:$USER /mnt/snapshot
ls -alh /mnt/snapshot

# output
total 88K
drwxr-xr-x 19 parallels parallels 4.0K Dec 21  2023 .
drwxr-xr-x  3 root      root      4.0K Jan  4 13:06 ..
lrwxrwxrwx  1 parallels parallels    7 Dec  6  2023 bin -> usr/bin
drwxr-xr-x  4 parallels parallels 4.0K Dec  6  2023 boot
drwxr-xr-x  4 parallels parallels 4.0K Dec  6  2023 dev
[snip]

  • Change it back to root if you want

sudo chown -R root:root /mnt/snapshot
ls -alh /mnt/snapshot

# output
total 88K
drwxr-xr-x 19 root root 4.0K Dec 21  2023 .
drwxr-xr-x  3 root root 4.0K Jan  4 13:06 ..
lrwxrwxrwx  1 root root    7 Dec  6  2023 bin -> usr/bin
drwxr-xr-x  4 root root 4.0K Dec  6  2023 boot
drwxr-xr-x  4 root root 4.0K Dec  6  2023 dev

Running the Snapshot in a Local Docker Container

Resources

https://github.com/RhinoSecurityLabs/dsnap
PreviousTooling IndexNextPacu

Last updated

Was this helpful?