Project Introduction
Nebula is a cloud and DevOps penetration testing framework that builds modules per provider and per capability. As of April 2021 it covers only AWS, but it is an active project that is expected to grow to test GCP, Azure, Kubernetes, Docker, and automation engines such as Ansible, Terraform and Chef.
The project covers
- Custom HTTP User-Agent strings
- S3 bucket name brute-forcing
- IAM, EC2 and S3 exploitation
- IAM, EC2, S3 and Lambda enumeration
Project Setup
Step 1: Download the project files
git clone https://github.com/gl4ssesbo1/Nebula
docker pull gl4ssesbo1/nebula:latest
Step 2: Run the project
cd Nebula
docker run -v $(pwd):/app -ti gl4ssesbo1/nebula:latest main.py
Tool Usage
Help Information
()()(AWS) >>> help
Help Command:                 Description:
-------------                 ------------
help                          Show help for all the commands
help credentials              Show help for credentials
help module                   Show help for modules
help workspace                Show help for credentials
help user-agent               Show help for credentials
help shell                    Show help for shell connections

Module Commands               Description
---------------               -----------
show modules                  List all the modules
show enum                     List all Enumeration modules
show exploit                  List all Exploit modules
show persistence              List all Persistence modules
show privesc                  List all Privilege Escalation modules
show reconnaissance           List all Reconnaissance modules
show listener                 List all Reconnaissance modules
show cleanup                  List all Enumeration modules
show detection                List all Exploit modules
show detectionbypass          List all Persistence modules
show lateralmovement          List all Privilege Escalation modules
show stager                   List all Reconnaissance modules
use module <module>           Use a module.
options                       Show options of a module you have selected.
run                           Run a module you have selected. Eg: 'run <module name>'
search                        Search for a module via pattern. Eg: 'search s3'
back                          Unselect a module
set <option>                  Set option of a module. Need to have the module used first.
unset <option>                Unset option of a module. Need to have the module used first.

User-Agent commands           Description
-------------------           -----------
set user-agent windows        Set a windows client user agent
set user-agent linux          Set a linux client user agent
set user-agent custom         Set a custom client user agent
show user-agent               Show the current user-agent
unset user-agent              Use the user agent that boto3 produces

Workspace Commands            Description
------------------            -----------
create workspace <wp>         Create a workspace
use workspace <wp>            Use one of the workspaces
remove workspace <wp>         Remove a workspace

Shell commands                Description
-------------------           -----------
shell check_env               Check the environment you are in, get data and meta-data
shell exit                    Kill a connection
shell <command>               Run a command on a system. You don't need " on the command, just shell <command1> <command2>
Viewing Privileges
(test)()(AWS) >>> getuid
------------------------------------------------
UserId: A******************Q
------------------------------------------------
UserID: A******************Q
Arn: arn:aws:iam::012345678912:user/user_user
Account: 012345678912
[*] Output is saved to './workspaces/test/12_07_2021_02_22_54_getuid_dev_brian'
(test)()(AWS) >>> enum_user_privs
User: user_user
UserID: A******************Q
Arn: arn:aws:iam::012345678912:user/user_user
Account: 012345678912
--------------------------
Service: ec2
--------------------------
[*] Trying the 'Describe' functions:
[*] 'describe_account_attributes' worked!
[*] 'describe_addresses' worked!
[*] 'describe_aggregate_id_format' worked!
[*] 'describe_availability_zones' worked!
[*] 'describe_bundle_tasks' worked!
[*] 'describe_capacity_reservations' worked!
[*] 'describe_client_vpn_endpoints' worked!
[*] 'describe_coip_pools' worked!
[*] 'describe_customer_gateways' worked!
[*] 'describe_dhcp_options' worked!
[*] 'describe_egress_only_internet_gateways' worked!
^C
[*] Stopping. It might take a while. Please wait.
[*] Output of the allowed functions is saved to './workspaces/test/12_07_2021_02_24_09_enum_user_privs'
[*] The list of the allowed functions is saved to './workspaces/test/12_07_2021_02_24_09_allowed_functions'
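From the defender's side, a privilege-enumeration run like the one above leaves a distinctive trace in CloudTrail: one principal issues many different Describe*/List*/Get* calls within seconds, usually with some AccessDenied errors mixed in, because the module simply tries every function of a service in turn. The script below is an added example written for this page, not Nebula's own code; it scores each principal over a sliding window of CloudTrail records. The events, the access key IDs (AKIAEXAMPLE0000ENUM, AKIAEXAMPLE0000CICD) and the aws-cli User-Agent string are constructed sample data.

```python
"""Detect permission-enumeration bursts in CloudTrail records.

Added example for this page; it is not part of Nebula. The records below are
constructed CloudTrail-style events: real field names, made-up values.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def make_event(access_key, event_name, when, user_agent, error=None):
    """Build a minimal CloudTrail record (constructed sample data)."""
    ev = {
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "ec2.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "accessKeyId": access_key},
        "userAgent": user_agent,
    }
    if error:
        ev["errorCode"] = error
    return ev


T0 = datetime(2021, 7, 12, 2, 24, 9, tzinfo=timezone.utc)

# The first ten Describe* calls seen in the enum_user_privs run, one per second.
ENUM_CALLS = [
    "DescribeAccountAttributes", "DescribeAddresses", "DescribeAggregateIdFormat",
    "DescribeAvailabilityZones", "DescribeBundleTasks", "DescribeCapacityReservations",
    "DescribeClientVpnEndpoints", "DescribeCoipPools", "DescribeCustomerGateways",
    "DescribeDhcpOptions",
]
DENIED = {"DescribeClientVpnEndpoints", "DescribeCoipPools"}  # constructed failures
ENUM_KEY = "AKIAEXAMPLE0000ENUM"   # placeholder key of the enumerating principal
CICD_KEY = "AKIAEXAMPLE0000CICD"   # placeholder key of a benign pipeline

SAMPLE_EVENTS = [
    make_event(ENUM_KEY, name, T0 + timedelta(seconds=i),
               "Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic",
               "AccessDenied" if name in DENIED else None)
    for i, name in enumerate(ENUM_CALLS)
] + [
    # Benign: the same call repeated every five minutes is not enumeration.
    make_event(CICD_KEY, "DescribeInstances", T0 + timedelta(minutes=5 * i),
               "aws-cli/2.1.0 Python/3.8.5 Linux/5.4.0 exe/x86_64")
    for i in range(10)
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_of(event):
    ident = event.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("arn") or "unknown"


def detect_enumeration(events, window_seconds=60, min_distinct=8):
    """Return one finding per principal whose best sliding window holds at
    least `min_distinct` different read-only API calls."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventName", "").startswith(READ_ONLY_PREFIXES):
            by_principal[principal_of(ev)].append(ev)

    findings = {}
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        counts = defaultdict(int)   # eventName -> occurrences inside the window
        denied = 0                  # AccessDenied records inside the window
        start = 0
        for end, ev in enumerate(evs):
            counts[ev["eventName"]] += 1
            if ev.get("errorCode") == "AccessDenied":
                denied += 1
            # Advance the window start until the window spans <= window_seconds.
            while (parse_time(ev["eventTime"])
                   - parse_time(evs[start]["eventTime"])).total_seconds() > window_seconds:
                old = evs[start]
                counts[old["eventName"]] -= 1
                if counts[old["eventName"]] == 0:
                    del counts[old["eventName"]]
                if old.get("errorCode") == "AccessDenied":
                    denied -= 1
                start += 1
            distinct = len(counts)
            if distinct >= min_distinct:
                best = findings.get(principal)
                if best is None or distinct > best["distinct_calls"]:
                    findings[principal] = {
                        "principal": principal,
                        "distinct_calls": distinct,
                        "access_denied": denied,
                        "window_start": evs[start]["eventTime"],
                        "window_end": ev["eventTime"],
                    }
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_EVENTS):
        print(finding)
```

The window and threshold are tunable; a CI pipeline that repeats one DescribeInstances call never raises the distinct-call count, while the enumerating key reaches ten distinct calls in ten seconds with two denials. In production the same logic runs over CloudTrail Lake or the S3-delivered JSON, grouping on accessKeyId so that a single leaked key stands out even when several keys belong to the same IAM user.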
Listing Modules
()()(AWS) >>> show modules
cleanup/aws_iam_delete_access_key       Delete access key of a user by providing it.
cleanup/aws_iam_delete_login_profile    Delete access of a user to the Management Console
enum/aws_ec2_enum_elastic_ips           Lists User data of an Instance provided. Requires Secret Key and Access Key of an IAM that has access to it.
enum/aws_ec2_enum_images                List all ec2 images. Needs credentials of an IAM with DescribeImages right. Output is dumpled on a file. It takes a sh*tload of time, unfortunately. And boy, is it a huge output.
enum/aws_ec2_enum_instances             Describes instances attribues: Instances, VCP, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs
Module categories:
show modules
show enum
show exploit
show persistence
show privesc
show reconnaissance
show listener
show cleanup
show detection
show detectionbypass
show lateralmovement
show stager
Searching Modules
()()(AWS) >>> search instance
enum/aws_ec2_enum_instances                        Describes instances attribues: Instances, VCP, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs
enum/aws_iam_list_instance_profiles                List all the instance profiles.
exploit/aws_ec2_create_instance_with_user_data     You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
()()(AWS) >>>
Using a Module
(work1)()(enum/aws_ec2_enum_instances) >>> use module enum/aws_iam_get_group
(work1)()(enum/aws_ec2_enum_instances) >>>
Module Details
(work1)()(enum/aws_ec2_enum_instances) >>> options
Desctiption:
-----------------------------
Describes instances attribues: Instances, VCP, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs
Author:
-----------------------------
name: gl4ssesbo1
twitter: https://twitter.com/gl4ssesbo1
github: https://github.com/gl4ssesbo1
blog: https://www.pepperclipp.com/
AWSCLI Command:
-----------------------------
aws ec2 describe-instances --region {} --profile {}
Needs Credentials: True
-----------------------------
Options:
-----------------------------
SERVICE: ec2
Required: true
Description: The service that will be used to run the module. It cannot be changed.
INSTANCE-ID:
Required: false
Description: The ID of the instance you want to enumerate. If not supplied, all instances will be enumerated.
(work1)()(enum/aws_ec2_enum_instances) >>>
Reverse Shell
A. Stager
()()(AWS) >>> use module stager/aws_python_tcp
()()(stager/aws_python_tcp) >>> options
Desctiption:
-----------------------------
The TCP Reverse Shell that is used by listeners/aws_python_tcp_listener
Author:
-----------------------------
name: gl4ssesbo1
twitter: https://twitter.com/gl4ssesbo1
github: https://github.com/gl4ssesbo1
blog: https://www.pepperclipp.com/
Needs Credentials: False
-----------------------------
AWSCLI Command:
-----------------------------
None
Options:
-----------------------------
SERVICE: none
Required: true
Description: The service that will be used to run the module. It cannot be changed.
HOST:
Required: true
Description: The Host/IP of the C2 Server.
PORT:
Required: true
Description: The C2 Server Port.
FORMAT:
Required: true
Description: The format of the stager. Currently only allows 'py' for Python and 'elf' for ELF Binary.
CALLBACK-TIME: None
Required: true
Description: The time in seconds between callbacks from Stager. The Stager calls back even if the server crashes or is stoped in a loop.
OUTPUT-FILE-NAME:
Required: true
Description: The name of the stager output file.
B. Listener
()()(stager/aws_python_tcp) >>> use module listeners/aws_python_tcp_listener
()()(listeners/aws_python_tcp_listener) >>> options
Desctiption:
-----------------------------
TCP Listener for Reverse Shell stagers/aws_python_tcp
Author:
-----------------------------
name: gl4ssesbo1
twitter: https://twitter.com/gl4ssesbo1
github: https://github.com/gl4ssesbo1
blog: https://www.pepperclipp.com/
Needs Credentials: False
-----------------------------
AWSCLI Command:
-----------------------------
None
Options:
-----------------------------
SERVICE: none
Required: true
Description: The service that will be used to run the module. It cannot be changed.
HOST: 0.0.0.0
Required: true
Description: The Host/IP of the C2 Server.
PORT:
Required: true
Description: The C2 Server Port.
C. User Agents
()()(AWS) >>> set user-agent linux
User Agent: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic was set
()()(AWS) >>> show user-agent
[*] User Agent is: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic
()()(AWS) >>> set user-agent windows
User Agent: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48 was set
()()(AWS) >>> show user-agent
[*] User Agent is: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48
()()(AWS) >>> set user-agent custom
Enter the User-Agent you want: sth
User Agent: sth was set
()()(AWS) >>> show user-agent
[*] User Agent is: sth
()()(AWS) >>>
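The session above shows why the User-Agent header is a weak but still useful signal for defenders: the client sets it freely, yet CloudTrail records it on every call, and a genuine SDK installation does not present itself as Linux, then Windows 7, then an arbitrary string within the same minute. The following added example (written for this page, not Nebula's code) flags access keys whose User-Agent changes within a short window and reports which operating systems the strings claimed. The events are constructed; the two Boto3 strings are the ones the tool prints above, and the aws-cli strings and key IDs (AKIAEXAMPLE0000ENUM, AKIAEXAMPLE0000DEV) are made up for the sample.

```python
"""Flag access keys whose User-Agent string switches between calls.

Added example for this page; not part of Nebula. Sample events are
constructed CloudTrail-style records with made-up key IDs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operating-system token as produced by boto3/botocore and the AWS CLI.
OS_TOKEN = re.compile(r"\b(Windows|Linux|Darwin)/")


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def claimed_os(user_agent):
    """Operating system the User-Agent claims, or None for free-form strings."""
    m = OS_TOKEN.search(user_agent or "")
    return m.group(1) if m else None


def detect_user_agent_switching(events, window_seconds=300):
    """Return one finding per access key that presented two or more distinct
    User-Agent strings inside any span of `window_seconds`."""
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append((parse_time(ev["eventTime"]), ev.get("userAgent", "")))

    findings = {}
    for key, rows in by_key.items():
        rows.sort()
        start = 0
        for end, (t_end, _) in enumerate(rows):
            # Drop rows that fell out of the window ending at t_end.
            while (t_end - rows[start][0]).total_seconds() > window_seconds:
                start += 1
            agents = {ua for _, ua in rows[start:end + 1]}
            if len(agents) >= 2:
                f = findings.setdefault(
                    key, {"access_key": key, "user_agents": set(), "claimed_os": set()})
                f["user_agents"] |= agents
                f["claimed_os"] |= {name for name in map(claimed_os, agents) if name}
    return [dict(f, user_agents=sorted(f["user_agents"]), claimed_os=sorted(f["claimed_os"]))
            for f in findings.values()]


def make_event(access_key, when, user_agent):
    """Minimal constructed CloudTrail record; eventName is irrelevant here."""
    return {
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "accessKeyId": access_key},
        "userAgent": user_agent,
    }


T0 = datetime(2021, 7, 12, 2, 30, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # One key cycling through the three User-Agents shown in the session above.
    make_event("AKIAEXAMPLE0000ENUM", T0,
               "Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic"),
    make_event("AKIAEXAMPLE0000ENUM", T0 + timedelta(seconds=20),
               "Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48"),
    make_event("AKIAEXAMPLE0000ENUM", T0 + timedelta(seconds=40), "sth"),
    # Benign: a developer whose CLI was upgraded two days later.
    make_event("AKIAEXAMPLE0000DEV", T0,
               "aws-cli/2.1.0 Python/3.8.5 Linux/5.4.0 exe/x86_64"),
    make_event("AKIAEXAMPLE0000DEV", T0 + timedelta(days=2),
               "aws-cli/2.1.3 Python/3.8.5 Linux/5.4.0 exe/x86_64"),
]


if __name__ == "__main__":
    for finding in detect_user_agent_switching(SAMPLE_EVENTS):
        print(finding)
```

A version upgrade days apart does not trip the check, while a key that claims both Linux and Windows in under a minute does. Because the header is attacker-controlled, treat a hit as a pivot for investigation (source IP, called APIs, key age) rather than as proof on its own, and pair it with the call-pattern analysis of the enumeration run.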
Original article by 七芒星实验室. If reposting, please credit the source: https://www.sudun.com/ask/34257.html