From 7aef456c20d68180e19a5210810f7b08d25dc91c Mon Sep 17 00:00:00 2001 From: mgeeky Date: Tue, 14 May 2019 18:15:14 +0200 Subject: [PATCH] Added get-session-creds-in-config-format.sh and couple of repos to prepare-kali.sh --- clouds/aws/README.md | 2 ++ .../aws/get-session-creds-in-config-format.sh | 34 +++++++++++++++++++ linux/prepare-kali.sh | 2 ++ 3 files changed, 38 insertions(+) create mode 100644 clouds/aws/get-session-creds-in-config-format.sh diff --git a/clouds/aws/README.md b/clouds/aws/README.md index 0432ef2..0c25a9f 100644 --- a/clouds/aws/README.md +++ b/clouds/aws/README.md @@ -95,6 +95,8 @@ Afterwards, one should see following logs in CloudWatch traces for planted Lambd - **`exfiltrateLambdaTasksDirectory.py`** - Script that creates an in-memory ZIP file from the entire directory `$LAMBDA_TASK_ROOT` (typically `/var/task`) and sends it out in a form of HTTP(S) POST request, within an `exfil` parameter. To be used for exfiltrating AWS Lambda's entire source code. +- **`get-session-creds-in-config-format.sh`** - Calls `aws sts assume-role` using MFA token in order to then retrieve session credentials and reformat it into `~/.aws/credentials` file format. Having that it's easy to copy-and-paste that script's output into credentials file. Then tools such as _s3tk_ that are unable to process MFA tokens may just use preconfigured profile creds. + - **`identifyS3Bucket.rb`** - This script attempts to identify passed name whether it resolves to a valid AWS S3 Bucket via different means. This script may come handy when revealing S3 buckets hidden behind HTTP proxies. - **`pentest-ec2-instance`** - A set of utilities for quick starting, ssh-ing and stopping of a single temporary EC2 instance intended to be used for Web out-of-band tests (SSRF, reverse-shells, dns/http/other daemons). diff --git a/clouds/aws/get-session-creds-in-config-format.sh b/clouds/aws/get-session-creds-in-config-format.sh new file mode 100644 index 0000000..334606c --- /dev/null +++ b/clouds/aws/get-session-creds-in-config-format.sh @@ -0,0 +1,34 @@ +#!/bin/bash +# +# This script simply calls `aws sts assume-role` using hardcoded parameters, in order +# to retrieve set of session credentials and reformat it into ~/.aws/credentials file format. +# +# Mariusz B., mgeeky '19 +# + + +# +# Configure below variables. +# +PROFILE_NAME=your-profile-name +SERIAL_MFA=arn:aws:iam:::mfa/ +ROLE_NAME=MWRAuditRole +ROLE_ARN=arn:aws:iam:::role/$ROLE_NAME +DURATION=42000 + +# +# ------------------------ +# + +read -p "Type your AWS MFA Code: " code +echo + +out=$(aws sts assume-role --serial-number $SERIAL_MFA --role-arn $ROLE_ARN --role-session-name $ROLE_NAME --duration-seconds $DURATION --token-code $code) + +if [ $? -eq 0 ]; then + echo "[$PROFILE_NAME]" + echo "$out" | python3 -c 'import sys,json; foo=json.loads(sys.stdin.read()); print("aws_access_key_id={}\naws_secret_access_key={}\naws_session_token={}".format(foo["Credentials"]["AccessKeyId"],foo["Credentials"]["SecretAccessKey"],foo["Credentials"]["SessionToken"]))' + echo +else + echo $out +fi \ No newline at end of file diff --git a/linux/prepare-kali.sh b/linux/prepare-kali.sh index 9167b9b..2fe2265 100644 --- a/linux/prepare-kali.sh +++ b/linux/prepare-kali.sh @@ -98,6 +98,7 @@ cd aws git_clone https://github.com/RhinoSecurityLabs/pacu.git ; cd pacu ; bash install.sh ; cd .. git_clone https://github.com/Alfresco/prowler.git git_clone https://github.com/sa7mon/S3Scanner.git +git_clone https://github.com/ankane/s3tk.git git_clone https://github.com/nahamsec/lazys3.git git_clone https://github.com/andresriancho/nimbostratus.git git_clone https://github.com/duo-labs/cloudmapper.git ; cd cloudmapper/ ; pipenv install --skip-lock ; pipenv shell ; cd .. @@ -234,6 +235,7 @@ git_clone https://github.com/pentestgeek/phishing-frenzy.git git_clone https://github.com/trustedsec/social-engineer-toolkit.git git_clone https://github.com/bluscreenofjeff/Malleable-C2-Randomizer.git git_clone https://github.com/rsmudge/Malleable-C2-Profiles.git +git_clone https://github.com/sense-of-security/ADRecon.git git_clone https://github.com/threatexpress/malleable-c2.git git_clone https://github.com/ropnop/kerbrute.git git_clone https://github.com/Raikia/CredNinja.git