Added get-session-creds-in-config-format.sh and couple of repos to prepare-kali.sh

clouds/aws/README.md

@@ -95,6 +95,8 @@ Afterwards, one should see following logs in CloudWatch traces for planted Lambd
 
 - **`exfiltrateLambdaTasksDirectory.py`** - Script that creates an in-memory ZIP file from the entire directory `$LAMBDA_TASK_ROOT` (typically `/var/task`) and sends it out in a form of HTTP(S) POST request, within an `exfil` parameter. To be used for exfiltrating AWS Lambda's entire source code.
 
+- **`get-session-creds-in-config-format.sh`** - Calls `aws sts assume-role` using MFA token in order to then retrieve session credentials and reformat it into `~/.aws/credentials` file format. Having that it's easy to copy-and-paste that script's output into credentials file. Then tools such as _s3tk_ that are unable to process MFA tokens may just use preconfigured profile creds. 
+
 - **`identifyS3Bucket.rb`** - This script attempts to identify passed name whether it resolves to a valid AWS S3 Bucket via different means. This script may come handy when revealing S3 buckets hidden behind HTTP proxies.
 
 - **`pentest-ec2-instance`** - A set of utilities for quick starting, ssh-ing and stopping of a single temporary EC2 instance intended to be used for Web out-of-band tests (SSRF, reverse-shells, dns/http/other daemons).

clouds/aws/get-session-creds-in-config-format.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+#
+# This script simply calls `aws sts assume-role` using hardcoded parameters, in order
+# to retrieve set of session credentials and reformat it into ~/.aws/credentials file format.
+#
+# Mariusz B., mgeeky '19
+#
+
+
+#
+# Configure below variables.
+#
+PROFILE_NAME=your-profile-name
+SERIAL_MFA=arn:aws:iam::<NUMBER>:mfa/<USER-NAME>
+ROLE_NAME=MWRAuditRole
+ROLE_ARN=arn:aws:iam::<NUMBER>:role/$ROLE_NAME
+DURATION=42000
+
+#
+# ------------------------
+#
+
+read -p "Type your AWS MFA Code: " code
+echo
+
+out=$(aws sts assume-role --serial-number $SERIAL_MFA --role-arn $ROLE_ARN --role-session-name $ROLE_NAME --duration-seconds $DURATION --token-code $code)
+
+if [ $? -eq 0 ]; then
+	echo "[$PROFILE_NAME]"
+	echo "$out" | python3 -c 'import sys,json; foo=json.loads(sys.stdin.read()); print("aws_access_key_id={}\naws_secret_access_key={}\naws_session_token={}".format(foo["Credentials"]["AccessKeyId"],foo["Credentials"]["SecretAccessKey"],foo["Credentials"]["SessionToken"]))'
+	echo
+else
+	echo $out
+fi

linux/prepare-kali.sh

@@ -98,6 +98,7 @@ cd aws
 git_clone https://github.com/RhinoSecurityLabs/pacu.git ; cd pacu ; bash install.sh ; cd ..
 git_clone https://github.com/Alfresco/prowler.git
 git_clone https://github.com/sa7mon/S3Scanner.git
+git_clone https://github.com/ankane/s3tk.git
 git_clone https://github.com/nahamsec/lazys3.git
 git_clone https://github.com/andresriancho/nimbostratus.git
 git_clone https://github.com/duo-labs/cloudmapper.git ; cd cloudmapper/ ; pipenv install --skip-lock ; pipenv shell ; cd ..
@@ -234,6 +235,7 @@ git_clone https://github.com/pentestgeek/phishing-frenzy.git
 git_clone https://github.com/trustedsec/social-engineer-toolkit.git
 git_clone https://github.com/bluscreenofjeff/Malleable-C2-Randomizer.git
 git_clone https://github.com/rsmudge/Malleable-C2-Profiles.git
+git_clone https://github.com/sense-of-security/ADRecon.git
 git_clone https://github.com/threatexpress/malleable-c2.git
 git_clone https://github.com/ropnop/kerbrute.git
 git_clone https://github.com/Raikia/CredNinja.git