282 lines
10 KiB
Bash
Executable File
282 lines
10 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
AWS_REGION=us-east-1
|
|
EC2_NAME=pentestec2
|
|
EC2_KEY_NAME=ec2-pentest-key
|
|
EC2_SECURITY_GROUP_NAME=ec2-pentest-usage
|
|
MANAGEMENT_SCRIPT=ec2-utils.sh
|
|
|
|
install_prerequisities() {
|
|
if [[ ! -z "$(which ruby)" ]] && [[ ! -z "$(which gem)" ]] && [[ ! -z "$(which bundle)" ]]; then
|
|
echo "[.] Prerequisities already installed."
|
|
return
|
|
fi
|
|
|
|
sudo=sudo
|
|
if [ $EUID -eq 0 ] || [[ ! -z "$(which sudo)" ]]; then
|
|
sudo=
|
|
fi
|
|
|
|
if [[ ! -z "$(which dnf)" ]]; then
|
|
$sudo dnf update
|
|
$sudo dnf install -y ssh cron ruby rubygems awscli jq
|
|
elif [[ ! -z "$(which apt-get)" ]]; then
|
|
$sudo apt-get update
|
|
$sudo apt-get install -y ssh cron ruby rubygems awscli jq
|
|
elif [[ ! -z "$(which yum)" ]]; then
|
|
$sudo yum update
|
|
$sudo yum install -y ssh cron ruby rubygems awscli jq
|
|
else
|
|
echo "[!] Please install following packages: ssh, cron, ruby, rubygems, awscli, jq yourself first."
|
|
exit 1
|
|
fi
|
|
|
|
gem install bundler
|
|
bundle install
|
|
|
|
aw=$(which aws)
|
|
if [ -z "$aw" ]; then
|
|
echo "[!] Something went wrong. There is no 'aws' after installing 'awscli'."
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
configure_credentials() {
|
|
if [ -e ~/.aws/credentials ]; then
|
|
con=$(cat ~/.aws/credentials)
|
|
if echo $con | grep -q AKIA; then
|
|
echo "[.] AWS CLI already configured."
|
|
return
|
|
fi
|
|
fi
|
|
|
|
if [ ! -d "~/.aws" ]; then
|
|
mkdir -p ~/.aws
|
|
fi
|
|
|
|
access_key=
|
|
secret_key=
|
|
read -p 'AWS Access Key (AKIA...): ' access_key
|
|
read -s -p "AWS Secret Access Key: " secret_key
|
|
|
|
if [ "$secret_key" == "" ] || [ "$access_key" == "" ]; then
|
|
echo "[!] You must specify both access key and secret key."
|
|
exit 1
|
|
fi
|
|
|
|
touch ~/.aws/config
|
|
touch ~/.aws/credentials
|
|
|
|
cat <<EOT > ~/.aws/config
|
|
[default]
|
|
region = $AWS_REGION
|
|
output = json
|
|
EOT
|
|
|
|
cat <<EOT > ~/.aws/credentials
|
|
[default]
|
|
aws_access_key_id = $access_key
|
|
aws_secret_access_key = $secret_key
|
|
EOT
|
|
}
|
|
|
|
create_security_group() {
|
|
groupId=$(aws ec2 create-security-group --group-name $EC2_SECURITY_GROUP_NAME --description "Security Group with allow any any for inbound and outbound." 2>&1 )
|
|
|
|
if echo $groupId | grep -q "InvalidGroup.Duplicate"; then
|
|
echo "[.] Security Group already exists."
|
|
return
|
|
elif echo $groupId | grep -q "An error occurred" ; then
|
|
echo "[!] Failed: $groupId"
|
|
exit 1
|
|
fi
|
|
|
|
groupId=$(echo $groupId | jq -r .GroupId)
|
|
|
|
echo "[>] Security Group ID: $groupId"
|
|
aws ec2 authorize-security-group-ingress --group-id $groupId --ip-permissions IpProtocol=tcp,FromPort=0,ToPort=65535,IpRanges='[{CidrIp=0.0.0.0/0,Description="allow any any"}]'
|
|
aws ec2 authorize-security-group-ingress --group-id $groupId --ip-permissions IpProtocol=udp,FromPort=0,ToPort=65535,IpRanges='[{CidrIp=0.0.0.0/0,Description="allow any any"}]'
|
|
aws ec2 authorize-security-group-egress --group-id $groupId --ip-permissions IpProtocol=tcp,FromPort=0,ToPort=65535,IpRanges='[{CidrIp=0.0.0.0/0,Description="allow any any"}]'
|
|
aws ec2 authorize-security-group-egress --group-id $groupId --ip-permissions IpProtocol=udp,FromPort=0,ToPort=65535,IpRanges='[{CidrIp=0.0.0.0/0,Description="allow any any"}]'
|
|
|
|
echo "[>] Created inbound/outbound allow any any rules"
|
|
}
|
|
|
|
delete_key_pair_and_instances() {
|
|
echo "[.] Deleting key pair..."
|
|
out=$(aws ec2 delete-key-pair --key-name $EC2_KEY_NAME 2>&1 )
|
|
if echo $out | grep -q "An error occurred" ; then
|
|
echo "[!] Deleting key pair failed: $out"
|
|
exit 1
|
|
fi
|
|
|
|
echo "[.] Terminating related EC2 instances..."
|
|
out=$(aws ec2 terminate-instances --instance-ids $(aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId' --filters "Name=key-name,Values=$EC2_KEY_NAME" --output text) 2>&1 )
|
|
if echo $out | grep -q "An error occurred" ; then
|
|
echo "[!] Terminating instances failed: $out"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
create_ec2_key_pair() {
|
|
keymaterial=
|
|
out=$(aws ec2 describe-key-pairs --key-name $EC2_KEY_NAME 2>&1 )
|
|
if echo $out | jq -r .KeyPairs[0].KeyName | grep -q $EC2_KEY_NAME ; then
|
|
echo "[.] Key pair already created in your AWS account."
|
|
|
|
filefinger=
|
|
if [ -f "~/.aws/$EC2_KEY_NAME.pem" ] ; then
|
|
filefinger=$(openssl pkcs8 -in ~/.aws/$EC2_KEY_NAME.pem -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c | cut -d= -f2 | tr -d ' ')
|
|
fi
|
|
awsfinger=$(echo $out | jq -r .KeyPairs[0].KeyFingerprint)
|
|
|
|
if [ ! -e ~/.aws/$EC2_KEY_NAME.pem ]; then
|
|
echo
|
|
echo "[!] ERROR: It looks like you don't have ~/.aws/$EC2_KEY_NAME.pem file with your EC2 Key-Pair"
|
|
echo "[!] This means you do have the key pair on your AWS account but not physically in a file."
|
|
echo "[!] In such case you will be unable to SSH into previously created EC2 instances without it, so "
|
|
echo "[!] you are left with creating a new key pair and then terminating existing EC2 instances."
|
|
echo
|
|
read -p "Do you want to remove your $EC2_NAME EC2 instance and recreate key pairs? [y/N] " -n 1 -r
|
|
echo
|
|
if [[ $REPLY =~ ^[Yy]$ ]]
|
|
then
|
|
delete_key_pair_and_instances
|
|
else
|
|
echo "[-] Unable to continue. You must sort this out yourself."
|
|
return
|
|
fi
|
|
elif [ "$filefinger" != "" ] && [ "$awsfinger" != "" ] && [ "$filefinger" != "$awsfinger" ]; then
|
|
echo
|
|
echo "[!] ERROR: It looks like your EC2 Key Pair located at ~/.aws/$EC2_KEY_NAME.pem"
|
|
echo "[!] has differrent fingerprint than the Key Pair on your AWS account."
|
|
echo "[!] In such case you will be unable to SSH into previously created EC2 instances using it, so "
|
|
echo "[!] you are left with creating a new key pair and then terminating existing EC2 instances."
|
|
echo
|
|
echo "Your locally stored PEM fingerprint: $filefinger"
|
|
echo "Your on AWS stored PEM fingerprint: $awsfinger"
|
|
echo
|
|
read -p "Do you want to remove your $EC2_NAME EC2 instance and recreate key pairs? [y/N] " -n 1 -r
|
|
echo
|
|
if [[ $REPLY =~ ^[Yy]$ ]]
|
|
then
|
|
delete_key_pair_and_instances
|
|
else
|
|
echo "[-] Unable to continue. You must sort this out yourself."
|
|
return
|
|
fi
|
|
else
|
|
echo "[+] EC2 Key pair already created. PEM stored at: ~/.aws/$EC2_KEY_NAME.pem"
|
|
return
|
|
fi
|
|
fi
|
|
|
|
keymaterial=$(aws ec2 create-key-pair --key-name $EC2_KEY_NAME 2>&1 )
|
|
if echo $keymaterial | grep -q "An error occurred" ; then
|
|
echo "[!] Creating key pair failed: $keymaterial"
|
|
exit 1
|
|
fi
|
|
|
|
touch ~/.aws/$EC2_KEY_NAME.pem
|
|
echo $keymaterial | jq -r .KeyMaterial > ~/.aws/$EC2_KEY_NAME.pem
|
|
chmod 400 ~/.aws/$EC2_KEY_NAME.pem
|
|
|
|
echo "[+] EC2 Key pair created. PEM stored at: ~/.aws/$EC2_KEY_NAME.pem"
|
|
}
|
|
|
|
integrate_with_bashrc() {
|
|
if cat ~/.bashrc | grep -q $MANAGEMENT_SCRIPT ; then
|
|
echo "[.] Script is already integrated."
|
|
return
|
|
elif cat ~/.bashrc | grep -q "Adding aliases for EC2 single-instance management" ; then
|
|
echo "[.] Script is already integrated."
|
|
return
|
|
fi
|
|
|
|
sed -i -e "s@ruby ./aws-manager.rb@ruby $PWD/aws-manager.rb@" ./$MANAGEMENT_SCRIPT
|
|
|
|
source $PWD/$MANAGEMENT_SCRIPT
|
|
cat <<EOT >> ~/.bashrc
|
|
|
|
# Adding aliases for EC2 single-instance management.
|
|
source $PWD/$MANAGEMENT_SCRIPT
|
|
|
|
EOT
|
|
}
|
|
|
|
add_cron_job() {
|
|
crontab -l > /tmp/.cr 2> /dev/null
|
|
cp /tmp/.cr /tmp/.cr.bak
|
|
|
|
if cat /tmp/.cr | grep -q "aws-manager.rb notify "; then
|
|
echo "[.] Crontab job already scheduled."
|
|
return
|
|
fi
|
|
|
|
cmd="$(which ruby) $PWD/aws-manager.rb notify $EC2_NAME"
|
|
job=" * */2 * * * $USER $cmd"
|
|
|
|
echo -e "[*] Adding following line to crontab:\n\n\t\t$job\n"
|
|
|
|
echo $job >> /tmp/.cr
|
|
crontab /tmp/.cr
|
|
if [ $? -ne 0 ]; then
|
|
echo "[!] Updating crontab failed. Restoring original one (you can find it at: /tmp/.cr.bak) "
|
|
crontab /tmp/.cr.bak
|
|
fi
|
|
rm /tmp/.cr
|
|
#rm /tmp/.cr.bak
|
|
}
|
|
|
|
echo
|
|
echo "----------------------------------------------"
|
|
echo
|
|
echo ":: AWS EC2 single-instance management utilities installation script."
|
|
echo
|
|
echo "This script is going to:"
|
|
echo -e "\t- Update your repos & install packages such as: ssh, cron, jq, ruby, rubygems, awscli, gem bundler, gem 'aws-sdk-ec2'"
|
|
echo -e "\t- Configure your AWS credentials"
|
|
echo -e "\t- Create AWS security groups, EC2 key pairs"
|
|
echo -e "\t- Integrate EC2 management aliases into the end of your .bashrc"
|
|
echo -e "\t- Add a cron job that will notify you every two hours if your EC2 machine is up and running"
|
|
echo
|
|
echo "----------------------------------------------"
|
|
echo
|
|
read -p "Would you like to proceed? [Y/n] " -n 1 -r
|
|
echo
|
|
if [[ $REPLY =~ ^[Yy]$ ]]
|
|
then
|
|
echo -e "\n[.] Step 1: Installing prerequisities first."
|
|
install_prerequisities
|
|
|
|
echo -e "\n[.] Step 2: Configuring credentials."
|
|
configure_credentials
|
|
|
|
echo -e "\n\n[.] Step 3: Creating Security Group."
|
|
create_security_group
|
|
|
|
echo -e "\n[.] Step 4: Creating EC2 Key Pairs."
|
|
create_ec2_key_pair
|
|
|
|
echo -e "\n[.] Step 5: Integrating scripts with your .bashrc"
|
|
integrate_with_bashrc
|
|
|
|
echo -e "\n[.] Step 6: Adding notification cron job"
|
|
add_cron_job
|
|
|
|
echo -e "\n[+] Ready to roll."
|
|
echo
|
|
echo "----------------------------------------------"
|
|
echo
|
|
echo -e "You can now try out our shiny new bash aliases:"
|
|
echo -e "\t- check$EC2_NAME - To check an instance status"
|
|
echo -e "\t- get$EC2_NAME - To get the instance IPv4 address."
|
|
echo -e "\t- start$EC2_NAME - To start the instance."
|
|
echo -e "\t- stop$EC2_NAME - To stop the instance."
|
|
echo -e "\t- terminate$EC2_NAME - To terminate the instance."
|
|
echo -e "\t- ssh$EC2_NAME - To ssh into that instance"
|
|
echo
|
|
echo "Go ahead, check them out. Start with creating EC2 first using 'start$EC2_NAME'"
|
|
bash
|
|
fi
|