Nebula Cloud Penetration Testing Tool

admin, 2023-10-27 18:34:12

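Project Introduction

Nebula is a cloud and DevOps penetration testing framework that builds modules for each provider and each piece of functionality. As of April 2021 it covers only AWS, but it is an ongoing project and is expected to keep growing to test GCP, Azure, Kubernetes, Docker, and automation engines such as Ansible, Terraform and Chef.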

Project Coverage

  • Custom HTTP user agent

  • S3 bucket name brute forcing

  • IAM, EC2 and S3 exploitation

  • IAM, EC2, S3 and Lambda enumeration

Building the Project

Step 1: Download the project files

git clone https://github.com/gl4ssesbo1/Nebula
docker pull gl4ssesbo1/nebula:latest

Step 2: Run the project

cd Nebula
docker run -v $(pwd):/app -ti gl4ssesbo1/nebula:latest main.py

Tool Usage

Help information

()()(AWS) >>> help
Help Command:                   Description:
-------------                   ------------
help                            Show help for all the commands
help credentials                Show help for credentials
help module                     Show help for modules
help workspace                  Show help for credentials
help user-agent                 Show help for credentials
help shell                      Show help for shell connections

Module Commands                 Description
---------------                 -----------
show modules                    List all the modules
show enum                       List all Enumeration modules
show exploit                    List all Exploit modules
show persistence                List all Persistence modules
show privesc                    List all Privilege Escalation modules
show reconnaissance             List all Reconnaissance modules
show listener                   List all Reconnaissance modules
show cleanup                    List all Enumeration modules
show detection                  List all Exploit modules
show detectionbypass            List all Persistence modules
show lateralmovement            List all Privilege Escalation modules
show stager                     List all Reconnaissance modules

use module <module>             Use a module.
options                         Show options of a module you have selected.
run                             Run a module you have selected. Eg: 'run <module name>'
search                          Search for a module via pattern. Eg: 'search s3'
back                            Unselect a module
set <option>                    Set option of a module. Need to have the module used first.
unset <option>                  Unset option of a module. Need to have the module used first.

User-Agent commands             Description
-------------------             -----------
set user-agent windows          Set a windows client user agent
set user-agent linux            Set a linux client user agent
set user-agent custom           Set a custom client user agent
show user-agent                 Show the current user-agent
unset user-agent                Use the user agent that boto3 produces

Workspace Commands              Description
------------------              -----------
create workspace <wp>           Create a workspace
use workspace <wp>              Use one of the workspaces
remove workspace <wp>           Remove a workspace

Shell commands                  Description
-------------------             -----------
shell check_env                 Check the environment you are in, get data and meta-data
shell exit                      Kill a connection
shell <command>                 Run a command on a system. You don't need " on the command, just shell <command1> <command2>
Viewing Permissions

(test)()(AWS) >>> getuid
------------------------------------------------
UserId: A******************Q
------------------------------------------------
        UserID: A******************Q
        Arn: arn:aws:iam::012345678912:user/user_user
        Account: 012345678912
[*] Output is saved to './workspaces/test/12_07_2021_02_22_54_getuid_dev_brian'

(test)()(AWS) >>> enum_user_privs
User: user_user
        UserID: A******************Q
        Arn: arn:aws:iam::012345678912:user/user_user
        Account: 012345678912
--------------------------
Service: ec2
--------------------------
[*] Trying the 'Describe' functions:
[*] 'describe_account_attributes' worked!
[*] 'describe_addresses' worked!
[*] 'describe_aggregate_id_format' worked!
[*] 'describe_availability_zones' worked!
[*] 'describe_bundle_tasks' worked!
[*] 'describe_capacity_reservations' worked!
[*] 'describe_client_vpn_endpoints' worked!
[*] 'describe_coip_pools' worked!
[*] 'describe_customer_gateways' worked!
[*] 'describe_dhcp_options' worked!
[*] 'describe_egress_only_internet_gateways' worked!
^C[*] Stopping. It might take a while. Please wait.
[*] Output of the allowed functions is saved to './workspaces/test/12_07_2021_02_24_09_enum_user_privs'
[*] The list of the allowed functions is saved to './workspaces/test/12_07_2021_02_24_09_allowed_functions'
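The enum_user_privs run above calls one Describe function after another from a single identity, which leaves a recognizable burst in CloudTrail. The following detection sketch is an added example, not part of the original post or of Nebula; the sample records, the threshold and the window are constructed assumptions, and only the standard CloudTrail fields eventTime, eventSource, eventName and userIdentity.arn are used.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records, not real logs. The ARN is the one in the
# getuid output; the names are the API forms of the boto3 calls listed above.
ARN = "arn:aws:iam::012345678912:user/user_user"
CALLS = [
    "DescribeAccountAttributes", "DescribeAddresses", "DescribeAggregateIdFormat",
    "DescribeAvailabilityZones", "DescribeBundleTasks", "DescribeCapacityReservations",
    "DescribeClientVpnEndpoints", "DescribeCoipPools", "DescribeCustomerGateways",
    "DescribeDhcpOptions", "DescribeEgressOnlyInternetGateways",
]
SAMPLE = [
    {"eventTime": f"2021-07-12T02:24:{10 + i:02d}Z", "eventSource": "ec2.amazonaws.com",
     "eventName": name, "userIdentity": {"arn": ARN}}
    for i, name in enumerate(CALLS)
] + [
    {"eventTime": "2021-07-12T02:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::012345678912:user/ops_example"}},
]

def find_enumeration_bursts(records, window=timedelta(minutes=5), threshold=10):
    """Return {principal ARN: sorted distinct Describe* names} for principals that
    called at least `threshold` distinct Describe* APIs inside one sliding window."""
    by_principal = defaultdict(list)
    for rec in records:
        if rec["eventName"].startswith("Describe"):
            ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_principal[rec["userIdentity"]["arn"]].append((ts, rec["eventName"]))
    flagged = {}
    for arn, events in by_principal.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {name for _, name in events[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= threshold:
            flagged[arn] = sorted(best)
    return flagged

if __name__ == "__main__":
    for arn, names in find_enumeration_bursts(SAMPLE).items():
        print(f"{arn}: {len(names)} distinct Describe* calls in one window")
```

Tune the threshold and window against normal automation in the account, since inventory and monitoring tools also issue many Describe calls.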
Listing Modules

()()(AWS) >>> show modules
        cleanup/aws_iam_delete_access_key
                Delete access key of a user by providing it.
        cleanup/aws_iam_delete_login_profile
                Delete access of a user to the Management Console
        enum/aws_ec2_enum_elastic_ips
                Lists User data of an Instance provided. Requires Secret Key and Access Key of an IAM that has access to it.
        enum/aws_ec2_enum_images
                List all ec2 images. Needs credentials of an IAM with DescribeImages right. Output is dumpled on a file. It takes a sh*tload of time, unfortunately. And boy, is it a huge output.
        enum/aws_ec2_enum_instances
                Describes instances attribues: Instances, VCP, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs

Module types:

show module
show enum
show exploit
show persistence
show privesc
show reconnaissance
show listener
show cleanup
show detection
show detectionbypass
show lateralmovement
show stager
Searching Modules

()()(AWS) >>> search instance
        enum/aws_ec2_enum_instances
                Describes instances attribues: Instances, VCP, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs
        enum/aws_iam_list_instance_profiles
                List all the instance profiles.
        exploit/aws_ec2_create_instance_with_user_data
                You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
()()(AWS) >>>
Using a Module

(work1)()(enum/aws_ec2_enum_instances) >>> use module enum/aws_iam_get_group
(work1)()(enum/aws_ec2_enum_instances) >>>
Module Details

(work1)()(enum/aws_ec2_enum_instances) >>> options
Desctiption:
-----------------------------
        Describes instances attribues: Instances, VCP, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs

Author:
-----------------------------
        name: gl4ssesbo1
        twitter: https://twitter.com/gl4ssesbo1
        github: https://github.com/gl4ssesbo1
        blog: https://www.pepperclipp.com/

AWSCLI Command:
-----------------------------
        aws ec2 describe-instances --region {} --profile {}

Needs Credentials: True
-----------------------------

Options:
-----------------------------
        SERVICE: ec2
                Required: true
                Description: The service that will be used to run the module. It cannot be changed.

        INSTANCE-ID:
                Required: false
                Description: The ID of the instance you want to enumerate. If not supplied, all instances will be enumerated.

(work1)()(enum/aws_ec2_enum_instances) >>>
Reverse Shell

A. Stager

()()(AWS) >>> use module stager/aws_python_tcp
()()(stager/aws_python_tcp) >>> options
Desctiption:
-----------------------------
        The TCP Reverse Shell that is used by listeners/aws_python_tcp_listener

Author:
-----------------------------
        name: gl4ssesbo1
        twitter: https://twitter.com/gl4ssesbo1
        github: https://github.com/gl4ssesbo1
        blog: https://www.pepperclipp.com/

Needs Credentials: False
-----------------------------

AWSCLI Command:
-----------------------------
        None

Options:
-----------------------------
        SERVICE: none
                Required: true
                Description: The service that will be used to run the module. It cannot be changed.

        HOST:
                Required: true
                Description: The Host/IP of the C2 Server.

        PORT:
                Required: true
                Description: The C2 Server Port.

        FORMAT:
                Required: true
                Description: The format of the stager. Currently only allows 'py' for Python and 'elf' for ELF Binary.

        CALLBACK-TIME: None
                Required: true
                Description: The time in seconds between callbacks from Stager. The Stager calls back even if the server crashes or is stoped in a loop.

        OUTPUT-FILE-NAME:
                Required: true
                Description: The name of the stager output file.

B. Listener

()()(stager/aws_python_tcp) >>> use module listeners/aws_python_tcp_listener
()()(listeners/aws_python_tcp_listener) >>> options
Desctiption:
-----------------------------
        TCP Listener for Reverse Shell stagers/aws_python_tcp

Author:
-----------------------------
        name: gl4ssesbo1
        twitter: https://twitter.com/gl4ssesbo1
        github: https://github.com/gl4ssesbo1
        blog: https://www.pepperclipp.com/

Needs Credentials: False
-----------------------------

AWSCLI Command:
-----------------------------
        None

Options:
-----------------------------
        SERVICE: none
                Required: true
                Description: The service that will be used to run the module. It cannot be changed.

        HOST: 0.0.0.0
                Required: true
                Description: The Host/IP of the C2 Server.

        PORT:
                Required: true
                Description: The C2 Server Port.

C. Agents

()()(AWS) >>> set user-agent linux
User Agent: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic was set
()()(AWS) >>> show user-agent
[*] User Agent is: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic
()()(AWS) >>> set user-agent windows
User Agent: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48 was set
()()(AWS) >>> show user-agent
[*] User Agent is: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48
()()(AWS) >>> set user-agent custom
Enter the User-Agent you want: sth
User Agent: sth was set
()()(AWS) >>> show user-agent
[*] User Agent is: sth
()()(AWS) >>>
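The preset strings printed in the session above are fixed values, so they can be matched in the CloudTrail userAgent field, and a single access key that presents several different client strings is worth a look on its own. The following check is an added example, not part of the original post or of Nebula; the sample records, the placeholder access key IDs and the max_distinct cut-off are constructed assumptions.

```python
from collections import defaultdict

# The two preset strings printed by 'set user-agent linux' and 'set user-agent windows' above.
PRESET_UAS = {
    "Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic",
    "Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48",
}

# Constructed CloudTrail-style records, not real logs; key IDs are placeholders.
KEY_A, KEY_B = "AKIAEXAMPLEKEY000001", "AKIAEXAMPLEKEY000002"
SAMPLE = [
    {"eventName": "GetCallerIdentity", "userIdentity": {"accessKeyId": KEY_A},
     "userAgent": "Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic"},
    {"eventName": "DescribeInstances", "userIdentity": {"accessKeyId": KEY_A},
     "userAgent": "Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48"},
    {"eventName": "ListUsers", "userIdentity": {"accessKeyId": KEY_A},
     "userAgent": "sth"},
    {"eventName": "DescribeInstances", "userIdentity": {"accessKeyId": KEY_B},
     "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/5.15.0 exe/x86_64.ubuntu.22"},
]

def review_user_agents(records, max_distinct=2):
    """Per access key, report which preset strings were seen and whether the key
    used more than `max_distinct` different user agents (client string switching)."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["userIdentity"]["accessKeyId"]].add(rec.get("userAgent", ""))
    findings = {}
    for key, agents in seen.items():
        presets = sorted(agents & PRESET_UAS)
        switching = len(agents) > max_distinct
        if presets or switching:
            findings[key] = {
                "preset_hits": presets,
                "distinct_agents": len(agents),
                "switching": switching,
            }
    return findings

if __name__ == "__main__":
    for key, info in review_user_agents(SAMPLE).items():
        print(key, info)
```

A custom string such as the 'sth' value in the session cannot be matched by value, which is why the per-key count of distinct user agents is reported alongside the exact matches.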



Originally published on the WeChat official account 七芒星实验室: Nebula Cloud Penetration Testing Tool
