Nebula C2 Framework

Nebula is a cloud and (hopefully) DevOps penetration testing framework. It is built with modules for each provider and functionality. As of April 2021 it only covers AWS, but it is an ongoing project and we hope it keeps growing to test GCP, Azure, Kubernetes, Docker, or automation engines such as Ansible, Terraform, Chef, etc. I started writing it while reading "Hands-On AWS Penetration Testing with Kali Linux" ( https://www.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725 ) and it is based on Pacu ( https://github.com/RhinoSecurityLabs/pacu ).
Presentations:
BlackHat Europe 2021: https://www.blackhat.com/eu-21/arsenal/schedule/index.html#nebula-a-case-study-in-penetrating-something-as-soft-as-a-cloud-25174
It currently covers:
Enumeration, exploitation and post-exploitation of AWS, Azure (Graph and Management APIs) and DigitalOcean
There are currently 53 modules covering:
Reconnaissance
Enumeration
Exploitation
Cleanup
Version 3.0 includes:
Team cooperation through a client-server architecture
All requests require authentication (except the authentication request itself, of course)
All information is stored in a MongoDB server and can be accessed through commands. The information must of course have been enumerated beforehand, but this makes it possible to avoid enumerating a given object again.
Installation
Server
Nebula is written in Python 3.11. It uses the boto3 library to access AWS. To install it, simply go to the teamserver directory and build the container:
$ docker build -t nebula-teamserver .
Then simply run it using Docker:
$ docker run -it nebula-teamserver -dH -du -dp -dn --p
------------------------------------------------------------
_ _ _ _
| \ | | | | | |
| \| | ___| |__ _ _| | __ _
| . ` |/ _ \ '_ \| | | | |/ _` |
_______ | |\ | __/ |_) | |_| | | (_| |
|__ __||_| \_|\___|_.__/ \__,_|_|\__,_|
| | ___ __ _ _ __ ___ ___ ___ _ ____ _____ _ __
| |/ _ \/ _` | '_ ` _ \/ __|/ _ \ '__\ \ / / _ \ '__|
| | __/ (_| | | | | | \__ \ __/ | \ V / __/ |
|_|\___|\__,_|_| |_| |_|___/\___|_| \_/ \___|_|
-------------------------------------------------------------
37 aws 0 gcp 4 azure 0 office365
0 docker 0 kubernetes 4 misc 11 azuread
4 digitalocean
-------------------------------------------------------------
60 modules 6 cleanup 0 detection
19 enum 5 exploit 2 persistence
1 listeners 0 lateral movement 7 detection bypass
7 privesc 10 reconnaissance 2 stager 0 postexploitation
1 misc
[*] Port is busy. Is a MongoDB instance running there? [y/N] y
------------------------------------------------------------
[*] JWT Secret Key set to: ''
[*] Database Server set to: ':'
[*] Database set to: ''
[*] Teamserver IP address is ''
[*] User 'cosmonaut' was created!
[*] API Server set to: ':'
------------------------------------------------------------
Client
The same goes for the client. Simply go to the client directory and build the container:
$ docker build -t nebula-client .
Then simply run it using Docker:
$ docker run -it nebula-client -ah -p -b
-------------------------------------------------------------
37 aws 0 gcp 4 azure 0 office365
0 docker 0 kubernetes 4 misc 13 azuread
4 digitalocean
-------------------------------------------------------------
62 modules 6 cleanup 0 detection
19 enum 5 exploit 2 persistence
1 listeners 0 lateral movement 7 detection bypass
7 privesc 10 reconnaissance 2 stager
1 misc 2 initialaccess 0 postexploitation
-------------------------------------------------------------
[*] Importing sessions found on ~/.aws
[*] No sessions found on ~/.aws
()()(Nebula) >>>
Usage
...........
...''''''''''''''...
..'''''...........''''''............
..''''.. ...'''''''''''''''...
..'''.. ..............'''''..
.''''. .;loddool:'. ..''''..
..'''. .;clokXWWMWNKkl;. .''''.
.'''. .',,'.. ';dNMMMMMWKko;. .'''..
.''''. .cx0NWWNX0koc;,'cKMMMMMMMMMWXOo:. .''''....
.'''. .',',:oONMMMMMWNNNWMMMMMMWKk0WMMWXx' .''''''''...
..'''. .,dXMMMMMMMMMMMMMNOl',oONWWd. .......'''''..
...'''''.. :o' cXMMMMMMMMMMMMMWNXKKXNWWKxc,. ..''''..
..''''.... oNKl'. ..oXMMMMMMMMMMMMMMMMMMMMMMMMMNKOdc,.. ..''''.
..''''.. ,OWWX0O0XWMMMMMMMMMMMMMMMMMMWWWWMMMMMMMMMWXOxooxk:. ..'''.
..'''''''''''''''''''''. .l0NMMMMMMMMMMMMMMMMMMMMN0dc;;;coONMMMMMMMMMMMMMK: ..'''.
....................... .,dXMMMMMMMMMMMMMMMMMMWX0ko:. .;OWMMMMMMMMMMMWx. .'''.
.oWMMMMMMMMMMMMMMWNXXXWMMWKd' .:lccclodOXWMWd. .'''.
,lc' .................. ',. .,OWMMMMMMMMMMMMXx:'...:0WMMMKl. .. .'oKO, .'''.
,0MWx. .''''''''''''''''''. ;OKOOOO0NWMMMMMMMMMMMMNl. .cdoox0XOl;'....... ... .'''.
.;ol' ................... ;kXWMMMMMMMMMMMMMMMMMWx. .:0WNKkdo:. ... .'''.
.................... .:ldxk0XWMMMMMMMMMMMW0o' .';;,. .... ..'''.
;k00000000000000000000x' ..;lkXWMMMMMMMMMWXkc. ..'''.
.lXWWWWWWWWWWWWWWWWWWMMWKl. ;OWMMMMMMMMMMMWKx:. ..''''.
.,,,,,,,,,,,,,,,,,:kNMMW0o,. 'kWMMMMMMMMMMMMMMWKd,. ..''''..
.:ONMMMNKkdlc:::::::::ccldkKWMMMMMMMMMMMMMMMMMMNOl' ...........'''''..
.,oOXWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWXkc....''''''''''...
.':ldkO0000000000000000000000000000000000000000Ox:. ........
...........................................
_ _______ ______ _ _______
( ( /|( ____ \( ___ \ |\ /|( \ ( ___ )
| \ ( || ( \/| ( ) )| ) ( || ( | ( ) |
| \ | || (__ | (__/ / | | | || | | (___) |
| (\ \) || __) | __ ( | | | || | | ___ |
| | \ || ( | ( \ \ | | | || | | ( ) |
| ) \ || (____/\| )___) )| (___) || (____/\| ) ( |
|/ )_)(_______/|/ \___/ (_______)(_______/|/ \|
Because Clouds are so AWSome
-------------------------------------------------------------
Created by: gl4ssesbo1
-------------------------------------------------------------
48 aws 1 gcp 7 azure 0 office365
0 docker 0 kubernetes 6 misc 4 azuread
4 digitalocean
-------------------------------------------------------------
81 modules 6 cleanup 0 detection
19 enum 22 exploit 2 persistence
2 listeners 0 lateral movement 7 detection bypass
0 privesc 16 reconnaissance 2 stager 1 postexploitation
4 misc
Remember:
-------------------------------------------------------------
1) Only use this tool if you have permissions from the
infrastructure's owner. Don't be a dick. Don't choose jail.
And if you have some scruples, don't hack others just because
you can (or cannot, in which case that's why you chose this
tool to do it).
2) There is a template file on module directory that you can
use if you want to develop new modules. If you want to
contribute on this tool, be my guest.
3) Thank you for using this tool and Hack the Planet Legally!
-------------------------------------------------------------
[*] Importing sessions found on ~/.aws
[*] Imported sessions found on ~/.aws. Enter 'show credentials' to get the credentials.
(test)()(Nebula)
Help
Running the help command gives you a list of the commands that can be used:
()()(AWS) >>> help
Help Command: Description:
------------- ------------
help Show help for all the commands
help credentials Show help for credentials
help module Show help for modules
help workspace Show help for credentials
help user-agent Show help for credentials
help shell Show help for shell connections
Module Commands Description
--------------- -----------
show modules List all the modules
show enum List all Enumeration modules
show exploit List all Exploit modules
show persistence List all Persistence modules
show privesc List all Privilege Escalation modules
show reconnaissance List all Reconnaissance modules
show listener List all Reconnaissance modules
show cleanup List all Enumeration modules
show detection List all Exploit modules
show detectionbypass List all Persistence modules
show lateralmovement List all Privilege Escalation modules
show stager List all Reconnaissance modules
use module Use a module.
options Show options of a module you have selected.
run Run a module you have selected. Eg: 'run '
search Search for a module via pattern. Eg: 'search s3'
back Unselect a module
set Set option of a module. Need to have the module used first.
unset Unset option of a module. Need to have the module used first.
User-Agent commands Description
------------------- -----------
set user-agent windows Set a windows client user agent
set user-agent linux Set a linux client user agent
set user-agent custom Set a custom client user agent
show user-agent Show the current user-agent
unset user-agent Use the user agent that boto3 produces
Workspace Commands Description
------------------ -----------
create workspace Create a workspace
use workspace Use one of the workspaces
remove workspace Remove a workspace
Shell commands Description
------------------- -----------
shell check_env Check the environment you are in, get data and meta-data
shell exit Kill a connection
shell Run a command on a system. You don't need " on the command, just shell
Enumerating privileges
Once you have a set of credentials, you can enter getuid to get the user, or enum_user_privs to check the read permissions of a set of credentials.
getuid
(test)()(AWS) >>> getuid
------------------------------------------------
UserId: A******************Q
------------------------------------------------
UserID: A******************Q
Arn: arn:aws:iam::012345678912:user/user_user
Account: 012345678912
[*] Output is saved to './workspaces/test/12_07_2021_02_22_54_getuid_dev_brian'
If the credentials do not have the privileges below,
STS:GetUserIdentity
IAM:GetUser
IAM:ListAttachedUserPolicies
IAM:GetPolicy (for all policies)
you will receive an error:
[*] An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::012345678912:user/user_user is not authorized to perform: iam:GetUser on resource: user user_user
enum_user_privs
This command checks the List and Describe privileges of a set of credentials.
(test)()(AWS) >>> enum_user_privs
User: user_user
UserID: A******************Q
Arn: arn:aws:iam::012345678912:user/user_user
Account: 012345678912
--------------------------
Service: ec2
--------------------------
[*] Trying the 'Describe' functions:
[*] 'describe_account_attributes' worked!
[*] 'describe_addresses' worked!
[*] 'describe_aggregate_id_format' worked!
[*] 'describe_availability_zones' worked!
[*] 'describe_bundle_tasks' worked!
[*] 'describe_capacity_reservations' worked!
[*] 'describe_client_vpn_endpoints' worked!
[*] 'describe_coip_pools' worked!
[*] 'describe_customer_gateways' worked!
[*] 'describe_dhcp_options' worked!
[*] 'describe_egress_only_internet_gateways' worked!
^C[*] Stopping. It might take a while. Please wait.
[*] Output of the allowed functions is saved to './workspaces/test/12_07_2021_02_24_09_enum_user_privs'
[*] The list of the allowed functions is saved to './workspaces/test/12_07_2021_02_24_09_allowed_functions'
Modules
Listing modules
You can list all modules or a specific module category:
()()(AWS) >>> show modules
cleanup/aws_iam_delete_access_key Delete access key of a user by providing
it.
cleanup/aws_iam_delete_login_profile Delete access of a user to the Management
Console
enum/aws_ec2_enum_elastic_ips Lists User data of an Instance provided.
Requires Secret Key and Access Key of an IAM that has access
to it.
enum/aws_ec2_enum_images List all ec2 images. Needs credentials of an
IAM with DescribeImages right. Output is dumpled on a file.
It takes a sh*tload of time, unfortunately. And boy, is it a
huge output.
enum/aws_ec2_enum_instances Describes instances attribues: Instances, VCP,
Zones, Images, Security Groups, Snapshots, Subnets, Tags,
Volumes. Requires Secret Key and Access Key of an IAM that
has access to all or any of the API calls:
DescribeAvailabilityZones, DescribeImages,
DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups,
DescribeSnapshots, DescribeSubnets, DescribeTags,
DescribeVolumes, DescribeVpcs
And so you can use:
show module
show enum
show exploit
show persistence
show privesc
show reconnaissance
show listener
show cleanup
show detection
show detectionbypass
show lateralmovement
show stager
Searching for modules
Use the search command to look for modules matching a specific word:
()()(AWS) >>> search instance
enum/aws_ec2_enum_instances Describes instances attribues: Instances, VCP,
Zones, Images, Security Groups, Snapshots, Subnets, Tags,
Volumes. Requires Secret Key and Access Key of an IAM that
has access to all or any of the API calls:
DescribeAvailabilityZones, DescribeImages,
DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups,
DescribeSnapshots, DescribeSubnets, DescribeTags,
DescribeVolumes, DescribeVpcs
enum/aws_iam_list_instance_profiles List all the instance profiles.
exploit/aws_ec2_create_instance_with_user_data You must provide policies in JSON format in
IAM. However, for AWS CloudFormation templates formatted in
YAML, you can provide the policy in JSON or YAML format. AWS
CloudFormation always converts a YAML policy to JSON format
before submitting it to IAM.
()()(AWS) >>>
Using modules
To use a module, simply type use and the module name. The third set of brackets will contain the module name.
(work1)()(enum/aws_ec2_enum_instances) >>> use module enum/aws_iam_get_group
(work1)()(enum/aws_ec2_enum_instances) >>>
Options
Using options, we can list the module's information:
(work1)()(enum/aws_ec2_enum_instances) >>> options
Desctiption:
-----------------------------
Describes instances attribues: Instances, VCP, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs
Author:
-----------------------------
name: gl4ssesbo1
twitter:https://twitter.com/gl4ssesbo1
>>>> github: https://github.com/gl4ssesbo1
>>>> blog: https://www.pepperclipp.com/
AWSCLI Command:
-----------------------------
aws ec2 describe-instances --region {} --profile {}
Needs Credentials: True
-----------------------------
Options:
-----------------------------
SERVICE: ec2
Required: true
Description: The service that will be used to run the module. It cannot be changed.
INSTANCE-ID:
Required: false
Description: The ID of the instance you want to enumerate. If not supplied, all instances will be enumerated.
(work1)()(enum/aws_ec2_enum_instances) >>>
To set options, use set followed by the option name:
(work1)()(enum/aws_ec2_enum_instances) >>> set INSTANCE-ID 1234
(work1)()(enum/aws_ec2_enum_instances) >>> options
Desctiption:
-----------------------------
Describes instances attribues: Instances, VCP, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs
Author:
-----------------------------
name: gl4ssesbo1
twitter: https://twitter.com/gl4ssesbo1
>>>> github: https://github.com/gl4ssesbo1
>>>> blog: https://www.pepperclipp.com/
Needs Credentials: True
-----------------------------
AWSCLI Command:
-----------------------------
aws ec2 describe-instances --region {} --profile {}
Options:
-----------------------------
SERVICE: ec2
Required: true
Description: The service that will be used to run the module. It cannot be changed.
INSTANCE-ID: 1234
Required: false
Description: The ID of the instance you want to enumerate. If not supplied, all instances will be enumerated.
(work1)()(enum/aws_ec2_enum_instances) >>>
You can also unset them using unset.
(work1)()(enum/aws_ec2_enum_instances) >>> unset INSTANCE-ID
(work1)()(enum/aws_ec2_enum_instances) >>>
Running the module
To run the module, if it requires credentials, you must have imported a set of credentials with the necessary permissions. This is shown in the module's options as:
Needs Credentials: True
-----------------------------
To run it, simply type `run`. Depending on the output, it will show a paginated view or just print it. Pagination uses the `less` binary, which on Windows uses the binary from `https://github.com/jftuga/less-Windows`. A copy of the `exe` is in the `less_binary` directory. The output is also saved to files in the workspace directory:
(work1)()(enum/aws_ec2_enum_instances) >>> run
[*] Content dumped on file './workspaces/work1/16_04_2021_18_16_48_ec2_enum_instances'.
Credentials
Entering credentials: Nebula can use both the AccessKeyID + SecretKey combination and the AccessKeyID + SecretKey + SessionKey combination to authenticate to the infrastructure. To enter a set of credentials, use:
()()(AWS) >>> set credentials test1
Profile Name: test1
Access Key ID: A*********2
Secret Key ID: a****************************7
Region: us-west-3
Do you also have a session token?[y/N]
[*] Credentials set. Use 'show credentials' to check them.
[*] Currect credential profile set to 'test1'.Use 'show current-creds' to check them.
You will get a few prompts that let you configure them. You can add the session token while entering the credentials by answering "y" when asked "Do you also have a session token? [y/N]".
Using credentials
To use another set of credentials, simply enter:
()()(AWS) >>> use credentials test1
[*] Currect credential profile set to 'test1'.Use 'show current-creds' to check them.
Current credentials: When you enter credentials, they automatically become the current ones, i.e. the ones that will be used to authenticate. To check the current credentials, use:
()()(AWS) >>> show current-creds
{
"profile": "test1",
"access_key_id": "A*********2",
"secret_key": "a****************************7",
"region": "us-west-3"
}
Removing credentials
In case you no longer want your credentials, you can remove them using:
()()(AWS) >>> remove credentials test1
You are about to remove credential 'test1'. Are you sure? [y/N] y
Dumping and importing credentials
In case you want to save your credentials on the machine, you can use:
()()(AWS) >>> dump credentials
[*] Credentials dumped on file './credentials/16_04_2021_17_37_59'.
They will be saved to a file named with the date and time of the dump in Nebula's credentials directory. To import them, simply type:
()()(AWS) >>> import credentials 16_04_2021_17_37_59
()()(AWS) >>> show credentials
[
{
"profile": "test1",
"access_key_id": "A*********2",
"secret_key": "a****************************7",
"region": "us-west-3"
}
]
Workspaces
Nebula uses workspaces to save the output of every command. The output is saved as JSON data (except for s3_name_fuzzer, which saves it as XML) in a folder created under the workspaces directory.
Creating workspaces
To create one, enter:
()()(AWS) >>> create workspace work1
[*] Workspace 'work1' created.
[*] Current workspace set at 'work1'.
(work1)()(AWS) >>> ls ./workspaces
Directory: C:\Users\***\Desktop\Nebula\workspaces
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/16/2021 5:42 PM work1
-a---- 4/16/2021 4:40 PM 0 __init__.py
Once it is created, the first set of brackets will contain the name of the workspace you are working in. If you want to use an existing workspace, simply type:
()()(AWS) >>> use workspace work1
(work1)()(AWS) >>>
Using a workspace is mandatory, so even if you are not using one right now, when you run a module you will be asked to create one with a random name, or to create one with a custom name yourself.
()()(enum/aws_ec2_enum_instances) >>> run
A workspace is not configured. Workstation 'qxryiuct' will be created. Are you sure? [y/N] n
[*] Create a workstation first using 'create workstation '.
()()(enum/aws_ec2_enum_instances) >>>
Listing workspaces
To get a list of workspaces, use:
(work1)()(enum/aws_ec2_enum_instances) >>> show workspaces
-----------------------------------
Workspaces:
-----------------------------------
work1
(work1)()(enum/aws_ec2_enum_instances) >>>
Removing workspaces
To remove a workspace, enter:
()()(AWS) >>> remove workspace work1
[*] Are you sure you want to delete the workspace? [y/N] y
()()(AWS) >>> show workspaces
-----------------------------------
Workspaces:
-----------------------------------
()()(AWS) >>>
Reverse shell
To create a reverse shell, you need to generate a stager and run a listener. To use this feature, Nebula must run as root (in order to open ports).
Stager
To generate a stager, use the modules under stagers:
()()(AWS) >>> use module stager/aws_python_tcp
()()(stager/aws_python_tcp) >>> options
Desctiption:
-----------------------------
The TCP Reverse Shell that is used by listeners/aws_python_tcp_listener
Author:
-----------------------------
name: gl4ssesbo1
twitter: https://twitter.com/gl4ssesbo1
>>>> github: https://github.com/gl4ssesbo1
>>>> blog: https://www.pepperclipp.com/
Needs Credentials: False
-----------------------------
AWSCLI Command:
-----------------------------
None
Options:
-----------------------------
SERVICE: none
Required: true
Description: The service that will be used to run the module. It cannot be changed.
HOST:
Required: true
Description: The Host/IP of the C2 Server.
PORT:
Required: true
Description: The C2 Server Port.
FORMAT:
Required: true
Description: The format of the stager. Currently only allows 'py' for Python and 'elf' for ELF Binary.
CALLBACK-TIME: None
Required: true
Description: The time in seconds between callbacks from Stager. The Stager calls back even if the server crashes or is stoped in a loop.
OUTPUT-FILE-NAME:
Required: true
Description: The name of the stager output file.
The options to fill in are:
HOST: the IP or domain of the C2 server
PORT: the port of the C2 server
FORMAT: currently only raw Python files and ELF binaries are supported
CALLBACK-TIME: the interval in seconds at which sessions call back. They call back even while the current session is active, and also if the server crashes or is closed, so that access to the machine is not lost.
OUTPUT-FILE-NAME: the name of the output file.
Running the module will generate a stager saved to ./workspaces/workspacename/stagername
Listener
The listener is simple. Just set the host (0.0.0.0 by default) and the port, and the server will be created. To run the listener, Nebula must run as root.
()()(stager/aws_python_tcp) >>> use module listeners/aws_python_tcp_listener
()()(listeners/aws_python_tcp_listener) >>> options
Desctiption:
-----------------------------
TCP Listener for Reverse Shell stagers/aws_python_tcp
Author:
-----------------------------
name: gl4ssesbo1
twitter: https://twitter.com/gl4ssesbo1
>>>> github: https://github.com/gl4ssesbo1
>>>> blog: https://www.pepperclipp.com/
Needs Credentials: False
-----------------------------
AWSCLI Command:
-----------------------------
None
Options:
-----------------------------
SERVICE: none
Required: true
Description: The service that will be used to run the module. It cannot be changed.
HOST: 0.0.0.0
Required: true
Description: The Host/IP of the C2 Server.
PORT:
Required: true
Description: The C2 Server Port.
User agents
User agents can be set to Linux, Windows or a custom value. To display the current one, simply use `show`.
()()(AWS) >>> set user-agent linux
User Agent: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic was set
()()(AWS) >>> show user-agent
[*] User Agent is: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic
()()(AWS) >>> set user-agent windows
User Agent: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48 was set
()()(AWS) >>> show user-agent
[*] User Agent is: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48
()()(AWS) >>> set user-agent custom
Enter the User-Agent you want: sth
User Agent: sth was set
()()(AWS) >>> show user-agent
[*] User Agent is: sth
()()(AWS) >>>
To disable a user agent, enter:
()()(AWS) >>> unset user-agent
[*] User Agent set to empty.
which will fall back to the system's own user agent.
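Both the permission probing that enum_user_privs performs (a run of Describe* calls, several of them denied) and the fixed user-agent strings shown above leave distinctive traces in CloudTrail. The following detector is an added example, not part of Nebula; the CloudTrail records, the thresholds and the principal ops-admin are constructed for the example, while the user-agent strings and the user_user ARN are the ones shown in this README.

```python
"""Flag Nebula-style traces in CloudTrail records (added example, not Nebula's code)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Exact strings that `set user-agent linux` / `set user-agent windows` send (from the README).
NEBULA_STATIC_USER_AGENTS = {
    "Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic",
    "Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48",
}

# Thresholds are assumptions for this example; tune them to your environment.
BURST_WINDOW = timedelta(minutes=5)
BURST_MIN_CALLS = 8
BURST_MIN_DENIED = 3


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_static_user_agents(records):
    """Return (principal ARN, eventName, userAgent) for calls made with a Nebula preset UA."""
    return [(r["userIdentity"]["arn"], r["eventName"], r.get("userAgent", ""))
            for r in records if r.get("userAgent", "") in NEBULA_STATIC_USER_AGENTS]


def find_enum_bursts(records):
    """Flag principals issuing many read-only Describe*/List*/Get* calls, several of
    them AccessDenied, within BURST_WINDOW: the footprint of enum_user_privs walking
    a service's API with credentials that only hold part of the permissions."""
    per_principal = defaultdict(list)
    for r in records:
        if r["eventName"].startswith(("Describe", "List", "Get")):
            per_principal[r["userIdentity"]["arn"]].append(r)
    alerts = []
    for arn, evs in per_principal.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if _ts(e) - _ts(first) <= BURST_WINDOW]
            denied = sum(1 for e in window if e.get("errorCode") == "AccessDenied")
            if len(window) >= BURST_MIN_CALLS and denied >= BURST_MIN_DENIED:
                alerts.append({"arn": arn, "calls": len(window), "denied": denied,
                               "services": sorted({e["eventSource"] for e in window})})
                break  # one alert per principal is enough
    return alerts


def _rec(t, arn, source, name, ua, error=None):
    r = {"eventTime": t, "userIdentity": {"arn": arn}, "eventSource": source,
         "eventName": name, "userAgent": ua}
    if error:
        r["errorCode"] = error
    return r


ATTACKER = "arn:aws:iam::012345678912:user/user_user"  # ARN shown in the README output
ADMIN = "arn:aws:iam::012345678912:user/ops-admin"     # constructed benign principal
UA_NEBULA = "Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic"
UA_CLI = "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0 exe/x86_64"  # constructed

# Constructed records: a getuid attempt, then enum_user_privs walking ec2 Describe* calls.
SAMPLE_RECORDS = [
    _rec("2021-07-12T02:22:54Z", ATTACKER, "sts.amazonaws.com", "GetCallerIdentity", UA_NEBULA),
    _rec("2021-07-12T02:22:55Z", ATTACKER, "iam.amazonaws.com", "GetUser", UA_NEBULA, "AccessDenied"),
    _rec("2021-07-12T02:24:09Z", ATTACKER, "ec2.amazonaws.com", "DescribeAccountAttributes", UA_NEBULA),
    _rec("2021-07-12T02:24:10Z", ATTACKER, "ec2.amazonaws.com", "DescribeAddresses", UA_NEBULA),
    _rec("2021-07-12T02:24:11Z", ATTACKER, "ec2.amazonaws.com", "DescribeAvailabilityZones", UA_NEBULA),
    _rec("2021-07-12T02:24:12Z", ATTACKER, "ec2.amazonaws.com", "DescribeBundleTasks", UA_NEBULA, "AccessDenied"),
    _rec("2021-07-12T02:24:13Z", ATTACKER, "ec2.amazonaws.com", "DescribeCapacityReservations", UA_NEBULA, "AccessDenied"),
    _rec("2021-07-12T02:24:14Z", ATTACKER, "ec2.amazonaws.com", "DescribeClientVpnEndpoints", UA_NEBULA, "AccessDenied"),
    _rec("2021-07-12T02:24:15Z", ATTACKER, "ec2.amazonaws.com", "DescribeCoipPools", UA_NEBULA),
    _rec("2021-07-12T02:24:16Z", ATTACKER, "ec2.amazonaws.com", "DescribeCustomerGateways", UA_NEBULA),
    _rec("2021-07-12T02:30:00Z", ADMIN, "ec2.amazonaws.com", "DescribeInstances", UA_CLI),
    _rec("2021-07-12T02:31:00Z", ADMIN, "s3.amazonaws.com", "ListBuckets", UA_CLI),
]


def scan(records):
    return {"static_user_agent_hits": find_static_user_agents(records),
            "enum_bursts": find_enum_bursts(records)}


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_RECORDS), indent=2))
```

The static user-agent check only catches the two presets; `set user-agent custom` or `unset user-agent` defeats it, so the burst heuristic is the one worth keeping in production.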