Tools

Nebula Cloud C2 Penetration Testing Framework

In this article, we’ll learn more about Nebula Cloud C2 Penetration Testing Framework.

Nebula is a Cloud and (hopefully) DevOps Penetration Testing framework. It is build with modules for each provider and each functionality. As of April 2021, it only covers AWS, but is currently an ongoing project and hopefully will continue to grow to test GCP, Azure, Kubernetes, Docker, or automation engines like Ansible, Terraform, Chef, etc.

Currently covers:

  • S3 Bucket name bruteforce
  • IAM, EC2, S3, STS and Lambda Enumeration
  • IAM, EC2, STS, and S3 exploitation
  • SSM Enumeration + Exploitation
  • Custom HTTP User-Agent
  • Enumerate Read Privileges (working on write privs)
  • Reverse Shell
  • No creds Reconnaisance

There are currently 67 modules covering:

  • Reconnaissance
  • Enumeration
  • Exploit
  • Cleanup
  • Reverse Shell

Let’s start with the installation process.

Docker

From Dockerhub

Clone the Nebula Repo from Github and pull Nebula Docker image:

# git clone https://github.com/gl4ssesbo1/Nebula
# docker pull gl4ssesbo1/nebula:latest

and then run main.py through:

# cd Nebula
# docker run -v $(pwd):/app -ti gl4ssesbo1/nebula:latest main.py

Remember to not forget -v option, because it allows files to be saved on the system even after removing the docker image.

Using DockerFile

Clone the Nebula Repo from Github and build Docker image locally:

# git clone https://github.com/gl4ssesbo1/Nebula
# docker build -t nebula .

then run main.py through:

# docker run -v Nebula:/app -ti nebula main.py

Remember to not forget -v option, because it allows files to be saved on the system even after removing the docker image.

Adding port mapping

If you want to run a shell, also add the -p option:

# cd Nebula
# docker run -p <host port>:<container port> -v $(pwd):/app -ti gl4ssesbo1/nebula:latest main.py

Installed on System

Nebula is coded in python3.8 and tested on python3.8 and 3.9. It uses boto3 library to access AWS. To install, just install python 3.8+ and install libraries required from requirements.txt

# python3.8 -m pip install -r requirements.txt

Then install session-manager-plugin. This is needed for SSM modules:

# curl “https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb” -o “session-manager-plugin.deb”
# dpkg -i session-manager-plugin.deb

On windows devices, since less is not installed, I got one from https://github.com/jftuga/less-Windows The prebuilt binary is saved on directory less_binary. Just add that directory to the PATH environment variable and it will be ok.

Then just run main.py

# python3.8 ./main.py

Usage

 

python3.9.exe .\main.py -b
                -------------------------------------------------------------
                50 aws          0 gcp           0 azure         0 office365
                0 docker        0 kubernetes
                -------------------------------------------------------------
                50 modules      2 cleanup               0 detection
                41 enum         6 exploit               0 persistence
                0 listeners     0 lateral movement      0 detection bypass
                0 privesc       1 reconnaissance        0 stager
                -------------------------------------------------------------
()()(AWS)

Help

Running help command, will give you a list of the commands that can be used:

Enum Privs

When you have a set of credentials, you can enter getuid to get the user or enum_user_privs to check the Read permission of a set of credentials.

GetUID

(test)()(AWS) >>> getuid

If the creds do not have the below privs on himself,

STS:GetUserIdentity
IAM:GetUser
IAM:ListAttachedUserPolicies
IAM:GetPolicy (for all policies)

you will get an error:

[*] An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::012345678912:user/user_user is not authorized to perform: iam:GetUser on resource: user user_user

Enum_User_Privs

This command checks List and Describe Privileges on a set of credentials.

(test)()(AWS) >>> enum_user_privs

Modules

Listing modules

You can list all the modules or specific module:

()()(AWS) >>> show modules

And like that you can use:

show module
show enum
show exploit
show persistence
show privesc
show reconnaissance
show listener
show cleanup
show detection
show detectionbypass
show lateralmovement
show stager

Searching for modules Use search command to search modules with a specific word:

()()(AWS) >>> search instance

Using Modules

To use a module, just type use and the name of the module. The 3 brackets will have the name of the module.

(work1)()(enum/aws_ec2_enum_instances) >>> use module enum/aws_iam_get_group

Options

Using options, we can list the information on the module:

(work1)()(enum/aws_ec2_enum_instances) >>> options

To set options, use set and the name of the option:

(work1)()(enum/aws_ec2_enum_instances) >>> set INSTANCE-ID 1234
(work1)()(enum/aws_ec2_enum_instances) >>> options

Also unsetting them, using unset.

(work1)()(enum/aws_ec2_enum_instances) >>> unset INSTANCE-ID

To set options, use set and the name of the option:

(work1)()(enum/aws_ec2_enum_instances) >>> set INSTANCE-ID 1234
(work1)()(enum/aws_ec2_enum_instances) >>> options

Also unsetting them, using unset.

(work1)()(enum/aws_ec2_enum_instances) >>> unset INSTANCE-ID

Running the module

To run the module, if it requires credentials, you will need to have imported a set of credentials with the permission required to run it. This is shown on a module’s options as:

Needs Credentials: True
—————————–

To run it, just enter run. Depending on the output, it will either show a pagainated view, or just print it. The pagination, uses less binary, which for Windows uses the binary from https://github.com/jftuga/less-Windows. A copy of the exe is on less_binary directory. The output is also saved on files on the workspace directory:

(work1)()(enum/aws_ec2_enum_instances) >>> run
[*] Content dumped on file './workspaces/work1/16_04_2021_18_16_48_ec2_enum_instances'.

Credentials

####Inputing Credentials Nebula can use both AccessKeyID + SecretKey combination and AccessKeyID + SecretKey+SessionKey combination to authenticate into the infratructure. To insert a set of credentials, use:

()()(AWS) >>> set credentials test1
Profile Name: test1
Access Key ID: A*********2
Secret Key ID: a****************************7
Region: us-west-3

Do you also have a session token?[y/N]
[*] Credentials set. Use 'show credentials' to check them.
[*] Currect credential profile set to 'test1'.Use 'show current-creds' to check them.

And you will get some inputs allowing you to set them. Session token can be added when entering credentials, by inputing y when asked Do you also have a session token?[y/N].

####Using Credentials To use another credential, just enter:

()()(AWS) >>> use credentials test1
[*] Currect credential profile set to 'test1'.Use 'show current-creds' to check them.

####Current Credentials When you enter the credentials, they are automatically made the current credentials, meaning the ones you will authenticate with. To check the current credentials, use:

()()(AWS) >>> show current-creds
{
    "profile": "test1",
    "access_key_id": "A*********2",
    "secret_key": "a****************************7",
    "region": "us-west-3"
}

####Removing Credentials In case you don’t want your credentials, you can can remove them using:

()()(AWS) >>> remove credentials test1
You are about to remove credential 'test1'. Are you sure? [y/N] y

####Dumping and importing credentials In case you want your credentials saved on the machine, you can use:

()()(AWS) >>> dump credentials
[*] Credentials dumped on file './credentials/16_04_2021_17_37_59'.

And they will be saved on a file containing the time and date of the dump on directory credentials on Nebula directory. To import them, just enter:

()()(AWS) >>> import credentials 16_04_2021_17_37_59
()()(AWS) >>> show credentials
[
    {
        "profile": "test1",
        "access_key_id": "A*********2",
        "secret_key": "a****************************7",
        "region": "us-west-3"
    }
]

Workspaces

Nebula uses workspaces to save the output from every command. The output is saved as json data (except for s3_name_fuzzer which saves it as XML) on a folder created on directory workspaces.

Create Workspaces

To create one, enter:

()()(AWS) >>> create workspace work1
[*] Workspace 'work1' created.
[*] Current workspace set at 'work1'.
(work1)()(AWS) >>> ls ./workspaces


    Directory: C:\Users\***\Desktop\Nebula\workspaces


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         4/16/2021   5:42 PM                work1
-a----         4/16/2021   4:40 PM              0 __init__.py

When created, the first brackets will contain the name of the workspace you are working at. If you want to use an existing workspace, just type:

()()(AWS) >>> use workspace work1
(work1)()(AWS) >>>

Workspaces are required to be used, so even if you are not using any at the moment, while running a module, it will ask you to create one with random name or to just create one with a custom name yourself.

()()(enum/aws_ec2_enum_instances) >>> run
A workspace is not configured. Workstation 'qxryiuct' will be created. Are you sure? [y/N] n
[*] Create a workstation first using 'create workstation <workstation name>'.
()()(enum/aws_ec2_enum_instances) >>>

List workspaces

To get a list of workspaces, use:

(work1)()(enum/aws_ec2_enum_instances) >>> show workspaces
-----------------------------------
Workspaces:
-----------------------------------
work1

(work1)()(enum/aws_ec2_enum_instances) >>>

Remove Workspaces

To remove a workspace, enter:

()()(AWS) >>> remove workspace work1
[*] Are you sure you want to delete the workspace? [y/N] y
()()(AWS) >>> show workspaces
-----------------------------------
Workspaces:
-----------------------------------

()()(AWS) >>>

Reverse Shell

To create a Reverse Shell, you need to create a stager and run a listener. To use this feature, you need to have Nebula run as root (to open ports).

Stager

To generate a stager, use modules on stagers:

()()(AWS) >>> use module stager/aws_python_tcp
()()(stager/aws_python_tcp) >>> options

The options to fill are:

  • HOST: The IP or domain of the C2 Server
  • Port: The C2 Server Port
  • Format: Currently only supports python raw file and elf binary
  • Callback-Time: The time in seconds for which the sessions should call back. It calls back even if a current session is up, and even if the server crushes or is closed, so that you don’t loose access to the machine.
  • Output File Name: The name of the output file.

Running the module will generate a stager saved on ./workspaces/workspacename/stagername

Listener

The listener is simple. Just configure Host (by default set to 0.0.0.0) and Port and it creates the server. To run the listener, you need to have Nebula run as root.

()()(stager/aws_python_tcp) >>> use module listeners/aws_python_tcp_listener
()()(listeners/aws_python_tcp_listener) >>> options

User Agents

User agents can be set as linux ones, windows ones or custom. To show them, just use show.

()()(AWS) >>> set user-agent linux
User Agent: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic was set
()()(AWS) >>> show user-agent
[*] User Agent is: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic
()()(AWS) >>> set user-agent windows
User Agent: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48 was set
()()(AWS) >>> show user-agent
[*] User Agent is: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48
()()(AWS) >>> set user-agent custom
Enter the User-Agent you want: sth
User Agent: sth was set
()()(AWS) >>> show user-agent
[*] User Agent is: sth
()()(AWS) >>>

To unset a user agent, enter:

()()(AWS) >>> unset user-agent [*] User Agent set to empty.

Which will have the system’s user agent.

Grab high performance dedicated servers and KVM VPS.

Related Articles