The rise of the new Nebula
Bleon Proko authored and Bleon Proko committed Jul 12, 2024
1 parent d519250 commit 4cd1639
Showing 220 changed files with 12,347 additions and 302,424 deletions.
10 changes: 7 additions & 3 deletions .gitignore
Expand Up @@ -25,13 +25,17 @@
/core/enum_user_privs/__pycache__/
/core/database/__pycache__/
/core/module/listeners/__listeners/__pycache__/
/core/module/reconnaissance/__ip_source/__pycache__/
/core/__pycache__/
/workspaces
/client/venv/
/clientGUI/venv/
/client/venv/
/clientGUI/__pycache__/
/client/__pycache__/
/client/commands/__pycache__/
/client/core/__pycache__/
/client/help/__pycache__/
/client/help/__pycache__/
/client/.nebula-history-file
/clientGUI/.nebula-history-file
/todo.txt
/ToDo.txt
/Done.txt
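Review bot: `/ToDo.txt` is listed as ignored at the end of this hunk, yet ToDo.txt is tracked and modified in this same commit, so the rule has no effect on it; either untrack the file with `git rm --cached ToDo.txt` or drop the entry. `/client/venv/` and `/client/help/__pycache__/` each appear twice in the hunk, so check that the resulting file keeps only one of each, and consider replacing the per-directory entries with a single `__pycache__/` pattern so new packages are covered automatically.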
5 changes: 2 additions & 3 deletions Dockerfile
@@ -1,5 +1,4 @@
FROM python:3.9
#FROM python:3.8-slim-buster
FROM python:3.10

WORKDIR /nebula
COPY . .
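Review bot: `FROM python:3.10` disagrees with the README in this same commit, which still says Nebula is coded in python3.11; pick one version and state it in both places. The tag is also floating, so pinning a patch version or image digest would make builds reproducible. Because `COPY . .` copies the whole build context, a `.dockerignore` covering `/workspaces`, the venv directories and the `.nebula-history-file` paths already listed in .gitignore would keep local state out of the image.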
Expand All @@ -16,4 +15,4 @@ RUN dpkg -i session-manager-plugin.deb
RUN service docker start
RUN ls /nebula

ENTRYPOINT python3.9 teamserver.py -c teamserver.conf
ENTRYPOINT ["python3", "teamserver.py"]
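Review bot: the new `ENTRYPOINT ["python3", "teamserver.py"]` drops `-c teamserver.conf`, and nothing visible here says where the team server now takes its configuration from; document the replacement (arguments appended at `docker run`, environment variables, or a default path). The move to exec form itself is fine, since the process now receives signals directly. In the context lines, `RUN service docker start` has no effect at container run time because a service started in a build layer does not persist, and `RUN ls /nebula` looks like leftover debugging; both can go.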
176 changes: 88 additions & 88 deletions README.md
@@ -1,5 +1,5 @@
# Nebula
<img src="./core/img/logo.png" alt="logo" width="200" align="center"/>
<img src="./img/nebulalogo.png" alt="logo" width="200" align="center"/>

Nebula is a Cloud and (hopefully) DevOps Penetration Testing framework.
It is build with modules for each provider and each functionality. As of April 2021, it only covers AWS, but is currently an ongoing project and hopefully will continue to grow to test GCP, Azure, Kubernetes, Docker, or automation engines like Ansible, Terraform, Chef, etc.
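Review bot: the context line "As of April 2021, it only covers AWS" is stale now that the same README lists AWS, Azure and DigitalOcean under "Currently covers"; update it while touching this block, and fix "It is build" to "It is built". The logo path moves to `./img/nebulalogo.png`, so confirm that file is added in this commit, otherwise the image breaks on the rendered page.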
Expand All @@ -11,7 +11,7 @@ I started writing it while I was reading "Hands-On AWS Penetration Testing with
**Currently covers:**
- AWS, Azure (Graph and Management API) and DigitalOcean enumeration, exploitation and post-exploitation

**There are currently 72 modules covering:**
**There are currently 55 modules covering:**
- Reconnaissance
- Enumeration
- Exploit
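Review bot: "There are currently 55 modules" does not match the banner added further down in this README, which reports `81 modules`; state one number, or drop the count from the prose and let the banner be the single source so it cannot drift again.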
Expand All @@ -25,25 +25,24 @@ I started writing it while I was reading "Hands-On AWS Penetration Testing with
## Installation
### Server
Nebula is coded in python3.11. It uses boto3 library to access AWS.
To install, create a venv and install python 3.11+ and install libraries required from *requirements.txt*

```
python3 -m venv ./venv
source venv/bin/activate
python3 -m pip install -r requirements.txt
```

Then install session-manager-plugin. This is needed for SSM modules:
```
curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "session-manager-plugin.deb"
dpkg -i session-manager-plugin.deb
```
On windows devices, since less is not installed, I got one from **https://github.com/jftuga/less-Windows**
The prebuilt binary is saved on directory less_binary. Just add that directory to the PATH environment variable and it will be ok.

Then just run **teamserver**
```
python3 teamserver.py -dn <workspace name> -p <password>
To install, run ```install.sh``` script, which will get the mongo image, create teamserver image and install client's libraries on a venv (docker does not work for client due to TTY issues)
```
$ ./install.sh
---------------------------------------------------------
Installing Nebula
---------------------------------------------------------
[*] Pulling mongo image
Using default tag: latest
latest: Pulling from library/mongo
Digest: sha256:bd38dc3d2895c7434b9b75c86525642efe3d65e4c6aadfe397486d7cc89406f0
Status: Image is up to date for mongo:latest
docker.io/library/mongo:latest
[*] Pulled Docker Image
---------------------------------------------------------
[*] Building Nebula Teamserver
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
Install the buildx component to build images with BuildKit:
https://docs.docker.com/go/buildx/
```

### Client
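Review bot: with the `python3 teamserver.py -dn <workspace name> -p <password>` instructions gone, the Server section no longer explains how the workspace name and password are set, although the Client section still asks for `--password <password>`; add a sentence on where those values come from after `install.sh` runs. The pasted output shows the database image pulled as `mongo:latest`, so pinning a tag or digest in `install.sh` is worth doing, and the legacy-builder deprecation warning is better trimmed from the sample than documented. Write the script name in single backticks; the triple backticks around `install.sh` sit directly above a fence and can break rendering.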
Expand All @@ -59,75 +58,76 @@ nebula -w <database name> --password <password> -ah <server host>
## Usage
```
...........
...''''''''''''''...
..'''''...........''''''............
..''''.. ...'''''''''''''''...
..'''.. ..............'''''..
.''''. .;loddool:'. ..''''..
..'''. .;clokXWWMWNKkl;. .''''.
.'''. .',,'.. ';dNMMMMMWKko;. .'''..
.''''. .cx0NWWNX0koc;,'cKMMMMMMMMMWXOo:. .''''....
.'''. .',',:oONMMMMMWNNNWMMMMMMWKk0WMMWXx' .''''''''...
..'''. .,dXMMMMMMMMMMMMMNOl',oONWWd. .......'''''..
...'''''.. :o' cXMMMMMMMMMMMMMWNXKKXNWWKxc,. ..''''..
..''''.... oNKl'. ..oXMMMMMMMMMMMMMMMMMMMMMMMMMNKOdc,.. ..''''.
..''''.. ,OWWX0O0XWMMMMMMMMMMMMMMMMMMWWWWMMMMMMMMMWXOxooxk:. ..'''.
..'''''''''''''''''''''. .l0NMMMMMMMMMMMMMMMMMMMMN0dc;;;coONMMMMMMMMMMMMMK: ..'''.
....................... .,dXMMMMMMMMMMMMMMMMMMWX0ko:. .;OWMMMMMMMMMMMWx. .'''.
.oWMMMMMMMMMMMMMMWNXXXWMMWKd' .:lccclodOXWMWd. .'''.
,lc' .................. ',. .,OWMMMMMMMMMMMMXx:'...:0WMMMKl. .. .'oKO, .'''.
,0MWx. .''''''''''''''''''. ;OKOOOO0NWMMMMMMMMMMMMNl. .cdoox0XOl;'....... ... .'''.
.;ol' ................... ;kXWMMMMMMMMMMMMMMMMMWx. .:0WNKkdo:. ... .'''.
.................... .:ldxk0XWMMMMMMMMMMMW0o' .';;,. .... ..'''.
;k00000000000000000000x' ..;lkXWMMMMMMMMMWXkc. ..'''.
.lXWWWWWWWWWWWWWWWWWWMMWKl. ;OWMMMMMMMMMMMWKx:. ..''''.
.,,,,,,,,,,,,,,,,,:kNMMW0o,. 'kWMMMMMMMMMMMMMMWKd,. ..''''..
.:ONMMMNKkdlc:::::::::ccldkKWMMMMMMMMMMMMMMMMMMNOl' ...........'''''..
.,oOXWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWXkc....''''''''''...
.':ldkO0000000000000000000000000000000000000000Ox:. ........
...........................................
_ _______ ______ _ _______
( ( /|( ____ \( ___ \ |\ /|( \ ( ___ )
| \ ( || ( \/| ( ) )| ) ( || ( | ( ) |
| \ | || (__ | (__/ / | | | || | | (___) |
| (\ \) || __) | __ ( | | | || | | ___ |
| | \ || ( | ( \ \ | | | || | | ( ) |
| ) \ || (____/\| )___) )| (___) || (____/\| ) ( |
|/ )_)(_______/|/ \___/ (_______)(_______/|/ \|
Because Clouds are so AWSome
-------------------------------------------------------------
Created by: gl4ssesbo1
-------------------------------------------------------------
87 aws 0 gcp 1 azure 0 office365
0 docker 0 kubernetes 3 misc 2 azuread
-------------------------------------------------------------
93 modules 3 cleanup 0 detection
62 enum 11 exploit 1 persistence
1 listeners 0 lateral movement 2 detection bypass
0 privesc 9 reconnaissance 1 stager
3 misc
Remember:
-------------------------------------------------------------
1) Only use this tool if you have permissions from the
infrastructure's owner. Don't be a dick. Don't choose jail.
And if you have some scruples, don't hack others just because
you can (or cannot, in which case that's why you chose this
tool to do it).
2) There is a template file on module directory that you can
use if you want to develop new modules. If you want to
contribute on this tool, be my guest.
3) Thank you for using this tool and Hack the Planet Legally!
-------------------------------------------------------------
...........
...''''''''''''''...
..'''''...........''''''............
..''''.. ...'''''''''''''''...
..'''.. ..............'''''..
.''''. .;loddool:'. ..''''..
..'''. .;clokXWWMWNKkl;. .''''.
.'''. .',,'.. ';dNMMMMMWKko;. .'''..
.''''. .cx0NWWNX0koc;,'cKMMMMMMMMMWXOo:. .''''....
.'''. .',',:oONMMMMMWNNNWMMMMMMWKk0WMMWXx' .''''''''...
..'''. .,dXMMMMMMMMMMMMMNOl',oONWWd. .......'''''..
...'''''.. :o' cXMMMMMMMMMMMMMWNXKKXNWWKxc,. ..''''..
..''''.... oNKl'. ..oXMMMMMMMMMMMMMMMMMMMMMMMMMNKOdc,.. ..''''.
..''''.. ,OWWX0O0XWMMMMMMMMMMMMMMMMMMWWWWMMMMMMMMMWXOxooxk:. ..'''.
..'''''''''''''''''''''. .l0NMMMMMMMMMMMMMMMMMMMMN0dc;;;coONMMMMMMMMMMMMMK: ..'''.
....................... .,dXMMMMMMMMMMMMMMMMMMWX0ko:. .;OWMMMMMMMMMMMWx. .'''.
.oWMMMMMMMMMMMMMMWNXXXWMMWKd' .:lccclodOXWMWd. .'''.
,lc' .................. ',. .,OWMMMMMMMMMMMMXx:'...:0WMMMKl. .. .'oKO, .'''.
,0MWx. .''''''''''''''''''. ;OKOOOO0NWMMMMMMMMMMMMNl. .cdoox0XOl;'....... ... .'''.
.;ol' ................... ;kXWMMMMMMMMMMMMMMMMMWx. .:0WNKkdo:. ... .'''.
.................... .:ldxk0XWMMMMMMMMMMMW0o' .';;,. .... ..'''.
;k00000000000000000000x' ..;lkXWMMMMMMMMMWXkc. ..'''.
.lXWWWWWWWWWWWWWWWWWWMMWKl. ;OWMMMMMMMMMMMWKx:. ..''''.
.,,,,,,,,,,,,,,,,,:kNMMW0o,. 'kWMMMMMMMMMMMMMMWKd,. ..''''..
.:ONMMMNKkdlc:::::::::ccldkKWMMMMMMMMMMMMMMMMMMNOl' ...........'''''..
.,oOXWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWXkc....''''''''''...
.':ldkO0000000000000000000000000000000000000000Ox:. ........
...........................................
_ _______ ______ _ _______
( ( /|( ____ \( ___ \ |\ /|( \ ( ___ )
| \ ( || ( \/| ( ) )| ) ( || ( | ( ) |
| \ | || (__ | (__/ / | | | || | | (___) |
| (\ \) || __) | __ ( | | | || | | ___ |
| | \ || ( | ( \ \ | | | || | | ( ) |
| ) \ || (____/\| )___) )| (___) || (____/\| ) ( |
|/ )_)(_______/|/ \___/ (_______)(_______/|/ \|
Because Clouds are so AWSome
-------------------------------------------------------------
Created by: gl4ssesbo1
-------------------------------------------------------------
48 aws 1 gcp 7 azure 0 office365
0 docker 0 kubernetes 6 misc 4 azuread
4 digitalocean
-------------------------------------------------------------
81 modules 6 cleanup 0 detection
19 enum 22 exploit 2 persistence
2 listeners 0 lateral movement 7 detection bypass
0 privesc 16 reconnaissance 2 stager 1 postexploitation
4 misc
Remember:
-------------------------------------------------------------
1) Only use this tool if you have permissions from the
infrastructure's owner. Don't be a dick. Don't choose jail.
And if you have some scruples, don't hack others just because
you can (or cannot, in which case that's why you chose this
tool to do it).
2) There is a template file on module directory that you can
use if you want to develop new modules. If you want to
contribute on this tool, be my guest.
3) Thank you for using this tool and Hack the Planet Legally!
-------------------------------------------------------------
[*] Importing sessions found on ~/.aws
[*] Imported sessions found on ~/.aws. Enter 'show credentials' to get the credentials.
(work5)()(Nebula) >>>
(test)()(Nebula)
```
### Help
Running *help* command, will give you a list of the commands that can be used:
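Review bot: the sample session shows the client importing every profile found in `~/.aws` at startup ("Enter 'show credentials' to get the credentials"), but the README never mentions this; document it in the Usage section and say how to opt out, because an operator's own cloud credentials being loaded into an engagement workspace should be an explicit choice. In the new banner the per-provider counts add up to 70 while the line below reports `81 modules`, and the new prompt line `(test)()(Nebula)` has lost the trailing `>>>`.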
27 changes: 17 additions & 10 deletions ToDo.txt
@@ -1,37 +1,44 @@
[*] Reconnaissance
reconnaissance/azure_unauth_user_enum (adfs too)
reconnaissance/aws_find_ip_category
reconnaissance/azure_fuzz_subdomains
reconnaissance/misc_gitdumper

[*] Enum:
enum/get_iam_groups
https://github.com/prowler-cloud/prowler
RoadTools
All Zeus Features: https://github.com/DenizParlak/Zeus

[*] Console
https://github.com/NetSPI/aws_consoler
https://github.com/NetSPI/aws_consoler (Done)

[*] Exploit
Device Code Phishing

Bitlocker Dump: (Get-MgInformationProtectionBitlockerRecoveryKey -All) | ForEach-Object {
$device = (Get-MgDevice -Filter "deviceId eq '$($_.DeviceId)'").DisplayName
$key = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $_.Id -Property Key).Key
[array]$bitlockerReport += "$device,$key"
}
$bitlockerReport

LAPS Dump: Connect-MgGraph -Scopes 'http://DeviceLocalCredential.Read.All'

Get-MgDevice -Filter "OperatingSystem eq 'Windows'" | ForEach-Object {
[array]$b64 = (Get-MgDirectoryDeviceLocalCredential -DeviceLocalCredentialInfoId $_.DeviceId -Property credentials).credentials.PasswordBase64
[string]$pw = if (!([string]::IsNullOrEmpty($b64))) { [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(($b64)[0])) }
[array]$lapsReport += "$($_.displayName),$pw"
}
$lapsReport

[*] Post Exploitation
https://github.com/Static-Flow/CloudCopy
https://github.com/andresriancho/enumerate-iam (like my enumerate iam)

[*] Bypass Defences
Disable Logging
Disable CloudTrail
Disable monitoring of events from global services
Disable Cloud Trail on specific regions
Delete logs from Bucket
User Agent Change

[*] Persistence
Golden SAML Attack
Update AWS key
Create 2nd key

[*] Commands
list_aws_iam_groups
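Review bot: this file is listed in .gitignore as `/ToDo.txt` but is still being committed, so decide whether it belongs in the repository at all. If it stays, the pasted multi-line PowerShell under "[*] Exploit" should be replaced by a one-line description of the planned module or a link to an issue, since unformatted working notes in a tracked text file are hard to review and easy to mistake for supported code. Items marked "(Done)" can be removed or moved to Done.txt.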
105 changes: 105 additions & 0 deletions argparse.sh
@@ -0,0 +1,105 @@
#!/bin/bash

# argparse.sh contains bash functions that streamlines the management of
# command-line arguments in Bash scripts

# Example:
# define_arg "username" "" "Username for login" "string" "true"
# parse_args "$@"
#
# echo "Welcome, $username!"
#
# # Usage:
# # ./example.sh --username Alice

# Author: Yaacov Zamir <[email protected]>
# License: MIT License.
# https://github.com/yaacov/argparse-sh/

# Declare an associative array for argument properties
declare -A ARG_PROPERTIES

# Variable for the script description
SCRIPT_DESCRIPTION=""

# Function to display an error message and exit
# Usage: display_error "Error message"
display_error() {
echo -e "Error: $1\n"
show_help
exit 1
}

# Function to set the script description
# Usage: set_description "Description text"
set_description() {
SCRIPT_DESCRIPTION="$1"
}

# Function to define a command-line argument
# Usage: define_arg "arg_name" ["default"] ["help text"] ["action"] ["required"]
define_arg() {
local arg_name=$1
ARG_PROPERTIES["$arg_name,default"]=${2:-""} # Default value
ARG_PROPERTIES["$arg_name,help"]=${3:-""} # Help text
ARG_PROPERTIES["$arg_name,action"]=${4:-"string"} # Action, default is "string"
ARG_PROPERTIES["$arg_name,required"]=${5:-"false"} # Required flag, default is "false"
}

# Function to parse command-line arguments
# Usage: parse_args "$@"
parse_args() {
while [[ $# -gt 0 ]]; do
key="$1"
key="${key#--}" # Remove the '--' prefix

if [[ -n "${ARG_PROPERTIES[$key,help]}" ]]; then
if [[ "${ARG_PROPERTIES[$key,action]}" == "store_true" ]]; then
export "$key"="true"
shift # past the flag argument
else
[[ -z "$2" || "$2" == --* ]] && display_error "Missing value for argument --$key"
export "$key"="$2"
shift # past argument
shift # past value
fi
else
display_error "Unknown option: $key"
fi
done

# Check for required arguments
for arg in "${!ARG_PROPERTIES[@]}"; do
arg_name="${arg%%,*}" # Extract argument name
[[ "${ARG_PROPERTIES[$arg_name,required]}" == "true" && -z "${!arg_name}" ]] && display_error "Missing required argument --$arg_name"
done

# Set defaults for any unset arguments
for arg in "${!ARG_PROPERTIES[@]}"; do
arg_name="${arg%%,*}" # Extract argument name
[[ -z "${!arg_name}" ]] && export "$arg_name"="${ARG_PROPERTIES[$arg_name,default]}"
done
}

# Function to display help
# Usage: show_help
show_help() {
[[ -n "$SCRIPT_DESCRIPTION" ]] && echo -e "$SCRIPT_DESCRIPTION\n"

echo "usage: $0 [options...]"
echo "options:"
for arg in "${!ARG_PROPERTIES[@]}"; do
arg_name="${arg%%,*}" # Extract argument name
[[ "${arg##*,}" == "help" ]] && {
[[ "${ARG_PROPERTIES[$arg_name,action]}" != "store_true" ]] && echo " --$arg_name [TXT]: ${ARG_PROPERTIES[$arg]}" || echo " --$arg_name: ${ARG_PROPERTIES[$arg]}"
}
done
}

# Function to check for help option
# Usage: check_for_help "$@"
check_for_help() {
for arg in "$@"; do
[[ $arg == "-h" || $arg == "--help" ]] && { show_help; exit 0; }
done
}
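Review bot: in `parse_args`, every parsed value is written with `export "$key"="$2"`, so anything passed on the command line, a password included, lands in the environment of every child process the calling script starts; assign to a shell variable or an associative array instead of exporting. The required and default checks use `${!arg_name}`, which also reads variables already present in the caller's environment, so a pre-set variable with the same name satisfies a "required" argument silently. An option is only recognised when its help text is non-empty (`-n "${ARG_PROPERTIES[$key,help]}"`), so `define_arg` with an empty help string yields "Unknown option". Since this is a vendored copy of yaacov/argparse-sh, record the upstream version or commit it was taken from, and note that `declare -A` requires bash 4 or later.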