godinezj

Cumulus Toolkit Cliff Notes

By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to setup the full environment, please let me know if you are interested in such a thing.

References:

• Blackhat Arsenal 2017 presentation: https://www.blackhat.com/us-17/arsenal.html#cumulus-a-cloud-exploitation-toolkit
• Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
• The code, see cumulus branch: https://github.com/godinezj/metasploit-framework
• xxe-example, see https://github.com/rgerganov/xxe-example

godinezj

#aws_console

Because sometimes we just need to show others that we have full control of an AWS account.

msf post(aws_create_iam_user) > use auxiliary/gather/aws_console
msf auxiliary(aws_console) > set ACCESS_KEY AKIA...
ACCESS_KEY => AKIA...
msf auxiliary(aws_console) > set SECRET abc...
SECRET => abc...

godinezj

aws_create_iam_user

aws_create_iam_user is a simple post module that can be used to take over AWS accounts. Sure, it is fun enough to take over a single host, but you can own all hosts in the account if you simply create an admin user.

Privileges

This module depends on administrators being lazy and not using the least privileges possible. Only on rare cases should instances have the following privileges.

godinezj

Keybase proof

I hereby claim:

• I am godinezj on github.
• I am godinezj (https://keybase.io/godinezj) on keybase.
• I have a public key ASDEiV4b_DIA4Ux1sxDusT9B_bPMWLBEAL85fU5WkNwkAAo

To claim this, I am signing this object: