Windows

Microsoft Windows

Nimbostratus

Tools for fingerprinting and exploiting Amazon cloud infrastructures. These tools are a proof of concept (PoC) I developed for my "Pivoting in Amazon clouds" talk, built on the great boto library for accessing Amazon's API.

The nimbostratus toolset is usually used together with nimbostratus-target, which helps you set up a legal environment where this tool can be tested.

Installation
git clone git@github.com:andresriancho/nimbostratus.git
cd nimbostratus
pip install -r requirements.txt

Usage
Providing AWS credentials
Some nimbostratus sub-commands require you to provide AWS credentials. They are provided using the following command line arguments:
--access-key
--secret-key
--token, which is only used when the credentials were extracted from the instance profile.

Dump credentials
Identifies the credentials available on this host and prints them to the console. This is usually the first command to run after gaining access to an EC2 instance.
$ nimbostratus dump-credentials
Found credentials
Access key: ...
Secret key: ...

Once you've got the credentials from an EC2 instance you've exploited, you can continue to work from any other host with internet access (remember: EC2 instances are in many cases spawned for a specific task and then terminated).

IMPORTANT: This will extract information from boto's credential configuration sources and from the instance meta-data. If the system uses other libraries to connect to AWS the credentials won't be dumped.

Dump permissions
This tool dumps all permissions for the provided credentials. It is commonly run right after dump-credentials to learn which permissions those credentials have.
$ nimbostratus dump-permissions --access-key=... --secret-key=...
Starting dump-permissions
These credentials belong to low_privileged_user, not to the root account
Getting access keys for user low_privileged_user
User for key AKIAIV...J6KVA is low_privileged_user

Web-Spa

Web-Spa is a Java web knocking tool for sending a single HTTP/S request to your web server, in order to authorize the execution of a premeditated Operating System (O/S) command on it.

This is equivalent to port-knocking on the web layer, but with much more control: All O/S commands must be pre-defined and have a time-window of execution. Also, all users have to be registered and authorized to run any given action.

In running the standalone jar file (i.e.
webspa-{xx}.jar), you have to select one of the
following four (4) options:

-client : Run the client, generate requests
-help : Print this usage message
-server : Run the server
-version : 0.6

If no option is selected, the help message
detailing the above options will be displayed.

With each download of the standalone jar file
(i.e. webspa-{xx}.zip, see section above)
there is a rather basic shell script available,
named 'web-spa.sh'.

This script performs a `which java` and sets
the initial and maximum Java heap size.

This script needs to be chmod-ed to have execute
permissions. If you have followed the
instructions above and placed web-spa in /opt
issue the following:

bash-3.00# chmod 744 /opt/web-spa-0.6/web-spa.sh

You can test the web-spa script, by issuing:
bash-3.00# ./web-spa.sh -version
0.6
bash-3.00#

You will be required to have a java 1.6 JRE or
JDK installed. For more information see the
INSTALL file.

Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Ip phone Scanning Made Easy (ISME)

IP Phone Scanning Made Easy (ISME) scans a VoIP environment, adapts to enterprise VoIP, and exploits the possibilities of being connected directly to an IP phone VLAN. It seeks to get the phone's configuration file directly from a TFTP server, enable SIP/SIPS (TCP/UDP), communicate with an embedded web server and read its banner, identify the phone vendor by MAC address, and identify potential default login/password combinations which should be changed.

The following libraries are needed:
· LWP::UserAgent; # http://search.cpan.org/~gaas/libwww-perl-6.03/lib/LWP/UserAgent.pm
· HTML::Parser; # http://search.cpan.org/dist/HTML-Parser/Parser.pm
· Net::Ping; # http://search.cpan.org/~smpeters/Net-Ping-2.36/lib/Net/Ping.pm
· Net::Netmask; # http://search.cpan.org/dist/Net-Netmask/
· Net::Subnets;
· Net::TFTP; # http://search.cpan.org/~gbarr/Net-TFTP-0.16/TFTP.pm
· Net::DHCP::Packet; # http://search.cpan.org/~djzort/Net-DHCP-0.69/lib/Net/DHCP/Packet.pm
· Net::DHCP::Constants; # http://search.cpan.org/~djzort/Net-DHCP-0.69/lib/Net/DHCP/Constants.pm
· Net::Libdnet::Arp;
· Crypt::SSLeay; # http://search.cpan.org/~nanis/Crypt-SSLeay/SSLeay.pm
· LWP::Protocol::https; # http://search.cpan.org/~gaas/LWP-Protocol-https-6.02/lib/LWP/Protocol/https.pm
· Mozilla::CA; # http://search.cpan.org/~abh/Mozilla-CA-20111025/lib/Mozilla/CA.pm
· HTTP::Request::Common; # http://search.cpan.org/~gaas/HTTP-Message-6.02/lib/HTTP/Request/Common.pm
· Tk; # http://search.cpan.org/~ni-s/Tk-804.027/pod/UserGuide.pod
· Net::RawIP; # http://search.cpan.org/~saper/Net-RawIP-0.25/lib/Net/RawIP.pm
· Net::SSH
· SIP/Digest
Take care: even if some of these libraries are not explicitly declared in the script, they are needed nonetheless.
Java must be installed on the computer if you intend to use Fuzzing SIP – Protos.

MBR Data Hider, MBR Store

This tool stores up to 426 bytes in the MBR's bootloader code section of unused devices such as USB drives, hard disks (which are not supposed to boot) and other media. GRUB detection is implemented for safety reasons; Windows bootloader code will be shamelessly overwritten.

JBrute

JBrute is an open source tool written in Java to audit the security and strength of stored passwords for several open source and commercial apps. It is focused on providing multi-platform support and flexible parameters to cover most of the possible password-auditing scenarios.
Java Runtime version 1.7 or higher is required for running JBrute.

Multi-platform support (by Java VM)
Several hashing algorithms supported
Flexible chained hashes decryption (like MD5(SHA1(MD5())))
Both brute force and dictionary decryption methods supported
Built-in rule pre-processor for dictionary decryption
Multi-threading support for both brute force decryption and dictionary decryption

Supported algorithms:
MD5
MD4
SHA-256
SHA-512
MD5CRYPT
SHA1
ORACLE-10G
ORACLE-11G
NTLM
LM
MSSQL-2000
MSSQL-2005
MSSQL-2012
MYSQL-322
MYSQL-411
POSTGRESQL
SYBASE-ASE1502
INFORMIX-1170

Author: Gonzalo L. Camino
Icon Art: Ivan Zubillaga
Made in: Argentina

ExploitPack Security Framework

ExploitPack is an open source, GPLv3-licensed bundle of scripts with an easy-to-use GUI and a SID IDE; it is built on Java and Python.
ExploitPack uses SWT and is integrated as part of the Eclipse plug-in API; for standalone application development it is best to develop against the SWT standalone download.

Fasmaes

###############################################################################
#                                                                             #
#         ~    .__ °.__   0       o                    ^   .__ °__  `´        #
#  °____) __ __|  | | °|   ______°____ 0 ____  __ _________|__|/  |_ ___.__.  #
#  /    \|  | °\  |°|  | °/  ___// __ \_/ ___\|  | °\_  __ \ o\   __<   |  |  #
# | o°|  \  |  /  |_|  |__\___ \\  ___/\ °\___| o|  /|  | \/  ||  |° \___ O|  #
# |___|  /____/|____/____/____ °>\___  >\___  >____/ |__|° |__||__|  / ____|  #
# `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/  ``´```´```´´´´`´``0_o\/´´`´´  #
#                                                                             #
# AES Implementation for Flat Assembler                                       #
#                                                                             #
# VERSION                                                                     #
# 1.0                                                                         #
#                                                                             #
# DATE                                                                        #
# 13/02/2012                                                                  #
#                                                                             #
# AUTHOR                                                                      #
# belial - http://www.nullsecurity.net/                                       #
#                                                                             #
# LICENSE                                                                     #
# BSD-License                                                                 #
#                                                                             #
# DESCRIPTION                                                                 #

Hyperion

###############################################################################
#                                                                             #
#         ~    .__ °.__   0       o                    ^   .__ °__  `´        #
#  °____) __ __|  | | °|   ______°____ 0 ____  __ _________|__|/  |_ ___.__.  #
#  /    \|  | °\  |°|  | °/  ___// __ \_/ ___\|  | °\_  __ \ o\   __<   |  |  #
# | o°|  \  |  /  |_|  |__\___ \\  ___/\ °\___| o|  /|  | \/  ||  |° \___ O|  #
# |___|  /____/|____/____/____ °>\___  >\___  >____/ |__|° |__||__|  / ____|  #
# `´´`´\/´`nullsecurity team`´\/`´´`´\/`´``´\/  ``´```´```´´´´`´``0_o\/´´`´´  #
#                                                                             #
# Hyperion: A runtime PE-Crypter                                              #
#                                                                             #
# VERSION                                                                     #
# 1.0                                                                         #
#                                                                             #
# DATE                                                                        #
# 25/05/2012                                                                  #
#                                                                             #
# AUTHOR                                                                      #
# belial - http://www.nullsecurity.net/                                       #
#                                                                             #
# LICENSE                                                                     #
# BSD-License                                                                 #
#                                                                             #
# DESCRIPTION                                                                 #

U3-Pwn

#!/usr/bin/env python
################################################################################
#                ____                     _ __                                 #
#     ___  __ __/ / /__ ___ ______ ______(_) /___ __                           #
#    / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /                           #
#   /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /                            #
#                                            /___/ team                        #
#                                                                              #
# U3-Pwn                                                                       #
#                                                                              #
# DATE                                                                         #
# 10/05/2013                                                                   #
#                                                                              #
# DESCRIPTION                                                                  #
# U3-Pwn is a tool designed to automate injecting executables to Sandisk       #
# smart usb devices with default U3 software install. This is performed by     #
# removing the original iso file from the device and creating a new iso        #
# with autorun features.                                                       #
#                                                                              #
# REQUIREMENTS                                                                 #
# - Metasploit                                                                 #
# - U3-Tool                                                                    #
# - Python-2.7                                                                 #
#                                                                              #
