Usage
The following assumes you successfully made it through the Setup process.
WeirdAAL uses boto3 and it handles standard AWS keypair setups. This means that WeirdAAL will also support STS tokens via the boto3 library.
Copy env.sample to .env and put in an AWS keypair:
$ cat env.sample
[default]
aws_access_key_id = <insert key id>
aws_secret_access_key = <insert secret key>
$ cp env.sample .env
$ vi .env
- WeirdAAL overwrites the local AWS_SHARED_CREDENTIALS_FILE environment variable with .env
- .env contains the key we want to test/use
boto3 will pick up proxy settings from environment variables (tested on Linux and OS X).
Check the weirdAAL.py file to see where you can put the ip:port of a proxy that supports SSL. This will override anything currently set while WeirdAAL runs.
# os.environ['HTTPS_PROXY'] = 'https://127.0.0.1:8888'
WeirdAAL assumes you've run the recon module (-m recon_all) with your key pair of interest to get things going, so it's best to go ahead and do that:
python3 weirdAAL.py -m recon_all -t MyTarget
If you don't have a valid key, WeirdAAL will let you know and exit.
$ python3 weirdAAL.py -m recon_all -t MyTarget
The AWS Access Keys are not valid/active
Please supply keys as outlined in our README.md file
AKIAJJDUCEIM2O7KG34B : The AWS KEY IS INVALID. Exiting
Assuming the key works, the recon module will attempt to enumerate each service available to the boto3 v1.7.4 library.
$ python3 weirdAAL.py -m recon_all -t MyTarget
Account Id: 19XXXXXXXXXX
Root Key!!! [or IAM access]
Printing Account Summary
{ 'AccessKeysPerUserQuota': 2,
'AccountAccessKeysPresent': 1,
'AccountMFAEnabled': 1,
'AccountSigningCertificatesPresent': 0,
'AssumeRolePolicySizeQuota': 2048,
........
$ python3 weirdAAL.py -m recon_all -t MyTarget
Account Id: 382756349351
AKIAIXXXXXXXXXXXXXXX : Is NOT a root key
### Enumerating ACM Permissions ###
An error occurred (AccessDeniedException) when calling the ListCertificates operation: User: arn:aws:iam::XXXXXXXXXXXX:user/training is not authorized to perform: acm:ListCertificates
[-] No acm actions allowed [-]
### Enumerating AWS Certificate Manager Private Certificate Authority (ACM-PCA) Permissions ###
An error occurred (AccessDeniedException) when calling the ListCertificateAuthorities operation: User: arn:aws:iam::XXXXXXXXXXX:user/training is not authorized to perform: acm-pca:ListCertificateAuthorities
[-] No acm-pca actions allowed [-]
...
[+] ec2 Actions allowed are [+]
['DescribeInstances', 'DescribeInstanceStatus', 'DescribeImages', 'DescribeVolumes', 'DescribeSnapshots', 'DescribeAccountAttributes', 'DescribeAddresses', SNIP']
...
### Enumerating ElasticLoadBalancing Permissions ###
DescribeLoadBalancers IS allowed
DescribeAccountLimits IS allowed
[+] elb Actions allowed are [+]
['DescribeLoadBalancers', 'DescribeAccountLimits']
...
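Seen from the defender's side, the recon run above shows up in CloudTrail as one access key collecting authorization failures across many services in a short time. The following is an added example, not part of WeirdAAL: it flags that pattern in CloudTrail-shaped records. The key IDs, sample events, thresholds and the set of error codes are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# errorCode values treated as authorization failures (assumed set; extend as needed)
DENIED = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

def find_enumeration(records, window=timedelta(minutes=10), min_services=3):
    """Map access key id -> services it was denied on, for keys denied on
    at least min_services distinct services inside one sliding window."""
    denied = defaultdict(list)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key and r.get("errorCode") in DENIED:
            when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            denied[key].append((when, r["eventSource"].split(".")[0]))
    flagged = {}
    for key, events in denied.items():
        events.sort()
        start = 0
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            services = {svc for _, svc in events[start:end + 1]}
            if len(services) >= min_services:
                flagged[key] = sorted(services)
                break
    return flagged

def rec(time, key, service, name, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    r = {"eventTime": time, "eventSource": service + ".amazonaws.com",
         "eventName": name, "userIdentity": {"accessKeyId": key}}
    if error:
        r["errorCode"] = error
    return r

# Constructed events: KEY_A is denied across services in seconds, KEY_B over hours.
KEY_A, KEY_B = "AKIAEXAMPLEAAAAAAAAA", "AKIAEXAMPLEBBBBBBBBB"
SAMPLE = [
    rec("2018-05-01T12:00:01Z", KEY_A, "acm", "ListCertificates", "AccessDenied"),
    rec("2018-05-01T12:00:02Z", KEY_A, "acm-pca", "ListCertificateAuthorities", "AccessDenied"),
    rec("2018-05-01T12:00:03Z", KEY_A, "ec2", "DescribeInstances"),
    rec("2018-05-01T12:00:04Z", KEY_A, "dynamodb", "ListTables", "AccessDenied"),
    rec("2018-05-01T09:00:00Z", KEY_B, "s3", "ListBuckets", "AccessDenied"),
    rec("2018-05-01T11:00:00Z", KEY_B, "kms", "ListKeys", "AccessDenied"),
    rec("2018-05-01T13:00:00Z", KEY_B, "sqs", "ListQueues", "AccessDenied"),
]

if __name__ == "__main__":
    print(find_enumeration(SAMPLE))
```

Tune `window` and `min_services` against normal traffic in the account, since misconfigured automation can also produce bursts of denials.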
$ python3 weirdAAL.py -m list_services_by_key -t MyTarget
Services enumerated for AKIAXXXXXXXXXXXXXX
autoscaling:DescribeAccountLimits
autoscaling:DescribeAdjustmentTypes
autoscaling:DescribeAutoScalingInstances
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribeScheduledActions
autoscaling:DescribeTags
autoscaling:DescribeTerminationPolicyTypes
autoscaling:DescribePolicies
cloudwatch:ListMetrics
cloudwatch:DescribeAlarmHistory
cloudwatch:DescribeAlarms
ec2:DescribeInstances
ec2:DescribeInstanceStatus
ec2:DescribeImages
ec2:DescribeVolumes
ec2:DescribeSnapshots
ec2:DescribeAccountAttributes
ec2:DescribeAddresses
ec2:DescribeAvailabilityZones
ec2:DescribeBundleTasks
ec2:DescribeClassicLinkInstances
ec2:DescribeConversionTasks
ec2:DescribeCustomerGateways
ec2:DescribeDhcpOptions
ec2:DescribeEgressOnlyInternetGateways
ec2:DescribeExportTasks
ec2:DescribeFlowLogs
ec2:DescribeHostReservations
ec2:DescribeIamInstanceProfileAssociations
ec2:DescribeImportImageTasks
ec2:DescribeImportSnapshotTasks
ec2:DescribeInternetGateways
ec2:DescribeKeyPairs
ec2:DescribeLaunchTemplates
ec2:DescribeMovingAddresses
ec2:DescribeNatGateways
ec2:DescribeNetworkAcls
ec2:DescribeNetworkInterfaces
ec2:DescribePlacementGroups
ec2:DescribePrefixLists
ec2:DescribeReservedInstances
ec2:DescribeReservedInstancesModifications
ec2:DescribeRouteTables
ec2:DescribeScheduledInstances
ec2:DescribeSecurityGroups
ec2:DescribeSpotDatafeedSubscription
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeVolumeStatus
ec2:DescribeVpcClassicLink
ec2:DescribeVpcClassicLinkDnsSupport
ec2:DescribeVpcEndpointServices
ec2:DescribeVpcEndpoints
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
ec2:DescribeVpnGateways
elasticbeanstalk:DescribeApplications
elasticbeanstalk:DescribeApplicationVersions
elasticbeanstalk:DescribeEnvironments
elasticbeanstalk:DescribeEvents
elb:DescribeLoadBalancers
elb:DescribeAccountLimits
elbv2:DescribeLoadBalancers
elbv2:DescribeAccountLimits
elbv2:DescribeTargetGroups
opsworks:DescribeStacks
route53:ListGeoLocations
sts:GetCallerIdentity
$ python3 weirdAAL.py -m ec2_describe_instances_basic -t MyTarget
[+] Listing instances for region: us-east-1 [+]
InstanceID: i-<REMOVED>, InstanceType: t2.micro, State: {'Code': 16, 'Name': 'running'}, Launchtime: 2015-03-02 17:54:36+00:00
InstanceID: i-<REMOVED>, InstanceType: t2.micro, State: {'Code': 80, 'Name': 'stopped'}, Launchtime: 2017-07-21 10:08:41+00:00
InstanceID: i-<REMOVED>, InstanceType: t2.micro, State: {'Code': 80, 'Name': 'stopped'}, Launchtime: 2016-12-28 10:58:43+00:00
[-] List instances allowed for us-east-2 but no results [-]
[-] List instances allowed for us-west-1 but no results [-]
[-] List instances allowed for us-west-2 but no results [-]
[-] List instances allowed for ca-central-1 but no results [-]
[-] List instances allowed for eu-central-1 but no results [-]
[+] Listing instances for region: eu-west-1 [+]
InstanceID: i-<REMOVED>, InstanceType: t2.large, State: {'Code': 80, 'Name': 'stopped'}, Launchtime: 2018-04-12 09:59:56+00:00
InstanceID: i-<REMOVED>, InstanceType: t2.large, State: {'Code': 80, 'Name': 'stopped'}, Launchtime: 2018-04-18 08:18:09+00:00
[-] List instances allowed for eu-west-2 but no results [-]
[-] List instances allowed for ap-northeast-1 but no results [-]
[-] List instances allowed for ap-northeast-2 but no results [-]
[-] List instances allowed for ap-southeast-1 but no results [-]
[-] List instances allowed for ap-southeast-2 but no results [-]
$ python3 weirdAAL.py -m cloudwatch_list_metrics -t MyTarget
### Printing Cloudwatch List Metrics ###
### Listing Metrics for us-east-1 ###
{ 'Dimensions': [ {'Name': 'ServiceName', 'Value': 'AmazonEC2'},
{'Name': 'Currency', 'Value': 'USD'}],
'MetricName': 'EstimatedCharges',
'Namespace': 'AWS/Billing'}
{ 'Dimensions': [ {'Name': 'ServiceName', 'Value': 'awskms'},
{'Name': 'Currency', 'Value': 'USD'}],
'MetricName': 'EstimatedCharges',
'Namespace': 'AWS/Billing'}
{ 'Dimensions': [ {'Name': 'ServiceName', 'Value': 'AmazonGlacier'},
{'Name': 'Currency', 'Value': 'USD'}],
'MetricName': 'EstimatedCharges',
'Namespace': 'AWS/Billing'}
...
- cp env.sample to .env and put in a key pair
- python3 weirdAAL.py -m recon_all -t MyTarget
- python3 weirdAAL.py -m list_services_by_key -t MyTarget
- pivot from there based on available services