Items in this repo are no longer maintained and some of them have been moved to our other repos.
Exploits written by the Rhino Security Labs team
License: BSD 3-Clause "New" or "Revised" License
root@s1:~/Security-Research/tools/cfire# python cfire.py -u
[-] ipout archive missing. Downloading to cfdb/ipout.zip
[+] Downloading http://crimeflare.net:82/domains/ipout.zip to cfdb/ipout.zip
[==================================================]
[-] nsout archive missing. Downloading to cfdb/nsout.zip
[+] Downloading http://crimeflare.net:82/domains/nsout.zip to cfdb/nsout.zip
[==================================================]
[-] country archive missing. Downloading to cfdb/country.zip
[+] Downloading http://crimeflare.net:82/domains/country.zip to cfdb/country.zip
[==================================================]
[+] The ipout/nsout archives are up to date
[*] Creating SQLite3 Database into cfdb/cf.db
root@s1:~/Security-Research/tools/cfire# python cfire.py -u
[+] The ipout/nsout archives are up to date
[*] Start: Tue Sep 12 08:08:57 2017
[*] Complete: Tue Sep 12 08:08:57 2017
root@s1:~/Security-Research/tools/cfire# python cfire.py -t xsses.rocks
[*] Start: Tue Sep 12 08:09:02 2017
[*] Looking target up on CrimeFlare database
[*] xsses.rocks (104.27.129.136) is hosted on Cloudflare network
[-] Error connecting to database. Run -u|--update to get update databases
root@s1:~/Security-Research/tools/cfire#
I ran into this issue when trying to run python3 aws_escalate.py
caught_exception)
File "/usr/local/lib/python3.6/site-packages/botocore/retryhandler.py", line 223, in __call__
attempt_number, caught_exception)
File "/usr/local/lib/python3.6/site-packages/botocore/retryhandler.py", line 359, in _check_caught_exception
raise caught_exception
File "/usr/local/lib/python3.6/site-packages/botocore/endpoint.py", line 204, in _get_response
proxies=self.proxies, timeout=self.timeout)
File "/usr/local/lib/python3.6/site-packages/botocore/vendored/requests/sessions.py", line 573, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.6/site-packages/botocore/vendored/requests/adapters.py", line 370, in send
timeout=timeout
File "/usr/local/lib/python3.6/site-packages/botocore/vendored/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
body=body, headers=headers)
File "/usr/local/lib/python3.6/site-packages/botocore/vendored/requests/packages/urllib3/connectionpool.py", line 349, in _make_request
conn.request(method, url, **httplib_request_kw)
File "/usr/local/Cellar/python/3.6.5_1/Frameworks/Python.framework/Versions/3.6/lib/python3.6/http/client.py", line 1239, in request
self._send_request(method, url, body, headers, encode_chunked)
TypeError: _send_request() takes 5 positional arguments but 6 were given
I searched around, and the boto3 community said it's a known issue.
Any remediation or workaround would be helpful. Thanks
$ pip install -r requirements.txt
Collecting argparse (from -r requirements.txt (line 1))
Downloading argparse-1.4.0-py2.py3-none-any.whl
Collecting requests (from -r requirements.txt (line 2))
Downloading requests-2.18.4-py2.py3-none-any.whl (88kB)
100% |████████████████████████████████| 92kB 1.1MB/s
Collecting dnspython (from -r requirements.txt (line 3))
Downloading dnspython-1.15.0-py2.py3-none-any.whl (177kB)
100% |████████████████████████████████| 184kB 1.8MB/s
Collecting dnslib (from -r requirements.txt (line 4))
Downloading dnslib-0.9.7.tar.gz (60kB)
100% |████████████████████████████████| 61kB 2.6MB/s
Collecting netaddr (from -r requirements.txt (line 5))
Downloading netaddr-0.7.19-py2.py3-none-any.whl (1.6MB)
100% |████████████████████████████████| 1.6MB 555kB/s
Collecting sqlite3 (from -r requirements.txt (line 6))
Downloading sqlite3-99.0.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "", line 1, in
File "/private/var/folders/xf/j6d7cpsn4qq7rht_ydj1r2zr001118/T/pip-build-6JTwrA/sqlite3/setup.py", line 2, in
raise RuntimeError("Package 'sqlite3' must not be downloaded from pypi")
RuntimeError: Package 'sqlite3' must not be downloaded from pypi
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /private/var/folders/xf/j6d7cpsn4qq7rht_ydj1r2zr001118/T/pip-build-6JTwrA/sqlite3/
Environment:
$ pip -V
pip 9.0.1 from /Library/Python/2.7/site-packages/pip-9.0.1-py2.7.egg (python 2.7)
$ python -V
Python 2.7.10
OS X Sierra 10.12.6
@SpenGietz I've read https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ and also the different escalation methods listed in aws-pentest-tools/aws_escalate.py.
IMHO in the blog post, 13. Updating the code of an existing Lambda function could allow admin privilege escalation only if the function does run as admin, because lambda:UpdateFunctionCode does not allow you to change the role with which the function runs. This means that maybe you want to remove that from the script, or make the output look different? For example: Partial privilege escalation?
On the other side, neither the blog post nor the code references lambda:UpdateFunctionConfiguration, which does allow you to set the role with which the function will run.
What do you think about adding these to escalation_methods:
'UpdateExistingLambdaFunctionConfigurationWithRole': {
'lambda:UpdateFunctionConfiguration': True,
'lambda:InvokeFunction': True
}
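A defensive check for the two Lambda permissions discussed in the post above, as an added example (not code from aws_escalate.py or from the post's author): it audits IAM policy documents against a table shaped like escalation_methods. `audit`, `SAMPLE_POLICIES` and the entry name `UpdateExistingLambdaFunctionCode` are assumptions made for this example, and Resource, Condition and NotAction are ignored.

```python
import fnmatch

# Table in the shape the post uses for escalation_methods. The first entry is the
# post's proposal, copied as written; the second name is hypothetical (method 13).
ESCALATION_METHODS = {
    "UpdateExistingLambdaFunctionConfigurationWithRole": {
        "lambda:UpdateFunctionConfiguration": True,
        "lambda:InvokeFunction": True,
    },
    "UpdateExistingLambdaFunctionCode": {"lambda:UpdateFunctionCode": True},
}

# Constructed sample: two identity policies attached to one hypothetical user.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["lambda:Update*", "lambda:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "Lambda:InvokeFunction", "Resource": "*"},
    ]},
    {"Version": "2012-10-17", "Statement":
        {"Effect": "Deny", "Action": "lambda:UpdateFunctionCode", "Resource": "*"}},
]


def _as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    return list(value) if isinstance(value, list) else [value]


def _patterns(policies, effect):
    """Lower-cased Action patterns from every statement with this Effect."""
    return [action.lower()
            for doc in policies
            for stmt in _as_list(doc.get("Statement", []))
            if stmt.get("Effect") == effect
            for action in _as_list(stmt.get("Action", []))]


def _matches(action, patterns):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def audit(policies, methods=ESCALATION_METHODS):
    """Map each method to the actions it still lacks; [] means fully granted."""
    # Simplification: any explicit Deny on an action counts as blocking it.
    allow, deny = _patterns(policies, "Allow"), _patterns(policies, "Deny")
    return {name: [a for a in required
                   if not _matches(a, allow) or _matches(a, deny)]
            for name, required in methods.items()}
```

Calling `audit(SAMPLE_POLICIES)` reports the configuration-based entry as fully granted through the `lambda:Update*` wildcard, while the code-update entry is blocked by the explicit Deny.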
Hello,
I followed the steps after downloading the python file. However getting the below error. Please let me know what went wrong.
Step-1: I created a file 'mydocs.docx' and have written Hello World
Step-2: I run the below command. And observed that a new file 'infected.docx' has been created at the same location and with the same content with 'mydoc.docx'. There is no other data inside 'infected.docx' file. I also received an error while running the command.
C:\Users\Sofily\Study\PythonCodes>python subdoc_injector.py -i mydoc.docx -o infected.docx -u ///127.0.0.1/subdoctest -d 100
[+] Infecting mydoc.docx
Traceback (most recent call last):
File "subdoc_injector.py", line 227, in
main()
File "subdoc_injector.py", line 220, in main
infectDoc(args.infile, args.outfile, args.url, args.identifier, False)
File "subdoc_injector.py", line 179, in infectDoc
closepos = docx.index('/>')
TypeError: a bytes-like object is required, not 'str'
C:\Users\Sofily\Study\PythonCodes>
That will simplify running this without having to disclose access key and secret on CLI or in logs. prowler, as an example, accepts a -p flag for profile.
The resource is no longer available, any alternative?
Error:
[-] nsout archive missing. Downloading to cfdb/nsout.zip
[+] Downloading http://crimeflare.net:82/domains/nsout.zip to cfdb/nsout.zip
[-] http://crimeflare.net:82/domains/nsout.zip not found. Please enter correct host/path
The files in this repository appear not to have a license specified for them.
Please can you add to the repo:
Ideally, please use this license (the AGPLv3).
Thank you.
[*] Start: Tue Sep 12 09:19:20 2017
[*] Looking target up on CrimeFlare database
[*] www.cloudstress.com (104.24.99.64) is hosted on Cloudflare network
[-] No records found for www.cloudstress.com
[*] Complete: Tue Sep 12 09:19:21 2017
SSL leaks real ip...
https://censys.io/ipv4/137.74.107.240
Would it help to be able to point this script at an organization and be able to scan all accounts underneath? Perhaps we could have a --org and --role flags and require that the user passed in has DescribeOrganization and AssumeRole permissions? That will simplify running this from a central InfoSec/Compliance account. Happy to submit a PR if this is deemed useful.
Would it be possible to get a mirror of cf.db? It seems like GitHub has cut you guys off.
Error downloading object: tools/cfire/cfdb/cf.db (da64bd2): Smudge error: Error downloading tools/cfire/cfdb/cf.db (da64bd273b371fbed06bb093139846aac1ee9e8c6314087bca73723e56ae056c): batch response: This repository is over its data quota. Purchase more data packs to restore access.
Traceback (most recent call last):
File "./aws_escalate.py", line 533, in
main(args)
File "./aws_escalate.py", line 41, in main
current_user = client.get_user()['User']
File "/root/Downloads/tools/cloudmapper-master/venv/lib/python3.6/site-packages/botocore/client.py", line 324, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/root/Downloads/tools/cloudmapper-master/venv/lib/python3.6/site-packages/botocore/client.py", line 622, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::aaaaaaa:user/xxxxxx@yyyyyyyy is not authorized to perform: iam:GetUser on resource: user xxxx@yyyyyyyyy with an explicit deny
my AWS user doesn't have permission to run:
current_user = client.get_user()['User'] (line 41) and it stops there.
Can you do something about this?
Thanks,
A
Hi, does this method need any specific flag on the remote Responder? It does not work with default flags, and when I use other scripts for testing NTLM auth it works properly. So there is a problem with Word requests.
cfire.py -u
[-] Could not make connection to http://www.crimeflare.org:82/zippy.html. Confirm you have correct host.