EC2StepShell

Name: EC2StepShell
Version: 1.1.2
Summary: EC2StepShell is an AWS post-exploitation tool for getting reverse shells in public or private EC2 instances
Homepage: https://github.com/saw-your-packet/EC2StepShell
Upload time: 2024-09-20 10:29:22
Requires Python: >=3.6
License: Copyright 2023 saw-your-packet. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Keywords: cloud security, aws, ec2stepshell
Requirements: none recorded.
# EC2StepShell

EC2StepShell is an AWS post-exploitation tool for getting high-privilege reverse shells on public or private EC2 instances.
It works by sending commands to the instance with ssm:SendCommand and then retrieving their output with ssm:ListCommandInvocations or ssm:GetCommandInvocation. Because SSM Agent runs as root on Linux and as SYSTEM on Windows, the commands execute with those privileges by default.

More details about how the tool works can be found here: https://securitycafe.ro/2023/03/08/ec2stepshell-reverse-shells-private-ec2-instances/

## Installation

```bash
python -m pip install EC2StepShell
```

## Usage

If you target a public EC2 instance, you might be able to get a reverse shell using well-known payloads. The tool is most useful when the instance is in a private network or its security groups don't allow connections from your IP: every command and its output travels through the Systems Manager API, so no direct network path between you and the instance is needed.

![zoomed-short-demo-ec2stepshell](https://user-images.githubusercontent.com/38787278/219875886-05f367af-6782-4137-bd49-8e1b78652c36.gif)

```bash
python -m ec2stepshell -h
```

![help-menu](https://user-images.githubusercontent.com/38787278/218660321-cbf2da28-b9e6-4727-9643-697cf5857ce3.png)

### Requirements

- You need programmatic access to the account (temporary or persistent access credentials)
- You need two permissions:
  - ssm:SendCommand
  - ssm:ListCommandInvocations or ssm:GetCommandInvocation

The ssm:SendCommand action must be allowed on both the target EC2 instance and the SSM document that is used:
- AWS-RunShellScript (Linux)
- AWS-RunPowerShellScript (Windows)

You may not be able to verify this from the outside. In most misconfigurations ssm:SendCommand is granted on `*`, but if you receive an AccessDenied error and you're sure the instance id is correct, a policy that is scoped to the instance but not to the document (or the other way round) is the likely cause.
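The permission requirement above in code, as an added example that is not part of the EC2StepShell project: a deliberately simplified check of whether the Allow statements in a policy you can already read cover both resources ssm:SendCommand is authorised against, the instance ARN and the document ARN. The account id, region, instance id and the three policies are constructed for the example; the check ignores Deny statements, Condition blocks, NotAction/NotResource and any other policy attached to the principal, so it is a triage aid, not an IAM evaluator.

```python
"""Simplified resource-coverage check for ssm:SendCommand (added example).
Assumes: Allow statements only, no Deny, no Condition, no NotAction/NotResource."""
from fnmatch import fnmatchcase

REGION, ACCOUNT = "eu-west-1", "123456789012"          # constructed values
INSTANCE_ARN = "arn:aws:ec2:%s:%s:instance/i-0123456789abcdef0" % (REGION, ACCOUNT)
# AWS-owned documents carry no account id in their ARN.
DOC_ARNS = ["arn:aws:ssm:%s::document/AWS-RunShellScript" % REGION,
            "arn:aws:ssm:%s::document/AWS-RunPowerShellScript" % REGION]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _iam_match(pattern, value):
    # IAM wildcards: '*' any run of characters, '?' a single character.
    # fnmatch's '*' also crosses ':' and '/', which is what ARN matching needs.
    return fnmatchcase(value, pattern)


def uncovered_resources(policy, action, resource_arns):
    """Return the ARNs in resource_arns that no Allow statement for `action`
    matches. An empty list means the action is resource-wise allowed."""
    covered = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # Action names compare case-insensitively; "ssm:*" covers SendCommand.
        if not any(_iam_match(a.lower(), action.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            covered.update(arn for arn in resource_arns if _iam_match(res, arn))
    return [arn for arn in resource_arns if arn not in covered]


def send_command_allowed(policy, instance_arn, document_arn):
    """SendCommand needs BOTH the instance and the document in scope."""
    return not uncovered_resources(policy, "ssm:SendCommand",
                                   [instance_arn, document_arn])


# Constructed policies, from the common misconfiguration to least privilege.
# 1) SendCommand on everything: works against any instance with any document.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ssm:SendCommand", "ssm:GetCommandInvocation"],
     "Resource": "*"}]}

# 2) Scoped to one instance but to no document: SendCommand fails with
#    AccessDenied even though the instance id is correct.
INSTANCE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:SendCommand", "Resource": INSTANCE_ARN}]}

# 3) One instance, one document, and output retrieval: nothing else.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": [INSTANCE_ARN, DOC_ARNS[0]]},
    {"Effect": "Allow", "Action": "ssm:GetCommandInvocation", "Resource": "*"}]}


if __name__ == "__main__":
    for name, pol in [("wildcard", WILDCARD_POLICY),
                      ("instance-only", INSTANCE_ONLY_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, "missing:", uncovered_resources(pol, "ssm:SendCommand",
                                                     [INSTANCE_ARN, DOC_ARNS[0]]))
```

Run it against a policy document fetched with `aws iam get-policy-version` or `aws iam get-role-policy` (parsed as JSON); if `uncovered_resources` lists the document ARN, that matches the AccessDenied-with-correct-instance-id symptom described above.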

### Basic usage

```bash
# running using the default profile configured in AWS CLI
python -m ec2stepshell $instance_id --region $region

# running using a specific profile configured in AWS CLI
python -m ec2stepshell $instance_id --region $region --profile $profile

# running using persistent access credentials
python -m ec2stepshell $instance_id --region $region --access-key $access_key --secret-key $secret_key

# running using temporary access credentials
python -m ec2stepshell $instance_id --region $region --access-key $access_key --secret-key $secret_key --session-token $session_token
```

### Advanced usage

#### OS

The OS is detected automatically; if detection fails, especially on Windows instances, specify it manually with `--os`.

```bash
# for Linux, macOS and other UNIX-like instances
python -m ec2stepshell $instance_id --region $region --os linux 

# for Windows instances
python -m ec2stepshell $instance_id --region $region --os windows 
```

#### Delay

There is an initial wait time before the tool first attempts to retrieve the output. The default is 0.7 seconds, which may not be enough for Windows or low-resource instances.

Increase it with `--delay`. For Windows instances, a delay of about 3 seconds is recommended.

```bash
# set an initial delay of 2.5 seconds
python -m ec2stepshell $instance_id --region $region --delay 2.5
```

#### Retry delay

Once the initial wait time has passed, the tool tries to retrieve the command's output.
If the command has not finished executing yet, the tool waits for the retry delay before trying again.

This can be adjusted with `--retry-delay`.

The default value is 0.3 seconds.

```bash
# set retry delay of 0.5 seconds
python -m ec2stepshell $instance_id --region $region --retry-delay 0.5
```

#### Number of retries

If the command has not finished executing, the tool retries a fixed number of times to retrieve its output.

This can be adjusted with `--max-retries`.

The default value is 3.

```bash
# increase the maximum number of retries to 5
python -m ec2stepshell $instance_id --region $region --max-retries 5
```

#### In-shell commands

Once the shell is established, you get access to a new set of commands. You can view them by typing `!help`.

![in-shell-help](https://user-images.githubusercontent.com/38787278/218667636-b258e72a-5ada-4dc3-a0f4-b0941be38b19.png)

If a command has not finished executing within the configured number of retries, it is put in a queue.

You can view this queue and manually retry the commands whenever you wish. In the meantime, the shell stays open and can be used freely.

The tool notifies you when a command's output could not be retrieved. You can inspect the queue of unretrieved commands with `!showqueue`.

![showqueue](https://user-images.githubusercontent.com/38787278/218668801-43ce658a-82e5-4f58-a8f9-a9c91646ebbf.png)

To manually retry retrieving a command's output, use `!retry command_id`.

![retry-command](https://user-images.githubusercontent.com/38787278/218669211-7129a49b-dffd-4ad7-9201-9a782217a6de.png)

If the retry succeeds, the command is removed from the queue. To clear ALL the commands in the queue, run `!clearqueue`.

If you still have the command id, you can retrieve the output later even after clearing the queue, because the invocation remains valid on the AWS side; it is just no longer tracked in the queue.
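The mechanism described in this README (ssm:SendCommand, then polling ssm:GetCommandInvocation with the initial delay, retry delay and retry limit, and queueing whatever could not be retrieved for `!retry` / `!clearqueue`) as one added Python example. It is not EC2StepShell's own code: the class names and the `FakeSSM` stub with its canned responses are constructed for the example, the ListCommandInvocations path is left out, and the SSM client is injected so the example runs offline; pass `boto3.client("ssm")` instead to run it for real.

```python
"""SendCommand -> GetCommandInvocation loop with delay/retry/queue (added example,
not the project's code). The SSM client is injected; FakeSSM below is a stub."""
import time

# Statuses that GetCommandInvocation reports as final.
TERMINAL = {"Success", "Cancelled", "TimedOut", "Failed"}
# Both documents take the script lines in a parameter called "commands".
DOCUMENTS = {"linux": "AWS-RunShellScript", "windows": "AWS-RunPowerShellScript"}


class Invocation:
    def __init__(self, command_id, status, stdout="", stderr=""):
        self.command_id, self.status = command_id, status
        self.stdout, self.stderr = stdout, stderr

    @property
    def done(self):
        return self.status in TERMINAL


class StepShell:
    def __init__(self, ssm, instance_id, os="linux", delay=0.7,
                 retry_delay=0.3, max_retries=3, sleep=time.sleep):
        self.ssm, self.instance_id, self.os = ssm, instance_id, os
        self.delay, self.retry_delay, self.max_retries = delay, retry_delay, max_retries
        self._sleep = sleep      # injectable so tests need not really wait
        self.queue = {}          # command_id -> command text (what !showqueue lists)

    def send(self, command):
        """ssm:SendCommand; SSM Agent runs the script as root (Linux) or SYSTEM (Windows)."""
        resp = self.ssm.send_command(InstanceIds=[self.instance_id],
                                     DocumentName=DOCUMENTS[self.os],
                                     Parameters={"commands": [command]})
        return resp["Command"]["CommandId"]

    def fetch(self, command_id):
        """ssm:GetCommandInvocation. Asking before the invocation is registered
        raises InvocationDoesNotExist; treat that as still pending. That race is
        what the initial --delay is there to avoid."""
        try:
            r = self.ssm.get_command_invocation(CommandId=command_id,
                                                InstanceId=self.instance_id)
        except self.ssm.exceptions.InvocationDoesNotExist:
            return Invocation(command_id, "Pending")
        return Invocation(command_id, r["Status"],
                          r.get("StandardOutputContent", ""),
                          r.get("StandardErrorContent", ""))

    def run(self, command):
        """Send, wait --delay, then poll up to --max-retries more times with
        --retry-delay between polls; an unfinished command goes to the queue."""
        cid = self.send(command)
        self._sleep(self.delay)
        inv = self.fetch(cid)
        for _ in range(self.max_retries):
            if inv.done:
                break
            self._sleep(self.retry_delay)
            inv = self.fetch(cid)
        if not inv.done:
            self.queue[cid] = command
        return inv

    def retry(self, command_id):
        """!retry <command_id>: the invocation stays valid on the AWS side, so a
        later fetch can still succeed; drop it from the queue once it has."""
        inv = self.fetch(command_id)
        if inv.done:
            self.queue.pop(command_id, None)
        return inv

    def clear_queue(self):
        """!clearqueue: forget the ids locally; the invocations themselves remain."""
        self.queue.clear()


class FakeSSM:
    """Constructed stand-in for boto3's SSM client (not real AWS responses): the
    first poll of each command raises InvocationDoesNotExist, the next
    `polls_until_done` polls report InProgress, and after that it reports Success."""
    class exceptions:
        class InvocationDoesNotExist(Exception):
            pass

    def __init__(self, polls_until_done=1):
        self.polls_until_done = polls_until_done
        self.commands, self.polls = {}, {}

    def send_command(self, InstanceIds, DocumentName, Parameters):
        cid = "cmd-%d" % (len(self.commands) + 1)
        self.commands[cid] = Parameters["commands"][0]
        self.polls[cid] = 0
        return {"Command": {"CommandId": cid}}

    def get_command_invocation(self, CommandId, InstanceId):
        self.polls[CommandId] += 1
        if self.polls[CommandId] == 1:
            raise self.exceptions.InvocationDoesNotExist()
        if self.polls[CommandId] <= 1 + self.polls_until_done:
            return {"Status": "InProgress", "StandardOutputContent": ""}
        return {"Status": "Success", "StandardErrorContent": "",
                "StandardOutputContent": "ran: %s\n" % self.commands[CommandId]}


if __name__ == "__main__":
    shell = StepShell(FakeSSM(), "i-0123456789abcdef0", sleep=lambda s: None)
    print(shell.run("id").stdout, end="")
```

With `polls_until_done` larger than `max_retries` the command lands in the queue exactly as `!showqueue` would show it, and repeated `retry()` calls drain it once the fake command completes; with a real client, `delay`, `retry_delay` and `max_retries` map one-to-one onto `--delay`, `--retry-delay` and `--max-retries`.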

            

Raw data

{
    "_id": null,
    "home_page": null,
    "name": "EC2StepShell",
    "maintainer": null,
    "docs_url": null,
    "requires_python": ">=3.6",
    "maintainer_email": null,
    "keywords": "cloud security, AWS, EC2StepShell",
    "author": null,
    "author_email": "Eduard Agavriloae <eduard.agavriloae@hacktodef.com>",
    "download_url": "https://files.pythonhosted.org/packages/1e/a3/6b16731651a340b5dbf9ce54188d11fc33129a423ca2e574856c8809f6f3/ec2stepshell-1.1.2.tar.gz",
    "platform": null,
    "description": "# EC2StepShell\r\n\r\nEC2StepShell is an AWS post-exploitation tool for getting high privileges reverse shells in public or private EC2 instances.\r\nIt works by sending commands to EC2 instances using ssm:SendCommand and then retrieves the output using ssm:ListCommandInvocations or ssm:GetCommandInvocation.\r\n\r\nMore details about how the tool works can be found here: https://securitycafe.ro/2023/03/08/ec2stepshell-reverse-shells-private-ec2-instances/\r\n\r\n## Installation\r\n\r\n```bash\r\npython -m pip install EC2StepShell\r\n```\r\n\r\n## Usage\r\n\r\nIf you target a public EC2 instance, you might be able to get a reverse shell using well known payloads. However, the tool shines for the cases when the instance is in a private network or its security groups don't allow communications with your IP.\r\n\r\n![zoomed-short-demo-ec2stepshell](https://user-images.githubusercontent.com/38787278/219875886-05f367af-6782-4137-bd49-8e1b78652c36.gif)\r\n\r\n```bash\r\npython -m ec2stepshell -h\r\n```\r\n\r\n![help-menu](https://user-images.githubusercontent.com/38787278/218660321-cbf2da28-b9e6-4727-9643-697cf5857ce3.png)\r\n\r\n### Requirements\r\n\r\n- You need a programmatic access within the account (temporary/persistent access credentials)\r\n- You need two permissions:\r\n  - ssm:SendCommand\r\n  - ssm:ListCommandInvocations or ssm:GetCommandInvocation\r\n\r\nThe action ssm:SendCommand must be granted over the target EC2 instance and the documents:\r\n- AWS-RunShellScript\r\n- AWS-RunPowerShellScript\r\n\r\nYou might not be able to verify this. 
In most cases of misconfigurations, ssm:SendCommand will be granted with `*`, but if you receive access denied and you're sure that the instance id is correct, then this might be the issue.\r\n\r\n### Basic usage\r\n\r\n```bash\r\n# running using the default profile configured in AWS CLI\r\npython -m ec2stepshell $instance_id --region $region\r\n\r\n# running using a specific profile configured in AWS CLI\r\npython -m ec2stepshell $instance_id --region $region --profile $profile\r\n\r\n# running using persistent access credentials\r\npython -m ec2stepshell $instance_id --region $region --access-key $access_key --secret-key $secret_key\r\n\r\n# running using temporary access credentials\r\npython -m ec2stepshell $instance_id --region $region --access-key $access_key --secret-key $secret_key --session-token $session_token\r\n```\r\n\r\n### Advanced usage\r\n\r\n#### OS\r\n\r\nThe OS is detected automatically, however, if you encounter issues, especially for Windows instances, manually specify it with `--os` \r\n\r\n```bash\r\n# for MacOS and UNIX instances\r\npython -m ec2stepshell $instance_id --region $region --os linux \r\n\r\n# for Windows instances\r\npython -m ec2stepshell $instance_id --region $region --os windows \r\n```\r\n\r\n#### Delay\r\n\r\nThere is an initial wait time configured before attempting to retrieve the output. Its default value is 0.7 seconds, but for Windows and low resources instances this might not be enough.\r\n\r\nThe value can be increased with `--delay`. 
For Windows instances, my recommendation is to go for a 3 seconds delay.\r\n\r\n```bash\r\n# set an initial delay of 2.5 seconds\r\npython -m ec2stepshell $instance_id --region $region --delay 2.5\r\n```\r\n\r\n#### Retry delay\r\n\r\nAfter the initial wait time passed, the tool will try to retrieve the command's output.\r\nIf the command still didn't finished its execution, a new retry delay will come in place as wait time.\r\n\r\nThis can be adjusted with `--retry-delay`.\r\n\r\nThe default value is 0.3 seconds.\r\n\r\n```bash\r\n# set retry delay of 0.5 seconds\r\npython -m ec2stepshell $instance_id --region $region --retry-delay 0.5\r\n```\r\n\r\n#### Number of retries\r\n\r\nIf the command didn't finish its execution, the tool will retry for a number of times to retrieve its output.\r\n\r\nThis can be adjusted with `--max-retries`.\r\n\r\nThe default value is 3.\r\n\r\n```bash\r\n# increase the maximum number of retries to 5\r\npython -m ec2stepshell $instance_id --region $region --max-retries 5\r\n```\r\n\r\n#### In-shell commands\r\n\r\nOnce the shell is established, you get access to a new set of commands. You can view them by typing `!help`.\r\n\r\n![in-shell-help](https://user-images.githubusercontent.com/38787278/218667636-b258e72a-5ada-4dc3-a0f4-b0941be38b19.png)\r\n\r\nIf a command didn't finish its execution in the set number of retries, then it will be put in a queue.\r\n\r\nYou can view this queue and retry manually the commands when you wish. In the meantime, the reverse shell stays open and can be used freely.\r\n\r\nThe tool will notify when a command didn't finish its execution and couldn't be retrieved. 
You can check the queue with not retrieved commands using `!showqueue`.\r\n\r\n![showqueue](https://user-images.githubusercontent.com/38787278/218668801-43ce658a-82e5-4f58-a8f9-a9c91646ebbf.png)\r\n\r\nTo manually retry to retrieve the command, you can use `!retry command_id`.\r\n\r\n![retry-command](https://user-images.githubusercontent.com/38787278/218669211-7129a49b-dffd-4ad7-9201-9a782217a6de.png)\r\n\r\nIf the retry worked, then the command will be removed from the queue. To manually clear ALL the commands in the queue, run `!clearqueue`.\r\n\r\nIf you have the command id, you can still try to retrieve them later as the command is still valid. It's just not present in the queue.\r\n",
    "bugtrack_url": null,
    "license": "Copyright 2023 saw-your-packet  Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:  The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.  THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.",
    "summary": "EC2StepShell is an AWS post-exploitation tool for getting reverse shells in public or private EC2 instances",
    "version": "1.1.2",
    "project_urls": {
        "Homepage": "https://github.com/saw-your-packet/EC2StepShell"
    },
    "split_keywords": [
        "cloud security",
        " aws",
        " ec2stepshell"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "dcea14efeab5515931f6c224bea099b26dbc73dd3fb17597afe40edf37a855b3",
                "md5": "b55b0386e659b83701b3036532cc2220",
                "sha256": "96360b8fbe774031ab8c0a1021141a85675fec119c8086fb643c8ba8436180c3"
            },
            "downloads": -1,
            "filename": "EC2StepShell-1.1.2-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "b55b0386e659b83701b3036532cc2220",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.6",
            "size": 13340,
            "upload_time": "2024-09-20T10:29:20",
            "upload_time_iso_8601": "2024-09-20T10:29:20.665493Z",
            "url": "https://files.pythonhosted.org/packages/dc/ea/14efeab5515931f6c224bea099b26dbc73dd3fb17597afe40edf37a855b3/EC2StepShell-1.1.2-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "1ea36b16731651a340b5dbf9ce54188d11fc33129a423ca2e574856c8809f6f3",
                "md5": "8c85588781110ec580b2ee7267d98d77",
                "sha256": "1900be0c82517519fb9983c676e318fcdaff566d993c2f1a181d68faa725c95c"
            },
            "downloads": -1,
            "filename": "ec2stepshell-1.1.2.tar.gz",
            "has_sig": false,
            "md5_digest": "8c85588781110ec580b2ee7267d98d77",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.6",
            "size": 11550,
            "upload_time": "2024-09-20T10:29:22",
            "upload_time_iso_8601": "2024-09-20T10:29:22.607152Z",
            "url": "https://files.pythonhosted.org/packages/1e/a3/6b16731651a340b5dbf9ce54188d11fc33129a423ca2e574856c8809f6f3/ec2stepshell-1.1.2.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-09-20 10:29:22",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "saw-your-packet",
    "github_project": "EC2StepShell",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": false,
    "requirements": [],
    "lcname": "ec2stepshell"
}
        