{"id":13684561,"url":"https://github.com/gl4ssesbo1/Nebula","last_synced_at":"2025-04-30T21:31:07.805Z","repository":{"id":45072014,"uuid":"358627334","full_name":"gl4ssesbo1/Nebula","owner":"gl4ssesbo1","description":"Nebula is a cloud C2 Framework, which at the moment offers reconnaissance, enumeration, exploitation, post exploitation on AWS, but still working to allow testing other Cloud Providers and DevOps Components.","archived":false,"fork":false,"pushed_at":"2024-10-28T18:11:02.000Z","size":15667,"stargazers_count":400,"open_issues_count":0,"forks_count":75,"subscribers_count":19,"default_branch":"main","last_synced_at":"2024-10-28T19:26:51.998Z","etag":null,"topics":["aws","c2","cloud","enumeration","nebula","pentesting","reconnaissance"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gl4ssesbo1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":null,"patreon":"gl4ssesbo1","open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2021-04-16T14:33:50.000Z","updated_at":"2024-10-28T18:11:06.000Z","dependencies_parsed_at":"2024-08-06T03:25:15.699Z","dependency_job_id":"4767cfa4-5461-445f-afbf-5d44bf319808","html_url":"https://github.com/gl4ssesbo1/Nebula","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
gl4ssesbo1%2FNebula","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gl4ssesbo1%2FNebula/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gl4ssesbo1%2FNebula/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gl4ssesbo1%2FNebula/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gl4ssesbo1","download_url":"https://codeload.github.com/gl4ssesbo1/Nebula/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224224798,"owners_count":17276428,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","c2","cloud","enumeration","nebula","pentesting","reconnaissance"],"created_at":"2024-08-02T14:00:34.888Z","updated_at":"2025-04-30T21:31:07.796Z","avatar_url":"https://github.com/gl4ssesbo1.png","language":"Python","funding_links":["https://patreon.com/gl4ssesbo1"],"categories":["蓝队工具","Python"],"sub_categories":["红队工具"],"readme":"# Nebula\n\u003cimg src=\"./.img/nebulalogo.png\" alt=\"logo\" width=\"100%\" align=\"center\"/\u003e\n\nNebula is a Cloud and (hopefully) DevOps Penetration Testing framework. \nIt is built with modules for each provider and each functionality. 
As of April 2021, it only covers AWS, but is currently an ongoing project and hopefully will continue to grow to test GCP, Azure, Kubernetes, Docker, or automation engines like Ansible, Terraform, Chef, etc.\nI started writing it while I was reading \"Hands-On AWS Penetration Testing with Kali Linux\" (https://www.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725) and it was based on Pacu (https://github.com/RhinoSecurityLabs/pacu)\n\n**Presentations:**\n- BlackHat Europe 2021: https://www.blackhat.com/eu-21/arsenal/schedule/index.html#nebula-a-case-study-in-penetrating-something-as-soft-as-a-cloud-25174\n\n**Currently covers:**\n- AWS, Azure (Graph and Management API) and DigitalOcean enumeration, exploitation and post-exploitation\n\n**There are currently 53 modules covering:**\n- Reconnaissance\n- Enumeration\n- Exploit\n- Cleanup\n\n**Version 3.0 Includes:**\n- Team cooperation with the client-teamserver architecture \n- All requests require authentication (except for the authentication request, of course)\n- All the information is stored in a MongoDB Server and accessible using commands. The information will of course have to have been enumerated beforehand, but this allows you to not enumerate a certain object\n\n## Installation\n### Server\nNebula is coded in python3.11. It uses the boto3 library to access AWS. \nTo install, just go to the ```teamserver``` directory and build the container:\n```\n$ docker build -t nebula-teamserver .\n```\nThen, just run it using docker:\n```\n$ docker run -it nebula-teamserver -dH \u003cdatabase host\u003e -du \u003cdatabase user\u003e -dp \u003cdatabase password\u003e -dn \u003cdatabase name\u003e --p \u003cteamserver password\u003e\n------------------------------------------------------------\n           _   _      _           _\n          | \\ | |    | |         | |\n          |  \\| | ___| |__  _   _| | __ _\n          | . 
` |/ _ \\ '_ \\| | | | |/ _` |\n  _______ | |\\  |  __/ |_) | |_| | | (_| |\n |__   __||_| \\_|\\___|_.__/ \\__,_|_|\\__,_|\n    | | ___  __ _ _ __ ___  ___  ___ _ ____   _____ _ __\n    | |/ _ \\/ _` | '_ ` _ \\/ __|/ _ \\ '__\\ \\ / / _ \\ '__|\n    | |  __/ (_| | | | | | \\__ \\  __/ |   \\ V /  __/ |\n    |_|\\___|\\__,_|_| |_| |_|___/\\___|_|    \\_/ \\___|_|\n-------------------------------------------------------------\n37 aws          0 gcp           4 azure         0 office365\n0 docker        0 kubernetes    4 misc          11 azuread\n4 digitalocean\n-------------------------------------------------------------\n60 modules      6 cleanup               0 detection\n19 enum         5 exploit               2 persistence\n1 listeners     0 lateral movement      7 detection bypass\n7 privesc       10 reconnaissance       2 stager        0 postexploitation\n1 misc\n\n[*] Port is busy. Is a MongoDB instance running there? [y/N] y\n------------------------------------------------------------\n[*] JWT Secret Key set to: '\u003csecret value\u003e'\n[*] Database Server set to: '\u003cdb host\u003e:\u003cdb port\u003e'\n[*] Database set to: '\u003cdb name\u003e'\n[*] Teamserver IP address is '\u003cteamserver host\u003e'\n[*] User 'cosmonaut' was created!\n[*] API Server set to: '\u003capi host\u003e:\u003capi port\u003e'\n------------------------------------------------------------\n```\n### Client\nSame with client **client**. 
Just go to the ```client``` directory and build the container:\n```\n$ docker build -t nebula-client .\n```\nThen, just run it using docker:\n```\n$ docker run -it nebula-client -ah \u003capi host\u003e -p \u003cteamserver password\u003e -b\n-------------------------------------------------------------\n37 aws          0 gcp           4 azure         0 office365\n0 docker        0 kubernetes    4 misc          13 azuread\n4 digitalocean\n-------------------------------------------------------------\n62 modules      6 cleanup               0 detection\n19 enum         5 exploit               2 persistence\n1 listeners     0 lateral movement      7 detection bypass\n7 privesc       10 reconnaissance       2 stager\n1 misc          2 initialaccess         0 postexploitation\n-------------------------------------------------------------\n\n[*] Importing sessions found on ~/.aws\n[*] No sessions found on ~/.aws\n()()(Nebula) \u003e\u003e\u003e\n```\n## Usage\n```\n\n                                                      ...........\n                                              ...''''''''''''''...\n                                           ..'''''...........''''''............\n                                         ..''''..             ...'''''''''''''''...\n                                       ..'''..                   ..............'''''..\n                                      .''''.          .;loddool:'.              ..''''..\n                                     ..'''.          .;clokXWWMWNKkl;.             .''''.\n                                     .'''.      .',,'..    ';dNMMMMMWKko;.           .'''..\n                                    .''''.   .cx0NWWNX0koc;,'cKMMMMMMMMMWXOo:.        .''''....\n                                    .'''.   .',',:oONMMMMMWNNNWMMMMMMWKk0WMMWXx'       .''''''''...\n                                   ..'''.          .,dXMMMMMMMMMMMMMNOl',oONWWd.        .......'''''..\n                                ...'''''..   
:o'      cXMMMMMMMMMMMMMWNXKKXNWWKxc,.             ..''''..\n                              ..''''....     oNKl'. ..oXMMMMMMMMMMMMMMMMMMMMMMMMMNKOdc,..         ..''''.\n                            ..''''..         ,OWWX0O0XWMMMMMMMMMMMMMMMMMMWWWWMMMMMMMMMWXOxooxk:.    ..'''.\n         ..'''''''''''''''''''''.             .l0NMMMMMMMMMMMMMMMMMMMMN0dc;;;coONMMMMMMMMMMMMMK:     ..'''.\n         .......................                .,dXMMMMMMMMMMMMMMMMMMWX0ko:.  .;OWMMMMMMMMMMMWx.     .'''.\n                                                  .oWMMMMMMMMMMMMMMWNXXXWMMWKd'  .:lccclodOXWMWd.      .'''.\n             ,lc'    ..................   ',.    .,OWMMMMMMMMMMMMXx:'...:0WMMMKl.      .. .'oKO,       .'''.\n            ,0MWx.  .''''''''''''''''''.  ;OKOOOO0NWMMMMMMMMMMMMNl.     .cdoox0XOl;'....... ...        .'''.\n            .;ol'    ...................   ;kXWMMMMMMMMMMMMMMMMMWx.          .:0WNKkdo:.  ...         .'''.\n           ....................              .:ldxk0XWMMMMMMMMMMMW0o'        .';;,.         ....     ..'''.\n         ;k00000000000000000000x'                  ..;lkXWMMMMMMMMMWXkc.                            ..'''.\n        .lXWWWWWWWWWWWWWWWWWWMMWKl.                     ;OWMMMMMMMMMMMWKx:.                       ..''''.\n          .,,,,,,,,,,,,,,,,,:kNMMW0o,.                  'kWMMMMMMMMMMMMMMWKd,.                  ..''''..\n                             .:ONMMMNKkdlc:::::::::ccldkKWMMMMMMMMMMMMMMMMMMNOl'    ...........'''''..\n                               .,oOXWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWXkc....''''''''''...\n                                  .':ldkO0000000000000000000000000000000000000000Ox:.  
........\n                                         ...........................................\n\n\n                                   _        _______  ______            _        _______\n                                  ( (    /|(  ____ \\(  ___ \\ |\\     /|( \\      (  ___  )\n                                  |  \\  ( || (    \\/| (   ) )| )   ( || (      | (   ) |\n                                  |   \\ | || (__    | (__/ / | |   | || |      | (___) |\n                                  | (\\ \\) ||  __)   |  __ (  | |   | || |      |  ___  |\n                                  | | \\   || (      | (  \\ \\ | |   | || |      | (   ) |\n                                  | )  \\  || (____/\\| )___) )| (___) || (____/\\| )   ( |\n                                  |/    )_)(_______/|/ \\___/ (_______)(_______/|/     \\|\n                                                        Because Clouds are so AWSome\n\n                                -------------------------------------------------------------\n                                                                Created by: gl4ssesbo1\n                                -------------------------------------------------------------\n                                48 aws          1 gcp           7 azure         0 office365\n                                0 docker        0 kubernetes    6 misc          4 azuread\n                                4 digitalocean\n                                -------------------------------------------------------------\n                                81 modules      6 cleanup               0 detection\n                                19 enum         22 exploit              2 persistence\n                                2 listeners     0 lateral movement      7 detection bypass\n                                0 privesc       16 reconnaissance       2 stager        1 postexploitation\n                                4 misc\n\n                                Remember:\n              
                  -------------------------------------------------------------\n                                1) Only use this  tool  if  you  have  permissions  from  the\n                                infrastructure's owner. Don't be a dick. Don't  choose  jail.\n                                And if you have some scruples, don't hack others just because\n                                you can (or cannot, in which case that's why you  chose  this\n                                tool to do it).\n\n                                2) There is a template file on module directory that you  can\n                                use if you want to  develop  new  modules.  If  you  want  to\n                                contribute on this tool, be my guest.\n\n                                3) Thank you for using this tool and Hack the Planet Legally!\n                                -------------------------------------------------------------\n[*] Importing sessions found on ~/.aws\n[*] Imported sessions found on ~/.aws. 
Enter 'show credentials' to get the credentials.\n(test)()(Nebula)\n```\n### Help\nRunning *help* command, will give you a list of the commands that can be used:\n```\n()()(AWS) \u003e\u003e\u003e help\n\n    Help Command:               Description:\n    -------------               ------------\n\n    help                        Show help for all the commands\n    help credentials            Show help for credentials\n    help module                 Show help for modules\n    help workspace              Show help for credentials\n    help user-agent             Show help for credentials\n    help shell                  Show help for shell connections\n\n\n    Module Commands             Description\n    ---------------             -----------\n\n    show modules                List all the modules\n    show enum                   List all Enumeration modules\n    show exploit                List all Exploit modules\n    show persistence            List all Persistence modules\n    show privesc                List all Privilege Escalation modules\n    show reconnaissance         List all Reconnaissance modules\n    show listener               List all Reconnaissance modules\n    show cleanup                List all Enumeration modules\n    show detection              List all Exploit modules\n    show detectionbypass        List all Persistence modules\n    show lateralmovement        List all Privilege Escalation modules\n    show stager                 List all Reconnaissance modules\n\n    use module \u003cmodule\u003e         Use a module.\n    options                     Show options of a module you have selected.\n    run                         Run a module you have selected. Eg: 'run \u003cmodule name\u003e'\n    search                      Search for a module via pattern. Eg: 'search s3'\n    back                        Unselect a module\n    set \u003coption\u003e                Set option of a module. 
Need to have the module used first.\n    unset \u003coption\u003e              Unset option of a module. Need to have the module used first.\n\n\n    User-Agent commands         Description\n    -------------------         -----------\n\n    set user-agent windows      Set a windows client user agent\n    set user-agent linux        Set a linux client user agent\n    set user-agent custom       Set a custom client user agent\n    show user-agent             Show the current user-agent\n    unset user-agent            Use the user agent that boto3 produces\n\n\n    Workspace Commands          Description\n    ------------------          -----------\n\n    create workspace \u003cwp\u003e       Create a workspace\n    use workspace \u003cwp\u003e          Use one of the workspaces\n    remove workspace \u003cwp\u003e       Remove a workspace\n\n\n    Shell commands              Description\n    -------------------         -----------\n\n    shell check_env             Check the environment you are in, get data and meta-data\n    shell exit                  Kill a connection\n    shell \u003ccommand\u003e             Run a command on a system. 
You don't need \" on the command, just shell \u003ccommand1\u003e \u003ccommand2\u003e\n```\n### Enum Privs\nWhen you have a set of credentials, you can enter *getuid* to get the user or *enum_user_privs* to check the Read permission of a set of credentials.\n#### GetUID\n```\n(test)()(AWS) \u003e\u003e\u003e getuid\n------------------------------------------------\nUserId: A******************Q\n------------------------------------------------\n        UserID: A******************Q\n        Arn: arn:aws:iam::012345678912:user/user_user\n        Account: 012345678912\n[*] Output is saved to './workspaces/test/12_07_2021_02_22_54_getuid_dev_brian'\n```\n\nIf the credentials do not have the privileges below on their own user,\n```\nSTS:GetUserIdentity\nIAM:GetUser\nIAM:ListAttachedUserPolicies\nIAM:GetPolicy (for all policies)\n```\nyou will get an error:\n```\n[*] An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:iam::012345678912:user/user_user is not authorized to perform: iam:GetUser on resource: user user_user\n```\n#### Enum_User_Privs\nThis command checks List and Describe Privileges on a set of credentials.\n```\n(test)()(AWS) \u003e\u003e\u003e enum_user_privs\nUser: user_user\n        UserID: A******************Q\n        Arn: arn:aws:iam::012345678912:user/user_user\n        Account: 012345678912\n--------------------------\nService: ec2\n--------------------------\n[*] Trying the 'Describe' functions:\n[*] 'describe_account_attributes' worked!\n[*] 'describe_addresses' worked!\n[*] 'describe_aggregate_id_format' worked!\n[*] 'describe_availability_zones' worked!\n[*] 'describe_bundle_tasks' worked!\n[*] 'describe_capacity_reservations' worked!\n[*] 'describe_client_vpn_endpoints' worked!\n[*] 'describe_coip_pools' worked!\n[*] 'describe_customer_gateways' worked!\n[*] 'describe_dhcp_options' worked!\n[*] 'describe_egress_only_internet_gateways' worked!\n^C[*] Stopping. It might take a while. 
Please wait.\n[*] Output of the allowed functions is saved to './workspaces/test/12_07_2021_02_24_09_enum_user_privs'\n[*] The list of the allowed functions is saved to './workspaces/test/12_07_2021_02_24_09_allowed_functions'\n```\n\n### Modules\n#### Listing modules\nYou can list all the modules or specific module:\n```\n()()(AWS) \u003e\u003e\u003e show modules\n        cleanup/aws_iam_delete_access_key                                     Delete access key of a user by providing\n                                                                                it.\n\n        cleanup/aws_iam_delete_login_profile                                  Delete access of a user to the Management\n                                                                                Console\n\n        enum/aws_ec2_enum_elastic_ips                                         Lists User data of an Instance provided.\n                                                                                Requires Secret Key and Access Key of an IAM that has access\n                                                                                to it.\n\n        enum/aws_ec2_enum_images                                              List all ec2 images. Needs credentials of an\n                                                                                IAM with DescribeImages right. Output is dumpled on a file.\n                                                                                It takes a sh*tload of time, unfortunately. And boy, is it a\n                                                                                huge output.\n\n        enum/aws_ec2_enum_instances                                           Describes instances attribues: Instances, VCP,\n                                                                                Zones, Images, Security Groups, Snapshots, Subnets, Tags,\n                                                                                Volumes. 
Requires Secret Key and Access Key of an IAM that\n                                                                                has access to all or any of the API calls:\n                                                                                DescribeAvailabilityZones, DescribeImages,\n                                                                                DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups,\n                                                                                DescribeSnapshots, DescribeSubnets, DescribeTags,\n                                                                                DescribeVolumes, DescribeVpcs\n```\n\nAnd like that you can use:\n```\n     show module\n     show enum\n     show exploit\n     show persistence\n     show privesc\n     show reconnaissance\n     show listener\n     show cleanup\n     show detection\n     show detectionbypass\n     show lateralmovement\n     show stager\n```\n#### Searching for modules\nUse **search** command to search modules with a specific word:\n```\n()()(AWS) \u003e\u003e\u003e search instance\n        enum/aws_ec2_enum_instances                                           Describes instances attribues: Instances, VCP,\n                                                                                Zones, Images, Security Groups, Snapshots, Subnets, Tags,\n                                                                                Volumes. 
Requires Secret Key and Access Key of an IAM that\n                                                                                has access to all or any of the API calls:\n                                                                                DescribeAvailabilityZones, DescribeImages,\n                                                                                DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups,\n                                                                                DescribeSnapshots, DescribeSubnets, DescribeTags,\n                                                                                DescribeVolumes, DescribeVpcs\n\n        enum/aws_iam_list_instance_profiles                                   List all the instance profiles.\n\n        exploit/aws_ec2_create_instance_with_user_data                        You must provide policies in JSON format in\n                                                                                IAM. However, for AWS CloudFormation templates formatted in\n                                                                                YAML, you can provide the policy in JSON or YAML format. AWS\n                                                                                CloudFormation always converts a YAML policy to JSON format\n                                                                                before submitting it to IAM.\n\n()()(AWS) \u003e\u003e\u003e\n```\n\n#### Using Modules\nTo use a module, just type *use* and the name of the module. 
The 3 brackets will have the name of the module.\n```\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e use module enum/aws_iam_get_group\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e\n```\n\n#### Options\nUsing *options*, we can list the information on the module:\n```\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e options\nDesctiption:\n-----------------------------\n        Describes instances attribues: Instances, VCP, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs\n\nAuthor:\n-----------------------------\n        name:   gl4ssesbo1\n        twitter:        https://twitter.com/gl4ssesbo1\n        github: https://github.com/gl4ssesbo1\n        blog:   https://www.pepperclipp.com/\n\nAWSCLI Command:\n-----------------------------\n        aws ec2 describe-instances --region {} --profile {}\n\nNeeds Credentials: True\n-----------------------------\n\nOptions:\n-----------------------------\n        SERVICE:        ec2\n                Required: true\n                Description: The service that will be used to run the module. It cannot be changed.\n\n        INSTANCE-ID:\n                Required: false\n                Description: The ID of the instance you want to enumerate. 
If not supplied, all instances will be enumerated.\n\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e\n```\nTo set options, use *set* and the name of the option:\n```\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e set INSTANCE-ID 1234\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e options\nDesctiption:\n-----------------------------\n        Describes instances attribues: Instances, VCP, Zones, Images, Security Groups, Snapshots, Subnets, Tags, Volumes. Requires Secret Key and Access Key of an IAM that has access to all or any of the API calls: DescribeAvailabilityZones, DescribeImages, DescribeInstances, DescribeKeyPairs, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumes, DescribeVpcs\n\nAuthor:\n-----------------------------\n        name:   gl4ssesbo1\n        twitter:        https://twitter.com/gl4ssesbo1\n        github: https://github.com/gl4ssesbo1\n        blog:   https://www.pepperclipp.com/\n\nNeeds Credentials: True\n-----------------------------\n\nAWSCLI Command:\n-----------------------------\n        aws ec2 describe-instances --region {} --profile {}\n\nOptions:\n-----------------------------\n        SERVICE:        ec2\n                Required: true\n                Description: The service that will be used to run the module. It cannot be changed.\n\n        INSTANCE-ID:    1234\n                Required: false\n                Description: The ID of the instance you want to enumerate. If not supplied, all instances will be enumerated.\n\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e\n```\nAlso unsetting them, using **unset**.\n```\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e unset INSTANCE-ID\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e\n```\n#### Running the module\nTo run the module, if it requires credentials, you will need to have imported a set of credentials with the permission required to run it. 
This is shown on a module's options as:\n```\nNeeds Credentials: True\n-----------------------------\n```\nTo run it, just enter **run**. Depending on the output, it will either show a paginated view, or just print it. The pagination uses the less binary, which on Windows is the binary from **https://github.com/jftuga/less-Windows**. A copy of the exe is in the less_binary directory.\nThe output is also saved to files in the workspace directory:\n```\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e run\n[*] Content dumped on file './workspaces/work1/16_04_2021_18_16_48_ec2_enum_instances'.\n```\n\n### Credentials\n#### Inputting Credentials\nNebula can use either the AccessKeyID + SecretKey combination or the AccessKeyID + SecretKey + SessionKey combination to authenticate to the infrastructure.\nTo insert a set of credentials, use:\n```\n()()(AWS) \u003e\u003e\u003e set credentials test1\nProfile Name: test1\nAccess Key ID: A*********2\nSecret Key ID: a****************************7\nRegion: us-west-3\n\nDo you also have a session token?[y/N]\n[*] Credentials set. Use 'show credentials' to check them.\n[*] Currect credential profile set to 'test1'.Use 'show current-creds' to check them.\n```\nAnd you will get some inputs allowing you to set them. A session token can be added when entering credentials, by inputting **y** when asked **Do you also have a session token?[y/N]**.\n\n#### Using Credentials\nTo use another credential, just enter:\n```\n()()(AWS) \u003e\u003e\u003e use credentials test1\n[*] Currect credential profile set to 'test1'.Use 'show current-creds' to check them.\n```\n#### Current Credentials\nWhen you enter the credentials, they are automatically made the current credentials, meaning the ones you will authenticate with. 
To check the current credentials, use:\n```\n()()(AWS) \u003e\u003e\u003e show current-creds\n{\n    \"profile\": \"test1\",\n    \"access_key_id\": \"A*********2\",\n    \"secret_key\": \"a****************************7\",\n    \"region\": \"us-west-3\"\n}\n```\n#### Removing Credentials\nIn case you don't want your credentials, you can remove them using:\n```\n()()(AWS) \u003e\u003e\u003e remove credentials test1\nYou are about to remove credential 'test1'. Are you sure? [y/N] y\n```\n#### Dumping and importing credentials\nIn case you want your credentials saved on the machine, you can use:\n```\n()()(AWS) \u003e\u003e\u003e dump credentials\n[*] Credentials dumped on file './credentials/16_04_2021_17_37_59'.\n```\nThey will be saved to a file named with the date and time of the dump, in the *credentials* directory under the Nebula directory.\nTo import them, just enter:\n```\n()()(AWS) \u003e\u003e\u003e import credentials 16_04_2021_17_37_59\n()()(AWS) \u003e\u003e\u003e show credentials\n[\n    {\n        \"profile\": \"test1\",\n        \"access_key_id\": \"A*********2\",\n        \"secret_key\": \"a****************************7\",\n        \"region\": \"us-west-3\"\n    }\n]\n```\n### Workspaces\nNebula uses workspaces to save the output from every command. 
The output is saved as json data (except for s3_name_fuzzer which saves it as XML) on a folder created on directory *workspaces*.\n#### Create Workspaces\nTo create one, enter:\n```\n()()(AWS) \u003e\u003e\u003e create workspace work1\n[*] Workspace 'work1' created.\n[*] Current workspace set at 'work1'.\n(work1)()(AWS) \u003e\u003e\u003e ls ./workspaces\n\n\n    Directory: C:\\Users\\***\\Desktop\\Nebula\\workspaces\n\n\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\nd-----         4/16/2021   5:42 PM                work1\n-a----         4/16/2021   4:40 PM              0 __init__.py\n```\nWhen created, the first brackets will contain the name of the workspace you are working at.\nIf you want to use an existing workspace, just type:\n```\n()()(AWS) \u003e\u003e\u003e use workspace work1\n(work1)()(AWS) \u003e\u003e\u003e\n```\nWorkspaces are required to be used, so even if you are not using any at the moment, while running a module, it will ask you to create one with random name or to just create one with a custom name yourself.\n```\n()()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e run\nA workspace is not configured. Workstation 'qxryiuct' will be created. Are you sure? [y/N] n\n[*] Create a workstation first using 'create workstation \u003cworkstation name\u003e'.\n()()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e\n```\n#### List workspaces\nTo get a list of workspaces, use:\n```\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e show workspaces\n-----------------------------------\nWorkspaces:\n-----------------------------------\n        work1\n\n(work1)()(enum/aws_ec2_enum_instances) \u003e\u003e\u003e\n```\n#### Remove Workspaces\nTo remove a workspace, enter:\n```\n()()(AWS) \u003e\u003e\u003e remove workspace work1\n[*] Are you sure you want to delete the workspace? 
[y/N] y\n()()(AWS) \u003e\u003e\u003e show workspaces\n-----------------------------------\nWorkspaces:\n-----------------------------------\n\n()()(AWS) \u003e\u003e\u003e\n```\n### Reverse Shell\nTo create a Reverse Shell, you need to create a stager and run a listener. To use this feature, you need to have Nebula run as root (to open ports).\n#### Stager\nTo generate a stager, use modules on *stagers*:\n```\n()()(AWS) \u003e\u003e\u003e use module stager/aws_python_tcp\n()()(stager/aws_python_tcp) \u003e\u003e\u003e options\nDesctiption:\n-----------------------------\n        The TCP Reverse Shell that is used by listeners/aws_python_tcp_listener\n\nAuthor:\n-----------------------------\n        name:   gl4ssesbo1\n        twitter:        https://twitter.com/gl4ssesbo1\n        github: https://github.com/gl4ssesbo1\n        blog:   https://www.pepperclipp.com/\n\nNeeds Credentials: False\n-----------------------------\n\nAWSCLI Command:\n-----------------------------\n        None\n\nOptions:\n-----------------------------\n        SERVICE:        none\n                Required: true\n                Description: The service that will be used to run the module. It cannot be changed.\n\n        HOST:\n                Required: true\n                Description: The Host/IP of the C2 Server.\n\n        PORT:\n                Required: true\n                Description: The C2 Server Port.\n\n        FORMAT:\n                Required: true\n                Description: The format of the stager. Currently only allows 'py' for Python and 'elf' for ELF Binary.\n\n        CALLBACK-TIME:  None\n                Required: true\n                Description: The time in seconds between callbacks from Stager. 
The Stager calls back even if the server crashes or is stoped in a loop.\n\n        OUTPUT-FILE-NAME:\n                Required: true\n                Description: The name of the stager output file.\n```\nThe options to fill are:\n   - **HOST**: The IP or domain of the C2 Server\n   - **Port**: The C2 Server Port\n   - **Format**: Currently only supports python raw file and elf binary\n   - **Callback-Time**: The interval in seconds at which sessions call back. The stager calls back even if a session is already up, and even if the server crashes or is closed, so that you don't lose access to the machine.\n   - **Output File Name**: The name of the output file.\n\nRunning the module will generate a stager saved at **./workspaces/workspacename/stagername**\n\n#### Listener\nThe listener is simple. Just configure Host (by default set to 0.0.0.0) and Port and it creates the server. To run the listener, Nebula must be running as root.\n```\n()()(stager/aws_python_tcp) \u003e\u003e\u003e use module listeners/aws_python_tcp_listener\n()()(listeners/aws_python_tcp_listener) \u003e\u003e\u003e options\nDesctiption:\n-----------------------------\n        TCP Listener for Reverse Shell stagers/aws_python_tcp\n\nAuthor:\n-----------------------------\n        name:   gl4ssesbo1\n        twitter:        https://twitter.com/gl4ssesbo1\n        github: https://github.com/gl4ssesbo1\n        blog:   https://www.pepperclipp.com/\n\nNeeds Credentials: False\n-----------------------------\n\nAWSCLI Command:\n-----------------------------\n        None\n\nOptions:\n-----------------------------\n        SERVICE:        none\n                Required: true\n                Description: The service that will be used to run the module. 
It cannot be changed.\n\n        HOST:   0.0.0.0\n                Required: true\n                Description: The Host/IP of the C2 Server.\n\n        PORT:\n                Required: true\n                Description: The C2 Server Port.\n```\n\n### User Agents\nThe user agent can be set to a Linux one, a Windows one, or a custom value. To show the current one, just use *show*.\n```\n()()(AWS) \u003e\u003e\u003e set user-agent linux\nUser Agent: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic was set\n()()(AWS) \u003e\u003e\u003e show user-agent\n[*] User Agent is: Boto3/1.9.89 Python/3.8.1 Linux/4.1.2-34-generic\n()()(AWS) \u003e\u003e\u003e set user-agent windows\nUser Agent: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48 was set\n()()(AWS) \u003e\u003e\u003e show user-agent\n[*] User Agent is: Boto3/1.7.48 Python/3.9.1 Windows/7 Botocore/1.10.48\n()()(AWS) \u003e\u003e\u003e set user-agent custom\nEnter the User-Agent you want: sth\nUser Agent: sth was set\n()()(AWS) \u003e\u003e\u003e show user-agent\n[*] User Agent is: sth\n()()(AWS) \u003e\u003e\u003e\n```\nTo unset a user agent, enter:\n```\n()()(AWS) \u003e\u003e\u003e unset user-agent\n[*] User Agent set to empty.\n```\nAfter this, the system's user agent is used.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgl4ssesbo1%2FNebula","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgl4ssesbo1%2FNebula","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgl4ssesbo1%2FNebula/lists"}