spin-up: Quickly Launch a Provisioned EC2 Attack Server

by | Oct 6, 2016 | #_shellntel, Blog, Penetration Testing

When on an engagement, sometimes we’ll encounter an eager blue team hellbent on identify and blocking our attacks. Typical in those instances we’d use proxy-cannon and route through multiple (ever changing) Amazon EC2 hosts.  However, what if you send shells back to a host that is easily “burnable”.

Introducing spin-up: A quick tool used designed to provision EC2 hosts on the fly for engagements where you want quick listener in the cloud.

Spin-up, in its current form, is a python script that will connect to EC2 and provision and connect you to one of the following instance:

  • Metasploit
  • Empire
  • Pentesters Framework
  • A simple WWW server
  • A server with dirb
  • A simple server with no configuration

 

Setup

Before we can begin, there are two things you need, one being optional:

  • Amazon AMI access keys
  • Route53 Account (optional)

We use Amazons AMI Access keys to launch instances on the fly. And we use Route53 (also through amazon) to register DNS. It is possible to buy domain records on the fly, though in our case we’re re-using existing records. All of this information can then be placed into the config and referenced at launch time.

Example of a DNS record in Amazons Route53

Example Config

 

Example: Spin-up Empire

Lets say you want to spin up a single instance of Empire, with a DNS name (useful for when your servers are blocked but your agents are still calling home… just update that record). Over HTTPS on port 443. For that you’d do:

./spin-up –config /etc/spin-up.conf -p 443 –dns totallysafe empire

Note: The consoles on the right auto fire for you:)

 

Example: Spin-up Metasploit

Lets say you want to spin up a single instance of Metasploit, with DNS, over port 8443. For that you’d do:

./spin-up –config /etc/spin-up.conf -t m3.medium -p 8443 –dns totallysafe msf

Note: You have the option to load a locally source RC file and have it run on the remote system.

Note 2 : Some instances require more horse power so for MSF you must use a m3.medium instance or greater.

 

Example: Spin-up WWW

Lets say you want to spin up a single instance of a WWW server, hosting your awesome phish/malware. For that you’d do:

./spin-up –config /etc/spin-up.conf -p 80 –dns totallysafe www

 

Example: Spin-up Pentesters Framework

Lastly, if you wanted to spin up a single instance of Pentestsers Framework, assign it a DNS name of totally safe and open inbound port 8080, then you’d do:

./spin-up –config /etc/spin-up.conf -p 8080 –dns totallysafe ptf

 

Conclusion

You get the idea. Spin-up also supports a plain version where you’ll be dropped to shell prompt to install whatever you’d like.  All instances are launched within a screened session, so if you ever need to move locations, or your session dies for whatever reason, you can always come back to it. (SSH keys are stored in temp). When you’re done, just hit ctrl-c and the instance will shutdown cleanly, and you’re good to move on.  Check it out, and if you have any issue please submit them via github.

@jarsnah12