-
Notifications
You must be signed in to change notification settings - Fork 0
/
goPhish-AWS-Deploy.py
301 lines (232 loc) · 12.8 KB
/
goPhish-AWS-Deploy.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
import argparse
import boto3
import requests
import time
MinCount = 1
MaxCount =1
def _create_instance_proflie(client, instance_profile_name):
try:
profiles = client.list_instance_profiles()
for profile in profiles['InstanceProfiles']:
if instance_profile_name in profile['InstanceProfileName']:
print('[*] Using existing Instance Profile: {}'.format(profile['InstanceProfileName']))
return True
instance_profile = client.create_instance_profile(InstanceProfileName=instance_profile_name)
if instance_profile['ResponseMetadata']['HTTPStatusCode'] is 200:
print('[*] A new Instance Profile named "{}" was created'.format(instance_profile_name))
return True
else:
print('[*] Failed to create a new Instance Profile: {}'.format(instance_profile))
return False
except Exception as e:
print('[***] Failed to create a Instance Profile: {}'.format(e))
return False
def _create_role(client, role_name):
try:
roles = client.list_roles()
for role in roles['Roles']:
if role_name in role['RoleName']:
print('[*] Using existing Role: {}'.format(role['RoleName']))
return True
role = client.create_role(RoleName=role_name, AssumeRolePolicyDocument='{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}', Description='A role to allows SSM access to the {} instance for provisioning'.format(role_name))
if role['ResponseMetadata']['HTTPStatusCode'] is 200:
print('[*] A new Role named "{}" was created'.format(role_name))
return True
else:
print('[***] Failed to created a new Role: {}'.format(role))
return False
except Exception as e:
print('[***] Failed to create a new Role: {}'.format(e))
return False
def _attach_policy_to_role(client, role_name):
try:
response = client.attach_role_policy(
PolicyArn='arn:aws:iam::aws:policy/AmazonSSMFullAccess',
RoleName=role_name,
)
if response['ResponseMetadata']['HTTPStatusCode'] == 200:
return True
else:
print('[***] Failed to attach a Policy to Role: {}'.format(response))
return False
except Exception as e:
print('[***] Failed to attach a Policy to Role: {}'.format(e))
return False
def _add_role_to_profile(client, instance_profile_name, role_name):
try:
profile = client.get_instance_profile(InstanceProfileName=instance_profile_name)
if len(profile['InstanceProfile']['Roles']) > 0:
for role in profile['InstanceProfile']['Roles']:
if role['RoleName'] in role_name:
print('[*] The Profile: "{}" already has a Role: "{}" associated'.format(instance_profile_name, role_name))
return True
else:
print('[***] The Profile "{}" has an incorrect Role "{}" associated'.format(instance_profile_name, role_name))
return False
else:
add_role = client.add_role_to_instance_profile(InstanceProfileName=instance_profile_name, RoleName=role_name)
if add_role['ResponseMetadata']['HTTPStatusCode'] is 200:
print('[*] Added Role: "{}" to the Instance Profile: "{}"'.format(role_name, instance_profile_name))
return True
else:
print('[*] Failed to add the Role: "()" to the Profiel: {}'.format(role_name, instance_profile_name))
return False
except Exception as e:
print('[***] Failed to create a Instance Profile: {}'.format(e))
return False
def _check_command_status(client, command_id):
try:
response = client.list_command_invocations(CommandId=command_id)
if response['CommandInvocations'][0]['Status'] == 'Success':
return 200
else:
time.sleep(5)
_check_command_status(client, command_id)
except Exception as e:
print('[***] Failed to check the SSM command status: {}'.format(e))
return False
def create_key_pairs(client, key_name):
try:
key_pairs = client.describe_key_pairs()
for key_pair in key_pairs['KeyPairs']:
if key_pair['KeyName'] == key_name:
print('[*] Using existing Key Pair: {}'.format(key_name))
return True
response = client.create_key_pair(KeyName=key_name)
if response['ResponseMetadata']['HTTPStatusCode'] == 200:
print('[*] A new Key Pair named "{}" was created\n[*] Key Fingerpring: \n{}\n[*] Key Material: \n{}\n'.format(response['KeyName'], response['KeyFingerprint'], response['KeyMaterial']))
return True
else:
print('[***] Failed to create a Key Pair: {}'.format(response))
return False
except Exception as e:
print('[***] Failed to create Key Pair: {}'.format(e))
return False
def create_secutiry_groups(client, group_name, instance_name):
try:
security_groups = client.describe_security_groups()
for security_group in security_groups['SecurityGroups']:
if group_name in security_group['GroupName']:
print('[*] Using existing Security Group: {}'.format(group_name))
return True
response = client.create_security_group(GroupName=group_name, Description='A security group that provides access to the {} instance'.format(instance_name))
src_ip = '{}/32'.format(requests.get('http://jsonip.com').json()['ip'])
client.authorize_security_group_ingress(GroupId=response['GroupId'], IpProtocol="tcp", CidrIp=src_ip, FromPort=22, ToPort=22)
client.authorize_security_group_ingress(GroupId=response['GroupId'], IpProtocol="tcp", CidrIp='0.0.0.0/32', FromPort=443, ToPort=443)
client.authorize_security_group_ingress(GroupId=response['GroupId'], IpProtocol="tcp", CidrIp=src_ip, FromPort=3333, ToPort=3333)
print('[*] A new Security Group named "{}" was creased. Admin access granted from {}'.format(group_name, src_ip))
return True
except Exception as e:
print('[***] Failed to create Security Group: {}'.format(e))
return False
def create_iam_profile(client, instance_name):
InstanceProfileName = '{}InstanceProfile'.format(instance_name)
RoleName = '{}Role'.format(instance_name)
if _create_instance_proflie(client, InstanceProfileName):
if _create_role(client, RoleName):
if _attach_policy_to_role(client, RoleName):
if _add_role_to_profile(client, InstanceProfileName, RoleName):
return True
else:
return False
def create_instance(client, ec2, instance_name, image_id, key_name, instance_type, security_group, admin_contact):
try:
running_instances = client.describe_instances()
if len(running_instances['Reservations']) > 0:
for reservations in running_instances['Reservations']:
for ec2_instance in reservations['Instances']:
if ec2_instance['State']['Name'] == 'running':
for tag in ec2_instance['Tags']:
if 'Name' in tag['Key'] and instance_name == tag['Value']:
print('[***] An instance named {} already exists. Stopping the deployment of Gophish. \n Rename the existing instance or provide the a differnat InsstanceName argument.'.format(instance_name))
return False
if admin_contact is None:
admin_contact = 'No Admin Contact Provided'
instance = ec2.create_instances(
ImageId=image_id,
MinCount=MinCount,
MaxCount=MaxCount,
KeyName=key_name,
InstanceType=instance_type,
SecurityGroups=[security_group],
TagSpecifications=[
{'ResourceType': 'instance',
'Tags': [
{'Key': 'Name', 'Value': instance_name},
{'Key': 'admin_contact', 'Value': admin_contact},
{'Key': 'service_id', 'Value': instance_name},
{'Key': 'service_data', 'Value': 'env=Dev'}
]
}])[0]
print('[*] A new EC2 Instance is being spun up')
new_instance = ec2.Instance(instance.id)
new_instance.wait_until_running()
print('[*] The instance is up and running. Waiting for checks to complete.')
client.associate_iam_instance_profile(
IamInstanceProfile = {'Arn': 'arn:aws:iam::054732315499:instance-profile/{}InstanceProfile'.format(instance_name),
'Name': '{}Role'.format(instance_name)},
InstanceId=instance.id)
print('[*] Added the required permissions to allow SSM')
print('[*] Waiting for the instance to finish starting up')
waiter = client.get_waiter('instance_status_ok')
waiter.wait(InstanceIds=[new_instance.id])
print('[*] The new Instance ({}) is now ready to go'.format(instance.id))
return instance.id
except Exception as e:
if 'InvalidKeyPair.NotFound' in str(e):
print('[***]No Key Pair named {} was found. Please create this Key Pair first and store the keys safely.'.format(key_name))
return False
else:
print('[***] Failed to create Instance: {}'.format(e))
return False
def execute_commands_on_instance(client, Commands, Instance):
try:
print('[*] Preparing to install Gophish')
response = client.send_command(
DocumentName="AWS-RunShellScript",
Parameters={'commands': Commands},
InstanceIds=Instance,
)
if response['ResponseMetadata']['HTTPStatusCode'] == 200:
print('[*] The Gophish installation has started')
else:
print('[***] Failed to install Gophish: {}'.format(command))
return False
if _check_command_status(client, response['Command']['CommandId']) == None:
print('[*] The Gophish installation has completed')
return True
else:
return False
except Exception as e:
print('[***] Failed to execute commands: {}'.format(e))
return False
def main(args):
client_ec2 = boto3.client('ec2', region_name=args.Region)
client_iam = boto3.client('iam', region_name=args.Region)
client_ssm = boto3.client('ssm', region_name=args.Region)
ec2 = boto3.resource('ec2', region_name=args.Region)
SecurityGroup = '{}Group'.format(args.InstanceName)
KeyName = '{}Key'.format(args.InstanceName)
if create_key_pairs(client_ec2, KeyName):
if create_secutiry_groups(client_ec2, SecurityGroup, args.InstanceName):
if create_iam_profile(client_iam, args.InstanceName):
instance = create_instance(client_ec2, ec2, args.InstanceName, args.ImageId, KeyName, args.InstanceType, SecurityGroup, args.AdminContact)
if instance:
instance = instance.split(',')
if execute_commands_on_instance(client_ssm,
['git clone https://github.com/Status-418/gophish-aws-deploy.git',
'cd gophish-aws-deploy/tools',
'sudo bash install.sh'
],
instance):
public_ip = client_ec2.describe_instances(InstanceIds=instance)['Reservations'][0]['Instances'][0]['PublicIpAddress']
print('[*] The setup of Gophish is complete please try connecting to the admin pannel: https://{}:3333'.format(public_ip))
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('--InstanceName', required=True, help='Provide the name of the instance you want to stand up')
parser.add_argument('--Region', default='us-west-1', help='Provide the Region to be used (Default: us-west-1)')
parser.add_argument('--InstanceType', default='t2.micro', help='Provide the type of the instance you want to stand up (Default: t2.micro)')
parser.add_argument('--ImageId', default='ami-4aa04129', help='Provide the ImageID for the image you want to deploy (Default: ami-4aa04129)')
parser.add_argument('--AdminContact', help='Provide the project admin account email address')
args = parser.parse_args()
main(args)