ThreatResponse / aws_ir

Python installable command line utility for mitigation of host and key compromises.
MIT License

Paramiko failed to connect #87

Open lovecashmeer opened 6 years ago

lovecashmeer commented 6 years ago

I have installed aws_ir on AWS linux instance. I am trying to run instance-compromise command on this server for another aws Ec2 server . Here is the error I get with Paramiko failing to connect to the server.

```
aws_ir --examiner-cidr-range '****' instance-compromise --target **** --user ec2-user --ssh-key ~/sample.pem
2018-11-06T22:56:54 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2018-11-06T22:56:54 - aws_ir.libs.case - INFO - Initial connection to AmazonWebServices made.
2018-11-06T22:57:03 - aws_ir.libs.case - INFO - Inventory AWS Regions Complete 15 found.
2018-11-06T22:57:03 - aws_ir.libs.case - INFO - Inventory Availability Zones Complete 43 found.
2018-11-06T22:57:03 - aws_ir.libs.case - INFO - Beginning inventory of resources world wide. This might take a minute...
2018-11-06T22:57:03 - aws_ir.libs.inventory - INFO - Searching ap-south-1 for instance.
2018-11-06T22:57:13 - aws_ir.libs.case - INFO - Inventory complete. Proceeding to resource identification.
2018-11-06T22:57:13 - aws_ir.libs.connection - INFO - Returning session for default profile.
2018-11-06T22:57:13 - aws_ir.plans.host - INFO - Proceeding with incident plan steps included are ['gather_host', 'isolate_host', 'tag_host', 'snapshotdisks_host', 'examineracl_host', 'get_memory', 'stop_host']
2018-11-06T22:57:13 - aws_ir.plans.host - INFO - Executing step gather_host.
2018-11-06T22:57:13 - aws_ir.plans.host - INFO - Executing step isolate_host.
2018-11-06T22:57:15 - aws_ir.plans.host - INFO - Executing step tag_host.
2018-11-06T22:57:15 - aws_ir.plans.host - INFO - Executing step snapshotdisks_host.
True
2018-11-06T22:57:15 - aws_ir.plans.host - INFO - Executing step examineracl_host.
2018-11-06T22:57:17 - aws_ir.plans.host - INFO - Executing step get_memory.
2018-11-06T22:57:17 - aws_ir.plans.host - INFO - attempting memory run
2018-11-06T22:57:17 - aws_ir.plans.host - INFO - Attempting run margarita shotgun for ec2-user on 50.241.26.41 with /sample.pem
{ "uids": ["Lime Signing Key (Threat Response Official Lime Signing Key) security@threatresponse.cloud"], "fingerprint": "EFB6A0CE172EF3D5C8BD67F20F66E271E68B0D50" }
{ "uids": ["Lime Signing Key (Threat Response Official Lime Signing Key) security@threatresponse.cloud"], "fingerprint": "EFB6A0CE172EF3D5C8BD67F20F66E271E68B0D50" }
2018-11-06T22:57:37 - margaritashotgun - ERROR - Paramiko failed to connect to ****:22 with the exception: timed out
{'failed': ['*****'], 'completed': [], 'total': 1}
2018-11-06T22:57:37 - aws_ir.plans.host - INFO - memory capture completed for: [], failed for: ['54.245.56.57']
2018-11-06T22:57:37 - aws_ir.plans.host - INFO - Executing step stop_host.
```

andrewkrug commented 6 years ago

Thanks for the detailed output. I'll try and reproduce and triage a bit later today. A few questions:

  1. Is this a public or private VPC?
  2. Was the examiner CIDR provided RFC 1918 (e.g. 192.168.x.x, 10.x.x.x, 172.16.x.x)?
  3. Was the target server running openssh at the time?
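The two questions above (is sshd up, does the examiner CIDR get through) can be answered from the examiner host before the plan runs. The probe below is an added example, not code from aws_ir or margaritashotgun; it uses only the standard library and assumes a hypothetical target address given on the command line.

```python
import socket
import socketserver
import sys
import threading

# Constructed banner for the local self-test listener; a real sshd sends e.g. "SSH-2.0-OpenSSH_7.4".
TEST_BANNER = b"SSH-2.0-example\r\n"


def probe_ssh(host, port=22, timeout=5.0):
    """Report whether sshd on host:port is reachable from this (examiner) host.

    status is one of: open (banner received), no_banner (TCP open, nothing sent),
    refused (host reachable but no listener on the port), timeout (filtered:
    typically the security group / NACL does not allow the examiner CIDR on
    TCP/22), unreachable (routing or name resolution failure).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:  # same symptom as "Paramiko failed to connect ... timed out"
        return {"status": "timeout", "banner": None}
    except ConnectionRefusedError:
        return {"status": "refused", "banner": None}
    except OSError as exc:
        return {"status": "unreachable", "banner": None, "error": str(exc)}
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            return {"status": "no_banner", "banner": None}
    banner = data.decode("ascii", "replace").strip()
    status = "open" if banner.startswith("SSH-") else "no_banner"
    return {"status": status, "banner": banner or None}


class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(TEST_BANNER)


def start_fake_sshd(host="127.0.0.1"):
    """Throwaway listener that only sends a banner, so the probe can be exercised offline."""
    server = socketserver.TCPServer((host, 0), _BannerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # hypothetical target host
    print(probe_ssh(target))
```

A result of "timeout" against a public-subnet target points at the security group or NACL rather than at the key or user, while "refused" means the host answers but nothing listens on 22.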

lovecashmeer commented 6 years ago

Yes. The target EC2 instance is in a public subnet. The examiner CIDR provided is in RFC 1918. OpenSSH server status is running.

However, I tried using a target system which is in a private subnet. This time it seems paramiko was able to connect but failed with the error below:

```
margaritashotgun - ERROR - The kernel module for 4.14.72-73.55.amzn2.x86_64 does not exist, searched https://threatresponse-lime-modules.s3.amazonaws.com for availible modules
```

Please advise.

Thanks,

andrewkrug commented 6 years ago

@lovecashmeer we don't quite yet support amazonlinux2 ... there's some code to catch up in our kernel module build system. I've captured the task in a second issue here: https://github.com/ThreatResponse/margaritashotgun/issues/31