Nebula
Nebula is a cloud C2 framework that currently offers reconnaissance, enumeration, exploitation and post-exploitation on AWS; work is ongoing to support testing other cloud providers and DevOps components.
Nebula is a Cloud and (hopefully) DevOps Penetration Testing framework. It is built with modules for each provider and each functionality. As of April 2021, it only covers AWS, but it is an ongoing project and will hopefully continue to grow to test GCP, Azure, Kubernetes, Docker, or automation engines like Ansible, Terraform, Chef, etc. I started writing it while I was reading "Hands-On AWS Penetration Testing with Kali Linux" (https://www.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725), and it was based on Pacu (https://github.com/RhinoSecurityLabs/pacu).
Presentations:
- BlackHat Europe 2021: https://www.blackhat.com/eu-21/arsenal/schedule/index.html#nebula-a-case-study-in-penetrating-something-as-soft-as-a-cloud-25174
Currently covers:
- AWS, Azure (Graph and Management API) and DigitalOcean enumeration, exploitation and post-exploitation
There are currently 53 modules covering:
- Reconnaissance
- Enumeration
- Exploit
- Cleanup
Version 3.0 Includes:
- Team cooperation with the client-teamserver architecture
- All requests require authentication (except for the authentication request ofc)
- All the information is stored in a MongoDB server and is accessible using commands. The information will ofc have to have been enumerated beforehand, but this saves you from enumerating a certain object again
Installation
Server
Nebula is written in Python 3.11. It uses the boto3 library to access AWS.
To install, just go to the teamserver directory and build the container:
$ docker build -t nebula-teamserver .
Then, just run it using docker:
$ docker run -it nebula-teamserver -dH <database host> -du <database user> -dp <database password> -dn <database name> --p <teamserver password>
------------------------------------------------------------
_ _ _ _
| \ | | | | | |
| \| | ___| |__ _ _| | __ _
| . ` |/ _ \ '_ \| | | | |/ _` |
_______ | |\ | __/ |_) | |_| | | (_| |
|__ __||_| \_|\___|_.__/ \__,_|_|\__,_|
| | ___ __ _ _ __ ___ ___ ___ _ ____ _____ _ __
| |/ _ \/ _` | '_ ` _ \/ __|/ _ \ '__\ \ / / _ \ '__|
| | __/ (_| | | | | | \__ \ __/ | \ V / __/ |
|_|\___|\__,_|_| |_| |_|___/\___|_| \_/ \___|_|
-------------------------------------------------------------
37 aws 0 gcp 4 azure 0 office365
0 docker 0 kubernetes 4 misc 11 azuread
4 digitalocean
-------------------------------------------------------------
60 modules 6 cleanup 0 detection
19 enum 5 exploit 2 persistence
1 listeners 0 lateral movement 7 detection bypass
7 privesc 10 reconnaissance 2 stager 0 postexploitation
1 misc
[*] Port is busy. Is a MongoDB instance running there? [y/N] y
------------------------------------------------------------
[*] JWT Secret Key set to: '<secret value>'
[*] Database Server set to: '<db host>:<db port>'
[*] Database set to: '<db name>'
[*] Teamserver IP address is '<teamserver host>'
[*] User 'cosmonaut' was created!
[*] API Server set to: '<api host>:<api port>'
------------------------------------------------------------
Client
The same goes for the client. Just go to the client directory and build the container:
$ docker build -t nebula-client .
Then, just run it using docker:
$ docker run -it nebula-client -ah <api host> -p <teamserver password> -b
-------------------------------------------------------------
37 aws 0 gcp 4 azure 0 office365
0 docker 0 kubernetes 4 misc 13 azuread
4 digitalocean
-------------------------------------------------------------
62 modules 6 cleanup 0 detection
19 enum 5 exploit 2 persistence
1 listeners 0 lateral movement 7 detection bypass
7 privesc 10 reconnaissance 2 stager
1 misc 2 initialaccess 0 postexploitation
-------------------------------------------------------------
[*] Importing sessions found on ~/.aws
[*] No sessions found on ~/.aws
()()(Nebula) >>>
Usage
...........
...''''''''''''''...
..'''''...........''''''............
..''''.. ...'''''''''''''''...
..'''.. ..............'''''..
.''''. .;loddool:'. ..''''..
..'''. .;clokXWWMWNKkl;. .''''.
.'''. .',,'.. ';dNMMMMMWKko;. .'''..
.''''. .cx0NWWNX0koc;,'cKMMMMMMMMMWXOo:. .''''....
.'''. .',',:oONMMMMMWNNNWMMMMMMWKk0WMMWXx' .''''''''...
..'''. .,dXMMMMMMMMMMMMMNOl',oONWWd. .......'''''..
...'''''.. :o' cXMMMMMMMMMMMMMWNXKKXNWWKxc,. ..''''..
..''''.... oNKl'. ..oXMMMMMMMMMMMMMMMMMMMMMMMMMNKOdc,.. ..''''.
..''''.. ,OWWX0O0XWMMMMMMMMMMMMMMMMMMWWWWMMMMMMMMMWXOxooxk:. ..'''.
..'''''''''''''''''''''. .l0NMMMMMMMMMMMMMMMMMMMMN0dc;;;coONMMMMMMMMMMMMMK: ..'''.
....................... .,dXMMMMMMMMMMMMMMMMMMWX0ko:. .;OWMMMMMMMMMMMWx. .'''.
.oWMMMMMMMMMMMMMMWNXXXWMMWKd' .:lccclodOXWMWd. .'''.
,lc' .................. ',. .,OWMMMMMMMMMMMMXx:'...:0WMMMKl. .. .'oKO, .'''.
,0MWx. .''''''''''''''''''. ;OKOOOO0NWMMMMMMMMMMMMNl. .cdoox0XOl;'....... ... .'''.
.;ol' ................... ;kXWMMMMMMMMMMMMMMMMMWx. .:0WNKkdo:. ... .'''.
.................... .:ldxk0XWMMMMMMMMMMMW0o' .';;,. .... ..'''.
;k00000000000000000000x' ..;lkXWMMMMMMMMMWXkc. ..'''.
.lXWWWWWWWWWWWWWWWWWWMMWKl. ;OWMMMMMMMMMMMWKx:. ..''''.
.,,,,,,,,,,,,,,,,,:kNMMW0o,. 'kWMMMMMMMMMMMMMMWKd,. ..''''..
.:ONMMMNKkdlc:::::::::ccldkKWMMMMMMMMMMMMMMMMMMNOl' ...........'''''..
.,oOXWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWXkc....''''''''''...
.':ldkO0000000000000000000000000000000000000000Ox:. ........
...........................................
_ _______ ______ _ _______
( ( /|( ____ \( ___ \ |\ /|( \ ( ___ )
| \ ( || ( \/| ( ) )| ) ( || ( | ( ) |
| \ | || (__ | (__/ / | | | || | | (___) |
| (\ \) || __) | __ ( | | | || | | ___ |
| | \ || ( | ( \ \ | | | || | | ( ) |
| ) \ || (____/\| )___) )| (___) || (____/\| ) ( |
|/ )_)(_______/|/ \___/ (_______)(_______/|/ \|
Because Clouds are so AWSome
-------------------------------------------------------------
Created by: gl4ssesbo1
-------------------------------------------------------------
48 aws 1 gcp 7 azure 0 office365
0 docker 0 kubernetes 6 misc 4 azuread
4 digitalocean
-------------------------------------------------------------
81 modules 6 cleanup 0 detection
19 enum 22 exploit 2 persistence
2 listeners 0 lateral movement 7 detection bypass
0 privesc 16 reconnaissance 2 stager 1 postexploitation
4 misc
Remember:
-------------------------------------------------------------
1) Only use this tool if you have permissions from the
infrastructure's owner. Don't be a dick. Don't choose jail.
And if you have some scruples, don't hack others just because
you can (or cannot, in which case that's why you chose this
tool to do it).
2) There is a template file on module directory that you can
use if you want to develop new modules. If you want to
contribute on this tool, be my guest.
3) Thank you for using this tool and Hack the Planet Legally!
-------------------------------------------------------------
[*] Importing sessions found on ~/.aws
[*] Imported sessions found on ~/.aws. Enter 'show credentials' to get the credentials.
(test)()(Nebula)
Help
Running help command,
