Yes. The target EC2 instance is in a public subnet.
Examiner CIDR provided is in RFC 1918.
OpenSSH server status is running.
However, I tried using a target system which is in a private subnet. This time it seems Paramiko was able to connect but failed with the below error:
margaritashotgun - ERROR - The kernel module for 4.14.72-73.55.amzn2.x86_64 does not exist, searched https://threatresponse-lime-modules.s3.amazonaws.com for availible modules
@lovecashmeer we don't quite yet support amazonlinux2 ... there's some code to catch up in our kernel module build system. I've captured the task in a second issue here: ThreatResponse/margaritashotgun#31
I have installed aws_ir on an AWS Linux instance.
I am trying to run the instance-compromise command on this server for another AWS EC2 server. Here is the error I get, with Paramiko failing to connect to the server.
aws_ir --examiner-cidr-range '********' instance-compromise --target ******** --user ec2-user --ssh-key ~/sample.pem
2018-11-06T22:56:54 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2018-11-06T22:56:54 - aws_ir.libs.case - INFO - Initial connection to AmazonWebServices made.
2018-11-06T22:57:03 - aws_ir.libs.case - INFO - Inventory AWS Regions Complete 15 found.
2018-11-06T22:57:03 - aws_ir.libs.case - INFO - Inventory Availability Zones Complete 43 found.
2018-11-06T22:57:03 - aws_ir.libs.case - INFO - Beginning inventory of resources world wide. This might take a minute...
2018-11-06T22:57:03 - aws_ir.libs.inventory - INFO - Searching ap-south-1 for instance.
2018-11-06T22:57:13 - aws_ir.libs.case - INFO - Inventory complete. Proceeding to resource identification.
2018-11-06T22:57:13 - aws_ir.libs.connection - INFO - Returning session for default profile.
2018-11-06T22:57:13 - aws_ir.plans.host - INFO - Proceeding with incident plan steps included are ['gather_host', 'isolate_host', 'tag_host', 'snapshotdisks_host', 'examineracl_host', 'get_memory', 'stop_host']
2018-11-06T22:57:13 - aws_ir.plans.host - INFO - Executing step gather_host.
2018-11-06T22:57:13 - aws_ir.plans.host - INFO - Executing step isolate_host.
2018-11-06T22:57:15 - aws_ir.plans.host - INFO - Executing step tag_host.
2018-11-06T22:57:15 - aws_ir.plans.host - INFO - Executing step snapshotdisks_host.
True
2018-11-06T22:57:15 - aws_ir.plans.host - INFO - Executing step examineracl_host.
2018-11-06T22:57:17 - aws_ir.plans.host - INFO - Executing step get_memory.
2018-11-06T22:57:17 - aws_ir.plans.host - INFO - attempting memory run
2018-11-06T22:57:17 - aws_ir.plans.host - INFO - Attempting run margarita shotgun for ec2-user on 50.241.26.41 with /sample.pem
{
"uids": ["Lime Signing Key (Threat Response Official Lime Signing Key) [email protected]"],
"fingerprint": "EFB6A0CE172EF3D5C8BD67F20F66E271E68B0D50"
}
{
"uids": ["Lime Signing Key (Threat Response Official Lime Signing Key) [email protected]"],
"fingerprint": "EFB6A0CE172EF3D5C8BD67F20F66E271E68B0D50"
}
2018-11-06T22:57:37 - margaritashotgun - ERROR - Paramiko failed to connect to :22 with the exception: timed out
{'failed': ['*'], 'completed': [], 'total': 1}
2018-11-06T22:57:37 - aws_ir.plans.host - INFO - memory capture completed for: [], failed for: ['54.245.56.57']
2018-11-06T22:57:37 - aws_ir.plans.host - INFO - Executing step stop_host.
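As an added example (not part of the original report, and not aws_ir's or margaritashotgun's own code), this parser classifies the two get_memory failures shown in the logs above and flags a run where stop_host executed after the capture had failed. The function name `triage` and the result keys are hypothetical; the log lines are copied from the report.

```python
import ast
import re

# Lines copied from the two runs reported above (addresses as posted).
SSH_RUN = """\
2018-11-06T22:57:17 - aws_ir.plans.host - INFO - Executing step get_memory.
2018-11-06T22:57:37 - margaritashotgun - ERROR - Paramiko failed to connect to :22 with the exception: timed out
2018-11-06T22:57:37 - aws_ir.plans.host - INFO - memory capture completed for: [], failed for: ['54.245.56.57']
2018-11-06T22:57:37 - aws_ir.plans.host - INFO - Executing step stop_host.
"""
MODULE_RUN = (
    "margaritashotgun - ERROR - The kernel module for 4.14.72-73.55.amzn2.x86_64 "
    "does not exist, searched https://threatresponse-lime-modules.s3.amazonaws.com "
    "for availible modules\n"
)

STEP = re.compile(r"Executing step (\w+)\.")
SSH_FAIL = re.compile(r"Paramiko failed to connect to (\S*):(\d+) with the exception: (.+)")
NO_MODULE = re.compile(r"The kernel module for (\S+) does not exist")
CAPTURE = re.compile(r"memory capture completed for: (\[.*?\]), failed for: (\[.*?\])")


def triage(log_text):
    """Summarise why get_memory failed and whether the host was stopped anyway."""
    out = {"steps": [], "ssh_error": None, "missing_module_kernel": None,
           "failed_hosts": [], "stopped_without_memory": False}
    for line in log_text.splitlines():
        if m := STEP.search(line):
            out["steps"].append(m.group(1))
            # A stopped instance no longer holds the memory the plan meant to capture.
            if m.group(1) == "stop_host" and out["failed_hosts"]:
                out["stopped_without_memory"] = True
        elif m := SSH_FAIL.search(line):
            # An empty host before ":22" (as in the report) is kept as "".
            out["ssh_error"] = {"host": m.group(1), "port": int(m.group(2)),
                                "reason": m.group(3).strip()}
        elif m := NO_MODULE.search(line):
            out["missing_module_kernel"] = m.group(1)
        elif m := CAPTURE.search(line):
            out["failed_hosts"] = ast.literal_eval(m.group(2))
    return out


if __name__ == "__main__":
    print(triage(SSH_RUN))
    print(triage(MODULE_RUN))
```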