akde/infosec

Use profiles:

  • Set the credentials with aws configure --profile $profile.
  • Add --profile $profile to every command to run it as this identity.

See https://github.com/eon01/AWS-CheatSheet for many commands, or https://swisskyrepo.github.io/InternalAllTheThings/cloud/aws/aws-access-token/

General

Get information about the currently used profile:

aws [--profile $profile] sts get-caller-identity

Another way to obtain an ARN (including the account ID) is to call a function that does not exist and extract the data from the error message.

EC2

List all EC2 images (AMIs):

aws [--profile $profile] ec2 describe-images --owners amazon --executable-users all

To list all AMIs belonging to the target organization's account, we need its Account ID. To find it, try various searches for strings the organization would probably use in its image names or descriptions.

aws [--profile $profile] ec2 describe-images --executable-users all --filters "Name=description,Values=$string"
aws [--profile $profile] ec2 describe-images --executable-users all --filters "Name=name,Values=$string"

You can also try this for snapshots:

aws [--profile $profile] ec2 describe-snapshots --filters "Name=description,Values=$string"
aws [--profile $profile] ec2 describe-snapshots --filters "Name=name,Values=$string"

Then, you can query images, snapshots, etc. with the found AccountID:

aws [--profile $profile] ec2 describe-images --owners $accountID --executable-users all
aws [--profile $profile] ec2 describe-snapshots > /tmp/a   # afterwards, scan /tmp/a for all AccountIDs to see images from this account

IAM

Background:

  • An identity is an IAM resource which can be authorized to perform actions and access resources.
  • Identities include
    • users,
    • roles and
    • groups.
  • An identity can be assigned
    • individual / inline policies (which are given specifically and manually to this identity) or
    • managed policies (shared policies which can be assigned to various users/groups).
  • Identities can be recursive.

Create a new user

aws [--profile $profile] iam create-user --user-name $newUserName

Create an access key and secret key so that we can interact with the AWS CLI as this user:

aws [--profile $profile] iam create-access-key --user-name $newUserName

Now, set up a new profile with the new keys:

aws configure --profile $newProfileName

Assign permissions to the new user (by default, a new user does not have any permissions).

Enumerate

Show various account information (including the user count):

aws --profile $profile iam get-account-summary

Get all users

aws --profile $profile iam list-users

Get all groups

aws --profile $profile iam list-groups

Get all roles

aws --profile $profile iam list-roles

Get all managed policies

  • which were defined in this account (--scope Local) and
  • which are actually attached to at least one identity (--only-attached):

aws --profile $profile iam list-policies --scope Local --only-attached

All of above in pacu:

run iam__enum_users_roles_policies_groups

Enumerate IAM users from other accounts

Prerequisites:

  • You have an account ID.
  • You want to enumerate the users of this account.

Create a new S3 bucket:

aws [--profile $profile] s3 mb s3://b-$RANDOM-$RANDOM

Create a policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::$createdBucketName",
            "Principal": {
                "AWS": ["arn:aws:iam::$accountId:user/cloudadmin"]
            },
            "Action": "s3:ListBucket"
        }
    ]
}

Apply the policy:

aws [--profile $profile] s3api put-bucket-policy --bucket $bucketName --policy file://policy.json
  • If the command returns without an error, the user exists.
  • Otherwise, the user does not exist.

Enumerate IAM privileges

Scenario:

  • You have AWS access and want to know what is possible with it (which IAM permissions it has).

Get inline policies of the user:

aws --profile $profile iam list-user-policies --user-name $username

Get managed policies of the user:

aws --profile $profile iam list-attached-user-policies --user-name $username

Get the groups the user is a member of:

aws --profile $profile iam list-groups-for-user --user-name $username
  • If you found groups: for each group, get information about which
    • inline policies they include with
      aws --profile $profile iam list-group-policies --group-name $foundGroupName
    • and managed policies they include with
      aws --profile $profile iam list-attached-group-policies --group-name $foundGroupName
      • If you found a managed policy, you can get its versions with
        aws --profile $profile iam list-policy-versions --policy-arn "arn:aws:iam::aws:policy/$foundPolicy"
      • Now, you can retrieve the policy document of this managed policy with all the permissions it grants:
        aws --profile $profile iam get-policy-version --policy-arn arn:aws:iam::aws:policy/$foundPolicy --version-id $foundVersion
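The steps above answer the question "what can this identity actually do?" one command at a time. The following script is an added example (not from the original page, pacu, or the AWS CLI) that performs the same walk in one pass: user inline policies, user managed policies, then the inline and managed policies of every group the user belongs to, resolving each managed policy through its DefaultVersionId rather than guessing a version. It then flags Allow statements with a whole-service or global action wildcard, which is the least-privilege review a defender wants from this data. The `api` argument is an assumed abstraction: it maps a CLI subcommand name to the parsed JSON that command prints; `fake_api` supplies constructed responses so the example runs offline. Note that list-attached-*-policies already returns the full PolicyArn, so the `arn:aws:iam::aws:policy/` prefix only needs to be added when you know the policy is AWS-managed.

```python
"""Aggregate an IAM user's effective policy statements and flag broad grants.

Added example; the `api` callable and `fake_api` data are assumptions, not the
AWS CLI itself.  To run against a real account, replace fake_api with a
function that shells out to `aws iam <subcommand> ...` and json.loads() the
output; the response keys used below match the real CLI output shapes.
"""
import json


def _as_list(value):
    """IAM documents allow a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def collect_statements(user, api):
    """Walk user inline -> user managed -> group inline -> group managed policies.

    Returns a list of (source, statement) tuples, one per policy statement.
    """
    found = []

    def add_doc(source, doc):
        for statement in _as_list(doc.get("Statement", [])):
            found.append((source, statement))

    def add_managed(source, arn):
        # get-policy tells us which version is in force; get-policy-version
        # then returns the full document of exactly that version.
        version = api("get-policy", PolicyArn=arn)["Policy"]["DefaultVersionId"]
        resp = api("get-policy-version", PolicyArn=arn, VersionId=version)
        add_doc(f"{source} managed {arn}", resp["PolicyVersion"]["Document"])

    for name in api("list-user-policies", UserName=user)["PolicyNames"]:
        doc = api("get-user-policy", UserName=user, PolicyName=name)["PolicyDocument"]
        add_doc(f"user inline {name}", doc)
    for p in api("list-attached-user-policies", UserName=user)["AttachedPolicies"]:
        add_managed("user", p["PolicyArn"])
    for group in api("list-groups-for-user", UserName=user)["Groups"]:
        gname = group["GroupName"]
        for name in api("list-group-policies", GroupName=gname)["PolicyNames"]:
            doc = api("get-group-policy", GroupName=gname, PolicyName=name)["PolicyDocument"]
            add_doc(f"group {gname} inline {name}", doc)
        for p in api("list-attached-group-policies", GroupName=gname)["AttachedPolicies"]:
            add_managed(f"group {gname}", p["PolicyArn"])
    return found


def broad_grants(statements):
    """Sources of Allow statements whose Action is '*' or a whole service ('iam:*')."""
    flagged = []
    for source, st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            flagged.append(source)
    return flagged


# ---- constructed sample data (not from a real account) -------------------
_USER_INLINE = {"own-bucket": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}}
_MANAGED = {
    "arn:aws:iam::111122223333:policy/ec2-read": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]},
    "arn:aws:iam::111122223333:policy/iam-full": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
}
_GROUP_INLINE = {"ops": {"deny-org-leave": {"Version": "2012-10-17", "Statement":
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}}}}


def fake_api(cmd, **kw):
    """Return constructed responses shaped like `aws iam <cmd>` JSON output."""
    if cmd == "list-user-policies":
        return {"PolicyNames": list(_USER_INLINE)}
    if cmd == "get-user-policy":
        return {"PolicyDocument": _USER_INLINE[kw["PolicyName"]]}
    if cmd == "list-attached-user-policies":
        return {"AttachedPolicies": [{"PolicyName": "ec2-read",
                                      "PolicyArn": "arn:aws:iam::111122223333:policy/ec2-read"}]}
    if cmd == "list-groups-for-user":
        return {"Groups": [{"GroupName": "ops"}]}
    if cmd == "list-group-policies":
        return {"PolicyNames": list(_GROUP_INLINE[kw["GroupName"]])}
    if cmd == "get-group-policy":
        return {"PolicyDocument": _GROUP_INLINE[kw["GroupName"]][kw["PolicyName"]]}
    if cmd == "list-attached-group-policies":
        return {"AttachedPolicies": [{"PolicyName": "iam-full",
                                      "PolicyArn": "arn:aws:iam::111122223333:policy/iam-full"}]}
    if cmd == "get-policy":
        return {"Policy": {"Arn": kw["PolicyArn"], "DefaultVersionId": "v2"}}
    if cmd == "get-policy-version":
        return {"PolicyVersion": {"VersionId": kw["VersionId"], "Document": _MANAGED[kw["PolicyArn"]]}}
    raise KeyError(cmd)


if __name__ == "__main__":
    stmts = collect_statements("alice", fake_api)
    for source, st in stmts:
        print(source, json.dumps(st))
    print("broad grants:", broad_grants(stmts))
```

The Deny statement in the group inline policy is deliberately present in the sample: it contributes to the statement list but is never reported as a broad grant, because an explicit Deny narrows rather than widens what the identity can do.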

Database

Listing the tables via the API:

aws dynamodb list-tables [--endpoint-url http://s3.bucket.htb/shell/]

Note: If credentials are missing, execute aws configure first.

Get the structure of a table:

aws dynamodb describe-table --table-name users [--endpoint-url http://s3.bucket.htb/shell/]

Query a table with the CLI:

aws dynamodb scan --table-name users [--endpoint-url http://s3.bucket.htb/shell/]

List bucket content:

aws --endpoint-url=http://s3.bucket.htb/ s3 ls adserver/images/

S3 Buckets

List all buckets

aws s3api list-buckets [--endpoint-url http://s3.bucket.htb/]

Sync a whole bucket:

aws s3 sync s3://adserver . [--endpoint-url http://s3.bucket.htb/]

Copy a file:

aws s3 cp t.php s3://adserver/t.php [--endpoint-url http://s3.bucket.htb/]

Enumerate S3 bucket names

Scenario:

  • You have AWS CLI access from an account.
  • You want to enumerate S3 bucket names.

What to do:

  • Create another user B.
  • Give B permission to read S3 buckets only when the owning account ID starts with 0.
  • Try accessing the bucket. If access is denied, the account ID does not start with 0.
  • Repeat with 1.
  • Repeat…

Create a new user called enumUser and a new profile. See the IAM section above.

Define a policy which allows reading only from buckets owned by an account whose ID starts with 0:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowResourceAccount",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {"s3:ResourceAccount": ["0*"]}
            }
        }
    ]
}

Apply this policy to the new user enumUser:

aws --profile $profile iam put-user-policy --user-name enumUser --policy-name s3-read --policy-document file://policy-file.json

Verify that the permissions were granted:

aws --profile $profile iam list-user-policies --user-name enumUser

Check access:

aws --profile enumUser s3 ls $bucket
  • If access is denied: edit the policy file, increment the digit, apply the policy file again, check access again. Repeat.
  • If access is not denied: you've found one digit of the account ID. Repeat with the next digit.
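Both enumeration tricks on this page leave a distinctive trail in CloudTrail: the cross-account user check (IAM section) produces a burst of PutBucketPolicy calls naming principals in a foreign account that are rejected as malformed, and the account-ID check produces PutUserPolicy (or PutGroupPolicy / PutRolePolicy) calls whose document carries a wildcard s3:ResourceAccount condition. The script below is an added detection example (not from the original page) that runs both checks over CloudTrail-style records. The record layout is an assumption about CloudTrail's JSON: `requestParameters.bucketPolicy` as a parsed object and `requestParameters.policyDocument` as a JSON string; the sample events, account IDs, user names and the `threshold` value are constructed.

```python
"""Detect the two policy-based enumeration patterns from CloudTrail records.

Added example.  Event layout follows CloudTrail's eventName / userIdentity /
requestParameters / errorCode fields as an assumption; all sample data below is
constructed and does not come from a real account.
"""
import json
from collections import Counter


def _as_list(value):
    """IAM documents allow a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def principal_accounts(policy):
    """Account IDs of every AWS principal ARN named in a bucket policy."""
    accounts = set()
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        if isinstance(principal, dict):
            for arn in _as_list(principal.get("AWS", [])):
                parts = arn.split(":")  # arn:partition:service:region:account:resource
                if len(parts) >= 6 and parts[4].isdigit():
                    accounts.add(parts[4])
    return accounts


def resource_account_wildcards(policy):
    """s3:ResourceAccount patterns using wildcards in any StringLike condition."""
    patterns = []
    for st in _as_list(policy.get("Statement", [])):
        for operator, keys in st.get("Condition", {}).items():
            if operator.startswith("StringLike"):  # also StringLikeIfExists
                for value in _as_list(keys.get("s3:ResourceAccount", [])):
                    if "*" in value or "?" in value:
                        patterns.append(value)
    return patterns


def analyze(events, threshold=3):
    """Return (actor ARN, reason) alerts for the two enumeration patterns."""
    alerts = []
    rejected_foreign = Counter()
    for ev in events:
        actor = ev["userIdentity"]["arn"]
        params = ev.get("requestParameters", {})
        if ev["eventName"] == "PutBucketPolicy":
            foreign = principal_accounts(params.get("bucketPolicy", {})) - {ev.get("recipientAccountId")}
            # A rejected policy that names a foreign principal is the existence probe itself.
            if foreign and ev.get("errorCode") == "MalformedPolicy":
                rejected_foreign[actor] += 1
        elif ev["eventName"] in ("PutUserPolicy", "PutGroupPolicy", "PutRolePolicy"):
            doc = params.get("policyDocument", "{}")
            if isinstance(doc, str):
                doc = json.loads(doc)
            patterns = resource_account_wildcards(doc)
            if patterns:
                alerts.append((actor, f"{ev['eventName']} with s3:ResourceAccount wildcard {patterns}"))
    for actor, count in rejected_foreign.items():
        if count >= threshold:
            alerts.append((actor, f"{count} PutBucketPolicy calls rejected for foreign principals"))
    return alerts


# ---- constructed sample records ------------------------------------------
def _bucket_policy_event(principal_arn, error=None):
    ev = {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
          "recipientAccountId": "111122223333",
          "userIdentity": {"arn": "arn:aws:iam::111122223333:user/tester"},
          "requestParameters": {"bucketName": "b-123-456", "bucketPolicy": {
              "Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                             "Resource": "arn:aws:s3:::b-123-456",
                             "Principal": {"AWS": principal_arn}}]}}}
    if error:
        ev["errorCode"], ev["errorMessage"] = error, "Invalid principal in policy"
    return ev


def _user_policy_event(doc):
    return {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
            "recipientAccountId": "111122223333",
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
            "requestParameters": {"userName": "enumUser", "policyName": "s3-read",
                                  "policyDocument": json.dumps(doc)}}


SAMPLE_EVENTS = [
    _bucket_policy_event("arn:aws:iam::444455556666:user/cloudadmin", "MalformedPolicy"),
    _bucket_policy_event("arn:aws:iam::444455556666:user/backup", "MalformedPolicy"),
    _bucket_policy_event("arn:aws:iam::444455556666:user/deploy", "MalformedPolicy"),
    _bucket_policy_event("arn:aws:iam::444455556666:user/ci"),  # accepted, no errorCode
    _user_policy_event({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*",
        "Condition": {"StringLike": {"s3:ResourceAccount": ["0*"]}}}]}),
    _user_policy_event({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
]

if __name__ == "__main__":
    for actor, reason in analyze(SAMPLE_EVENTS):
        print(actor, "->", reason)
```

In production the events would come from the CloudTrail log files in S3 or from an Athena query; the accepted PutBucketPolicy naming a foreign principal is ignored here because it is a legitimate cross-account grant on its own, but an organization that never shares buckets across accounts may want to alert on it too.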

s3recon

Scan for public buckets (with a wordlist):

s3recon wordlist.txt -o "results.json" --public

cloud_enum

See the Cloud enumeration post
