{"id":1715,"date":"2020-11-05T15:10:29","date_gmt":"2020-11-05T14:10:29","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1715"},"modified":"2025-08-29T10:24:33","modified_gmt":"2025-08-29T08:24:33","slug":"dynamodb","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1715","title":{"rendered":"<span class=\"caps\">AWS<\/span> Amazon Web Service enumeration"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Use pro\u00adfiles:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set the cre\u00adden\u00adtials with <code>aws configure --profile <\/code>$pro\u00adfile.<\/li>\n\n\n\n<li>Use in all com\u00admands <code>--profile $profile<\/code> to use this identity.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">See <a href=\"https:\/\/github.com\/eon01\/AWS-CheatSheet\">https:\/\/github.com\/eon01\/AWS-CheatSheet<\/a> for many com\u00admands or <a href=\"https:\/\/swisskyrepo.github.io\/InternalAllTheThings\/cloud\/aws\/aws-access-token\/\">https:\/\/swisskyrepo.github.io\/InternalAllTheThings\/cloud\/aws\/aws-access-token\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">General<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Get Infos of the cur\u00adrent used profile<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws [--profile $profile] sts get-caller-identity<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Anoth\u00ader pos\u00adsi\u00adbil\u00adi\u00adty to gain an <span class=\"caps\">ARN<\/span> (with account id) is to call a non-exist\u00ading func\u00adtion and to extract data from the error message.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">EC2<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">List all <span class=\"caps\">EC2<\/span> images =&nbsp;AMI\u2019s:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws [--profile $profile] ec2 describe-images --owners amazon --executable-users all<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To get a list of all AMI\u2019s from the account of our tar\u00adget orga\u00adni\u00adza\u00adtion, we need the Account <span class=\"caps\">ID<\/span>. To get that, try var\u00adi\u00adous search\u00ades for a string the orga\u00adni\u00adza\u00adtion would prob\u00ada\u00adbly use for their images.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws [--profile $profile] ec2 describe-images --executable-users all --filters \"Name=description,Values=$string\"<br>aws [--profile $profile] ec2 describe-images --executable-users all --filters \"Name=name,Values=$string\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You can also try this for snapshots:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws [--profile $profile] ec2 describe-snapshots --filters \"Name=description,Values=$string\"<br>aws [--profile $profile] ec2 describe-snapshots --filters \"Name=name,Values=$string\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then, you can query images, snap\u00adshots, etc. with the found AccountID:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws [--profile $profile] ec2 describe-images --owners $accountID --executable-users all<br>aws [--profile $profile] ec2 describe-snapshots &gt; \/tmp\/a \/\/ afterwards, scan \/tmp\/a for all AccountIDs to see images from this account.<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">IAM<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Back\u00adground:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An iden\u00adti\u00adty is a <span class=\"caps\">IAM<\/span> resource which can be autho\u00adrized to per\u00adform actions and access resources.<\/li>\n\n\n\n<li>An iden\u00adti\u00adty includes&nbsp;<ul class=\"wp-block-list\">\n<li>users,<\/li>\n\n\n\n<li>roles and<\/li>\n\n\n\n<li>groups.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>An iden\u00adti\u00adty can be assigned&nbsp;<ul class=\"wp-block-list\">\n<li>invi\u00addid\u00adual \/ inline poli\u00adcies (which were giv\u00aden specific\/manually to this user)&nbsp;or<\/li>\n\n\n\n<li>man\u00adaged poli\u00adcies (shared poli\u00adcies which can be assigned var\u00adi\u00adous users\/groups).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Iden\u00adti\u00adties can be recursive.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a new&nbsp;user<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws [--profile $profile] iam create-user --user-name $newUserName<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate access and secret key so that we can inter\u00adact with the <span class=\"caps\">AWS<\/span> <span class=\"caps\">CLI<\/span> as this&nbsp;user:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws [--profile $profile] iam create-access-key --user-name $newUserName<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, set a new pro\u00adfile with the new&nbsp;keys:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws configure --profile $newProfileName<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Assign per\u00admis\u00adsions to the new user (per default, a new user does not have any permissions.)&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Enumerate<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">See var\u00adi\u00adous infor\u00adma\u00adtion (also user&nbsp;count!):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile $profile iam get-account-summary<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get all&nbsp;users<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile $profile iam list-users<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get all groups<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile $profile iam list-groups<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get all&nbsp;roles<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile $profile iam list-roles<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get all man\u00adaged policies<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>which were defined from this account (\u2013scope Local) and<\/li>\n\n\n\n<li>which are actu\u00adal\u00adly used by at least one iden\u00adti\u00adty (\u2013only-attached)<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile $profile iam list-policies --scope Local --only-attached<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">All of above in&nbsp;pacu:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">run iam__enum_users_roles_policies_groups<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Enumerate <span class=\"caps\">IAM<\/span> users from other accounts<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Pre\u00adreq\u00adui\u00adsites:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You have a account id.<\/li>\n\n\n\n<li>You want to enu\u00admer\u00adate users of this account.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a new <span class=\"caps\">S3<\/span> bucket:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws [--profile $profile] s3 mb s3:\/\/b-$RANDOM-$RANDOM<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a policy:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"json\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"AllowUserToListBucket\",\n            \"Effect\": \"Allow\",\n            \"Resource\": \"arn:aws:s3:::$createdBucketName\",\n            \"Principal\": {\n                \"AWS\": [\"arn:aws:iam::$accountId:user\/cloudadmin\"]\n            },\n            \"Action\": \"s3:ListBucket\"\n\n        }\n    ]\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Apply the policy:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws [--profile $profile] s3api put-bucket-policy --bucket $bucketName --policy file:\/\/policy.json<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If there is no return, the users exists.<\/li>\n\n\n\n<li>Else: User does not&nbsp;exist.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Enumerate <span class=\"caps\">IAM<\/span> privileges<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You have an <span class=\"caps\">AWS<\/span> access and want to know what is pos\u00adsi\u00adble with it (which <span class=\"caps\">IAM<\/span> per\u00admis\u00adsions it&nbsp;have).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Get inline poli\u00adcies of the&nbsp;user:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile $profile iam list-user-policies --user-name $username<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get man\u00adaged poli\u00adcies of the&nbsp;user:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile $profile iam list-attached-user-policies --user-name $username<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get groups in which is user is part&nbsp;of:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile $profile iam list-groups-for-user --user-name $username<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you found groups: Get for each group infos&nbsp;which&nbsp;<ul class=\"wp-block-list\">\n<li>inline poli\u00adcies they include with<br><code>aws --profile $profile iam list-group-policies --group-name $foundGroupName<\/code><\/li>\n\n\n\n<li>and man\u00adaged poli\u00adcies they include with<br><code>aws --profile $profile<\/code><code> iam list-attached-group-policies --group-name $foundGroupName<\/code>\n<ul class=\"wp-block-list\">\n<li>If you fand a man\u00adaged pol\u00adi\u00adcy, you can get the ver\u00adsions of it with<br><code>aws --profile $profile iam list-policy-versions --policy-arn \"arn:aws:iam::aws:policy\/$foundPolicy\"<\/code><\/li>\n\n\n\n<li>Now, you can retrieve the pol\u00adi\u00adcy of this man\u00adaged pol\u00adi\u00adcy with all the per\u00admis\u00adsions it has:<br><code>aws --profile $profile iam get-policy-version --policy-arn arn:aws:iam::aws:policy\/$foundPolicy --version-id $foundVersion<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Database<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">List\u00ading the tables via the&nbsp;<span class=\"caps\">API<\/span>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws dynamodb list-tables [--endpoint-url http:\/\/s3.bucket.htb\/shell\/]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Note: If cre\u00adden\u00adtials are miss\u00ading, exe\u00adcute <em>aws con\u00adfig\u00adure<\/em> before.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Get the struc\u00adture of a&nbsp;table:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws dynamodb describe-table --table-name users [--endpoint-url http:\/\/s3.bucket.htb\/shell\/]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Query a table with the&nbsp;<span class=\"caps\">CLI<\/span>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws dynamodb scan --table-name users [--endpoint-url http:\/\/s3.bucket.htb\/shell\/]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List buck\u00adet content:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --endpoint-url=http:\/\/s3.bucket.htb\/ s3 ls adserver\/images\/<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">S3<\/span> Buckets<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">List all buckets<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws s3api list-buckets [--endpoint-url http:\/\/s3.bucket.htb\/]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Sync a whole bucket:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws s3 sync s3:\/\/adserver . [--endpoint-url http:\/\/s3.bucket.htb\/]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Copy a&nbsp;file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws s3 cp t.php s3:\/\/adserver\/t.php [--endpoint-url http:\/\/s3.bucket.htb\/]<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Enumerate <span class=\"caps\">S3<\/span> bucket names<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You have <span class=\"caps\">AWS<\/span> <span class=\"caps\">CLI<\/span> access from an account.<\/li>\n\n\n\n<li>You want to enu\u00admer\u00adate <span class=\"caps\">S3<\/span> buck\u00adet&nbsp;names.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">What to&nbsp;do:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cre\u00adate anoth\u00ader user&nbsp;B<\/li>\n\n\n\n<li>Give B per\u00admis\u00adsions to read <span class=\"caps\">S3<\/span> buck\u00adets only when the account <span class=\"caps\">ID<\/span> starts with&nbsp;0.<\/li>\n\n\n\n<li>Try access\u00ading it. If there is access denied, the account <span class=\"caps\">ID<\/span> does not start with&nbsp;0.<\/li>\n\n\n\n<li>Repeat with&nbsp;1.<\/li>\n\n\n\n<li>Repeat\u2026<\/li>\n\n\n\n<li><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a new user called enu\u00admUser and a new pro\u00adfile. See the <span class=\"caps\">IAM<\/span> sec\u00adtion&nbsp;above.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Define a pol\u00adi\u00adcy which allowes to read only for buck\u00adets which start with&nbsp;0:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"json\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>{\n     \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"AllowResourceAccount\",\n            \"Effect\": \"Allow\",\n            \"Action\": [\n                \"s3:ListBucket\",\n                \"s3:GetObject\"\n            ],\n            \"Resource\": \"*\",\n            \"Condition\": {\n                \"StringLike\": {\"s3:ResourceAccount\": [\"0*\"]}\n            }\n        }\n    ]\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Apply this pol\u00adi\u00adcy to the new user <em>enu\u00admUser<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile $profile iam put-user-policy --user-name enumUser --policy-name s3-read --policy-document file:\/\/policy-file.json<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Ver\u00adi\u00adfy that the per\u00admis\u00adsions were granted:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile $profile iam list-user-policies --user-name enumUse<code data-enlighter-language=\"json\" class=\"EnlighterJSRAW\"><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check access:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aws --profile enumUser s3 ls $bucket<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If there is access denied: Edit the pol\u00adi\u00adcy file, incre\u00adment the num\u00adber, set the pol\u00adi\u00adcy file, check access again. Repeat.<\/li>\n\n\n\n<li>If there is no access denied: You\u2019ve found one dig\u00adit of the account Id. Repeat with the next&nbsp;digit.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">s3recon<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Scan for pub\u00adlic buck\u00adets: (<a href=\"https:\/\/raw.githubusercontent.com\/aljazceru\/s3-bucket-scanner\/master\/wordlist.txt\">Pos\u00adsi\u00adble wordlist<\/a>)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">s3recon wordlist.txt -o \"results.json\" --public<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">cloud_enum<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4380\" data-type=\"post\" data-id=\"4380\">See Cloud enu\u00admer\u00ada\u00adtion&nbsp;post<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/clarketm\/s3recon\">Buck\u00adet finder<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/andresriancho\/nimbostratus\">Fin\u00adger\u00adprint\u00ading and exploit\u00ading <span class=\"caps\">AWS<\/span> infrastructure<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/aljazceru\/s3-bucket-scanner\"><span class=\"caps\">S3<\/span> Buck\u00adet scanner<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/michenriksen\/bucketlist\">buck\u00adetlist<\/a><\/li>\n\n\n\n<li>https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Methodology%20and%20Resources\/Cloud%20-%<span class=\"caps\">20AWS<\/span>%20Pentest.md <\/li>\n\n\n\n<li>https:\/\/six2dez.gitbook.io\/pentest-book\/enumeration\/cloud\/aws<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Use pro\u00adfiles: See https:\/\/github.com\/eon01\/AWS-CheatSheet for many com\u00admands or https:\/\/swisskyrepo.github.io\/InternalAllTheThings\/cloud\/aws\/aws-access-token\/ Gen\u00ader\u00adal Get Infos of the cur\u00adrent used pro\u00adfile aws [\u2013pro\u00adfile $pro\u00adfile] sts get-caller-iden\u00adti\u00adty Anoth\u00ader pos\u00adsi\u00adbil\u00adi\u00adty to gain an <span class=\"caps\">ARN<\/span> (with account id) is to call a non-exist\u00ading func\u00adtion and to extract data from the error mes\u00adsage. <span class=\"caps\">EC2<\/span> List all <span class=\"caps\">EC2<\/span> images =&nbsp;<span class=\"caps\">AMI<\/span>\u2019s: aws [\u2013pro\u00adfile $pro\u00adfile]&nbsp;ec2&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[287,288,289],"class_list":["post-1715","post","type-post","status-publish","format-standard","hentry","category-general","tag-aws","tag-dynamodb","tag-nimbostratus"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1715","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1715"}],"version-history":[{"count":35,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1715\/revisions"}],"predecessor-version":[{"id":4879,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1715\/revisions\/4879"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1715"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1715"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1715"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}