killchain-compendium/Enumeration/AWS.md

# AWS S3 Enumeration
## Usage
* [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions)
* `--region`
### Simple Storage Service (S3)
* [S3](https://aws.amazon.com/s3/)
* Methods of access control are as follows
  * [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
  * [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
* The URL scheme is
```sh
http://<bucketname>.s3.amazonaws.com/file.name
```
or
```sh
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
```
* __List the content of a public bucket via__
```sh
aws s3 ls s3://<bucketname>/ --no-sign-request
```
* Download with `curl`, `wget` or the `s3` cli, e.g.
```sh
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
```
#### ACL
* `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key
## IAM
* Not necessarily used by s3
* Access key ID, starts with `AKIA` + 20 chars
* Secret access key
* Session token, `ASIA` + sessionToken
* Add credentials to profile via
```sh
aws configure --profile PROFILENAME
```
* Config and credentials are stored at `~/.aws`
* Sanity test profile via
```sh
aws s3 ls --profile PROFILENAME
```
* Find the account ID belonging to an access key
```sh
aws sts get-access-key-info --access-key-id AKIAEXAMPLE
```
* Find the username belonging to an access key
```sh
aws sts get-caller-identity --profile PROFILENAME
```
* Listing EC2 instances of an account
```sh
aws ec2 describe-instances --output text --profile PROFILENAME
```
* In another region
```sh
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
```
### AWS ARN
* The unique ID is created via the following scheme
```sh
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
```
### Secrets
```sh
aws secretsmanager help
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id <Name> --region <region>
```
## Check Permissions on S3 Bucket
* Send a `PUT` request to see whether the bucket is writeable, i.e. whether a file can be uploaded, via
```sh
curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions"
```
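
For a bucket you own, the `Anyone` and `AuthenticatedUsers` grants from the ACL section, and the write exposure the `PUT` check probes for, can be read directly from the bucket ACL. The following is an added example, not part of the original notes: it audits JSON in the shape returned by `aws s3api get-bucket-acl` (the sample ACL is constructed; `audit_bucket_acl` and the other names are hypothetical).

```python
import json

# Predefined S3 groups behind the `Anyone` and `AuthenticatedUsers` grantees.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# What each ACL permission lets the grantee do when set on a bucket.
EFFECT = {
    "READ": "list objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list, write, and read/rewrite the ACL",
}
WRITABLE = {"WRITE", "FULL_CONTROL"}  # permissions under which a PUT would succeed

def audit_bucket_acl(acl_json: str) -> list:
    """Return one finding per grant that exposes the bucket to a public group."""
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        # Only Group grantees carry a URI; CanonicalUser grants are named accounts.
        group = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") != "Group" or group is None:
            continue
        perm = grant.get("Permission", "")
        findings.append({"grantee": group, "permission": perm,
                         "effect": EFFECT.get(perm, "unknown permission"),
                         "writable": perm in WRITABLE})
    return findings

# Constructed sample in the shape of `aws s3api get-bucket-acl` output.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
    ],
})

if __name__ == "__main__":
    for f in audit_bucket_acl(SAMPLE_ACL):
        flag = "WRITABLE" if f["writable"] else "readable"
        print(f"[{flag}] {f['grantee']} has {f['permission']}: can {f['effect']}")
```

Bucket policies are evaluated separately from ACLs, so an empty result here says nothing about access granted by a policy.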