added details for VPN

Enumeration/AWS.md

@@ -454,25 +454,136 @@ curl -H "X-aws-ec2-metadata-token: $AWS_CONTAINER_AUTHORIZATION_TOKEN" $AWS_CONT
 
 ### Virtual Private Cloud (VPC)
 
-Is a logic network segementation method using its own IP address range.
-Contains EC2 VMs and has an Internet gateway if needed. The
-gateway can be either just ingress, egress, or both. EC2 can use elastic IP
-addresses to provide Ingress. A Gateway Load Balancer can be used to do traffic inspection.
+Is a logic network segementation method using its own IP address range. It is a
+software defined network.
+
+A VPC ID starts with `vpc-` and had a length of 8 characters, since 2018 it has
+a length of 17 characters.
 
 A VPC is part of the EC2 namespace `ec2:CreateVPC`
 
-To connect to a VPC, it does not need to be exposed to the Internet. It is
-accessible through various connection services like Direct Connect or
-PrivateLink.
-
-VPCs can have multiple subnets, they use host infrastructure components like
-DHCP, NTP and DNS provided by AWS.
+VPC is a regional service. VPCs can have multiple subnets bound to a single AZ,
+they use host infrastructure components like DHCP, NTP and DNS provided by AWS.
 
 NTP can be found under 169.254.169.123. The DNS resolver `Route 53` can be
 found under 169.254.169.253. Microsoft's KMS service can be at 169.254.169.250
 and 169.254.169.251.
 
-#### Metadata Service
+VPCs have ARP only for compatibility but do not need them. Therefore, ARP
+poisoning is not an option.
+
+Resources inside a VPC have an Elastic Network Interface, a public IP is bound
+to such a network interface. ENIs nside a VPC are secured by ACL and Security
+Groups. Other services are secured by IAM.
+
+List available network interfaces with a specific IP address via aws cli.
+
+```sh
+aws ec2 describe-network-interfaces | \
+jq '.Networkinterfaces[] | select(.PrivateIpAddress == "10.100.47.11")'
+```
+
+#### VPC & Subnet Routing
+
+A VPC Contains EC2 VMs and has an Internet gateway (router) if needed.
+There are private gateways VPN Gateway (VGW) and Internet Gateways
+The gateway can be either just ingress, egress, or both.
+To connect to a VPC, it does not need to be exposed to the Internet. It is
+accessible through various connection services like Direct Connect or
+PrivateLink.
+
+A subnet is connected to a NAT gateway, which then connects to a VGW or
+Internet Gateway. If no explicit routing table is selected for a subnet, it
+will inherit the main routing table. The routing table sets the availability of
+the subnet in regards to the Internet Gateway. Routing of the Internet Gateway
+is a separate rule.
+
+Routes can be set on groupis of CIDR blocks, which are named [Managed Prefix
+Lists](https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html).
+A prefix list controls access to public IP addresses as well.
+
+Describe the prefix lists via aws cli.
+
+```sh
+aws ec2 describe-prefix-lists
+```
+
+#### Network Access Control Lists (NACLs)
+
+NACLs are logical, stateless firewalls for entire subnets. Inbound & Outbound
+traffic have to be authorized by `Allow` and `Deny`. Rules are processed
+procedural, a `Deny` does not override an `Allow`. Default NACL is `Deny All`.
+
+![EffectivePermissionsShort](./include/EffectivePermissionsShort.png)
+
+#### Security Groups
+
+Security Groups are stateful and get attached to resources like EC2 or Database
+services through selecting IP address(ranges) or other Security Groups, protocol
+and port(ranges). Security Groups works with `Allow` only and separates Ingress
+& Egress.
+
+#### VPC Endpoints
+
+VPC Endpoints connect a VPC with an outside service. The route is set through a
+table of CIDRs or Managed Prefix Lists.
+
+An attacker may add VPC endpoints to exfiltrate data to S3 buckets under his control.
+
+List available endpoints via aws cli.
+
+```sh
+aws ec2 describe-vpc-endpoints
+```
+
+After listing the endpoints take a look at the routing tables via aws cli.
+
+```sh
+aws ec2 describe-route-tables --route-table-ids <routeTableId>
+```
+
+#### Private Link
+
+Private Link is a network interface (ENI) which can be used from the outside
+without a direct connection to the Internet.
+
+#### VPC & DNS
+
+Besides Route53, which is available through 169.254.169.253, there is a DNS
+server in every VPC. It is located at the gateway IP address + 1.
+
+#### VPC & Monitoring
+
+VPC Flogs log the headers of the packets inside the network traffic. These logs
+can be send to CloudWatch or a simple S3 bucket.
+
+VPC Traffic Mirroring is used for Deep Packet Inspection (DPI) through
+mirroring the traffic along a L3 route.
+
+DNS logs are sent to the Cloud Watch Logging in the group named "VPCResolverLogs"
+
+Amazon Guard Duty is used for threat detection and uses Flow & DNS logs.
+
+### VPC Connections
+
+Connect the VPC to on-prem via Direct Connect through a dedicated link. Needs a
+routing table.
+
+Site to Site VPN leverages an IPSec connection through a configured customer
+gateway instead of a dedicated link, which is cheaper. The customer gateway is
+linked to the VGW. Needs a routing table.
+
+VPC Peering connects VPCs of different accounts and regions. Useful for
+disaster recovery. Needs an entry in each routing table. A network connection
+is always a stub, no connection to third networks through a hop over another
+one.
+
+Transit Gateway allows multiple hops between VPCs through other VPCs.
+
+Client VPN is a simple VPN connection to the VPCs of an AWS account in use
+leveraging MFA authentication.
+
+### Metadata Service
 
 The instance (Openstack) Metadata service can be found under 169.254.169.254.
 It can be used
@@ -618,6 +729,7 @@ Use the aws cli to store data from a bucket locally.
 
 ```sh
 aws s3 sync --no-sign-request s3://<bucket-name> .
+```
 
 #### Check Permissions of a bucket
 
@@ -639,7 +751,6 @@ Download via `curl`, `wget` or `s3` cli via
 aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
 ```
 
-
 ### Lambda
 
 Execute a lambda function via aws cli.
@@ -700,6 +811,9 @@ Deploy service instances of Virtual machines inside a VPC.
 Deployment EC2 instances into 26 regions. Supports multiple OSs.
 On-demand billing.
 
+EC2 can use elastic IP addresses to provide Ingress.
+A Gateway Load Balancer can be used to do traffic inspection.
+
 #### Enumerate EC2 Instances
 
 List EC2 instances in the account via aws cli.
@@ -970,7 +1084,7 @@ aws ec2 run-instances --image-id <ImageIdOfGeneratedAMI> --instance-type t3a.mic
 
 Take a look at the EC2 dashboard inside the webconsole to see the IP address of the created EC2 instance. Connect to the VM via SSH, using the generated keypair.
 
-#### Elastic Loadbalancer (ELB)
+### Elastic Loadbalancer (ELB)
 
 * The AutoScaling Group (ASG) scales down the oldest instance.
 * Only the Loadbalancer gets exposed, not the EC2 VMs.