added details for VPN

This commit is contained in:
gurkenhabicht 2024-02-20 23:16:15 +01:00
parent bb8df3b3d0
commit 05da866d3f
2 changed files with 127 additions and 13 deletions


@ -454,25 +454,136 @@ curl -H "X-aws-ec2-metadata-token: $AWS_CONTAINER_AUTHORIZATION_TOKEN" $AWS_CONT
### Virtual Private Cloud (VPC) ### Virtual Private Cloud (VPC)
Is a logic network segementation method using its own IP address range. Is a logic network segementation method using its own IP address range. It is a
Contains EC2 VMs and has an Internet gateway if needed. The software defined network.
gateway can be either just ingress, egress, or both. EC2 can use elastic IP
addresses to provide Ingress. A Gateway Load Balancer can be used to do traffic inspection. A VPC ID starts with `vpc-` and had a length of 8 characters, since 2018 it has
a length of 17 characters.
A VPC is part of the EC2 namespace `ec2:CreateVPC` A VPC is part of the EC2 namespace `ec2:CreateVPC`
To connect to a VPC, it does not need to be exposed to the Internet. It is VPC is a regional service. VPCs can have multiple subnets bound to a single AZ,
accessible through various connection services like Direct Connect or they use host infrastructure components like DHCP, NTP and DNS provided by AWS.
PrivateLink.
VPCs can have multiple subnets, they use host infrastructure components like
DHCP, NTP and DNS provided by AWS.
NTP can be found under 169.254.169.123. The DNS resolver `Route 53` can be NTP can be found under 169.254.169.123. The DNS resolver `Route 53` can be
found under 169.254.169.253. Microsoft's KMS service can be at 169.254.169.250 found under 169.254.169.253. Microsoft's KMS service can be at 169.254.169.250
and 169.254.169.251. and 169.254.169.251.
#### Metadata Service VPCs have ARP only for compatibility but do not need them. Therefore, ARP
poisoning is not an option.
Resources inside a VPC have an Elastic Network Interface, a public IP is bound
to such a network interface. ENIs nside a VPC are secured by ACL and Security
Groups. Other services are secured by IAM.
List available network interfaces with a specific IP address via aws cli.
```sh
aws ec2 describe-network-interfaces | \
jq '.Networkinterfaces[] | select(.PrivateIpAddress == "10.100.47.11")'
```
#### VPC & Subnet Routing
A VPC Contains EC2 VMs and has an Internet gateway (router) if needed.
There are private gateways VPN Gateway (VGW) and Internet Gateways
The gateway can be either just ingress, egress, or both.
To connect to a VPC, it does not need to be exposed to the Internet. It is
accessible through various connection services like Direct Connect or
PrivateLink.
A subnet is connected to a NAT gateway, which then connects to a VGW or
Internet Gateway. If no explicit routing table is selected for a subnet, it
will inherit the main routing table. The routing table sets the availability of
the subnet in regards to the Internet Gateway. Routing of the Internet Gateway
is a separate rule.
Routes can be set on groupis of CIDR blocks, which are named [Managed Prefix
Lists](https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html).
A prefix list controls access to public IP addresses as well.
Describe the prefix lists via aws cli.
```sh
aws ec2 describe-prefix-lists
```
#### Network Access Control Lists (NACLs)
NACLs are logical, stateless firewalls for entire subnets. Inbound & Outbound
traffic have to be authorized by `Allow` and `Deny`. Rules are processed
procedural, a `Deny` does not override an `Allow`. Default NACL is `Deny All`.
![EffectivePermissionsShort](./include/EffectivePermissionsShort.png)
#### Security Groups
Security Groups are stateful and get attached to resources like EC2 or Database
services through selecting IP address(ranges) or other Security Groups, protocol
and port(ranges). Security Groups works with `Allow` only and separates Ingress
& Egress.
#### VPC Endpoints
VPC Endpoints connect a VPC with an outside service. The route is set through a
table of CIDRs or Managed Prefix Lists.
An attacker may add VPC endpoints to exfiltrate data to S3 buckets under his control.
List available endpoints via aws cli.
```sh
aws ec2 describe-vpc-endpoints
```
After listing the endpoints take a look at the routing tables via aws cli.
```sh
aws ec2 describe-route-tables --route-table-ids <routeTableId>
```
#### Private Link
Private Link is a network interface (ENI) which can be used from the outside
without a direct connection to the Internet.
#### VPC & DNS
Besides Route53, which is available through 169.254.169.253, there is a DNS
server in every VPC. It is located at the gateway IP address + 1.
#### VPC & Monitoring
VPC Flogs log the headers of the packets inside the network traffic. These logs
can be send to CloudWatch or a simple S3 bucket.
VPC Traffic Mirroring is used for Deep Packet Inspection (DPI) through
mirroring the traffic along a L3 route.
DNS logs are sent to the Cloud Watch Logging in the group named "VPCResolverLogs"
Amazon Guard Duty is used for threat detection and uses Flow & DNS logs.
### VPC Connections
Connect the VPC to on-prem via Direct Connect through a dedicated link. Needs a
routing table.
Site to Site VPN leverages an IPSec connection through a configured customer
gateway instead of a dedicated link, which is cheaper. The customer gateway is
linked to the VGW. Needs a routing table.
VPC Peering connects VPCs of different accounts and regions. Useful for
disaster recovery. Needs an entry in each routing table. A network connection
is always a stub, no connection to third networks through a hop over another
one.
Transit Gateway allows multiple hops between VPCs through other VPCs.
Client VPN is a simple VPN connection to the VPCs of an AWS account in use
leveraging MFA authentication.
### Metadata Service
The instance (Openstack) Metadata service can be found under 169.254.169.254. The instance (Openstack) Metadata service can be found under 169.254.169.254.
It can be used It can be used
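Review bot: the jq filter in the `describe-network-interfaces` example uses `.Networkinterfaces[]`, but the AWS CLI emits the key as `NetworkInterfaces` (capital I); jq keys are case-sensitive, so this selects nothing. Change it to `jq '.NetworkInterfaces[] | select(.PrivateIpAddress == "10.100.47.11")'`. In the NACL paragraph, "Default NACL is `Deny All`" conflates two cases: the default NACL created with a VPC allows all inbound and outbound traffic, while a newly created custom NACL denies everything until rules are added; rules are evaluated in ascending rule-number order with the first match winning, which is what "a `Deny` does not override an `Allow`" is trying to say, so state it that way. "A subnet is connected to a NAT gateway, which then connects to a VGW or Internet Gateway" only describes private subnets; a public subnet's route table points at the Internet Gateway directly. Spelling: "segementation", "nside", "groupis", "VPC Flogs" (Flow Logs), "can be send" (sent), and "Cloud Watch" vs "CloudWatch".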
@ -618,6 +729,7 @@ Use the aws cli to store data from a bucket locally.
```sh ```sh
aws s3 sync --no-sign-request s3://<bucket-name> . aws s3 sync --no-sign-request s3://<bucket-name> .
```
#### Check Permissions of a bucket #### Check Permissions of a bucket
@ -639,7 +751,6 @@ Download via `curl`, `wget` or `s3` cli via
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
``` ```
### Lambda ### Lambda
Execute a lambda function via aws cli. Execute a lambda function via aws cli.
@ -700,6 +811,9 @@ Deploy service instances of Virtual machines inside a VPC.
Deployment EC2 instances into 26 regions. Supports multiple OSs. Deployment EC2 instances into 26 regions. Supports multiple OSs.
On-demand billing. On-demand billing.
EC2 can use elastic IP addresses to provide Ingress.
A Gateway Load Balancer can be used to do traffic inspection.
#### Enumerate EC2 Instances #### Enumerate EC2 Instances
List EC2 instances in the account via aws cli. List EC2 instances in the account via aws cli.
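Review bot: of the two sentences moved here from the VPC section, the Gateway Load Balancer one does not belong under the EC2 deployment paragraph; a Gateway Load Balancer is an ELB variant that steers traffic through inline inspection appliances, so it reads better next to the bullets under the `### Elastic Loadbalancer (ELB)` heading this commit promotes. The elastic IP sentence fits here, though "Ingress" need not be capitalised.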
@ -970,7 +1084,7 @@ aws ec2 run-instances --image-id <ImageIdOfGeneratedAMI> --instance-type t3a.mic
Take a look at the EC2 dashboard inside the webconsole to see the IP address of the created EC2 instance. Connect to the VM via SSH, using the generated keypair. Take a look at the EC2 dashboard inside the webconsole to see the IP address of the created EC2 instance. Connect to the VM via SSH, using the generated keypair.
#### Elastic Loadbalancer (ELB) ### Elastic Loadbalancer (ELB)
* The AutoScaling Group (ASG) scales down the oldest instance. * The AutoScaling Group (ASG) scales down the oldest instance.
* Only the Loadbalancer gets exposed, not the EC2 VMs. * Only the Loadbalancer gets exposed, not the EC2 VMs.
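Review bot: promoting `#### Elastic Loadbalancer (ELB)` to `###` makes it a sibling of the EC2 section instead of a subsection; that matches the `### Metadata Service` promotion earlier in this commit, so fine if intended, but the product name is "Elastic Load Balancer" (two words) and the heading should follow. The first bullet is also worth qualifying: the ASG default termination policy first balances across Availability Zones and prefers the oldest launch template or configuration before it falls back to instance age.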

Binary file not shown.
