whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added details

This commit is contained in:
gurkenhabicht 2024-02-14 17:22:01 +01:00
parent 45f98dc1d9
commit 1f75f615ca
1 changed files with 68 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
Enumeration/AWS.md
View File

@ -2,15 +2,17 @@
## Regions ## Regions
[A list of services by region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) is maintained by AWS [A list of services by
region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/)
is maintained by AWS
There are global and regional services. There are global and regional services.
Watch out for the global and regional __Security Token Service__ (STS) which Watch out for the global and regional __Security Token Service__ (STS) which
provides temporary access to third party identities, since regional STS are provides temporary access to third party identities, since regional STS are
also valid in other regions. Global STS are only valid in default regions. also valid in other regions. Global STS are only valid in default regions.
In aws cli, [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) go the cli argument `--region` In aws cli, [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) got
the cli argument `--region`
## Identity Access Management (IAM) ## Identity Access Management (IAM)
@ -27,14 +29,14 @@ aws iam list-users
Users can be put into groups instead of direct role assignment, to specify Users can be put into groups instead of direct role assignment, to specify
permissions for a collection of users. permissions for a collection of users.
```sh ```sh
aws iam list-groups aws iam list-groups
``` ```
Roles can be assumed by other trusted users through policies. Assumed roles are Roles can be assumed by other trusted users through policies. Assumed roles are
needed, so that aws support has access to some resources or external identity Provider (idP) is needed, so that aws support has access to some resources or external identity
connected to AWS SSO as a part of federated access. E.g. the Role for support is `AWSServiceRoleForSupport`. Provider (idP) is connected to AWS SSO as a part of federated access. E.g. the
Role for support is `AWSServiceRoleForSupport`.
```sh ```sh
aws iam list-roles aws iam list-roles
@ -121,7 +123,9 @@ Policy enforcement is done via the `Effect` keys and either has `allow` or
`deny` keys set in the JSON object. Deny is default. `deny` keys set in the JSON object. Deny is default.
The `Action` keyword contains a Service and an API keyword on on that service The `Action` keyword contains a Service and an API keyword on on that service
in the scheme `<servicename>:<APIKeyword>`. in the scheme `<servicename>:<APIKeyword>`, e.g.
`"Action":["ec2:Get*","ec2:Describe*", "s3:*"]`. See the [Service Authorization
Docs](https://docs.aws.amazon.com/service-authorization/latest/reference/)
The Resource key contains the ARN of the resource the policy is set for. The Resource key contains the ARN of the resource the policy is set for.
@ -129,7 +133,10 @@ The `Principal` key is only set for resource policies and contains the
principal who is able to act on the resource. For example a `*` value allows principal who is able to act on the resource. For example a `*` value allows
public access. public access.
[Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) can be used to set conditions [using key value pairs inside policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) [Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html)
can be used to set conditions [using key value pairs inside
policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)
```json ```json
"Condition": { "Condition": {
"IPAddressIfExists": {"aws:SourceIp": ["xxx"] }, "IPAddressIfExists": {"aws:SourceIp": ["xxx"] },
@ -137,7 +144,8 @@ public access.
} }
``` ```
Principals, resources and actions can also be excluded specifically through `NotPrincipal`, `NotResource` and `NotAction`. Principals, resources and actions can also be excluded specifically through
`NotPrincipal`, `NotResource` and `NotAction`.
The following graph is taken from the documentation, it shows the evaluation The following graph is taken from the documentation, it shows the evaluation
logic inside an account logic inside an account
@ -149,8 +157,8 @@ A principal can have multiple policies attached.
Policies like `assume-role` and `switch-role` can lead to the gain of roles Policies like `assume-role` and `switch-role` can lead to the gain of roles
with higher permissions with higher permissions
A `*` inside a "Principal" value represents every principal. Set the `*` to make an instance of a service A `*` inside a "Principal" value represents every principal. Set the `*` to
public through the Internet like this make an instance of a service public through the Internet like this following rule.
```json ```json
"Principal": { "Principal": {
@ -165,6 +173,21 @@ aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --version-id v1 aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --version-id v1
``` ```
The `AdministratorAccess` policy looks like this
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
```
### AWS Organizations ### AWS Organizations
An organization is a tree structure, made out of a single root account and An organization is a tree structure, made out of a single root account and
@ -310,6 +333,12 @@ You can get the username of an account through the STS service using the access-
aws sts get-access-key-info --access-key-id <AKIA-key> aws sts get-access-key-info --access-key-id <AKIA-key>
``` ```
The session token can be found via the cloudshell through the use of curl.
```sh
curl -H "X-aws-ec2-metadata-token: $AWS_CONTAINER_AUTHORIZATION_TOKEN" $AWS_CONTAINER_CREDENTIALS_FULL_URI
```
### Secrets ### Secrets
Use the secrets manager via Use the secrets manager via
@ -337,6 +366,17 @@ An [action on an
API](https://docs.aws.amazon.com/service-authorization-/latest/reference/reference_policies_actions-resources-contextkeys.html) API](https://docs.aws.amazon.com/service-authorization-/latest/reference/reference_policies_actions-resources-contextkeys.html)
of a service is structured like `<servicename>:<APICall>`. of a service is structured like `<servicename>:<APICall>`.
Session tokens can also be created for services for temporary access of
resources. This can be done through metadata service on an EC2 instance. The
session token and AK/SK are also visible in the environment variables of AWS
Lambda.
The session token can be found via the cloudshell through the use of curl.
```sh
curl -H "X-aws-ec2-metadata-token: $AWS_CONTAINER_AUTHORIZATION_TOKEN" $AWS_CONTAINER_CREDENTIALS_FULL_URI
```
### Virtual Private Cloud (VPC) ### Virtual Private Cloud (VPC)
Is a logic network segementation method using its own IP address range. Is a logic network segementation method using its own IP address range.
@ -362,10 +402,16 @@ and 169.254.169.251.
The instance (Openstack) Metadata service can be found under 169.254.169.254. The instance (Openstack) Metadata service can be found under 169.254.169.254.
It can be used It can be used
to gain information about the EC2 via a GET request to to gain information about the EC2 via a GET request to
http://169.254.169.254/latest/meta-data . `http://169.254.169.254/latest/meta-data`.
The task metadata service can be found at 169.254.170.2 and is used for the The task metadata service can be found at 169.254.170.2 and is used for the
Elastic Container Service (ECS). [Elastic Container Service (ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html)
From inside a container curl can be used to get the credentials
```sh
curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
```
The instance metadata service has been used for information disclosure of The instance metadata service has been used for information disclosure of
security credentials before. security credentials before.
@ -452,6 +498,7 @@ aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
#### S3 Policies #### S3 Policies
Check which policies are set Check which policies are set
```sh ```sh
aws s3api get-bucket-policy-status --bucket <bucketname> aws s3api get-bucket-policy-status --bucket <bucketname>
aws s3api get-bucket-ownership-controls --bucket <bucketname> aws s3api get-bucket-ownership-controls --bucket <bucketname>
@ -466,15 +513,19 @@ If the ACL is set to
### Lambda ### Lambda
Execute a lambda function via aws cli.
Execute a lambda function
```sh ```sh
aws lambda invoke --function-name arn:aws:lambda:<region>:<account_id>:function:<function_name> <arg1> aws lambda invoke \
--function-name arn:aws:lambda:<region>:<account_id>:function:<function_name> <arg1>
``` ```
List policies List policies
```sh ```sh
aws lambda get-policy --function-name arn:aws:lambda:<region>:<account_id>:function:<function_name> --query Policy --output text | jq . aws lambda get-policy \
--function-name arn:aws:lambda:<region>:<account_id>:function:<function_name> \
--query Policy \
--output text \
| jq .
``` ```