From 288131e103c7ce089a42cb3dc02ec23456404471 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Sun, 11 Feb 2024 18:44:48 +0100 Subject: [PATCH] added more details --- Enumeration/AWS.md | 214 +++++++++++++++++++++++++++++++-------------- 1 file changed, 150 insertions(+), 64 deletions(-) diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 041dfbf..41cc806 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md 
@@ -11,69 +11,49 @@ also valid in other regions. Global STS are only valid in default regions. In aws cli, [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) go the cli argument `--region` -## Simple Storage Service (S3) - -[S3](https://aws.amazon.com/s3/) is an object storage without volume limits. -The names of buckets are unique and the namespace of buckets is global but they -are stored regionally. - - Methods of access control are as follows -1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) -2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html) - -The aws cli scheme is - -```sh -http://.s3.amazonaws.com/file.name -``` - -or - -```sh -http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext -``` - -### Check Permissions of a bucket - -Do a `PUT` method to see if the bucket may be writeable to upload a file via - -```sh -curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions" -``` - -### List content of public bucket via - -```sh -aws s3 ls s3:/// --no-sign-request -``` - -Download via `curl`, `wget` or `s3` cli via - -```sh -aws s3 cp s3:///foo_public.xml . --no-sign-request -``` - -### ACL - -If the ACL is set to - -* `Anyone`, just `curl` -* `AuthenticatedUsers`, `s3` cli with aws key ## Identity Access Management (IAM) Permissions are granted directly through IAM identities (IAM Principals) inside an AWS account or indirectly through -roles the user has joined. +groups and roles the principal (user or service) has joined. + +```sh +aws iam list-users +``` Policy evaluation +Users can be put into groups instead of direct role assignment, to specify +permissions for a collection of users. + + +```sh +aws iam list-groups +``` + +Roles can be assumed by other trusted users through policies. 
Assumed roles are +needed, so that aws support has access to some resources or external identity Provider (idP) is +connected to AWS SSO as a part of federated access. E.g. the Role for support is `AWSServiceRoleForSupport`. + +```sh +aws iam list-roles +``` + Gaining access to important roles like maintenance opens the door to higher permissions. -An always unique AWS Account ID has a length of 12 digits. + +Services use resources bound to the IAM inside the account. The scheme for +services is `amazonaws.com`. Services, as trusted enitites, assume +roles to gain permissions. + +A `*` represents every principal. Set the `*` to make an instance of a service +public through the Internet. + The IAM is not necessarily used by S3. AK/SK is sufficient for authentication and authorization. +* An AWS unqiue Account ID has a length of 12 digits. * Access key ID, starts with `AKIA` + 20 chars * Secret access key (SK) * Session token, `ASIA` + sessionToken 
@@ -83,32 +63,72 @@ and authorization. ### Root Accounts -Every AWS account has a single root account bound to an email address. This -account has got the all privileges over the account. A root account has MFA -disabled by default. Has all permissions except Organizational Service Control Policies. +Every AWS account has a single root account bound to an email address, which is +also the username. This account has got the all privileges over the account. A +root account has MFA disabled by default. +It has all permissions except Organizational Service Control Policies. The account is susceptible to an attack if the mail address is accessible but MFA is not activated. +The email address of the root account, which is called `MasterAccountEmail` can +be found as member of an AWS Organization + +```sh +aws organizations describe-organization +``` If the MFA is not set, it is an opportunity for a password reset attack when the account the vulnerable root belongs to is part of an AWS Organization. +If the email address is also linked to an Amazon retail account and it is +shared between people, everyone has full root access. + ### (User) Policies -After authentication of a user (or principal) policies of the account are -checked if the request is allowed. -Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). -A policy may also be attached to a resource. +Policies are an authorization measurement. After authentication of a user (or +principal) policies of the account are checked if the request is allowed. +A policy may also be attached to a resource. Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). 
+ +```sh +aws iam get-policy +``` + + Policy details consists of the following [example](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "s3:ListAllMyBuckets", + "Resource": "*" + } + ] +} +``` The following graph is taken from the documentation, it shows the evaluation logic inside an account Policy evaluation +A principal can have multiple policies attached. + Policies like `assume-role` and `switch-role` can lead to the gain of roles with higher permissions -## AWS Organizations +A `*` inside a policy represents every principal. Set the `*` to make an instance of a service +public through the Internet. + +Administrator access policies can be queried to see who has elevated permissions. + +```sh +aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess +aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --version-id v1 +``` + +### AWS Organizations An organization is a tree structure, made out of a single root account and Organizational Units (UOs). UOs can have children UOs. AN UO may contain @@ -129,11 +149,20 @@ every account inside the organization. This SCP allows subscription to all AWS services. An account can have 5 SCPs at max. Limiting SCPs do not apply to the management account itself. -## User Provisioning +### User Provisioning and Login When using the cli command, the aws configuration and credentials are stored at `~/.aws` +[The +documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html) +show how to setup the user login. -Add credentials to profile via +Add the credentials to the default plugin via + +```sh +aws configure +``` + +Add credentials to a profile which is not default via ```sh aws configure --profile PROFILENAME 
@@ -142,6 +171,7 @@ aws configure --profile PROFILENAME Sanity test a profile through checking its existance via ```sh +aws iam list-users aws s3 ls --profile PROFILENAME ``` @@ -177,7 +207,7 @@ aws secretsmanager list-secrets ws secretsmanager get-secret-value --secret-id --region ``` -## Amazon Resource Name (ARN) +### Amazon Resource Name (ARN) The [ARN](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) is a unique ID which identifies resources. @@ -188,13 +218,21 @@ A Unique ID is create through the following scheme arn:aws::::/ ``` -## Virtual Private Cloud (VPC) +## Services + +An [action on an +API](https://docs.aws.amazon.com/service-authorization-/latest/reference/reference_policies_actions-resources-contextkeys.html) +of a service is structured like `:`. + +### Virtual Private Cloud (VPC) Is a logic network segementation method using its own IP address range. -Contains resources like VMs (EC2) and has an Internet gateway if needed. The +Contains EC2 VMs and has an Internet gateway if needed. The gateway can be either just ingress, egress, or both. EC2 can use elastic IP addresses to provide Ingress. A Gateway Load Balancer can be used to do traffic inspection. +A VPC is part of the EC2 namespace `ec2:CreateVPC` + To connect to a VPC, it does not need to be exposed to the Internet. It is accessible through various connection services like Direct Connect or PrivateLink. @@ -206,7 +244,7 @@ NTP can be found under 169.254.169.123. The DNS resolver `Route 53` can be found under 169.254.169.253. Microsoft's KMS service can be at 169.254.169.250 and 169.254.169.251. -### Metadata Service +#### Metadata Service The instance (Openstack) Metadata service can be found under 169.254.169.254. It can be used 
@@ -256,3 +294,51 @@ aws_secret_access_key = UeEevJGByhEXAMPLEKEYEXAMPLEKEY aws_session_token = TQijaZw== ``` +### Simple Storage Service (S3) + +[S3](https://aws.amazon.com/s3/) is an object storage without volume limits. +The names of buckets are unique and the namespace of buckets is global but they +are stored regionally. + + Methods of access control are as follows +1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) +2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html) + +The aws cli scheme is + +```sh +http://.s3.amazonaws.com/file.name +``` + +or + +```sh +http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext +``` + +#### Check Permissions of a bucket + +Do a `PUT` method to see if the bucket may be writeable to upload a file via + +```sh +curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions" +``` + +#### List content of public bucket via + +```sh +aws s3 ls s3:/// --no-sign-request +``` + +Download via `curl`, `wget` or `s3` cli via + +```sh +aws s3 cp s3:///foo_public.xml . --no-sign-request +``` + +#### ACL + +If the ACL is set to + +* `Anyone`, just `curl` +* `AuthenticatedUsers`, `s3` cli with aws key
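Review bot: In the first hunk (@@ -11,69 +11,49 @@) the added paragraph "A `*` represents every principal. Set the `*` to make an instance of a service public through the Internet." conflates the IAM principal wildcard with network exposure, and the same paragraph is added a second time in the (User) Policies section of the next hunk; keep one copy and reword it. `"Principal": "*"` in a resource-based policy (bucket policy, role trust policy) grants the statement to any caller including anonymous ones, but whether the resource is reachable from the Internet is a separate question of the service's network configuration. Also in this hunk: "enitites" should be "entities", "idP" should be "IdP", and the service principal scheme reads as a bare `amazonaws.com` because the placeholder before the dot was lost; write it as e.g. `ec2.amazonaws.com` so the service prefix is visible. In the unchanged bullets just below, "Session token, `ASIA` + sessionToken" is misleading: `ASIA` is the prefix of the temporary access key ID that comes with STS credentials, while the session token is a separate, much longer value.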
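Review bot: In the (User) Policies part of the second hunk (@@ -83,32 +63,72 @@) the bare `aws iam get-policy` will not run, because `--policy-arn` is a required argument; either give it an ARN (the AdministratorAccess one used further down) or, if the intent is discovery, use `aws iam list-policies` or `aws iam list-attached-user-policies --user-name NAME`. The sentence "Administrator access policies can be queried to see who has elevated permissions" is not what the two commands under it do: `get-policy` and `get-policy-version` return the policy metadata and document, not the principals it is attached to; that is `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess`. "A `*` inside a policy represents every principal" sits directly after an example whose only wildcard is `"Resource": "*"`, where it means every resource; say instead that `*` matches everything in whichever element it appears in (Principal, Action, Resource). Minor: "authorization measurement" should be "authorization mechanism", and `MasterAccountEmail` is indeed the field name `describe-organization` returns, but the docs now call it the management account, which is worth a parenthetical.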
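Review bot: In the User Provisioning hunk (@@ -129,11 +149,20 @@) "Add the credentials to the default plugin via" should read "default profile"; `aws configure` without `--profile` writes the `[default]` section of `~/.aws/credentials`, no plugin is involved. Grammar: "[The documentation](...) show how to setup the user login" should be "shows how to set up".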
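Review bot: In the sanity-test hunk (@@ -142,6 +171,7 @@) the added `aws iam list-users` lacks `--profile PROFILENAME`, so it exercises the default profile rather than the one the paragraph says it is checking; add the flag. It also requires `iam:ListUsers`, which assessment credentials often do not have, whereas `aws sts get-caller-identity --profile PROFILENAME` works for any valid credentials and additionally reveals the account ID and principal ARN, so it is the better first sanity check.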
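Review bot: In the ARN heading hunk (@@ -177,7 +207,7 @@) the unchanged context line `ws secretsmanager get-secret-value --secret-id --region` is missing the leading `a` of `aws` and the values for both options; since the surrounding lines are being touched anyway, fix it to `aws secretsmanager get-secret-value --secret-id NAME --region REGION`.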
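Review bot: In the Services hunk (@@ -188,13 +218,21 @@) the link target `docs.aws.amazon.com/service-authorization-/latest/...` has a stray hyphen after `service-authorization` and will not resolve; the Service Authorization Reference lives under `/service-authorization/latest/reference/`. The action-format sentence has lost its placeholders and now reads "structured like `:`"; the intended form is `service:Action`, e.g. `s3:ListBucket`. Changing "Contains resources like VMs (EC2)" to "Contains EC2 VMs" narrows the statement incorrectly: RDS instances, Lambda functions and load balancers also get network interfaces inside a VPC, so the old wording was the better one. Also, the reference spells the action `ec2:CreateVpc`, not `ec2:CreateVPC`.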
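Review bot: In the Metadata Service hunk (@@ -206,7 +244,7 @@) the heading demotion is fine, but the unchanged first line "The instance (Openstack) Metadata service" attributes the service to OpenStack; on AWS this is the Instance Metadata Service (IMDS), and the page should say so since the 169.254.169.254 endpoint and the credential-theft angle discussed below are AWS-specific.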
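Review bot: In the moved S3 section (@@ -256,3 +294,51 @@) the write test `curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions"` targets the bucket URL itself, which is the CreateBucket request and fails for an existing bucket regardless of object write permissions; PUT an object key instead, e.g. `curl -vvv -X PUT "$BUCKET_URL/write-test.txt" --data "..."`, and delete it afterwards. "The aws cli scheme is" introduces two HTTP URL formats, not CLI syntax; call them virtual-hosted style (`https://BUCKETNAME.s3.amazonaws.com/FILENAME.ext`) and path-style, and note that the bucket placeholder is missing from the first URL and from both `s3:///` examples. Under ACL, the public grantee groups are `AllUsers` and `AuthenticatedUsers`, not "Anyone", and `AuthenticatedUsers` means any AWS account's credentials, so a bucket with that grant is effectively public to anyone who signs up. The block is moved verbatim so these can go in a follow-up, but the move under `## Services` is fine.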