added more details

This commit is contained in:
gurkenhabicht 2024-02-11 18:44:48 +01:00
parent 62c04caf12
commit 288131e103
1 changed files with 150 additions and 64 deletions


@ -11,69 +11,49 @@ also valid in other regions. Global STS are only valid in default regions.
In aws cli, [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) go the cli argument `--region` In aws cli, [Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-segions) go the cli argument `--region`
## Simple Storage Service (S3)
[S3](https://aws.amazon.com/s3/) is an object storage without volume limits.
The names of buckets are unique and the namespace of buckets is global but they
are stored regionally.
Methods of access control are as follows
1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
The aws cli scheme is
```sh
http://<bucketname>.s3.amazonaws.com/file.name
```
or
```sh
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
```
### Check Permissions of a bucket
Do a `PUT` method to see if the bucket may be writeable to upload a file via
```sh
curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions"
```
### List content of public bucket via
```sh
aws s3 ls s3://<bucketname>/ --no-sign-request
```
Download via `curl`, `wget` or `s3` cli via
```sh
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
```
### ACL
If the ACL is set to
* `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key
## Identity Access Management (IAM) ## Identity Access Management (IAM)
Permissions are granted directly through IAM identities (IAM Principals) inside Permissions are granted directly through IAM identities (IAM Principals) inside
an AWS account or indirectly through an AWS account or indirectly through
roles the user has joined. groups and roles the principal (user or service) has joined.
```sh
aws iam list-users
```
<img src="./include/iam-intro-users-and-groups.diagram.png" alt="Policy evaluation" width="auto" height="auto"> <img src="./include/iam-intro-users-and-groups.diagram.png" alt="Policy evaluation" width="auto" height="auto">
Users can be put into groups instead of direct role assignment, to specify
permissions for a collection of users.
```sh
aws iam list-groups
```
Roles can be assumed by other trusted users through policies. Assumed roles are
needed, so that aws support has access to some resources or external identity Provider (idP) is
connected to AWS SSO as a part of federated access. E.g. the Role for support is `AWSServiceRoleForSupport`.
```sh
aws iam list-roles
```
Gaining access to important roles like maintenance opens the door to higher permissions. Gaining access to important roles like maintenance opens the door to higher permissions.
An always unique AWS Account ID has a length of 12 digits.
Services use resources bound to the IAM inside the account. The scheme for
services is `<servicename>amazonaws.com`. Services, as trusted enitites, assume
roles to gain permissions.
A `*` represents every principal. Set the `*` to make an instance of a service
public through the Internet.
The IAM is not necessarily used by S3. AK/SK is sufficient for authentication The IAM is not necessarily used by S3. AK/SK is sufficient for authentication
and authorization. and authorization.
* An AWS unqiue Account ID has a length of 12 digits.
* Access key ID, starts with `AKIA` + 20 chars * Access key ID, starts with `AKIA` + 20 chars
* Secret access key (SK) * Secret access key (SK)
* Session token, `ASIA` + sessionToken * Session token, `ASIA` + sessionToken
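Review bot: the unchanged Regions link in the context at the top of this hunk points at the anchor `#concepts-available-segions`, which looks like a typo for `#concepts-available-regions`, and the sentence has no verb ("go the cli argument `--region`" should read "are passed via the cli argument `--region`"); both are worth fixing while this section is being reworked. In the new IAM text, "groups and roles the principal (user or service) has joined" conflates two different things: principals are members of groups but assume roles, which is what the later sentence "Services, as trusted enitites, assume roles" relies on. The service principal scheme `<servicename>amazonaws.com` is missing the dot (`ec2.amazonaws.com`, `support.amazonaws.com`), and the 12-digit account-ID fact now appears both in the new paragraph and in the AK/SK bullet list below it; keep one. Typos: `enitites`, `idP` (IdP), `unqiue`.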
@ -83,32 +63,72 @@ and authorization.
### Root Accounts ### Root Accounts
Every AWS account has a single root account bound to an email address. This Every AWS account has a single root account bound to an email address, which is
account has got the all privileges over the account. A root account has MFA also the username. This account has got the all privileges over the account. A
disabled by default. Has all permissions except Organizational Service Control Policies. root account has MFA disabled by default.
It has all permissions except Organizational Service Control Policies.
The account is susceptible to an attack if the mail address is accessible but The account is susceptible to an attack if the mail address is accessible but
MFA is not activated. MFA is not activated.
The email address of the root account, which is called `MasterAccountEmail` can
be found as member of an AWS Organization
```sh
aws organizations describe-organization
```
If the MFA is not set, it is an opportunity for a password reset attack when If the MFA is not set, it is an opportunity for a password reset attack when
the account the vulnerable root belongs to is part of an AWS Organization. the account the vulnerable root belongs to is part of an AWS Organization.
If the email address is also linked to an Amazon retail account and it is
shared between people, everyone has full root access.
### (User) Policies ### (User) Policies
After authentication of a user (or principal) policies of the account are Policies are an authorization measurement. After authentication of a user (or
checked if the request is allowed. principal) policies of the account are checked if the request is allowed.
Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). A policy may also be attached to a resource. Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html).
A policy may also be attached to a resource.
```sh
aws iam get-policy
```
Policy details consists of the following [example](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html)
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}
]
}
```
The following graph is taken from the documentation, it shows the evaluation The following graph is taken from the documentation, it shows the evaluation
logic inside an account logic inside an account
<img src="./include/PolicyEvaluationHorizontal111621.png" alt="Policy evaluation" width="80%" height="auto"> <img src="./include/PolicyEvaluationHorizontal111621.png" alt="Policy evaluation" width="80%" height="auto">
A principal can have multiple policies attached.
Policies like `assume-role` and `switch-role` can lead to the gain of roles Policies like `assume-role` and `switch-role` can lead to the gain of roles
with higher permissions with higher permissions
## AWS Organizations A `*` inside a policy represents every principal. Set the `*` to make an instance of a service
public through the Internet.
Administrator access policies can be queried to see who has elevated permissions.
```sh
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --version-id v1
```
### AWS Organizations
An organization is a tree structure, made out of a single root account and An organization is a tree structure, made out of a single root account and
Organizational Units (UOs). UOs can have children UOs. AN UO may contain Organizational Units (UOs). UOs can have children UOs. AN UO may contain
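Review bot: the bare `aws iam get-policy` fails, because `--policy-arn` is a required argument; the later `AdministratorAccess` block shows the correct form, so either drop the bare call or give it an ARN. That later block also does not answer the question it is introduced with ("see who has elevated permissions"): `get-policy` and `get-policy-version` return the policy document and an attachment count, not the principals. `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess` lists the users, groups and roles the policy is attached to, and the `DefaultVersionId` field from `get-policy` should be used instead of hard-coding `v1`. Smaller points: "Policies are an authorization measurement" should read "mechanism"; "A `*` inside a policy represents every principal" is only true in the `Principal` element, in `Action` or `Resource` it matches every action or resource, so write `"Principal": "*"` explicitly; `assume-role` and `switch-role` are an STS action (`sts:AssumeRole`) and a console feature rather than policies; and "Organizational Units (UOs)" should be "OUs".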
@ -129,11 +149,20 @@ every account inside the organization. This SCP allows subscription to all AWS
services. An account can have 5 SCPs at max. Limiting SCPs do not apply to the services. An account can have 5 SCPs at max. Limiting SCPs do not apply to the
management account itself. management account itself.
## User Provisioning ### User Provisioning and Login
When using the cli command, the aws configuration and credentials are stored at `~/.aws` When using the cli command, the aws configuration and credentials are stored at `~/.aws`
[The
documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html)
show how to setup the user login.
Add credentials to profile via Add the credentials to the default plugin via
```sh
aws configure
```
Add credentials to a profile which is not default via
```sh ```sh
aws configure --profile PROFILENAME aws configure --profile PROFILENAME
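Review bot: "Add the credentials to the default plugin via" should say "default profile": `aws configure` without `--profile` writes the `[default]` section of `~/.aws/credentials` and `~/.aws/config`, which is exactly what the following `--profile PROFILENAME` variant is contrasted with. Also "The documentation ... show how to setup" should read "shows how to set up".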
@ -142,6 +171,7 @@ aws configure --profile PROFILENAME
Sanity test a profile through checking its existance via Sanity test a profile through checking its existance via
```sh ```sh
aws iam list-users
aws s3 ls --profile PROFILENAME aws s3 ls --profile PROFILENAME
``` ```
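Review bot: the added `aws iam list-users` line does not test PROFILENAME at all, since it carries no `--profile` flag and therefore runs against the default profile; it also requires `iam:ListUsers`, which many roles and keys lack, so a failure does not tell you whether the credentials are bad or merely unprivileged. `aws sts get-caller-identity --profile PROFILENAME` needs no IAM permissions and returns the account ID and ARN the credentials resolve to, which is the better existence check; `aws s3 ls` has the same limitation as `list-users` because it needs `s3:ListAllMyBuckets`. Typo in the lead sentence: "existance".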
@ -177,7 +207,7 @@ aws secretsmanager list-secrets
ws secretsmanager get-secret-value --secret-id <Name> --region <region> ws secretsmanager get-secret-value --secret-id <Name> --region <region>
``` ```
## Amazon Resource Name (ARN) ### Amazon Resource Name (ARN)
The [ARN](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) The [ARN](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html)
is a unique ID which identifies resources. is a unique ID which identifies resources.
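Review bot: the unchanged context line `ws secretsmanager get-secret-value --secret-id <Name> --region <region>` is missing the leading `a` of `aws`; worth fixing while the heading level is being changed in this hunk, since the snippet will be copied as-is.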
@ -188,13 +218,21 @@ A Unique ID is create through the following scheme
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name> arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
``` ```
## Virtual Private Cloud (VPC) ## Services
An [action on an
API](https://docs.aws.amazon.com/service-authorization-/latest/reference/reference_policies_actions-resources-contextkeys.html)
of a service is structured like `<servicename>:<APICall>`.
### Virtual Private Cloud (VPC)
Is a logic network segementation method using its own IP address range. Is a logic network segementation method using its own IP address range.
Contains resources like VMs (EC2) and has an Internet gateway if needed. The Contains EC2 VMs and has an Internet gateway if needed. The
gateway can be either just ingress, egress, or both. EC2 can use elastic IP gateway can be either just ingress, egress, or both. EC2 can use elastic IP
addresses to provide Ingress. A Gateway Load Balancer can be used to do traffic inspection. addresses to provide Ingress. A Gateway Load Balancer can be used to do traffic inspection.
A VPC is part of the EC2 namespace `ec2:CreateVPC`
To connect to a VPC, it does not need to be exposed to the Internet. It is To connect to a VPC, it does not need to be exposed to the Internet. It is
accessible through various connection services like Direct Connect or accessible through various connection services like Direct Connect or
PrivateLink. PrivateLink.
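Review bot: the new service-authorization link has a stray hyphen in the path (`service-authorization-/latest/`); the reference lives under `service-authorization/latest/reference/`. In the action example, the canonical name is `ec2:CreateVpc`: IAM matches action names case-insensitively, so `ec2:CreateVPC` works inside a policy, but the service reference and CloudTrail's `eventName` use `CreateVpc`, which matters when grepping logs. Narrowing "Contains resources like VMs (EC2)" to "Contains EC2 VMs" loses information, since a VPC also hosts RDS instances, load balancers, Lambda ENIs and other resources, and that is what makes VPC boundaries relevant for lateral movement. Typo in context: "segementation".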
@ -206,7 +244,7 @@ NTP can be found under 169.254.169.123. The DNS resolver `Route 53` can be
found under 169.254.169.253. Microsoft's KMS service can be at 169.254.169.250 found under 169.254.169.253. Microsoft's KMS service can be at 169.254.169.250
and 169.254.169.251. and 169.254.169.251.
### Metadata Service #### Metadata Service
The instance (Openstack) Metadata service can be found under 169.254.169.254. The instance (Openstack) Metadata service can be found under 169.254.169.254.
It can be used It can be used
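Review bot: beyond the heading-level change, the context line "The instance (Openstack) Metadata service" is misleading on an AWS page: 169.254.169.254 here is the EC2 Instance Metadata Service (IMDS); OpenStack happens to use the same address for its own, unrelated service. Name IMDS here and state whether the notes that follow assume IMDSv1 (a plain GET) or IMDSv2 (a PUT to `/latest/api/token` first, then the token in `X-aws-ec2-metadata-token`), because that decides whether a simple SSRF reaches the credentials endpoint.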
@ -256,3 +294,51 @@ aws_secret_access_key = UeEevJGByhEXAMPLEKEYEXAMPLEKEY
aws_session_token = TQijaZw== aws_session_token = TQijaZw==
``` ```
### Simple Storage Service (S3)
[S3](https://aws.amazon.com/s3/) is an object storage without volume limits.
The names of buckets are unique and the namespace of buckets is global but they
are stored regionally.
Methods of access control are as follows
1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
The aws cli scheme is
```sh
http://<bucketname>.s3.amazonaws.com/file.name
```
or
```sh
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
```
#### Check Permissions of a bucket
Do a `PUT` method to see if the bucket may be writeable to upload a file via
```sh
curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions"
```
#### List content of public bucket via
```sh
aws s3 ls s3://<bucketname>/ --no-sign-request
```
Download via `curl`, `wget` or `s3` cli via
```sh
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
```
#### ACL
If the ACL is set to
* `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key
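Review bot: the moved S3 section carries over two inaccuracies that should be fixed while it is being relocated. "The aws cli scheme is" introduces HTTP URLs, not CLI syntax: the first form is the virtual-hosted-style address and the second the legacy path-style one, and path-style `http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext` only resolves for buckets in us-east-1; buckets elsewhere need `https://<bucketname>.s3.<region>.amazonaws.com/`, and both forms should use `https://`. The `curl -vvv -X PUT` check writes an object into a bucket you may not own, so the text should say that a 200 on the PUT is the finding and that the test object is to be removed afterwards (`aws s3 rm s3://<bucketname>/<key>`). Under "ACL", `AuthenticatedUsers` is the predefined group meaning any AWS account in the world, not users of the target account, so a grant to it is effectively public to anyone with a free AWS account; the bullets should state that `--no-sign-request` covers the `Anyone` (AllUsers) case while a signed request from any account covers `AuthenticatedUsers`.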