whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added details

This commit is contained in:
gurkenhabicht 2024-02-13 23:20:07 +01:00
parent 110acc6fb7
commit 45f98dc1d9
1 changed files with 134 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
Enumeration/AWS.md
View File

@ -49,14 +49,19 @@ roles to gain permissions.
A `*` represents every principal. Set the `*` to make an instance of a service A `*` represents every principal. Set the `*` to make an instance of a service
public through the Internet. public through the Internet.
Identify an unknown accountname by using an access key
```sh
aws sts get-access-key-info --access-key <AKIAkey>
```
The IAM is not necessarily used by S3. AK/SK is sufficient for authentication The IAM is not necessarily used by S3. AK/SK is sufficient for authentication
and authorization. and authorization.
* An AWS unqiue Account ID has a length of 12 digits. * An AWS unqiue Account ID has a length of 12 digits.
* Access key ID, starts with `AKIA` + 20 chars * Longterm Access key ID, starts with `AKIA` + 20 chars
* Secret access key (SK) * Secret access key (SK)
* Session token, `ASIA` + sessionToken * Shortterm Session token, `ASIA` + sessionToken
* AWS Organizations control accounts who joined * AWS Organizations control accounts who joined
* Third party identity providers are supported * Third party identity providers are supported
* IAM identity center of an organization allows provision of accounts from third parties through the AWS SSO * IAM identity center of an organization allows provision of accounts from third parties through the AWS SSO
@ -83,11 +88,15 @@ the account the vulnerable root belongs to is part of an AWS Organization.
If the email address is also linked to an Amazon retail account and it is If the email address is also linked to an Amazon retail account and it is
shared between people, everyone has full root access. shared between people, everyone has full root access.
### (User) Policies ### Principal, Resource & Service Policies
Policies are an authorization measurement. After authentication of a user (or Policies are an authorization measurement. After authentication of a user (or
principal) policies of the account are checked if the request is allowed. principal) policies of the account are checked if the request is allowed.
A policy may also be attached to a resource. Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). There are resource and identity based policies. A policy may also be attached to a resource or (in an organization) a service.
Policy evaluation can be found in
the [AWS
docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html).
There are resource and identity based policies.
```sh ```sh
aws iam get-policy --policy-arn <ARN> aws iam get-policy --policy-arn <ARN>
@ -108,13 +117,27 @@ aws iam get-policy --policy-arn <ARN>
} }
``` ```
Policy enforcement is done via the `Effect` keys and either has `allow` or `deny` keys set in the JSON object. Deny is default. Policy enforcement is done via the `Effect` keys and either has `allow` or
`deny` keys set in the JSON object. Deny is default.
The `Action` keyword contains a Service and an API keyword on on that service in the scheme `<servicename>:<APIKeyword>`. The `Action` keyword contains a Service and an API keyword on on that service
in the scheme `<servicename>:<APIKeyword>`.
The Resource key contains the ARN of the resource the policy is set for. The Resource key contains the ARN of the resource the policy is set for.
The `Principal` key is only set for resource policies and contains the principal who is able to act on the resource. For example a `*` value allows public access. The `Principal` key is only set for resource policies and contains the
principal who is able to act on the resource. For example a `*` value allows
public access.
[Operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) can be used to set conditions [using key value pairs inside policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)
```json
"Condition": {
"IPAddressIfExists": {"aws:SourceIp": ["xxx"] },
"StringEqualsIfExists": {"aws:sourceVpc": ["yyy"]}
}
```
Principals, resources and actions can also be excluded specifically through `NotPrincipal`, `NotResource` and `NotAction`.
The following graph is taken from the documentation, it shows the evaluation The following graph is taken from the documentation, it shows the evaluation
logic inside an account logic inside an account
@ -126,8 +149,14 @@ A principal can have multiple policies attached.
Policies like `assume-role` and `switch-role` can lead to the gain of roles Policies like `assume-role` and `switch-role` can lead to the gain of roles
with higher permissions with higher permissions
A `*` inside a policy represents every principal. Set the `*` to make an instance of a service A `*` inside a "Principal" value represents every principal. Set the `*` to make an instance of a service
public through the Internet. public through the Internet like this
```json
"Principal": {
"AWS": "*"
}
```
Administrator access policies can be queried to see who has elevated permissions. Administrator access policies can be queried to see who has elevated permissions.
@ -195,7 +224,7 @@ Find username to an access key
aws sts get-caller-identity --profile PROFILENAME aws sts get-caller-identity --profile PROFILENAME
``` ```
Listing EC2 instances of an account List EC2 instances of an account
```sh ```sh
aws ec2 describe-instances --output text --profile PROFILENAME aws ec2 describe-instances --output text --profile PROFILENAME
@ -207,12 +236,88 @@ In another region
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
``` ```
### Credentials
User credentials are called profiles on the webUI and console
Password is used by the aws cli tool and queried APIs.
Create a user password via aws cli
```sh
aws iam create-login-profile --user <username> --password <password>
```
Change the password using the aws cli
```sh
aws iam update-login-profile --user <username> --password <password>
```
Take a look at the password policy via aws cli
```sh
aws iam get-account-password-policy
```
### API Access Keys
Longterm, non-expiring Access key ID start with `AKIA` + 20 chars
List the access keys via aws cli.
```sh
aws iam list-access-keys
```
Create an access key via the aws cli.
```sh
aws iam create-access-key --user-name <username>
```
Disable, enable or delete an access key via the aws cli
```sh
aws iam update-access-key --access-key-id <AKIAkey>
aws iam update-access-key --access-key-id <AKIAkey>
aws iam delete-access-key --access-key-id <AKIAkey>
```
Session keys are short term, they expire. A session key start
with `ASIA`.
These are generated by the Security Token Service.
Use aws cli to create a session token through STS.
```sh
aws sts get-session-token
```
Token can be applied to a user as a second factor. If the user is provided by another
federated entity through idP the MFA needs to be provided
through this solution.
List users with MFA enabled via aws cli.
```sh
aws iam list-virtual-mfa-devices
```
You can get the username of an account through the STS service using the access-key
```sh
aws sts get-access-key-info --access-key-id <AKIA-key>
```
### Secrets ### Secrets
Use the secrets manager via
```sh ```sh
aws secretsmanager help aws secretsmanager help
aws secretsmanager list-secrets aws secretsmanager list-secrets
ws secretsmanager get-secret-value --secret-id <Name> --region <region> aws secretsmanager get-secret-value --secret-id <Name> --region <region>
``` ```
### Amazon Resource Name (ARN) ### Amazon Resource Name (ARN)
@ -346,8 +451,10 @@ aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
#### S3 Policies #### S3 Policies
Check which policies are set
```sh ```sh
aws s3api get-bucket-policy --bucket <bucketname>--query Policy --output text aws s3api get-bucket-policy-status --bucket <bucketname>
aws s3api get-bucket-ownership-controls --bucket <bucketname>
``` ```
#### ACL #### ACL
@ -356,3 +463,18 @@ If the ACL is set to
* `Anyone`, just `curl` * `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key * `AuthenticatedUsers`, `s3` cli with aws key
### Lambda
Execute a lambda function
```sh
aws lambda invoke --function-name arn:aws:lambda:<region>:<account_id>:function:<function_name> <arg1>
```
List policies
```sh
aws lambda get-policy --function-name arn:aws:lambda:<region>:<account_id>:function:<function_name> --query Policy --output text | jq .
```