diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 70ba617..040f2c6 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md 
@@ -681,9 +681,123 @@ How to find a potentially interesting CloudFront assets domain ### EC2 -Virtual machine service. +Deploy service instances of Virtual machines inside a VPC. +Deployment EC2 instances into 26 regions. Supports multiple OSs. +On-demand billing. -### Restore an Amazon Machine Image +#### Connect to an EC2 Instance + +Connect to the instance using SSH, RDP, SSM, serial console or webconsole. +A keypair is needed to be owned to connect, for eaxmple EC2 Connect uses +temporary keys. Serial Console has be activated by the adminstrator and +the user which will be used to login needs a password set. + +The URL scheme for EC2 Connect through the webconsole is the following. + +```sh +https://console.aws.amazon.com/ec2/v2/connect/$USERNAME/$INSTANCE_ID +``` + +| Method | Network Access needed | Requires Agent | Requires IAM Permissions | ++--------+-----------------------+----------------+--------------------------+ +| SSH/RDP | YES | NO | NO | +| Instance Connect | YES | YES (amazon linux 2) | NO | +| SSM Run Command | No | YES | YES | +| SSM Session Manager | NO | YES | YES | +| Serial Console | No | Password needed | NO | + +Instance Connect and the SSM Session Manager can be used to reset the root +password via `sudo passwd root`. After that it is possible to connect to the +root user, e.g. using serial console or just use `sudo su root` or `su root` directly. + +#### EC2 and IAM + +EC2 instances can use nearly any other service provided by AWS. +There only needs to be access to the credentials. This is can be done through +the Instance MetaData Service (IMDS). The IMDS is available through HTTP on +IP address `169.254.169.254` inside every EC2 instance. + +##### Request Credentials through IMDS + +There are two versions of IMDS in place right now. +Regardless of the version a name of a role needs to be requested through the +IMDS using curl, which is then used to query the token for said role. 
+ +###### Query IMDSv1 Permissions + +Query the name of the role via curl. + +```sh +role_name=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/) +``` + +Through the knowledge of the role name we can request the credentials of that role. + +```sh +curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${role_name} +``` + +##### Query IMDSv2 Permissions + +A token is needed to curl for the name of the role. This is done using curl. + +```sh +TOKEN=$(curl -s -XPUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") +``` + +The token is used to query the name of the role via curl. + +```sh +role_name=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/) +``` + +Both, token and name of the role can then be used to request the credentials +via curl. + +```sh +curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/${role_name} +``` + +PS: +If you want to activate IMDSv2 an instance ID is needed to activate it through aws cli. + +```sh +instance_id=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) +region_name= +aws ec2 modify-instance-metadata-options --instance-id $instance_id --https-tokens required --region $region_name +``` + +#### EC2 & Elastic Network Interface (ENI) + +Every EC2 instance has at least one ENI to be made available on the network. +There is a security group bound to each ENI to limit communication to the EC2 +instance. Such security contain for example which IP addresses can access the +instance, on which ports and which protocols can be used to access it. + +List available ENIs through the webshell of the account. + +```sh +aws ec2 describe-network-interfaces +``` + +#### EC2 & ELastic Block Storage (EBS) + +An EC2 instance has EBS as its set block device, either SSD or HDD. + +EBS storage is persistent, snapshots can be created. 
+In contrast to other storage solutions. These other, ephemeral storage +solutions can not be snapshotted. + +Snapshots can be created from EBSs, which are stored in S3 buckets. +Snapshots can be encrypted through KMS and can be shared accross accounts. + +Snapshots deliver a lot of useful content. List metadata of a snapshot via aws cli. + +```sh +aws ec2 describe-snapshots --snapshot-ids +``` + +#### Restore an Amazon Machine Image An EC2 VM can be created from an Amazon Machine Image, that can be found in some S3 buckets.
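Review bot: The connection-method table in this hunk will not render as a Markdown table, because the separator row is written as `+--------+-----------------------+----------------+--------------------------+`; GFM requires a pipe-delimited row of dashes such as `|--------|-----------------------|----------------|--------------------------|` directly under the header. While there, the heading levels are inconsistent: `###### Query IMDSv1 Permissions` is one level deeper than `##### Query IMDSv2 Permissions`, so the two sibling subsections end up at different depths under `##### Request Credentials through IMDS`; both should use the same level (and both actually query credentials, not permissions, so the titles could say so). Two of the command snippets are incomplete as committed: the IMDSv2 enablement block has `region_name=` with no value and no comment telling the reader to fill it in, and `aws ec2 describe-snapshots --snapshot-ids` is missing the snapshot ID argument, so neither runs as pasted; a placeholder such as `<snapshot-id>` with a short note would make the intent clear. The snippet under "The URL scheme for EC2 Connect" is a bare URL, not shell, so the `sh` fence tag is misleading. Finally, a few typos and wording slips should be fixed before merge: "eaxmple", "adminstrator", "accross", "ELastic Block Storage", "Serial Console has be activated", "This is can be done", "Such security contain for example" (missing "groups"), "Deployment EC2 instances into 26 regions", and "Both, token and name of the role" (stray comma).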