whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added details for ec2

This commit is contained in:
gurkenhabicht 2024-02-17 17:28:07 +01:00
parent 1ce5afd912
commit 5378eca051
1 changed files with 116 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
Enumeration/AWS.md
View File

@ -681,9 +681,123 @@ How to find a potentially interesting CloudFront assets domain
### EC2 ### EC2
Virtual machine service. Deploy service instances of Virtual machines inside a VPC.
Deployment EC2 instances into 26 regions. Supports multiple OSs.
On-demand billing.
### Restore an Amazon Machine Image #### Connect to an EC2 Instance
Connect to the instance using SSH, RDP, SSM, serial console or webconsole.
A keypair is needed to be owned to connect, for eaxmple EC2 Connect uses
temporary keys. Serial Console has be activated by the adminstrator and
the user which will be used to login needs a password set.
The URL scheme for EC2 Connect through the webconsole is the following.
```sh
https://console.aws.amazon.com/ec2/v2/connect/$USERNAME/$INSTANCE_ID
```
| Method | Network Access needed | Requires Agent | Requires IAM Permissions |
+--------+-----------------------+----------------+--------------------------+
| SSH/RDP | YES | NO | NO |
| Instance Connect | YES | YES (amazon linux 2) | NO |
| SSM Run Command | No | YES | YES |
| SSM Session Manager | NO | YES | YES |
| Serial Console | No | Password needed | NO |
Instance Connect and the SSM Session Manager can be used to reset the root
password via `sudo passwd root`. After that it is possible to connect to the
root user, e.g. using serial console or just use `sudo su root` or `su root` directly.
#### EC2 and IAM
EC2 instances can use nearly any other service provided by AWS.
There only needs to be access to the credentials. This is can be done through
the Instance MetaData Service (IMDS). The IMDS is available through HTTP on
IP address `169.254.169.254` inside every EC2 instance.
##### Request Credentials through IMDS
There are two versions of IMDS in place right now.
Regardless of the version a name of a role needs to be requested through the
IMDS using curl, which is then used to query the token for said role.
###### Query IMDSv1 Permissions
Query the name of the role via curl.
```sh
role_name=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
```
Through the knowledge of the role name we can request the credentials of that role.
```sh
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${role_name}
```
##### Query IMDSv2 Permissions
A token is needed to curl for the name of the role. This is done using curl.
```sh
TOKEN=$(curl -s -XPUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
```
The token is used to query the name of the role via curl.
```sh
role_name=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/)
```
Both, token and name of the role can then be used to request the credentials
via curl.
```sh
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/${role_name}
```
PS:
If you want to activate IMDSv2 an instance ID is needed to activate it through aws cli.
```sh
instance_id=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
region_name=<region_name>
aws ec2 modify-instance-metadata-options --instance-id $instance_id --https-tokens required --region $region_name
```
#### EC2 & Elastic Network Interface (ENI)
Every EC2 instance has at least one ENI to be made available on the network.
There is a security group bound to each ENI to limit communication to the EC2
instance. Such security contain for example which IP addresses can access the
instance, on which ports and which protocols can be used to access it.
List available ENIs through the webshell of the account.
```sh
aws ec2 describe-network-interfaces
```
#### EC2 & ELastic Block Storage (EBS)
An EC2 instance has EBS as its set block device, either SSD or HDD.
EBS storage is persistent, snapshots can be created.
In contrast to other storage solutions. These other, ephemeral storage
solutions can not be snapshotted.
Snapshots can be created from EBSs, which are stored in S3 buckets.
Snapshots can be encrypted through KMS and can be shared accross accounts.
Snapshots deliver a lot of useful content. List metadata of a snapshot via aws cli.
```sh
aws ec2 describe-snapshots --snapshot-ids <snap-id>
```
#### Restore an Amazon Machine Image
An EC2 VM can be created from an Amazon Machine Image, An EC2 VM can be created from an Amazon Machine Image,
that can be found in some S3 buckets. that can be found in some S3 buckets.