From 6014a0a01a0e6f583b4d5ce842b297f1b3acd3be Mon Sep 17 00:00:00 2001 From: stefan Date: Fri, 16 Feb 2024 00:14:34 +0100 Subject: [PATCH] added more details --- Enumeration/AWS.md | 179 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 158 insertions(+), 21 deletions(-) diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 76f3a33..378c3c1 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md @@ -60,6 +60,7 @@ aws sts get-access-key-info --access-key The IAM is not necessarily used by S3. AK/SK is sufficient for authentication and authorization. +* AWS got [unique ID prefixes](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-prefixes) * An AWS unqiue Account ID has a length of 12 digits. * Longterm Access key ID, starts with `AKIA` + 20 chars * Secret access key (SK) @@ -241,6 +242,13 @@ Find account ID to an access key aws sts get-access-key-info --access-key-id AKIAEXAMPLE ``` +List the (current) user details + +```sh +aws sts get-caller-identity +aws sts --profile get-caller-identity +``` + Find username to an access key ```sh @@ -259,6 +267,24 @@ In another region aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME ``` +Create a user via cloudshell. + +```sh +aws iam create-user --user-name +``` + +Add a user to a group via cloudshell. + +```sh +aws iam add-user-to-group --user-name --group-name +``` + +List groups for a user using aws cli. GroupIds begin with `AGPA`. + +```sh +aws iam list-groups-for-user --user-name padawan +``` + ### Credentials User credentials are called profiles on the webUI and console @@ -306,6 +332,8 @@ aws iam update-access-key --access-key-id aws iam delete-access-key --access-key-id ``` +### Shortterm Session Keys (STS) + Session keys are short term, they expire. A session key start with `ASIA`. 
@@ -339,6 +367,38 @@ The session token can be found via the cloudshell through the use of curl. curl -H "X-aws-ec2-metadata-token: $AWS_CONTAINER_AUTHORIZATION_TOKEN" $AWS_CONTAINER_CREDENTIALS_FULL_URI ``` +#### Assume Roles through STS + +A an attack vector, a user can assume a role of higher privileges through the STS. This might happen through a policy bound to a group the user is a member of. + +You need an ARN of the role you want to assume + +```sh +arn:aws:iam:::role/ +``` + +A role session name from the CloudTrail logs is needed, somone who has got the role we want to assume. + +Use aws cli to assume the role. + +```sh +aws --profile sts assume-role --role-arn arn:aws:iam:::role/ --role-session-name +``` + +This result of this is to get the `AccessKeyId`, `SecretAccessKey` and `SessionToken` of the user to complete the three needed variables for aquiring the high privilege. + +```sh +export AWS_SECRET_ACCESS_KEY= +export AWS_ACCESS_KEY_ID= +export AWS_SESSION_TOKEN= +``` + +Check the current identity after setting the variables via aws cli. + +```sh +aws sts get-caller-identity +``` + ### Secrets Use the secrets manager via 
@@ -456,14 +516,71 @@ aws_session_token = TQijaZw== ### Simple Storage Service (S3) [S3](https://aws.amazon.com/s3/) is an object storage without volume limits. -The names of buckets are unique and the namespace of buckets is global but they -are stored regionally. + +A nested directory structure in a bucket is possible, +but pseudo file system for organizing files. + +The names of buckets are unique and the namespace of +buckets is global but they are stored regionally. + +Versioning of files is possible. Files will not be +overwritten by updated versions. Files are enrypted by +default. Methods of access control are as follows 1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) 2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html) -The aws cli scheme is +#### S3 Policies + +Useful permissions to an attack, set through a policy, are `s3:GetObject` and `s3:PutObject`. + +There are identity based and resource based policies for s3 buckets. +If global access or read is set, a resource based +policy access to the objects is available in general of everyone, unauthenticated. + +```json +{ + [...] + "Effect": "Allow", + "Principal": "*", + "Action": [ + "s3:GetObject", + "s3:PutObject" + ], + [...] +} +``` + +Check which policies are set + +```sh +aws s3api get-bucket-policy-status --bucket +aws s3api get-bucket-ownership-controls --bucket +``` + +#### ACL + +Existed since before AWS IAM. The ACL is generated for +every bucket created. Resource owner gets full +permissions. ACL can be extended through principals' +[canonical +userID](https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html) +and services which are allowed or forbidden to access +the bucket. + +__Attack vector__: The group `Any Authenticated AWS +User` can be set as permissions for a group of every +authenticated AWS user. 
+ +If the ACL is set to + +* `Anyone`, just `curl` +* `AuthenticatedUsers`, `s3` cli with aws key + +#### Scheme + +The aws cli scheme for s3 is the following. ```sh http://.s3.amazonaws.com/file.name @@ -477,10 +594,9 @@ http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext #### Check Permissions of a bucket -Do a `PUT` method to see if the bucket may be writeable to upload a file via +Use a `PUT` method to see if the bucket may be writeable to upload a file via -```sh -curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions" +```sh curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions" ``` #### List content of public bucket via @@ -495,21 +611,6 @@ Download via `curl`, `wget` or `s3` cli via aws s3 cp s3:///foo_public.xml . --no-sign-request ``` -#### S3 Policies - -Check which policies are set - -```sh -aws s3api get-bucket-policy-status --bucket -aws s3api get-bucket-ownership-controls --bucket -``` - -#### ACL - -If the ACL is set to - -* `Anyone`, just `curl` -* `AuthenticatedUsers`, `s3` cli with aws key ### Lambda 
@@ -529,3 +630,39 @@ aws lambda get-policy \ --output text \ | jq . ``` + +### CloudFront + +CloudFront is a Content Delivery Network(CDN), which stores static data on Edge +Locations, closer to the customer for performance improvements. + +Geo-fences can be placed to access the content. Can also use authorization +based requests,encryption of data is possible. + +A Web Application Firewall (WAF) as well as Distributed Denial of Service +(DDoS) prevention can be configured for CloudFront instances. + +#### CloudFront Hosts + +An "origin" of a CloudFront instance can be resources like EC2, ELBs or S3 buckets. +Origin Access Identities (OAIs), which are resourced based policies for the +resources or "origins" of a CloudFront instance, need to be set the owner. +For an attack to take place, information about the DNS records of a domain is +needed, to find probable CloudFront resources. + +Use dig or drill or nslookup to list IP addresses of a (sub-)domain where +assets are hosted, potentially. Do A reverse lookup to get the aws domains of +the resources behind the IP addresses. + +```sh +drill assets.example.com +drill <$IP_ADDRESS> -x + +``` + +How to find a potentially interesting CloudFront assets domain + +* Enumerate subdomains of a website +* Do some dorking with a search engine to list the content of a bucket behind an S3 subdomian +* Spider a website via wget or [Linkfinder](https://github.com/GerbenJavado/LinkFinder) +* Search for certificate details
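Review bot: In the `@@ -60,6 +60,7 @@` hunk, the added bullet reads `AWS got [unique ID prefixes]`; use `AWS has` or `AWS uses`, and since this list is being touched, the neighbouring `unqiue` typo in `An AWS unqiue Account ID` can be fixed in the same change. The linked page is the reference for the `AKIA`, `ASIA` and `AGPA` prefixes mentioned later in this file, so the bullet should say that is what it is for.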
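Review bot: In the `@@ -241,6 +242,13 @@` hunk, the second command `aws sts --profile get-caller-identity` has no value after `--profile`, so as written the CLI takes `get-caller-identity` as the profile name and then has no subcommand; if an angle-bracket placeholder was lost, restore it, and prefer the form already used elsewhere in this file, `aws sts get-caller-identity --profile PROFILENAME`. It is also worth one sentence saying why this is the first call to make with a found key: `GetCallerIdentity` needs no IAM permission beyond valid credentials and returns `Account`, `UserId` and `Arn`.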
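Review bot: In the `@@ -259,6 +267,24 @@` hunk, `aws iam create-user --user-name` and `aws iam add-user-to-group --user-name --group-name` are missing their argument values (probably stripped angle-bracket placeholders) and fail with a missing-argument error as they stand; add `USERNAME` and `GROUPNAME` placeholders the way the `list-groups-for-user` example uses `padawan`. Two further points: these are write operations that require `iam:CreateUser` and `iam:AddUserToGroup`, which should be stated in a file titled Enumeration since they are persistence actions rather than enumeration, and "via cloudshell" is misleading because they are ordinary `aws` CLI calls that work from any shell holding credentials. The `AGPA` prefix for group IDs is correct.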
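Review bot: In the `@@ -306,6 +332,8 @@` hunk, the new heading `### Shortterm Session Keys (STS)` should read `Short-term`, and since session keys are one kind of credential, consider a `####` heading under `### Credentials` instead of a sibling `###`. The sentence that follows, `A session key start with ASIA`, should be `starts`.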
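Review bot: In the `@@ -339,6 +367,38 @@` hunk, the sentence "A role session name from the CloudTrail logs is needed, somone who has got the role we want to assume" is incorrect: `--role-session-name` is an arbitrary string chosen by the caller (2 to 64 characters), not a value that has to be harvested from CloudTrail or match an existing user; it only shows up in the assumed-role ARN (`.../assumed-role/ROLENAME/SESSIONNAME`) and in CloudTrail, so reusing a legitimate session name is at most a way to blend in with existing log entries. Three related fixes: assuming a role also requires the role's trust policy to allow the caller, so "a policy bound to a group" granting `sts:AssumeRole` is only half of the condition; the returned `AccessKeyId`, `SecretAccessKey` and `SessionToken` are temporary credentials for the role (one hour by default), not credentials "of the user"; and the ARN example `arn:aws:iam:::role/` has lost its placeholders and should read `arn:aws:iam::ACCOUNTID:role/ROLENAME`. Typos: "A an attack vector" (As an), "somone", "This result of this" (The result), "aquiring".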
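Review bot: In the `@@ -456,14 +516,71 @@` hunk, the two commands under "Check which policies are set" do not return the policy: `get-bucket-policy-status` only reports an `IsPublic` flag, and `get-bucket-ownership-controls` returns the object-ownership setting, which decides whether ACLs are honoured at all and therefore belongs in the `#### ACL` subsection. To read what is actually set, use `aws s3api get-bucket-policy --bucket BUCKETNAME` and `aws s3api get-bucket-acl --bucket BUCKETNAME`, plus `aws s3api get-public-access-block --bucket BUCKETNAME` to see whether Block Public Access overrides a `"Principal": "*"` statement. Further points in this hunk: the JSON has no `Resource` element, so label it as an excerpt of a single statement; "If global access or read is set, a resource based policy access to the objects is available in general of everyone, unauthenticated" should become something like "a bucket policy with `"Principal": "*"` grants the listed actions to everyone, including unauthenticated requests, unless Block Public Access is enabled"; "A nested directory structure in a bucket is possible, but pseudo file system" is garbled (S3 has a flat key namespace and `/` in keys is only rendered as folders); "Useful permissions to an attack" should be "to an attacker"; "enrypted" is "encrypted"; the predefined ACL grantee is `AuthenticatedUsers` (URI `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`) and means any AWS account in the world, which is the reason it is an attack vector; and under `#### Scheme`, "The aws cli scheme for s3" introduces HTTP URLs rather than CLI syntax, so call it the URL scheme.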
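Review bot: The `@@ -477,10 +594,9 @@` hunk breaks the code block: the fence and the command are now on one line, ```sh curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions", so Markdown treats the command as the fence's info string and renders an empty block; keep the fence on its own line as it was. Two more points: `$BUCKET_URL` needs an object key appended (for example `$BUCKET_URL/writetest.txt`), because a `PUT` on the bare bucket URL is a CreateBucket request rather than an upload and tells you nothing about `s3:PutObject`; and "writeable" should be "writable".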
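Review bot: The `@@ -495,21 +611,6 @@` hunk removes the old `#### S3 Policies` and `#### ACL` subsections after they were moved up, which is fine, but the deletion leaves two consecutive blank lines before `### Lambda`; drop one of them.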
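Review bot: In the `@@ -529,3 +630,39 @@` hunk, the description of Origin Access Identities is inaccurate: an OAI is not itself a resource-based policy but a special CloudFront principal, and it is the S3 bucket policy (the resource-based policy) that grants `s3:GetObject` to that principal so the bucket can stay private while CloudFront serves it; AWS now recommends Origin Access Control (OAC) over the legacy OAI, which is worth mentioning. In the lookup example, `drill <$IP_ADDRESS> -x` mixes angle-bracket placeholders with a shell variable and the shell parses `<` and `>` as redirections; write `drill -x $IP_ADDRESS`. A `CNAME` query on the asset hostname (`drill assets.example.com CNAME`) usually exposes a `*.cloudfront.net` target directly and is cheaper than reverse lookups on every address. Minor: "Content Delivery Network(CDN)" and "requests,encryption" need spaces, "Geo-fences can be placed to access the content" should say geo-restriction can limit who may access the content, "Do A reverse lookup" is "Do a reverse lookup", "subdomian" is "subdomain", and the code block has a trailing empty line.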