whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added more details

This commit is contained in:
Stefan Friese 2024-02-16 00:14:34 +01:00
parent 1f75f615ca
commit 6014a0a01a
1 changed files with 158 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

179
Enumeration/AWS.md
View File

@ -60,6 +60,7 @@ aws sts get-access-key-info --access-key <AKIAkey>
The IAM is not necessarily used by S3. AK/SK is sufficient for authentication
and authorization.
* AWS got [unique ID prefixes](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-prefixes)
* An AWS unqiue Account ID has a length of 12 digits.
* Longterm Access key ID, starts with `AKIA` + 20 chars
* Secret access key (SK)
@ -241,6 +242,13 @@ Find account ID to an access key
aws sts get-access-key-info --access-key-id AKIAEXAMPLE
```
List the (current) user details
```sh
aws sts get-caller-identity
aws sts --profile <username> get-caller-identity
```
Find username to an access key
```sh
@ -259,6 +267,24 @@ In another region
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
```
Create a user via cloudshell.
```sh
aws iam create-user --user-name <username>
```
Add a user to a group via cloudshell.
```sh
aws iam add-user-to-group --user-name <username> --group-name <groupname>
```
List groups for a user using aws cli. GroupIds begin with `AGPA`.
```sh
aws iam list-groups-for-user --user-name padawan
```
### Credentials
User credentials are called profiles on the webUI and console
@ -306,6 +332,8 @@ aws iam update-access-key --access-key-id <AKIAkey>
aws iam delete-access-key --access-key-id <AKIAkey>
```
### Shortterm Session Keys (STS)
Session keys are short term, they expire. A session key start
with `ASIA`.
@ -339,6 +367,38 @@ The session token can be found via the cloudshell through the use of curl.
curl -H "X-aws-ec2-metadata-token: $AWS_CONTAINER_AUTHORIZATION_TOKEN" $AWS_CONTAINER_CREDENTIALS_FULL_URI
```
#### Assume Roles through STS
A an attack vector, a user can assume a role of higher privileges through the STS. This might happen through a policy bound to a group the user is a member of.
You need an ARN of the role you want to assume
```sh
arn:aws:iam::<ACCOUNT_ID>:role/<rolename>
```
A role session name from the CloudTrail logs is needed, somone who has got the role we want to assume.
Use aws cli to assume the role.
```sh
aws --profile <lowprivuser> sts assume-role --role-arn arn:aws:iam::<ACCOUNT_ID>:role/<rolename> --role-session-name <highprivuserthathastherole>
```
This result of this is to get the `AccessKeyId`, `SecretAccessKey` and `SessionToken` of the user to complete the three needed variables for aquiring the high privilege.
```sh
export AWS_SECRET_ACCESS_KEY=<HighPrivUserSK>
export AWS_ACCESS_KEY_ID=<HighPrivUserAK>
export AWS_SESSION_TOKEN=<SessionToken>
```
Check the current identity after setting the variables via aws cli.
```sh
aws sts get-caller-identity
```
### Secrets
Use the secrets manager via
@ -456,14 +516,71 @@ aws_session_token = TQijaZw==
### Simple Storage Service (S3)
[S3](https://aws.amazon.com/s3/) is an object storage without volume limits.
The names of buckets are unique and the namespace of buckets is global but they
are stored regionally.
A nested directory structure in a bucket is possible,
but pseudo file system for organizing files.
The names of buckets are unique and the namespace of
buckets is global but they are stored regionally.
Versioning of files is possible. Files will not be
overwritten by updated versions. Files are enrypted by
default.
Methods of access control are as follows
1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
The aws cli scheme is
#### S3 Policies
Useful permissions to an attack, set through a policy, are `s3:GetObject` and `s3:PutObject`.
There are identity based and resource based policies for s3 buckets.
If global access or read is set, a resource based
policy access to the objects is available in general of everyone, unauthenticated.
```json
{
[...]
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
[...]
}
```
Check which policies are set
```sh
aws s3api get-bucket-policy-status --bucket <bucketname>
aws s3api get-bucket-ownership-controls --bucket <bucketname>
```
#### ACL
Existed since before AWS IAM. The ACL is generated for
every bucket created. Resource owner gets full
permissions. ACL can be extended through principals'
[canonical
userID](https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html)
and services which are allowed or forbidden to access
the bucket.
__Attack vector__: The group `Any Authenticated AWS
User` can be set as permissions for a group of every
authenticated AWS user.
If the ACL is set to
* `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key
#### Scheme
The aws cli scheme for s3 is the following.
```sh
http://<bucketname>.s3.amazonaws.com/file.name
@ -477,10 +594,9 @@ http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
#### Check Permissions of a bucket
Do a `PUT` method to see if the bucket may be writeable to upload a file via
Use a `PUT` method to see if the bucket may be writeable to upload a file via
```sh
curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions"
```sh curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions"
```
#### List content of public bucket via
@ -495,21 +611,6 @@ Download via `curl`, `wget` or `s3` cli via
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
```
#### S3 Policies
Check which policies are set
```sh
aws s3api get-bucket-policy-status --bucket <bucketname>
aws s3api get-bucket-ownership-controls --bucket <bucketname>
```
#### ACL
If the ACL is set to
* `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key
### Lambda
@ -529,3 +630,39 @@ aws lambda get-policy \
--output text \
| jq .
```
### CloudFront
CloudFront is a Content Delivery Network(CDN), which stores static data on Edge
Locations, closer to the customer for performance improvements.
Geo-fences can be placed to access the content. Can also use authorization
based requests,encryption of data is possible.
A Web Application Firewall (WAF) as well as Distributed Denial of Service
(DDoS) prevention can be configured for CloudFront instances.
#### CloudFront Hosts
An "origin" of a CloudFront instance can be resources like EC2, ELBs or S3 buckets.
Origin Access Identities (OAIs), which are resourced based policies for the
resources or "origins" of a CloudFront instance, need to be set the owner.
For an attack to take place, information about the DNS records of a domain is
needed, to find probable CloudFront resources.
Use dig or drill or nslookup to list IP addresses of a (sub-)domain where
assets are hosted, potentially. Do A reverse lookup to get the aws domains of
the resources behind the IP addresses.
```sh
drill assets.example.com
drill <$IP_ADDRESS> -x
```
How to find a potentially interesting CloudFront assets domain
* Enumerate subdomains of a website
* Do some dorking with a search engine to list the content of a bucket behind an S3 subdomian
* Spider a website via wget or [Linkfinder](https://github.com/GerbenJavado/LinkFinder)
* Search for certificate details