added more details

This commit is contained in:
gurkenhabicht 2024-02-10 20:47:31 +01:00
parent 5be2a146ef
commit b682bbe990
1 changed files with 104 additions and 7 deletions


@ -33,7 +33,8 @@ or
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
``` ```
* __List content of public bucket via__ ### List content of public bucket via
```sh ```sh
aws s3 ls s3://<bucketname>/ --no-sign-request aws s3 ls s3://<bucketname>/ --no-sign-request
``` ```
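Review bot: the new heading `### List content of public bucket via` ends mid-phrase; as a bullet the trailing "via" led into the command, but as a heading it reads unfinished. Suggest `### List content of a public bucket` and let the `aws s3 ls ... --no-sign-request` block that follows speak for itself.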
@ -51,9 +52,10 @@ If the ACL is set to
* `Anyone`, just `curl` * `Anyone`, just `curl`
* `AuthenticatedUsers`, `s3` cli with aws key * `AuthenticatedUsers`, `s3` cli with aws key
## IAM ## Identity Access Management (IAM)
Permissions are granted directly through user accounts or indirectly through Permissions are granted directly through IAM identities (IAM Principals) inside
an AWS account or indirectly through
roles the user has joined. roles the user has joined.
<img src="./include/iam-intro-users-and-groups.diagram.png" alt="Policy evaluation" width="auto" height="auto"> <img src="./include/iam-intro-users-and-groups.diagram.png" alt="Policy evaluation" width="auto" height="auto">
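Review bot: `roles the user has joined` describes the wrong IAM model and the rewrite keeps it: principals assume roles (receiving temporary STS credentials), while users belong to groups, which is also what the `iam-intro-users-and-groups` diagram illustrates. Suggest: `Permissions are granted directly through IAM identities (users, groups, roles) inside an AWS account, through groups a user belongs to, or through roles a principal assumes.` The image's alt text `Policy evaluation` describes a different figure; `IAM users and groups` would match the file name.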
@ -75,7 +77,7 @@ and authorization.
Every AWS account has a single root account bound to an email address. This Every AWS account has a single root account bound to an email address. This
account has got the all privileges over the account. A root account has MFA account has got the all privileges over the account. A root account has MFA
disabled by default. disabled by default. Has all permissions except Organizational Service Control Policies.
The account is susceptible to an attack if the mail address is accessible but The account is susceptible to an attack if the mail address is accessible but
MFA is not activated. MFA is not activated.
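Review bot: the added `Has all permissions except Organizational Service Control Policies.` is a sentence fragment and restates the preceding `This account has got the all privileges over the account`; merge them and fix the grammar in one go: `This root user has all privileges over the account; the only thing that can restrict it is a Service Control Policy (SCP) applied by an AWS Organization, and SCPs never apply to the organization's management account.` Calling it the root user rather than the root account also avoids a collision with the organization root introduced in the `## AWS Organizations` section later in this commit, which is a different thing.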
@ -83,11 +85,13 @@ MFA is not activated.
If the MFA is not set, it is an opportunity for a password reset attack when If the MFA is not set, it is an opportunity for a password reset attack when
the account the vulnerable root belongs to is part of an AWS Organization. the account the vulnerable root belongs to is part of an AWS Organization.
### User Policies ### (User) Policies
After authentication of a user (or principal) policies of the account are After authentication of a user (or principal) policies of the account are
checked if the request is allowed. checked if the request is allowed.
Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html).
A policy may also be attached to a resource.
The following graph is taken from the documentation, it shows the evaluation The following graph is taken from the documentation, it shows the evaluation
logic inside an account logic inside an account
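Review bot: `A policy may also be attached to a resource.` is dropped in without context; name the kind (a resource-based policy, for example the S3 bucket policies relevant to the bucket sections of this document) and say that the linked evaluation logic considers identity-based and resource-based policies together, since that is why the reader should care. The rename to `### (User) Policies` also changes the generated heading anchor, so the `[User Policies](#User-Policies)` link added later in this commit needs updating. Pre-existing on the first line of this hunk: `policies of the account are checked if the request is allowed` reads better as `the account's policies are evaluated to decide whether the request is allowed`.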
@ -96,6 +100,27 @@ logic inside an account
Policies like `assume-role` and `switch-role` can lead to the gain of roles Policies like `assume-role` and `switch-role` can lead to the gain of roles
with higher permissions with higher permissions
## AWS Organizations
An organization is a tree structure, made out of a single root account and
Organizational Units (UOs). UOs can have children UOs. AN UO may contain
multiple AWS accounts. An AWS account can contain multiple user accounts.
An organization has IAM and SSO that also works with external identity
Providers (idP). This is done through the AWS IAM Identity Center which is used
to confiure roles and permissions.
Further, there is a management account inside any organization. It owns the
role "OrganizationAccountAccessRole". This account uses the policies/roles
mentioned in the [User Policies](#User-Policies) which are `assume-role` and
`switch-role` on the cli tool and the management web-console to gain
administrative permissions over the UOs inside the organization.
By default the Service Control Policy (SCP) `p-full-access` it attached to
every account inside the organization. This SCP allows subscription to all AWS
services. An account can have 5 SCPs at max. Limiting SCPs do not apply to the
management account itself.
### User Provisioning ### User Provisioning
When using the cli command, the aws configuration and credentials are stored at `~/.aws` When using the cli command, the aws configuration and credentials are stored at `~/.aws`
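Review bot: the role ownership is backwards: `OrganizationAccountAccessRole` lives in each member account (created automatically when the account is created through Organizations) and trusts the management account, which assumes it; the management account does not own the role. Suggest: `Each member account created through Organizations gets a role named OrganizationAccountAccessRole that trusts the management account; assuming it (assume-role on the CLI, switch-role in the console) grants administrative access to that member account.` Terminology: the unit is an Organizational Unit, abbreviated OU, not `UO`/`UOs` (and `AN UO` should be `An OU`); the top of the tree is the organization root, a container, not the account root user discussed above, so `made out of a single root account` should read `made out of a single root`; `idP` is `IdP`, `confiure` is `configure`, and IAM Identity Center is the successor of AWS SSO, which is worth saying since the text uses both names. The default SCP is named `FullAWSAccess` (policy ID `p-FullAWSAccess`), not `p-full-access`, `it attached` should be `is attached`, and the five-SCP limit applies per target (root, OU or account). Finally, `[User Policies](#User-Policies)` no longer resolves because the heading was renamed to `(User) Policies` in this same commit; use the anchor generated from the new heading.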
@ -136,9 +161,12 @@ In another region
aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME
``` ```
### AWS ARN ### Amazon Resource Name (ARN)
Unique ID is create through the following scheme The [ARN](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html)
is a unique ID which identifies resources.
A Unique ID is create through the following scheme
```sh ```sh
arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name> arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
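Review bot: the two added lines say the same thing twice (`is a unique ID which identifies resources`, then `A Unique ID is create through the following scheme`); keep one and fix `is create` to `is created`. The scheme's fields deserve labels, because the reader will build ARNs for policies from it: the second field `aws` is the partition (`aws-cn` and `aws-us-gov` also exist), `region` and `account_id` are left empty for global services such as IAM and S3, and some services separate resource type and name with `:` rather than `/`.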
@ -159,3 +187,72 @@ Do a `PUT` method to see if the bucket may be writeable to upload a file via
```sh ```sh
curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions" curl -vvv -X PUT $BUCKET_URL --data "Test of write permissions"
``` ```
## Virtual Private Cloud (VPC)
Is a logic network segementation method using its own IP address range.
Contains resources like VMs (EC2) and has an Internet gateway if needed. The
gateway can be either just ingress, egress, or both. EC2 can use elastic IP
addresses to provide Ingress. A Gateway Load Balancer can be used to do traffic inspection.
To connect to a VPC, it does not need to be exposed to the Internet. It is
accessible through various connection services like Direct Connect or
PrivateLink.
VPCs can have multiple subnets, they use host infrastructure components like
DHCP, NTP and DNS provided by AWS.
NTP can be found under 169.254.169.123. The DNS resolver `Route 53` can be
found under 169.254.169.253. Microsoft's KMS service can be at 169.254.169.250
and 169.254.169.251.
### Metadata Service
The instance (Openstack) Metadata service can be found under 169.254.169.254.
It can be used
to gain information about the EC2 via a GET request to
http://169.254.169.254/latest/meta-data .
The task metadata service can be found at 169.254.170.2 and is used for the
Elastic Container Service (ECS).
The instance metadata service has been used for information disclosure of
security credentials before.
[Alexander
Hose](https://alexanderhose.com/how-to-hack-aws-instances-with-the-metadata-service-enabled/)
describes how to use the credentials through aws-cli.
```sh
[ec2-user ~] curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
ec2S3FullAccess
[ec2-user ~] curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2S3FullAccess
{
"Code": "Success",
"LastUpdated": "2022-10-01T15:19:43Z",
"Type": "AWS-HMAC",
"AccessKeyId": "ASIAMFKOAUSJ7EXAMPLE",
"SecretAccessKey": "UeEevJGByhEXAMPLEKEY",
"Token": "TQijaZw==",
"Expiration": "2022-10-01T21:44:45Z"
}
```
Use the credentials to configure aws-cli.
```sh
$ aws configure
AWS Access Key ID [None]: ASIAMFKOAUSJ7EXAMPLE
AWS Secret Access Key [None]: UeEevJGByhEXAMPLEKEYEXAMPLEKEY
Default region name [None]: us-east-2
Default output format [None]: json
```
Add the credentials to the AWS credentials file
```sh
[default]
aws_access_key_id = ASIAMFKOAUSJ7EXAMPLE
aws_secret_access_key = UeEevJGByhEXAMPLEKEYEXAMPLEKEY
aws_session_token = TQijaZw==
```
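Review bot: the metadata example is IMDSv1 only and the section never says so: on instances enforcing IMDSv2 (`HttpTokens=required`) the plain `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/` gets a 401, because a session token obtained with a `PUT` to `/latest/api/token` must be sent in the `X-aws-ec2-metadata-token` header; enforcing IMDSv2 together with a hop limit of 1 is the standard mitigation for the credential disclosure this section describes and belongs right next to the Alexander Hose reference. Naming: 169.254.169.254 is the EC2 Instance Metadata Service (IMDS); `(Openstack)` is misleading in an AWS sheet even though OpenStack reuses the address, and `Microsoft's KMS service` is Windows activation (Key Management Service), not AWS KMS, so say so. The credential blocks are inconsistent: `SecretAccessKey` is `UeEevJGByhEXAMPLEKEY` in the metadata response but `UeEevJGByhEXAMPLEKEYEXAMPLEKEY` in `aws configure` and the credentials file, and since `aws configure` never prompts for the session token, writing `aws_session_token` to the file (or `aws configure set aws_session_token ...`) is required rather than an alternative step; the prose should say that. Smaller points: `Is a logic network segementation method` needs a subject and should read `A VPC is a logical network segmentation method`, and the gateway sentence should note that an egress-only internet gateway exists for IPv6 only.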