diff --git a/Enumeration/AWS.md b/Enumeration/AWS.md index 5e8ae15..907057e 100644 --- a/Enumeration/AWS.md +++ b/Enumeration/AWS.md @@ -447,6 +447,45 @@ Trufflehog](https://github.com/trufflesecurity/trufflehog). Other repositories, like package repository for programming, are also prone to contain credentials unintentionally. +Credentials can be found in environment variables like `AWS_SESSION_TOKEN`, +`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, shared credential files inside +home directories like `~/.aws/credentials`, assumed roles cached in +`~/.aws/cli/cached`, aws cli configuration file `~/.aws/configuration`, Boto2 +and Boto3 or via the [IMDS](#Metadata-Service) on EC2 instances. + +You can get the account name through the STS service using the access-key + +```sh +aws sts get-access-key-info --access-key-id +``` + +Identify AccountId, IAM Roles and users as valid principals in an account by +creating a resourced based policy. Create the resource which is in need of a +resource based policy and update it for the principal you want to enumerate. +There are two outcomes + +* The principal exists, the policy will be updated/created +* The principal does not exist and there is an error message returned + +Use [Righteousgambit's Quiet +Riot](https://github.com/righteousgambit/quiet-riot) to enumerate AWS, Azure +,GCP principals. A userlist is needed for enumeration of an AccountId. +ACL can contain email addresses of root users. These addresses can be found by +quiet riot as well. AWS Service Footprinting and roles can be done by quiet +riot, too. + +These different scans are parameters for the `--scan` argument. AWs scans +contain the following numbers. + +```sh +1. AWS Account IDs +2. AWS Services Footprinting +4. AWS Root User E-mail Address +5. AWS IAM Principals + 4.1. IAM Roles + 4.2. IAM Users +``` + #### Gain Access through CloudFormation It is possible to phish credentials through url manipulation and sending it to 
@@ -726,20 +765,13 @@ Now the VPC and EC2 is accessible through the internet. ### Metadata Service +#### Metdata Service on EC2 + The instance (Openstack) Metadata service can be found under 169.254.169.254. It can be used to gain information about the EC2 via a GET request to `http://169.254.169.254/latest/meta-data`. -The task metadata service can be found at 169.254.170.2 and is used for the -[Elastic Container Service (ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) - -From inside a container curl can be used to get the credentials - -```sh -curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI -``` - The instance metadata service has been used for information disclosure of security credentials before. [Alexander @@ -780,6 +812,24 @@ aws_secret_access_key = UeEevJGByhEXAMPLEKEYEXAMPLEKEY aws_session_token = TQijaZw== ``` +#### Metadata Service on ECS + +This task metadata service can be found at 169.254.170.2 and is used for the +[Elastic Container Service (ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) + +Elastic Container Service is using the version 2 of IMDS. The URL for the +metadata service is the following. + +```http +http://169.254.170.2/v2/metadata +``` + +From inside a container curl can be used to get the credentials + +```sh +curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI +``` + ### Simple Storage Service (S3) [S3](https://aws.amazon.com/s3/) is an object storage without volume limits. diff --git a/Enumeration/include/telemetry-api-concept-diagram.png b/Enumeration/include/telemetry-api-concept-diagram.png new file mode 100644 index 0000000..a9ffb58 Binary files /dev/null and b/Enumeration/include/telemetry-api-concept-diagram.png differ
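Review bot: In the hunk at `@@ -447,6 +447,45 @@`, two of the new credential-location paths do not match the AWS CLI's real file names: the CLI config file is `~/.aws/config`, not `~/.aws/configuration`, and assumed-role credentials are cached under `~/.aws/cli/cache`, not `~/.aws/cli/cached`; "Boto2 and Boto3" is also left dangling without saying which file or mechanism is meant. The same hunk says `aws sts get-access-key-info` returns "the account name", but it returns the account ID (the `Account` field), and the command is missing its argument value; suggest `aws sts get-access-key-info --access-key-id <ACCESS_KEY_ID>`. Finally, the Quiet Riot scan list is a plain list fenced as `sh`, its numbering jumps 1, 2, 4, 5 and then nests 4.1/4.2 under item 5, and "AWs scans" and "Azure ,GCP" need fixing; either renumber the list consistently or quote the `--scan` values the tool actually accepts, and drop the `sh` fence.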
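Review bot: The new heading in the hunk at `@@ -726,20 +765,13 @@` has a typo, `#### Metdata Service on EC2`; it should read `#### Metadata Service on EC2` so it matches the `#### Metadata Service on ECS` heading introduced in the next hunk.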
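Review bot: In the hunk at `@@ -780,6 +812,24 @@`, "Elastic Container Service is using the version 2 of IMDS" conflates two different services: IMDSv2 is the token-based EC2 instance metadata service on 169.254.169.254, whereas `http://169.254.170.2/v2/metadata` is version 2 of the ECS task metadata endpoint, a separate API. Suggest rewording to "ECS exposes a task metadata endpoint; version 2 is reachable at the URL below", and mentioning that newer task definitions hand containers the v3/v4 endpoint through the `ECS_CONTAINER_METADATA_URI` and `ECS_CONTAINER_METADATA_URI_V4` environment variables. Smaller points: "This task metadata service" should be "The task metadata service", the ECS link sentence is missing its full stop, and the curl example is more robust with a scheme and quoting: `curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"`.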
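Review bot: The added binary `Enumeration/include/telemetry-api-concept-diagram.png` is not referenced by any of the markdown changes in this diff, and none of the three hunks in `Enumeration/AWS.md` touch a Telemetry API section. Either add the image reference (for example `![Telemetry API concept](include/telemetry-api-concept-diagram.png)`) in the section it illustrates, or move the file to the commit that introduces that section.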