cedowens/aws-cli-notes
aws-cli-notes

A combined list of helpful awscli commands from Scott Piper's flaws.cloud exercise (http://flaws.cloud), from Beau Bullock's Breaching the Cloud Training, and from some digging I have done.

Commands below are listed in order of the exercises:

1. Do a DNS lookup on the domain you are investigating (ex: dig [domain.com]).

2a. Navigate to the IP(s) the domain resolves to in your browser and see if you are redirected to https://aws.amazon.com/s3/, which would indicate that it is an S3 bucket.

2b. If you are not redirected to https://aws.amazon.com/s3/ but the website returns a page with CloudFront references, then you know that the domain is hosted in AWS. An example would be a 403 error with a message showing "Generated by cloudfront (CloudFront)".

3a. Then run an nslookup on the IP (ex: nslookup [IP]).

3b. If the host is an S3 bucket and has been configured for web hosting, you may see a hostname on amazonaws.com, and the region may also be referenced in the hostname returned.

3c. If the host is in AWS but is not a bucket, you may see cloudfront.net in the hostname.

3d. Common AWS URL patterns: http://[domain].s3.amazonaws.com, https://s3-[region].amazonaws.com/[name]

3e. You can also list the bucket with the AWS CLI: aws s3 ls s3://[bucket name] (add --profile [profile] as the first argument if you want to use a specific profile).

NOTE: Cyberduck can also browse a bucket and will determine the region for you.

4. Download an S3 bucket: aws s3 sync s3://[bucket] [local_dir] (or copy specific items from a bucket locally with aws s3 cp s3://[bucket]/dir [local_dir]).

5. Configure a new AWS profile locally: aws configure --profile [new_profile_name]

6. aws --profile [profile_name] sts get-caller-identity --> find the account ID and the ARN of the calling identity (the ARN includes the user or role name)

7. aws sts get-caller-identity --> returns UserId and account number (same command, using the default profile)

8. aws ec2 describe-instances --region [region]

9. aws iam list-users

10. aws iam list-roles

Helpful recon tools:

- Recon-NG
- OWASP Amass
- Spiderfoot
- Gobuster
- Sublist3r
- https://github.com/initstring/cloud_enum --> multi-cloud OSINT tool

Asset discovery:

- Bing: can use "ip:[IP]" to see if a domain has been attached to an IP in the past

- Certificate Transparency logs: find interesting hosts

- Shodan: (ex: org: "[org]", ssl: "[company]", net: "[range]", etc.)

- DNS brute forcing: the SecLists repo has some good lists; you can use them with Gobuster

- MX records: check the results to see where mail is hosted --> Office 365: domain.mail.protection.outlook.com; G Suite: google.com, googlemail.com or aspmx.l.google.com; Proofpoint: pphosted.com

- Other interesting sources: hackertarget.com, threatcrowd.org, dnsdumpster.com; search for ASNs at ARIN/LACNIC/APNIC/RIPE/AFRINIC

- https://github.com/oldrho/ip2provider: feed it a list of IPs and it checks the known cloud ranges to see whether each IP is hosted with a known cloud provider

1. aws --profile [profile_name] ec2 describe-snapshots --owner-id [ownerID] --> look for EC2 snapshot info

2. aws --profile [profile_name] ec2 create-volume --availability-zone [zone] --region [region] --snapshot-id [ID] --> create a volume from the snapshot, then attach and mount it on an instance you can ssh into

3. find /mnt -type f -mtime -1 2>/dev/null | grep -v "/var/" | grep -v "/proc/" | grep -v "/dev/" | grep -v "/sys/" | grep -v "/run/" | less --> look through recently modified files on the mounted volume for creds

4. "On cloud services, including AWS, the IP 169.254.169.254 is magical. It's the metadata service."

5. aws --profile [profile_name] iam get-user --> find out who you are

6. aws --profile level6 iam list-attached-user-policies --user-name Level6 --> find what policies are attached

7. aws --profile [profile_name] iam get-policy --policy-arn [arn_value] --> once you know the ARN for a policy, this returns its DefaultVersionId

8. aws --profile [profile_name] iam get-policy-version --policy-arn [arn_value] --version-id [version_id] --> see what the actual policy document is

9. aws --region [region] --profile [profile_name] lambda list-functions --> if you have the SecurityAudit policy, you can see some info on Lambda functions

10. aws --region [region] --profile [profile_name] lambda get-policy --function-name [name] --> returns the function's resource policy, which includes the REST API info for any API Gateway that invokes it

11. aws --profile [profile_name] --region [region] apigateway get-stages --rest-api-id "[ID]" --> get the stage name(s) and deployment info for that REST API

12. aws configure list --> show the active profile's configuration
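One way to review the policy document that step 8 returns, as an added example that is not part of the aws-cli-notes repo: it parses the JSON shape printed by aws iam get-policy-version (the sample below is constructed, with a placeholder bucket name) and flags Allow statements with wildcard actions, wildcard resources or NotAction, which are the grants a reviewer checks first.

```python
import json

# Constructed sample in the shape 'aws iam get-policy-version' prints (not a real policy).
SAMPLE_CLI_OUTPUT = """
{
  "PolicyVersion": {
    "Document": {
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:DeleteUser", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
      ]
    },
    "VersionId": "v1"
  }
}
"""


def as_list(value):
    """IAM accepts a string or a list for Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(cli_output):
    """Return (statement_index, reason) pairs for Allow statements that
    grant broadly: wildcard actions, wildcard resources, or NotAction."""
    document = json.loads(cli_output)["PolicyVersion"]["Document"]
    findings = []
    for i, stmt in enumerate(as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements restrict rather than grant
        if "NotAction" in stmt:
            findings.append((i, "NotAction: allows everything except %s"
                             % as_list(stmt["NotAction"])))
        wild = [a for a in as_list(stmt.get("Action")) if a.endswith("*")]
        if wild:
            findings.append((i, "wildcard action(s): %s" % wild))
        if "*" in as_list(stmt.get("Resource")):
            findings.append((i, "applies to every resource (Resource '*')"))
    return findings


if __name__ == "__main__":
    for index, reason in find_broad_grants(SAMPLE_CLI_OUTPUT):
        print("statement %d: %s" % (index, reason))
```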

Trying to find other secrets from Secrets Manager with a set of AWS creds:

1. aws --profile [profile] secretsmanager list-secrets: key on the "Name" values returned

2. aws --profile [profile] secretsmanager get-secret-value --secret-id "name_value": the secret is returned in the "SecretString" field

Trying to find other secrets from the Parameter Store:

1. aws --profile [profile] ssm describe-parameters: gets a list of parameter names (each "Name" value is what you want to key on)

2. aws --profile [profile] ssm get-parameters --names "name1_from_step1_above" "name2_from_step1_above" ...: gets the listed parameters; SecureString values come back encrypted unless --with-decryption is added

3. aws --profile [profile] ssm get-parameter --name "name" --with-decryption: returns the clear-text secret value in the "Value" field

4. aws iam create-login-profile --user-name [unique_uname] --password [pw] --password-reset-required: example of creating an IAM console login profile
