AWS Key Patterns

This commit is contained in:
Swissky 2023-06-22 19:03:06 +02:00
parent fc36b38430
commit e9c1ce1c09
5 changed files with 68 additions and 30 deletions

View File

@ -8,7 +8,6 @@
- [Exploit](#exploit) - [Exploit](#exploit)
- [Google Maps](#google-maps) - [Google Maps](#google-maps)
- [Algolia](#algolia) - [Algolia](#algolia)
- [AWS Access Key ID & Secret](#aws-access-key-id--secret)
- [Slack API Token](#slack-api-token) - [Slack API Token](#slack-api-token)
- [Facebook Access Token](#facebook-access-token) - [Facebook Access Token](#facebook-access-token)
- [Github client id and client secret](#github-client-id-and-client-secret) - [Github client id and client secret](#github-client-id-and-client-secret)

View File

@ -8,7 +8,9 @@
- [Summary](#summary) - [Summary](#summary)
- [Training](#training) - [Training](#training)
- [Tools](#tools) - [Tools](#tools)
- [AWS Patterns](#aws-patterns) - [AWS - Patterns](#aws---patterns)
- [URL Services](#url-services)
- [Access Key ID & Secret](#access-key-id--secret)
- [AWS - Metadata SSRF](#aws---metadata-ssrf) - [AWS - Metadata SSRF](#aws---metadata-ssrf)
- [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2) - [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2)
- [Method for Container Service (Fargate)](#method-for-container-service-fargate) - [Method for Container Service (Fargate)](#method-for-container-service-fargate)
@ -188,35 +190,58 @@
## AWS Patterns ## AWS - Patterns
| Service | URL |
|-------------|--------| ### URL Services
| s3 | https://{user_provided}.s3.amazonaws.com |
| cloudfront | https://{random_id}.cloudfront.net | | Service | URL |
| ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com | |--------------|-----------------------|
| es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com | | s3 | https://{user_provided}.s3.amazonaws.com |
| elb | http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 | | cloudfront | https://{random_id}.cloudfront.net |
| elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com | | ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com |
| rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 | | es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com |
| rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 | | elb | http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 |
| route 53 | {user_provided} | | elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com |
| execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} | | rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 |
| cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com | | rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 |
| transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com | | route 53 | {user_provided} |
| iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 | | execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} |
| iot | https://{random_id}.iot.{region}.amazonaws.com:8443 | | cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com |
| iot | https://{random_id}.iot.{region}.amazonaws.com:443 | | transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com |
| mq | https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 | | iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 |
| mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 | | iot | https://{random_id}.iot.{region}.amazonaws.com:8443 |
| kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com | | iot | https://{random_id}.iot.{region}.amazonaws.com:443 |
| kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com | | mq | https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 |
| cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com | | mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 |
| mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com | | kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com |
| kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com |
| cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com |
| mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com |
| kinesisvideo | https://{random_id}.kinesisvideo.{region}.amazonaws.com | | kinesisvideo | https://{random_id}.kinesisvideo.{region}.amazonaws.com |
| mediaconvert | https://{random_id}.mediaconvert.{region}.amazonaws.com | | mediaconvert | https://{random_id}.mediaconvert.{region}.amazonaws.com |
| mediapackage | https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel | | mediapackage | https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel |
### Access Key ID & Secret
> IAM uses the following prefixes to indicate what type of resource each unique ID applies to.
| Prefix | Resource type |
|--------------|-------------------------|
| ABIA | AWS STS service bearer token |
| ACCA | Context-specific credential |
| AGPA | User group |
| AIDA | IAM user |
| AIPA | Amazon EC2 instance profile |
| AKIA | Access key |
| ANPA | Managed policy |
| ANVA | Version in a managed policy |
| APKA | Public key |
| AROA | Role |
| ASCA | Certificate |
| ASIA | Temporary (AWS STS) access key |
## AWS - Metadata SSRF ## AWS - Metadata SSRF
> AWS released additional security defences against the attack. > AWS released additional security defences against the attack.

View File

@ -288,6 +288,9 @@ PS C:\> Add-MpPreference -ExclusionPath "C:\Temp"
PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks" PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe" PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
# exclude using wmi
PS C:\> WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\Public\wmic"
# remove signatures (if Internet connection is present, they will be downloaded again): # remove signatures (if Internet connection is present, they will be downloaded again):
PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

View File

@ -57,10 +57,11 @@
## Tools ## Tools
- [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap) - [swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap) - Automatic SSRF fuzzer and exploitation tool
- [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus) - [tarunkant/Gopherus](https://github.com/tarunkant/Gopherus) - Generates gopher link for exploiting SSRF and gaining RCE in various servers
- [See-SURF - https://github.com/In3tinct/See-SURF](https://github.com/In3tinct/See-SURF) - [In3tinct/See-SURF](https://github.com/In3tinct/See-SURF) - Python based scanner to find potential SSRF parameters
- [SSRF Sheriff - https://github.com/teknogeek/ssrf-sheriff](https://github.com/teknogeek/ssrf-sheriff) - [teknogeek/SSRF Sheriff](https://github.com/teknogeek/ssrf-sheriff) - Simple SSRF-testing sheriff written in Go
* [assetnote/surf](https://github.com/assetnote/surf) - Returns a list of viable SSRF candidates
## Payloads with localhost ## Payloads with localhost

View File

@ -42,6 +42,16 @@
![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true) ![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true)
Loose Type Comparisons occurs in many languages:
* [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb)
* [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql)
* [NodeJS](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/NodeJS)
* [PHP](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/PHP)
* [Perl](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Perl)
* [Postgres](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Postgres)
* [Python](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Python)
* [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0)
### NULL statements ### NULL statements