4.8 KiB

Raw Blame History

AWS - Access Token & Secrets

URL Services

Service	URL
s3	https://{user_provided}.s3.amazonaws.com
cloudfront	https://{random_id}.cloudfront.net
ec2	ec2-{ip-seperated}.compute-1.amazonaws.com
es	https://{user_provided}-{random_id}.{region}.es.amazonaws.com
elb	http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443
elbv2	https://{user_provided}-{random_id}.{region}.elb.amazonaws.com
rds	mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306
rds	postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432
route 53	{user_provided}
execute-api	https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided}
cloudsearch	https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com
transfer	sftp://s-{random_id}.server.transfer.{region}.amazonaws.com
iot	mqtt://{random_id}.iot.{region}.amazonaws.com:8883
iot	https://{random_id}.iot.{region}.amazonaws.com:8443
iot	https://{random_id}.iot.{region}.amazonaws.com:443
mq	https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162
mq	ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617
kafka	b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com
kafka	{user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com
cloud9	https://{random_id}.vfs.cloud9.{region}.amazonaws.com
mediastore	https://{random_id}.data.mediastore.{region}.amazonaws.com
kinesisvideo	https://{random_id}.kinesisvideo.{region}.amazonaws.com
mediaconvert	https://{random_id}.mediaconvert.{region}.amazonaws.com
mediapackage	https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel

Access Key ID & Secret

IAM uses the following prefixes to indicate what type of resource each unique ID applies to. The first four characters are the prefix that depends on the type of the key.

Prefix	Resource type
ABIA	AWS STS service bearer token
ACCA	Context-specific credential
AGPA	User group
AIDA	IAM user
AIPA	Amazon EC2 instance profile
AKIA	Access key
ANPA	Managed policy
ANVA	Version in a managed policy
APKA	Public key
AROA	Role
ASCA	Certificate
ASIA	Temporary (AWS STS) access key

The rest of the string is Base32 encoded and can be used to recover the account id.

import base64
import binascii

def AWSAccount_from_AWSKeyID(AWSKeyID):
    
    trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix
    x = base64.b32decode(trimmed_AWSKeyID) #base32 decode
    y = x[0:6]
    
    z = int.from_bytes(y, byteorder='big', signed=False)
    mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False)
    
    e = (z & mask)>>7
    return (e)


print ("account id:" + "{:012d}".format(AWSAccount_from_AWSKeyID("ASIAQNZGKIQY56JQ7WML")))

Regions

US Standard - http://s3.amazonaws.com
Ireland - http://s3-eu-west-1.amazonaws.com
Northern California - http://s3-us-west-1.amazonaws.com
Singapore - http://s3-ap-southeast-1.amazonaws.com
Tokyo - http://s3-ap-northeast-1.amazonaws.com

Gaining AWS Console Access via API Keys

A utility to convert your AWS CLI credentials into AWS console access.

Using NetSPI/aws_consoler

$> aws_consoler -v -a AKIA[REDACTED] -s [REDACTED]
2020-03-13 19:44:57,800 [aws_consoler.cli] INFO: Validating arguments...
2020-03-13 19:44:57,801 [aws_consoler.cli] INFO: Calling logic.
2020-03-13 19:44:57,820 [aws_consoler.logic] INFO: Boto3 session established.
2020-03-13 19:44:58,193 [aws_consoler.logic] WARNING: Creds still permanent, creating federated session.
2020-03-13 19:44:58,698 [aws_consoler.logic] INFO: New federated session established.
2020-03-13 19:44:59,153 [aws_consoler.logic] INFO: Session valid, attempting to federate as arn:aws:sts::123456789012:federated-user/aws_consoler.
2020-03-13 19:44:59,668 [aws_consoler.logic] INFO: URL generated!
https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3Fregion%3Dus-east-1&SigninToken=[REDACTED]

4.8 KiB Raw Blame History