AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

VPC & Networking

Learn what a VPC is and about its components in:

AWS - VPC & Networking Basic Information

EC2

Amazon EC2 is used to launch virtual servers. It lets you configure security and networking and manage storage. The flexibility of EC2 lies in its ability to scale resources both up and down, adapting to changing requirements or surges in demand, which reduces the need for precise traffic forecasting.

Interesting things to enumerate in EC2:

  • Virtual Machines
    • SSH Keys
    • User Data
    • Existing EC2s/AMIs/Snapshots
  • Networking
    • Networks
    • Subnetworks
    • Public IPs
    • Open ports
  • Integrated connections with other networks outside AWS

Instance Profiles

Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, you need an additional step to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications.

This extra step is the creation of an instance profile attached to the instance. The instance profile contains the role and can provide the role's temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application's API calls to access resources and to limit access to only those resources that the role specifies. Note that only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.

Metadata Endpoint

AWS EC2 metadata is information about an Amazon Elastic Compute Cloud (EC2) instance that is available to the instance at runtime. This metadata is used to provide information about the instance, such as its instance ID, the availability zone it is running in, the IAM role associated with the instance, and the instance's hostname.

Cloud SSRF - HackTricks

Enumeration

```bash
# Get EC2 instances
aws ec2 describe-instances
aws ec2 describe-instance-status #Get status from running instances

# Get user data from each ec2 instance (UserData.Value is base64-encoded)
for instanceid in $(aws ec2 describe-instances --profile <profile> --region us-west-2 | grep -Eo '"i-[a-zA-Z0-9]+' | tr -d '"'); do
  echo "Instance ID: $instanceid"
  aws ec2 describe-instance-attribute --profile <profile> --region us-west-2 --instance-id "$instanceid" --attribute userData | jq -r ".UserData.Value" | base64 -d
  echo ""
  echo "-------------------"
done

# Instance profiles
aws iam list-instance-profiles
aws iam list-instance-profiles-for-role --role-name <name>

# Get tags
aws ec2 describe-tags

# Get volumes
aws ec2 describe-volume-status
aws ec2 describe-volumes

# Get snapshots
aws ec2 describe-snapshots --owner-ids self

# Scheduled instances
aws ec2 describe-scheduled-instances

# Get custom images
aws ec2 describe-images --owners self

# Get Elastic IPs
aws ec2 describe-addresses

# Get console output of an instance
aws ec2 get-console-output --instance-id [id]

# Get VPN customer gateways
aws ec2 describe-customer-gateways
aws ec2 describe-vpn-gateways
aws ec2 describe-vpn-connections

# List conversion tasks to upload/download VMs
aws ec2 describe-conversion-tasks
aws ec2 describe-import-image-tasks

# Get Bundle Tasks
aws ec2 describe-bundle-tasks

# Get Classic Instances
aws ec2 describe-classic-link-instances

# Get Dedicated Hosts
aws ec2 describe-hosts

# Get SSH Key Pairs
aws ec2 describe-key-pairs

# Get Internet Gateways
aws ec2 describe-internet-gateways

# Get NAT Gateways
aws ec2 describe-nat-gateways

# Get subnetworks
aws ec2 describe-subnets

# Get network ACLs (subnet-level FW rules)
aws ec2 describe-network-acls

# Get security groups
aws ec2 describe-security-groups

# Get interfaces
aws ec2 describe-network-interfaces

# Get route tables
aws ec2 describe-route-tables

# Get VPCs
aws ec2 describe-vpcs
aws ec2 describe-vpc-peering-connections
```
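To triage the output of the commands above, the following added example (not part of the original page) takes a constructed `describe-instances` response plus the base64 `UserData.Value` of each instance and flags the things this section calls out: an attached instance profile, a public IP, a metadata endpoint that still accepts IMDSv1 (`HttpTokens` not `required`), and user data containing credential-looking markers. Sample data and the `SECRET_MARKERS` list are assumptions made for the example.

```python
import base64
import json

# Constructed sample modelled on `aws ec2 describe-instances` output (not real data).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example1", "PublicIpAddress": "203.0.113.10",
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"},
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0example2",
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    ]}]
})

# Constructed user data, base64-encoded as `describe-instance-attribute --attribute userData` returns it.
SAMPLE_USER_DATA = {
    "i-0example1": base64.b64encode(b"#!/bin/bash\nexport DB_PASSWORD=hunter2\n").decode(),
    "i-0example2": base64.b64encode(b"#!/bin/bash\napt-get update\n").decode(),
}

# Assumed list of substrings that usually indicate a secret was baked into user data.
SECRET_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "AWS_ACCESS_KEY_ID")

def decode_user_data(b64_value):
    """Decode the base64 UserData.Value field; missing or empty data yields ''."""
    if not b64_value:
        return ""
    return base64.b64decode(b64_value).decode("utf-8", errors="replace")

def triage_instances(describe_json, user_data_by_id):
    """Return {instance_id: [finding, ...]} for instances that deserve a closer look."""
    findings = {}
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            iid = inst["InstanceId"]
            issues = []
            meta = inst.get("MetadataOptions", {})
            # IMDSv1 reachable: an SSRF in an app on this host can read the role credentials.
            if meta.get("HttpEndpoint") == "enabled" and meta.get("HttpTokens") != "required":
                issues.append("imdsv1-allowed")
            if inst.get("IamInstanceProfile"):
                issues.append("instance-profile:" + inst["IamInstanceProfile"]["Arn"].rsplit("/", 1)[-1])
            if inst.get("PublicIpAddress"):
                issues.append("public-ip:" + inst["PublicIpAddress"])
            text = decode_user_data(user_data_by_id.get(iid))
            if any(marker in text.upper() for marker in SECRET_MARKERS):
                issues.append("user-data-secret-marker")
            if issues:
                findings[iid] = issues
    return findings

if __name__ == "__main__":
    for iid, issues in triage_instances(SAMPLE_DESCRIBE_INSTANCES, SAMPLE_USER_DATA).items():
        print(iid, ", ".join(issues))
```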

Unauthenticated Access

AWS - EC2 Unauthenticated Enum

Privesc

In the following page you can check how to abuse EC2 permissions to escalate privileges:

AWS - EC2 Privesc

Post-Exploitation

AWS - EC2, EBS, SSM & VPC Post Exploitation

EBS

Amazon EBS (Elastic Block Store) snapshots are basically static backups of AWS EBS volumes. In other words, they are copies of the disks attached to an EC2 Instance at a specific point in time. EBS snapshots can be copied across regions and accounts, or even downloaded and run locally.

Snapshots can contain sensitive information such as source code or API keys, so if you have the chance it's recommended to check them.

Difference AMI & EBS

An AMI is used to launch an EC2 instance, while an EC2 Snapshot is used to backup and recover data stored on an EBS volume. While an EC2 Snapshot can be used to create a new AMI, it is not the same thing as an AMI, and it does not include information about the operating system, application server, or other software required to run an application.

Privesc

In the following page you can check how to abuse EBS permissions to escalate privileges:

AWS - EBS Privesc

SSM

Amazon Simple Systems Manager (SSM) allows you to remotely manage fleets of EC2 instances, making their administration much easier. Each of these instances needs to be running the SSM Agent service, as the agent is what receives the actions from the AWS API and performs them.

SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources. The agent processes requests from the Systems Manager service in the AWS Cloud, and then runs them as specified in the request.

The SSM Agent comes preinstalled in some AMIs; otherwise you need to install it manually on the instances. Also, the IAM Role used inside the instance needs to have the policy AmazonEC2RoleforSSM attached to be able to communicate.

Enumeration

```bash
aws ssm describe-instance-information
aws ssm describe-parameters
aws ssm describe-sessions --state [Active|History]
aws ssm describe-instance-patches --instance-id <id>
aws ssm describe-instance-patch-states --instance-ids <id>
aws ssm describe-instance-associations-status --instance-id <id>
```

You can check whether Systems Manager is running on an EC2 instance just by executing:

```bash
ps aux | grep amazon-ssm
```

Privesc

In the following page you can check how to abuse SSM permissions to escalate privileges:

AWS - SSM Privesc

ELB

Elastic Load Balancing (ELB) is a load-balancing service for Amazon Web Services (AWS) deployments. ELB automatically distributes incoming application traffic and scales resources to meet traffic demands.

Enumeration

```bash
# List internet-facing ELBs
aws elb describe-load-balancers
aws elb describe-load-balancers | jq '.LoadBalancerDescriptions[]| select( .Scheme | contains("internet-facing"))|.DNSName'

# DONT FORGET TO CHECK VERSION 2
aws elbv2 describe-load-balancers
aws elbv2 describe-load-balancers | jq '.LoadBalancers[].DNSName'
aws elbv2 describe-listeners --load-balancer-arn <load_balancer_arn>
```

Launch Templates & Autoscaling Groups

Enumeration

```bash
# Launch templates
aws ec2 describe-launch-templates
aws ec2 describe-launch-templates --launch-template-id <launch_template_id>
## Get details, like user data
aws ec2 describe-launch-template-versions --launch-template-id <launch_template_id>

# Autoscaling
aws autoscaling describe-auto-scaling-groups
aws autoscaling describe-auto-scaling-instances
aws autoscaling describe-launch-configurations
aws autoscaling describe-load-balancer-target-groups
aws autoscaling describe-load-balancers
```

Nitro

AWS Nitro is a suite of innovative technologies that form the underlying platform for AWS EC2 instances. Introduced by Amazon to enhance security, performance, and reliability, Nitro leverages custom hardware components and a lightweight hypervisor. It abstracts much of the traditional virtualization functionality to dedicated hardware and software, minimizing the attack surface and improving resource efficiency. By offloading virtualization functions, Nitro allows EC2 instances to deliver near bare-metal performance, making it particularly beneficial for resource-intensive applications. Additionally, the Nitro Security Chip specifically ensures the security of the hardware and firmware, further solidifying its robust architecture.

Get more information and how to enumerate it from:

AWS - Nitro Enum

VPN

A VPN allows you to connect your on-premise network (Site-to-Site VPN) or workers' laptops (Client VPN) with an AWS VPC, so services can be accessed without needing to expose them to the internet.

Basic AWS VPN Components

  1. Customer Gateway:
    • A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection.
    • It is essentially a physical device or software application on your side of the Site-to-Site VPN connection.
    • You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway.
    • It serves as a reference point for setting up the VPN connection and doesn't incur additional charges.
  2. Virtual Private Gateway:
    • A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
    • It is attached to your VPC and serves as the target for your VPN connection.
    • VPG is the AWS side endpoint for the VPN connection.
    • It handles the secure communication between your VPC and your on-premises network.
  3. Site-to-Site VPN Connection:
    • A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel.
    • This type of connection requires a Customer Gateway and a Virtual Private Gateway.
    • It's used for secure, stable, and consistent communication between your data center or network and your AWS environment.
    • Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection.
  4. Client VPN Endpoint:
    • A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions.
    • It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network.
    • It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks.
    • With Client VPN, each client device uses a VPN client software to establish a secure connection.

You can find more information about the benefits and components of AWS VPNs here.

Enumeration

```bash
# VPN endpoints
## Check used subnetwork, authentication, SGs, connected...
aws ec2 describe-client-vpn-endpoints

## Get AWS network info related to the vpn endpoint
aws ec2 describe-client-vpn-target-networks --client-vpn-endpoint-id <id>

## Get AWS subnet & ip range the VPN is connected to
aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id <id>

## Check authorization rules
aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id <id>

## Get current connections to the VPN endpoint
aws ec2 describe-client-vpn-connections --client-vpn-endpoint-id <id>

# Get VPN gateways and check with which VPC each is connected
aws ec2 describe-vpn-gateways

# Get VPN site-to-site connections
aws ec2 describe-vpn-connections
```
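As an added example (not from the original page), the following reviews the `describe-client-vpn-authorization-rules` and `describe-client-vpn-routes` output from above for over-broad access: active rules that grant every authenticated user (`AccessAll`) or any rule whose destination is `0.0.0.0/0`, and a default route that sends all client traffic through the VPC. The sample responses are constructed and their field names are assumed to match the CLI output.

```python
import ipaddress
import json

# Constructed samples modelled on the two CLI responses (not real data; shape assumed).
SAMPLE_AUTH_RULES = json.dumps({"AuthorizationRules": [
    {"ClientVpnEndpointId": "cvpn-endpoint-example", "DestinationCidr": "0.0.0.0/0",
     "AccessAll": True, "Status": {"Code": "active"}},
    {"ClientVpnEndpointId": "cvpn-endpoint-example", "DestinationCidr": "10.0.1.0/24",
     "GroupId": "admins", "AccessAll": False, "Status": {"Code": "active"}},
    {"ClientVpnEndpointId": "cvpn-endpoint-example", "DestinationCidr": "0.0.0.0/0",
     "AccessAll": True, "Status": {"Code": "revoking"}},
]})
SAMPLE_ROUTES = json.dumps({"Routes": [
    {"DestinationCidr": "10.0.0.0/16", "TargetSubnet": "subnet-example1", "Status": {"Code": "active"}},
    {"DestinationCidr": "0.0.0.0/0", "TargetSubnet": "subnet-example1", "Status": {"Code": "active"}},
]})

def _is_active(item):
    return item.get("Status", {}).get("Code") == "active"

def review_client_vpn(auth_rules_json, routes_json):
    """Return a list of (kind, who_or_subnet, cidr) tuples for rules/routes worth reviewing."""
    findings = []
    for rule in json.loads(auth_rules_json)["AuthorizationRules"]:
        if not _is_active(rule):
            continue  # revoked or pending rules do not grant access
        cidr = ipaddress.ip_network(rule["DestinationCidr"])
        # AccessAll=true means every authenticated user, regardless of group, reaches the CIDR.
        who = "all-users" if rule.get("AccessAll") else "group:" + rule.get("GroupId", "?")
        if rule.get("AccessAll") or cidr.prefixlen == 0:
            findings.append(("authorization-rule", who, str(cidr)))
    for route in json.loads(routes_json)["Routes"]:
        # A 0.0.0.0/0 route turns the endpoint into a full tunnel via that subnet.
        if _is_active(route) and ipaddress.ip_network(route["DestinationCidr"]).prefixlen == 0:
            findings.append(("default-route", route["TargetSubnet"], route["DestinationCidr"]))
    return findings

if __name__ == "__main__":
    for kind, subject, cidr in review_client_vpn(SAMPLE_AUTH_RULES, SAMPLE_ROUTES):
        print(f"{kind}: {subject} -> {cidr}")
```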

Local Enumeration

Local Temporary Credentials

When the AWS VPN Client is used to connect to a VPN, the user will usually log in to AWS to get access to the VPN. Then, some AWS credentials are created and stored locally to establish the VPN connection. These credentials are stored in $HOME/.config/AWSVPNClient/TemporaryCredentials/<region>/temporary-credentials.txt and contain an AccessKey, a SecretKey and a Token.

The credentials belong to the user arn:aws:sts::<acc-id>:assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials (TODO: research more about the permissions of these credentials).

ovpn config files

If a VPN connection was established you should search for .ovpn config files on the system. One place where you could find the configurations is $HOME/.config/AWSVPNClient/OpenVpnConfigs

Post Exploitation

AWS - VPN Post Exploitation
