AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

VPC & Networking

Learn what a VPC is and about its components in:

AWS - VPC & Networking Basic Information

EC2

Amazon EC2 is used to launch virtual servers. It allows security and networking configuration, as well as storage management. Amazon EC2's flexibility shows in its ability to scale resources up or down, adapting to changes in demand or spikes in popularity. This feature reduces the need to forecast traffic accurately.

Interesting things to enumerate in EC2:

  • Virtual machines
  • SSH Keys
  • User Data
  • Existing EC2s/AMIs/Snapshots
  • Network configuration (Networking)
  • Networks
  • Subnetworks
  • Public IPs
  • Open ports
  • Connections to other networks outside AWS

Instance Profiles

Using roles to grant permissions to applications running on EC2 instances requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system, which isolates the application from AWS. Because of this extra separation, you need an additional step to assign an AWS role and its permissions to an EC2 instance and make them available to its applications.

The extra step is creating an instance profile attached to the instance. The instance profile contains the role and can provide the role's temporary credentials to an application running on the instance. Those temporary credentials can then be used in the application's API calls to access resources, and they limit access to only the resources that the role specifies. Note that only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.

Metadata Endpoint

AWS EC2 metadata is information about an Amazon Elastic Compute Cloud (EC2) instance that is made available to the instance at runtime. This metadata is used to provide information about the instance, such as its instance ID, the availability zone it is running in, the IAM role associated with the instance, and the instance's hostname.

Cloud SSRF - HackTricks

Enumeration

# Get EC2 instances
aws ec2 describe-instances
aws ec2 describe-instance-status #Get status from running instances

# Get user data from each ec2 instance
for instanceid in $(aws ec2 describe-instances --profile <profile> --region us-west-2 | grep -Eo '"i-[a-zA-Z0-9]+' | tr -d '"'); do
echo "Instance ID: $instanceid"
aws ec2 describe-instance-attribute --profile <profile> --region us-west-2 --instance-id "$instanceid" --attribute userData | jq ".UserData.Value" | tr -d '"' | base64 -d
echo ""
echo "-------------------"
done

# Instance profiles
aws iam list-instance-profiles
aws iam list-instance-profiles-for-role --role-name <name>

# Get tags
aws ec2 describe-tags

# Get volumes
aws ec2 describe-volume-status
aws ec2 describe-volumes

# Get snapshots
aws ec2 describe-snapshots --owner-ids self

# Scheduled instances
aws ec2 describe-scheduled-instances

# Get custom images
aws ec2 describe-images --owners self

# Get Elastic IPs
aws ec2 describe-addresses

# Get current output
aws ec2 get-console-output --instance-id [id]

# Get a JPG-format screenshot of a running instance
aws ec2 get-console-screenshot --instance-id [id]

# Get VPN customer gateways
aws ec2 describe-customer-gateways
aws ec2 describe-vpn-gateways
aws ec2 describe-vpn-connections

# List conversion tasks to upload/download VMs
aws ec2 describe-conversion-tasks
aws ec2 describe-import-image-tasks

# Get Bundle Tasks
aws ec2 describe-bundle-tasks

# Get Classic Instances
aws ec2 describe-classic-link-instances

# Get Dedicated Hosts
aws ec2 describe-hosts

# Get SSH Key Pairs
aws ec2 describe-key-pairs

# Get Internet Gateways
aws ec2 describe-internet-gateways

# Get NAT Gateways
aws ec2 describe-nat-gateways

# Get subnetworks
aws ec2 describe-subnets

# Get FW rules
aws ec2 describe-network-acls

# Get security groups
aws ec2 describe-security-groups

# Get interfaces
aws ec2 describe-network-interfaces

# Get routes table
aws ec2 describe-route-tables

# Get VPCs
aws ec2 describe-vpcs
aws ec2 describe-vpc-peering-connections
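The user data loop above decodes each instance's launch script by hand; as an added example (not code from the original page), the following Python does the same decoding on one describe-instance-attribute document and audits it for credentials that should have come from the instance profile instead. The sample document, its script and the instance ID are constructed; the key pair is the placeholder pair from the AWS documentation.

```python
import base64
import json
import re

# Constructed sample in the shape returned by
#   aws ec2 describe-instance-attribute --attribute userData --instance-id <id>
# The decoded script is invented for this example; the key pair is the
# placeholder pair from the AWS documentation, not a real credential.
SAMPLE_SCRIPT = b"""#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 sync s3://app-config /etc/app
"""
SAMPLE_ATTRIBUTE_OUTPUT = json.dumps({
    "InstanceId": "i-0123456789abcdef0",
    "UserData": {"Value": base64.b64encode(SAMPLE_SCRIPT).decode()},
})

# Findings worth flagging: an instance should obtain credentials from its
# instance profile, never from a script baked into the launch configuration.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def decode_user_data(attribute_json: str) -> str:
    """Return the decoded user data script, or '' when the instance has none."""
    doc = json.loads(attribute_json)
    value = (doc.get("UserData") or {}).get("Value")
    if not value:
        return ""
    return base64.b64decode(value).decode("utf-8", errors="replace")

def find_secrets(user_data: str) -> dict:
    """Map each pattern name to the matches it produced in the user data."""
    findings = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(user_data)
        if hits:
            findings[name] = hits
    return findings

def audit_instance(attribute_json: str) -> dict:
    """Audit one describe-instance-attribute document for embedded secrets."""
    instance_id = json.loads(attribute_json)["InstanceId"]
    return {"InstanceId": instance_id,
            "findings": find_secrets(decode_user_data(attribute_json))}
```

Feed it the JSON that the describe-instance-attribute call in the loop prints, and treat any access key hit as a credential to rotate.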

Unauthenticated Access

AWS - EC2 Unauthenticated Enum

Privesc

In the following page you can see how to abuse EC2 permissions to escalate privileges:

AWS - EC2 Privesc

Post-Exploitation

AWS - EC2, EBS, SSM & VPC Post Exploitation

EBS

Amazon EBS (Elastic Block Store) snapshots are basically persistent backups of AWS EBS volumes. In other words, they are copies of the disks attached to an EC2 instance at a specific point in time. EBS snapshots can be copied across regions and accounts, or even downloaded and run locally.

Snapshots can contain sensitive information such as source code or API keys, so if you get the chance, it's recommended to check them.

Difference between AMI & EBS

An AMI is used to launch an EC2 instance, while an EC2 Snapshot is used to back up and recover data stored on an EBS volume. Although an EC2 Snapshot can be used to create a new AMI, it is not the same thing as an AMI and does not include information about the operating system, application server, or other software required to run an application.

Privesc

In the following page you can see how to abuse EBS permissions to escalate privileges:

AWS - EBS Privesc

SSM

Amazon Simple Systems Manager (SSM) allows remotely managing fleets of EC2 instances to make their administration much easier. Each of these instances needs to be running the SSM Agent service, as that service is what receives the actions from the AWS API and executes them.

SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources. The agent processes requests from the Systems Manager service in the AWS Cloud and then runs them as specified in the request.

SSM Agent comes preinstalled in some AMIs, or you need to install it manually on the instances. Also, the IAM Role used inside the instance needs to have the AmazonEC2RoleforSSM policy attached so it can communicate.

Enumeration

aws ssm describe-instance-information
aws ssm describe-parameters
aws ssm describe-sessions --state [Active|History]
aws ssm describe-instance-patches --instance-id <id>
aws ssm describe-instance-patch-states --instance-ids <id>
aws ssm describe-instance-associations-status --instance-id <id>

You can check on an EC2 instance whether Systems Manager is running by simply executing:

ps aux | grep amazon-ssm

Privesc

In the following page you can see how to abuse SSM permissions to escalate privileges:

AWS - SSM Privesc

Persistence

In the following page you can see how to abuse SSM permissions to achieve persistence:

AWS - SSM Persistence

ELB

Elastic Load Balancing (ELB) is a load-balancing service for Amazon Web Services (AWS) deployments. ELB automatically distributes incoming application traffic and scales resources up or down to meet traffic demands.

# List internet-facing ELBs
aws elb describe-load-balancers
aws elb describe-load-balancers | jq '.LoadBalancerDescriptions[]| select( .Scheme | contains("internet-facing"))|.DNSName'

# DONT FORGET TO CHECK VERSION 2
aws elbv2 describe-load-balancers
aws elbv2 describe-load-balancers | jq '.LoadBalancers[].DNSName'
aws elbv2 describe-listeners --load-balancer-arn <load_balancer_arn>

Launch Templates & Autoscaling Groups

Enumeration

# Launch templates
aws ec2 describe-launch-templates
aws ec2 describe-launch-templates --launch-template-id <launch_template_id>
## Get details, like user data
aws ec2 describe-launch-template-versions --launch-template-id <launch_template_id>

# Autoscaling
aws autoscaling describe-auto-scaling-groups
aws autoscaling describe-auto-scaling-instances
aws autoscaling describe-launch-configurations
aws autoscaling describe-load-balancer-target-groups
aws autoscaling describe-load-balancers

Nitro

AWS Nitro is a collection of innovative technologies that form the underlying platform for AWS EC2 instances. Introduced by Amazon to enhance security, performance, and reliability, Nitro uses custom hardware components and a lightweight hypervisor. It offloads much of the traditional virtualization functionality to dedicated hardware and software, reducing the attack surface and improving resource efficiency. By offloading virtualization functions, Nitro allows EC2 instances to deliver near bare-metal performance, which is particularly beneficial for resource-intensive applications. Additionally, the Nitro Security Chip specifically ensures the security of the hardware and firmware, further solidifying its robust architecture.

Get more information and how to enumerate it from:

AWS - Nitro Enum

VPN

A VPN allows connecting your on-premise network (Site-to-Site VPN) or your workers' devices (Client VPN) to an AWS VPC so that services can be accessed without needing to expose them to the internet.

Basic AWS VPN Components

  1. Customer Gateway:
  • A Customer Gateway is a resource you create in AWS to represent your side of a VPN connection.
  • It is essentially a physical or software device on your side of the Site-to-Site VPN connection.
  • You provide routing information and the public IP address of your network device (such as a router or firewall) to AWS to create a Customer Gateway.
  • It serves as a reference point for setting up the VPN connection and does not incur additional charges.
  2. Virtual Private Gateway:
  • A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
  • It is attached to your VPC and serves as the target for your VPN connection.
  • The VPG is the AWS-side endpoint for the VPN connection.
  • It manages secure communication between your VPC and your on-premises network.
  3. Site-to-Site VPN Connection:
  • A Site-to-Site VPN connection connects your on-premises network to a VPC over a secure IPsec VPN tunnel.
  • This type of connection requires a Customer Gateway and a Virtual Private Gateway.
  • It is used for secure, stable, and consistent communication between your data center or network and your AWS environment.
  • It is typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection.
  4. Client VPN Endpoint:
  • A Client VPN endpoint is a resource you create in AWS to enable and manage Client VPN sessions.
  • It is used to allow individual devices (such as laptops, phones, etc.) to connect securely to AWS resources or to your on-premises network.
  • It differs from Site-to-Site VPN in that it is designed for individual clients rather than for connecting entire networks.
  • With Client VPN, each client device uses a VPN client application to establish the secure connection.

You can find more information about the benefits and components of AWS VPNs here.

Enumeration

# VPN endpoints
## Check used subnetwork, authentication, SGs, connected...
aws ec2 describe-client-vpn-endpoints

## Get AWS network info related to the vpn endpoint
aws ec2 describe-client-vpn-target-networks --client-vpn-endpoint-id <id>

## Get AWS subnet & ip range the VPN is connected to
aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id <id>

## Check authorization rules
aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id <id>

## Get current connections to the VPN endpoint
aws ec2 describe-client-vpn-connections --client-vpn-endpoint-id <id>

# Get VPN gateways and check with which VPC each is connected
aws ec2 describe-vpn-gateways

# Get VPN site-to-site connections
aws ec2 describe-vpn-connections
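The authorization rules returned by describe-client-vpn-authorization-rules decide which destinations each VPN user can reach, and a rule with AccessAll set to true against a wide destination undoes the segmentation the VPN was meant to provide. As an added example (not code from the original page), this Python rates the active rules from one such document; the endpoint ID, group ID, descriptions and the /16 "broad" threshold are all constructed assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape returned by
#   aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id <id>
# Endpoint id, group id and descriptions are invented placeholders.
SAMPLE_AUTH_RULES = json.dumps({"AuthorizationRules": [
    {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE", "Description": "app subnet, ops only",
     "GroupId": "ops-group", "AccessAll": False, "DestinationCidr": "10.0.1.0/24",
     "Status": {"Code": "active"}},
    {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE", "Description": "every client, everywhere",
     "AccessAll": True, "DestinationCidr": "0.0.0.0/0",
     "Status": {"Code": "active"}},
    {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE", "Description": "old rule, being removed",
     "AccessAll": True, "DestinationCidr": "10.0.0.0/8",
     "Status": {"Code": "revoking"}},
]})

# Threshold assumed for this example: a destination of /16 or wider counts as broad.
BROAD_PREFIX = 16

def rule_risk(rule: dict) -> str:
    """Rate one rule by who it admits (all clients vs. one group) and how far it reaches."""
    net = ipaddress.ip_network(rule["DestinationCidr"], strict=False)
    all_clients = bool(rule.get("AccessAll", False))
    broad = net.prefixlen <= BROAD_PREFIX
    if all_clients and broad:
        return "high"      # any authenticated VPN user reaches a wide range
    if all_clients or broad:
        return "medium"    # wide range limited to a group, or narrow range open to all
    return "low"

def audit_authorization_rules(output_json: str) -> list:
    """Return (destination, group, risk) for each active rule, highest risk first."""
    rows = []
    for rule in json.loads(output_json)["AuthorizationRules"]:
        if rule.get("Status", {}).get("Code") != "active":
            continue  # rules being revoked or that failed grant nothing right now
        group = "ALL" if rule.get("AccessAll") else rule.get("GroupId", "?")
        rows.append((rule["DestinationCidr"], group, rule_risk(rule)))
    order = {"high": 0, "medium": 1, "low": 2}
    rows.sort(key=lambda row: order[row[2]])
    return rows
```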

Local Enumeration

Local Temporary Credentials

When you use the AWS VPN Client to connect to a VPN, the user will usually log in to AWS to get access to the VPN. Then, some AWS credentials are created and stored locally to establish the VPN connection. These credentials are stored in $HOME/.config/AWSVPNClient/TemporaryCredentials/<region>/temporary-credentials.txt and contain an AccessKey, SecretKey and Token.

These credentials belong to the user arn:aws:sts::<acc-id>:assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials (TODO: research more about the permissions of these credentials).

ovpn config files

If a VPN connection was established, you should search for .ovpn config files on the system. Moreover, one place where you can find the configurations is $HOME/.config/AWSVPNClient/OpenVpnConfigs

Post Exploitation

AWS - VPN Post Exploitation
