AWS - S3 Unauthenticated Enum
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
S3 Public Buckets
A bucket is considered "public" if any user can list the contents of the bucket, and "private" if the bucket's contents can only be listed or written by certain users.
Companies might have bucket permissions misconfigured giving access either to everything or to everyone authenticated in AWS in any account (so to anyone). Note that even with such misconfigurations some actions might still not be possible, as buckets might have their own access control lists (ACLs).
Learn about AWS-S3 misconfigurations here: http://flaws.cloud and http://flaws2.cloud/
Finding AWS Buckets
Different ways to find out that a web page is using AWS to store some resources:
Enumeration & OSINT:
- Using the wappalyzer browser plugin
- Using burp (spidering the web) or by manually navigating through the page, all the resources loaded will be saved in the History.
- Check for resources in domains like:
http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/
- Check for CNAMES, as resources.domain.com might have the CNAME bucket.s3.amazonaws.com
- s3dns – A lightweight DNS server that passively identifies cloud storage buckets (S3, GCP, Azure) by analyzing DNS traffic. It detects CNAMEs, follows resolution chains, and matches bucket patterns, offering a quiet alternative to brute-force or API-based discovery. Ideal for recon and OSINT workflows.
- Check https://buckets.grayhatwarfare.com, a web with already discovered open buckets.
- The bucket name and the bucket domain name need to be the same.
- flaws.cloud is at IP 52.92.181.107 and visiting it redirects you to https://aws.amazon.com/s3/. Also, dig -x 52.92.181.107 gives s3-website-us-west-2.amazonaws.com. To check that it is a bucket you can also visit https://flaws.cloud.s3.amazonaws.com/.
Brute-Force
You can find buckets by brute-forcing names related to the company you are pentesting:
- https://github.com/sa7mon/S3Scanner
- https://github.com/clario-tech/s3-inspector
- https://github.com/jordanpotti/AWSBucketDump (Contains a list with potential bucket names)
- https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets
- https://github.com/smaranchand/bucky
- https://github.com/tomdev/teh_s3_bucketeers
- https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3
- https://github.com/Eilonh/s3crets_scanner
- https://github.com/belane/CloudHunter
```bash
# Generate a wordlist to create permutations
curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
curl -s https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt >> /tmp/words-s3.txt.temp
cat /tmp/words-s3.txt.temp | sort -u > /tmp/words-s3.txt

# Generate a wordlist based on the domains and subdomains to test
## Write those domains and subdomains in subdomains.txt
cat subdomains.txt > /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "-" >> /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "\n" | sort -u >> /tmp/words-hosts-s3.txt

# Create permutations based on the list with the domains and subdomains to attack
goaltdns -l /tmp/words-hosts-s3.txt -w /tmp/words-s3.txt -o /tmp/final-words-s3.txt.temp
## The previous tool is specialized in creating permutations for subdomains, let's filter that list
### Remove lines ending with "."
cat /tmp/final-words-s3.txt.temp | grep -Ev "\.$" > /tmp/final-words-s3.txt.temp2
### Create list without TLD
cat /tmp/final-words-s3.txt.temp2 | sed -E 's/\.[a-zA-Z0-9]+$//' > /tmp/final-words-s3.txt.temp3
### Create list without dots
cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4
### Create list with dots replaced by hyphens
cat /tmp/final-words-s3.txt.temp3 | tr "." "-" > /tmp/final-words-s3.txt.temp5

## Generate the final wordlist (drop entries with "-." sequences, lowercase, dedupe)
cat /tmp/final-words-s3.txt.temp2 /tmp/final-words-s3.txt.temp3 /tmp/final-words-s3.txt.temp4 /tmp/final-words-s3.txt.temp5 | grep -v -- "-\." | awk '{print tolower($0)}' | sort -u > /tmp/final-words-s3.txt

## Call s3scanner
s3scanner --threads 100 scan --buckets-file /tmp/final-words-s3.txt | grep bucket_exists
```
Loot S3 Buckets
Given open S3 buckets, BucketLoot can automatically search for interesting information.
Find the Region
You can find all the regions supported by AWS at https://docs.aws.amazon.com/general/latest/gr/s3.html
By DNS
You can get the region of a bucket with dig and nslookup by doing a DNS request of the discovered IP:
```
dig flaws.cloud
;; ANSWER SECTION:
flaws.cloud. 5 IN A 52.218.192.11

nslookup 52.218.192.11
Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
```
Check that the resolved domain has the word "website".
You can access the static website going to: flaws.cloud.s3-website-us-west-2.amazonaws.com
or you can access the bucket visiting: flaws.cloud.s3-us-west-2.amazonaws.com
By Trying
If you try to access a bucket but in the domain name you specify another region (for example the bucket is in bucket.s3.amazonaws.com but you try to access bucket.s3-website-us-west-2.amazonaws.com), then the response will point you to the correct location.
Enumerating the bucket
To test the openness of a bucket a user can just enter the URL in their web browser. A private bucket will respond with "Access Denied". A public bucket will list the first 1,000 objects that have been stored.
Open to everyone:
Private:
You can also check this with the cli:
```bash
# Use --no-sign-request to check "Everyone" permissions
# Use --profile <PROFILE_NAME> to indicate the AWS profile (keys) that you want to use: check for "Any Authenticated AWS User" permissions
# --recursive if you want to list recursively
# Optionally you can select the region if you know it
aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile <PROFILE_NAME>] [--recursive] [--region us-west-2]
```
If the bucket doesn't have a domain name, when trying to enumerate it, only put the bucket name and not the whole AWS S3 domain. Example: s3://<BUCKETNAME>
Public URL template
https://{user_provided}.s3.amazonaws.com
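As an added example (not code from the page or from any of the tools it lists), the following parser does what the browser and "aws s3 ls" checks above do by hand: it classifies the XML body S3 returns for an unsigned GET on a bucket URL into public (with the first page of keys and whether it was truncated at the 1,000-object limit), private (AccessDenied), missing (NoSuchBucket) or wrong region (PermanentRedirect, as in the "By Trying" section), and it extracts the region from endpoint names like the s3-website-us-west-2 PTR answer in the "By DNS" section. The sample responses are constructed and shortened; the x-amz-bucket-region header is the one S3 sends on redirects.

```python
import re
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
REGION_RE = re.compile(r"s3(?:-website)?[.-]([a-z]{2}-[a-z]+-\d)\.amazonaws\.com$")

def region_from_hostname(host):
    """Region from an S3 REST/website endpoint name, e.g.
    s3-website-us-west-2.amazonaws.com (PTR answer) or bucket.s3.eu-central-1.amazonaws.com.
    The legacy global name bucket.s3.amazonaws.com carries no region -> None."""
    m = REGION_RE.search(host.rstrip("."))
    return m.group(1) if m else None

def classify_s3_probe(body, headers=None):
    """Classify the XML body of an unsigned GET on https://<bucket>.s3.amazonaws.com/.
    public: listing returned (keys = first page; truncated = more than the 1,000
    objects S3 returns per page). private: AccessDenied, bucket exists but is not
    listable. missing: NoSuchBucket. wrong-region: PermanentRedirect with the real endpoint."""
    headers = headers or {}
    root = ET.fromstring(body)
    if root.tag == S3_NS + "ListBucketResult":
        keys = [k.text for k in root.iter(S3_NS + "Key")]
        truncated = root.findtext(S3_NS + "IsTruncated") == "true"
        return {"state": "public", "keys": keys, "truncated": truncated}
    if root.tag == "Error":  # S3 error documents carry no namespace
        code = root.findtext("Code")
        if code == "AccessDenied":
            return {"state": "private"}
        if code == "NoSuchBucket":
            return {"state": "missing"}
        if code == "PermanentRedirect":
            endpoint = root.findtext("Endpoint") or ""
            region = headers.get("x-amz-bucket-region") or region_from_hostname(endpoint)
            return {"state": "wrong-region", "endpoint": endpoint, "region": region}
        return {"state": "error", "code": code}
    return {"state": "unknown"}

# Constructed sample responses (RequestId/HostId elements omitted for brevity).
PUBLIC_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>example-bucket</Name>
<IsTruncated>true</IsTruncated><Contents><Key>index.html</Key></Contents>
<Contents><Key>assets/logo.png</Key></Contents></ListBucketResult>"""
ACCESS_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
NO_SUCH_BUCKET = "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"
REDIRECT = ("<Error><Code>PermanentRedirect</Code><Endpoint>example-bucket.s3-us-west-2.amazonaws.com"
            "</Endpoint><Bucket>example-bucket</Bucket></Error>")
```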
Get the Account ID from a public bucket
It's possible to determine an AWS account by taking advantage of the S3:ResourceAccount policy condition key. This condition restricts access based on which account the S3 bucket is in (other account-based policies restrict based on the account the requesting principal is in).
And because the policy can contain wildcards, it's possible to find the account number one digit at a time.
This tool automates the process:
```bash
# Installation
pipx install s3-account-search
pip install s3-account-search
# With a bucket
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket
# With an object
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext
```
This technique also works with API Gateway URLs, Lambda URLs, Data Exchange data sets and even to get the value of tags (if you know the tag key). You can find more information in the original research and the tool conditional-love to automate this exploitation.
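To see why the condition key gives away the owner's account one digit at a time (and why an account ID should be treated as discoverable rather than as a secret), here is a local simulation added for this page; it is not code from the page or from s3-account-search. It evaluates a StringLike condition on s3:ResourceAccount the way IAM does (* and ? wildcards) and never contacts AWS: the "oracle" is the local evaluator, the policy document and the owner account 123456789012 (the sample account in the ARN above) are constructed.

```python
import fnmatch

def iam_string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' one."""
    return fnmatch.fnmatchcase(value, pattern)

def session_policy(account_pattern):
    """Constructed session policy: S3 read access only to buckets whose owning
    account matches account_pattern through the s3:ResourceAccount condition key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*",
        "Condition": {"StringLike": {"s3:ResourceAccount": account_pattern}}}]}

def policy_allows(policy, bucket_owner_account):
    """Simulated evaluation: an Allow statement applies only if its
    s3:ResourceAccount pattern matches the account that owns the bucket."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        patterns = cond.get("s3:ResourceAccount", "*")
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(iam_string_like(p, bucket_owner_account) for p in patterns):
            return True
    return False

def recover_account_id(oracle, length=12):
    """Why it leaks one digit at a time: each probe asks whether the pattern
    '<known prefix><candidate digit>*' still allows access, so at most 10 probes
    fix one digit and at most 10 * length probes fix the whole account ID."""
    prefix, probes = "", 0
    while len(prefix) < length:
        for digit in "0123456789":
            probes += 1
            if oracle(prefix + digit + "*"):
                prefix += digit
                break
        else:
            raise RuntimeError("no digit matched the known prefix")
    return prefix, probes

# Constructed: the bucket owner is the sample account from the ARN above, and the
# oracle is the local evaluator instead of a real assumed-role S3 request.
OWNER_ACCOUNT = "123456789012"
def local_oracle(pattern):
    return policy_allows(session_policy(pattern), OWNER_ACCOUNT)
```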
Confirming that a bucket belongs to an AWS account
As explained in this blog post, if you have permissions to list a bucket it's possible to confirm the accountID the bucket belongs to by sending a request like:
```bash
curl -X GET "https://[bucketname].s3.amazonaws.com/" \
-H "x-amz-expected-bucket-owner: [correct-account-id]"

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">...</ListBucketResult>
```
If the error is "Access Denied" it means that the account ID was wrong.
Using an email as root account identifier
As explained in this blog post, it's possible to check if an email address is related to any AWS account by trying to grant permissions to that email over an S3 bucket via ACLs. If this doesn't trigger an error, it means that the email is the root user of some AWS account:
```python
import boto3
from botocore.exceptions import ClientError

s3_client = boto3.client("s3")
bucket_name = "<YOUR_BUCKET>"  # a bucket you own, with ACLs enabled

try:
    s3_client.put_bucket_acl(
        Bucket=bucket_name,
        AccessControlPolicy={
            'Grants': [
                {
                    'Grantee': {
                        'EmailAddress': 'some@emailtotest.com',
                        'Type': 'AmazonCustomerByEmail',
                    },
                    'Permission': 'READ'
                },
            ],
            # Owner must be the canonical user ID of the account that owns the bucket
            'Owner': {
                'DisplayName': 'Whatever',
                'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef'
            }
        }
    )
    print("No error: the email is the root user of some AWS account")
except ClientError as e:
    # UnresolvableGrantByEmailAddress: no AWS account is registered with that email
    print("Error:", e.response["Error"]["Code"])
```
References
- https://www.youtube.com/watch?v=8ZXRw4Ry3mQ
- https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/