AWS - EC2, EBS, ELB, SSM, VPC & VPN Enumeration
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
VPC & Networking
To learn what a VPC is and what its components are, see:
AWS - VPC & Networking Basic Information
EC2
Amazon EC2 is used to launch virtual servers. It lets you configure security and networking and manage storage. Amazon EC2's flexibility lies in its ability to scale resources up or down to adapt to changing requirements or traffic spikes, which reduces the need for precise traffic forecasting.
Interesting things to enumerate in EC2:
- Virtual machines
- SSH Keys
- User Data
- Existing EC2s/AMIs/Snapshots
- Networking
  - Networks
  - Subnets
  - Public IPs
  - Open ports
  - Integrated connections with other networks outside AWS
Instance Profiles
Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, you need an additional step to assign an AWS role and its associated permissions to an EC2 instance and make them available to the applications running on it.
This extra step is the creation of an instance profile attached to the instance. The instance profile contains the role and can provide the role’s temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application’s API calls to access resources and to limit access to only those resources that the role specifies. Note that only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.
Metadata Endpoint
AWS EC2 metadata is information about an Amazon Elastic Compute Cloud (EC2) instance that is available to the instance at runtime. It provides details such as the instance ID, the availability zone the instance is running in, the IAM role associated with the instance and the instance hostname.
Enumeration
```bash
# Get EC2 instances
aws ec2 describe-instances
aws ec2 describe-instance-status #Get status from running instances

# Get user data from each ec2 instance
for instanceid in $(aws ec2 describe-instances --profile <profile> --region us-west-2 | grep -Eo '"i-[a-zA-Z0-9]+' | tr -d '"'); do
    echo "Instance ID: $instanceid"
    aws ec2 describe-instance-attribute --profile <profile> --region us-west-2 --instance-id "$instanceid" --attribute userData | jq ".UserData.Value" | tr -d '"' | base64 -d
    echo ""
    echo "-------------------"
done

# Instance profiles
aws iam list-instance-profiles
aws iam list-instance-profiles-for-role --role-name <name>

# Get tags
aws ec2 describe-tags

# Get volumes
aws ec2 describe-volume-status
aws ec2 describe-volumes

# Get snapshots
aws ec2 describe-snapshots --owner-ids self

# Scheduled instances
aws ec2 describe-scheduled-instances

# Get custom images
aws ec2 describe-images --owners self

# Get Elastic IPs
aws ec2 describe-addresses

# Get current console output
aws ec2 get-console-output --instance-id [id]

# Get a JPG-format screenshot of a running instance
aws ec2 get-console-screenshot --instance-id [id]

# Get VPN customer gateways
aws ec2 describe-customer-gateways
aws ec2 describe-vpn-gateways
aws ec2 describe-vpn-connections

# List conversion tasks to upload/download VMs
aws ec2 describe-conversion-tasks
aws ec2 describe-import-image-tasks

# Get Bundle Tasks
aws ec2 describe-bundle-tasks

# Get Classic Instances
aws ec2 describe-classic-link-instances

# Get Dedicated Hosts
aws ec2 describe-hosts

# Get SSH Key Pairs
aws ec2 describe-key-pairs

# Get Internet Gateways
aws ec2 describe-internet-gateways

# Get NAT Gateways
aws ec2 describe-nat-gateways

# Get subnetworks
aws ec2 describe-subnets

# Get FW rules
aws ec2 describe-network-acls

# Get security groups
aws ec2 describe-security-groups

# Get interfaces
aws ec2 describe-network-interfaces

# Get route tables
aws ec2 describe-route-tables

# Get VPCs
aws ec2 describe-vpcs
aws ec2 describe-vpc-peering-connections
```
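As an added example (not code from the original page), the following Python audit consumes the JSON that `aws ec2 describe-instances` and `describe-instance-attribute --attribute userData` return and reports, per instance, the public IP, the attached instance profile, whether IMDSv1 is still allowed (HttpTokens not `required`, so the role credentials on the metadata endpoint can be read without a session token) and secret-looking keywords in the decoded user data. The sample JSON and user data are constructed, not real account data.

```python
import base64
import json
import re

# Constructed sample (not real account data): trimmed `aws ec2 describe-instances --output json`
# output, plus the base64 user data `describe-instance-attribute --attribute userData` returns per instance.
DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "PublicIpAddress": "203.0.113.10",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb222",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
]}]})
USER_DATA = {
    "i-0aaa111": base64.b64encode(
        b"#!/bin/bash\nexport DB_PASSWORD=hunter2\nexport AWS_SECRET_ACCESS_KEY=REDACTED\n").decode(),
    "i-0bbb222": base64.b64encode(b"#!/bin/bash\napt-get update -y\n").decode(),
}

# Keywords that usually mark credentials baked into user data scripts.
SECRET_RE = re.compile(r"(?i)(password|secret|token|api[_-]?key|private[_-]?key)")

def decode_user_data(b64):
    """Decode the base64 blob the CLI returns (empty string when the instance has none)."""
    return base64.b64decode(b64).decode("utf-8", "replace") if b64 else ""

def audit_instances(describe_json, user_data_by_id):
    """One finding dict per instance: exposure, attached role and user-data secret hints."""
    findings = []
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            iid = inst["InstanceId"]
            md = inst.get("MetadataOptions", {})
            user_data = decode_user_data(user_data_by_id.get(iid, ""))
            findings.append({
                "instance": iid,
                "public_ip": inst.get("PublicIpAddress"),
                "instance_profile": inst.get("IamInstanceProfile", {}).get("Arn"),
                # With HttpTokens != "required" the role creds are reachable via IMDSv1 (no session token).
                "imdsv1_allowed": md.get("HttpEndpoint") == "enabled" and md.get("HttpTokens") != "required",
                "user_data_secrets": sorted({m.group(1).lower() for m in SECRET_RE.finditer(user_data)}),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_instances(DESCRIBE_INSTANCES, USER_DATA):
        print(finding)
```

To run it against a real account, feed it `aws ec2 describe-instances --output json` and the per-instance user data collected by the loop above.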
Unauthenticated Access
AWS - EC2 Unauthenticated Enum
Privesc
In the following page you can check how to abuse EC2 permissions to escalate privileges:
Post-Exploitation
AWS - EC2, EBS, SSM & VPC Post Exploitation
EBS
Amazon EBS (Elastic Block Store) snapshots are essentially static backups of AWS EBS volumes. In other words, they are copies of the disks attached to an EC2 instance at a specific point in time. EBS snapshots can be copied across regions and accounts, and even downloaded and run locally.
Snapshots can contain sensitive information such as source code or API keys, so it is recommended to check them if you have the chance.
Differences between AMI and EBS
An AMI is used to launch an EC2 instance, while an EC2 snapshot is used to back up and recover data stored on an EBS volume. While an EC2 snapshot can be used to create a new AMI, it is not an AMI by itself and does not contain the information about the operating system, application server or other software needed to run an application.
Privesc
In the following page you can check how to abuse EBS permissions to escalate privileges:
SSM
Amazon Simple Systems Manager (SSM) allows remote management of fleets of EC2 instances to make their administration much easier. Each instance needs to run the SSM Agent service, since it is the service that receives the actions from the AWS API and executes them.
The SSM Agent makes it possible for Systems Manager to update, manage and configure these resources. The agent processes requests from the Systems Manager service in the AWS Cloud and then runs them as specified in the request.
The SSM Agent comes preinstalled in some AMIs; otherwise you need to install it manually on the instances. Also, the IAM role used inside the instance needs to have the policy AmazonEC2RoleforSSM attached to be able to communicate.
Enumeration
```bash
aws ssm describe-instance-information
aws ssm describe-parameters
aws ssm describe-sessions --state [Active|History]
aws ssm describe-instance-patches --instance-id <id>
aws ssm describe-instance-patch-states --instance-ids <id>
aws ssm describe-instance-associations-status --instance-id <id>
```
You can check inside an EC2 instance whether Systems Manager is running just by executing:
```bash
ps aux | grep amazon-ssm
```
Privesc
In the following page you can check how to abuse SSM permissions to escalate privileges:
Persistence
In the following page you can check how to abuse SSM permissions to achieve persistence:
ELB
Elastic Load Balancing (ELB) is the load-balancing service for Amazon Web Services (AWS) deployments. ELB automatically distributes incoming application traffic and scales resources to meet traffic demands.
Enumeration
```bash
# List internet-facing ELBs
aws elb describe-load-balancers
aws elb describe-load-balancers | jq '.LoadBalancerDescriptions[]| select( .Scheme | contains("internet-facing"))|.DNSName'

# DONT FORGET TO CHECK VERSION 2
aws elbv2 describe-load-balancers
aws elbv2 describe-load-balancers | jq '.LoadBalancers[].DNSName'
aws elbv2 describe-listeners --load-balancer-arn <load_balancer_arn>
```
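Extending the internet-facing filter above, as an added example that is not the page's own code: this Python snippet joins `aws elbv2 describe-load-balancers` output with the `describe-listeners` output of each load balancer and lists the listeners on internet-facing load balancers that accept cleartext traffic (HTTP/TCP/UDP without TLS termination), ignoring HTTP listeners whose only default action is a redirect to HTTPS. The ARNs, DNS names and listener JSON are constructed samples.

```python
import json

# Constructed sample (not real account data): trimmed `aws elbv2 describe-load-balancers`
# output plus the `aws elbv2 describe-listeners --load-balancer-arn <arn>` output per LB.
WEB_ARN = "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/public-web/abc123"
API_ARN = "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/net/internal-api/def456"
LOAD_BALANCERS = json.dumps({"LoadBalancers": [
    {"LoadBalancerArn": WEB_ARN, "DNSName": "public-web-1.us-west-2.elb.amazonaws.com",
     "Scheme": "internet-facing", "Type": "application"},
    {"LoadBalancerArn": API_ARN, "DNSName": "internal-api-2.elb.us-west-2.amazonaws.com",
     "Scheme": "internal", "Type": "network"},
]})
LISTENERS = {
    WEB_ARN: json.dumps({"Listeners": [
        {"Protocol": "HTTP", "Port": 80, "DefaultActions": [
            {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
        {"Protocol": "HTTPS", "Port": 443, "DefaultActions": [{"Type": "forward"}]},
        {"Protocol": "HTTP", "Port": 8080, "DefaultActions": [{"Type": "forward"}]},
    ]}),
    API_ARN: json.dumps({"Listeners": [
        {"Protocol": "TCP", "Port": 5432, "DefaultActions": [{"Type": "forward"}]},
    ]}),
}

CLEARTEXT = {"HTTP", "TCP", "UDP", "TCP_UDP"}  # listener protocols without TLS termination

def accepts_cleartext(listener):
    """True if the listener serves cleartext, unless its only default actions redirect to HTTPS."""
    if listener["Protocol"] not in CLEARTEXT:
        return False
    actions = listener.get("DefaultActions", [])
    only_redirects = bool(actions) and all(
        a.get("Type") == "redirect" and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for a in actions)
    return not only_redirects

def exposed_cleartext_listeners(lbs_json, listeners_by_arn):
    """(dns_name, protocol, port) for each cleartext listener on an internet-facing LB; internal LBs skipped."""
    exposed = []
    for lb in json.loads(lbs_json)["LoadBalancers"]:
        if lb.get("Scheme") != "internet-facing":
            continue
        raw = listeners_by_arn.get(lb["LoadBalancerArn"], '{"Listeners": []}')
        for listener in json.loads(raw)["Listeners"]:
            if accepts_cleartext(listener):
                exposed.append((lb["DNSName"], listener["Protocol"], listener["Port"]))
    return exposed

if __name__ == "__main__":
    for dns, proto, port in exposed_cleartext_listeners(LOAD_BALANCERS, LISTENERS):
        print(f"{dns} accepts cleartext {proto} on port {port}")
```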
Launch Templates & Autoscaling Groups
Enumeration
```bash
# Launch templates
aws ec2 describe-launch-templates
aws ec2 describe-launch-templates --launch-template-id <launch_template_id>
## Get details, like user data
aws ec2 describe-launch-template-versions --launch-template-id <launch_template_id>

# Autoscaling
aws autoscaling describe-auto-scaling-groups
aws autoscaling describe-auto-scaling-instances
aws autoscaling describe-launch-configurations
aws autoscaling describe-load-balancer-target-groups
aws autoscaling describe-load-balancers
```
Nitro
AWS Nitro is a suite of innovative technologies that form the underlying platform for AWS EC2 instances. Introduced by Amazon to enhance security, performance and reliability, Nitro uses custom hardware components and a lightweight hypervisor. It offloads much of the traditional virtualization functionality to dedicated hardware and software, minimizing the attack surface and improving resource efficiency. By offloading virtualization functions, Nitro lets EC2 instances deliver near bare-metal performance, which is particularly beneficial for resource-intensive applications. Additionally, the Nitro Security Chip specifically ensures the security of the hardware and firmware, further solidifying its robust architecture.
Get more information and how to enumerate it from:
VPN
A VPN allows you to connect your on-premises network (Site-to-Site VPN) or your workers' laptops (Client VPN) with an AWS VPC, so services can be accessed without exposing them to the internet.
Basic AWS VPN Components
- Customer Gateway:
  - A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection.
  - It is essentially a physical device or software application on your side of the Site-to-Site VPN connection.
  - You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway.
  - It serves as a reference point for setting up the VPN connection and doesn't incur additional charges.
- Virtual Private Gateway:
  - A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
  - It is attached to your VPC and serves as the target for your VPN connection.
  - VPG is the AWS-side endpoint for the VPN connection.
  - It handles the secure communication between your VPC and your on-premises network.
- Site-to-Site VPN Connection:
  - A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure IPsec VPN tunnel.
  - This type of connection requires a Customer Gateway and a Virtual Private Gateway.
  - It's used for secure, stable and consistent communication between your data center or network and your AWS environment.
  - Typically used for regular, long-term connections and billed based on the amount of data transferred over the connection.
- Client VPN Endpoint:
  - A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions.
  - It is used to allow individual devices (laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network.
  - It differs from Site-to-Site VPN in that it is designed for individual clients rather than for connecting entire networks.
  - With Client VPN, each client device uses VPN client software to establish a secure connection.
You can find more information about the benefits and components of AWS VPN here.
Enumeration
```bash
# VPN endpoints
## Check used subnetwork, authentication, SGs, connected...
aws ec2 describe-client-vpn-endpoints
## Get AWS network info related to the vpn endpoint
aws ec2 describe-client-vpn-target-networks --client-vpn-endpoint-id <id>
## Get AWS subnet & ip range the VPN is connected to
aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id <id>
## Check authorization rules
aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id <id>
## Get current connections to the VPN endpoint
aws ec2 describe-client-vpn-connections --client-vpn-endpoint-id <id>

# Get VPN gateways and check with which VPC each is connected
aws ec2 describe-vpn-gateways

# Get VPN site-to-site connections
aws ec2 describe-vpn-connections
```
Local Enumeration
Local temporary credentials
When the AWS VPN Client is used to connect to a VPN, the user will usually log in to AWS to get access to the VPN. Afterwards, some AWS credentials are created and stored locally to establish the VPN connection. These credentials are stored in $HOME/.config/AWSVPNClient/TemporaryCredentials/<region>/temporary-credentials.txt and contain an AccessKey, a SecretKey and a Token.
These credentials belong to the user arn:aws:sts::<acc-id>:assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials (TODO: research more about the permissions of these credentials).
ovpn config files
If a VPN connection has already been established, you should search the system for .ovpn configuration files. Moreover, these configs can be found in $HOME/.config/AWSVPNClient/OpenVpnConfigs.
Post Exploitation