RDS - Relational Database Service

RDS exploitation

Amazon RDS - Relational Database Service

AWS Relational Database Service (RDS) is an easy-to-manage relational database service.

Amazon RDS supports several database instances including:

Amazon Aurora (port 3306)
PostgreSQL (5432)
MySQL (port 3306)
MariaDB (port 3306)
Oracle Database (port 1521)
SQL Server (port 1433)

Enumeration

Information about the clusters in RDS

aws rds describe-db-clusters

Information about the database instances in RDS

aws rds describe-db-instances

Describe Database Snapshots

aws rds describe-db-snapshots --region <region>

Information about the subnet group in RDS

aws rds describe-db-subnet-groups

Information about the database security groups in RDS

aws rds describe-db-security-groups

Information about the database proxies in RDS

aws rds describe-db-proxies

Data Exfiltration

Password Based

mysql -h hostname -u username -P port -p password

Bruteforce attack:

MySQL (3306)

The tmpdir variable provides further confirmation that this is an AWS RDS instance

SHOW GLOBAL VARIABLES like 'tmpdir';

IAM Based Authentication (token)

Get the database instance connection temporary token from the RDS endpoint

aws rds generate-db-auth-token --hostname [hostname] --port [port] --username [username] --region [region]

Connect to mysql using temporary token

mysql -h hostname -u username -P port --enable-cleartext-plugin --password=$TOKEN

Snapshots

Public snapshots from single RDS database instances that belong to AWS account ID

aws rds describe-db-snapshots --snapshot-type public --include-public --region us-east-1 | grep [account-ID]

Public snapshots from RDS database cluster instances

aws rds describe-db-cluster-snapshots --snapshot-type public --include-public --region us-east-1 | grep [account-ID]

The snapshot can be restored. From the Actions menuin GUI, select Restore snapshot

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Advanced Penetration Testing: Hacking AWS 2 This book delves deeper into analyzing the security of various AWS services and shows techniques and tactics used by an attacker to breach an AWS environment
Hands-On AWS Penetration Testing with Kali Linux Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and Cloud

PreviousS3 - Simple Storage Service NextDynamoDB

Last updated 8 months ago

hashtagAmazon RDS - Relational Database Service

hashtagEnumeration

hashtagInformation about the clusters in RDS

hashtagInformation about the database instances in RDS

hashtagDescribe Database Snapshots

hashtagInformation about the subnet group in RDS

hashtagInformation about the database security groups in RDS

hashtagInformation about the database proxies in RDS

hashtagData Exfiltration

hashtagPassword Based

hashtagIAM Based Authentication (token)

hashtagSnapshots

hashtagInteresting Book