Recon / Initial Access / Enum

AWS - Initial Recon

Recon - AWS Eye

Found an account ID:

AWS Extender - Burp Extension

GitHub - VirtueSecurity/aws-extender: AWS Extender (Cloud Storage Tester) is a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.GitHub

Credz in git repos

Credentials in git repos

trufflehog --regex --entropy=False <repo>
sudo docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest scan -d <repo>.np --git-url <git url>
sudo docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest report -d <repo>.np

Credz on Host - Hardcoded Secrets

cat ~/.aws/credentials
cat ~/.aws/config

Spray AWS Console IAM Logins

IAM User enumeration

aws iam list-users
aws iam list-users --query "Users[*].Arn"

Or see IAM part

GoAWSConsoleSpray

GitHub - WhiteOakSecurity/GoAWSConsoleSpray: Tool to spray AWS Console IAM LoginsGitHub

./GoAWSConsoleSpray -a ACCOUNTID -u ../../users -p ../../passwords

To get the ACCOUNTID , run aws sts get-caller-identity with a known account

AWeSomeUserFinder

GitHub - dievus/AWeSomeUserFinder: AWS IAM Username Enumerator and Password Spraying Tool in Python3GitHub

python3 AWeSomeUserFinder.py -a <account id> -s -p <password> -r <users> -t <time>

Subdomain Takeover

AWS Elastic Beanstalk

Using PD tools to find my first subdomain takeoverProjectDiscovery Blog

Subdomain takeover via AWS s3 bucketInfoSec Write-ups

DNS (53)

CloudTap

GitHub - PanosoikoGr/CloudTapGitHub

AWS Enumerator

Credentials found

GitHub - shabarkin/aws-enumerator: The AWS Enumerator was created for service enumeration and info dumping for investigations of penetration testers during Black-Box testing. The tool is intended to speed up the process of Cloud review in case the security researcher compromised AWS Account Credentials.GitHub

./aws-enumerator cred -aws_access_key_id AKIA***********XKU -aws_region us-west-2 -aws_secret_access_key kIm6m********************5JPF


./aws-enumerator enum --services all

# Permissions
./aws-enumerator dump --services dynamodb

Cloudfox

GitHub - BishopFox/cloudfox: Automating situational awareness for cloud penetration tests.GitHub

cloudfox -p <profile> all-checks

Security Groups - Segmentation

My AWS “Segmentation Test” Methodology for Pentesters v1.0Medium

GitHub - SherifTalaat/AWS-SG-Analyzer: Python script to analyze and extract all Security Groups informationGitHub

AWS Attack Path Management Tool

GitHub - hotnops/apeman: AWS Attack Path Management Tool - Walking on the MoonGitHub

Authenticated Recon

ScoutSuite

GitHub - nccgroup/ScoutSuite: Multi-Cloud Security Auditing ToolGitHub

Prowler

GitHub - prowler-cloud/prowler: Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains more than 200 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.GitHub

White Box Recon

You must have the following privileges (these grant various read access of metadata):

arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

GitHub - duo-labs/cloudmapper: CloudMapper helps you analyze your Amazon Web Services (AWS) environments.GitHub

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Advanced Penetration Testing: Hacking AWS 2 This book delves deeper into analyzing the security of various AWS services and shows techniques and tactics used by an attacker to breach an AWS environment
Hands-On AWS Penetration Testing with Kali Linux Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and Cloud

PreviousAWS NextAWS CLI

Last updated 19 days ago