Recon / Initial Access / Enum

AWS - Initial Recon

Recon - AWS Eye

Found an account ID:

Awseye - See Inside AWS Accountsawseye.com

AWS Extender - Burp Extension

GitHub - VirtueSecurity/aws-extender: AWS Extender (Cloud Storage Tester) is a Burp plugin to assess permissions of cloud storage containers on AWS, Google Cloud and Azure.GitHub

Credz in git repos

Credentials in git repos

trufflehog --regex --entropy=False <repo>
sudo docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest scan -d <repo>.np --git-url <git url>
sudo docker run -v "$PWD":/scan ghcr.io/praetorian-inc/noseyparker:latest report -d <repo>.np

Credz on Host - Hardcoded Secrets

cat ~/.aws/credentials
cat ~/.aws/config

Spray AWS Console IAM Logins

IAM User enumeration

aws iam list-users
aws iam list-users --query "Users[*].Arn"

Or see IAM part

GoAWSConsoleSpray

GitHub - WhiteOakSecurity/GoAWSConsoleSpray: Tool to spray AWS Console IAM LoginsGitHub

./GoAWSConsoleSpray -a ACCOUNTID -u ../../users -p ../../passwords

To get the ACCOUNTID , run aws sts get-caller-identity with a known account

AWeSomeUserFinder

GitHub - dievus/AWeSomeUserFinder: AWS IAM Username Enumerator and Password Spraying Tool in Python3GitHub

python3 AWeSomeUserFinder.py -a <account id> -s -p <password> -r <users> -t <time>

Subdomain Takeover

AWS Elastic Beanstalk

Using PD tools to find my first subdomain takeover — ProjectDiscovery BlogProjectDiscovery

Subdomain takeover via AWS s3 bucketMedium

DNS (53)

CloudTap

GitHub - PanosoikoGr/CloudTap: Comprehensive AWS cloud reconnaissance and privilege escalation toolkit written in Python. Features IAM, EC2, S3, Lambda, ECS, Secrets Manager, and more — with multi-region scanning and auto-suggested privilege escalation paths.GitHub

AWS Enumerator

Credentials found

GitHub - shabarkin/aws-enumerator: The AWS Enumerator was created for service enumeration and info dumping for investigations of penetration testers during Black-Box testing. The tool is intended to speed up the process of Cloud review in case the security researcher compromised AWS Account Credentials.GitHub

./aws-enumerator cred -aws_access_key_id AKIA***********XKU -aws_region us-west-2 -aws_secret_access_key kIm6m********************5JPF


./aws-enumerator enum --services all

# Permissions
./aws-enumerator dump --services dynamodb

Cloudfox

GitHub - BishopFox/cloudfox: Automating situational awareness for cloud penetration tests.GitHub

cloudfox -p <profile> all-checks

Security Groups - Segmentation

My AWS “Segmentation Test” Methodology for Pentesters v1.0Medium

GitHub - SherifTalaat/AWS-SG-Analyzer: Python script to analyze and extract all Security Groups informationGitHub

AWS Attack Path Management Tool

GitHub - hotnops/apeman: AWS Attack Path Management Tool - Walking on the MoonGitHub

Authenticated Recon

ScoutSuite

GitHub - nccgroup/ScoutSuite: Multi-Cloud Security Auditing ToolGitHub

Prowler

GitHub - prowler-cloud/prowler: Prowler is the world’s most widely used open-source cloud security platform that automates security and compliance across any cloud environment.GitHub

White Box Recon

You must have the following privileges (these grant various read access of metadata):

• arn:aws:iam::aws:policy/SecurityAudit

• arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

GitHub - duo-labs/cloudmapper: CloudMapper helps you analyze your Amazon Web Services (AWS) environments.GitHub

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Advanced Penetration Testing: Hacking AWS 2 This book delves deeper into analyzing the security of various AWS services and shows techniques and tactics used by an attacker to breach an AWS environment

• Hands-On AWS Penetration Testing with Kali Linux Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and Cloud