AWS Pentesting
Basic Information
Before start pentesting an AWS environment there are a few basics things you need to know about how AWS works to help you understand what you need to do, how to find misconfigurations and how to exploit them.
Concepts such as organization hierarchy, IAM and other basic concepts are explained in:
pageAWS - Basic InformationLabs to learn
Tools to simulate attacks:
AWS Pentester/Red Team Methodology
In order to audit an AWS environment it's very important to know: which services are being used, what is being exposed, who has access to what, and how are internal AWS services an external services connected.
From a Red Team point of view, the first step to compromise an AWS environment is to manage to obtain some credentials. Here you have some ideas on how to do that:
Leaks in github (or similar) - OSINT
Social Engineering
Password reuse (password leaks)
Vulnerabilities in AWS-Hosted Applications
Server Side Request Forgery with access to metadata endpoint
Local File Read
/home/USERNAME/.aws/credentialsC:\Users\USERNAME\.aws\credentials
3rd parties breached
Internal Employee
Cognito credentials
Or by compromising an unauthenticated service exposed:
pageAWS - Unauthenticated Enum & AccessOr if you are doing a review you could just ask for credentials with these roles:
pageAWS - Permissions for a PentestAfter you have managed to obtain credentials, you need to know to who do those creds belong, and what they have access to, so you need to perform some basic enumeration:
Basic Enumeration
SSRF
If you found a SSRF in a machine inside AWS check this page for tricks:
Whoami
One of the first things you need to know is who you are (in where account you are in other info about the AWS env):
Note that companies might use canary tokens to identify when tokens are being stolen and used. It's recommended to check if a token is a canary token or not before using it. For more info check this page.
Org Enumeration
pageAWS - Organizations EnumIAM Enumeration
If you have enough permissions checking the privileges of each entity inside the AWS account will help you understand what you and other identities can do and how to escalate privileges.
If you don't have enough permissions to enumerate IAM, you can steal bruteforce them to figure them out. Check how to do the numeration and brute-forcing in:
pageAWS - IAM, Identity Center & SSO EnumNow that you have some information about your credentials (and if you are a red team hopefully you haven't been detected). It's time to figure out which services are being used in the environment. In the following section you can check some ways to enumerate some common services.
Services Enumeration, Post-Exploitation & Persistence
AWS has an astonishing amount of services, in the following page you will find basic information, enumeration cheatsheets**,** how to avoid detection, obtain persistence, and other post-exploitation tricks about some of them:
pageAWS - ServicesNote that you don't need to perform all the work manually, below in this post you can find a section about automatic tools.
Moreover, in this stage you might discovered more services exposed to unauthenticated users, you might be able to exploit them:
pageAWS - Unauthenticated Enum & AccessPrivilege Escalation
If you can check at least your own permissions over different resources you could check if you are able to obtain further permissions. You should focus at least in the permissions indicated in:
pageAWS - Privilege EscalationPublicly Exposed Services
While enumerating AWS services you might have found some of them exposing elements to the Internet (VM/Containers ports, databases or queue services, snapshots or buckets...). As pentester/red teamer you should always check if you can find sensitive information / vulnerabilities on them as they might provide you further access into the AWS account.
In this book you should find information about how to find exposed AWS services and how to check them. About how to find vulnerabilities in exposed network services I would recommend you to search for the specific service in:
Compromising the Organization
From the root/management account
When the management account creates new accounts in the organization, a new role is created in the new account, by default named OrganizationAccountAccessRole and giving AdministratorAccess policy to the management account to access the new account.
So, in order to access as administrator a child account you need:
Compromise the management account and find the ID of the children accounts and the names of the role (OrganizationAccountAccessRole by default) allowing the management account to access as admin.
To find children accounts go to the organizations section in the aws console or run
aws organizations list-accountsYou cannot find the name of the roles directly, so check all the custom IAM policies and search any allowing
sts:AssumeRoleover the previously discovered children accounts.
Compromise a principal in the management account with
sts:AssumeRolepermission over the role in the children accounts (even if the account is allowing anyone from the management account to impersonate, as its an external account, specificsts:AssumeRolepermissions are necessary).
Automated Tools
Recon
aws-recon: A multi-threaded AWS security-focused inventory collection tool written in Ruby.
cloudlist: Cloudlist is a multi-cloud tool for getting Assets (Hostnames, IP Addresses) from Cloud Providers.
cloudmapper: CloudMapper helps you analyze your Amazon Web Services (AWS) environments. It now contains much more functionality, including auditing for security issues.
cartography: Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
starbase: Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
aws-inventory: (Uses python2) This is a tool that tries to discover all AWS resources created in an account.
aws_public_ips: It's a tool to fetch all public IP addresses (both IPv4/IPv6) associated with an AWS account.
Privesc & Exploiting
SkyArk: Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins. It uses powershell. You can find the definition of privileged policies in the function
Check-PrivilegedPolicyin https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1.pacu: Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. It can enumerate, find miss-configurations and exploit them. You can find the definition of privileged permissions in https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134 inside the
user_escalation_methodsdict.Note that pacu only checks your own privescs paths (not account wide).
PMapper: Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS. You can check the permissions used to find privesc paths in the filenames ended in
_edges.pyin https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing
cloudsplaining: Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report. It will show you potentially over privileged customer, inline and aws policies and which principals has access to them. (It not only checks for privesc but also other kind of interesting permissions, recommended to use).
cloudjack: CloudJack assesses AWS accounts for subdomain hijacking vulnerabilities as a result of decoupled Route53 and CloudFront configurations.
ccat: List ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image
Dufflebag: Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in.
Audit
cloudsploit: CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub (It doesn't look for ShadowAdmins).
Prowler: Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
CloudFox: CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
ScoutSuite: Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
cs-suite: Cloud Security Suite (uses python2.7 and looks unmaintained)
Zeus: Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices (looks unmaintained). It checks only default configured creds inside the system.
Constant Audit
cloud-custodian: Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed cloud infrastructure, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
pacbot: Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions.
streamalert: StreamAlert is a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response.
DEBUG: Capture AWS cli requests
References
Last updated
