Links

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

VPC & Networking

Learn what a VPC is and about its components in:

EC2

Amazon EC2 is utilized for initiating virtual servers. It allows for the configuration of security and networking and the management of storage. The flexibility of Amazon EC2 is evident in its ability to scale resources both upwards and downwards, effectively adapting to varying requirement changes or surges in popularity. This feature diminishes the necessity for precise traffic predictions.
Interesting things to enumerate in EC2:
  • Virtual Machines
    • SSH Keys
    • User Data
    • Existing EC2s/AMIs/Snapshots
  • Networking
    • Networks
    • Subnetworks
    • Public IPs
    • Open ports
  • Integrated connections with other networks outside AWS

Instance Profiles

Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, you need an additional step to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications.
This extra step is the creation of an instance profile attached to the instance. The instance profile contains the role and can provide the role's temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application's API calls to access resources and to limit access to only those resources that the role specifies. Note that only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.

Metadata Endpoint

AWS EC2 metadata is information about an Amazon Elastic Compute Cloud (EC2) instance that is available to the instance at runtime. This metadata is used to provide information about the instance, such as its instance ID, the availability zone it is running in, the IAM role associated with the instance, and the instance's hostname.

Enumeration

# Get EC2 instances
aws ec2 describe-instances
aws ec2 describe-instance-status #Get status from running instances
# Get user data from each ec2 instance
for instanceid in $(aws ec2 describe-instances --profile <profile> --region us-west-2 | grep -Eo '"i-[a-zA-Z0-9]+' | tr -d '"'); do
echo "Instance ID: $instanceid"
aws ec2 describe-instance-attribute --profile <profile> --region us-west-2 --instance-id "$instanceid" --attribute userData | jq ".UserData.Value" | tr -d '"' | base64 -d
echo ""
echo "-------------------"
done
# Instance profiles
aws iam list-instance-profiles
aws iam list-instance-profiles-for-role --role-name <name>
# Get tags
aws ec2 describe-tags
# Get volumes
aws ec2 describe-volume-status
aws ec2 describe-volumes
# Get snapshots
aws ec2 describe-snapshots --owner-ids self
# Scheduled instances
aws ec2 describe-scheduled-instances
# Get custom images
aws ec2 describe-images --owners self
# Get Elastic IPs
aws ec2 describe-addresses
# Get current output
aws ec2 get-console-output --instance-id [id]
# Get VPN customer gateways
aws ec2 describe-customer-gateways
aws ec2 describe-vpn-gateways
aws ec2 describe-vpn-connections
# List conversion tasks to upload/download VMs
aws ec2 describe-conversion-tasks
aws ec2 describe-import-image-tasks
# Get Bundle Tasks
aws ec2 describe-bundle-tasks
# Get Classic Instances
aws ec2 describe-classic-link-instances
# Get Dedicated Hosts
aws ec2 describe-hosts
# Get SSH Key Pairs
aws ec2 describe-key-pairs
# Get Internet Gateways
aws ec2 describe-internet-gateways
# Get NAT Gateways
aws ec2 describe-nat-gateways
# Get subnetworks
aws ec2 describe-subnets
# Get FW rules
aws ec2 describe-network-acls
# Get security groups
aws ec2 describe-security-groups
# Get interfaces
aws ec2 describe-network-interfaces
# Get routes table
aws ec2 describe-route-tables
# Get VPCs
aws ec2 describe-vpcs
aws ec2 describe-vpc-peering-connections

Unauthenticated Access

Privesc

In the following page you can check how to abuse EC2 permissions to escalate privileges:

Post-Exploitation

EBS

Amazon EBS (Elastic Block Store) snapshots are basically static backups of AWS EBS volumes. In other words, they are copies of the disks attached to an EC2 Instance at a specific point in time. EBS snapshots can be copied across regions and accounts, or even downloaded and run locally.
Snapshots can contain sensitive information such as source code or APi keys, therefore, if you have the chance, it's recommended to check it.

Difference AMI & EBS

An AMI is used to launch an EC2 instance, while an EC2 Snapshot is used to backup and recover data stored on an EBS volume. While an EC2 Snapshot can be used to create a new AMI, it is not the same thing as an AMI, and it does not include information about the operating system, application server, or other software required to run an application.

Privesc

In the following page you can check how to abuse EBS permissions to escalate privileges:

SSM

Amazon Simple Systems Manager (SSM) allows to remotely manage floats of EC2 instances to make their administrations much more easy. Each of these instances need to be running the SSM Agent service as the service will be the one getting the actions and performing them from the AWS API.
SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources. The agent processes requests from the Systems Manager service in the AWS Cloud, and then runs them as specified in the request.
The SSM Agent comes preinstalled in some AMIs or you need to manually install them on the instances. Also, the IAM Role used inside the instance needs to have the policy AmazonEC2RoleforSSM attached to be able to communicate.

Enumeration

aws ssm describe-instance-information
aws ssm describe-parameters
aws ssm describe-sessions --state [Active|History]
aws ssm describe-instance-patches --instance-id <id>
aws ssm describe-instance-patch-states --instance-ids <id>
aws ssm describe-instance-associations-status --instance-id <id>
You can check in an EC2 instance if Systems Manager is runnign just by executing:
ps aux | grep amazon-ssm

Privesc

In the following page you can check how to abuse SSM permissions to escalate privileges:

Post-Exploitation

Techniques like SSM message interception can be found in the SSM post-exploitation page:

ELB

Elastic Load Balancing (ELB) is a load-balancing service for Amazon Web Services (AWS) deployments. ELB automatically distributes incoming application traffic and scales resources to meet traffic demands.

Enumeration

# List internet-facing ELBs
aws elb describe-load-balancers
aws elb describe-load-balancers | jq '.LoadBalancerDescriptions[]| select( .Scheme | contains("internet-facing"))|.DNSName'
# DONT FORGET TO CHECK VERSION 2
aws elbv2 describe-load-balancers
aws elbv2 describe-load-balancers | jq '.LoadBalancers[].DNSName'
aws elbv2 describe-listeners --load-balancer-arn <load_balancer_arn>

Launch Templates & Autoscaling Groups

Enumeration

# Launch templates
aws ec2 describe-launch-templates
aws ec2 describe-launch-templates --launch-template-id <launch_template_id>
## Get details, like user data
aws ec2 describe-launch-template-versions --launch-template-id <launch_template_id>
# Autoscaling
aws autoscaling describe-auto-scaling-groups
aws autoscaling describe-auto-scaling-instances
aws autoscaling describe-launch-configurations
aws autoscaling describe-load-balancer-target-groups
aws autoscaling describe-load-balancers

VPN

A VPN allows to connect your on-premise network (site-to-site VPN) or the workers laptops (Client VPN) with a AWS VPC so services can accessed without needing to expose them to the internet.

Basic AWS VPN Components

  1. 1.
    Customer Gateway:
    • A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection.
    • It is essentially a physical device or software application on your side of the Site-to-Site VPN connection.
    • You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway.
    • It serves as a reference point for setting up the VPN connection and doesn't incur additional charges.
  2. 2.
    Virtual Private Gateway:
    • A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
    • It is attached to your VPC and serves as the target for your VPN connection.
    • VPG is the AWS side endpoint for the VPN connection.
    • It handles the secure communication between your VPC and your on-premises network.
  3. 3.
    Site-to-Site VPN Connection:
    • A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel.
    • This type of connection requires a Customer Gateway and a Virtual Private Gateway.
    • It's used for secure, stable, and consistent communication between your data center or network and your AWS environment.
    • Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection.
  4. 4.
    Client VPN Endpoint:
    • A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions.
    • It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network.
    • It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks.
    • With Client VPN, each client device uses a VPN client software to establish a secure connection.

Enumeration

# VPN endpoints
## Check used subnetwork, authentication, SGs, connected...
aws ec2 describe-client-vpn-endpoints
## Get AWS network info related to the vpn endpoint
aws ec2 describe-client-vpn-target-networks --client-vpn-endpoint-id <id>
## Get AWS subnet & ip range the VPN iconnected to
aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id <id>
## Check authorization rules
aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id <id>
## Get current connections to the VPN endpoint
aws ec2 describe-client-vpn-connections --client-vpn-endpoint-id <id>
# Get VPN gateways and check with which VPC each is connected
aws ec2 describe-vpn-gateways
# Get VPN site-to-site connections
aws ec2 describe-vpn-connections

Local Enumeration

Local Temporary Credentials
When AWS VPN Client is used to connect to a VPN, the user will usually login in AWS to get access to the VPN. Then, some AWS credentials are created and stored locally to establish the VPN connection. These credentials are stored in $HOME/.config/AWSVPNClient/TemporaryCredentials/<region>/temporary-credentials.txt and contains an AccessKey, a SecretKey and a Token.
The credentials belong to the user arn:aws:sts::<acc-id>:assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials (TODO: research more about the permissions of this credentials).
opvn config files
If a VPN connection was stablished you should search for .opvn config files in the system. Moreover, one place where you could find the configurations is in $HOME/.config/AWSVPNClient/OpenVpnConfigs

Post Exploitaiton

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: