AWS - KMS Post Exploitation
Last updated
Last updated
Ucz się i ćwicz Hacking AWS:HackTricks Szkolenie AWS Red Team Expert (ARTE) Ucz się i ćwicz Hacking GCP: HackTricks Szkolenie GCP Red Team Expert (GRTE)
Aby uzyskać więcej informacji, sprawdź:
AWS - KMS Enumfileb://
and file://
are URI schemes used in AWS CLI commands to specify the path to local files:
fileb://:
Reads the file in binary mode, commonly used for non-text files.
file://:
Reads the file in text mode, typically used for plain text files, scripts, or JSON that doesn't have special encoding requirements.
Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64 encoded data. (fileb://)
Using a symmetric key
Using a asymmetric key:
An attacker with privileged access over KMS could modify the KMS policy of keys and grant his account access over them, removing the access granted to the legit account.
Then, the legit account users won't be able to access any informatcion of any service that has been encrypted with those keys, creating an easy but effective ransomware over the account.
Note that AWS managed keys aren't affected by this attack, only Customer managed keys.
Also note the need to use the param --bypass-policy-lockout-safety-check
(the lack of this option in the web console makes this attack only possible from the CLI).
Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to give the access back to original account, you won't be able.
There is another way to perform a global KMS Ransomware, which would involve the following steps:
Create a new key with a key material imported by the attacker
Re-encrypt older data encrypted with the previous version with the new one.
Delete the KMS key
Now only the attacker, who has the original key material could be able to decrypt the encrypted data
Note that AWS now prevents the previous actions from being performed from a cross account:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)