AWS - Nitro Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

AWS Nitro ni seti ya teknolojia bunifu ambazo zinaunda jukwaa la msingi kwa ajili ya AWS EC2 instances. Ilianzishwa na Amazon ili kuimarisha usalama, utendaji, na uaminifu, Nitro inatumia vipengele vya vifaa maalum na hypervisor nyepesi. Inachambua sehemu kubwa ya kazi za kawaida za virtualization kwa vifaa na programu maalum, ikiweka chini uso wa shambulio na kuboresha ufanisi wa rasilimali. Kwa kuhamasisha kazi za virtualization, Nitro inaruhusu EC2 instances kutoa utendaji wa karibu na vifaa halisi, na kuifanya kuwa na manufaa hasa kwa programu zinazohitaji rasilimali nyingi. Zaidi ya hayo, Chip ya Usalama ya Nitro inahakikisha usalama wa vifaa na firmware, ikiongeza nguvu ya usanifu wake.

Nitro Enclaves

AWS Nitro Enclaves inatoa mazingira salama, ya kutengwa ya kompyuta ndani ya Amazon EC2 instances, iliyoundwa mahsusi kwa ajili ya kushughulikia data nyeti sana. Kwa kutumia Mfumo wa AWS Nitro, maeneo haya yanahakikisha kutengwa na usalama mzuri, bora kwa kushughulikia taarifa za siri kama PII au rekodi za kifedha. Yana mazingira ya kimsingi, yanayopunguza hatari ya kufichuliwa kwa data. Zaidi ya hayo, Nitro Enclaves inasaidia uthibitisho wa kificho, ikiruhusu watumiaji kuthibitisha kwamba ni msimbo tu ulioidhinishwa unaotumika, muhimu kwa kudumisha utii mkali na viwango vya ulinzi wa data.

Picha za Nitro Enclave zinakimbia kutoka ndani ya EC2 instances na huwezi kuona kutoka kwenye konsoli ya wavuti ya AWS kama EC2 instances inakimbia picha katika Nitro Enclave au la.

Nitro Enclave CLI installation

Fuata maelekezo yote kutoka kwenye nyaraka. Hata hivyo, haya ndiyo muhimu zaidi:

# Install tools
sudo amazon-linux-extras install aws-nitro-enclaves-cli -y
sudo yum install aws-nitro-enclaves-cli-devel -y

# Config perms
sudo usermod -aG ne $USER
sudo usermod -aG docker $USER

# Check installation
nitro-cli --version

# Start and enable the Nitro Enclaves allocator service.
sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service

Nitro Enclave Images

Picha ambazo unaweza kuendesha katika Nitro Enclave zinategemea picha za docker, hivyo unaweza kuunda picha zako za Nitro Enclave kutoka kwa picha za docker kama:

# You need to have the docker image accesible in your running local registry
# Or indicate the full docker image URL to access the image
nitro-cli build-enclave --docker-uri <docker-img>:<tag> --output-file nitro-img.eif

Kama unavyoona, picha za Nitro Enclave zinatumia kiambatisho eif (Enclave Image File).

Matokeo yataonekana kama:

Using the locally available Docker image...
Enclave Image successfully created.
{
"Measurements": {
"HashAlgorithm": "Sha384 { ... }",
"PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
"PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
"PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
}
}

Run an Image

Kulingana na nyaraka, ili kuendesha picha ya enclave unahitaji kuipatia kumbukumbu ya angalau mara 4 ya ukubwa wa faili la eif. Inawezekana kuweka rasilimali za default za kupewa katika faili

/etc/nitro_enclaves/allocator.yaml

Kumbuka daima kwamba unahitaji kuhifadhi rasilimali fulani kwa ajili ya mfano wa EC2 wa mzazi pia!

Baada ya kujua rasilimali za kutoa kwa picha na hata kuwa umerekebisha faili la usanidi, inawezekana kuendesha picha ya enclave na:

# Restart the service so the new default values apply
sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service

# Indicate the CPUs and memory to give
nitro-cli run-enclave --cpu-count 2 --memory 3072 --eif-path hello.eif --debug-mode --enclave-cid 16

Orodhesha Enclaves

Ikiwa unavunja EC2 mwenyeji, inawezekana kupata orodha ya picha za enclave zinazotembea kwa:

nitro-cli describe-enclaves

Ni haiwezekani kupata shell ndani ya picha ya enclave inayotembea kwa sababu hiyo ndiyo sababu kuu ya enclave, hata hivyo, ikiwa umetumia parameter --debug-mode, inawezekana kupata stdout yake kwa:

ENCLAVE_ID=$(nitro-cli describe-enclaves | jq -r ".[0].EnclaveID")
nitro-cli console --enclave-id ${ENCLAVE_ID}

Terminate Enclaves

Ikiwa mshambuliaji atashambulia EC2 instance, kwa kawaida hatakuwa na uwezo wa kupata shell ndani yao, lakini ataweza terminate them na:

nitro-cli terminate-enclave --enclave-id ${ENCLAVE_ID}

Vsocks

Njia pekee ya kuwasiliana na enclave inayotumia picha ni kutumia vsocks.

Virtual Socket (vsock) ni familia ya soketi katika Linux iliyoundwa mahsusi kuwezesha mawasiliano kati ya mashine za virtual (VMs) na hypervisors zao, au kati ya VMs wenyewe. Vsock inaruhusu mawasiliano bora, ya pande mbili bila kutegemea muundo wa mtandao wa mwenyeji. Hii inafanya iwezekane kwa VMs kuwasiliana hata bila mipangilio ya mtandao, wakitumia 32-bit Context ID (CID) na nambari za port kutambua na kudhibiti muunganisho. API ya vsock inasaidia aina zote za soketi za mtiririko na datagram, sawa na TCP na UDP, ikitoa chombo chenye matumizi mengi kwa programu za kiwango cha mtumiaji katika mazingira ya virtual.

Hivyo, anwani ya vsock inaonekana kama hii: <CID>:<Port>

Ili kupata CIDs za enclave zinazotumia picha unaweza tu kutekeleza cmd ifuatayo na kupata EnclaveCID:

nitro-cli describe-enclaves

[
{
"EnclaveName": "secure-channel-example",
"EnclaveID": "i-0bc274f83ade02a62-enc18ef3d09c886748",
"ProcessID": 10131,
    "EnclaveCID": 16,
    "NumberOfCPUs": 2,
"CPUIDs": [
1,
3
],
"MemoryMiB": 1024,
"State": "RUNNING",
"Flags": "DEBUG_MODE",
"Measurements": {
"HashAlgorithm": "Sha384 { ... }",
"PCR0": "e199261541a944a93129a52a8909d29435dd89e31299b59c371158fc9ab3017d9c450b0a580a487e330b4ac691943284",
"PCR1": "bcdf05fefccaa8e55bf2c8d6dee9e79bbff31e34bf28a99aa19e6b29c37ee80b214a414b7607236edf26fcb78654e63f",
"PCR2": "2e1fca1dbb84622ec141557dfa971b4f8ea2127031b264136a20278c43d1bba6c75fea286cd4de9f00450b6a8db0e6d3"
}
}
]

Kumbuka kwamba kutoka kwa mwenyeji hakuna njia ya kujua kama CID inafichua bandari yoyote! Isipokuwa kwa kutumia vsock port scanner kama https://github.com/carlospolop/Vsock-scanner.

Vsock Server/Listener

Pata hapa mifano kadhaa:

https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py

Simple Python Listener

```python #!/usr/bin/env python3

From

https://medium.com/@F.DL/understanding-vsock-684016cf0eb0

import socket

CID = socket.VMADDR_CID_HOST PORT = 9999

s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) s.bind((CID, PORT)) s.listen() (conn, (remote_cid, remote_port)) = s.accept()

print(f"Connection opened by cid={remote_cid} port={remote_port}")

while True: buf = conn.recv(64) if not buf: break

print(f"Received bytes: {buf}")

</details>
```bash
# Using socat
socat VSOCK-LISTEN:<port>,fork EXEC:"echo Hello from server!"

Vsock Client

Mifano:

https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py

PreviousAWS - EC2, EBS, ELB, SSM, VPC & VPN Enum NextAWS - VPC & Networking Basic Information

Last updated 1 month ago