AWS - MSK Enum


Amazon MSK

Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that simplifies building and running applications that process streaming data with Apache Kafka. Control-plane operations, including creating, updating and deleting clusters, are handled by Amazon MSK. The service lets you use the Apache Kafka data-plane operations, namely producing and consuming data. It runs the open-source version of Apache Kafka, so existing applications, tools and plugins from partners and the Apache Kafka community keep working without changes to application code.

In terms of reliability, Amazon MSK is designed to automatically detect and recover from common cluster failure scenarios, so that producer and consumer applications keep writing and reading data without significant disruption. It also aims to make data replication more efficient by trying to reuse the storage of replaced brokers, which reduces the amount of data Apache Kafka has to replicate.

Types

There are 2 types of Kafka clusters that AWS lets you create: Provisioned and Serverless.

From an attacker's perspective you need to know that:

  • Serverless cannot be directly public (it can only run inside a VPC without any publicly exposed IP). However, Provisioned can be configured to get a public IP (it doesn't have one by default) and its security group can be set to expose the relevant ports.

  • Serverless supports only IAM as the authentication method. Provisioned supports SASL/SCRAM (password) authentication, IAM authentication, AWS Certificate Manager (ACM) authentication and unauthenticated access.

  • Note that it's not possible to publicly expose a Provisioned Kafka if unauthenticated access is enabled.

Enumeration

# Get clusters
aws kafka list-clusters
aws kafka list-clusters-v2

# Check the supported authentication
aws kafka list-clusters | jq -r ".ClusterInfoList[].ClientAuthentication"

# Get Zookeeper endpoints
aws kafka list-clusters | jq -r ".ClusterInfoList[].ZookeeperConnectString, .ClusterInfoList[].ZookeeperConnectStringTls"

# Get nodes and node endpoints
aws kafka list-nodes --cluster-arn <cluster-arn>
aws kafka list-nodes --cluster-arn <cluster-arn> | jq -r ".NodeInfoList[].BrokerNodeInfo.Endpoints" # Get endpoints

# Get used kafka configs
aws kafka list-configurations # Get Kafka config files
aws kafka describe-configuration --arn <config-arn> # Get the versions (revisions) of a config
aws kafka describe-configuration-revision --arn <config-arn> --revision <version> # Get content of a config version

# If using SCRAM authentication, get the name of the AWS secret used (not the secret value)
aws kafka list-scram-secrets --cluster-arn <cluster-arn>
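As an added example (not part of the original page), the following Python script reads the JSON returned by `aws kafka list-clusters` and flags the settings enumerated above that matter from a defensive point of view: unauthenticated access, SASL/SCRAM or IAM auth, non-TLS client-broker traffic and public access. The embedded sample is constructed, with made-up cluster names and ARNs; the field names follow the MSK API.

```python
import json
import sys
from typing import Dict, List

# Constructed sample shaped like the output of `aws kafka list-clusters`
# (field names follow the MSK API; names and ARNs are made up for this example).
SAMPLE_LIST_CLUSTERS = json.dumps({"ClusterInfoList": [
    {"ClusterName": "prov-open",
     "ClusterArn": "arn:aws:kafka:us-east-1:111111111111:cluster/prov-open/EXAMPLE-1",
     "ClientAuthentication": {"Unauthenticated": {"Enabled": True},
                              "Sasl": {"Scram": {"Enabled": True}}},
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS_PLAINTEXT"}},
     "BrokerNodeGroupInfo": {"ConnectivityInfo": {"PublicAccess": {"Type": "DISABLED"}}}},
    {"ClusterName": "prov-public",
     "ClusterArn": "arn:aws:kafka:us-east-1:111111111111:cluster/prov-public/EXAMPLE-2",
     "ClientAuthentication": {"Sasl": {"Iam": {"Enabled": True}}},
     "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS"}},
     "BrokerNodeGroupInfo": {"ConnectivityInfo": {"PublicAccess": {"Type": "SERVICE_PROVIDED_EIPS"}}}},
]})

def audit_cluster(info: Dict) -> List[str]:
    """Return the findings for one ClusterInfoList entry."""
    findings = []
    auth = info.get("ClientAuthentication", {})
    sasl = auth.get("Sasl", {})
    if auth.get("Unauthenticated", {}).get("Enabled"):
        findings.append("unauthenticated access enabled")
    if sasl.get("Scram", {}).get("Enabled"):
        findings.append("SASL/SCRAM enabled: audit who can read the associated Secrets Manager secret")
    if sasl.get("Iam", {}).get("Enabled"):
        findings.append("IAM auth enabled: review which principals hold kafka-cluster:* permissions")
    if auth.get("Tls", {}).get("CertificateAuthorityArnList"):
        findings.append("mTLS via ACM Private CA enabled: review who can issue client certificates")
    cb = info.get("EncryptionInfo", {}).get("EncryptionInTransit", {}).get("ClientBroker", "TLS")
    if cb != "TLS":
        findings.append(f"client-broker traffic may be plaintext ({cb})")
    pa = (info.get("BrokerNodeGroupInfo", {}).get("ConnectivityInfo", {})
          .get("PublicAccess", {}).get("Type", "DISABLED"))
    if pa != "DISABLED":
        findings.append(f"public access enabled ({pa}): check the broker security group rules")
    return findings

def audit(list_clusters_json: str) -> Dict[str, List[str]]:
    """Map each cluster ARN to its findings, given `aws kafka list-clusters` output."""
    clusters = json.loads(list_clusters_json).get("ClusterInfoList", [])
    return {c["ClusterArn"]: audit_cluster(c) for c in clusters}

if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST_CLUSTERS
    for arn, found in audit(raw).items():
        print(arn, "->", "; ".join(found) or "no findings")
```

Run it as `aws kafka list-clusters > clusters.json && python3 audit_msk.py clusters.json` (the script name is assumed); without an argument it audits the embedded sample.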

Kafka IAM Access (in serverless)

# Guide from https://docs.aws.amazon.com/msk/latest/developerguide/create-serverless-cluster.html
# Download Kafka
wget https://archive.apache.org/dist/kafka/2.8.1/kafka_2.12-2.8.1.tgz
tar -xzf kafka_2.12-2.8.1.tgz

# Download the MSK IAM JAR file into kafka_2.12-2.8.1/libs
cd kafka_2.12-2.8.1/libs
wget https://github.com/aws/aws-msk-iam-auth/releases/download/v1.1.1/aws-msk-iam-auth-1.1.1-all.jar
cd ../..

# Create the file client.properties (the commands below pass it as a relative path, so it is created in the current directory)
cat > client.properties <<'EOF'
security.protocol=SASL_SSL
sasl.mechanism=AWS_MSK_IAM
sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required;
sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler
EOF

# Export the bootstrap endpoint address
export BS=boot-ok2ngypz.c2.kafka-serverless.us-east-1.amazonaws.com:9098
## Make sure you will be able to reach port 9098 from the EC2 instance (check VPC, subnets and SG)

# Create a topic called msk-serverless-tutorial
kafka_2.12-2.8.1/bin/kafka-topics.sh --bootstrap-server $BS --command-config client.properties --create --topic msk-serverless-tutorial --partitions 6

# Send every new line typed on stdin as a message
kafka_2.12-2.8.1/bin/kafka-console-producer.sh --bootstrap-server $BS --producer.config client.properties --topic msk-serverless-tutorial

# Read messages
kafka_2.12-2.8.1/bin/kafka-console-consumer.sh --bootstrap-server $BS --consumer.config client.properties --topic msk-serverless-tutorial --from-beginning

Privesc

Unauthenticated Access

Persistence

If you are going to have access to the VPC where a Provisioned Kafka is located, you could enable unauthenticated access, read the password from the secret if SASL/SCRAM authentication is used, grant IAM permissions to another user (if IAM or serverless is used) or persist with certificates.
