AWS - S3 Unauthenticated Enum


S3 Public Buckets

A bucket is considered "public" if any user can list the contents of the bucket, and "private" if the bucket's contents can only be listed or written by certain users.

Companies might have misconfigured bucket permissions granting access either to everything or to everyone authenticated in AWS in any account (so to anyone). Note that even with such misconfigurations, some actions might not be possible, since buckets can have their own access control lists (ACLs).

Learn about AWS-S3 misconfigurations here: http://flaws.cloud and http://flaws2.cloud/

Finding AWS Buckets

Different ways to find out whether a web page is using AWS to store some resources:

Enumeration & OSINT:

  • Using the wappalyzer browser plugin

  • Using burp (spidering the web) or by manually navigating through the page: all the loaded resources will be saved in the History.

  • Check for resources in domains like:

http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/
  • Check for CNAMEs, as resources.domain.com might have the CNAME bucket.s3.amazonaws.com

  • Check https://buckets.grayhatwarfare.com, a site listing open buckets that have already been discovered.

  • The bucket name and the bucket domain name need to be the same.

  • flaws.cloud is at IP 52.92.181.107 and if you go there it redirects you to https://aws.amazon.com/s3/. Also, dig -x 52.92.181.107 gives s3-website-us-west-2.amazonaws.com.

  • To check that it is a bucket you can also visit https://flaws.cloud.s3.amazonaws.com/.

Brute-Force

You can find buckets by trying names related to the company you are pentesting:

# Generate a wordlist to create permutations
curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
curl -s https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt >>/tmp/words-s3.txt.temp
cat /tmp/words-s3.txt.temp | sort -u > /tmp/words-s3.txt

# Generate a wordlist based on the domains and subdomains to test
## Write those domains and subdomains in subdomains.txt
cat subdomains.txt > /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "-" >> /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "\n" | sort -u >> /tmp/words-hosts-s3.txt

# Create permutations based on a list with the domains and subdomains to test
goaltdns -l /tmp/words-hosts-s3.txt -w /tmp/words-s3.txt -o /tmp/final-words-s3.txt.temp
## The previous tool is specialized in creating permutations for subdomains, let's filter that list
### Remove lines ending with "."
cat /tmp/final-words-s3.txt.temp | grep -Ev "\.$" > /tmp/final-words-s3.txt.temp2
### Create list without TLD
cat /tmp/final-words-s3.txt.temp2 | sed -E 's/\.[a-zA-Z0-9]+$//' > /tmp/final-words-s3.txt.temp3
### Create list without dots
cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4
### Create list with hyphens instead of dots
cat /tmp/final-words-s3.txt.temp3 | tr "." "-" > /tmp/final-words-s3.txt.temp5

## Generate the final wordlist
cat /tmp/final-words-s3.txt.temp2 /tmp/final-words-s3.txt.temp3 /tmp/final-words-s3.txt.temp4 /tmp/final-words-s3.txt.temp5 | grep -v -- "-\." | awk '{print tolower($0)}' | sort -u > /tmp/final-words-s3.txt

## Call s3scanner
s3scanner --threads 100 scan --buckets-file /tmp/final-words-s3.txt  | grep bucket_exists

Loot S3 Buckets

Given open S3 buckets, BucketLoot can automatically search them for interesting information.

Find the Region

You can find all the regions supported by AWS at https://docs.aws.amazon.com/general/latest/gr/s3.html

By DNS

You can find the region of a bucket with dig and nslookup by doing a reverse DNS request of the discovered IP:

dig flaws.cloud
;; ANSWER SECTION:
flaws.cloud.    5    IN    A    52.218.192.11

nslookup 52.218.192.11
Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.

Check that the resolved domain contains the word "website". You can access the static website by going to flaws.cloud.s3-website-us-west-2.amazonaws.com, or you can access the bucket itself by visiting flaws.cloud.s3-us-west-2.amazonaws.com
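As an added example that is not part of the original page, the following Python parses the hostname a reverse lookup returns, in both the dash-style and dot-style forms AWS uses for S3 endpoints, and derives the bucket and website URLs described above (the helper names are chosen here):

```python
import re

# S3 service hostnames seen in reverse DNS come in two styles (both real AWS forms):
#   dash style: s3-website-us-west-2.amazonaws.com / s3-us-west-2.amazonaws.com
#   dot style:  s3-website.us-east-2.amazonaws.com / s3.us-east-2.amazonaws.com
_S3_HOST_RE = re.compile(
    r"^s3(?P<website>-website)?(?P<sep>[.-])"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com\.?$"
)


def parse_s3_host(hostname: str):
    """Return (region, is_website, separator) for an S3 hostname, else None."""
    m = _S3_HOST_RE.match(hostname.strip().lower())
    if m is None:
        return None
    return m.group("region"), m.group("website") is not None, m.group("sep")


def bucket_endpoints(bucket: str, hostname: str):
    """Derive the URLs to try for a bucket whose IP reverse-resolved to `hostname`.
    A bucket URL is always built; a website URL only when the PTR record
    contains "website". Website endpoints are plain HTTP, so that URL uses http://."""
    parsed = parse_s3_host(hostname)
    if parsed is None:
        return None
    region, is_website, sep = parsed
    result = {
        "region": region,
        "bucket_url": f"https://{bucket}.s3{sep}{region}.amazonaws.com/",
    }
    if is_website:
        result["website_url"] = f"http://{bucket}.s3-website{sep}{region}.amazonaws.com/"
    return result
```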

By Trying

If you try to access a bucket but specify another region in the domain name (for example the bucket is in bucket.s3.amazonaws.com but you try to access bucket.s3-website-us-west-2.amazonaws.com), then the response will point you to the correct location:

Enumerating the bucket

To test whether a bucket is open, a user can simply enter its URL in their web browser. A private bucket will respond with "Access Denied". A public bucket will list the first 1,000 objects that have been stored.

Open to everyone:

Private:

You can also check this with the cli:

#Use --no-sign-request to check "Everyone" permissions
#Use --profile <PROFILE_NAME> to indicate the AWS profile (keys) that you want to use: check for "Any Authenticated AWS User" permissions
#Use --recursive if you want to list recursively
#Optionally you can select the region if you know it
aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile <PROFILE_NAME>] [ --recursive] [--region us-west-2]

If the bucket doesn't have a domain name, when trying to enumerate it put only the bucket name and not the whole AWS S3 domain. Example: s3://<BUCKETNAME>
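The same two misconfigurations (open to "Everyone" and open to "Any Authenticated AWS User") can be audited from the owner's side by inspecting the bucket ACL. This is an added example, not code from the original page: it classifies the dict shape boto3's get_bucket_acl returns, the sample ACLs are constructed, and the helper names are chosen here.

```python
# Canonical group URIs S3 uses in ACL grants (real AWS values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"                     # anyone, no credentials
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account


def classify_bucket_acl(acl: dict) -> dict:
    """Classify a bucket ACL (shape of boto3 get_bucket_acl output).
    On a bucket ACL, READ allows listing objects and WRITE allows creating,
    overwriting and deleting them. Returns the permissions granted to the two
    global groups plus a summary: 'public', 'any-aws-user' or 'private'."""
    everyone, authenticated = set(), set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / email grants are specific principals, not global
        if grantee.get("URI") == ALL_USERS:
            everyone.add(grant["Permission"])
        elif grantee.get("URI") == AUTHENTICATED_USERS:
            authenticated.add(grant["Permission"])
    exposure = "public" if everyone else "any-aws-user" if authenticated else "private"
    return {
        "exposure": exposure,
        "everyone": sorted(everyone),
        "authenticated_users": sorted(authenticated),
        "listable_without_credentials": bool({"READ", "FULL_CONTROL"} & everyone),
    }


def audit_bucket(s3_client, bucket: str) -> dict:
    """Fetch and classify a bucket's ACL with any object exposing get_bucket_acl
    (a boto3 S3 client in practice; a stub works for the constructed samples)."""
    return classify_bucket_acl(s3_client.get_bucket_acl(Bucket=bucket))


# Constructed sample ACLs (not real buckets) mirroring the two misconfigurations.
SAMPLE_PUBLIC_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_AUTH_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
]}
```

The ACL is only one layer: a bucket policy or the account's S3 Block Public Access settings can still override what the ACL alone suggests.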

Public URL Template

https://{user_provided}.s3.amazonaws.com

Get Account ID from a public Bucket

It's possible to determine an AWS account by taking advantage of the new S3:ResourceAccount Policy Condition Key. This condition restricts access based on the account the S3 bucket is in (other account-based policies restrict based on the account the requesting principal is in). And because the policy can contain wildcards, it's possible to find the account number one digit at a time.

This tool automates the process:

# Installation
pipx install s3-account-search
pip install s3-account-search
# With a bucket
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket
# With an object
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext

This technique also works with API Gateway URLs, Lambda URLs, Data Exchange data sets and even to get the value of tags (if you know the tag key). You can find more information in the original research and the tool conditional-love that automates this exploitation.

Confirming a bucket belongs to an AWS account

As explained in this blog post, if you have permissions to list a bucket it's possible to confirm the account ID the bucket belongs to by sending a request like:

curl -X GET "[bucketname].s3.amazonaws.com/" \
  -H "x-amz-expected-bucket-owner: [correct-account-id]"

# Response when the account ID is correct: the normal listing
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">...</ListBucketResult>

If the error is "Access Denied" it means that the account ID was wrong.

Using an Email as root account identifier

As explained in this blog post, it's possible to check whether an email address is related to any AWS account by trying to grant permissions to that email over an S3 bucket via ACLs. If this doesn't trigger an error, it means that the email is the root user of some AWS account:

import boto3

s3_client = boto3.client("s3")
bucket_name = "<YOUR_BUCKET_NAME>"  # a bucket you own and whose ACL you can change

# Granting READ to an email via ACL only succeeds if the email belongs to the
# root user of some AWS account; otherwise S3 rejects the request with an error.
s3_client.put_bucket_acl(
    Bucket=bucket_name,
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'EmailAddress': 'some@emailtotest.com',
                    'Type': 'AmazonCustomerByEmail',
                },
                'Permission': 'READ'
            },
        ],
        'Owner': {
            'DisplayName': 'Whatever',
            'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef'
        }
    }
)
