Skip to content

Latest commit

 

History

History
504 lines (336 loc) · 27.3 KB

README.md

File metadata and controls

504 lines (336 loc) · 27.3 KB
Raw

AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum

Support HackTricks and get benefits!

VPC

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

VPC Flow Logs

Within your VPC, you could potentially have hundreds or even thousands of resources all communicating between different subnets both public and private and also between different VPCs through VPC peering connections. VPC Flow Logs allows you to capture IP traffic information that flows between your network interfaces of your resources within your VPC.

Unlike S3 access logs and CloudFront access logs, the log data generated by VPC Flow Logs is not stored in S3. Instead, the log data captured is sent to CloudWatch logs.

Limitations:

  • If you are running a VPC peered connection, then you'll only be able to see flow logs of peered VPCs that are within the same account.
  • If you are still running resources within the EC2-Classic environment, then unfortunately you are not able to retrieve information from their interfaces
  • Once a VPC Flow Log has been created, it cannot be changed. To alter the VPC Flow Log configuration, you need to delete it and then recreate a new one.
  • The following traffic is not monitored and captured by the logs. DHCP traffic within the VPC, traffic from instances destined for the Amazon DNS Server.
  • Any traffic destined to the IP address for the VPC default router and traffic to and from the following addresses, 169.254.169.254 which is used for gathering instance metadata, and 169.254.169.123 which is used for the Amazon Time Sync Service.
  • Traffic relating to an Amazon Windows activation license from a Windows instance
  • Traffic between a network load balancer interface and an endpoint network interface

For every network interface that publishes data to the CloudWatch log group, it will use a different log stream. And within each of these streams, there will be the flow log event data that shows the content of the log entries. Each of these logs captures data during a window of approximately 10 to 15 minutes.

Subnets

Subnets helps to enforce a greater level of security. Logical grouping of similar resources also helps you to maintain an ease of management across your infrastructure.
Valid CIDR are from a /16 netmask to a /28 netmask.
A subnet cannot be in different availability zones at the same time.

By having multiple Subnets with similar resources grouped together, it allows for greater security management. By implementing network level virtual firewalls, called network access control lists, or NACLs, it's possible to filter traffic on specific ports from both an ingress and egress point at the Subnet level.

When you create a subnet the network and broadcast address of the subnet can't be used for host addresses and AWS reserves the first three host IP addresses of each subnet for internal AWS usage: he first host address used is for the VPC router. The second address is reserved for AWS DNS and the third address is reserved for future use.

It's called public subnets to those that have direct access to the Internet, whereas private subnets do not.

In order to make a subnet public you need to create and attach an Internet gateway to your VPC. This Internet gateway is a managed service, controlled, configured, and maintained by AWS. It scales horizontally automatically, and is classified as a highly valuable component of your VPC infrastructure. Once your Internet gateway is attached to your VPC, you have a gateway to the Internet. However, at this point, your instances have no idea how to get out to the Internet. As a result, you need to add a default route to the route table associated with your subnet. The route could have a destination value of 0.0. 0. 0/0, and the target value will be set as your Internet gateway ID.

By default, all subnets have the automatic assigned of public IP addresses turned off but it can be turned on.

A local route within a route table enables communication between VPC subnets.

If you are connection a subnet with a different subnet you cannot access the subnets connected with the other subnet, you need to create connection with them directly. This also applies to internet gateways. You cannot go through a subnet connection to access internet, you need to assign the internet gateway to your subnet.

VPC Peering

VPC peering allows you to connect two or more VPCs together, using IPV4 or IPV6, as if they were a part of the same network.

Once the peer connectivity is established, resources in one VPC can access resources in the other. The connectivity between the VPCs is implemented through the existing AWS network infrastructure, and so it is highly available with no bandwidth bottleneck. As peered connections operate as if they were part of the same network, there are restrictions when it comes to your CIDR block ranges that can be used.
If you have overlapping or duplicate CIDR ranges for your VPC, then you'll not be able to peer the VPCs together.
Each AWS VPC will only communicate with its peer. As an example, if you have a peering connection between VPC 1 and VPC 2, and another connection between VPC 2 and VPC 3 as shown, then VPC 1 and 2 could communicate with each other directly, as can VPC 2 and VPC 3, however, VPC 1 and VPC 3 could not. You can't route through one VPC to get to another.

Relation

Learn how are related the most common elements of networking of AWS: >VPC, network, subnetworks, interfaces, security groups, NAT gateways... in

{% content-ref url="aws-vpcs-network-subnetworks-ifaces-secgroups-nat.md" %} aws-vpcs-network-subnetworks-ifaces-secgroups-nat.md {% endcontent-ref %}

Enumeration

Check the enumeration of the EC2 section below.

Post- Exploitation

Malicious VPC Mirror

VPC traffic mirroring duplicates inbound and outbound traffic for EC2 instances within a VPC without the need to install anything on the instances themselves. This duplicated traffic would commonly be sent to something like a network intrusion detection system (IDS) for analysis and monitoring.
An attacker could abuse this to capture all the traffic and obtain sensitive information from it:

{% content-ref url="aws-malicious-vpc-mirror.md" %} aws-malicious-vpc-mirror.md {% endcontent-ref %}

EC2

You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic.

Interesting things to enumerate in EC2:

  • Virtual Machines
    • SSH Keys
    • User Data
    • Snapshots
  • Networking
    • Networks
    • Subnetworks
    • Public IPs
    • Open ports
  • Integrated connections with other networks outside AWS

Instance Profiles

Using roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. An application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, you need an additional step to assign an AWS role and its associated permissions to an EC2 instance and make them available to its applications. This extra step is the creation of an instance profile attached to the instance. The instance profile contains the role and can provide the role's temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application's API calls to access resources and to limit access to only those resources that the role specifies. Note that only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.

Enumeration

# Get EC2 instances
aws ec2 describe-instances
aws ec2 describe-instance-status #Get status from running instances

# Get user data from each ec2 instance
for instanceid in $(aws ec2 describe-instances | grep -Eo '"i-[a-zA-Z0-9]+' | tr -d '"'); do
  aws ec2 describe-instance-attribute --instance-id "$instanceid" --attribute userData
done

# Instance profiles
aws iam list-instance-profiles
aws iam list-instance-profiles-for-role --role-name <name>


# Get tags
aws ec2 describe-tags

# Get volumes
aws ec2 describe-volume-status
aws ec2 describe-volumes

# Get snapshots
aws ec2 describe-snapshots --owner-ids self

# Scheduled instances
aws ec2 describe-scheduled-instances

# Get custom images
aws ec2 describe-images --owners self 

# Get Elastic IPs
aws ec2 describe-addresses

# Get current output
aws ec2 get-console-output --instance-id [id]

# Get VPN customer gateways
aws ec2 describe-customer-gateways
aws ec2 describe-vpn-gateways
aws ec2 describe-vpn-connections 

# List conversion tasks to upload/download VMs
aws ec2 describe-conversion-tasks
aws ec2 describe-import-image-tasks

# Get Bundle Tasks
aws ec2 describe-bundle-tasks

# Get Classic Instances
aws ec2 describe-classic-link-instances

# Get Dedicated Hosts
aws ec2 describe-hosts

# Get SSH Key Pairs
aws ec2 describe-key-pairs

# Get Internet Gateways
aws ec2 describe-internet-gateways

# Get NAT Gateways
aws ec2 describe-nat-gateways 

# Get subnetworks
aws ec2 describe-subnets

# Get FW rules
aws ec2 describe-network-acls

# Get security groups
aws ec2 describe-security-groups

# Get interfaces
aws ec2 describe-network-interfaces

# Get routes table
aws ec2 describe-route-tables

# Get VPCs
aws ec2 describe-vpcs 
aws ec2 describe-vpc-peering-connections

Copy Instance

First you need to extract data about the current instances and their AMI/security groups/subnet : aws ec2 describe-images --region eu-west-1

# create a new image for the instance-id
$ aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1  

# add key to AWS
$ aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1  

# create ec2 using the previously created AMI, use the same security group and subnet to connect easily.
$ aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1

# now you can check the instance 
aws ec2 describe-instances --instance-ids i-0546910a0c18725a1 

# If needed : edit groups
aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01"  --region eu-west-1

# be a good guy, clean our instance to avoid any useless cost
aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 
aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1

Privesc

In the following page you can check how to abuse EC2 permissions to escalate privileges:

{% content-ref url="../../aws-privilege-escalation/aws-ec2-privesc.md" %} aws-ec2-privesc.md {% endcontent-ref %}

DNS Exfiltration

Even if you lock down an EC2 so no traffic can get out, it can still exfil via DNS.

  • VPC Flow Logs will not record this.

  • You have no access to AWS DNS logs.

  • Disable this by setting "enableDnsSupport" to false with:

    aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id <vpc-id>

Network Persistence

If a defender finds that an EC2 instance was compromised he will probably try to isolate the network of the machine. He could do this with an explicit Deny NACL (but NACLs affect the entire subnet), or changing the security group not allowing any kind of inbound or outbound traffic.

If the attacker had an SSH connection with the machine the change of the security grup will kill this connection. However, if the attacker had a reverse shell originated from the machine, even if no inboud or outbound rule allows this connection, the connection won't be killed due to Security Group Connection Tracking.

Exfiltration via API calls

An attacker could call API endpoints of an account controlled by him. Cloudtrail will log this calls and the attacker will be able to see the exfil data in the Cloudtrail logs.

EBS

Amazon EBS (Elastic Block Store) snapshots are basically static backups of AWS EBS volumes. In other words, they are copies of the disks attached to an EC2 Instance at a specific point in time. EBS snapshots can be copied across regions and accounts, or even downloaded and run locally.

Snapshots can contain sensitive information such as source code or APi keys, therefore, if you have the chance, it's recommended to check it.

Checking a snapshot locally

# Install dependencies
pip install 'dsnap[cli]'
brew install vagrant
brew install virtualbox

# Get snapshot from image
mkdir snap_wordir; cd snap_workdir
dsnap init
## Download a snapshot of the volume of that instance
## If no snapshot existed it will try to create one
dsnap get <instance-id>
dsnap --profile default --region eu-west-1 get i-0d706e33814c1ef9a
## Other way to get a snapshot
dsnap list #List snapshots
dsnap get snap-0dbb0347f47e38b96 #Download snapshot directly

# Run with vagrant
IMAGE="<download_file>.img" vagrant up #Run image with vagrant+virtuabox
IMAGE="<download_file>.img" vagrant ssh #Access the VM
vagrant destroy #To destoy

# Run with docker
git clone https://github.com/RhinoSecurityLabs/dsnap.git
cd dsnap
make docker/build
IMAGE="<download_file>.img" make docker/run #With the snapshot downloaded

For more info on this technique check the original research in https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/

You can do this with Pacu using the module ebs__download_snapshots

Checking a snapshot in AWS

aws ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id  snap-0b49342abd1bdcb89

Mount it in a EC2 VM under your control (it has to be in the same region as the copy of the backup):

step 1: Head over to EC2 –> Volumes and create a new volume of your preferred size and type.

Step 2: Select the created volume, right click and select the “attach volume” option.

Step 3: Select the instance from the instance text box as shown below.\

Step 4: Now, login to your ec2 instance and list the available disks using the following command.

lsblk

The above command will list the disk you attached to your instance.

Step5:

You can do this with Pacu using the module ebs__explore_snapshots

Checking a snapshot in AWS (using cli)

aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id <snap-0b49342abd1bdcb89>

# Attach new volume to instance
$ aws ec2 attach-volume --device /dev/sdh --instance-id <INSTANCE-ID> --volume-id <VOLUME-ID>

# mount the snapshot from within the VM
$ sudo file -s /dev/xvdb1
# Returns:
# /dev/xvdb1: Linux rev 1.0 ext4 filesystem data, UUID=5a2075d0-d095-4511-bef9-802fd8a7610e, volume name "cloudimg-rootfs" (extents) (large files) (huge files)
$ sudo mount /dev/xvdb1 /mnt

Shadow Copy

Any AWS user possessing the EC2:CreateSnapshot permission can steal the hashes of all domain users by creating a snapshot of the Domain Controller mounting it to an instance they control and exporting the NTDS.dit and SYSTEM registry hive file for use with Impacket's secretsdump project.

You can use this tool to automate the attack: https://github.com/Static-Flow/CloudCopy or you could use one of the previous techniques after creating a snapshot.

Privesc

In the following page you can check how to abuse EBS permissions to escalate privileges:

{% content-ref url="../../aws-privilege-escalation/aws-ebs-privesc.md" %} aws-ebs-privesc.md {% endcontent-ref %}

SSM

Amazon Simple Systems Manager (SSM) allows to remotely manage floats of EC2 instances to make their administrations much more easy. Each of these instances need to be running the SSM Agent service as the service will be the one getting the actions and performing them from the AWS API.

SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources. The agent processes requests from the Systems Manager service in the AWS Cloud, and then runs them as specified in the request.

The SSM Agent comes preinstalled in some AMIs or you need to manually install them on the instances. Also, the IAM Role used inside the instance needs to have the policy AmazonEC2RoleforSSM attached to be able to communicate.

Enumeration

aws ssm describe-instance-information
aws ssm describe-parameters
aws ssm describe-sessions --state [Active|History]
aws ssm describe-instance-patches --instance-id <id>
aws ssm describe-instance-patch-states --instance-ids <id>
aws ssm describe-instance-associations-status --instance-id <id>

Privesc

In the following page you can check how to abuse SSM permissions to escalate privileges:

{% content-ref url="../../aws-privilege-escalation/aws-ssm-privesc.md" %} aws-ssm-privesc.md {% endcontent-ref %}

Post-Exploitation

Techniques like SSM message interception can be found in the SSM post-exploitation page:

{% content-ref url="aws-ssm-post-exploitation.md" %} aws-ssm-post-exploitation.md {% endcontent-ref %}

ELB

Elastic Load Balancing (ELB) is a load-balancing service for Amazon Web Services (AWS) deployments. ELB automatically distributes incoming application traffic and scales resources to meet traffic demands.

Enumeration

# List internet-facing ELBs
aws elb describe-load-balancers
aws elb describe-load-balancers | jq '.LoadBalancerDescriptions[]| select( .Scheme | contains("internet-facing"))|.DNSName'

# DONT FORGET TO CHECK VERSION 2
aws elbv2 describe-load-balancers
aws elbv2 describe-load-balancers | jq '.LoadBalancers[].DNSName'
aws elbv2 describe-listeners --load-balancer-arn <load_balancer_arn>

Launch Templates & Autoscaling Groups

Enumeration

# Launch templates
aws ec2 describe-launch-templates
aws ec2 describe-launch-template-versions --launch-template-id <launch_template_id>

# Autoscaling
aws autoscaling describe-auto-scaling-groups
aws autoscaling describe-auto-scaling-instances
aws autoscaling describe-launch-configurations
aws autoscaling describe-load-balancer-target-groups
aws autoscaling describe-load-balancers

VPN

Site-to-Site VPN

Connect your on premisses network with your VPC.

Concepts

  • VPN connection: A secure connection between your on-premises equipment and your VPCs.

  • VPN tunnel: An encrypted link where data can pass from the customer network to or from AWS.

    Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability.

  • Customer gateway: An AWS resource which provides information to AWS about your customer gateway device.

  • Customer gateway device: A physical device or software application on your side of the Site-to-Site VPN connection.

  • Virtual private gateway: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.

  • Transit gateway: A transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.

Limitations

  • IPv6 traffic is not supported for VPN connections on a virtual private gateway.
  • An AWS VPN connection does not support Path MTU Discovery.

In addition, take the following into consideration when you use Site-to-Site VPN.

  • When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks.

Components of Client VPN

Connect from your machine to your VPC

Concepts

  • Client VPN endpoint: The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated.
  • Target network: A target network is the network that you associate with a Client VPN endpoint. A subnet from a VPC is a target network. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone.
  • Route: Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table specifies the path for traffic to specific resources or networks.
  • Authorization rules: An authorization rule restricts the users who can access a network. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. Only users belonging to this group can access the specified network. By default, there are no authorization rules and you must configure authorization rules to enable users to access resources and networks.
  • Client: The end user connecting to the Client VPN endpoint to establish a VPN session. End users need to download an OpenVPN client and use the Client VPN configuration file that you created to establish a VPN session.
  • Client CIDR range: An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example, 10.2.0.0/16.
  • Client VPN ports: AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443.
  • Client VPN network interfaces: When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address.
  • Connection logging: You can enable connection logging for your Client VPN endpoint to log connection events. You can use this information to run forensics, analyze how your Client VPN endpoint is being used, or debug connection issues.
  • Self-service portal: You can enable a self-service portal for your Client VPN endpoint. Clients can log into the web-based portal using their credentials and download the latest version of the Client VPN endpoint configuration file, or the latest version of the AWS provided client.

Limitations

  • Client CIDR ranges cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint's route table.

  • Client CIDR ranges must have a block size of at least /22 and must not be greater than /12.

  • A portion of the addresses in the client CIDR range are used to support the availability model of the Client VPN endpoint, and cannot be assigned to clients. Therefore, we recommend that you assign a CIDR block that contains twice the number of IP addresses that are required to enable the maximum number of concurrent connections that you plan to support on the Client VPN endpoint.

  • The client CIDR range cannot be changed after you create the Client VPN endpoint.

  • The subnets associated with a Client VPN endpoint must be in the same VPC.

  • You cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint.

  • A Client VPN endpoint does not support subnet associations in a dedicated tenancy VPC.

  • Client VPN supports IPv4 traffic only.

  • Client VPN is not Federal Information Processing Standards (FIPS) compliant.

  • If multi-factor authentication (MFA) is disabled for your Active Directory, a user password cannot be in the following format.

    SCRV1:<base64_encoded_string>:<base64_encoded_string>

  • The self-service portal is not available for clients that authenticate using mutual authentication.

Enumeration

Check EC2 enumeration.

Support HackTricks and get benefits!