Merge pull request nccgroup#36 from Hacking-the-Cloud/add_content

Added article on whoami enumeration

content/aws/avoiding-detection/guardduty-pentest.md

@@ -1,7 +1,7 @@
 ---
 author: Nick Frichette
 title: Bypass GuardDuty Pentest Findings
-description: Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardDuty alerts by modifying the User Agent string
+description: Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardDuty alerts by modifying the User Agent string.
 enableEditBtn: true
 editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content
 ---

content/aws/avoiding-detection/steal-keys-undetected.md

@@ -1,7 +1,7 @@
 ---
 author: Nick Frichette
 title: Bypass Credential Exfiltration Detection
-description: When stealing IAM credentials from an EC2 instance you can avoid a GuardDuty detection by using the keys from another EC2 instance
+description: When stealing IAM credentials from an EC2 instance you can avoid a GuardDuty detection by using the keys from another EC2 instance.
 enableEditBtn: true
 editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content
 ---

content/aws/enumeration/enum_iam_user_role.md

@@ -1,7 +1,7 @@
 ---
 author: Nick Frichette
 title: Unauthenticated Enumeration of IAM Users and Roles
-description: Leverage cross account behaviors to enumerate IAM users and roles in a different AWS account without authentication
+description: Leverage cross account behaviors to enumerate IAM users and roles in a different AWS account without authentication.
 enableEditBtn: true
 editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content
 ---

content/aws/enumeration/whoami.md

@@ -0,0 +1,35 @@
+---
+author: Nick Frichette
+title: Whoami - Get Principal Name From Keys
+description: During an assessment you may find AWS IAM credentials. Use these tactics to identify the principal of the keys.
+enableEditBtn: true
+editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content
+---
+After finding or stealing IAM credentials during an assessment you will need to identify what they are used for, or if they are valid. The most common method for doing so would be to call the [get-caller-identity](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-caller-identity.html) API call. This is beneficial for a few reasons, in particular that it requires no special permissions to call.
+
+Unfortunately, because it is so simple many defenders are monitoring for these API calls. As a result we need alternatives. The good news for us is that a lot of AWS services will disclose the calling role along with the account ID as a result of an error. The following is certainly not a comprehensive list, and note that the principal needs to **NOT** have IAM permissions to make this call to return the information as an error.
+
+Not all API calls exhibit this behavior. Failed EC2 API calls, for example, will return a variant of the following.
+
+```
+An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.
+```
+
+### sdb list-domains
+As found by [Spencer Gietzen](https://twitter.com/SpenGietz/status/1283843401008336896), the API call for [sdb list-domains](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sdb/list-domains.html) will return verify similar information to get-caller-identity.
+
+```
+user@host:$ aws sdb list-domains --region us-east-1
+
+An error occurred (AuthorizationFailure) when calling the ListDomains operation: User (arn:aws:sts::123456789012:assumed-role/example_role/i-00000000000000000) does not have permission to perform (sdb:ListDomains) on resource (arn:aws:sdb:us-east-1:123456789012:domain/). Contact account owner.
+```
+
+{{< notice warning "Note" >}}
+According to Andrew Certain as of August 15, 2020 these calls are now tracked in CloudTrail ([tweet](https://twitter.com/tacertain/status/1294726441850900480)).
+{{< /notice >}}
+
+### route53 get-account-limit
+[route53 get-account-limit](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53/get-account-limit.html) will produce a similar result.
+
+### logs associate-kms-key
+[logs associate-kms-key](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/associate-kms-key.html) will produce a similar result.

content/aws/exploitation/ec2-metadata-ssrf.md

@@ -1,7 +1,7 @@
 ---
 author: Nick Frichette
 title: Steal EC2 Metadata Credentials via SSRF
-description: Old faithful; How to steal IAM Role credentials via the EC2 Metadata service via SSRF
+description: Old faithful; How to steal IAM Role credentials via the EC2 Metadata service via SSRF.
 enableEditBtn: true
 editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content
 ---

content/aws/exploitation/lambda-steal-iam-credentials.md

@@ -1,7 +1,7 @@
 ---
 author: Nick Frichette
 title: Steal IAM Credentials and Event Data from Lambda
-description: Leverage file read and SSRF vulnerabilities to steam IAM credentials and event data from Lambda
+description: Leverage file read and SSRF vulnerabilities to steam IAM credentials and event data from Lambda.
 enableEditBtn: true
 editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content
 ---

content/aws/exploitation/local-priv-esc-mod-instance-att.md

@@ -1,7 +1,7 @@
 ---
 author: Nick Frichette
 title: "Local Privilege Escalation: User Data"
-description: Escalate privileges on an EC2 instance by modifying the user-data scripts with modify-instance-attribute
+description: Escalate privileges on an EC2 instance by modifying the user-data scripts with modify-instance-attribute.
 enableEditBtn: true
 editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content
 weight: 4

content/aws/exploitation/local-priv-esc-user-data-s3.md

@@ -1,7 +1,7 @@
 ---
 author: Nick Frichette
 title: "Local Privilege Escalation: User Data 2"
-description: Escalate privileges on an EC2 instance by modifying scripts and packages called by user data
+description: Escalate privileges on an EC2 instance by modifying scripts and packages called by user data.
 enableEditBtn: true
 editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content
 weight: 5

content/aws/general-knowledge/connection-tracking.md

@@ -1,7 +1,7 @@
 ---
 author: "Nick Frichette"
 title: "Connection Tracking"
-description: "Abuse security group connection tracking to maintain persistence even when security group rules are changed"
+description: "Abuse security group connection tracking to maintain persistence even when security group rules are changed."
 enableEditBtn: true
 editBaseURL: "https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content"
 ---

content/aws/general-knowledge/iam-key-identifiers.md

@@ -1,7 +1,7 @@
 ---
 author: "Nick Frichette"
 title: IAM ID Identifiers
-description: Chart of the IAM ID Prefixes
+description: Chart of the IAM ID Prefixes.
 enableEditBtn: true
 editBaseURL: "https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content"
 ---

content/aws/persistence/aws_consoler.md

@@ -1,7 +1,7 @@
 ---
 author: "Nick Frichette"
 title: "AWS Consoler"
-description: "Leverage stolen credentials to use the AWS Console"
+description: "Leverage stolen credentials to use the AWS Console."
 enableEditBtn: true
 editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content
 ---

content/aws/persistence/role-chain-juggling.md

@@ -1,7 +1,7 @@
 ---
 author: "Nick Frichette"
 title: "Role Chain Juggling"
-description: "Keep your access by chaining assume-role calls"
+description: "Keep your access by chaining assume-role calls."
 enableEditBtn: true
 editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content
 ---