diff --git a/content/aws/avoiding-detection/guardduty-pentest.md b/content/aws/avoiding-detection/guardduty-pentest.md index 6631bf8..37abd0a 100644 --- a/content/aws/avoiding-detection/guardduty-pentest.md +++ b/content/aws/avoiding-detection/guardduty-pentest.md @@ -1,7 +1,7 @@ --- author: Nick Frichette title: Bypass GuardDuty Pentest Findings -description: Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardDuty alerts by modifying the User Agent string +description: Prevent Kali Linux, ParrotOS, and Pentoo Linux from throwing GuardDuty alerts by modifying the User Agent string. enableEditBtn: true editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content --- diff --git a/content/aws/avoiding-detection/steal-keys-undetected.md b/content/aws/avoiding-detection/steal-keys-undetected.md index 6bdb374..2d7c534 100644 --- a/content/aws/avoiding-detection/steal-keys-undetected.md +++ b/content/aws/avoiding-detection/steal-keys-undetected.md @@ -1,7 +1,7 @@ --- author: Nick Frichette title: Bypass Credential Exfiltration Detection -description: When stealing IAM credentials from an EC2 instance you can avoid a GuardDuty detection by using the keys from another EC2 instance +description: When stealing IAM credentials from an EC2 instance you can avoid a GuardDuty detection by using the keys from another EC2 instance. enableEditBtn: true editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content --- diff --git a/content/aws/enumeration/enum_iam_user_role.md b/content/aws/enumeration/enum_iam_user_role.md index 6b1882a..6904f71 100644 --- a/content/aws/enumeration/enum_iam_user_role.md +++ b/content/aws/enumeration/enum_iam_user_role.md 
@@ -1,7 +1,7 @@ --- author: Nick Frichette title: Unauthenticated Enumeration of IAM Users and Roles -description: Leverage cross account behaviors to enumerate IAM users and roles in a different AWS account without authentication +description: Leverage cross account behaviors to enumerate IAM users and roles in a different AWS account without authentication. enableEditBtn: true editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content --- diff --git a/content/aws/enumeration/whoami.md b/content/aws/enumeration/whoami.md new file mode 100644 index 0000000..e5d4e10 --- /dev/null +++ b/content/aws/enumeration/whoami.md 
@@ -0,0 +1,35 @@ +--- +author: Nick Frichette +title: Whoami - Get Principal Name From Keys +description: During an assessment you may find AWS IAM credentials. Use these tactics to identify the principal of the keys. +enableEditBtn: true +editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content +--- +After finding or stealing IAM credentials during an assessment you will need to identify what they are used for, or if they are valid. The most common method for doing so would be to call the [get-caller-identity](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-caller-identity.html) API call. This is beneficial for a few reasons, in particular that it requires no special permissions to call. + +Unfortunately, because it is so simple many defenders are monitoring for these API calls. As a result we need alternatives. The good news for us is that a lot of AWS services will disclose the calling role along with the account ID as a result of an error. The following is certainly not a comprehensive list, and note that the principal needs to **NOT** have IAM permissions to make this call to return the information as an error. + +Not all API calls exhibit this behavior. Failed EC2 API calls, for example, will return a variant of the following. + +``` +An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation. +``` + +### sdb list-domains +As found by [Spencer Gietzen](https://twitter.com/SpenGietz/status/1283843401008336896), the API call for [sdb list-domains](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sdb/list-domains.html) will return verify similar information to get-caller-identity. 
+ +``` +user@host:$ aws sdb list-domains --region us-east-1 + +An error occurred (AuthorizationFailure) when calling the ListDomains operation: User (arn:aws:sts::123456789012:assumed-role/example_role/i-00000000000000000) does not have permission to perform (sdb:ListDomains) on resource (arn:aws:sdb:us-east-1:123456789012:domain/). Contact account owner. +``` + +{{< notice warning "Note" >}} +According to Andrew Certain as of August 15, 2020 these calls are now tracked in CloudTrail ([tweet](https://twitter.com/tacertain/status/1294726441850900480)). +{{< /notice >}} + +### route53 get-account-limit +[route53 get-account-limit](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53/get-account-limit.html) will produce a similar result. + +### logs associate-kms-key +[logs associate-kms-key](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/associate-kms-key.html) will produce a similar result. \ No newline at end of file diff --git a/content/aws/exploitation/ec2-metadata-ssrf.md b/content/aws/exploitation/ec2-metadata-ssrf.md index 7b5a631..8f3eec8 100644 --- a/content/aws/exploitation/ec2-metadata-ssrf.md +++ b/content/aws/exploitation/ec2-metadata-ssrf.md @@ -1,7 +1,7 @@ --- author: Nick Frichette title: Steal EC2 Metadata Credentials via SSRF -description: Old faithful; How to steal IAM Role credentials via the EC2 Metadata service via SSRF +description: Old faithful; How to steal IAM Role credentials via the EC2 Metadata service via SSRF. enableEditBtn: true editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content --- diff --git a/content/aws/exploitation/lambda-steal-iam-credentials.md b/content/aws/exploitation/lambda-steal-iam-credentials.md index 39644de..c542c32 100644 --- a/content/aws/exploitation/lambda-steal-iam-credentials.md +++ b/content/aws/exploitation/lambda-steal-iam-credentials.md 
@@ -1,7 +1,7 @@ --- author: Nick Frichette title: Steal IAM Credentials and Event Data from Lambda -description: Leverage file read and SSRF vulnerabilities to steam IAM credentials and event data from Lambda +description: Leverage file read and SSRF vulnerabilities to steam IAM credentials and event data from Lambda. enableEditBtn: true editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content --- diff --git a/content/aws/exploitation/local-priv-esc-mod-instance-att.md b/content/aws/exploitation/local-priv-esc-mod-instance-att.md index c85f3ca..0acb3a5 100644 --- a/content/aws/exploitation/local-priv-esc-mod-instance-att.md +++ b/content/aws/exploitation/local-priv-esc-mod-instance-att.md @@ -1,7 +1,7 @@ --- author: Nick Frichette title: "Local Privilege Escalation: User Data" -description: Escalate privileges on an EC2 instance by modifying the user-data scripts with modify-instance-attribute +description: Escalate privileges on an EC2 instance by modifying the user-data scripts with modify-instance-attribute. enableEditBtn: true editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content weight: 4 diff --git a/content/aws/exploitation/local-priv-esc-user-data-s3.md b/content/aws/exploitation/local-priv-esc-user-data-s3.md index 013c6f3..b9fd8b0 100644 --- a/content/aws/exploitation/local-priv-esc-user-data-s3.md +++ b/content/aws/exploitation/local-priv-esc-user-data-s3.md @@ -1,7 +1,7 @@ --- author: Nick Frichette title: "Local Privilege Escalation: User Data 2" -description: Escalate privileges on an EC2 instance by modifying scripts and packages called by user data +description: Escalate privileges on an EC2 instance by modifying scripts and packages called by user data. enableEditBtn: true editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content weight: 5 
diff --git a/content/aws/general-knowledge/connection-tracking.md b/content/aws/general-knowledge/connection-tracking.md index c3ab47f..c274899 100644 --- a/content/aws/general-knowledge/connection-tracking.md +++ b/content/aws/general-knowledge/connection-tracking.md @@ -1,7 +1,7 @@ --- author: "Nick Frichette" title: "Connection Tracking" -description: "Abuse security group connection tracking to maintain persistence even when security group rules are changed" +description: "Abuse security group connection tracking to maintain persistence even when security group rules are changed." enableEditBtn: true editBaseURL: "https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content" --- diff --git a/content/aws/general-knowledge/iam-key-identifiers.md b/content/aws/general-knowledge/iam-key-identifiers.md index 741f70c..8cdd0ee 100644 --- a/content/aws/general-knowledge/iam-key-identifiers.md +++ b/content/aws/general-knowledge/iam-key-identifiers.md @@ -1,7 +1,7 @@ --- author: "Nick Frichette" title: IAM ID Identifiers -description: Chart of the IAM ID Prefixes +description: Chart of the IAM ID Prefixes. enableEditBtn: true editBaseURL: "https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content" --- diff --git a/content/aws/persistence/aws_consoler.md b/content/aws/persistence/aws_consoler.md index f4ffd00..4fd9773 100644 --- a/content/aws/persistence/aws_consoler.md +++ b/content/aws/persistence/aws_consoler.md @@ -1,7 +1,7 @@ --- author: "Nick Frichette" title: "AWS Consoler" -description: "Leverage stolen credentials to use the AWS Console" +description: "Leverage stolen credentials to use the AWS Console." enableEditBtn: true editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content --- diff --git a/content/aws/persistence/role-chain-juggling.md b/content/aws/persistence/role-chain-juggling.md index 36bfdbc..1a81054 100644 --- a/content/aws/persistence/role-chain-juggling.md 
+++ b/content/aws/persistence/role-chain-juggling.md @@ -1,7 +1,7 @@ --- author: "Nick Frichette" title: "Role Chain Juggling" -description: "Keep your access by chaining assume-role calls" +description: "Keep your access by chaining assume-role calls." enableEditBtn: true editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/master/content ---
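Review bot: the enum_iam_user_role.md hunk edits the description line only to append a period but leaves "cross account behaviors" unhyphenated; since the line is already being touched, change it to "cross-account behaviors" in the same hunk so the front matter is not revisited for a second one-character fix.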
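Review bot: the lambda-steal-iam-credentials.md hunk adds a trailing period to the description but keeps the typo "steam IAM credentials"; the `+` line should read "Leverage file read and SSRF vulnerabilities to steal IAM credentials and event data from Lambda." so the published description is not wrong after this punctuation-only pass.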
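Review bot: in the new whoami.md hunk the "sdb list-domains" paragraph reads "will return verify similar information to get-caller-identity", which should be "very similar"; and the warning that these calls are tracked in CloudTrail as of August 15, 2020 needs to state what that means for the technique, namely that a defender can alert on the failed sdb:ListDomains call just as on GetCallerIdentity, rather than being left as a bare footnote under a page whose premise is avoiding monitored calls. The "route53 get-account-limit" and "logs associate-kms-key" sections each say only "will produce a similar result" with no example error output and no note on whether those calls are logged, so readers cannot compare them to the sdb example above; either show the error message or say the output was not captured. The opening paragraph also reads "call the get-caller-identity API call", which can be tightened to "call the get-caller-identity API". Finally the file ends with "\ No newline at end of file"; add the trailing newline.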