Enumeration
Unauthenticated Enumeration
- Cloud Mapping and Initial Info (OSINT)
Use OSINT for unauthenticated enumeration: DNS enumeration (subdomains and CNAMEs pointing at AWS-hosted services) and the external identity providers the target federates with.
Enumerate publicly accessible AWS resources (S3 buckets, app domains, etc.) with OSINT tools like cloud_enum.py.
Search GitHub for leaked credentials (access key IDs, secret access keys, credentials files) that grant direct API access.
- Account Ids
To check whether an account ID or alias exists:
curl -v https://{account_id or alias}.signin.aws.amazon.com
If the response is 404 it doesn't exist; if 200, it does.
To brute-force candidate IDs or aliases:
https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_accounts.py
- Cognito Unauthenticated Enum
Amazon Cognito is used for authentication, authorization and user management in web and mobile applications. Users can sign in directly with a user name and password or through a third-party identity provider such as Facebook, Amazon, Google or Apple.
For unauthenticated enumeration of (and attacks against) Cognito user and identity pools, use the cognito__enum and cognito__attack Pacu modules.
- Public Web Apps
The "Initial Access > Exploiting Web App" section includes techniques for unauthenticated enumeration of S3 buckets, EC2 instances, etc.
Authenticated Enumeration
Authentication Methods
- AWS Management Console
https://console.aws.amazon.com/
IAM root user's credentials [Username + Password] - long-term access
IAM user's credentials [Username + Password] - long-term access
IAM Identity Center (SSO) user's credentials [Username + Password] - the access portal issues short-term (temporary) credentials per permission set
If we have the root user's password: https://signin.aws.amazon.com/console
If we have an IAM user's password: https://account-id-here.signin.aws.amazon.com/console (the account alias can be used in place of the account ID)
- AWS CLI
Long term -> Access Key ID + Secret Access Key:
aws configure --profile h4ker
Short term -> Access Key ID + Secret Access Key + Session Token (aws configure does not prompt for the token, so pass all three through environment variables; use set in Windows cmd and export in bash):
aws configure
set AWS_ACCESS_KEY_ID=…
set AWS_SECRET_ACCESS_KEY=…
set AWS_SESSION_TOKEN=…
Then, in both cases, to confirm which identity the credentials belong to (account ID, user ID and ARN):
aws sts get-caller-identity --profile h4ker
The credentials are stored in the credentials file (region and output format live in the config file next to it):
Windows: C:\Users\UserName\.aws\credentials
Linux: /home/UserName/.aws/credentials
To configure and validate temporary credentials in the AWS CLI under a dedicated profile:
aws configure set aws_access_key_id [key-id] --profile ec2
aws configure set aws_secret_access_key [secret-key] --profile ec2
aws configure set aws_session_token [token] --profile ec2
aws sts get-caller-identity --profile ec2
To easily convert CLI credentials into a console sign-in URL: https://github.com/NetSPI/aws_consoler
AWS CLI Enumeration
- Users
List of IAM Users:
aws iam list-users
List the IAM groups that the specified IAM user belongs to:
aws iam list-groups-for-user --user-name [user-name]
List all managed policies that are attached to the specified IAM user:
aws iam list-attached-user-policies --user-name [user-name]
Lists the names of the inline policies embedded in the specified IAM user:
aws iam list-user-policies --user-name [user-name]
- Groups
List of IAM Groups:
aws iam list-groups
List all users in a group:
aws iam get-group --group-name [group-name]
Lists all managed policies that are attached to the specified IAM group:
aws iam list-attached-group-policies --group-name [group-name]
List the names of the inline policies embedded in the specified IAM group:
aws iam list-group-policies --group-name [group-name]
- Roles
List of IAM Roles:
aws iam list-roles
Lists all managed policies that are attached to the specified IAM role:
aws iam list-attached-role-policies --role-name [role-name]
aws iam list-attached-role-policies --role-name jump-ec2-role --profile h4ker
List the names of the inline policies embedded in the specified IAM role:
aws iam list-role-policies --role-name [role-name]
aws iam list-role-policies --role-name jump-ec2-role --profile h4ker
- Policies
List all IAM policies (AWS-managed and customer-managed; the --scope Local option restricts the output to customer-managed ones):
aws iam list-policies
Retrieves information about the specified managed policy:
aws iam get-policy --policy-arn [policy-arn]
Lists the versions of the specified managed policy (the default version is the one in effect; older versions can reveal previously granted permissions):
aws iam list-policy-versions --policy-arn [policy-arn]
Retrieve the policy document of the specified version of a managed policy:
aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id]
Retrieve the specified inline policy document embedded in an IAM user / group / role:
aws iam get-user-policy --user-name [user-name] --policy-name [policy-name]
aws iam get-group-policy --group-name [group-name] --policy-name [policy-name]
aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]
aws iam get-role-policy --role-name jump-ec2-role --policy-name jump-inline-policy --profile h4ker
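The commands above only print policy documents; what matters in a pentest is which statements grant wildcards or escalation-prone permissions. The following script is an added example (not from the original page) that consumes the JSON returned by get-policy-version (PolicyVersion.Document) and by get-user-policy / get-group-policy / get-role-policy (PolicyDocument), normalises the single-string-or-list fields IAM allows, and flags risky Allow statements. The two sample outputs, the jump-inline-policy contents and the ESCALATION_ACTIONS list are constructed for illustration and are not exhaustive.

```python
"""Triage IAM policy documents returned by the IAM CLI commands.

Added example, not from the original page. Consumes the JSON printed by
`aws iam get-policy-version` (PolicyVersion.Document) and the three
get-*-policy commands (PolicyDocument) and flags wildcard or
escalation-prone Allow statements. Sample outputs are constructed.
"""
import fnmatch
import json

# Actions that commonly enable privilege escalation when granted broadly.
# Assumption: a short illustrative list, not an exhaustive catalogue.
ESCALATION_ACTIONS = (
    "ec2:RunInstances", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:AttachUserPolicy", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:CreatePolicyVersion", "iam:PassRole", "iam:PutGroupPolicy",
    "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy", "iam:UpdateLoginProfile",
    "lambda:UpdateFunctionCode", "sts:AssumeRole",
)


def extract_document(cli_output):
    """Return the policy document from raw CLI JSON (string or parsed dict).

    Handles get-policy-version output (PolicyVersion.Document), the three
    get-*-policy outputs (PolicyDocument) and a bare policy document.
    """
    data = json.loads(cli_output) if isinstance(cli_output, str) else cli_output
    if "PolicyVersion" in data:
        return data["PolicyVersion"]["Document"]
    if "PolicyDocument" in data:
        return data["PolicyDocument"]
    return data


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise it."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def analyze_policy(cli_output):
    """List risky Allow statements: one finding dict per (statement, issue)."""
    findings = []
    statements = _as_list(extract_document(cli_output).get("Statement"))
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid") or "Statement[%d]" % idx
        resources = ",".join(_as_list(stmt.get("Resource"))) or "-"
        base = {"sid": sid, "resource": resources, "conditioned": "Condition" in stmt}
        if "NotAction" in stmt:
            findings.append(dict(base, action="NotAction",
                                 reason="Allow with NotAction grants every action not listed"))
        for pattern in _as_list(stmt.get("Action")):
            if pattern == "*":
                findings.append(dict(base, action=pattern, reason="full wildcard action"))
            elif pattern.endswith(":*"):
                findings.append(dict(base, action=pattern, reason="service-wide wildcard action"))
            for granted in ESCALATION_ACTIONS:
                if action_matches(pattern, granted):
                    findings.append(dict(base, action=granted,
                                         reason="escalation-prone action granted by %s" % pattern))
    return findings


def escalation_actions(cli_output):
    """Sorted list of ESCALATION_ACTIONS that the policy's Allow statements grant."""
    return sorted({f["action"] for f in analyze_policy(cli_output)
                   if f["action"] in ESCALATION_ACTIONS})


# Constructed sample: an inline policy on the jump-ec2-role named on this page.
SAMPLE_GET_ROLE_POLICY = json.dumps({
    "RoleName": "jump-ec2-role",
    "PolicyName": "jump-inline-policy",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Describe", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
            {"Sid": "Launch", "Effect": "Allow",
             "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
            {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
        ],
    },
})

# Constructed sample: a managed policy version that is full admin.
SAMPLE_GET_POLICY_VERSION = json.dumps({
    "PolicyVersion": {
        "VersionId": "v1", "IsDefaultVersion": True,
        "Document": {"Version": "2012-10-17",
                     "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    }
})

if __name__ == "__main__":
    for sample in (SAMPLE_GET_ROLE_POLICY, SAMPLE_GET_POLICY_VERSION):
        for f in analyze_policy(sample):
            print("%-10s %-28s res=%-6s cond=%-5s %s"
                  % (f["sid"], f["action"], f["resource"], f["conditioned"], f["reason"]))
        print("escalation:", ", ".join(escalation_actions(sample)))
```

Pipe the output of any of the get-*-policy commands into analyze_policy and review the findings where conditioned is False first; a Condition on aws:SourceIp, aws:PrincipalOrgID or similar often makes an otherwise broad grant unusable from outside.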
- EC2
Listing information about all instances:
aws ec2 describe-instances --profile auditor
Listing information about a specific region:
aws ec2 describe-instances --region region
Listing information about specific instance:
aws ec2 describe-instances --instance-ids ID
Extracting the UserData attribute of the specified instance (the bootstrap script or cloud-init data passed at launch, which often contains commands, credentials or internal hostnames; the value comes back base64-encoded, so decode it before reading):
aws ec2 describe-instance-attribute --attribute userData --instance-id instanceID
Listing the instance profile (role) associations, i.e. which IAM role each instance can use:
aws ec2 describe-iam-instance-profile-associations
With the Pacu framework (module names use a double underscore):
run ec2__enum
data EC2
To list all EC2 public IPs across regions, first create regions.txt with one region name per line (the enabled regions can be obtained from aws ec2 describe-regions).
Then run the following one-liner (instances without a public IP return null, which is filtered out):
while read r; do aws ec2 describe-instances --query=Reservations[].Instances[].PublicIpAddress --region $r | jq -r '.[] | select(. != null)' >> ec2-public-ips.txt; done < regions.txt; sort -u ec2-public-ips.txt -o ec2-public-ips.txt
To also list all ELB DNS names (ALB/NLB through elbv2 and classic ELB through elb):
while read r; do aws elbv2 describe-load-balancers --query LoadBalancers[*].DNSName --region $r | jq -r '.[]' >> elb-public-dns.txt; aws elb describe-load-balancers --query LoadBalancerDescriptions[*].DNSName --region $r | jq -r '.[]' >> elb-public-dns.txt; done < regions.txt; sort -u elb-public-dns.txt -o elb-public-dns.txt
- S3
List the S3 buckets owned by the account (buckets in other accounts that a policy grants access to are not shown; address those by name):
aws s3 ls
Listing all buckets in the account through the s3api interface:
aws s3api list-buckets
Getting the ACL of a specific bucket (look for grants to the AllUsers or AuthenticatedUsers groups):
aws s3api get-bucket-acl --bucket name
Getting information about a specific bucket policy:
aws s3api get-bucket-policy --bucket name
Getting the Public Access Block configuration for an S3 bucket:
aws s3api get-public-access-block --bucket name
Listing all objects in a specific bucket:
aws s3api list-objects --bucket name
Getting ACL information about a specific object:
aws s3api get-object-acl --bucket name --key object_name
List the contents of an S3 bucket:
aws s3 ls s3://<bucketname>/
Save the names of all S3 buckets to a file:
aws s3 ls | awk '{print $3}' >> s3-all-buckets.txt
To list objects in all the S3 buckets discovered with the previous command:
while read p; do echo $p; aws s3 ls s3://$p; done < s3-all-buckets.txt
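Whether a bucket is actually reachable by outsiders depends on the combination of its ACL, its bucket policy and the public access block settings, not on any one of the commands above. The script below is an added example (not from the original page) that joins the JSON of get-bucket-acl, get-public-access-block and get-bucket-policy for one bucket into a single verdict: public ACL grants only count when IgnorePublicAcls is off, and a Principal "*" policy statement only counts when RestrictPublicBuckets is off. The bucket name static-assets and all sample outputs are constructed.

```python
"""Decide whether an S3 bucket is effectively public from s3api CLI outputs.

Added example, not from the original page. Combines the JSON printed by
`aws s3api get-bucket-acl`, `aws s3api get-public-access-block` and
`aws s3api get-bucket-policy` for one bucket. Samples are constructed.
"""
import json

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _load(cli_output):
    if cli_output is None:
        return None
    return json.loads(cli_output) if isinstance(cli_output, str) else cli_output


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl_output):
    """Return (grantee label, permission) pairs granted to the two public groups."""
    grants = []
    for grant in (_load(acl_output) or {}).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            grants.append((PUBLIC_GRANTEE_URIS[uri], grant.get("Permission")))
    return grants


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_output):
    """Return (public Sids, conditioned Sids) for Allow statements with Principal '*'.

    Statements carrying a Condition (source VPC endpoint, IP range, ...) are
    not necessarily reachable by everyone, so they are reported separately.
    """
    data = _load(policy_output)
    if not data or "Policy" not in data:
        return [], []
    policy = data["Policy"]
    if isinstance(policy, str):  # the CLI returns the document as an escaped JSON string
        policy = json.loads(policy)
    public, conditional = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid") or "Statement[%d]" % idx
        (conditional if "Condition" in stmt else public).append(sid)
    return public, conditional


def assess_bucket(name, acl_output, pab_output=None, policy_output=None):
    """Combine ACL, public access block and policy into one verdict.

    pab_output is None when get-public-access-block failed with
    NoSuchPublicAccessBlockConfiguration, i.e. no block is configured.
    """
    pab = (_load(pab_output) or {}).get("PublicAccessBlockConfiguration") or {}
    acl_grants = public_acl_grants(acl_output)
    public_stmts, conditional_stmts = public_policy_statements(policy_output)
    acl_exposed = bool(acl_grants) and not pab.get("IgnorePublicAcls", False)
    policy_exposed = bool(public_stmts) and not pab.get("RestrictPublicBuckets", False)
    return {
        "bucket": name,
        "public_acl_grants": acl_grants,
        "public_policy_statements": public_stmts,
        "conditional_policy_statements": conditional_stmts,
        "public_access_block": pab,
        "effectively_public": acl_exposed or policy_exposed,
    }


# Constructed samples of the three command outputs.
SAMPLE_ACL_PUBLIC_READ = json.dumps({
    "Owner": {"ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
})
SAMPLE_PAB_ALL_ON = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}})
SAMPLE_POLICY_PUBLIC_GET = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-assets/*"}]})})

if __name__ == "__main__":
    for label, pab in (("no block", None), ("block on", SAMPLE_PAB_ALL_ON)):
        v = assess_bucket("static-assets", SAMPLE_ACL_PUBLIC_READ, pab, SAMPLE_POLICY_PUBLIC_GET)
        print(label, "-> public:", v["effectively_public"],
              v["public_acl_grants"], v["public_policy_statements"])
```

A verdict of effectively_public still deserves a confirmation from an unauthenticated position (for example an unsigned GET against the bucket URL), since account-level public access block settings, which this script does not query, override the bucket-level ones.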
- Lambda
To list all lambda functions:
aws lambda list-functions
To get the configuration of a specific Lambda function (runtime, execution role, environment variables) together with a presigned URL (Code.Location) from which the deployment package can be downloaded; the source and environment may contain keys or other interesting information:
aws lambda get-function --function-name function_name
To get the resource-based policy of the function, which shows which principals or services are allowed to invoke it:
aws lambda get-policy --function-name function_name
To list the event source mapping information about a lambda function:
aws lambda list-event-source-mappings --function-name function_name
To list Lambda layers (shared dependencies):
aws lambda list-layers
Then, to list full information about a lambda layer:
aws lambda get-layer-version --layer-name name --version-number version_number
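Both the EC2 user data above and the Lambda environment variables from get-function are places where operators leave credentials behind. The script below is an added example (not from the original page) serving both passages: it base64-decodes the UserData.Value field of describe-instance-attribute output, walks Configuration.Environment.Variables of get-function output, scans both for common credential shapes, and surfaces the presigned Code.Location URL for download. The instance ID, function name, placeholder URL and sample scripts are constructed; the access key is AWS's documentation example key; the regexes are illustrative, not exhaustive.

```python
"""Decode EC2 user data and scan it, plus Lambda env vars, for secrets.

Added example, not from the original page. Parses the JSON printed by
`aws ec2 describe-instance-attribute --attribute userData` (UserData.Value
is base64) and by `aws lambda get-function` (Configuration.Environment
.Variables and the presigned Code.Location URL). Samples are constructed.
"""
import base64
import json
import re

# Credential shapes commonly left in bootstrap scripts and env vars.
# Assumption: illustrative patterns, not an exhaustive set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "keyword_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api_?key)\w*\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def _load(cli_output):
    return json.loads(cli_output) if isinstance(cli_output, str) else cli_output


def decode_user_data(cli_output):
    """Return the decoded user data script, or '' when the instance has none."""
    value = (_load(cli_output).get("UserData") or {}).get("Value")
    if not value:
        return ""
    return base64.b64decode(value).decode("utf-8", errors="replace")


def scan_text(text, source):
    """One hit per (line, pattern) match; the line is kept for manual triage."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append({"source": source, "line": lineno, "type": kind, "text": line.strip()})
    return hits


def scan_user_data(cli_output):
    """Decode and scan the user data of one describe-instance-attribute result."""
    data = _load(cli_output)
    instance = data.get("InstanceId", "unknown")
    return scan_text(decode_user_data(data), "ec2:%s:userdata" % instance)


def scan_lambda_function(cli_output):
    """Scan env vars of a get-function result and surface the code download URL."""
    data = _load(cli_output)
    cfg = data.get("Configuration") or {}
    name = cfg.get("FunctionName", "unknown")
    variables = (cfg.get("Environment") or {}).get("Variables") or {}
    hits = []
    for key, value in variables.items():
        hits.extend(scan_text("%s=%s" % (key, value), "lambda:%s:env" % name))
    return {"function": name, "role": cfg.get("Role"),
            "code_url": (data.get("Code") or {}).get("Location"), "hits": hits}


# Constructed sample user data (AKIAIOSFODNN7EXAMPLE is AWS's documentation key).
SAMPLE_USER_DATA_SCRIPT = """#!/bin/bash
apt-get update -y
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
echo "DB_PASSWORD=Sup3rS3cret!" >> /etc/app.env
"""
SAMPLE_DESCRIBE_ATTRIBUTE = json.dumps({
    "InstanceId": "i-0123456789abcdef0",
    "UserData": {"Value": base64.b64encode(SAMPLE_USER_DATA_SCRIPT.encode()).decode()},
})

# Constructed get-function output (Code.Location is a placeholder, not a real URL).
SAMPLE_GET_FUNCTION = json.dumps({
    "Configuration": {
        "FunctionName": "orders-api",
        "Role": "arn:aws:iam::123456789012:role/orders-api-role",
        "Environment": {"Variables": {"DB_HOST": "db.internal", "DB_PASSWORD": "hunter22",
                                      "API_TOKEN": "tok_123456"}},
    },
    "Code": {"RepositoryType": "S3", "Location": "https://presigned.example.invalid/orders-api.zip"},
})

if __name__ == "__main__":
    for hit in scan_user_data(SAMPLE_DESCRIBE_ATTRIBUTE):
        print("%s line %d [%s]: %s" % (hit["source"], hit["line"], hit["type"], hit["text"]))
    result = scan_lambda_function(SAMPLE_GET_FUNCTION)
    print("download code from:", result["code_url"])
    for hit in result["hits"]:
        print("%s [%s]: %s" % (hit["source"], hit["type"], hit["text"]))
```

Feed scan_user_data the raw output of describe-instance-attribute for each instance ID from describe-instances, and scan_lambda_function the output of get-function for each name from list-functions; the presigned Code.Location URL expires after a short time, so download the package in the same session.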
- API Gateway
To list REST APIs:
aws apigateway get-rest-apis
For listing information about a specific API:
aws apigateway get-rest-api --rest-api-id ID
To get information about endpoints:
aws apigateway get-resources --rest-api-id ID
To list information about a specific endpoint:
aws apigateway get-resource --rest-api-id ID --resource-id ID
To get information about a method (test all of them to see if the API supports them):
aws apigateway get-method --rest-api-id ApiID --resource-id ID --http-method method
To list the stages (deployed versions) of a REST API:
aws apigateway get-stages --rest-api-id ID
Getting information about a specific stage:
aws apigateway get-stage --rest-api-id ID --stage-name NAME
Listing API keys together with their values:
aws apigateway get-api-keys --include-values
Then, for getting information about a specific API Key:
aws apigateway get-api-key --api-key KEY
- Secrets Manager
To list all secrets stored by AWS Secrets Manager:
aws secretsmanager list-secrets
To retrieve detailed information about a specific secret:
aws secretsmanager describe-secret --secret-id <secret_id>
To get the resource policy attached to a specific secret:
aws secretsmanager get-resource-policy --secret-id <secret_id>
- KMS
To list all keys managed by AWS Key Management Service (KMS):
aws kms list-keys
To obtain detailed information about a specific KMS key:
aws kms describe-key --key-id <key_id>
To list policies attached to a specific KMS key:
aws kms list-key-policies --key-id <key_id>
To get full details about a policy attached to a KMS key:
aws kms get-key-policy --policy-name <policy_name> --key-id <key_id>
- ECR
Listing all repositories in container registry:
aws ecr describe-repositories
Getting the repository policy (who is allowed to pull from or push to it):
aws ecr get-repository-policy --repository-name <repository_name>
Listing all images in a specific repository:
aws ecr list-images --repository-name <repository_name>
Listing information about an image:
aws ecr describe-images --repository-name <repository_name> --image-ids imageTag=<tag_name>
- ECS
Listing all ECS clusters:
aws ecs list-clusters
Listing information about a specific cluster:
aws ecs describe-clusters --clusters <cluster_name>
Listing all services in specified cluster:
aws ecs list-services --cluster <cluster_name>
Listing information about a specific service:
aws ecs describe-services --cluster <cluster_name> --services <service_name>
Listing tasks in a specific cluster:
aws ecs list-tasks --cluster <cluster_name>
Listing information about a specific task, including its network configuration (ENI, private and public IPs):
aws ecs describe-tasks --cluster <cluster_name> --tasks <task_arn>
Listing all containers in specified cluster:
aws ecs list-container-instances --cluster <cluster_name>
- EKS
Listing all EKS clusters:
aws eks list-clusters
Listing information about a specific cluster:
aws eks describe-cluster --name <cluster_name>
Listing all node groups in specified cluster:
aws eks list-nodegroups --cluster-name <cluster_name>
Listing specific information about a node group in a cluster:
aws eks describe-nodegroup --cluster-name <cluster_name> --nodegroup-name <nodegroup_name>
Listing Fargate profiles in specified cluster:
aws eks list-fargate-profiles --cluster-name <cluster_name>
Listing information about a Fargate profile in a cluster:
aws eks describe-fargate-profile --cluster-name <cluster_name> --fargate-profile-name <profile_name>
Update kubeconfig:
aws eks update-kubeconfig --name <cluster-name> --region <region>
- Elastic Block Store
First, enumerate EBS volumes:
aws ec2 describe-volumes
If a volume is in the available state it can be attached to an EC2 instance we control and mounted. Also check whether the volume is encrypted (Encrypted and KmsKeyId fields).
Then, to enumerate snapshots owned by the account (also check whether each one is encrypted):
aws ec2 describe-snapshots --owner-ids self
- RDS
Listing information about clusters in RDS:
aws rds describe-db-clusters
Listing information about RDS instances (if IAMDatabaseAuthenticationEnabled is false, IAM authentication tokens cannot be used and a database password is required; also check PubliclyAccessible):
aws rds describe-db-instances
Listing information about subnet groups in RDS:
aws rds describe-db-subnet-groups
Listing information about database security groups in RDS (legacy construct; current instances use VPC security groups):
aws rds describe-db-security-groups
Listing information about database proxies:
aws rds describe-db-proxies
To list all RDS endpoint DNS names across regions (use regions.txt from the EC2 section; an endpoint resolves to a public IP only when the instance has PubliclyAccessible set to true):
while read r; do aws rds describe-db-instances --query=DBInstances[*].Endpoint.Address --region $r | jq -r '.[]' >> rds-public-dns.txt; done < regions.txt; sort -u rds-public-dns.txt -o rds-public-dns.txt
List all manual RDS snapshots in a region:
aws rds describe-db-snapshots --region us-east-1 --snapshot-type manual --query=DBSnapshots[*].DBSnapshotIdentifier
List RDS snapshot attributes (if the AttributeValues list of the restore attribute contains "all", the snapshot is publicly shared and any AWS account can copy or restore it):
aws rds describe-db-snapshot-attributes --db-snapshot-identifier <db identifier from previous command> --region us-east-1 --query=DBSnapshotAttributesResult.DBSnapshotAttributes
- WebApps (CodeDeploy)
Listing CodeDeploy applications:
aws deploy list-applications
- VPC
Listing VPCs:
aws ec2 describe-vpcs
Listing VPCs in a specific region:
aws ec2 describe-vpcs --region us-west-1
Listing VPC information by ID:
aws ec2 describe-vpcs --filters "Name=vpc-id,Values=ID"
Listing subnets:
aws ec2 describe-subnets
Listing subnets by VPC ID:
aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID"
List ec2 network interfaces:
aws ec2 describe-network-interfaces
Listing routing tables:
aws ec2 describe-route-tables
Listing routing tables by VPC-id:
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=ID"
Listing Network ACLs:
aws ec2 describe-network-acls
List Direct Connect connections (dedicated network links into the VPC, distinct from VPN connections):
aws directconnect describe-connections
- CloudFormation
To get CloudFormation stack names, descriptions, parameters and outputs (these often expose hostnames, ARNs and sometimes secrets passed as parameters; use regions.txt from the EC2 section):
while read r; do aws cloudformation describe-stacks --query 'Stacks[*].[StackName, Description, Parameters, Outputs]' --region $r | jq -r '.[]' >> cloudformation-outputs.txt; done < regions.txt
Automated Recon
- WeirdAAL
https://github.com/carnal0wnage/weirdAAL
To run recon against all AWS services to enumerate access for a set of keys:
python3 weirdAAL.py -m recon_all -t <name>