Lateral Movement

- EC2 Lateral Movement

To get a shell on EC2 instances (through SSM Session Manager, so no SSH key or open port 22 is needed):

aws ec2 describe-instances --profile auditor --region {region}

aws ssm start-session --target {target id} --profile auditor --region {region}

- VPC Peering Lateral Movement

VPC Peering connects two Virtual Private Clouds (VPCs) so that they behave as if they were on the same network. This lets traffic be routed between them using private IP addresses, without going through the public internet.

For example, if VPC A can access B through peering and B can access C, then VPC B can be used as a peering pivot to access VPC C from VPC A (peering itself is not transitive, so the hop has to go through a resource inside B).

First, understand which VPCs can communicate with each other:

aws ec2 describe-vpc-peering-connections

Each VPC can have multiple subnets. By listing subnets, you identify where resources are located and if specific subnets have special access permissions to other VPCs:

aws ec2 describe-subnets --filters "Name=vpc-id,Values=ID"

Routing tables define rules, known as routes, that determine where network traffic from your subnets is directed:

aws ec2 describe-route-tables --filters "Name=vpc-id,Values=ID"

To see what machines (instances) are running in VPC A, B, or C:

aws ec2 describe-instances --filters "Name=vpc-id,Values=ID"

Narrowing the filter to a subnet shows which specific instances are reachable within it:

aws ec2 describe-instances --filters "Name=subnet-id,Values=ID"
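Added example (not part of the original notes): given the parsed JSON of the describe-vpc-peering-connections and describe-route-tables calls above, this Python script builds the VPC reachability graph, only counting a peering as usable when it is active and routed on both sides, and then lists which VPCs can only be reached by pivoting through another one. The sample API output, VPC ids and CIDRs are constructed.

```python
# Constructed sample of `aws ec2 describe-vpc-peering-connections` (parsed JSON, trimmed): a-b, b-c, c-d.
PEERINGS = {"VpcPeeringConnections": [
    {"VpcPeeringConnectionId": "pcx-ab", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-a", "CidrBlock": "10.1.0.0/16"},
     "AccepterVpcInfo": {"VpcId": "vpc-b", "CidrBlock": "10.2.0.0/16"}},
    {"VpcPeeringConnectionId": "pcx-bc", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-b", "CidrBlock": "10.2.0.0/16"},
     "AccepterVpcInfo": {"VpcId": "vpc-c", "CidrBlock": "10.3.0.0/16"}},
    {"VpcPeeringConnectionId": "pcx-cd", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"VpcId": "vpc-c", "CidrBlock": "10.3.0.0/16"},
     "AccepterVpcInfo": {"VpcId": "vpc-d", "CidrBlock": "10.4.0.0/16"}}]}
# Constructed `aws ec2 describe-route-tables` sample: vpc-d has no return route over pcx-cd (active but unusable).
ROUTE_TABLES = {"RouteTables": [
    {"VpcId": "vpc-a", "Routes": [{"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-ab"}]},
    {"VpcId": "vpc-b", "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-ab"},
                                  {"DestinationCidrBlock": "10.3.0.0/16", "VpcPeeringConnectionId": "pcx-bc"}]},
    {"VpcId": "vpc-c", "Routes": [{"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-bc"},
                                  {"DestinationCidrBlock": "10.4.0.0/16", "VpcPeeringConnectionId": "pcx-cd"}]},
    {"VpcId": "vpc-d", "Routes": [{"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local"}]}]}

def build_graph(peerings, route_tables):
    """Undirected edge between two VPCs only if the peering is active AND both sides route to it."""
    routed = {}  # (vpc id, pcx id) -> destination CIDRs that VPC sends over that peering
    for t in route_tables["RouteTables"]:
        for r in t["Routes"]:
            if "VpcPeeringConnectionId" in r:  # skip local, IGW, NAT and other route targets
                routed.setdefault((t["VpcId"], r["VpcPeeringConnectionId"]), set()).add(r["DestinationCidrBlock"])
    graph = {}
    for pc in peerings["VpcPeeringConnections"]:
        if pc["Status"]["Code"] != "active":
            continue  # pending-acceptance, rejected or deleted peerings carry no traffic
        a, b, pcx = pc["RequesterVpcInfo"], pc["AccepterVpcInfo"], pc["VpcPeeringConnectionId"]
        if (b["CidrBlock"] in routed.get((a["VpcId"], pcx), ())
                and a["CidrBlock"] in routed.get((b["VpcId"], pcx), ())):
            graph.setdefault(a["VpcId"], set()).add(b["VpcId"])
            graph.setdefault(b["VpcId"], set()).add(a["VpcId"])
    return graph

def reachable_paths(graph, start):
    """BFS: VPC id -> shortest path from start; a multi-hop path needs an instance in each middle VPC as pivot."""
    paths, queue = {start: [start]}, [start]
    for cur in queue:  # the list only grows at its tail, so iterating while appending is safe
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths

def pivot_vpcs(graph, start):  # VPCs in the middle of some path from start: harden and monitor these first
    return {v for p in reachable_paths(graph, start).values() for v in p[1:-1]}
```

Feed it the real output of the two commands above (json.load on the CLI output) to get the same map for an actual account.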
