
Enumerating AWS Cloud Infra

This module provides techniques and methodologies for discovering and enumerating Amazon Web Services (AWS) resources and Identity and Access Management (IAM) entities. The goal is to identify potential vulnerabilities and weaknesses within a target's AWS environment, often from an external perspective or after initial compromise.

1. Initial Reconnaissance & Credential Analysis

Understanding Compromised Credentials:

  • Utilize aws sts get-caller-identity to determine the IAM user or role associated with compromised AWS credentials.
  • This command returns details such as Account, UserId, and Arn, which are crucial for understanding the scope of access.

Obtaining AWS Account IDs: Essential for many enumeration activities.

2. Internet-Based Reconnaissance

This phase focuses on gathering information about AWS resources that are publicly accessible or can be inferred from public sources.

S3 Bucket Enumeration:

  • Website Content Analysis: Inspect website source code (curl -s https://example.com | grep -o "s3[a-zA-Z0-9.-]*") for direct references to S3 buckets.
  • Naming Conventions: Leverage common S3 bucket naming conventions and poorly implemented random strings to guess bucket names.
  • Public Access Check: If a bucket name is found, attempt to list its contents using aws s3 ls s3://<bucket-name> to check for public read access.

Discovery of Publicly Shared Resources:

  • Look for publicly exposed Amazon Machine Images (AMIs), Elastic Block Storage (EBS) snapshots, and Relational Database Service (RDS) snapshots.
  • These are typically found by querying the cloud service provider (CSP) APIs directly, since they usually lack domain names or URLs that would surface in web-based reconnaissance.

3. API-Based Reconnaissance (Post-Compromise / Authenticated)

Once initial access or compromised credentials are obtained, API interaction allows for deeper enumeration.

  • AWS CLI Configuration: Ensure the AWS CLI is correctly configured with the compromised credentials.
  • Processing API Data with JMESPath: Use JMESPath for efficient filtering and processing of large JSON outputs from AWS API calls.

IAM Resource Enumeration:

  • Users and Groups: Enumerate IAM users and groups to map out the identity landscape.
  • Policy Analysis: Understand the permissions granted by attached policies. Pay close attention to AWS Managed Policies (e.g., SupportUser) which might grant broader permissions than expected.
  • Filtering Queries: Construct advanced queries to filter IAM results based on paths or other attributes.
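
For the policy-analysis step, an added example (not part of the original module) that flags over-broad Allow statements in an IAM policy document, the kind of check a reviewer runs over the output of aws iam get-policy-version or get-user-policy. It handles both the bare-string and list forms IAM accepts for Statement, Action and Resource; the sample policy is constructed.

```python
"""Audit IAM policy documents for over-broad Allow grants (added example, not
part of the original module). Input is the parsed "Document" object that
`aws iam get-policy-version` or `get-user-policy` returns; the sample below
is constructed and does not come from any real account."""
import json


def _as_list(value):
    # IAM accepts a bare string wherever a list is allowed; normalize both forms.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy_doc):
    """Return (Sid, reason) pairs for Allow statements that grant '*' actions,
    service-wide 'svc:*' actions on every resource, or use NotAction (an
    allow-everything-except, which is broad by construction)."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; not a finding here
        sid = stmt.get("Sid", "<no Sid>")
        on_all = "*" in _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allow (everything except listed)"))
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "Action * on " + ("*" if on_all else "scoped resources")))
            elif action.endswith(":*") and on_all:
                findings.append((sid, f"service-wide {action} on Resource *"))
    return findings


# Constructed sample: one well-scoped statement, three over-broad ones, one Deny.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReadOneBucket", "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
  {"Sid": "AdminLike", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "AllIam", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
  {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
  {"Effect": "Allow", "NotAction": "organizations:*", "Resource": "*"}
]}""")


def audit_sample():
    return find_broad_grants(SAMPLE_POLICY)
```

Running audit_sample() reports AdminLike, AllIam and the unnamed NotAction statement; the scoped S3 statement and the Deny are not flagged.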

  • Enumerating Other Services: Systematically enumerate other AWS services (e.g., EC2, Lambda, VPC) based on the permissions of the compromised credentials.

4. Automated Enumeration Tools

  • Pacu:
    • A powerful AWS exploitation framework that automates many enumeration tasks.
    • Installation: Follow Pacu's installation instructions.
    • Usage:

      1. Start Pacu.
      2. Create a new session.
      3. Import AWS CLI credentials.
      4. Run various enumeration modules provided by Pacu.

5. Stealth & Evasion

  • Abusing Error Messages: Some AWS error messages are not logged by default in CloudTrail, which can be leveraged for stealthy enumeration attempts.
  • Manual vs. Automated:
    • Manual Enumeration: Offers greater stealth and control, making it harder to detect.
    • Automated Tools: While efficient, they can generate a high volume of API calls, increasing the risk of detection if not carefully managed.

Importance: AWS reconnaissance is a critical phase in penetration testing. It allows an attacker to gather intelligence about the target's cloud infrastructure, identify misconfigurations, and discover accessible resources. This information is then used to tailor attack vectors, escalate privileges, and devise effective social engineering tactics for deeper compromise.
