aws recon

# External and Internal Recon

# Tools for automate

Scan cloud IP ranges to find domains/subdommains from SSl certs

aws ip ranges:

• Amazon: http://bit.ly/2vUSjED

• https://github.com/lord-alfred/ipranges/blob/main/all/ipv4_merged.txt

• http://kaeferjaeger.gay/

CloudRecon tool

• https://github.com/g0ldencybersec/cloudrecon

• parse cloudrecon tool data collected:

  • $ grep -F '.DOMAIN.COM' domainfile_DB.txt | awk -F '[][]''{print $2}' | sed 's##\n#g' "DOMAIN.COM" | sort -fu | cut -d ',' -f1 | sort -u

  • $ grep -F '.DOMAIN.COM' domainfile_DB.txt | awk -F '[][]''{print $2}' | sed 's##\n#g' | sort -fu | cut -d ',' -f1 | sort -u

Domains/Sub

scan for cloud assets too

• https://github.com/nsonaniya2010/SubDomainizer

resolve ips to domains via ssl cert

• https://github.com/hakluke/hakip2host

ssl scrape from ips

• https://github.com/cheetz/sslScrape

Search public cloud assets

• Public cloud buckets https://buckets.grayhatwarfare.com/

• https://github.com/initstring/cloud_enum

• https://github.com/0xsha/CloudBrute

other refs

• aws enum tools
• https://s0cm0nkey.gitbook.io/s0cm0nkeys-security-reference-guide/cloud#aws-amazon-cloud-services
• https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#public-cloud-assets
• https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum

S3 enum

External/Public/Unauthenticated

1 - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum

2 - Discovering Bucket Names:

There are many ways to discover the names of Buckets. One of the easiest ways is when a company embeds content hosted in S3 on their website. Images, PDFs, etc., can all be hosted cheaply in S3 and linked from another site. These links will look like this:

• http://BUCKETNAME.s3.amazonaws.com/FILENAME.ext or http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext

3 - Find public IP to see if it is s3 aws:

• $ dig sub.domain.com and $ nslookup IP
• $ dig +nocmd flaws.cloud any +multiline +noall +answer and $ nslookup IP

4 - Enumerate Bucket:

• To test the openness of the bucket a user can just enter the URL in their web browser. A private bucket will respond with “Access Denied”. A public bucket will list the first 1,000 objects that have been stored.

5 - Listing the Contents of Buckets:

• $ curl http://BUCKETNAME.s3.amazonaws.com/
• $ aws s3 ls s3://irs-form-990/ --no-sign-request

6 - Downloading Objects:

• $ curl http://irs-form-990.s3.amazonaws.com/201101319349101615_public.xml
• $ aws s3 cp s3://irs-form-990/201101319349101615_public.xml . --no-sign-request

Internal/Authenticated

• https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#enumeration

1 - Listing the Contents of Buckets:

• aws s3 --profile YOUR_ACCOUNT ls s3://BUCKET-NAME

2 - S3 misconfig series:

1. http://flaws.cloud/
2. http://flaws.cloud/hint1.html
3. http://flaws.cloud/hint2.html
4. http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/
5. http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/hint1.html
6. http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/
7. http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/hint1.html
8. http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/
9. http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/hint1.html
10. http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/hint2.html
11. http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/hint3.html
12. http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/hint2.html
13. http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/hint3.html
14. http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/
15. http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/hint1.html
16. http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/hint2.html
17. http://theend-797237e8ada164bf9f12cebf93b282cf.flaws.cloud/d730aa2b/
18. http://level2-g9785tw8478k4awxtbox9kk3c5ka8iiz.flaws2.cloud/ (lambda leak envs with creds)

IAM

1 - https://hackingthe.cloud/aws/general-knowledge/using_stolen_iam_credentials/

• https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-basic-information#cli-authentication

When you find credentials to AWS, you can add them to your AWS Profile in the AWS CLI. For this, you use the command:

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles

aws configure --profile PROFILENAME

This command will add entries to the .aws/config and .aws/credentials files in your user’s home directory.

ProTip: Never store a set of access keys in the [default] profile. Doing so forces you always to specify a profile and never accidentally run a command against an account you don't intend to.

2 - A few other common AWS reconnaissance techniques are:

• Finding the Account ID belonging to an access key:
  • aws sts get-access-key-info --access-key-id AKIAEXAMPLE
• Determining the Username the access key you’re using belongs to
  • aws sts get-caller-identity --profile PROFILENAME
• Listing all the EC2 instances running in an account
  • aws ec2 describe-instances --output text --profile PROFILENAME
• Listing all the EC2 instances running in an account in a different region
  • aws ec2 describe-instances --output text --region us-east-1 --profile PROFILENAME

3 - Enum Policies

• https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum

• Get metadata of user
  • aws --profile PROFILE-NAME iam get-user
• Get policies of user
  • aws --profile PROFILE-NAME iam list-attached-user-policies --user-name CURRENT-OR-OTHER
• Get policy content
  • aws --profile PROFILE-NAME iam get-policy --policy-arn <policy_arn>
  • aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>

EC2

Internal/Authenticated

• https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum

• Discovery snapshots
  • aws --profile PROFILE-NAME ec2 describe-snapshots --owner-id ACCOUNT-ID
• Snapshot Dump
  • https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump
  • http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/hint1.html
  • http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/hint2.html
  • http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/hint3.html

ECR (Elastic Container Registry)

Internal/Authenticated

• Get repos
  • aws ecr describe-repositories --profile PROFILE-NAME
  • aws ecr describe-registry --profile PROFILE-NAME
• Get image metadata

  • aws ecr list-images --repository-name <repo_name> --profile PROFILE-NAME

  • aws ecr list-images --repository-name <repo_name> --resgistry-id ACCOUNT-ID --profile PROFILE-NAME

  • aws ecr batch-get-image --repository-name level2 --registry-id 653711331788 --image-ids imageTag=latest | jq '.images[].imageManifest | fromjson'

  • aws ecr get-download-url-for-layer --repository-name level2 --registry-id 653711331788 --layer-digest "sha256:..."

• Login, Pull & Push
  • login - aws ecr --profile PROFILE-NAME get-login-password --region REGION | docker login --username AWS --password-stdin ACCOUNT-ID.dkr.ecr.REGION.amazonaws.com
  • pull image - docker pull <account_id>.dkr.ecr.<region>.amazonaws.com/<img_name>:latest
• Get image metadata
  • aws ecr describe-images --repository-name level2 --profile PROFILE-ID
• SSRF in AWS ECS (Container Service)
  • https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#ssrf-in-aws-ecs-container-service-credentials
  • https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v2.html
    1. curl -v http://container.target.flaws2.cloud/proxy/file:///proc/self/environ -o environ
    2. In “environ” output file found variable “AWS_CONTAINER_CREDENTIALS_RELATIVE_URI” copy paste in next curl cli:
    3. curl -v http://container.target.flaws2.cloud/proxy/http://169.254.170.2/v2/credentials/cd0f067f-f28a-4f8a-ba76-0e697ec1d289
    4. Get creds …

constantly adding more …