3.2 AWS Black Box Methodology

The document outlines the AWS Black Box methodology for penetration testing, detailing the Cyber Kill Chain stages from enumeration to profit. It covers various techniques for discovery, exploitation, internal enumeration, privilege escalation, and post-exploitation strategies, including the use of tools and attacks. Additionally, it discusses persistence methods and potential profit avenues such as crypto mining and data dumping.

Uploaded by

chinfon
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
11 views11 pages

3.2 AWS Black Box Methodology

The document outlines the AWS Black Box methodology for penetration testing, detailing the Cyber Kill Chain stages from enumeration to profit. It covers various techniques for discovery, exploitation, internal enumeration, privilege escalation, and post-exploitation strategies, including the use of tools and attacks. Additionally, it discusses persistence methods and potential profit avenues such as crypto mining and data dumping.

Uploaded by

chinfon
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 11

AWS Black Box Methodology
HackTricks Training
Cyber Kill Chain
1- Enumeration

2- Exploitation

3- Internal Enumeration

4- Post exploitation

5- Persistence

6- Privilege Escalation

7- Profit
Discovery & Enumeration
● OSINT
○ Github Leaks
● Open Buckets
○ Spidering
○ Brute-Force
● Open ports
○ Exploits
○ Brute-Force credentials
● Web
○ SSRF
● Public AMIs, EBS Snapshots, RDS Snapshots
● Roles & Usernames enumeration
● Cognito Credentials
● Federated Identities
Attack: We found some Cognito misconfiguration
DEMO
Exploitation
● OSINT
○ Github Leaks
○ https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets
● Open Buckets
○ Spidering
○ Brute-Force
○ https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
● Open ports
○ Exploits
○ Brute-Force credentials
● Web
○ SSRF
○ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
● Public AMIs, EBS Snapshots, RDS Snapshots
○ https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum
● Roles & Usernames enumeration (demo)
Attack: We got Cognito credentials
● Cognito Credentials (demo)
DEMO
Internal Enumeration
● Web Console
● AWS cli
● Steampipe
○ https://github.com/turbot/steampipe-mod-aws-perimeter
○ https://github.com/turbot/steampipe-mod-aws-insights
● CloudSploit
● Cloudfox
● Prowler doesn't work without permission to generate a credential report
● Brute-forcing the current principal's privileges:
○ https://github.com/carlospolop/bf-aws-permissions
○ https://github.com/carlospolop/bf-aws-perms-simulate
○ https://github.com/carlospolop/aws-Perms2ManagedPolicies
○ https://github.com/carlospolop/tfstate2IAM
○ https://github.com/carlospolop/Cloudtrail2IAM
○ https://github.com/carnal0wnage/weirdAAL
○ https://github.com/andresriancho/enumerate-iam

Attack: We found interesting privileges


DEMO
IAM Privilege Escalation
● HackTricks has hundreds of documented permissions that can be used to escalate privileges:
○ https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-privilege-escalation
● iam:CreateAccessKey (demo)

Attack: We escalated to Administrator


DEMO
Internal Enumeration
● IAM recon (demo)
● Org recon (demo)

Attack: We found children accounts


DEMO
Org Compromise
● By default the Management Account has Admin permissions on child accounts through the OrganizationAccountAccessRole role. (demo)
○ https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting#compromising-the-organization

Attack: We moved to Administrator in a child account


DEMO
Post-exploitation
● Get Web Console Access
● Confused Deputy
○ https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-iam-post-exploitation
● Steal information from Instances, Snapshots, Containers…
● Pivot to EKS cluster
● Stealing credentials from Code Build (demo)

Attack: We obtained a sensitive token to access Github


Persistence
● Secrets Rotation Lambda
○ https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-persistence/aws-secrets-manager-persistence
● Backdoor Role Trust Policies
● Role Chain Juggling

Attack: We set some persistence


“Profit”
● Crypto mining
● Dump everything
● Kill everything (DoS)
● Change KMS keys - Ransomware
○ Or grant yourself access to the client's KMS keys and remove the client's own access (--bypass-policy-lockout-safety-check)

Attack: We obtained a sensitive token to access Github
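As an added example (not part of the HackTricks deck), a small Python triage over constructed CloudTrail records that flags the patterns named on these slides from the defender's side: iam:CreateAccessKey issued for a different user, assumption of OrganizationAccountAccessRole, trust-policy changes on a role, and kms:PutKeyPolicy with the lockout safety check bypassed. The principal names, role name and account id are invented.

```python
# Constructed CloudTrail records (not real logs); names and the account id are invented.
SAMPLE_EVENTS = [
    {"eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "dev-ci"},
     "requestParameters": {"userName": "admin"}},
    {"eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "dev-ci"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole"}},
    {"eventName": "UpdateAssumeRolePolicy", "userIdentity": {"type": "IAMUser", "userName": "dev-ci"},
     "requestParameters": {"roleName": "DataPipelineRole"}},
    {"eventName": "PutKeyPolicy", "userIdentity": {"type": "IAMUser", "userName": "dev-ci"},
     "requestParameters": {"keyId": "<constructed-key-id>", "bypassPolicyLockoutSafetyCheck": True}},
    # Benign: a user rotating their own key (the CLI omits userName in this case).
    {"eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},
]


def caller(ev):
    """Name of the principal that made the call: the IAM user, or the session name of an assumed role."""
    ident = ev.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "").rsplit("/", 1)[-1]


def check_event(ev):
    """Return a reason string when the record matches one of the slide techniques, else None."""
    name = ev.get("eventName")
    params = ev.get("requestParameters") or {}
    who = caller(ev)
    if name == "CreateAccessKey":
        # A key created for oneself is routine rotation; a key for someone else is the privesc path.
        target = params.get("userName") or who
        if target != who:
            return f"{who} created an access key for another user: {target}"
    elif name == "AssumeRole" and params.get("roleArn", "").endswith("/OrganizationAccountAccessRole"):
        account = params["roleArn"].split(":")[4]
        return f"{who} assumed OrganizationAccountAccessRole in account {account}"
    elif name == "UpdateAssumeRolePolicy":
        # Trust-policy edits are how a role gets backdoored for persistence.
        return f"{who} changed the trust policy of role {params.get('roleName')}"
    elif name == "PutKeyPolicy" and params.get("bypassPolicyLockoutSafetyCheck"):
        # The safety check exists to stop a key policy that locks the owner out; bypassing it is rare.
        return f"{who} replaced a KMS key policy with the lockout safety check bypassed"
    return None


def triage(events):
    """List of (eventName, reason) for every record that matched a rule."""
    return [(ev["eventName"], reason) for ev in events if (reason := check_event(ev))]


if __name__ == "__main__":
    for event_name, reason in triage(SAMPLE_EVENTS):
        print(f"[{event_name}] {reason}")
```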
