diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md index 1ebffdf15..fc2682345 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md @@ -1,10 +1,10 @@ -# AWS - EC2, EBS, ELB, SSM, VPC & VPN 枚举 +# AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum {{#include ../../../../banners/hacktricks-training.md}} -## VPC 与 网络 +## VPC & Networking -了解 VPC 是什么以及其组件,请参见: +在以下内容中了解什么是 VPC 以及它的组件: {{#ref}} aws-vpc-and-networking-basic-information.md 
@@ -12,36 +12,36 @@ aws-vpc-and-networking-basic-information.md ## EC2 -Amazon EC2 用于启动 **虚拟服务器**。它允许配置 **安全** 和 **网络** 并管理 **存储**。Amazon EC2 的灵活性体现在其能够向上或向下扩展资源,以便有效适应不同的需求变化或流量激增。这一特性减少了对精确流量预测的必要性。 +Amazon EC2 用于启动**虚拟服务器**。它允许配置**安全性**和**网络**以及管理**存储**。Amazon EC2 的灵活性体现在它能够向上和向下扩展资源,从而有效适应不断变化的需求或流量激增。这一特性减少了对精确流量预测的必要性。 -在 EC2 中值得枚举的内容包括: +在 EC2 中值得枚举的有: -- 虚拟机 +- Virtual Machines - SSH Keys - User Data - Existing EC2s/AMIs/Snapshots -- 网络 -- 网络 -- 子网 -- 公共 IPs -- 开放端口 -- 与 AWS 以外其他网络的集成连接 +- Networking +- Networks +- Subnetworks +- Public IPs +- Open ports +- Integrated connections with other networks outside AWS ### Instance Profiles -使用 **roles** 将权限授予在 **EC2 instances** 上运行的应用需要一些额外配置。运行在 EC2 实例上的应用由虚拟化的操作系统将其与 AWS 抽象隔离。由于这种额外的隔离,您需要采取额外步骤将 AWS 角色及其相关权限分配给 EC2 实例,并使这些权限对实例上的应用可用。 +使用 **roles** 为运行在 **EC2 instances** 上的应用程序授予权限,需要额外的一些配置。运行在 EC2 instance 上的应用程序会被虚拟化操作系统从 AWS 中抽象出来。由于这种额外隔离,你需要额外一步,将 AWS role 及其关联权限分配给 EC2 instance,并让其对应用程序可用。 -This extra step is the **creation of an** [_**instance profile**_](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) attached to the instance. The **instance profile contains the role and** can provide the role's temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application's API calls to access resources and to limit access to only those resources that the role specifies. Note that **only one role can be assigned to an EC2 instance** at a time, and all applications on the instance share the same role and permissions. 
+这一步额外操作就是为该 instance 创建一个 [_**instance profile**_](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) 并将其附加到 instance 上。**instance profile 包含该 role**,并且可以向运行在该 instance 上的应用程序提供该 role 的临时凭证。随后,这些临时凭证可以用于应用程序的 API 调用,以访问资源,并将访问限制在该 role 指定的资源范围内。注意,**同一时间只能将一个 role 分配给一个 EC2 instance**,并且该 instance 上的所有应用程序共享相同的 role 和权限。 ### Metadata Endpoint -AWS EC2 metadata 是在运行时可供 Amazon Elastic Compute Cloud (EC2) 实例使用的有关该实例的信息。该元数据用于提供关于实例的信息,例如其 instance ID、运行所在的 availability zone、与实例关联的 IAM role 以及实例的 hostname。 +AWS EC2 metadata 是关于 Amazon Elastic Compute Cloud (EC2) instance 的信息,这些信息在运行时可供该 instance 使用。此 metadata 用于提供关于该 instance 的信息,例如 instance ID、其运行所在的 availability zone、与该 instance 关联的 IAM role,以及该 instance 的 hostname。 {{#ref}} https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} -### 枚举 +### Enumeration ```bash # Get EC2 instances aws ec2 describe-instances @@ -130,7 +130,7 @@ aws ec2 describe-route-tables aws ec2 describe-vpcs aws ec2 describe-vpc-peering-connections ``` -### 未认证访问 +### Unauthenticated Access {{#ref}} ../../aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum/README.md @@ -138,7 +138,7 @@ aws ec2 describe-vpc-peering-connections ### Privesc -在下面的页面你可以查看如何 **滥用 EC2 权限以提升权限**: +In the following page you can check how to **abuse EC2 permissions to escalate privileges**: {{#ref}} ../../aws-privilege-escalation/aws-ec2-privesc/README.md 
@@ -152,17 +152,17 @@ aws ec2 describe-vpc-peering-connections ## EBS -Amazon **EBS** (Elastic Block Store) 的 **快照 (snapshots)** 本质上是 AWS EBS 卷的静态 **备份**。换句话说,它们是在特定时间点附加到 **EC2** 实例上的 **磁盘** 的 **拷贝**。EBS snapshots 可以跨区域和账户复制,甚至可以下载并在本地运行。 +Amazon **EBS** (Elastic Block Store) **snapshots** 基本上是 AWS EBS volumes 的静态 **backups**。换句话说,它们是附加到某个 **EC2** Instance 上、在特定时间点上的 **disks** 的 **copies**。EBS snapshots 可以跨 regions 和 accounts 复制,甚至可以下载后在本地运行。 -快照可能包含 **敏感信息**,例如 **源代码或 APi keys**,因此如果有机会,建议检查它们。 +Snapshots 可能包含 **sensitive information**,例如 **source code or APi keys**,因此如果有机会,建议检查一下。 -### AMI 与 EBS 的区别 +### Difference AMI & EBS -一个 **AMI** 用于 **启动 EC2 实例**,而 EC2 的 **Snapshot** 用于 **备份并恢复存储在 EBS 卷上的数据**。虽然 EC2 Snapshot 可以用来创建新的 AMI,但它并不是 AMI 本身,也不包含运行应用程序所需的操作系统、应用服务器或其他软件的信息。 +**AMI** 用于 **launch an EC2 instance**,而 EC2 **Snapshot** 用于 **backup and recover data stored on an EBS volume**。虽然 EC2 Snapshot 可以用来创建新的 AMI,但它并不等同于 AMI,也不包含运行应用程序所需的 operating system、application server 或其他 software 的信息。 ### Privesc -在下面的页面你可以查看如何 **滥用 EBS 权限以提升权限**: +In the following page you can check how to **abuse EBS permissions to escalate privileges**: {{#ref}} ../../aws-privilege-escalation/aws-ebs-privesc/README.md 
@@ -170,9 +170,9 @@ Amazon **EBS** (Elastic Block Store) 的 **快照 (snapshots)** 本质上是 AWS ## SSM -**Amazon Simple Systems Manager (SSM)** 允许远程管理大量 EC2 实例,从而简化它们的管理。每个实例都需要运行 **SSM Agent service,因为该服务将接收来自 AWS API 的操作并执行它们**。 +**Amazon Simple Systems Manager (SSM)** allows to remotely manage floats of EC2 instances to make their administrations much more easy. Each of these instances need to be running the **SSM Agent service as the service will be the one getting the actions and performing them** from the AWS API. -**SSM Agent** 使 Systems Manager 能够更新、管理和配置这些资源。该 agent **会处理来自 AWS Cloud 中 Systems Manager 服务的请求**,然后按请求中指定的方式运行它们。 +**SSM Agent** makes it possible for Systems Manager to update, manage, and configure these resources. The agent **processes requests from the Systems Manager service in the AWS Cloud**, and then runs them as specified in the request. The **SSM Agent comes**[ **preinstalled in some AMIs**](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html) or you need to [**manually install them**](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html) on the instances. Also, the IAM Role used inside the instance needs to have the policy **AmazonEC2RoleforSSM** attached to be able to communicate. @@ -185,13 +185,13 @@ aws ssm describe-instance-patches --instance-id aws ssm describe-instance-patch-states --instance-ids aws ssm describe-instance-associations-status --instance-id ``` -您可以在 EC2 实例中仅通过执行以下命令来检查 Systems Manager 是否正在运行: +你可以在 EC2 instance 中通过执行以下命令来检查 Systems Manager 是否正在运行: ```bash ps aux | grep amazon-ssm ``` ### Privesc -在以下页面你可以查看如何 **abuse SSM permissions to escalate privileges**: +在以下页面中,你可以查看如何**abuse SSM permissions to escalate privileges**: {{#ref}} ../../aws-privilege-escalation/aws-ssm-privesc/README.md 
@@ -199,7 +199,7 @@ ps aux | grep amazon-ssm ### Perssistence -在以下页面你可以查看如何 **abuse SSM permissions to achieve persistence**: +在以下页面中,你可以查看如何**abuse SSM permissions to achieve persistence**: {{#ref}} ../../aws-persistence/aws-ssm-persistence/README.md @@ -207,7 +207,9 @@ ps aux | grep amazon-ssm ## ELB -**Elastic Load Balancing** (ELB) 是 Amazon Web Services (AWS) 部署中的负载均衡服务。ELB 会自动 **分发传入的应用流量** 并根据流量需求扩展资源以满足负载。 +**Elastic Load Balancing** (ELB) 是 AWS 部署中的一个**load-balancing service**。ELB 会自动**distributes incoming application traffic**,并扩展资源以满足流量需求。 + +对于 **Application Load Balancers (ALBs)**,listener rules、authentication actions、header handling,以及到同一 targets 的替代路径,都是 **security boundary** 的一部分。请完整审查路径 **CloudFront --> ALB/NLB --> listeners --> rules --> target groups --> instances/IPs/ports/security groups**,而不只是单独看某一条 listener rule。 ### Enumeration ```bash 
@@ -219,6 +221,71 @@ aws elb describe-load-balancers | jq '.LoadBalancerDescriptions[]| select( .Sche aws elbv2 describe-load-balancers aws elbv2 describe-load-balancers | jq '.LoadBalancers[].DNSName' aws elbv2 describe-listeners --load-balancer-arn +aws elbv2 describe-rules --listener-arn +aws elbv2 describe-target-groups --load-balancer-arn +aws elbv2 describe-target-health --target-group-arn +aws elbv2 describe-load-balancer-attributes --load-balancer-arn +``` +### ELB / ALB 暴露与访问控制绕过 + +#### 通过直接访问 ALB origin 绕过 CloudFront / WAF + +如果一个 **CloudFront** distribution 位于一个 **internet-facing ALB** 之前,但 ALB security group 仍然允许 public inbound traffic,攻击者通常可以**直接请求 ALB 的 DNS name**,从而绕过 **CloudFront WAF、geo restrictions、rate limits 和 cache-layer controls**。 +```bash +# Test the origin directly +curl -isk https:/// + +# If the ALB routes on Host, replay the expected hostname directly to the ALB +curl -isk https:/// -H 'Host: app.example.com' +``` +**审计 notes:** + +- 枚举 CloudFront distributions 及其 origins,然后检查 origin ALB 是否仍然是 **internet-facing**。 +- 检查 ALB 的 **security groups**。如果允许来自 `0.0.0.0/0` 或较宽泛 CIDR 的 inbound traffic,CloudFront 很可能不是唯一可达路径。 +- 直接从 ALB 返回的 **non-error** 响应通常意味着 CloudFront/WAF layer 可以被绕过。 + +**Hardening:** 如果 CloudFront 应该是唯一入口点,则只允许来自 AWS-managed prefix list **`com.amazonaws.global.cloudfront.origin-facing`** 的 inbound traffic 到 ALB。 + +#### Listener rule shadowing / auth bypass + +ALB rules 按 **ascending priority order** 进行评估。一个 **broader** 且 **lower priority number** 的 rule 可能会在带有 `authenticate-oidc`、`authenticate-cognito` 或 `source-ip` 的 restrictive rule 之前拦截 traffic。 +```text +[10] path /* -> forward -> tg-app +[20] path /admin* -> authenticate-oidc -> tg-app +``` +A request to `/admin` matches `/*` first, so the authentication action never runs. + +**Audit notes:** + +- Dump every listener and rule with `aws elbv2 describe-rules --listener-arn `. 
+- Walk rules in ascending priority order and check whether a broad **host/path/header/query** condition matches traffic that should have hit a more restrictive rule first. +- Treat listener ordering like middleware ordering: **first matching rule wins**. + +#### `source-ip` restrictions can be bypassed through alternate paths + +A `source-ip` condition only protects the **specific listener rule** where it is configured. If the **same target group**, the **same backend IPs/instances**, or the **same service on another port** is reachable through another ALB, another listener, or an NLB with weaker controls, the IP allowlist can often be bypassed by using that alternate path. + +**Audit notes:** + +- For each restrictive rule, enumerate the **target group ARN** and the registered targets. +- Compare those targets against **all other listeners/load balancers** in the account/region. +- Also check for direct exposure via **public instance IPs**, permissive **security groups**, or additional listeners on ports such as `80`, `443`, `8080`, or `8443`. + +A good mental model is: **protect the target, not only one route to the target**. + +#### Client-controlled `X-Forwarded-For` trust + +If `routing.http.xff_header_processing.mode` is set to **`preserve`** on an **internet-facing ALB**, the backend can receive an **attacker-supplied** `X-Forwarded-For` value unchanged. If the application trusts that header for **access control**, **rate limiting**, **logging**, or **monitoring**, the attacker may spoof the perceived client IP. +```bash +curl -isk https:/// -H 'X-Forwarded-For: 127.0.0.1' +aws elbv2 describe-load-balancer-attributes --load-balancer-arn +``` +#### 有用工具 + +[**ELBaph**](https://github.com/doyensec/ELBaph) 是一个只读审计工具,它将 **ALBs、NLBs、listeners、rules、target groups 和 targets 建模为一个 routing graph**,然后探测可达的 exposures。 +```bash +elbaph scan --region us-east-1 +elbaph scan --all-regions -p my-pentest-profile ``` ## Launch Templates & Autoscaling Groups 
@@ -239,7 +306,7 @@ aws autoscaling describe-load-balancers ``` ## Nitro -AWS Nitro 是一套构成 AWS EC2 instances 底层平台的 **创新技术**。由 Amazon 引入以 **增强安全性、性能和可靠性**,Nitro 利用定制的 **硬件组件和轻量级 hypervisor**。它将大量传统虚拟化功能抽象到专用的硬件和软件中,**最小化攻击面**并提高资源效率。通过卸载虚拟化功能,Nitro 使 EC2 instances 能提供 **接近裸金属性能**,这对资源密集型应用尤其有利。此外,Nitro Security Chip 专门确保持有 **硬件和固件的安全性**,进一步巩固其稳健的架构。 +AWS Nitro 是一套 **创新技术**,构成了 AWS EC2 实例的底层平台。它由 Amazon 推出,旨在 **增强安全性、性能和可靠性**,Nitro 利用定制 **硬件组件和轻量级 hypervisor**。它将许多传统虚拟化功能抽象到专用硬件和软件中,**最小化攻击面**并提高资源效率。通过卸载虚拟化功能,Nitro 使 EC2 实例能够提供 **接近 bare-metal 的性能**,这对资源密集型应用尤其有利。此外,Nitro Security Chip 还专门确保 **硬件和固件的安全性**,进一步巩固了其稳健架构。 Get more information and how to enumerate it from: 
@@ -249,34 +316,34 @@ aws-nitro-enum.md ## VPN -A VPN allows to connect your **on-premise network (site-to-site VPN)** or the **workers laptops (Client VPN)** with a **AWS VPC** so services can accessed without needing to expose them to the internet. +VPN 允许将你的 **on-premise network (site-to-site VPN)** 或 **workers laptops (Client VPN)** 与 **AWS VPC** 连接起来,从而可以在无需暴露到 internet 的情况下访问这些 services。 #### Basic AWS VPN Components 1. **Customer Gateway**: -- A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection. -- It is essentially a physical device or software application on your side of the Site-to-Site VPN connection. -- You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway. -- It serves as a reference point for setting up the VPN connection and doesn't incur additional charges. +- Customer Gateway 是你在 AWS 中创建的一个 resource,用于代表你的 VPN connection 一侧。 +- 它本质上是你这边 Site-to-Site VPN connection 上的一个物理设备或 software application。 +- 你向 AWS 提供路由信息以及你的网络设备(例如 router 或 firewall)的 public IP address,以创建 Customer Gateway。 +- 它作为设置 VPN connection 的参考点,不会产生额外费用。 2. **Virtual Private Gateway**: -- A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. -- It is attached to your VPC and serves as the target for your VPN connection. -- VPG is the AWS side endpoint for the VPN connection. -- It handles the secure communication between your VPC and your on-premises network. +- Virtual Private Gateway (VPG) 是 Site-to-Site VPN connection 中 Amazon 一侧的 VPN concentrator。 +- 它附加到你的 VPC 上,并作为你的 VPN connection 的目标。 +- VPG 是 VPN connection 的 AWS 侧 endpoint。 +- 它负责你 VPC 与 on-premises network 之间的 secure communication。 3. **Site-to-Site VPN Connection**: -- A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel. 
-- This type of connection requires a Customer Gateway and a Virtual Private Gateway. -- It's used for secure, stable, and consistent communication between your data center or network and your AWS environment. -- Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection. +- Site-to-Site VPN connection 通过安全的 IPsec VPN tunnel 将你的 on-premises network 连接到 VPC。 +- 这种 connection 需要 Customer Gateway 和 Virtual Private Gateway。 +- 它用于你的 data center 或 network 与 AWS environment 之间的安全、稳定和一致的 communication。 +- 通常用于常规的、长期的 connections,并按通过该 connection 传输的数据量计费。 4. **Client VPN Endpoint**: -- A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions. -- It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network. -- It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks. -- With Client VPN, each client device uses a VPN client software to establish a secure connection. +- Client VPN endpoint 是你在 AWS 中创建的一个 resource,用于启用和管理 client VPN sessions。 +- 它用于允许单个 devices(如 laptops、smartphones 等)安全地连接到 AWS resources 或你的 on-premises network。 +- 它与 Site-to-Site VPN 的区别在于,它是为单个 clients 设计的,而不是连接整个 network。 +- 使用 Client VPN 时,每个 client device 都使用 VPN client software 来建立安全 connection。 -您可以在此处 [**查找有关 AWS VPN 优势和组件的更多信息**](aws-vpc-and-networking-basic-information.md#vpn)。 +You can [**find more information about the benefits and components of AWS VPNs here**](aws-vpc-and-networking-basic-information.md#vpn). -### 枚举 +### Enumeration ```bash # VPN endpoints ## Check used subnetwork, authentication, SGs, connected... 
@@ -302,15 +369,15 @@ aws ec2 describe-vpn-connections ``` ### Local Enumeration -**本地临时凭证** +**Local Temporary Credentials** -当使用 AWS VPN Client 连接到 VPN 时,用户通常会 **登录 AWS** 以获取对 VPN 的访问权限。随后,会在本地创建并存储一些 **AWS 凭证** 以建立 VPN 连接。 这些凭证被 **存储在** `$HOME/.config/AWSVPNClient/TemporaryCredentials//temporary-credentials.txt`,并包含一个 **AccessKey**、一个 **SecretKey** 和一个 **Token**。 +When AWS VPN Client is used to connect to a VPN, the user will usually **login in AWS** to get access to the VPN. Then, some **AWS credentials are created and stored** locally to establish the VPN connection. These credentials are **stored in** `$HOME/.config/AWSVPNClient/TemporaryCredentials//temporary-credentials.txt` and contains an **AccessKey**, a **SecretKey** and a **Token**. -这些凭证属于用户 `arn:aws:sts:::assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials`(TODO: research more about the permissions of this credentials)。 +The credentials belong to the user `arn:aws:sts:::assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials` (TODO: research more about the permissions of this credentials). -**opvn 配置文件** +**opvn config files** -如果已经建立了 **VPN 连接**,应在系统中搜索 **`.opvn`** 配置文件。此外,可以在 **`$HOME/.config/AWSVPNClient/OpenVpnConfigs`** 找到这些 **配置**。 +If a **VPN connection was stablished** you should search for **`.opvn`** config files in the system. Moreover, one place where you could find the **configurations** is in **`$HOME/.config/AWSVPNClient/OpenVpnConfigs`** #### **Post Exploitaiton** 
@@ -318,8 +385,13 @@ aws ec2 describe-vpn-connections ../../aws-post-exploitation/aws-vpn-post-exploitation/README.md {{#endref}} -## 参考资料 +## References -- [https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html) +- [AWS Elastic Beanstalk and Amazon EC2 getting started](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html) +- [Doyensec - Navigating Lax Load Balancers: When an Intersection Gets You Inside](https://blog.doyensec.com/2026/05/25/cloudsectidbits-elbaph-alb.html) +- [AWS - Listener rules for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-rules.html) +- [AWS - HTTP headers and Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html) +- [AWS - CloudFront managed prefix list for origin-facing servers](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html) +- [Doyensec - ELBaph](https://github.com/doyensec/ELBaph) {{#include ../../../../banners/hacktricks-training.md}}
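Review bot: In the first hunk (`@@ -1,10 +1,10 @@`) the title and section heading are switched back to English (`+# AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum`, `+## VPC & Networking`) while the body sentence right below them is re-translated into Chinese (`+在以下内容中了解什么是 VPC 以及它的组件:`). If English headings are intentional for stable anchors across the translated book, say so in the commit message; otherwise keep the existing Chinese headings so the page stays in one language.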
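Review bot: The EBS hunk (`@@ -152,17 +152,17 @@`) carries the typo `APi keys` over from the removed line into the added one (`+Snapshots 可能包含 **sensitive information**,例如 **source code or APi keys**`); since this line is being rewritten anyway, correct it to `API keys`.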
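Review bot: The SSM hunk (`@@ -170,9 +170,9 @@`) replaces two correct Chinese paragraphs with English that contains the errors of the upstream source: `floats of EC2 instances` should be `fleets of EC2 instances`, `make their administrations much more easy` should be `make their administration much easier`, and `Each of these instances need to be` should be `needs to be`. Since this is a translated page, the Chinese text being removed was the better version of these two paragraphs; if the English must stay, at least fix the wording, and note that the unchanged context line `### Perssistence` in the following hunk has a heading typo (`Persistence`) that could be fixed in the same change.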
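Review bot: In the large ELB hunk (`@@ -219,6 +221,71 @@`) every placeholder in the new commands is empty: `+curl -isk https:/// `, `+curl -isk https:/// -H 'Host: app.example.com'`, `+aws elbv2 describe-target-groups --load-balancer-arn` and `- Dump every listener and rule with `aws elbv2 describe-rules --listener-arn ``. This looks like angle-bracket placeholders (ALB DNS name, listener ARN, target group ARN) that were stripped by a tool; restore them as visible placeholders, because a reader cannot tell which argument is missing. The same hunk also switches language mid-section: the CloudFront-bypass and audit-notes parts are Chinese, then from `+A request to `/admin` matches `/*` first` onward the shadowing, `source-ip` and `X-Forwarded-For` subsections are English, and the tool subsection returns to Chinese; pick one language for the whole section. On substance the rule-ordering example (`[10] path /*` forwarding before `[20] path /admin*` with `authenticate-oidc`) and the `routing.http.xff_header_processing.mode` / `preserve` attribute are stated correctly against the linked AWS listener-rules and x-forwarded-headers documentation.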
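Review bot: The Local Enumeration hunk (`@@ -302,15 +369,15 @@`) reverts Chinese text to English that has grammar and spelling errors: `login in AWS` should be `log in to AWS`, `and contains an **AccessKey**` should be `and contain an **AccessKey**`, `VPN connection was stablished` should be `was established`, and `the permissions of this credentials` should be `these credentials`. Two values in the added lines also appear to have lost a placeholder: the path `$HOME/.config/AWSVPNClient/TemporaryCredentials//temporary-credentials.txt` has an empty path segment, and the ARN `arn:aws:sts:::assumed-role/...` has an empty account-id field; restore visible placeholders for the missing segment and the account id. The context heading `#### **Post Exploitaiton**` directly below has a typo (`Post Exploitation`) that could be fixed in the same change.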
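Review bot: In the References hunk (`@@ -318,8 +385,13 @@`) the new link text does not match its target: `+- [AWS Elastic Beanstalk and Amazon EC2 getting started](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html)` points at the AWS Batch user guide (`/batch/latest/userguide/getting-started-ec2.html`), not Elastic Beanstalk. Use a title that matches the linked page, for example `AWS Batch - Getting started with EC2`. The remaining added references (listener rules, x-forwarded headers, CloudFront origin-facing prefix list, ELBaph) match the new ELB section and are fine.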