mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-28 13:43:24 -08:00
81 lines
5.5 KiB
Markdown
81 lines
5.5 KiB
Markdown
# AWS - Unauthenticated Enum & Access
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## AWS Credentials Leaks
|
|
|
|
A common way to obtain access or information about an AWS account is by **searching for leaks**. You can search for leaks using **google dorks**, checking the **public repos** of the **organization** and the **workers** of the organization in **Github** or other platforms, searching in **credentials leaks databases**... or in any other part you think you might find any information about the company and its cloud infa.\
|
|
Some useful **tools**:
|
|
|
|
* [https://github.com/carlospolop/leakos](https://github.com/carlospolop/leakos)
|
|
* [https://github.com/carlospolop/pastos](https://github.com/carlospolop/pastos)
|
|
* [https://github.com/carlospolop/gorks](https://github.com/carlospolop/gorks)
|
|
|
|
## AWS Unauthenticated Enum & Access
|
|
|
|
There are several services in AWS that could be configured giving some kind of access to all Internet or to more people than expected. Check here how:
|
|
|
|
* [**Accounts Unauthenticated Enum**](aws-accounts-unauthenticated-enum.md)
|
|
* [**Cloud9 Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md)
|
|
* [**Cloudfront Unauthenticated Enum**](aws-cloudfront-unauthenticated-enum.md)
|
|
* [**Cloudsearch Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md)
|
|
* [**Cognito Unauthenticated Enum**](aws-cognito-unauthenticated-enum.md)
|
|
* [**DocumentDB Unauthenticated Enum**](aws-documentdb-enum.md)
|
|
* [**EC2 Unauthenticated Enum**](aws-ec2-unauthenticated-enum.md)
|
|
* [**Elasticsearch Unauthenticated Enum**](aws-elasticsearch-unauthenticated-enum.md)
|
|
* [**IAM Unauthenticated Enum**](aws-iam-and-sts-unauthenticated-enum.md)
|
|
* [**IoT Unauthenticated Access**](aws-iot-unauthenticated-enum.md)
|
|
* [**Kinesis Video Unauthenticated Access**](aws-kinesis-video-unauthenticated-enum.md)
|
|
* [**Media Unauthenticated Access**](aws-media-unauthenticated-enum.md)
|
|
* [**MQ Unauthenticated Access**](aws-mq-unauthenticated-enum.md)
|
|
* [**MSK Unauthenticated Access**](aws-msk-unauthenticated-enum.md)
|
|
* [**RDS Unauthenticated Access**](aws-rds-unauthenticated-enum.md)
|
|
* [**Redshift Unauthenticated Access**](aws-redshift-unauthenticated-enum.md)
|
|
* [**SQS Unauthenticated Access**](aws-sqs-unauthenticated-enum.md)
|
|
* [**S3 Unauthenticated Access**](aws-s3-unauthenticated-enum.md)
|
|
|
|
## Cross Account Attacks
|
|
|
|
In the talk [**Breaking the Isolation: Cross-Account AWS Vulnerabilities**](https://www.youtube.com/watch?v=JfEFIcpJ2wk) it's presented how some services allow(ed) any AWS account accessing them because **AWS services without specifying accounts ID** were allowed.
|
|
|
|
During the talk they specify several examples, such as S3 buckets **allowing cloudtrai**l (of **any AWS** account) to **write to them**:
|
|
|
|
.png>)
|
|
|
|
Other services found vulnerable:
|
|
|
|
* AWS Config
|
|
* Serverless repository
|
|
|
|
## Tools
|
|
|
|
* [**cloud\_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT tool. **Find public resources** in AWS, Azure, and Google Cloud. Supported AWS services: Open / Protected S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, etc.)
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|