BAWS 02 – Dumping EBS Secrets

Authenticated Reconnaissance

Once you have a pair of valid AWS Account and Access keys, you can start enumerating resources and roles available to that user. 

Enumerating IAM Permissions

Firstly we would like to retrieve information about AWS IAM user or role making the call and the Account ID. The Account ID is a unique identifier of an AWS account.

aws sts get-caller-identity

Return information about the user, including Permissions Boundary, Password Last Used, etc:  

aws iam get-user --user-name <breached_username>

Returns a list of policies attached to the target user:

aws iam list-user-policies –user-name <breached_username>

Returns in-line policies attached to a user:

aws iam list-attached-user-policies --user-name <breached_username>

Retrieves a specific in-line policy:

aws iam get-user-policy --user-name <breached_username> --policy-name <policyname>

Using automated tools such as Pacu you can easily enumerate the permissions assigned to the compromised user. It should be noted that depending on the level of security maturity of the organisation, all actions will be recorded on AWS CloudTrail logs.

What is Pacu?

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality.

> run iam__enum_permissions

Enumerating AWS Resources

Amazon cloud infrastructure is hosted in different locations around the world. These locations are classified to 32 AWS Regions, 102 Availability Zones, and Local Zones. Each AWS Region is a separate geographic area. Each AWS Region has multiple, isolated locations known as Availability Zones.

Each AWS region operates independently and may offer different services and features, providing a flexible and robust infrastructure for deploying applications globally. The full list of regions can be found here

Elastic Compute Cloud EC2

Amazon Web Services (AWS) Elastic Compute Cloud (EC2) is a web service that provides resizable compute capacity in the cloud. EC2 is one of AWS’s most popular services and is designed to make web-scale cloud computing easier for developers. It allows you to run virtual servers, known as instances, on-demand. These instances can be customised based on computing capacity, storage, and networking options, giving you the flexibility to choose the right mix of resources for your applications.

EC2 is well-integrated with other AWS services like Amazon RDS, AWS Lambda, and Amazon S3, making it easier to build comprehensive cloud-based applications. In terms of security features, EC2s can be placed in network segments that are isolated called Virtual Private Clouds (VPCs).

To describe EC2 instances, you can use:

aws ec2 describe-instances

Next, to list EBS volumes use the describe command:

aws ec2 describe-volumes

And, if you want to describe EBS snapshots:

aws ec2 describe-snapshots

Ensure that your AWS CLI is configured with the correct credentials using aws configure before running these commands.

Also, keep in mind that these commands will return JSON outputs by default. If you have a specific attribute you’re interested in, you can make use of the –query parameter to filter the output.

Amazon Elastic Block Store (EBS)

Amazon Elastic Block Store (EBS) is a block storage service designed to be used with Amazon Elastic Compute Cloud (EC2) instances for both throughput and transaction-intensive workloads at any scale. Offered by Amazon Web Services (AWS), EBS provides scalable, durable, high-performance storage that can be attached to running EC2 instances and used like a traditional hard drive.
EBS volumes behave like raw, unformatted block devices that can be attached to a single EC2 instance. You can create an EBS volume independently and then attach it to an EC2 instance or create an EBS volume as part of the EC2 instance launch.
The data stored on an EBS volume persists independently of the life of the associated EC2 instance, unlike instance store volumes that are ephemeral.

To list all EBS volumes:

aws ec2 describe-volumes

Amazon Elastic Block Store (EBS) Snapshot

An Amazon Elastic Compute Cloud (Amazon EC2) snapshot is a point-in-time copy of an Amazon Elastic Block Store (Amazon EBS) volume. It captures the data and configuration of an EBS volume, allowing you to create a backup or replicate volumes for data protection, disaster recovery, or creating new instances with similar configurations. EC2 snapshots are crucial for ensuring the durability and availability of your data, as they enable you to recover from data loss or system failures, and efficiently manage your EC2 instances and storage resources.

List the publicly available and the one that you may have access to EC2 snapshots:

aws ec2 describe-snapshots --region <region>