Add dufflebag tool and cleanup
lanjelot committed Dec 18, 2020
1 parent f7e8f51 commit 4b9baf3
Showing 1 changed file with 34 additions and 69 deletions.
103 changes: 34 additions & 69 deletions Methodology and Resources/Cloud - AWS Pentest.md
Expand Up @@ -36,10 +36,8 @@

## Tools

* **SkyArk** : Discover the most privileged users in the scanned AWS environment - including the AWS Shadow Admins.
Require:
- Read-Only permissions over IAM service

* [SkyArk](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins
* Requires read-Only permissions over IAM service
```powershell
$ git clone https://github.com/cyberark/SkyArk
$ powershell -ExecutionPolicy Bypass -NoProfile
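Review bot: the new requirement sub-bullet reads "Requires read-Only permissions"; lowercase "read-only" matches the rest of the list. The fence is also tagged `powershell` although the first two lines are shell commands with a `$` prompt, so consider tagging it `bash` or dropping the prompt characters so the block is copy-pasteable.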
Expand All @@ -52,10 +50,8 @@
PS C> Scan-AWShadowAdmins
```
* **Pacu** : Pacu allows penetration testers to exploit configuration flaws within an AWS environment using an extensible collection of modules with a diverse feature-set.
Require:
- AWS Keys
* [Pacu](https://github.com/RhinoSecurityLabs/pacu) - Exploit configuration flaws within an AWS environment using an extensible collection of modules with a diverse feature-set
* Requires AWS Keys
```powershell
$ git clone https://github.com/RhinoSecurityLabs/pacu
$ bash install.sh
Expand All @@ -68,7 +64,7 @@
# https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details
```
* **Bucket Finder** : Search for readable buckets and list all the files in them https://digi.ninja/
* [Bucket Finder](https://digi.ninja/projects/bucket_finder.php) - Search for public buckets, list and download all files if directory indexing is enabled
```powershell
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
./bucket_finder.rb my_words
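Review bot: "if directory indexing is enabled" describes web servers, not S3; what the tool relies on is public bucket listing (the `ListBucket` permission granted to everyone), so "if public bucket listing is enabled" is the accurate wording for a reader who then wants to check or fix that setting.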
Expand All @@ -83,7 +79,7 @@
./bucket_finder.rb --log-file bucket.out my_words
```
* **Boto3** : Amazon Web Services (AWS) SDK for Python https://boto3.amazonaws.com/v1/documentation/api/latest/index.html
* [Boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) - Amazon Web Services (AWS) SDK for Python
```python
import boto3
# Create an S3 client
Expand All @@ -96,9 +92,10 @@
print(e)
```
* **Prowler** : AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks including GDPR and HIPAA (+100).
Require:
- arn:aws:iam::aws:policy/SecurityAudit
* [Prowler](https://github.com/toniblyx/prowler) - AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness
> It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks including GDPR and HIPAA (+100).
* Require: arn:aws:iam::aws:policy/SecurityAudit
```powershell
$ pip install awscli ansi2html detect-secrets
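Review bot: "Require: arn:aws:iam::aws:policy/SecurityAudit" is inconsistent with the "Requires ..." wording used for SkyArk and Pacu and would read better as "* Requires the `arn:aws:iam::aws:policy/SecurityAudit` managed policy". Also the `>` quote line inserted between the bullet and its sub-bullet is not indented, so in most markdown renderers it terminates the list item and the sub-bullet starts a new list.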
Expand All @@ -109,7 +106,7 @@
$ ./prowler -A 123456789012 -R ProwlerRole # sts assume-role
```
* **Principal Mapper** : A tool for quickly evaluating IAM permissions in AWS
* [Principal Mapper](https://github.com/nccgroup/PMapper) - A tool for quickly evaluating IAM permissions in AWS
```powershell
https://github.com/nccgroup/PMapper
pip install principalmapper
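Review bot: with the repository URL now in the bullet link, the bare `https://github.com/nccgroup/PMapper` line inside the code block duplicates it and is not a command; drop it from the fence so the block contains only runnable lines.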
Expand All @@ -134,7 +131,7 @@
pmapper argquery --principal '*' --resource user/PowerUser --preset connected
```
* **ScoutSuite** : Multi-Cloud Security Auditing Tool https://github.com/nccgroup/ScoutSuite/wiki
* [ScoutSuite](https://github.com/nccgroup/ScoutSuite/wiki) - Multi-Cloud Security Auditing Tool
```powershell
$ git clone https://github.com/nccgroup/ScoutSuite
$ python scout.py PROVIDER --help
Expand All @@ -143,23 +140,23 @@
$ python scout.py azure --cli
```
* **s3_objects_check** : Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files
* [s3_objects_check](https://github.com/nccgroup/s3_objects_check) - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files
```powershell
$ git clone https://github.com/nccgroup/s3_objects_check && cd s3_objects_check
$ git clone https://github.com/nccgroup/s3_objects_check
$ python3 -m venv env && source env/bin/activate
$ pip install -r requirements.txt
$ python s3-objects-check.py -h
$ python s3-objects-check.py -p whitebox-profile -e blackbox-profile
```
* **weirdAAL** : AWS Attack Library https://github.com/carnal0wnage/weirdAAL/wiki
* [weirdAAL](https://github.com/carnal0wnage/weirdAAL/wiki) - AWS Attack Library
```powershell
python3 weirdAAL.py -m ec2_describe_instances -t demo
python3 weirdAAL.py -m lambda_get_account_settings -t demo
python3 weirdAAL.py -m lambda_get_function -a 'MY_LAMBDA_FUNCTION','us-west-2' -t yolo
```
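Review bot: the rewritten clone line drops `&& cd s3_objects_check`, so the following `python3 -m venv env`, `pip install -r requirements.txt` and `python s3-objects-check.py -h` run in the parent directory and fail to find the project files; keep the `cd` on the clone line or add a separate `cd s3_objects_check` step.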
* **cloudmapper** : CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
* [cloudmapper](https://github.com/duo-labs/cloudmapper.git) - CloudMapper helps you analyze your Amazon Web Services (AWS) environments
```powershell
git clone https://github.com/duo-labs/cloudmapper.git
# sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli
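Review bot: the bullet link points at `https://github.com/duo-labs/cloudmapper.git`, which is the clone URL; for the link use `https://github.com/duo-labs/cloudmapper` (the `.git` form belongs only in the `git clone` line that follows).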
Expand All @@ -174,6 +171,9 @@
find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges
```
* [dufflebag](https://labs.bishopfox.com/dufflebag) - Find secrets that are accidentally exposed via Amazon EBS’s “public” mode
## AWS Patterns
| Service | URL |
|-------------|--------|
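Review bot: the new dufflebag entry is the only tool in the list without a requirements line or a usage block (dufflebag scans public EBS snapshots, so noting that it needs AWS credentials and the basic invocation would keep it consistent with the other entries), and there is no blank line between the bullet and `## AWS Patterns`, so the heading runs directly into the list.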
Expand Down Expand Up @@ -205,7 +205,7 @@
## AWS - Metadata SSRF
> AWS released an additional security defences against the attack.
> AWS released additional security defences against the attack.
:warning: Only working with IMDSv1.
Enabling IMDSv2 : `aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required`.
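Review bot: the unchanged IMDSv2 command directly below the fixed line uses `--http-token required`; the AWS CLI option is `--http-tokens required` (plural), so the command as written is rejected by the CLI.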
Expand Down Expand Up @@ -421,20 +421,19 @@ https://signin.aws.amazon.com/federation?Action=login&Issuer=consoler.local&Dest

:warning: EBS snapshots are block-level incremental, which means that every snapshot only copies the blocks (or areas) in the volume that had been changed since the last snapshot. To restore your data, you need to create a new EBS volume from one of your EBS snapshots. The new volume will be a duplicate of the initial EBS volume on which the snapshot was taken.

Step 1: Head over to EC2 –> Volumes and create a new volume of your preferred size and type.
Step 2: Select the created volume, right click and select the "attach volume" option.
Step 3: Select the instance from the instance text box as shown below : `attach ebs volume`
```powershell
aws ec2 create-volume –snapshot-id snapshot_id --availability-zone zone
aws ec2 attach-volume –-volume-id volume_id –-instance-id instance_id --device device
```

Step 4: Now, login to your ec2 instance and list the available disks using the following command : `lsblk`
Step 5: Check if the volume has any data using the following command : `sudo file -s /dev/xvdf`
Step 6: Format the volume to ext4 filesystem using the following command : `sudo mkfs -t ext4 /dev/xvdf`
Step 7: Create a directory of your choice to mount our new ext4 volume. I am using the name “newvolume” : `sudo mkdir /newvolume`
Step 8: Mount the volume to "newvolume" directory using the following command : `sudo mount /dev/xvdf /newvolume/`
Step 9: cd into newvolume directory and check the disk space for confirming the volume mount : `cd /newvolume; df -h .`
1. Head over to EC2 –> Volumes and create a new volume of your preferred size and type.
2. Select the created volume, right click and select the "attach volume" option.
3. Select the instance from the instance text box as shown below : `attach ebs volume`
```powershell
aws ec2 create-volume –snapshot-id snapshot_id --availability-zone zone
aws ec2 attach-volume –-volume-id volume_id –-instance-id instance_id --device device
```
4. Now, login to your ec2 instance and list the available disks using the following command : `lsblk`
5. Check if the volume has any data using the following command : `sudo file -s /dev/xvdf`
6. Format the volume to ext4 filesystem using the following command : `sudo mkfs -t ext4 /dev/xvdf`
7. Create a directory of your choice to mount our new ext4 volume. I am using the name “newvolume” : `sudo mkdir /newvolume`
8. Mount the volume to "newvolume" directory using the following command : `sudo mount /dev/xvdf /newvolume/`
9. cd into newvolume directory and check the disk space for confirming the volume mount : `cd /newvolume; df -h .`


## AWS - Copy EC2 using AMI Image
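Review bot: step 6 (`sudo mkfs -t ext4 /dev/xvdf`) formats a volume that was just created from a snapshot, which wipes the data the procedure is meant to recover; for a snapshot-backed volume the `mkfs` step should be skipped and the existing filesystem mounted directly, using the `file -s` output from step 5 to confirm it is not raw `data`. The CLI lines also use an en dash: `–snapshot-id`, `–-volume-id` and `–-instance-id` should be `--snapshot-id`, `--volume-id` and `--instance-id`. Finally, the unindented fenced block between items 3 and 4 breaks the numbered list in most renderers (items 4 to 9 restart at 1), so indent it under item 3.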
Expand Down Expand Up @@ -541,7 +540,6 @@ Prerequisite:
13. SFTP get `"/home/ec2-user/ntds.dit ./ntds.dit"`
14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path


## Disable CloudTrail

```powershell
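Review bot: in unchanged step 14 the quoted command opens with a double quote and closes with a single quote (`"secretsdump.py ... -outputfile secrets'`), so the quoting is mismatched; use the same quote character on both ends.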
Expand All @@ -560,12 +558,11 @@ Disable Cloud Trail on specific regions
$ aws cloudtrail update-trail --name cloudgoat_trail --no-include-global-service-event --no-is-multi-region --region=eu-west
```


## Cover tracks by obfuscating Cloudtrail logs and Guard Duty

:warning: When using awscli on Kali Linux, Pentoo and Parrot Linux, a log is generated based on the user-agent.

Pacu bypass this problem by defining a custom User-agent (https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu.py#L1473)
Pacu bypass this problem by defining a custom User-Agent (https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu.py#L1473)

```python
boto3_session = boto3.session.Session()
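Review bot: "Pacu bypass this problem" should be "Pacu bypasses this problem" (the capitalisation fix to "User-Agent" is correct, since that is the header name).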
Expand All @@ -575,37 +572,6 @@ if 'kali' in ua.lower() or 'parrot' in ua.lower() or 'pentoo' in ua.lower(): #
self.print('Detected environment as one of Kali/Parrot/Pentoo Linux. Modifying user agent to hide that from GuardDuty...')
```

### PenTest:IAMUser/KaliLinux

#### Finding description

**An API was invoked from a Kali Linux EC2 instance\.**

This finding informs you that a machine running Kali Linux is making API calls using credentials that belong to your AWS account\. Your credentials might be compromised\. Kali Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching\. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment\. For more information, see [Remediating Compromised AWS Credentials](guardduty_remediate.md#compromised-creds)\.

#### Default severity: Medium

### PenTest:IAMUser/ParrotLinux

#### Finding description

**An API was invoked from a Parrot Security Linux EC2 instance\.**

This finding informs you that a machine running Parrot Security Linux is making API calls using credentials that belong to your AWS account\. Your credentials might be compromised\. Parrot Security Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching\. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment\. For more information, see [Remediating Compromised AWS Credentials](guardduty_remediate.md#compromised-creds)\.

#### Default severity: Medium

### PenTest:IAMUser/PentooLinux

#### Finding description

**An API was invoked from a Pentoo Linux EC2 instance\.**

This finding informs you that a machine running Pentoo Linux is making API calls using credentials that belong to your AWS account\. Your credentials might be compromised\. Pentoo Linux is a popular penetration testing tool that security professionals use to identify weaknesses in EC2 instances that require patching\. Attackers also use this tool to find EC2 configuration weaknesses and gain unauthorized access to your AWS environment\. For more information, see [Remediating Compromised AWS Credentials](guardduty_remediate.md#compromised-creds)\.

#### Default severity: Medium<a name="pentest3_severity"></a>


## Security checks

https://github.com/DenizParlak/Zeus
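Review bot: removing the three GuardDuty finding descriptions drops the only reference to the finding names (`PenTest:IAMUser/KaliLinux`, `PenTest:IAMUser/ParrotLinux`, `PenTest:IAMUser/PentooLinux`) that the user-agent paragraph above is about, so a reader can no longer tell which detections are being discussed or what severity they carry; keep at least a one-line list of the finding names with a link to the GuardDuty documentation in place of the full copied text.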
Expand Down Expand Up @@ -658,7 +624,6 @@ https://github.com/DenizParlak/Zeus
* Ensure a log metric filter and alarm exist for route table changes
* Ensure a log metric filter and alarm exist for VPC changes


## References

* [An introduction to penetration testing AWS - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-aws/)