AWS
#Few links to check
https://3bodymo.medium.com/how-i-earned-by-amazon-s3-bucket-misconfigurations-29d51ee510de
https://logicbomb.medium.com/a-bug-worth-1-75lacs-aws-ssrf-to-rce-8d43d5fda899
https://notifybugme.medium.com/unveiling-a-critical-vulnerability-exposing-aws-credentials-in-a-penetration-test-2f7119a7c816
https://medium.com/@qaafqasim/the-ultimate-guide-to-hack-s3-buckets-data-leaks-and-discovery-techniques-40a29641d18b
https://raymondlind.medium.com/ssrf-bug-leads-to-aws-metadata-exposure-f2ee7d43c6c3
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
https://youtu.be/Aizjgeq1Yek
https://medium.com/bug-bounty-hunting/aws-top-10-vulnerabilities-fe5fa93bac64
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
https://sirleeroyjenkins.medium.com/bypassing-ssrf-protection-to-exfiltrate-aws-metadata-from-larksuite-bf99a3599462
https://blog.intigriti.com/hacking-tools/hacking-misconfigured-aws-s3-buckets-a-complete-guide
https://cyb3rmind.medium.com/5-bug-bounty-series-by-aws-s3-bucket-misconfigurations-fb645057d03e
https://medium.com/bug-bounty-hunting/aws-security-for-noobs-97f9759ec23a
https://ozguralp.medium.com/write-up-aws-document-signing-security-control-bypass-2b13a9c22a4d
https://medium.com/@dante.falls/how-to-find-and-test-s3-buckets-for-bug-bounty-b91166f9b4e0
https://medium.com/@terminalsandcoffee/aws-iam-privilege-escalation-by-policy-misconfiguration-4be3aec755d4
https://satyasai1460.medium.com/how-js-file-helped-me-to-find-and-exploit-aws-access-key-and-secret-e09b4219831d
https://medium.com/@ar_hawk/from-google-dorking-to-unauthorized-aws-account-access-and-account-takeover-89eb2b9d284f
https://akash-venky091.medium.com/aws-s3-bucket-misconfigurations-and-exploitations-6d89546eec54
https://infosecwriteups.com/aws-s3-bucket-misconfiguration-exposes-pii-and-documents-of-job-seekers-7b1332b0ecf1?gi=9a8958be01c6
You can find buckets by brute-forcing names derived from the company you are pentesting (the company name combined with common suffixes and prefixes such as backup, dev, staging, assets). An unauthenticated request to https://<name>.s3.amazonaws.com/ answers 404 NoSuchBucket when the name is free, 403 AccessDenied when the bucket exists but is private, and 200 with a ListBucketResult body when anonymous listing is allowed:
https://github.com/sa7mon/S3Scanner
https://github.com/clario-tech/s3-inspector
https://github.com/jordanpotti/AWSBucketDump (Contains a list with potential bucket names)
https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets
https://github.com/smaranchand/bucky
https://github.com/tomdev/teh_s3_bucketeers
https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3
https://github.com/Eilonh/s3crets_scanner
https://github.com/belane/CloudHunter
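The two halves of that workflow, name permutation and response classification, as an added example in Python. This is not code from any of the tools listed above; the wordlist is a small illustrative one, and the probe uses path-style URLs on s3.amazonaws.com because virtual-hosted URLs for bucket names containing dots fail TLS certificate validation against the *.s3.amazonaws.com wildcard.

```python
"""Generate candidate S3 bucket names for a target and classify the answers to
unauthenticated probes.  Added example, not code from any tool linked above."""
import itertools
import re
import sys
import http.client

# Assumption: a short illustrative wordlist; the linked tools ship far larger ones.
WORDS = ["backup", "backups", "dev", "staging", "prod", "assets",
         "static", "uploads", "logs", "data", "media"]
SEPARATORS = ["", "-", ".", "_"]   # "_" is never valid in a bucket name and is filtered below

# S3 naming rules: 3-63 chars, lowercase letters, digits, dots and hyphens,
# alphanumeric at both ends, no "..", and not shaped like an IPv4 address.
NAME_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")
IPV4_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def valid_bucket_name(name):
    return bool(NAME_RE.match(name)) and ".." not in name and not IPV4_RE.match(name)


def candidate_names(company, words=WORDS, seps=SEPARATORS):
    """Unique, rule-conforming permutations: base, base<sep>word, word<sep>base."""
    base = company.lower().strip()
    forms = [base]
    for word, sep in itertools.product(words, seps):
        forms += [base + sep + word, word + sep + base]
    seen, out = set(), []
    for name in forms:
        if name not in seen and valid_bucket_name(name):
            seen.add(name)
            out.append(name)
    return out


def classify(status, body):
    """Map the response to an unauthenticated GET on the bucket root to a verdict."""
    body = body or ""
    if status == 404 and "NoSuchBucket" in body:
        return "missing"              # name is free; a takeover candidate if DNS still points here
    if status == 200 and "ListBucketResult" in body:
        return "public-listable"      # anonymous listing works: enumerate the objects next
    if status == 403 and "AllAccessDisabled" in body:
        return "disabled"             # bucket exists but AWS has locked it
    if status == 403:
        return "exists-private"       # AccessDenied: exists, retry with any credentials you hold
    if status in (301, 307):
        return "exists-other-region"  # redirect from the global endpoint: bucket lives elsewhere
    if status == 400 and "InvalidBucketName" in body:
        return "invalid"
    return "unknown-%d" % status


def probe(name, timeout=5):
    """Live probe (needs network); only classify() is exercised offline."""
    conn = http.client.HTTPSConnection("s3.amazonaws.com", timeout=timeout)
    conn.request("GET", "/%s/" % name)          # path-style: safe for dotted names
    resp = conn.getresponse()
    body = resp.read(4096).decode("utf-8", "replace")
    conn.close()
    return classify(resp.status, body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "acme"
    for n in candidate_names(target):
        print(n, probe(n) if "--probe" in sys.argv else "")
```

Run it with a company name to print the permutations, and add --probe to query S3 for each. Treat 403 as a positive result: the bucket exists, and credentials from any other finding (leaked keys, an SSRF to the metadata service) may read it even when anonymous access does not.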
#Tips for Recon
Enumerate AWS Services: Use tools to enumerate AWS-specific resources and endpoints (e.g., *.s3.amazonaws.com, *.execute-api.amazonaws.com, *.cloudfront.net, *.elb.amazonaws.com). cloud_enum (github.com/initstring/cloud_enum) can be used for this.
Inspect Subdomains & DNS Records: Look for CNAME and ALIAS records pointing to AWS resources; they reveal which services are in use, their region, and sometimes a resource identifier (bucket name, API id) to test directly. A CNAME to an S3 bucket that no longer exists is a subdomain takeover candidate.
Focus on Least Privilege & Least Exposure: Identify and exploit resources where least privilege (over-broad IAM policies, roles any principal can assume) or least exposure (public buckets, open security groups, internet-facing databases) is not enforced.
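A parser for the AWS hostname shapes that show up behind CNAME records, as an added example run over constructed zone data. It is not code from cloud_enum or any other tool named here; the hostname patterns cover the common commercial-region endpoint formats and are an assumption, not an exhaustive list of AWS naming variants.

```python
"""Pick out DNS records whose targets are AWS endpoints and extract the identifiers
worth following up (bucket names, API ids, load balancer names, regions).
Added example over constructed records; not code from any tool on this page."""
import re

REGION = r"(?P<region>[a-z]{2}-[a-z]+-\d)"   # assumption: commercial regions only

# Hostname shapes for common AWS services; order matters (s3-website before s3).
PATTERNS = [
    ("s3-website",  re.compile(r"^(?P<name>[a-z0-9.-]+)\.s3-website[.-]" + REGION + r"\.amazonaws\.com$")),
    ("s3",          re.compile(r"^(?P<name>[a-z0-9.-]+)\.s3(?:[.-]" + REGION + r")?\.amazonaws\.com$")),
    ("cloudfront",  re.compile(r"^(?P<name>[a-z0-9]+)\.cloudfront\.net$")),
    ("api-gateway", re.compile(r"^(?P<name>[a-z0-9]+)\.execute-api\." + REGION + r"\.amazonaws\.com$")),
    ("elb",         re.compile(r"^(?:dualstack\.)?(?P<name>[a-z0-9-]+)\." + REGION + r"\.elb\.amazonaws\.com$")),
    ("nlb",         re.compile(r"^(?P<name>[a-z0-9-]+)\.elb\." + REGION + r"\.amazonaws\.com$")),
    ("beanstalk",   re.compile(r"^(?P<name>[a-z0-9.-]+)\." + REGION + r"\.elasticbeanstalk\.com$")),
    ("rds",         re.compile(r"^(?P<name>[a-z0-9-]+)\.[a-z0-9]+\." + REGION + r"\.rds\.amazonaws\.com$")),
    ("ec2",         re.compile(r"^ec2-(?P<ip>\d+-\d+-\d+-\d+)\.(?:" + REGION + r"\.compute|compute-1)\.amazonaws\.com$")),
]


def classify_target(hostname):
    """Return {"service", "target", "name", "region"...} or None for non-AWS targets."""
    host = hostname.rstrip(".").lower()
    for service, pat in PATTERNS:
        m = pat.match(host)
        if m:
            info = {"service": service, "target": host}
            info.update({k: v for k, v in m.groupdict().items() if v})
            return info
    return None


def find_aws_records(records):
    """records: iterable of (owner, rtype, value), e.g. from a zone transfer or
    a resolver sweep.  One finding per CNAME/ALIAS that points at AWS."""
    findings = []
    for owner, rtype, value in records:
        if rtype.upper() not in ("CNAME", "ALIAS"):
            continue
        info = classify_target(value)
        if not info:
            continue
        info["owner"] = owner.rstrip(".").lower()
        if info["service"] in ("s3", "s3-website"):
            # A CNAME to a bucket that no longer exists is a classic takeover:
            # anyone can create the bucket and serve content on the owner name.
            info["followup"] = "confirm bucket exists; NoSuchBucket => takeover candidate"
        elif info["service"] == "api-gateway":
            info["followup"] = "probe stages of API %s for unauthenticated routes" % info["name"]
        findings.append(info)
    return findings


# Constructed sample zone data, not real records.
SAMPLE_RECORDS = [
    ("www.example.com.",    "CNAME", "d1234abcd.cloudfront.net."),
    ("assets.example.com.", "CNAME", "assets.example.com.s3-website-us-east-1.amazonaws.com."),
    ("api.example.com.",    "CNAME", "ab12cd34ef.execute-api.eu-west-1.amazonaws.com."),
    ("app.example.com.",    "CNAME", "app-prod-1234567890.us-east-1.elb.amazonaws.com."),
    ("db.example.com.",     "CNAME", "prod-db.abcdefghij12.us-east-1.rds.amazonaws.com."),
    ("mail.example.com.",   "MX",    "10 mail.example.com."),
    ("old.example.com.",    "CNAME", "old-example-assets.s3.amazonaws.com."),
]

if __name__ == "__main__":
    for finding in find_aws_records(SAMPLE_RECORDS):
        print(finding)
```

Feed it the CNAME/ALIAS values you collect during subdomain enumeration; each finding carries the service, region and resource identifier, which is what you need to go straight to the bucket probe or the API Gateway stage tests.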
#Simple Checklist
S3 Buckets
Publicly Accessible Buckets: Identify buckets that allow unauthenticated read (listing or object download) or write access, and look for sensitive files and backups. Anonymous write is the more serious finding, since it allows planting content or overwriting backups.
Misconfigured ACLs and Policies: Check bucket ACLs for grants to AllUsers or AuthenticatedUsers (the latter means any AWS account, not just the owner's), bucket policies with Principal "*", and whether S3 Block Public Access is enabled at the account and bucket level. Review IAM policies that grant s3:* or s3:GetObject on a Resource of "*".
AWS Identity and Access Management (IAM)
Over-Permissive IAM Roles: Check for roles and policies that grant excessive permissions (Action "*", iam:*, or iam:PassRole alongside a service that launches compute such as ec2:RunInstances or lambda:CreateFunction); these are the usual privilege-escalation paths.
Unused Credentials & Access Keys: Look for inactive users and old access keys that still provide access; the IAM credential report lists each key's last-used date and whether the user has MFA.
EC2 Instances
Open Ports & Misconfigured Security Groups: Scan for unnecessary open ports (SSH 22, RDP 3389, MySQL 3306, and so on) and security groups that allow them from 0.0.0.0/0. Overly permissive security groups turn a local service issue into a remote attack.
Metadata Service Exploits: Test whether an SSRF can reach the instance metadata service at 169.254.169.254 and read role credentials from /latest/meta-data/iam/security-credentials/. Check whether the instance requires IMDSv2 (HttpTokens=required): a GET-only SSRF cannot obtain the session token, which must be requested with a PUT, so IMDSv2 blocks the classic credential theft.
AWS Lambda Functions
Insecure Public Invocation: Check for function URLs with auth type NONE and for API Gateway routes that invoke functions without an authorizer.
Environment Variable Leaks: Look for secrets (API keys, passwords, database connection strings) stored in plain environment variables; anyone with lambda:GetFunction can read them from the function configuration.
Amazon RDS (Relational Database Service)
Database Exposure: Ensure RDS instances are not publicly accessible and that their security groups do not allow the database port from 0.0.0.0/0. Also check for DB snapshots shared publicly, which expose the whole database without any network access.
Weak IAM and Security Group Configurations: Check that databases are protected by restrictive security groups and, where used, IAM database authentication rather than a shared password.
Amazon API Gateway
Unauthorized Access: Test whether APIs enforce authentication and authorization on every route and stage; look for open endpoints and for stages (dev, test) that lack the authorizer the prod stage has.
Information Disclosure in API Responses: Check whether APIs return excessive information (stack traces, internal hostnames, other users' data) that aids reconnaissance or leaks sensitive data.
CloudFront
Insecure Content Delivery: Ensure distributions don't cache and serve responses that should be per-user (authenticated pages, API responses), and that origins such as S3 buckets or load balancers cannot be reached directly, bypassing the WAF or authentication placed on CloudFront.
Header Manipulation and CORS Misconfigurations: Check for missing security headers and for CORS policies that reflect arbitrary origins, which can leak data to attacker-controlled sites.
Elastic Load Balancer (ELB)
Exposed Internal Services: Verify that internet-facing load balancers are not forwarding to admin interfaces or internal services that were meant to stay private.
Weak Security Policies: Check listener TLS policies for old protocol versions (TLS 1.0/1.1) and weak ciphers that compromise data in transit.
AWS Secrets Manager & Systems Manager (SSM)
Unrestricted Secrets Access: Ensure access to Secrets Manager secrets and SSM Parameter Store parameters is scoped; a policy granting secretsmanager:GetSecretValue or ssm:GetParameter* on Resource "*" hands every secret to whoever holds it.
Hardcoded Credentials in Code: Inspect application code, config files and deployment scripts for hardcoded secrets that should be in Secrets Manager.
CloudTrail & CloudWatch Logs
Logging Misconfigurations: Verify that a multi-region CloudTrail trail is enabled with log file validation, so unauthorized or malicious activity in any region is recorded.
Unrestricted Log Access: Ensure the trail's S3 bucket and log groups are not publicly readable or writable by unintended principals; an attacker with delete rights on the bucket can erase evidence.
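The S3 and IAM items above both come down to reading policy documents, so here is one added example that does both: it flags bucket-policy statements open to everyone and identity-policy statements carrying known privilege-escalation actions. The policies are constructed, the code is not an AWS tool, and the privesc list is a subset of the paths catalogued in Rhino Security Labs' IAM privilege-escalation research (assumption: illustrative, not complete).

```python
"""Static review of policy documents: which bucket-policy statements open a
bucket to everyone, and which identity-policy statements carry actions that are
known privilege-escalation paths.  Added example over constructed policies."""
import fnmatch
import json

# Assumption: a subset of the documented IAM privesc paths, not the full list.
PRIVESC_ACTIONS = {
    "iam:CreatePolicyVersion":     "add a new default version that allows * on *",
    "iam:SetDefaultPolicyVersion": "switch to an older, broader policy version",
    "iam:AttachUserPolicy":        "attach AdministratorAccess to your own user",
    "iam:AttachGroupPolicy":       "attach AdministratorAccess to a group you are in",
    "iam:AttachRolePolicy":        "attach AdministratorAccess to a role you can assume",
    "iam:PutUserPolicy":           "write an inline admin policy on your own user",
    "iam:CreateAccessKey":         "mint access keys for a more privileged user",
    "iam:CreateLoginProfile":      "set a console password on a more privileged user",
    "iam:UpdateAssumeRolePolicy":  "let yourself assume a privileged role",
    "lambda:UpdateFunctionCode":   "run your code under an existing function's role",
}
# iam:PassRole is only a path when paired with something that launches compute.
PASSROLE_PARTNERS = ["ec2:RunInstances", "lambda:CreateFunction",
                     "cloudformation:CreateStack", "glue:CreateDevEndpoint"]


def _as_list(x):
    return [] if x is None else (x if isinstance(x, list) else [x])


def _statements(policy):
    if isinstance(policy, str):
        policy = json.loads(policy)
    return _as_list(policy.get("Statement"))


def _allows(patterns, action):
    """Does any Action pattern (IAM-style * wildcards, case-insensitive) cover action?"""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_bucket_statements(policy):
    """Allow statements whose Principal is everyone.  Conditions are reported,
    not trusted: aws:Referer or aws:UserAgent checks are trivially spoofed."""
    out = []
    for st in _statements(policy):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = _as_list(st.get("Action"))
        cond = st.get("Condition", {})
        out.append({
            "sid": st.get("Sid", "<no sid>"),
            "actions": actions,
            "write": any(_allows(actions, a) for a in ("s3:PutObject", "s3:DeleteObject")),
            "conditions": sorted(k for op in cond.values() for k in op),
        })
    return out


def privesc_actions(policy):
    """(sid, path, why) for an identity policy.  Only Allow/Action is evaluated;
    Deny statements, NotAction and Resource scoping are left for manual review."""
    hits, all_actions = [], []
    for st in _statements(policy):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        all_actions += actions
        for action, why in PRIVESC_ACTIONS.items():
            if _allows(actions, action):
                hits.append((st.get("Sid", "<no sid>"), action, why))
    # PassRole and its partner often sit in different statements, so check policy-wide.
    if _allows(all_actions, "iam:PassRole"):
        for partner in PASSROLE_PARTNERS:
            if _allows(all_actions, partner):
                hits.append(("<policy>", "iam:PassRole+" + partner,
                             "launch %s with a privileged role attached" % partner.split(":")[0]))
    return hits


# Constructed policies (example account id and bucket, not real resources).
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "OwnerAll", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-assets", "arn:aws:s3:::example-assets/*"]}]}
DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Launch", "Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
    {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Sid": "Read", "Effect": "Allow", "Action": "iam:Get*", "Resource": "*"}]}

if __name__ == "__main__":
    print(public_bucket_statements(PUBLIC_READ))
    print(privesc_actions(DEV_POLICY))
```

Point it at the JSON from get-bucket-policy or the policy documents dumped by get-account-authorization-details. A hit is a lead, not a proof: Resource scoping, permission boundaries and SCPs can still block the path, so confirm each one with the actual API call in the target account.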
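For the EC2 metadata item, the difference between IMDSv1 and IMDSv2 is a protocol difference, so here is an added example that stands up a local stand-in for 169.254.169.254 and runs both a GET-only SSRF and the legitimate IMDSv2 exchange against it in each mode. The server, the role name and the credential values are constructed; this is not AWS's service or code, only the request sequence it enforces.

```python
"""Mock of the EC2 instance metadata service showing why a GET-only SSRF reaches
role credentials under IMDSv1 but not when IMDSv2 is required.  Added example;
the server is a local stand-in and every credential value is constructed."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"
FAKE_ROLE = "app-role"                                   # constructed
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "constructed",
              "Token": "constructed-session-token"}      # constructed


class ImdsHandler(BaseHTTPRequestHandler):
    tokens = set()
    require_token = False   # False = HttpTokens=optional (IMDSv1 works), True = required

    def log_message(self, *args):
        pass

    def _send(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # IMDSv2 session start: PUT /latest/api/token with a TTL header.
        if self.path == "/latest/api/token" and self.headers.get(TTL_HDR):
            tok = secrets.token_urlsafe(24)
            ImdsHandler.tokens.add(tok)
            return self._send(200, tok)
        self._send(400, "missing TTL header")

    def do_GET(self):
        if ImdsHandler.require_token and self.headers.get(TOKEN_HDR) not in ImdsHandler.tokens:
            return self._send(401, "Unauthorized")      # what IMDSv2-only returns to a bare GET
        if self.path == CRED_PATH:
            return self._send(200, FAKE_ROLE)
        if self.path == CRED_PATH + FAKE_ROLE:
            return self._send(200, json.dumps(FAKE_CREDS))
        self._send(404, "not found")


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), ImdsHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, method="GET", headers=None):
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=3) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def ssrf_get_credentials(base_url):
    """What a typical SSRF can do: plain GETs, no custom headers, no PUT."""
    status, role = fetch(base_url + CRED_PATH)
    if status != 200:
        return None
    status, body = fetch(base_url + CRED_PATH + role)
    return json.loads(body) if status == 200 else None


def imdsv2_get_credentials(base_url):
    """The legitimate IMDSv2 flow: PUT for a token, then GETs carrying it."""
    _, tok = fetch(base_url + "/latest/api/token", "PUT", {TTL_HDR: "21600"})
    hdr = {TOKEN_HDR: tok}
    _, role = fetch(base_url + CRED_PATH, headers=hdr)
    _, body = fetch(base_url + CRED_PATH + role, headers=hdr)
    return json.loads(body)


def demo(require_token):
    """Run both clients against the mock in the given mode; returns (ssrf, legit)."""
    ImdsHandler.require_token = require_token
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_port
    try:
        return ssrf_get_credentials(base), imdsv2_get_credentials(base)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("IMDSv1 allowed :", demo(require_token=False))
    print("IMDSv2 required:", demo(require_token=True))
```

The real service adds two more hurdles the mock leaves out: the token PUT is rejected if the request carries an X-Forwarded-For header (so a proxied SSRF cannot mint one), and the default hop limit of 1 drops token responses that have to cross a container's network namespace. When an instance still runs with HttpTokens=optional, the first GET in ssrf_get_credentials is all an attacker needs.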
#A note on CVEs
Most of what the checklist above covers (public buckets, over-permissive IAM, reachable instance metadata, open security groups) is misconfiguration on the customer side of the shared-responsibility model, so it carries no CVE identifier; you will not find "exposed S3 bucket" or "leaked API key" in the NVD. The CVEs that matter on an AWS engagement belong to the software running on the instances, containers and functions, for example CVE-2021-3156 (the sudo "Baron Samedit" heap overflow, a local privilege escalation on Linux hosts including EC2 instances). Verify every identifier against its NVD entry before citing it in a report: CVE numbers circulated in AWS cheat sheets often belong to unrelated products (CVE-2020-10148 is the SolarWinds Orion API authentication bypass and CVE-2021-36740 is a Varnish HTTP/2 request-smuggling bug, neither of which concerns AWS).