AWS

WeirdAAL

Download the tool:

https://github.com/carnal0wnage/weirdAAL

Enumerate EC2 service information:

python3 weirdAAL.py -m enumeration.enum_ec2

Enumerate S3 buckets:

python3 weirdAAL.py -m enumeration.enum_s3

Enumerate IAM users:

python3 weirdAAL.py -m enumeration.enum_iam_users

Enumerate RDS information:

python3 weirdAAL.py -m enumeration.enum_rds

Scan for open Elasticsearch instances:

python3 weirdAAL.py -m enumeration.enum_elasticsearch

Metasploit

Enumerate EC2 information in AWS:

enumeration/ec2_instances

Enumerate S3 buckets:

enumeration/s3_buckets

Enumerate IAM users:

enumeration/iam_users

Enumerate RDS instances:

enumeration/rds_instances

Scan for open Elasticsearch instances:

enumeration/elasticsearch_instances

AWS CLI

List the instances in a region:

aws ec2 describe-instances

Create an EC2 instance:

aws ec2 run-instances --image-id ami-0c55b159cbfafe1f0 --count 1 --instance-type t2.micro --key-name my-key-pair --security-group-ids sg-903004f8 --subnet-id subnet-6e7f829e --associate-public-ip-address
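The describe-instances output above is only useful once something reads it. As an added example (not part of the original page or of any tool it lists), the script below takes the JSON that `aws ec2 describe-instances` and `aws ec2 describe-security-groups` emit and reports the running instances that both hold a public IP and carry a security group rule admitting any source (0.0.0.0/0 or ::/0), which is the combination the run-instances line above creates when --associate-public-ip-address is paired with a permissive group. The two JSON documents are constructed to match the CLI output shape; every instance id, address and group id in them is made up.

```python
import json

# Constructed sample in the shape `aws ec2 describe-instances` returns (values made up).
SAMPLE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
         "PublicIpAddress": "203.0.113.10",
         "SecurityGroups": [{"GroupId": "sg-open22", "GroupName": "ssh-anywhere"}]},
        {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
         "SecurityGroups": [{"GroupId": "sg-open22", "GroupName": "ssh-anywhere"}]},
        {"InstanceId": "i-0ccc333", "State": {"Name": "running"},
         "PublicIpAddress": "203.0.113.11",
         "SecurityGroups": [{"GroupId": "sg-internal", "GroupName": "vpc-only"}]},
        {"InstanceId": "i-0ddd444", "State": {"Name": "stopped"},
         "PublicIpAddress": "203.0.113.12",
         "SecurityGroups": [{"GroupId": "sg-all", "GroupName": "allow-all"}]},
    ]}]
})

# Constructed sample in the shape `aws ec2 describe-security-groups` returns.
SAMPLE_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-open22", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})

ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def open_to_world(groups_json):
    """Map GroupId -> sorted list of 'proto:from-to' rules whose source is any address."""
    result = {}
    for group in json.loads(groups_json)["SecurityGroups"]:
        rules = []
        for perm in group.get("IpPermissions", []):
            sources = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not sources & ANY_SOURCE:
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":  # "-1" means every protocol and every port
                rules.append("all")
            else:
                rules.append(f"{proto}:{perm['FromPort']}-{perm['ToPort']}")
        result[group["GroupId"]] = sorted(rules)
    return result


def exposed_instances(instances_json, groups_json):
    """Return {instance_id: (public_ip, [open rules])} for running instances that
    carry a public IP and at least one security group rule admitting any source."""
    world_rules = open_to_world(groups_json)
    exposed = {}
    for reservation in json.loads(instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue  # a stopped instance cannot receive traffic
            public_ip = inst.get("PublicIpAddress")
            if not public_ip:
                continue  # no public address: not reachable from the internet
            rules = []
            for sg in inst.get("SecurityGroups", []):
                rules.extend(world_rules.get(sg["GroupId"], []))
            if rules:
                exposed[inst["InstanceId"]] = (public_ip, sorted(set(rules)))
    return exposed


if __name__ == "__main__":
    for instance_id, (ip, rules) in exposed_instances(SAMPLE_INSTANCES, SAMPLE_GROUPS).items():
        print(f"{instance_id} {ip} open to the world on {', '.join(rules)}")
```

Against live data, feed it the output of `aws ec2 describe-instances` and `aws ec2 describe-security-groups` for one region at a time, since both commands are region-scoped; in the sample only i-0aaa111 is reported, because i-0bbb222 has no public address, i-0ccc333's group admits only a private range, and i-0ddd444 is stopped.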

Create an S3 bucket:

aws s3 mb s3://my-bucket-name

Check bucket permissions

Download the tool:

  • s3 buckets finder

https://github.com/gwen001/s3-buckets-finder

Usage: php s3-buckets-bruteforcer.php [OPTIONS] --bucket <bucket>

Options:
	--bucket	single bucket name or listing file
	--detect-region	Amazon only, try to automatically detect the region of the bucket
	--force-recurse	even if the bucket doesn't exist, the max-depth option will be applied (use this option at your own risk)
	--glue		characters used as a separator when concatenate all elements, default are: none, dash, dot and underscore
	-h, --help	print this help
	--list		do no perform any test, simply list the generated permutations
	--max-depth	max depth of recursion, if a bucket is found, another level will be added (permutations are applied), default=1, ex:
				if <bucket> is found then test <bucket>-xxx
				if <bucket>-xxx is found then test <bucket>-xxx-yyy
	--no-color	disable colored output
	--perform	tests to perform, default=esglw
				e: test if exist (always performed)
				s: set ACL
				g: get ACL
				l: list (cli and http)
				w: write
	--permut	permutation can be tested, default=0
				0: no permutation
				1: if both provided prefix and suffix are permuted (prefix.<bucket>.suffix, suffix.<bucket>.prefix)
				2: permutation applied only on the bucket name (a.b.c, b.c.a, ...)
				3: each elements will be separately permuted, then glogal permutation
	--prefix	single prefix or listing file
	--provider	can be: amazon, google, digitalocean
	--region	Amazon only, set the region (overwrite the option detect-region), value can be:
				us-east-1 us-east-2 us-west-1 us-west-2
				ap-south-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2
				eu-central-1 eu-west-1 eu-west-2
				ca-central-1 sa-east-1
	--suffix	single suffix or listing file
	--thread	max threads, default=5
	-v,--verbosity	set verbosity, default=0
				0: everything
				1: do not display not found
				2: display only permissions success
				3: display only set ACL and write permission success

Examples:
	php s3-buckets-bruteforcer.php --bucket gwen001-test002
	php s3-buckets-bruteforcer.php --bucket listing.txt --no-color --verbosity 1
	php s3-buckets-bruteforcer.php --bucket listing1.txt --bucket listing2.txt --bucket listing3.txt --perform e --thread 10
	php s3-buckets-bruteforcer.php --bucket listing.txt --prefix prefix.txt --suffix suffix1.txt --suffix2.txt --perform esw --thread 10
	php s3-buckets-bruteforcer.php --bucket listing.txt --region us-east-2 --rlevel 3
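The tool's --perform checks (set ACL, get ACL, list, write) probe a bucket from the outside. The owner of a bucket can answer the same questions from the inside by reading its ACL and policy. As an added example (not part of the original page or of the s3-buckets-finder project), the script below takes the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return and reports which of those operations an anonymous or any-AWS-account caller is granted. It goes a little beyond the tool by also reporting object reads (s3:GetObject) granted through the policy. The sample ACL and policy are constructed; the owner id, bucket name, account id and VPC id in them are made up. The mapping from bucket ACL permissions to operations (READ lists the bucket, WRITE creates objects, READ_ACP/WRITE_ACP read and change the ACL, FULL_CONTROL all of these) follows the AWS S3 ACL documentation.

```python
import fnmatch
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed sample in the shape `aws s3api get-bucket-acl` returns (ids made up).
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "owner-id-constructed"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-constructed"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ_ACP"},
    ],
})

# Constructed sample in the shape `aws s3api get-bucket-policy` returns: the policy
# document is delivered as a JSON string inside the "Policy" field.
SAMPLE_POLICY = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket-constructed/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket-constructed/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-constructed"}}},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket-constructed"},
    ],
})})

# Bucket ACL permission -> operations it grants (AWS S3 ACL semantics).
ACL_IMPLIES = {
    "FULL_CONTROL": {"list", "write", "get_acl", "set_acl"},
    "READ": {"list"}, "WRITE": {"write"}, "READ_ACP": {"get_acl"}, "WRITE_ACP": {"set_acl"},
}
# Policy action -> operation, matched against the (possibly wildcarded) policy actions.
POLICY_IMPLIES = {"s3:ListBucket": "list", "s3:GetObject": "read_objects", "s3:PutObject": "write",
                  "s3:GetBucketAcl": "get_acl", "s3:PutBucketAcl": "set_acl"}


def public_acl_grants(acl_json):
    """Return sorted (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    grants = []
    for grant in json.loads(acl_json)["Grants"]:
        grantee = grant["Grantee"]
        name = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and name:
            grants.append((name, grant["Permission"]))
    return sorted(grants)


def _is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_actions(policy_json):
    """Return sorted actions that unconditional Allow statements grant to everyone.
    Statements carrying a Condition are skipped: they are not open to the world as-is."""
    doc = json.loads(json.loads(policy_json)["Policy"])
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    actions = set()
    for st in statements:
        if st.get("Effect") != "Allow" or st.get("Condition") or not _is_everyone(st.get("Principal")):
            continue
        act = st.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return sorted(actions)


def bucket_exposure(acl_json, policy_json):
    """Combine ACL and policy into the operations an outsider may perform on the bucket."""
    checks = {k: False for k in ("list", "read_objects", "write", "get_acl", "set_acl")}
    for _, perm in public_acl_grants(acl_json):
        for op in ACL_IMPLIES[perm]:
            checks[op] = True
    for pattern in public_policy_actions(policy_json):
        for action, op in POLICY_IMPLIES.items():
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):  # handles s3:* and s3:Get*
                checks[op] = True
    return checks


if __name__ == "__main__":
    print(json.dumps(bucket_exposure(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

In the sample the ACL alone makes the bucket listable by anyone and its ACL readable by any AWS account, and the policy adds anonymous object reads; the PutObject statement is ignored because its aws:SourceVpc condition keeps it from being world-open. These grants are only effective when S3 Block Public Access is not enabled for the bucket or account, so pair this with `aws s3api get-public-access-block --bucket <bucket>` before concluding anything is actually reachable.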

Audit the security posture of AWS infrastructure:

python cs.py -env aws