AWS RECONNAISSANCE AND ENUMERATION GUIDE -PART 1

Nathaneal Meththananda
4 min read · Dec 23, 2022

In this article we focus on reconnaissance and enumeration of AWS services such as EC2 and S3. First we set up and configure the credentials of the AWS account we are going to test. Since this is part 1 I won't go very deep; later on I'll cover Lambda functions and serverless computing.

The Credentials given by the Client

Given Credentials

Next we have to import the credentials into your local machine so that we can continue the test without authenticating every single request. To start the engagement you need the AWS CLI installed on your machine, and then the tester uses the CLI to configure the credentials as follows.

Command: aws configure

Configuring the Credentials using the AWSCLI

Here we don't specify a default region, because from an attacker's perspective we want to find out whether the account has objects or other hidden files in regions other than the obvious one.

First we enumerate EC2 instances, which may contain data such as hardcoded credentials or other confidential resources that are very valuable to adversaries.

The following command gives us the available EC2 instances in a specific AWS region.

Command: aws ec2 describe-instances --region us-east-1

Lists the available instances with their details

Now we try changing the region to ‘ap-southeast-1’, but we don't get any instances back.

Next let's try to retrieve the instance's ‘userData’ by specifying that instance attribute together with the instance-id of the EC2 server.

Command: aws ec2 describe-instance-attribute --attribute userData --instance-id {ID of the instance} --region us-east-1

I change the region to ‘eu-west-2’ and run the same describe-instances command as before to list the instances available in that region.

Next I run the previous describe-instance-attribute command again, specifying ‘userData’ as the attribute, against the instance in the eu-west-2 region.

Base64 string found in the EC2 instance

In the picture above you can see that the tester was able to get a hidden base64-encoded message from the instance. The tester copied the base64 string to the clipboard and decoded it.
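The three manual steps above (pick a region, list instances, pull and decode userData) are what a reviewer of an account would want to repeat across every region rather than one guess at a time. The script below is an added example, not code from the original article: the `decode_userdata` and `extract_s3_refs` helpers work offline on a constructed base64 string (the encoding of `s3://my-bucket`, which stands in for the real value the article's describe-instance-attribute call returned), and `enumerate_userdata_all_regions` assumes the aws CLI is installed and configured with the credentials from `aws configure`.

```shell
#!/bin/sh
# Added example, not code from the original article. Decodes the base64
# userData an EC2 instance returns via describe-instance-attribute, pulls out
# any s3:// references from it, and (in --live mode, with the aws CLI and the
# credentials from `aws configure`) repeats the lookup across every enabled
# region instead of guessing regions one at a time.

# Decode one base64 userData value to plain text.
decode_userdata() {
    printf '%s' "$1" | base64 -d
}

# Print each distinct s3:// URI found in decoded user data, one per line.
extract_s3_refs() {
    printf '%s\n' "$1" | grep -oE 's3://[A-Za-z0-9._/-]+' | sort -u
}

# Live mode: walk every region and every instance, decoding each userData.
enumerate_userdata_all_regions() {
    command -v aws >/dev/null 2>&1 || { echo 'aws CLI not found' >&2; return 1; }
    for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
        for id in $(aws ec2 describe-instances --region "$region" \
                        --query 'Reservations[].Instances[].InstanceId' --output text); do
            b64=$(aws ec2 describe-instance-attribute --region "$region" --instance-id "$id" \
                      --attribute userData --query 'UserData.Value' --output text)
            [ "$b64" = "None" ] && continue      # instance has no user data
            echo "== $region $id =="
            decode_userdata "$b64"
            echo
        done
    done
}

# Constructed sample: base64 of "s3://my-bucket\n", standing in for the real
# userData value the article's describe-instance-attribute call returned.
SAMPLE_USERDATA='czM6Ly9teS1idWNrZXQK'

if [ "${1:-}" = "--live" ]; then
    enumerate_userdata_all_regions
else
    decoded=$(decode_userdata "$SAMPLE_USERDATA")
    echo "decoded user data: $decoded"
    echo "s3 references:"
    extract_s3_refs "$decoded"
fi
```

Run it with no arguments to see the offline decode, or with `--live` against a configured account; `--output text` prints `None` for instances without user data, which is why that value is skipped. Anything that decodes to credentials, bucket names or internal hostnames is a finding for the account owner, since user data is readable by anyone with `ec2:DescribeInstanceAttribute`.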

Decoded base64 string

From the results the tester found that there is an S3 bucket in a specific region. Now we can enumerate that S3 bucket and see what kinds of files and information we can find in it.

Command: aws s3 ls s3://developers-secret-bucket/dave-share-bucket/

Here the tester has specified not only the bucket name but also the S3 folder (prefix) in order to find hidden files, and we get a flag since this is based on a CTF challenge. There is also a way to list all the available S3 buckets using the AWS CLI.

Command: aws s3 ls

As you can see, the tester was able to get the full list of S3 buckets in the account we were given to test.

Now the tester tries to access and list files from each of the buckets we found.

Listing files from the buckets we found

From the results we can see that we don't get anything back from most of them, and some buckets show as not existing.
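Listing each bucket by hand gives the mixed picture described above (some listable, some denied, some reported as missing), so it helps to record the outcome per bucket. The script below is an added example, not code from the original article: `classify_s3_listing` turns an `aws s3 ls` exit status and its captured stderr into one label and is exercised offline on constructed results (only the `developers-secret-bucket` name comes from the article; the other bucket names and the error lines are constructed), while `audit_buckets` assumes the aws CLI and the credentials from `aws configure`.

```shell
#!/bin/sh
# Added example, not code from the original article. Lists every bucket the
# configured credentials can see and records, per bucket, whether a listing
# succeeded, was denied, or hit a bucket that no longer exists.

# Turn an `aws s3 ls` exit status and its captured stderr into one label.
classify_s3_listing() {
    status=$1
    stderr_text=$2
    if [ "$status" -eq 0 ]; then
        echo accessible
    elif printf '%s' "$stderr_text" | grep -q 'NoSuchBucket'; then
        echo missing          # name is still in the account but the bucket is gone
    elif printf '%s' "$stderr_text" | grep -q 'AccessDenied'; then
        echo denied           # s3:ListBucket not allowed for this identity
    elif [ -z "$stderr_text" ]; then
        echo empty            # non-zero exit with no error text: nothing matched
    else
        echo error            # anything else (region redirect, throttling, ...)
    fi
}

# Live mode: needs the aws CLI and the credentials set with `aws configure`.
audit_buckets() {
    command -v aws >/dev/null 2>&1 || { echo 'aws CLI not found' >&2; return 1; }
    for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
        # Capture stderr only; stdout (the object listing) is discarded here.
        err=$(aws s3 ls "s3://$bucket/" 2>&1 >/dev/null) && status=0 || status=$?
        printf '%-45s %s\n' "$bucket" "$(classify_s3_listing "$status" "$err")"
    done
}

# Offline demo on constructed results standing in for real `aws s3 ls` runs.
demo_bucket_audit() {
    printf '%-45s %s\n' 'developers-secret-bucket' \
        "$(classify_s3_listing 0 '')"
    printf '%-45s %s\n' 'old-logs-bucket' \
        "$(classify_s3_listing 254 'An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist')"
    printf '%-45s %s\n' 'finance-exports' \
        "$(classify_s3_listing 254 'An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied')"
}

if [ "${1:-}" = "--live" ]; then audit_buckets; else demo_bucket_audit; fi
```

A bucket that lists as `missing` while still appearing in `list-buckets` is worth flagging to the account owner on its own: a name that has been deleted but is still referenced somewhere can be re-registered by anyone, and the ownership check is part of the report rather than something to leave for the next tester.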

So this is the first part of my guide on AWS reconnaissance and enumeration. In future articles I'll cover Lambda functions and how to get Remote Code Execution from an EC2 instance too. I hope you learnt something and are excited for the future articles. Thank you.


Nathaneal Meththananda

19 years | Security Engineer | Malware Analyst | Penetration Tester | Sri Lankan