
AWS Reconnaissance from the outside
- Ts3c
- AWS , Cloud , Reconnaissance
- October 4, 2023
In this post I want to show you some possibilities for doing reconnaissance on AWS environments.
Compared with Azure, AWS is very strict when it comes to scanning from the outside. There is no simple API you can call to enumerate users the way you can in Azure. Without credentials you do not have any chance in AWS. So where can we find those credentials?
Leaks on Code Repositories
- Check for leaks in commit messages, source code or comments on the common code repositories like GitHub, GitLab etc.
- Check for password reuse or password leaks
- Check Applications hosted in the AWS environment
  - Local File Read
  - Server Side Request Forgery
- API Collection on Postman etc.
- Searching developer platforms with tools like git-hound
- Public EBS Snapshots
- Public RDS Snapshots
- Public AMIs
- Public S3
- Marketplace
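The first bullet, looking for leaked keys in commits and source, is what tools like git-hound and git-secrets automate. The scanner below is an added example written for this post, not code from the post or from those tools; it applies the documented AWS access key ID format (AKIA for long-lived user keys, ASIA for temporary STS keys, followed by 16 uppercase alphanumerics) and only flags a 40-character secret when it sits next to an aws_secret_access_key assignment, which keeps false positives down. The commit message, settings file and credentials file it scans are constructed samples that reuse the placeholder keys from the AWS documentation; the same check works as a pre-commit hook on a defender's own repositories.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Access key IDs: documented AWS prefixes plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A bare 40-char base64-like string is too generic to flag on its own, so the
# secret is only reported when it follows an aws_secret_access_key assignment
# (ini, env or code style). The lookahead avoids cutting a longer token short.
SECRET_KEY_RE = re.compile(
    r'''(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])'''
)


@dataclass
class Finding:
    source: str      # which file / message the token was found in
    line_no: int     # 1-based line within that source
    kind: str        # "access_key_id" or "secret_access_key"
    value: str       # the raw token (redact before logging!)


def scan_text(source: str, text: str) -> list[Finding]:
    """Return one Finding per credential-looking token in text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(source, line_no, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(source, line_no, "secret_access_key", m.group(1)))
    return findings


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Scan a mapping of source-name -> content (files, commit messages, ...)."""
    out: list[Finding] = []
    for name, text in sources.items():
        out.extend(scan_text(name, text))
    return out


def redact(value: str) -> str:
    """Keep just enough of a token to identify it in a report."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


# Constructed sample inputs. The key values are the placeholder credentials
# published in the AWS documentation, not real secrets.
SAMPLES = {
    "commit-message": "Fix nightly S3 sync: use AKIAIOSFODNN7EXAMPLE instead of the role\n",
    "app/settings.py": 'AWS_ACCESS_KEY_ID = "ASIAEXAMPLE123456789"\nBUCKET = "reports"\n',
    "~/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLES):
        print(f"{f.source}:{f.line_no}: {f.kind} {redact(f.value)}")
```

Running the block reports four findings: the key in the commit message, the temporary key in the settings file, and both halves of the credentials file. Rotate any key that shows up this way rather than just removing it from history, since the commit was already public.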
Check Applications hosted in AWS
Let’s go a little bit deeper into this bullet point. AWS is often used to host applications. Some of them are reachable from the internet, and in some cases anyone on the internet can access them. During reconnaissance it totally makes sense to have a look at these applications.
Cloud Server Side Request Forgery (SSRF)
A Server Side Request Forgery (SSRF) is a vulnerability in which the attacker makes the backend server issue requests it would not otherwise send, causing it to perform unintended actions.
The impact of SSRF against an AWS service like EC2 can be tremendous. EC2 has a metadata service which is accessible at http://169.254.169.254.
Exploiting an SSRF to reach the metadata service can lead to the loss of AWS credentials. Keep in mind that there are two different versions of this metadata endpoint. The first one (IMDSv1) can be accessed with a plain GET request, while for the second one (IMDSv2) you first have to request a token by sending a PUT request with an HTTP header; the received token is then sent in another HTTP header to access the metadata service.
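The defender's side of this: because IMDSv2 needs a PUT with a custom header and a second request carrying the token, a typical SSRF that can only steer a GET does not get credentials from an instance where IMDSv2 is required. The audit below is an added example, not code from the post; it reads the MetadataOptions block that describe_instances returns (field names as in the EC2 API) and flags instances that still allow IMDSv1 or that have a PUT response hop limit above 1, which lets the token response travel beyond the instance's own network stack. The response data and instance IDs are constructed samples; the remediation command in the comment uses the real AWS CLI flags.

```python
from __future__ import annotations

from dataclasses import dataclass

# Remediation for a flagged instance (real AWS CLI flags):
#   aws ec2 modify-instance-metadata-options --instance-id <id> \
#       --http-tokens required --http-put-response-hop-limit 1


@dataclass
class MetadataOptions:
    instance_id: str
    http_endpoint: str   # "enabled" or "disabled"
    http_tokens: str     # "optional" = IMDSv1 still allowed, "required" = IMDSv2 only
    hop_limit: int       # HttpPutResponseHopLimit for the token response


def assess(opts: MetadataOptions) -> list[str]:
    """Return the weaknesses found for one instance (empty list = fine)."""
    issues: list[str] = []
    if opts.http_endpoint == "disabled":
        return issues  # no metadata service at all: nothing for an SSRF to reach
    if opts.http_tokens != "required":
        issues.append("IMDSv1 allowed: a plain GET via SSRF can read the credentials")
    if opts.hop_limit > 1:
        issues.append(
            f"hop limit {opts.hop_limit}: IMDSv2 token responses can leave the "
            "instance (only raise it deliberately, e.g. for containers)"
        )
    return issues


def from_describe_instances(response: dict) -> list[MetadataOptions]:
    """Flatten the Reservations/Instances structure of a describe_instances response."""
    out: list[MetadataOptions] = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            mo = inst.get("MetadataOptions", {})
            out.append(MetadataOptions(
                instance_id=inst["InstanceId"],
                http_endpoint=mo.get("HttpEndpoint", "enabled"),
                http_tokens=mo.get("HttpTokens", "optional"),
                hop_limit=int(mo.get("HttpPutResponseHopLimit", 1)),
            ))
    return out


def audit(response: dict) -> dict[str, list[str]]:
    """Map instance ID -> list of issues for every instance in the response."""
    return {o.instance_id: assess(o) for o in from_describe_instances(response)}


# Constructed sample in the shape of a describe_instances response.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0000000000example1",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0000000000example2",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0000000000example3",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0000000000example4",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}

if __name__ == "__main__":
    for instance_id, issues in audit(SAMPLE_RESPONSE).items():
        print(instance_id, "OK" if not issues else "; ".join(issues))
```

In a real run you would feed the output of `aws ec2 describe-instances` (or boto3's describe_instances) into audit() instead of the sample. Requiring IMDSv2 does not fix the SSRF itself, but it removes the easiest credential theft path and buys time for the application-level fix.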
Local File Read
This one is very important if you are, for example, in a Red Team assessment. During such an assessment you should definitely try to check these files:
/home/USER/.aws/credentials
C:\Users\USER\.aws\credentials
Tools for Recon
- https://github.com/r1cksec/thoth
- https://github.com/internetwache/GitTools
- https://github.com/sa7mon/S3Scanner
- https://github.com/jordanpotti/AWSBucketDump
Resources
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security