diff --git a/SUMMARY.md b/SUMMARY.md index 37cbdeb23..5d752c8da 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -228,6 +228,7 @@ * [AWS - RDS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md) * [AWS - S3 Post Exploitation](pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-s3-post-exploitation.md) * [AWS - Secrets Manager Post Exploitation](pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-secrets-manager-post-exploitation.md) + * [AWS - SES Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md) * [AWS - SNS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md) * [AWS - SQS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md) * [AWS - SSO & identitystore Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md) @@ -326,6 +327,7 @@ * [AWS - Relational Database (RDS) Enum](pentesting-cloud/aws-security/aws-services/aws-databases/aws-relational-database-rds-enum.md) * [AWS - Route53 Enum](pentesting-cloud/aws-security/aws-services/aws-route53-enum.md) * [AWS - Secrets Manager Enum](pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md) + * [AWS - SES Enum](pentesting-cloud/aws-security/aws-services/aws-ses-enum.md) * [AWS - SNS Enum](pentesting-cloud/aws-security/aws-services/aws-sns-enum.md) * [AWS - SQS Enum](pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md) * [AWS - S3, Athena & Glacier Enum](pentesting-cloud/aws-pentesting/aws-services/aws-s3-athena-and-glacier-enum.md) diff --git a/pentesting-cloud/aws-pentesting/aws-services/aws-organizations-enum.md b/pentesting-cloud/aws-pentesting/aws-services/aws-organizations-enum.md index 44d6e94b1..ac5fe0a62 100644 --- a/pentesting-cloud/aws-pentesting/aws-services/aws-organizations-enum.md 
+++ b/pentesting-cloud/aws-pentesting/aws-services/aws-organizations-enum.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
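Review bot: The replacement footer line escapes the underscore inside the link destination as well as in the link text: `(https://twitter.com/hacktricks\_live)`. Escaping `_` in the visible text `@hacktricks\_live` is harmless, but the URL does not need it, and a renderer that does not process backslash escapes in destinations will link to the wrong handle. The same one-line change repeats in every footer this patch touches, so it looks like formatter output; consider keeping the escape in the link text only, or excluding the footer from the formatter so the diff stays limited to the SES additions.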
@@ -19,10 +19,11 @@ Other ways to support HackTricks: AWS Organizations facilitates the creation of new AWS accounts without incurring additional costs. Resources can be allocated effortlessly, accounts can be efficiently grouped, and governance policies can be applied to individual accounts or groups, enhancing management and control within the organization. Key Points: -- **New Account Creation**: AWS Organizations allows the creation of new AWS accounts without extra charges. -- **Resource Allocation**: It simplifies the process of allocating resources across the accounts. -- **Account Grouping**: Accounts can be grouped together, making management more streamlined. -- **Governance Policies**: Policies can be applied to accounts or groups of accounts, ensuring compliance and governance across the organization. + +* **New Account Creation**: AWS Organizations allows the creation of new AWS accounts without extra charges. +* **Resource Allocation**: It simplifies the process of allocating resources across the accounts. +* **Account Grouping**: Accounts can be grouped together, making management more streamlined. +* **Governance Policies**: Policies can be applied to accounts or groups of accounts, ensuring compliance and governance across the organization. You can find more information in: @@ -51,7 +52,8 @@ aws organizations list-accounts-for-parent --parent-id ou-n8s9-8nzv3a5y aws iam get-account-summary ``` -# References +## References + * https://aws.amazon.com/organizations/
@@ -63,7 +65,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md new file mode 100644 index 000000000..faaf5f366 --- /dev/null +++ b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md @@ -0,0 +1,115 @@ +# AWS - SES Post Exploitation + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## SES + +For more information check: + +{% content-ref url="../aws-services/aws-ses-enum.md" %} +[aws-ses-enum.md](../aws-services/aws-ses-enum.md) +{% endcontent-ref %} + +### `ses:SendEmail` + +Send an email. + +{% code overflow="wrap" %} +```bash +aws ses send-email --from sender@example.com --destination file://emails.json --message file://message.json +aws sesv2 send-email --from sender@example.com --destination file://emails.json --message file://message.json +``` +{% endcode %} + +Still to test. + +### `ses:SendRawEmail` + +Send an email. + +```bash +aws ses send-raw-email --raw-message file://message.json +``` + +Still to test. + +### `ses:SendTemplatedEmail` + +Send an email based on a template. + +{% code overflow="wrap" %} +```bash +aws ses send-templated-email --source --destination --template +``` +{% endcode %} + +Still to test. + +### `ses:SendBulkTemplatedEmail` + +Send an email to multiple destinations + +```bash +aws ses send-bulk-templated-email --source --template +``` + +Still to test. + +### `ses:SendBulkEmail` + +Send an email to multiple destinations. + +``` +aws sesv2 send-bulk-email --default-content --bulk-email-entries +``` + +### `ses:SendBounce` + +Send a **bounce email** over a received email (indicating that the email couldn't be received). This can only be done **up to 24h after receiving** the email. + +{% code overflow="wrap" %} +```bash +aws ses send-bounce --original-message-id --bounce-sender --bounced-recipient-info-list +``` +{% endcode %} + +Still to test. + +### `ses:SendCustomVerificationEmail` + +This will send a customized verification email. You might need permissions also to created the template email. + +{% code overflow="wrap" %} +```bash +aws ses send-custom-verification-email --email-address --template-name +aws sesv2 send-custom-verification-email --email-address --template-name +``` +{% endcode %} + +Still to test. + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
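Review bot: In the `ses:SendEmail` block of the new aws-ses-post-exploitation.md, the second command, `aws sesv2 send-email --from sender@example.com --destination file://emails.json --message file://message.json`, reuses the v1 flags; the sesv2 command takes `--from-email-address` and `--content` instead of `--from` and `--message`, so that line fails as written. Several other commands list flags with no values (`--source --destination --template`, `--default-content --bulk-email-entries`), and `send-templated-email` also requires `--template-data`; please add placeholder values so each line can be copied and adapted. Smaller points in the same file: the `ses:SendBulkEmail` fence has no `bash` tag and is the only section without the "Still to test." marker, the `ses:SendBulkTemplatedEmail` description is missing its full stop, and "permissions also to created the template email" should read "create". Since every section is marked "Still to test.", it would help to run each command once before merging and drop the marker where it works.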
diff --git a/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md b/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md index 1578819e7..eb4f4d06f 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. @@ -78,7 +78,8 @@ In the following page you can check how to **abuse codestar permissions to escal [aws-codestar-privesc](../aws-privilege-escalation/aws-codestar-privesc/) {% endcontent-ref %} -# References +## References + * [https://docs.aws.amazon.com/cloudformation/](https://docs.aws.amazon.com/cloudformation/)
@@ -90,7 +91,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md b/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md index c1ab9ed08..52131d291 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. @@ -73,6 +73,7 @@ Overall, the high level of security provided by HSMs makes it **very difficult t ### Enumeration ``` +TODO ```
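Review bot: The added `TODO` in the `### Enumeration` section of aws-cloudhsm-enum.md sits inside an untagged code fence, so the page renders a code block whose only content is the word "TODO". Either fill in the enumeration commands, or move the marker out of the fence as a prose line (or drop the empty section) so readers do not take it for command output.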
@@ -84,7 +85,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md b/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md index ce4878d34..5e4943309 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md @@ -1,5 +1,7 @@ # AWS - Codebuild Enum +## AWS - Codebuild Enum +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! @@ -9,7 +11,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
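Review bot: The first hunk of aws-codebuild-enum.md adds `## AWS - Codebuild Enum` directly under the existing `# AWS - Codebuild Enum`, which duplicates the page title as an h2 and adds a redundant entry to the table of contents. None of the other service pages in this patch gain such a heading, so this looks like an editor export artifact; suggest removing the added line.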
@@ -24,7 +26,6 @@ AWS **CodeBuild** is recognized as a **fully managed continuous integration serv AWS CodeBuild seamlessly integrates with other AWS services, enhancing the CI/CD (Continuous Integration/Continuous Deployment) pipeline's efficiency and reliability. - ### Enumeration ```bash @@ -68,7 +69,8 @@ In the following page, you can check how to **abuse codebuild permissions to esc [aws-codebuild-unauthenticated-access.md](../aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md) {% endcontent-ref %} -# References +## References + * [https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html](https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html)
@@ -80,7 +82,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-services/aws-databases/aws-documentdb-enum.md b/pentesting-cloud/aws-security/aws-services/aws-databases/aws-documentdb-enum.md index 335d3449c..8c3928695 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-databases/aws-documentdb-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-databases/aws-documentdb-enum.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. @@ -45,7 +45,8 @@ As DocumentDB is a MongoDB compatible database, you can imagine it's also vulner [aws-documentdb-enum.md](../../aws-unauthenticated-enum-access/aws-documentdb-enum.md) {% endcontent-ref %} -# References +## References + * [https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/](https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/)
@@ -57,7 +58,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md b/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md index f51efeafe..1c53da72a 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md +++ b/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md @@ -1,4 +1,4 @@ -# AWS - DataPipeline, CodePipeline, CodeBuild & CodeCommit Enum +# AWS - DataPipeline, CodePipeline & CodeCommit Enum
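Review bot: The title change drops "CodeBuild", but the file is still named `aws-datapipeline-codepipeline-codebuild-and-codecommit.md` and the SUMMARY.md hunks in this patch do not touch its entry, so the path and any existing links now disagree with the heading. If CodeBuild has moved to its own page (aws-codebuild-enum.md is edited in this same patch), consider renaming the file and updating SUMMARY.md in the same commit, or say in the commit message that the old path is kept on purpose.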
@@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
@@ -21,10 +21,10 @@ AWS Data Pipeline is designed to facilitate the **access, transformation, and ef 1. **Access Your Data Where It’s Stored**: Data residing in various AWS services can be accessed seamlessly. 2. **Transform and Process at Scale**: Large-scale data processing and transformation tasks are handled efficiently. 3. **Efficiently Transfer Results**: The processed data can be efficiently transferred to multiple AWS services including: - - Amazon S3 - - Amazon RDS - - Amazon DynamoDB - - Amazon EMR + * Amazon S3 + * Amazon RDS + * Amazon DynamoDB + * Amazon EMR In essence, AWS Data Pipeline streamlines the movement and processing of data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals. @@ -108,7 +108,8 @@ ssh-keygen -f .ssh/id_rsa -l -E md5 git clone ssh://@git-codecommit..amazonaws.com/v1/repos/ ``` -# References +## References + * [https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html](https://docs.aws.amazon.com/whitepapers/latest/aws-overview/analytics.html)
@@ -120,7 +121,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md b/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md index 7699cdf3d..be2f627d6 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md +++ b/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. @@ -214,8 +214,8 @@ In the following page you can check how to **abuse SSM permissions to escalate p Techniques like SSM message interception can be found in the SSM post-exploitation page: -{% content-ref url="broken-reference" %} -[Broken link](broken-reference) +{% content-ref url="broken-reference/" %} +[broken-reference](broken-reference/) {% endcontent-ref %} ## ELB 
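Review bot: In the last hunk of this README.md section, the content-ref is changed from `url="broken-reference"` to `url="broken-reference/"` with link text `[broken-reference]`, which still does not resolve. The context line above it says the target is the SSM post-exploitation page, so the reference should point at that page's real path; as written the hunk only rewrites the placeholder and the reader still lands on a dead link.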
@@ -260,7 +260,7 @@ aws autoscaling describe-load-balancers A VPN allows to connect your **on-premise network (site-to-site VPN)** or the **workers laptops (Client VPN)** with a **AWS VPC** so services can accessed without needing to expose them to the internet. -### Basic AWS VPN Components +#### Basic AWS VPN Components 1. **Customer Gateway**: * A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection. @@ -283,9 +283,7 @@ A VPN allows to connect your **on-premise network (site-to-site VPN)** or the ** * It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks. * With Client VPN, each client device uses a VPN client software to establish a secure connection. -You can [**find more information about the benefits and components of AWS VPNs here**](../../../aws-pentesting/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md#vpn). - -Post E +You can [**find more information about the benefits and components of AWS VPNs here**](../../../aws-pentesting/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md#vpn). ### Enumeration 
@@ -315,23 +313,24 @@ aws ec2 describe-vpn-connections ### Local Enumeration -#### Local Temporary Credentials +**Local Temporary Credentials** When AWS VPN Client is used to connect to a VPN, the user will usually **login in AWS** to get access to the VPN. Then, some **AWS credentials are created and stored** locally to establish the VPN connection. These credentials are **stored in** `$HOME/.config/AWSVPNClient/TemporaryCredentials//temporary-credentials.txt` and contains an **AccessKey**, a **SecretKey** and a **Token**. The credentials belong to the user `arn:aws:sts:::assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials` (TODO: research more about the permissions of this credentials). -#### opvn config files +**opvn config files** If a **VPN connection was stablished** you should search for **`.opvn`** config files in the system. Moreover, one place where you could find the **configurations** is in **`$HOME/.config/AWSVPNClient/OpenVpnConfigs`** -### **Post Exploitaiton** +#### **Post Exploitaiton** {% content-ref url="../../aws-post-exploitation/aws-vpn-post-exploitation.md" %} [aws-vpn-post-exploitation.md](../../aws-post-exploitation/aws-vpn-post-exploitation.md) {% endcontent-ref %} -# References +## References + * [https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html)
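Review bot: This hunk rewrites the "Local Enumeration" headings but carries the existing typos along: `**opvn config files**` and `.opvn` should be "ovpn" / `.ovpn`, "stablished" should be "established", and `#### **Post Exploitaiton**` should be "Post Exploitation". Two structural points as well: turning `#### Local Temporary Credentials` and `#### opvn config files` into bold paragraphs removes their heading anchors, so any deep links to them stop working, and demoting "Post Exploitation" from `###` to `####` nests it under `### Local Enumeration` even though it is a sibling topic. Suggest keeping the original heading levels and fixing the spelling while the lines are being touched.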
@@ -343,7 +342,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md b/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md index 7a8f28603..d4a7edbb0 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. @@ -25,8 +25,7 @@ Key aspects of Amazon EKS include: 3. **Scalability and Security**: Amazon EKS is designed to be highly available and secure, providing features such as automatic scaling and isolation by design. 4. **Compatibility with Kubernetes**: Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment. - -### Enumeration +#### Enumeration ```bash aws eks list-clusters 
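Review bot: The last hunk here demotes `### Enumeration` to `#### Enumeration` in aws-eks-enum.md (the next hunk does the same for "Post Exploitation"), while the CloudHSM and CodeBuild pages touched by this patch keep `### Enumeration`. No `###` parent is visible in the surrounding context, so the page appears to jump heading levels and is inconsistent with its sibling pages; suggest leaving both headings at `###`.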
@@ -46,13 +45,14 @@ aws eks list-updates --name aws eks describe-update --name --update-id ``` -### Post Exploitation +#### Post Exploitation {% content-ref url="../aws-post-exploitation/aws-eks-post-exploitation.md" %} [aws-eks-post-exploitation.md](../aws-post-exploitation/aws-eks-post-exploitation.md) {% endcontent-ref %} -# References +## References + * [https://aws.amazon.com/eks/](https://aws.amazon.com/eks/)
@@ -64,7 +64,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md b/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md index adb64daa0..a4f3c4d1d 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -20,38 +20,33 @@ AWS's Elastic MapReduce (EMR) service, starting from version 4.8.0, introduced a Key characteristics include: -- **Cluster Encryption Default**: By default, data at rest within a cluster is not encrypted. However, enabling encryption provides access to several features: - - **Linux Unified Key Setup**: Encrypts EBS cluster volumes. Users can opt for AWS Key Management Service (KMS) or a custom key provider. - - **Open-Source HDFS Encryption**: Offers two encryption options for Hadoop: - - Secure Hadoop RPC (Remote Procedure Call), set to privacy, leveraging the Simple Authentication Security Layer. - - HDFS Block transfer encryption, set to true, utilizes the AES-256 algorithm. - -- **Encryption in Transit**: Focuses on securing data during transfer. Options include: - - **Open Source Transport Layer Security (TLS)**: Encryption can be enabled by choosing a certificate provider: - - **PEM**: Requires manual creation and bundling of PEM certificates into a zip file, referenced from an S3 bucket. - - **Custom**: Involves adding a custom Java class as a certificate provider that supplies encryption artifacts. +* **Cluster Encryption Default**: By default, data at rest within a cluster is not encrypted. However, enabling encryption provides access to several features: + * **Linux Unified Key Setup**: Encrypts EBS cluster volumes. Users can opt for AWS Key Management Service (KMS) or a custom key provider. + * **Open-Source HDFS Encryption**: Offers two encryption options for Hadoop: + * Secure Hadoop RPC (Remote Procedure Call), set to privacy, leveraging the Simple Authentication Security Layer. + * HDFS Block transfer encryption, set to true, utilizes the AES-256 algorithm. +* **Encryption in Transit**: Focuses on securing data during transfer. 
Options include: + * **Open Source Transport Layer Security (TLS)**: Encryption can be enabled by choosing a certificate provider: + * **PEM**: Requires manual creation and bundling of PEM certificates into a zip file, referenced from an S3 bucket. + * **Custom**: Involves adding a custom Java class as a certificate provider that supplies encryption artifacts. Once a TLS certificate provider is integrated into the security configuration, the following application-specific encryption features can be activated, varying based on the EMR version: -- **Hadoop**: - - Might reduce encrypted shuffle using TLS. - - Secure Hadoop RPC with Simple Authentication Security Layer and HDFS Block Transfer with AES-256 are activated with at-rest encryption. - -- **Presto** (EMR version 5.6.0+): - - Internal communication between Presto nodes is secured using SSL and TLS. - -- **Tez Shuffle Handler**: - - Utilizes TLS for encryption. - -- **Spark**: - - Employs TLS for the Akka protocol. - - Uses Simple Authentication Security Layer and 3DES for Block Transfer Service. - - External shuffle service is secured with the Simple Authentication Security Layer. +* **Hadoop**: + * Might reduce encrypted shuffle using TLS. + * Secure Hadoop RPC with Simple Authentication Security Layer and HDFS Block Transfer with AES-256 are activated with at-rest encryption. +* **Presto** (EMR version 5.6.0+): + * Internal communication between Presto nodes is secured using SSL and TLS. +* **Tez Shuffle Handler**: + * Utilizes TLS for encryption. +* **Spark**: + * Employs TLS for the Akka protocol. + * Uses Simple Authentication Security Layer and 3DES for Block Transfer Service. + * External shuffle service is secured with the Simple Authentication Security Layer. These features collectively enhance the security posture of EMR clusters, especially concerning data protection during storage and transmission phases. - -### Enumeration +#### Enumeration ```bash aws emr list-clusters 
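Review bot: In the **Hadoop** bullet, `Might reduce encrypted shuffle using TLS` is carried over with only the list marker changed, and it reads like a garbled "MapReduce Encrypted Shuffle uses TLS". Since this hunk rewrites the line anyway, correct the wording here rather than preserving it under the new `*` marker.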
@@ -64,13 +59,14 @@ aws emr list-security-configurations aws emr list-studios #Get studio URLs ``` -### Privesc +#### Privesc {% content-ref url="../aws-privilege-escalation/aws-emr-privesc.md" %} [aws-emr-privesc.md](../aws-privilege-escalation/aws-emr-privesc.md) {% endcontent-ref %} -# References +## References + * [https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/](https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/)
@@ -82,7 +78,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md index 8ed49da95..0416f90ff 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md @@ -1,46 +1,2 @@ # AWS - Security & Detection Services -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- -In this page you can find information about several **security related products inside AWS environment**: - -* [**CloudTrail**](aws-cloudtrail-enum.md) -* [**CloudWatch**](aws-cloudwatch-enum.md) -* ****[**Config**](aws-config-enum.md)**** -* ****[**Control Tower**](../../../aws-pentesting/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md)**** -* [**Cost Explorer**](aws-cost-explorer-enum.md) -* [**Detective**](aws-detective-enum.md) -* [**Firewall Manager**](aws-firewall-manager-enum.md) -* [**GuardDuty**](aws-guardduty-enum.md) -* [**Inspector**](aws-inspector-enum.md) -* [**Macie**](aws-macie-enum.md) -* [**Security Hub**](aws-security-hub-enum.md) -* [**Shield**](aws-shield-enum.md) -* [**Trusted Advisor**](aws-trusted-advisor-enum.md) -* [**WAF**](aws-waf-enum.md) - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
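Review bot: The service index (`* [**CloudTrail**](aws-cloudtrail-enum.md)` through `* [**WAF**](aws-waf-enum.md)`) is removed together with the two support banners, which looks unintended. After this hunk the README is only the `# AWS - Security & Detection Services` heading, so the section landing page no longer links to any of the detection-service pages. If the goal was to strip the banner, keep the intro sentence and the list. If the list is restored, the `****[**Config**]...****` and `****[**Control Tower**]...****` entries have doubled bold markers, and the Control Tower link points into `aws-pentesting/` while its siblings are relative to `aws-security/`.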
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md index 3246e5318..7a8972591 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. @@ -26,7 +26,7 @@ A **rule group** (a collection of WAF rules) can be incorporated into an AWS Fir It's important to note that **Firewall Manager policies permit only "Block" or "Count" actions** for a rule group, without an "Allow" option. -## Enumeration +### Enumeration ``` # Get admin account 
@@ -54,11 +54,12 @@ aws fms get-admin-scope --admin-account # ReadOnly policy is not enough aws fms list-admin-accounts-for-organization # ReadOnly policy is not enough for this ``` -## Bypass Detection +### Bypass Detection TODO, PRs accepted -# References +## References + * [https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html)
@@ -70,7 +71,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md b/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md new file mode 100644 index 000000000..f4067316f --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md @@ -0,0 +1,154 @@ +# AWS - SES Enum + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## Basic Information + +Amazon Simple Email Service (Amazon SES) is designed for **sending and receiving emails**. It enables users to send transactional, marketing, or notification emails efficiently and securely at scale. It **integrates well with other AWS services**, providing a robust solution for managing email communications for businesses of all sizes. + +You need to register **identities**, which can be domains or emails addresses that will be able to interact with SES (e.g. send and receive emails). + +### SMTP User + +It's possible to connect to a **SMTP server of AWS to perform actions** instead of using the AWS API (or in addition). For this you need to create a user with a policy such as: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "ses:SendRawEmail", + "Resource": "*" + } + ] +} +``` + +Then, gather the **API key and secret** of the user and run: + +```bash +git clone https://github.com/lisenet/ses-smtp-converter.git +cd ./ses-smtp-converter +chmod u+x ./ses-smtp-conv.sh +./ses-smtp-conv.sh +``` + +It's also possible to do this from the AWS console web. + +### Enumeration + +{% hint style="warning" %} +Note that SES has 2 APIs: **`ses`** and **`sesv2`**. Some actions are in both APIs and others are just in one of the two. 
+{% endhint %} + +{% code overflow="wrap" %} +```bash +# Get info about the SES account +aws sesv2 get-account +aws ses get-account-sending-enabled # Check if enabled + +# Get registered domains and email addresses (identities) +aws ses list-identities +aws sesv2 list-email-identities +aws sesv2 get-email-identity --email-identity #Get at once all the attributes + +# Get Resource Policies applied in the identity +aws ses list-identity-policies --identity +aws ses get-identity-policies --identity --policy-names +aws sesv2 get-email-identity-policies --email-identity + +# Get attributes of the identity +## Check if verified +aws ses get-identity-verification-attributes --identities +## DKIM settings, relevant for identities that are domains not emails +aws ses get-identity-dkim-attributes --identities +## Get what happnes if the send mail from the identity fails +aws ses get-identity-mail-from-domain-attributes --identities +## otifications attributes +aws ses get-identity-notification-attributes --identities + +# Get email templates +aws ses list-templates +aws ses get-template --template-name +aws sesv2 list-email-templates +aws sesv2 get-email-template --template-name + +# Get custom verification email templates +## This is the email sent when an identity is verified, it can be customized +aws ses list-custom-verification-email-templates +aws sesv2 list-custom-verification-email-templates +aws ses get-custom-verification-email-template --template-name +aws sesv2 get-custom-verification-email-template --template-name + +# Get receipt rule sets +## Receipt rules indicate how to handle incoming mail by executing an ordered list of actions +aws ses list-receipt-rule-sets +aws ses describe-receipt-rule-set --rule-set-name +aws ses describe-receipt-rule-set --rule-set-name --rule-name +## Metadata and receipt rules for the receipt rule set that is currently active +aws ses describe-active-receipt-rule-set + +# Get suppressed destinations +aws sesv2 
list-suppressed-destinations +aws sesv2 get-suppressed-destination --email-address + +# Get configuration sets +## These are set of rules applied to the identities related to the configuration set +aws ses list-configuration-sets +aws sesv2 list-configuration-sets +aws ses describe-configuration-set --configuration-set-name --configuration-set-attribute-names eventDestinations trackingOptions deliveryOptions reputationOptions +aws sesv2 get-configuration-set --configuration-set-name +aws sesv2 get-configuration-set-event-destinations --configuration-set-name + +# Get Contacts list +aws sesv2 list-contact-lists +aws sesv2 list-contacts --contact-list-name +aws sesv2 get-contact-list --contact-list-name +aws sesv2 get-contact --contact-list-name --email-address + +# Private IPs +aws sesv2 list-dedicated-ip-pools +aws sesv2 get-dedicated-ip-pool --pool-name +aws sesv2 get-dedicated-ips --pool-name #Only valid if ScalingMode is Standard +aws sesv2 get-dedicated-ip --ip + +# Misc +## Get send quota +aws ses get-send-quota +## Get statistics +aws ses get-send-statistics +``` +{% endcode %} + +### Post Exploitation + +{% content-ref url="../aws-post-exploitation/aws-ses-post-exploitation.md" %} +[aws-ses-post-exploitation.md](../aws-post-exploitation/aws-ses-post-exploitation.md) +{% endcontent-ref %} + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
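Review bot: In the receipt rule section of the enumeration block, `aws ses describe-receipt-rule-set --rule-set-name --rule-name` passes `--rule-name` to the rule-set call, which does not take it. The per-rule lookup is `aws ses describe-receipt-rule --rule-set-name --rule-name`. In the same block, fix the comment typos `happnes` and `## otifications attributes`, and relabel `# Private IPs`, which sits over the dedicated IP commands (`list-dedicated-ip-pools`, `get-dedicated-ips`). In Basic Information, "emails addresses" should be "email addresses". The options `--identity`, `--email-identity`, `--template-name` and similar appear here with no value after them, so confirm the placeholders are present in the committed file. In the SMTP User section, `./ses-smtp-conv.sh` is shown without arguments right after "gather the API key and secret"; say what input the script expects.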
diff --git a/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md index c886399f7..adf7f0de3 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -20,7 +20,6 @@ Amazon Simple Notification Service (Amazon SNS) is described as a **fully manage Key features for A2A communication include **publish/subscribe (pub/sub) mechanisms**. These mechanisms introduce **topics**, crucial for enabling high-throughput, **push-based, many-to-many messaging**. This feature is highly advantageous in scenarios that involve distributed systems, microservices, and event-driven serverless architectures. By leveraging these topics, publisher systems can efficiently distribute messages to a **wide range of subscriber systems**, facilitating a fanout messaging pattern. - ### **Difference with SQS** **SQS** is a **queue-based** service that allows point-to-point communication, ensuring that messages are processed by a **single consumer**. It offers **at-least-once delivery**, supports standard and FIFO queues, and allows message retention for retries and delayed processing.\ 
@@ -62,31 +61,32 @@ Note that if the **topic is of type FIFO**, only subscribers using the protocol Also, even if the `--topic-arn` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region. {% endhint %} -### Unauthenticated Access +#### Unauthenticated Access {% content-ref url="../aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md" %} [aws-sns-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md) {% endcontent-ref %} -### Privilege Escalation +#### Privilege Escalation {% content-ref url="../aws-privilege-escalation/aws-sns-privesc.md" %} [aws-sns-privesc.md](../aws-privilege-escalation/aws-sns-privesc.md) {% endcontent-ref %} -### Post Exploitation +#### Post Exploitation {% content-ref url="../aws-post-exploitation/aws-sns-post-exploitation.md" %} [aws-sns-post-exploitation.md](../aws-post-exploitation/aws-sns-post-exploitation.md) {% endcontent-ref %} -### Persistence +#### Persistence {% content-ref url="../aws-persistence/aws-sns-persistence.md" %} [aws-sns-persistence.md](../aws-persistence/aws-sns-persistence.md) {% endcontent-ref %} -# References +## References + * [https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/](https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/)
@@ -98,7 +98,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
diff --git a/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md index c1ff0eae0..27979fb64 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md @@ -9,7 +9,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. 
@@ -18,7 +18,6 @@ Other ways to support HackTricks: Amazon Simple Queue Service (SQS) is presented as a **fully managed message queuing service**. Its main function is to assist in the scaling and decoupling of microservices, distributed systems, and serverless applications. The service is designed to remove the need for managing and operating message-oriented middleware, which can often be complex and resource-intensive. This elimination of complexity allows developers to direct their efforts towards more innovative and differentiating aspects of their work. - ### Enumeration ```bash @@ -36,32 +35,33 @@ aws sqs send-message --queue-url --message-body Also, even if the `--queue-url` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region. {% endhint %} -### Unauthenticated Access +#### Unauthenticated Access {% content-ref url="../aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md" %} [aws-sqs-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md) {% endcontent-ref %} -### Privilege Escalation +#### Privilege Escalation {% content-ref url="../aws-privilege-escalation/aws-sqs-privesc.md" %} [aws-sqs-privesc.md](../aws-privilege-escalation/aws-sqs-privesc.md) {% endcontent-ref %} -### Post Exploitation +#### Post Exploitation {% content-ref url="../aws-post-exploitation/aws-sqs-post-exploitation.md" %} [aws-sqs-post-exploitation.md](../aws-post-exploitation/aws-sqs-post-exploitation.md) {% endcontent-ref %} -### Persistence +#### Persistence {% content-ref url="../aws-persistence/aws-sqs-persistence.md" %} [aws-sqs-persistence.md](../aws-persistence/aws-sqs-persistence.md) {% endcontent-ref %} -# References -* https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_sqs/README.html +## References + +* https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html
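Review bot: `### Enumeration` stays at level 3 (it is only context in the previous hunk) while `Unauthenticated Access`, `Privilege Escalation`, `Post Exploitation` and `Persistence` drop to `####`, so all four now render as subsections of Enumeration. In the EKS and EMR files of this same patch, `Enumeration` itself was moved to `####`. Pick one heading scheme and apply it across the service pages. In References, the new entry `* https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html` is a bare URL with escaped underscores; write it in the `[url](url)` form the other References lists use so the target does not depend on how the renderer treats the backslashes.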
@@ -72,7 +72,7 @@ Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
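Review bot: The `\_` escape inside the link destination `(https://twitter.com/hacktricks\_live)` is not needed, since an underscore in a URL carries no emphasis meaning; escaping the link text `@hacktricks\_live` alone would be enough. This one-character change is repeated in the banner of every file in the patch and looks like editor output, so consider landing it as a separate formatting commit to keep the SES additions easy to review.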