AWS Enum

I created a simple, quick recon checklist for AWS environments for post-exploitation.

Table of Contents

  • Identity and Access Management (IAM)
  • Amazon Elastic Compute Cloud (EC2)
  • Simple Storage Service (S3)

IAM

To be added soon.

Amazon Elastic Compute Cloud (EC2)

EC2 allows users to launch and manage virtual servers, known as instances, which can be configured with various combinations of CPU, memory, storage, and networking resources.

Identify Running Instances

aws ec2 describe-instances   
aws ec2 describe-instances --region <>   


cloudfox aws  instances
cloudfox aws  inventory
cloudfox aws  -v2 inventory

[pacu]
run ec2__enum --regions us-east-1

Identify Public IP Address

aws ec2 describe-instances --instance-ids <id> --query 'Reservations[*].Instances[*].PublicIpAddress' --output text   

[pacu]
run ec2__enum --regions us-east-1

After running the pacu module, the public IP addresses are written to a loot file:
┌──(root㉿0xmr)-[/home/0xmr/www/python]
└─# cat ~/.local/share/pacu/ec2/downloads/ec2_public_ips_ec2_us-east-1.txt
98.86.111.1x1
54.175.69.2x5

Extract User Meta-Data

cloudfox aws instances
cloudfox aws instances --userdata

The loot is written to a file:
cat /root/.cloudfox/cloudfox-output/aws/703671921227/loot/instance-userdata.txt

Simple Storage Service (S3 Buckets)

Think of it like FTP (FTP == S3).

  • Usage: hosting a static website, backups, logs, etc.
  • Buckets:
    • They are top-level containers.
    • Each bucket has a unique name.

Identify S3 Buckets

Using nslookup

# Grab IP from the Result
nslookup $Host

# Put IP here
nslookup $Ip

Using Curl

# Check the response headers
curl -I http://$Host
# or
curl -I https://$Host

Tools

echo $IP | ip2cloud

python3 ./ip2provider.py $IP

List S3 Bucket Content (Without Authentication)

# Unsigned (anonymous) request
aws s3 ls s3://$Host --no-sign-request

# Specify the region
aws s3 ls s3://$Host --no-sign-request --region <>

# Copy a specific file
aws s3 cp s3://$Host/File_Name  --no-sign-request  --region <>  file_Name

# Download all files
aws s3 sync s3://$Host/ --no-sign-request  --region <>  Folder_Name
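
The unsigned listing and download above only succeed when the bucket grants read access to anonymous callers. As an added example (not part of the original post), this defender-side check flags bucket policy statements that allow that. The sample policy is constructed, and the check assumes only the bucket policy matters: ACLs, Deny statements and Block Public Access settings are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Actions behind `aws s3 ls` (ListBucket) and `aws s3 cp` / `sync` (GetObject).
READ_ACTIONS = {"s3:listbucket": "s3:ListBucket", "s3:getobject": "s3:GetObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both grant access to any caller, signed or unsigned.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_read_findings(policy_json):
    """Return (Sid, action) pairs for unconditioned Allow statements open to anyone."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # Simplification (assumption): any Condition block is treated as restricting access.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for lowered, name in sorted(READ_ACTIONS.items()):
                # Action names are case-insensitive and may use * or ? wildcards.
                if fnmatchcase(lowered, pattern.lower()):
                    findings.append((stmt.get("Sid", "<no Sid>"), name))
    return findings

# Constructed sample policy; bucket name, account ID and VPC endpoint are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "PublicGet", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "OneAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    for sid, action in anonymous_read_findings(SAMPLE_POLICY):
        print(f"{sid}: anonymous {action} allowed")
```

For a bucket you own, the policy text to feed in can be fetched with `aws s3api get-bucket-policy --bucket <name> --query Policy --output text`.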

List S3 Bucket Content (With Authentication)

# Signed request using the configured credentials
aws s3 ls s3://$Host

# Specify the region
aws s3 ls s3://$Host --region <>

# Copy a specific file
aws s3 cp s3://$Host/File_Name --region <>  file_Name

# Download all files
aws s3 sync s3://$Host/ --region <>  Folder_Name
This post is licensed under CC BY 4.0 by the author.