From e9c1ce1c096f4f264de222640def2ec07c8a1044 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 22 Jun 2023 19:03:06 +0200 Subject: [PATCH] AWS Key Patterns --- API Key Leaks/README.md | 1 - .../Cloud - AWS Pentest.md | 75 ++++++++++++------- .../Windows - Defenses.md | 3 + Server Side Request Forgery/README.md | 9 ++- Type Juggling/README.md | 10 +++ 5 files changed, 68 insertions(+), 30 deletions(-) diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index ad96631..3a07a18 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -8,7 +8,6 @@ - [Exploit](#exploit) - [Google Maps](#google-maps) - [Algolia](#algolia) - - [AWS Access Key ID & Secret](#aws-access-key-id--secret) - [Slack API Token](#slack-api-token) - [Facebook Access Token](#facebook-access-token) - [Github client id and client secret](#github-client-id-and-client-secret) diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md index 070e255..3d47175 100644 --- a/Methodology and Resources/Cloud - AWS Pentest.md +++ b/Methodology and Resources/Cloud - AWS Pentest.md @@ -8,7 +8,9 @@ - [Summary](#summary) - [Training](#training) - [Tools](#tools) - - [AWS Patterns](#aws-patterns) + - [AWS - Patterns](#aws---patterns) + - [URL Services](#url-services) + - [Access Key ID & Secret](#access-key-id--secret) - [AWS - Metadata SSRF](#aws---metadata-ssrf) - [Method for Elastic Cloud Compute (EC2)](#method-for-elastic-cloud-compute-ec2) - [Method for Container Service (Fargate)](#method-for-container-service-fargate) @@ -188,35 +190,58 @@ -## AWS Patterns -| Service | URL | -|-------------|--------| -| s3 | https://{user_provided}.s3.amazonaws.com | -| cloudfront | https://{random_id}.cloudfront.net | -| ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com | -| es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com | -| elb | http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 | -| elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com | -| rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 | -| rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 | -| route 53 | {user_provided} | -| execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} | -| cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com | -| transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com | -| iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 | -| iot | https://{random_id}.iot.{region}.amazonaws.com:8443 | -| iot | https://{random_id}.iot.{region}.amazonaws.com:443 | -| mq | https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 | -| mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 | -| kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com | -| kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com | -| cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com | -| mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com | +## AWS - Patterns + +### URL Services + +| Service | URL | +|--------------|-----------------------| +| s3 | https://{user_provided}.s3.amazonaws.com | +| cloudfront | https://{random_id}.cloudfront.net | +| ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com | +| es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com | +| elb | http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 | +| elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com | +| rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 | +| rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 | +| route 53 | {user_provided} | +| execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} | +| cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com | +| transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com | +| iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 | +| iot | https://{random_id}.iot.{region}.amazonaws.com:8443 | +| iot | https://{random_id}.iot.{region}.amazonaws.com:443 | +| mq | https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 | +| mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 | +| kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com | +| kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com | +| cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com | +| mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com | | kinesisvideo | https://{random_id}.kinesisvideo.{region}.amazonaws.com | | mediaconvert | https://{random_id}.mediaconvert.{region}.amazonaws.com | | mediapackage | https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel | +### Access Key ID & Secret + +> IAM uses the following prefixes to indicate what type of resource each unique ID applies to. + +| Prefix | Resource type | +|--------------|-------------------------| +| ABIA | AWS STS service bearer token | +| ACCA | Context-specific credential | +| AGPA | User group | +| AIDA | IAM user | +| AIPA | Amazon EC2 instance profile | +| AKIA | Access key | +| ANPA | Managed policy | +| ANVA | Version in a managed policy | +| APKA | Public key | +| AROA | Role | +| ASCA | Certificate | +| ASIA | Temporary (AWS STS) access key | + + ## AWS - Metadata SSRF > AWS released additional security defences against the attack. diff --git a/Methodology and Resources/Windows - Defenses.md b/Methodology and Resources/Windows - Defenses.md index 7e7f297..50d0298 100644 --- a/Methodology and Resources/Windows - Defenses.md +++ b/Methodology and Resources/Windows - Defenses.md @@ -288,6 +288,9 @@ PS C:\> Add-MpPreference -ExclusionPath "C:\Temp" PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks" PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe" +# exclude using wmi +PS C:\> WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\Public\wmic" + # remove signatures (if Internet connection is present, they will be downloaded again): PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All diff --git a/Server Side Request Forgery/README.md b/Server Side Request Forgery/README.md index 68be99b..5ce4365 100644 --- a/Server Side Request Forgery/README.md +++ b/Server Side Request Forgery/README.md @@ -57,10 +57,11 @@ ## Tools -- [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap) -- [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus) -- [See-SURF - https://github.com/In3tinct/See-SURF](https://github.com/In3tinct/See-SURF) -- [SSRF Sheriff - https://github.com/teknogeek/ssrf-sheriff](https://github.com/teknogeek/ssrf-sheriff) +- [swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap) - Automatic SSRF fuzzer and exploitation tool +- [tarunkant/Gopherus](https://github.com/tarunkant/Gopherus) - Generates gopher link for exploiting SSRF and gaining RCE in various servers +- [In3tinct/See-SURF](https://github.com/In3tinct/See-SURF) - Python based scanner to find potential SSRF parameters +- [teknogeek/SSRF Sheriff](https://github.com/teknogeek/ssrf-sheriff) - Simple SSRF-testing sheriff written in Go +* [assetnote/surf](https://github.com/assetnote/surf) - Returns a list of viable SSRF candidates ## Payloads with localhost diff --git a/Type Juggling/README.md b/Type Juggling/README.md index e39d081..f40e784 100644 --- a/Type Juggling/README.md +++ b/Type Juggling/README.md @@ -42,6 +42,16 @@ ![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true) +Loose Type Comparisons occurs in many languages: +* [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb) +* [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql) +* [NodeJS](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/NodeJS) +* [PHP](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/PHP) +* [Perl](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Perl) +* [Postgres](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Postgres) +* [Python](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Python) +* [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0) + ### NULL statements