Cloud Pentesting: 01_AWS [ Access and Secret Keys to Internal IP]

on

 

AWS Keys to Internal IPs: An Enumeration Walkthrough ☁️

Got AWS Access & Secret Keys? Here's how they can reveal far more than you'd expect ๐Ÿ‘‡

✅ Step 1: Configure and Validate Access

๐ŸŽฏ Objective: Confirm credentials are valid

Use the AWS CLI:

aws configure --profile pentest-profile
aws sts get-caller-identity --profile pentest-profile

๐Ÿ” Output:

{

  "UserId": "AIDAEXAMPLEID",
  "Account": "123456789012",
  "Arn": "arn:aws:iam::123456789012:user/clouduser"
}

๐Ÿงพ Step 2: Discover IAM Permissions

๐ŸŽฏ Objective: See what the identity is allowed to do

aws iam list-attached-user-policies --user-name <<>> --profile pentest-profile

Then for each policy:

aws iam get-policy --policy-arn arn:aws:iam::aws:policy/SomePolicy --profile pentest-profile

Get the version ID and fetch the full policy:

aws iam get-policy-version --policy-arn <ARN> --version-id <ID> --profile pentest-profile

๐Ÿ” Output (sample permission):

"Action": "ec2:DescribeInstances",
"Effect": "Allow"

๐Ÿ“ฆ Step 3: Enumerate EC2 Instances

๐ŸŽฏ Objective: Use discovered permissions

aws ec2 describe-instances --profile pentest-profile

๐Ÿ” Output sample:

"PrivateIpAddress": "10.0.1.15",
"InstanceId": "i-0abcd1234example",
"Tags": [{"Key": "Env", "Value": "Prod"}]

Now you have:

  • ✅ Instance metadata

  • ✅ Tags (e.g., Name, Env)

  • Private IPs (internal access)

๐Ÿ’ฃ Step 4: Assess What’s Accessible Internally

๐ŸŽฏ Objective: Think beyond enumeration

What can these private IPs lead to?

  • Internal dashboards (e.g., Jenkins, Adminer)

  • Metadata APIs (e.g., http://169.254.169.254)

  • Dev environments with RCE potential

Even without write or execute rights — enumeration alone can become weaponized.

๐Ÿ”š The Takeaway

๐Ÿ” Access Key ≠ harmless
๐Ÿ“ Private IP = pivot point
๐Ÿ” Always enumerate before you escalate

Comments

Post a Comment