Lab 2: Exploit S3 Buckets

Lab 2: Exploit S3 Buckets

Lab Scenario

As a professional ethical hacker or pen tester, you must have sound knowledge of enumerating S3 buckets. Using various techniques, you can exploit misconfigurations in bucket implementation and breach the security mechanism to compromise data privacy. Leaving the S3 bucket session running enables you to modify files such as JavaScript or related code and inject malware into the bucket files. Furthermore, finding the bucket’s location and name will help you in testing its security and identifying vulnerabilities in the implementation.

Lab Objectives

  • Exploit open S3 buckets using AWS CLI

Overview of S3 Buckets

S3 buckets are used by customers and end users to store text documents, PDFs, videos, images, etc. To store all these data, the user needs to create a bucket with a unique name.

Listed below are several techniques that can be adopted to identify AWS S3 Buckets:

  • Inspecting HTML: Analyze the source code of HTML web pages in the background to find URLs to the target S3 buckets
  • Brute-Forcing URL: Use Burp Suite to perform a brute-force attack on the target bucket’s URL to identify its correct URL
  • Finding subdomains: Use tools such as Findsubdomains and Robtex to identify subdomains related to the target bucket
  • Reverse IP Search: Use search engines such as Bing to perform reverse IP search to identify the domains of the target S3 buckets
  • Advanced Google hacking: Use advanced Google search operators such as “inurl” to search for URLs related to the target S3 buckets

Task 1: Exploit Open S3 Buckets using AWS CLI

The AWS command line interface (CLI) is a unified tool for managing AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.

Before starting this task, you must create your AWS account (https://aws.amazon.com).

  1. In the Parrot Security machine, click the MATE Terminal icon in the menu to launch the terminal.

    gdsdd.jpg

  2. Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

  3. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

  4. Now, type cd and press Enter to jump to the root directory.

    Screenshot

  5. In the terminal window, type pip3 install awscli and press Enter to install AWS CLI.

    Screenshot

  6. Once the installation is completed, type aws --help and press Enter to check whether AWS CLI is properly installed.

    Here, the awscli is already installed.

    Ignore the errors (if you find any).

    Screenshot

  7. Now, we need to configure AWS CLI. To configure AWS CLI in the terminal window, type aws configure and press Enter.

    Screenshot

  8. It will ask for the following details:

    • AWS Access Key ID
    • AWS Secret Access Key
    • Default region name
    • Default output format

  9. To provide these details, you need to login to your AWS account.

  10. Cick Firefox icon from the top-section of the Desktop.

  11. Login to your AWS account that you created at the beginning of this task. Click the Firefox browser icon in the menu, type https://console.aws.amazon.com in the address bar, and press Enter.

    If you do not have an AWS account, create one with the Basic Free Plan, and then proceed with the tasks.

  12. The Amazon Web Services Sign-In page appears; type your email account in the Email address field and click Next.

    2020-08-27_14-30-51.jpg

  13. Type your AWS account password in the Password field and click Sign in.

    2020-08-27_14-32-16.jpg

  14. Click the AWS account drop-down menu and click My Security Credentials, as shown in the screenshot.

    2020-08-27_14-37-42.jpg

  15. Click Access keys (access key ID and secret access key) in the Your Security Credentials section.

    2020-08-27_14-41-06.jpg

  16. Click the Create New Access Key button.

    erfjhgfdn.jpg

  17. Create Access Key pop-up appears, stating that your access key has been successfully created. Click the Show Access Key link to view the access key.

  18. Copy the Access Key ID displayed by pressing Ctrl+C on your keyboard and switch to the Terminal window.

    2020-08-27_14-45-37.jpg

  19. In the terminal window, right-click your mouse; select Paste from the context menu to paste the copied Access Key ID and press Enter. It will prompt you to the AWS Secret Access Key. Switch to your AWS Account in the browser.

    223232.png

  20. In the Create Access Key pop-up, select the Secret Access Key displayed, copy it by pressing Ctrl+C on your keyboard, and minimize the browser window. Switch to the Terminal window.

  21. In the terminal window, right-click your mouse, select Paste from the context menu to paste the copied Secret Access Key and press Enter. It will prompt you for the default region name.

  22. In the Default region name field, type eu-west-1 and press Enter.

  23. The Default output format prompt appears; leave it as default and press Enter.

    2020-08-27_14-51-15.jpg

  24. For demonstration purposes, we have created an open S3 bucket with the name certifiedhacker1 in the AWS service. We are going to use that bucket in this task.

    The public S3 buckets can be found during the enumeration phase.

  25. Let us list the directories in the certifiedhacker1 bucket. In the terminal window, type aws s3 ls s3://[Bucket Name] (here, Bucket Name is certifiedhacker1) and press Enter.

    The bucket name may be different in your lab environment depending on the bucket you are targeting.

  26. This will show you the list of directories in the certifiedhacker1 S3 bucket, as shown in the screenshot.

    Screenshot

  27. Now, maximize the browser window, type certifiedhacker1.s3.amazonaws.com in the address bar, and press Enter.

  28. This will show you the complete list of directories and files available in this bucket.

    Screenshot

  29. Minimize the browser window and switch to Terminal.

  30. Let us move some files to the certifiedhacker1 bucket. To do this, in the terminal window, type echo “You have been hacked” >> Hack.txt and press Enter.

  31. By issuing this command, you are creating a file named Hack.txt.

    Screenshot

  32. Let us try to move the Hack.txt file to the certifiedhacker1 bucket. In the terminal window, type aws s3 mv Hack.txt s3://certifiedhacker1 and press Enter.

  33. You have successfully moved the Hack.txt file to the certifiedhacker1 bucket.

    Screenshot

  34. To verify whether the file is moved, switch to the browser window and maximize it. Reload the page.

  35. You can observe that the Hack.txt file is moved to the certifiedhacker1 bucket, as shown in the screenshot.

    Screenshot

  36. Minimize the browser window and switch to the Terminal window.

  37. Let us delete the Hack.txt file from the certifiedhacker1 bucket. In the terminal window, type aws s3 rm s3://certifiedhacker1/Hack.txt and press Enter.

  38. By issuing this command, you have successfully deleted the Hack.txt file from the certifiedhacker1 bucket.

    Screenshot

  39. To verify whether the file is deleted, switch to the browser window and reload the page.

  40. The Hack.txt file is deleted from the certifiedhacker1 bucket.

    Screenshot

  41. Thus, you can add or delete files from open S3 buckets.

  42. This concludes the demonstration of exploiting public S3 buckets.

  43. Close all open windows and document all the acquired information.

Comments

Post a Comment

Popular posts from this blog

Lab 7: Perform Enumeration using Various Enumeration Tools

Image
  Lab 7: Perform Enumeration using Various Enumeration Tools Module 04: Enumeration Lab 7: Perform Enumeration using Various Enumeration Tools Task 1: Enumerate Information using Global Network Inventory Task 2: Enumerate Network Resources using Advanced IP Scanner Task 3: Enumerate Information from Windows and Samba Hosts using Enum4linux The details obtained in the previous steps might not reveal all potential vulnerabilities in the target network.  There may be more information available that could help attackers to identify loopholes to exploit. As an ethical hacker,  you should use a range of tools to find as much information as possible about the target network’s systems. This lab activity  will demonstrate further enumeration tools for extracting even more information about the target system. refer to blog Lab Scenario The details obtained in the previous steps might not reveal all potential vulnerabilities in the target network. There may be more information ...
Read more

Lab 1: Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools

Image
Lab 1: Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools Lab Scenario As an ethical hacker, you must try to obtain as much information as possible about the target cloud environment using various enumeration tools. This lab will demonstrate various S3 bucket enumeration tools that can help you in extracting the list of publicly available S3 buckets. Lab Objectives Enumerate S3 buckets using lazys3 Enumerate S3 buckets using S3Scanner Overview of Enumeration Tools Enumeration tools are used to collect detailed information about target systems to exploit them. Information collected by S3 enumeration tools consists of a list of misconfigured S3 buckets that are available publicly. Attackers can exploit these buckets to gain unauthorized access to them. Moreover, they can modify, delete, and exfiltrate the bucket content. Task 1: Enumerate S3 Buckets using lazys3 lazys3 is a Ruby script tool that is used to brute-force AWS S3 buckets using different permutations. This...
Read more

Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools

Image
  Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools Module 05: Vulnerability Analysis Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools Task 1: Perform Vulnerability Analysis using OpenVAS OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability  scanning and vulnerability management solution. Its capabilities include unauthenticated testing, authenticated testing,  various high level and low-level Internet and industrial protocols, performance tuning for large-scale scans, and a powerful  internal programming language to implement any vulnerability test. The actual security scanner is accompanied with a regularly  updated feed of Network Vulnerability Tests (NVTs)—over 50,000 in total. Vulnerability Analysis to identify security loopholes using Parrot Security / OpenVAS // Vulnerability Assessment  - Applications --> Pentesting --> Vu...
Read more