GITBOOK-518: change request with no subject merged in GitBook

SUMMARY.md

@@ -180,6 +180,7 @@
     * [AWS - SQS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md)
     * [AWS - SSO & identitystore Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md)
     * [AWS - STS Post Exploitation](pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-sts-post-exploitation.md)
+    * [AWS - VPN Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md)
   * [AWS - Privilege Escalation](pentesting-cloud/aws-security/aws-privilege-escalation/README.md)
     * [AWS - Apigateway Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md)
     * [AWS - Chime Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md)

pentesting-cloud/aws-pentesting/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md

@@ -122,6 +122,29 @@ For every network interface that publishes data to the CloudWatch log group, it
 
 ## VPN
 
+### Basic AWS VPN Components
+
+1. **Customer Gateway**:
+   * A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection.
+   * It is essentially a physical device or software application on your side of the Site-to-Site VPN connection.
+   * You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway.
+   * It serves as a reference point for setting up the VPN connection and doesn't incur additional charges.
+2. **Virtual Private Gateway**:
+   * A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
+   * It is attached to your VPC and serves as the target for your VPN connection.
+   * VPG is the AWS side endpoint for the VPN connection.
+   * It handles the secure communication between your VPC and your on-premises network.
+3. **Site-to-Site VPN Connection**:
+   * A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel.
+   * This type of connection requires a Customer Gateway and a Virtual Private Gateway.
+   * It's used for secure, stable, and consistent communication between your data center or network and your AWS environment.
+   * Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection.
+4. **Client VPN Endpoint**:
+   * A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions.
+   * It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network.
+   * It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks.
+   * With Client VPN, each client device uses a VPN client software to establish a secure connection.
+
 ### Site-to-Site VPN
 
 **Connect your on premisses network with your VPC.**
@@ -144,7 +167,7 @@ In addition, take the following into consideration when you use Site-to-Site VPN
 
 * When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks.
 
-### Components of Client VPN <a href="#what-is-components" id="what-is-components"></a>
+### Client VPN <a href="#what-is-components" id="what-is-components"></a>
 
 **Connect from your machine to your VPC**
 

pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md

@@ -0,0 +1,37 @@
+# AWS - VPN Post Exploitation
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+
+## VPN
+
+For more information:
+
+{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %}
+[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/)
+{% endcontent-ref %}
+
+<details>
+
+<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>

pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md

@@ -256,6 +256,81 @@ aws autoscaling describe-load-balancers
 ```
 {% endcode %}
 
+## VPN
+
+A VPN allows to connect your **on-premise network (site-to-site VPN)** or the **workers laptops (Client VPN)** with a **AWS VPC** so services can accessed without needing to expose them to the internet.
+
+### Basic AWS VPN Components
+
+1. **Customer Gateway**:
+   * A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection.
+   * It is essentially a physical device or software application on your side of the Site-to-Site VPN connection.
+   * You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway.
+   * It serves as a reference point for setting up the VPN connection and doesn't incur additional charges.
+2. **Virtual Private Gateway**:
+   * A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
+   * It is attached to your VPC and serves as the target for your VPN connection.
+   * VPG is the AWS side endpoint for the VPN connection.
+   * It handles the secure communication between your VPC and your on-premises network.
+3. **Site-to-Site VPN Connection**:
+   * A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel.
+   * This type of connection requires a Customer Gateway and a Virtual Private Gateway.
+   * It's used for secure, stable, and consistent communication between your data center or network and your AWS environment.
+   * Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection.
+4. **Client VPN Endpoint**:
+   * A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions.
+   * It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network.
+   * It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks.
+   * With Client VPN, each client device uses a VPN client software to establish a secure connection.
+
+You can [**find more information about the benefits and components of AWS VPNs here**](../../../aws-pentesting/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md#vpn). 
+
+Post E
+
+### Enumeration
+
+```bash
+# VPN endpoints
+## Check used subnetwork, authentication, SGs, connected...
+aws ec2 describe-client-vpn-endpoints
+
+## Get AWS network info related to the vpn endpoint
+aws ec2 describe-client-vpn-target-networks --client-vpn-endpoint-id <id>
+
+## Get AWS subnet & ip range the VPN iconnected to
+aws ec2 describe-client-vpn-routes --client-vpn-endpoint-id <id>
+
+## Check authorization rules
+aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id <id>
+
+## Get current connections to the VPN endpoint
+aws ec2 describe-client-vpn-connections --client-vpn-endpoint-id <id>
+
+# Get VPN gateways and check with which VPC each is connected
+aws ec2 describe-vpn-gateways
+
+# Get VPN site-to-site connections
+aws ec2 describe-vpn-connections
+```
+
+### Local Enumeration
+
+#### Local Temporary Credentials
+
+When AWS VPN Client is used to connect to a VPN, the user will usually **login in AWS** to get access to the VPN. Then, some **AWS credentials are created and stored** locally to establish the VPN connection. These credentials are **stored in** `$HOME/.config/AWSVPNClient/TemporaryCredentials/<region>/temporary-credentials.txt` and contains an **AccessKey**, a **SecretKey** and a **Token**.
+
+The credentials belong to the user `arn:aws:sts::<acc-id>:assumed-role/aws-vpn-client-metrics-analytics-access-role/CognitoIdentityCredentials` (TODO: research more about the permissions of this credentials).
+
+#### opvn config files
+
+If a **VPN connection was stablished** you should search for **`.opvn`** config files in the system. Moreover, one place where you could find the **configurations** is in **`$HOME/.config/AWSVPNClient/OpenVpnConfigs`**
+
+### **Post Exploitaiton**
+
+{% content-ref url="../../aws-post-exploitation/aws-vpn-post-exploitation.md" %}
+[aws-vpn-post-exploitation.md](../../aws-post-exploitation/aws-vpn-post-exploitation.md)
+{% endcontent-ref %}
+
 <details>
 
 <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

pentesting-cloud/aws-security/aws-services/aws-iam-enum.md

@@ -343,6 +343,49 @@ aws identitystore list-group-memberships --identity-store-id <store-id> --group-
 aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
 ```
 
+### Local Enumeration
+
+It's possible to create inside the folder `$HOME/.aws` the file config to configure profiles that are accessible via SSO, for example:
+
+```tsconfig
+[default]
+region = us-west-2
+output = json
+
+[profile my-sso-profile]
+sso_start_url = https://my-sso-portal.awsapps.com/start
+sso_region = us-west-2
+sso_account_id = 123456789012
+sso_role_name = MySSORole
+region = us-west-2
+output = json
+
+[profile dependent-profile]
+role_arn = arn:aws:iam::<acc-id>:role/ReadOnlyRole
+source_profile = Hacktricks-Admin
+```
+
+This configuration can be used with the commands:
+
+```bash
+# Login in ms-sso-profile
+aws sso login --profile my-sso-profile
+# Use dependent-profile
+aws s3 ls --profile dependent-profile
+```
+
+When a **profile from SSO is used** to access some information, the credentials are **cached** in a file inside the folder **`$HOME/.aws/sso/cache`**. Therefore they can be **read and used from there**.
+
+Moreover, **more credentials** can be stored in the folder **`$HOME/.aws/cli/cache`**. This cache directory is primarily used when you are **working with AWS CLI profiles** that use IAM user credentials or **assume** roles through IAM (without SSO). Config example:
+
+```typoscript
+[profile crossaccountrole]
+role_arn = arn:aws:iam::234567890123:role/SomeRole
+source_profile = default
+mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
+external_id = 123456
+```
+
 ### Privesc
 
 {% content-ref url="../../aws-pentesting/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md" %}