From a76b0b5c07debbdbb0897912de0b41315799a449 Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 19 Dec 2023 15:56:37 +0000 Subject: [PATCH] GITBOOK-498: change request with no subject merged in GitBook --- SUMMARY.md | 1 + ...m-and-private-certificate-authority-pca.md | 81 +++++++++++++++++++ .../aws-security/aws-services/aws-iam-enum.md | 6 +- 3 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md diff --git a/SUMMARY.md b/SUMMARY.md index 2a408293b5..5f8d425c5f 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -241,6 +241,7 @@ * [AWS - Trusted Advisor Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md) * [AWS - WAF Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md) * [AWS - API Gateway Enum](pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md) + * [AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA)](pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md) * [AWS - CloudFormation & Codestar Enum](pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md) * [AWS - CloudHSM Enum](pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md) * [AWS - CloudFront Enum](pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md) diff --git a/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md b/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md new file mode 100644 index 0000000000..cac37748df --- /dev/null +++ b/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md 
@@ -0,0 +1,81 @@ +# AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA) + +
+ +Support HackTricks and get benefits! + +* If you want to see your **company advertised in HackTricks** or if you want access to the **latest version of the PEASS or download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## Basic Information + +**AWS Certificate Manager (ACM)** is a service designed to simplify the provisioning, management, and deployment of SSL/TLS certificates for AWS services and internal resources. It **eliminates the manual steps involved** in purchasing, uploading, and renewing these certificates. With ACM, users can easily request and deploy certificates on various AWS resources like Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway. + +ACM also takes care of **automatic certificate renewals**. Additionally, it allows for the creation and centralized management of **private certificates for internal use**. SSL/TLS certificates provided through ACM for use exclusively with integrated AWS services like Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway are free, but users pay for any AWS resources used to run applications and a monthly fee for the operation of each **private Certificate Authority (CA)** and for private certificates used outside of ACM-integrated services. + +**AWS Private Certificate Authority** is a **managed private CA** service that **extends ACM certificate management to private certificates**. With private certificates you can authenticate resources inside an organization. 
+ +## Enumeration + +### ACM + +``` +# List certificates +aws acm list-certificates + +# Get certificate info +aws --profile lab acm describe-certificate --certificate-arn + +# Get certificate data +aws acm get-certificate --certificate-arn "arn:aws:acm:us-east-1:188868097724:certificate/865abced-82c9-43bf-b7d2-1f4948bf353d" + +# Account configuration +aws acm get-account-configuration +``` + +### PCM + +``` +# List CAs +aws acm-pca list-certificate-authorities + +# Get CA info +aws acm-pca describe-certificate-authority --certificate-authority-arn + +# Get CA Permissions +aws acm-pca list-permissions --certificate-authority-arn + +# Get CA certificate +aws acm-pca get-certificate-authority-certificate --certificate-authority-arn + +# Certificate request +aws acm-pca get-certificate-authority-csr --certificate-authority-arn + +# Get CA Policy (if any) +aws acm-pca get-policy --resource-arn +``` + +## Privesc + +TODO + +## Post Exploitation + +TODO + +
+ +Support HackTricks and get benefits! + +* If you want to see your **company advertised in HackTricks** or if you want access to the **latest version of the PEASS or download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md b/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md index 9a4621fe11..a295ad6992 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md @@ -135,7 +135,7 @@ python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file exampl {% endcode %} {% hint style="warning" %} -It's possible to "know" if the permisisons you have are granted by an AWS managed role if you see that **you have permissions over services that aren't used** for example. +It's possible to "know" if the permissions you have are granted by an AWS managed role if you see that **you have permissions over services that aren't used** for example. {% endhint %} #### Cloudtrail2IAM @@ -151,6 +151,10 @@ python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PR ``` {% endcode %} +{% hint style="warning" %} +If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find aws configuration and find which permissions have been assigned to who. +{% endhint %} + #### enumerate-iam To use the tool [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam) you first need to download all the API AWS endpoints, from those the script **`generate_bruteforce_tests.py`** will get all the **"list\_", "describe\_", and "get\_" endpoints.** And finally, it will try to **access them** with the given credentials and **indicate if it worked**.
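Review bot: In the new ACM/PCA page, the `aws acm get-certificate` example under "### ACM" hard-codes a full certificate ARN, including a 12-digit account ID (`arn:aws:acm:us-east-1:188868097724:certificate/...`). The neighbouring commands instead end at a bare `--certificate-arn`, `--certificate-authority-arn` or `--resource-arn` with no value. Use one placeholder style throughout, for example `--certificate-arn <certificate-arn>`, and drop the stray `--profile lab` from `describe-certificate` so the commands are consistent. The second subsection heading reads "### PCM", but the commands use `acm-pca` and the page title says PCA, so it should be "### PCA". The "Privesc" and "Post Exploitation" sections contain only "TODO"; leave them out until there is content, or link to an existing page.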
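Review bot: On the corrected hint line in aws-iam-enum.md (hunk at line 135), "granted by an AWS managed role" sits directly under the `aws-Perms2ManagedPolicies.py` example, whose name refers to managed policies. While this line is being touched, consider "AWS managed policy" so the hint matches the tool it follows.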
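Review bot: The new hint about `.tfstate` and CloudFormation files (hunk at line 151) is inserted under "#### Cloudtrail2IAM", right after that tool's code block, so it reads as part of that tool's usage although it describes a separate source of information. Give it its own short subsection or move it after the tool list, and consider `style="info"`, since it is a tip rather than a warning. Wording on the added line: "aws configuration" should be "AWS configuration", "yaml" should be "YAML", and "assigned to who" should be "assigned to whom".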