EC2

Enumeration

Instances

List all instances

aws ec2 describe-instances --query 'Reservations[*].Instances[*].[Tags[?Key == `Name`].Value,InstanceId,State.Name,InstanceType,PublicIpAddress,PrivateIpAddress]' --output text | sed 'N;s/\n/ /'

Download the UserData script file from all instances

# Collect every instance ID in the region, then save each instance's decoded UserData to <instance id>-USERDATA.txt
ec2_list=$(aws ec2 describe-instances --region us-east-1 --query 'Reservations[].Instances[].InstanceId' --output text --profile ec2-capstone)
for i in $ec2_list; do
  aws ec2 describe-instance-attribute --profile ec2-capstone --instance-id "$i" --attribute userData --output text --query 'UserData' --region us-east-1 | base64 --decode > "$i-USERDATA.txt"
done

Network

aws ec2 describe-network-interfaces    #display all
aws ec2 describe-network-interfaces --filters "Name=attachment.instance-id,Values=<instance id>"
aws ec2 describe-network-interfaces | jq '.NetworkInterfaces[0]'

Connect to instance

Direct SSH or RDP

Use a standard SSH or RDP connection to reach the instance.

  • Requires knowing the Elastic or Private IP of the machine

  • The Security Group associated with the instance must allow inbound SSH or RDP connections

  • The SSH or RDP service must be configured and running on the machine

  • Since the authentication procedure is managed directly on the instance, no AWS credentials or keys are needed

EC2 Connect

A browser-based shell that uses temporary SSH keys backed by IAM credentials. It can be accessed from the AWS dashboard or from the URL below.

  • Requires configuration of an agent on the target machine

  • To use this access method from a remote SSH client, the SSH port must be reachable from the internet and the user must have valid IAM credentials

Direct URL:

https://<region>.console.aws.amazon.com/ec2-instance-connect/ssh?region=<region>&connType=standard&instanceId=<instance id>&osUser=<ec2 user>&sshPort=22#/

AWS SSM

AWS Systems Manager (SSM) can install a package or run a command on a Linux or Windows server. It can also be used to obtain a shell on the EC2 instance through the AWS Systems Manager Session Manager service.

  • Requires configuration of an agent on the target machine

  • The EC2 instance must have the correct IAM permissions to enable this service

  • The user must have valid IAM user credentials to use this service

  • Does not require direct network access to the instance

EC2 Serial Console

This method of authentication allows a user to authenticate on the EC2 instance only by knowing the host's username and password.

  • An administrator must enable the EC2 Serial Console for the whole region

  • Users on the instance must have a password defined, otherwise it will be impossible to login as them

  • Does not require valid IAM User credentials

  • Does not require direct network access to the EC2 instance

IMDS

IMDS vs IMDSv2

Authentication

With IMDS (version 1) it is possible to send a request without authentication, whereas IMDSv2 requires an authentication step: a token must be obtained before sending API requests.

This command requests a token and stores it in a variable. The TTL header can be set to any value in seconds.

IMDS_TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

Enable IMDSv2

Enable IMDSv2 for the current instance

aws ec2 modify-instance-metadata-options --instance-id <instance id> --http-tokens required --region <region>

One-line command with the required calls included

aws ec2 modify-instance-metadata-options --instance-id $(curl -s http://169.254.169.254/latest/meta-data/instance-id) --http-tokens required --region $(curl -s http://169.254.169.254/latest/meta-data/placement/region)

Get instance information

Get current role

curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ 

Get instance ID

curl -s http://169.254.169.254/latest/meta-data/instance-id

Get instance region

curl -s http://169.254.169.254/latest/meta-data/placement/region

Get instance Availability Zone

curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone
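
Once --http-tokens required is set, the token-less requests above are rejected with HTTP 401. The helper functions below are an added example, not part of the original page: they request a token, send it in the X-aws-ec2-metadata-token header, and check from inside the instance whether enforcement is active. The function names and the IMDS_BASE variable are assumptions.

```sh
# Added example, not from the original page. Function names are hypothetical.
# IMDS_BASE can be overridden; the default is the standard link-local endpoint.
IMDS_BASE="${IMDS_BASE:-http://169.254.169.254/latest}"

# Request an IMDSv2 session token. $1 = TTL in seconds (default 60).
imds_token() {
  curl -s -f -X PUT "$IMDS_BASE/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: ${1:-60}"
}

# Fetch one metadata path using a fresh token.
# Example: imds_get placement/region
imds_get() {
  _tok=$(imds_token 60) || return 1
  curl -s -f -H "X-aws-ec2-metadata-token: $_tok" "$IMDS_BASE/meta-data/$1"
}

# Check from inside the instance whether token-less requests are still served.
# Prints "required" when they are rejected with HTTP 401 (IMDSv2 enforced),
# "optional" when they succeed with HTTP 200.
imds_enforcement() {
  _code=$(curl -s -o /dev/null -w '%{http_code}' \
    "$IMDS_BASE/meta-data/instance-id")
  case "$_code" in
    401) echo "required" ;;
    200) echo "optional" ;;
    *)   echo "unknown (HTTP $_code)"; return 1 ;;
  esac
}
```

Source the file on the instance, then call imds_get with any of the paths listed above (for example imds_get instance-id), or run imds_enforcement after changing the metadata options to confirm the setting took effect.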
