
VPC


Last updated 1 year ago

Structure

Global services

  • CloudFront

  • Route 53

  • IAM

  • Organizations

  • STS

Regional architecture

  • Region: a physical location in the world where a cluster of data centers is present

    • Availability Zone: one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. These separations mean that an outage of one AZ due to lost power, networking issues, or ISP connectivity issues should not affect any other AZ

      • S3 Bucket

      • VPC

        • Gateway

        • Amazon DNS resolver instance

        • Amazon Time Sync Service

        • Microsoft KMS Service

        • Elastic IP Address range

        • EC2 Instance Metadata Service

        • ECS Task Metadata Service

        • EC2 Instances

        • VPC Endpoints

Enumeration

VPC Elements

Public load balancers (ELB)

aws elbv2 describe-load-balancers --query 'LoadBalancers[].DNSName' --output text

Endpoints and Managed Prefix List

aws ec2 describe-prefix-lists

Route 53

Hosted zones

aws route53 list-hosted-zones

DNS records

aws route53 list-resource-record-sets --hosted-zone-id <hosted zone id>

NS Lookup

aws route53 list-resource-record-sets --hosted-zone-id <zone id> --query "ResourceRecordSets[?Type=='A' && contains(Name,'<domain name>')].ResourceRecords[*].Value"

Reverse NS Lookup

aws route53 list-resource-record-sets --hosted-zone-id /hostedzone/Z07539222LGSNXAUJI1RU --query "ResourceRecordSets[?Type=='A' && ResourceRecords[?Value=='<ip address>']].Name"
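
The two lookup queries above, reproduced offline over saved `list-resource-record-sets` JSON for a DNS inventory review. This is an added example, not part of the original notes; the record data is constructed and the function names are hypothetical. It also separates alias A records, which carry an `AliasTarget` instead of `ResourceRecords` and therefore never match the value-based queries.

```python
import json

# Constructed sample shaped like `aws route53 list-resource-record-sets` output.
SAMPLE = json.loads("""
{"ResourceRecordSets": [
  {"Name": "example.test.", "Type": "NS", "TTL": 172800,
   "ResourceRecords": [{"Value": "ns-1.example-dns.test."}]},
  {"Name": "app.example.test.", "Type": "A", "TTL": 300,
   "ResourceRecords": [{"Value": "203.0.113.10"}, {"Value": "203.0.113.11"}]},
  {"Name": "api.example.test.", "Type": "A", "TTL": 300,
   "ResourceRecords": [{"Value": "203.0.113.10"}]},
  {"Name": "www.example.test.", "Type": "A",
   "AliasTarget": {"HostedZoneId": "ZEXAMPLE", "DNSName": "lb.example.test.",
                   "EvaluateTargetHealth": false}}
]}
""")


def a_records(response):
    """Yield (name, ips, alias_dns_name) for every A record set in the response."""
    for rrset in response.get("ResourceRecordSets", []):
        if rrset.get("Type") != "A":
            continue
        # Alias records have no ResourceRecords key, so default to an empty list.
        ips = [r["Value"] for r in rrset.get("ResourceRecords", [])]
        alias = rrset.get("AliasTarget", {}).get("DNSName")
        yield rrset["Name"], ips, alias


def forward_lookup(response, domain):
    """Like the NS Lookup query: IPs of A records whose name contains `domain`."""
    return sorted({ip for name, ips, _ in a_records(response)
                   if domain in name for ip in ips})


def reverse_lookup(response, ip):
    """Like the Reverse NS Lookup query: names of A records holding `ip`."""
    return sorted(name for name, ips, _ in a_records(response) if ip in ips)


def alias_records(response):
    """A records that resolve through an AliasTarget rather than fixed IPs."""
    return {name: alias for name, _, alias in a_records(response) if alias}


if __name__ == "__main__":
    print(forward_lookup(SAMPLE, "app.example"))
    print(reverse_lookup(SAMPLE, "203.0.113.10"))
    print(alias_records(SAMPLE))
```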