
Expose Resources

Assign public IP address

Generate a public address. Store the allocation ID, because it will be needed in the following commands.

aws ec2 allocate-address

Get ENI Attachment IDs of EC2 instances in VPC

aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId, NetworkInterfaces[].[Attachment.AttachmentId, NetworkInterfaceId]]' --output text

Assign public IP to attached ENI. The required IDs are the ENI (eni-xxxx) and the IP allocation one (eipalloc-xxxxxxx) returned by the first command

aws ec2 associate-address --network-interface-id <interface id> --allocation-id <allocation id>

Modify Routing Table to allow public traffic

Get VPC and subnets of EC2 instances

aws ec2 describe-instances --query "Reservations[].Instances[].[InstanceId, VpcId, SubnetId]" --output text

Get a list of available gateways in current VPC. Save the ID of a gateway to use to route traffic outside the VPC

aws ec2 describe-internet-gateways

Get routing tables of specified VPC and subnet

aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc id>" "Name=association.subnet-id,Values=<subnet id>"
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc id>" "Name=association.subnet-id,Values=<subnet id>" --query "RouteTables[].[RouteTableId, Routes[*]]" --output text

Edit the routing table to allow traffic from the VPC to the internet

aws ec2 create-route --route-table-id <route table id> --destination-cidr-block 0.0.0.0/0 --gateway-id <gateway id>

Disable instance ACL rules

Get the security groups associated with each EC2 instance. Edit the group that belongs to the instance you intend to expose

aws ec2 describe-instances --query "Reservations[].Instances[].[InstanceId, NetworkInterfaces[].Groups[*]]" --output text

Add inbound rule to security group to allow all traffic to reach the instance

aws ec2 authorize-security-group-ingress --protocol all --port 0-65535 --cidr 0.0.0.0/0 --group-id <group id>

Disable NACL rules

Get the VPC of the target EC2 instance

aws ec2 describe-instances --query "Reservations[].Instances[].[InstanceId, VpcId]" --output text

Get the NACL rules for the VPC. Depending on the rules, it may be necessary to insert new rules that allow all inbound and/or outbound traffic in one or more NACLs. Keep in mind that NACLs are stateless, so inbound traffic may be allowed while the response is still blocked by the outbound filter rules. In that case, an allow-all rule must be added for outbound traffic too.

aws ec2 describe-network-acls --filters "Name=vpc-id,Values=<vpc id>"

Add rule to allow all inbound traffic

aws ec2 create-network-acl-entry --cidr-block 0.0.0.0/0 --ingress --protocol -1 --rule-action allow --rule-number 1 --network-acl-id <acl id>

Add rule to allow all outbound traffic

aws ec2 create-network-acl-entry --cidr-block 0.0.0.0/0 --egress --protocol -1 --rule-action allow --rule-number 1 --network-acl-id <acl id>
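The state these steps leave behind can be audited from the same describe-* output. The following is an added example, not part of the original notes: it checks a route table, a security group and a NACL for the world-open settings above, including the stateless inbound-only case. Function names are hypothetical, the sample data and IDs are constructed, and the NACL check is simplified to all-protocol 0.0.0.0/0 entries.

```python
# Added example: audit describe-* JSON for the exposed state (sample data is constructed).
ANY = "0.0.0.0/0"

def default_route_to_igw(route_table):
    """True if the table sends 0.0.0.0/0 to an internet gateway."""
    return any(r.get("DestinationCidrBlock") == ANY
               and r.get("GatewayId", "").startswith("igw-")
               for r in route_table.get("Routes", []))

def sg_open_to_world(group):
    """True if an ingress permission admits every protocol from 0.0.0.0/0."""
    return any(p.get("IpProtocol") == "-1"
               and any(r.get("CidrIp") == ANY for r in p.get("IpRanges", []))
               for p in group.get("IpPermissions", []))

def nacl_allows_all(nacl, egress):
    """NACL rules are evaluated lowest RuleNumber first and the first match wins.
    Simplification: only all-protocol 0.0.0.0/0 entries are considered."""
    rules = sorted((e for e in nacl["Entries"] if e["Egress"] == egress
                    and e.get("CidrBlock") == ANY and e["Protocol"] == "-1"),
                   key=lambda e: e["RuleNumber"])
    return bool(rules) and rules[0]["RuleAction"] == "allow"

def exposure_findings(route_table, group, nacl):
    """Return one finding per layer that is open to the internet."""
    findings = []
    if default_route_to_igw(route_table):
        findings.append("route: default route to internet gateway")
    if sg_open_to_world(group):
        findings.append("sg: all traffic allowed from 0.0.0.0/0")
    inbound, outbound = nacl_allows_all(nacl, False), nacl_allows_all(nacl, True)
    if inbound and outbound:
        findings.append("nacl: allow-all in both directions")
    elif inbound:
        findings.append("nacl: allow-all inbound only, replies still filtered")
    return findings

# Constructed sample mirroring the describe-* output shapes; all IDs are placeholders.
ROUTES = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                     {"DestinationCidrBlock": ANY, "GatewayId": "igw-EXAMPLE"}]}
GROUP = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}]}]}
DENY = {"CidrBlock": ANY, "Protocol": "-1", "RuleAction": "deny", "RuleNumber": 32767}
NACL = {"Entries": [
    {"CidrBlock": ANY, "Protocol": "-1", "RuleAction": "allow", "RuleNumber": 1, "Egress": False},
    dict(DENY, Egress=False), dict(DENY, Egress=True)]}

if __name__ == "__main__":
    for finding in exposure_findings(ROUTES, GROUP, NACL):
        print(finding)
```

To run it against a real account, pass in single elements of `RouteTables`, `SecurityGroups` and `NetworkAcls` from `aws ec2 describe-route-tables`, `describe-security-groups` and `describe-network-acls` with `--output json`.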

Last updated 1 year ago