Tools · February 9, 2026 · 3 min read · by 0xt0pus

AWS CLI

AWS command-line interface for cloud infrastructure enumeration and reconnaissance


Description

Command-line tool for interacting with Amazon Web Services (AWS) infrastructure. Used for cloud enumeration, reconnaissance, and managing AWS resources. Essential for penetration testing of cloud environments, including S3 bucket enumeration, IAM user enumeration, AMI discovery, and account ID extraction.

Usage 1: Install AWS CLI

Install the AWS CLI tool on Kali Linux.

Command:

sudo apt update
sudo apt install -y awscli

Usage 2: Configure a named profile

Set up AWS credentials using a named profile for easy switching between IAM users.

Command:

aws configure --profile attacker

Expected inputs:

AWS Access Key ID []: AKIAQO...
AWS Secret Access Key []: cOGzm...
Default region name []: us-east-1
Default output format []: json

Usage 3: Verify caller identity

Confirm that the stored credentials are valid and see which IAM principal (account, user and ARN) the profile acts as.

Command:

aws --profile attacker sts get-caller-identity

Usage 4: List contents of a public S3 bucket

Enumerate the contents of a publicly accessible S3 bucket.

Command:

aws --profile attacker s3 ls offseclab-assets-public-kaykoour
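For the defender's side of Usage 4, here is an added example (not from the original page) that checks a bucket policy for the kind of open Allow statement that makes a bucket listable by anyone. It is a simplified version of the "public" test AWS applies, run over a constructed policy document rather than a live bucket; the bucket name, account IDs and organization ID in it are made up.

```python
import json

# Condition keys that narrow an otherwise-open Principal to known callers.
# Simplified from the keys AWS treats as scoping a bucket policy; assumption
# for this example, not an exhaustive list.
SCOPING_KEYS = {
    "aws:principalaccount", "aws:principalorgid", "aws:principalarn",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
    "aws:sourcearn", "aws:sourceaccount",
}

# Constructed bucket policy for the example: one statement is genuinely public,
# one is open to "*" but scoped to an organization, one grants a single account,
# and one is a Deny (never counted as public).
CONSTRUCTED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-assets"},
        {"Sid": "OrgOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _principal_values(principal):
    """Flatten a Principal element into the list of AWS principal strings it names."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def public_statements(policy_json):
    """Return the Sids of Allow statements that any AWS principal can use.

    A statement is reported when it is an Allow, its Principal includes "*",
    and no condition key from SCOPING_KEYS narrows who the "*" can be.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principal_values(stmt.get("Principal")):
            continue
        condition_keys = {
            key.lower()
            for operand in stmt.get("Condition", {}).values()
            for key in operand
        }
        if condition_keys & SCOPING_KEYS:
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print("public statements:", public_statements(CONSTRUCTED_BUCKET_POLICY))
```

Feed it the output of `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` to check a real bucket; the listing the page describes in Usage 4 only works when a statement like `PublicList` exists (or when the bucket ACL grants AllUsers) and S3 Block Public Access is not enabled for the account or bucket.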

Usage 5: Create a new IAM user for enumeration

Create a new IAM user (with no permissions by default) for account ID enumeration.

Command:

aws --profile attacker iam create-user --user-name enum

Usage 6: Create access keys for an IAM user

Generate access keys to interact as the newly created user.

Command:

aws --profile attacker iam create-access-key --user-name enum

Usage 7: Apply an inline policy to an IAM user

Attach a policy document (JSON file) to an IAM user for conditional S3 access, used for account ID enumeration.

Command:

aws --profile attacker iam put-user-policy \
--user-name enum \
--policy-name s3-read \
--policy-document file://policy-s3-read.json

Example policy document (policy-s3-read.json) for account ID enumeration:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowResourceAccount",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {"s3:ResourceAccount": ["0*"]}
            }
        }
    ]
}

Usage 8: List user policies

Verify which policies are attached to an IAM user.

Command:

aws --profile attacker iam list-user-policies --user-name enum

Usage 9: Enumerate account ID digit by digit

Run the listing as the enum user (a profile configured with the access keys from Usage 6). The policy from Usage 7 only allows the request when the bucket owner's account ID matches the s3:ResourceAccount pattern, so Access Denied means the current prefix is wrong and a successful listing means it is right. Try the digits 0-9 for one position, then extend the confirmed prefix by one more digit and repeat until the full 12-digit account ID is known.

Command:

aws --profile enum s3 ls offseclab-assets-private-kaykoour

Iterate by changing the policy condition:

"StringLike": {"s3:ResourceAccount": ["0*"]}
"StringLike": {"s3:ResourceAccount": ["1*"]}
...
"StringLike": {"s3:ResourceAccount": ["10*"]}
"StringLike": {"s3:ResourceAccount": ["11*"]}
...
"StringLike": {"s3:ResourceAccount": ["19*"]}
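From the defender's side, the procedure in Usages 7 and 9 leaves two traces: in the bucket owner's account, a run of AccessDenied bucket listings from a principal in a foreign account, and in the requester's own account, PutUserPolicy calls whose policy conditions match s3:ResourceAccount against a wildcard. The following is an added detection example (not from the original page) that runs both checks over constructed CloudTrail-shaped records. It assumes S3 data events are delivered to the bucket owner's trail (otherwise the ListObjects records never exist); the account IDs, user names, bucket name and timestamps are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _s3_record(minute, account, user, denied=True):
    """Build a constructed CloudTrail S3 data event for a bucket listing."""
    rec = {
        "eventTime": "2026-02-09T10:%02d:00Z" % minute,
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListObjects",
        "userIdentity": {"type": "IAMUser", "accountId": account,
                         "arn": "arn:aws:iam::%s:user/%s" % (account, user)},
        "recipientAccountId": "222222222222",  # the bucket owner's account
        "requestParameters": {"bucketName": "example-private-bucket"},
    }
    if denied:
        rec["errorCode"] = "AccessDenied"
    return rec


# Constructed sample log (not real data): six failed probes from a foreign
# account, the probe that finally succeeds, one same-account denial that is
# ordinary misconfiguration, and the PutUserPolicy call from the probing account.
CONSTRUCTED_RECORDS = (
    [_s3_record(m, "111111111111", "enum") for m in range(6)]
    + [_s3_record(6, "111111111111", "enum", denied=False)]
    + [_s3_record(7, "222222222222", "dev")]
    + [{
        "eventTime": "2026-02-09T09:59:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "PutUserPolicy",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/attacker"},
        "recipientAccountId": "111111111111",
        "requestParameters": {
            "userName": "enum",
            "policyName": "s3-read",
            # CloudTrail records the policy document as a JSON string
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Action": ["s3:ListBucket", "s3:GetObject"],
                               "Resource": "*",
                               "Condition": {"StringLike": {"s3:ResourceAccount": ["1*"]}}}],
            }),
        },
    }]
)


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_account_id_probing(records, window=timedelta(minutes=10), threshold=5):
    """Return {(principal_arn, bucket): count} for principals from another account
    that were denied a bucket listing at least `threshold` times within `window`."""
    denials = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        if not r.get("eventName", "").startswith("ListObjects"):
            continue
        if r.get("errorCode") != "AccessDenied":
            continue
        ident = r.get("userIdentity", {})
        if ident.get("accountId") == r.get("recipientAccountId"):
            continue  # same-account denial: not cross-account probing
        key = (ident.get("arn"), r["requestParameters"]["bucketName"])
        denials[key].append(_parse_time(r["eventTime"]))
    hits = {}
    for key, times in denials.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def find_wildcard_resource_account_policies(records):
    """Return (principal name, policy name, patterns) for inline-policy writes whose
    conditions match s3:ResourceAccount against a wildcard pattern."""
    findings = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com":
            continue
        if r.get("eventName") not in ("PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"):
            continue
        params = r.get("requestParameters", {})
        try:
            doc = json.loads(params.get("policyDocument", "{}"))
        except json.JSONDecodeError:
            continue
        stmts = doc.get("Statement", [])
        if isinstance(stmts, dict):
            stmts = [stmts]
        patterns = []
        for stmt in stmts:
            for operator, operand in stmt.get("Condition", {}).items():
                if "String" not in operator:
                    continue
                for ckey, vals in operand.items():
                    if ckey.lower() != "s3:resourceaccount":
                        continue
                    vals = vals if isinstance(vals, list) else [vals]
                    patterns += [v for v in vals if "*" in v or "?" in v]
        if patterns:
            name = params.get("userName") or params.get("roleName") or params.get("groupName")
            findings.append((name, params.get("policyName"), patterns))
    return findings
```

The sliding window matters because the probing can be slow and interleaved with unrelated traffic; counting only consecutive denials would miss it. The second check is only useful in the account that writes the policies, which for an external attacker is not yours, so the data-event check is the one that protects a bucket you own.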

Usage 10: Discover publicly shared AMIs by name filter

Search for Amazon Machine Images shared by a target organization.

Command:

aws --profile attacker ec2 describe-images --executable-users all --filters "Name=name,Values=*Offseclab*"

Usage 11: Discover publicly shared AMIs by description filter

Search for AMIs using a description keyword.

Command:

aws --profile attacker ec2 describe-images --executable-users all --filters "Name=description,Values=*Offseclab*"

Usage 12: Discover publicly shared EBS snapshots

Search for Elastic Block Storage snapshots shared by a target.

Command:

aws --profile attacker ec2 describe-snapshots --filters "Name=description,Values=*offseclab*"

Usage 13: List snapshots by owner account ID

Retrieve all snapshots owned by a specific AWS account.

Command:

aws --profile attacker ec2 describe-snapshots --owner-ids 554786959974
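Usages 10 to 13 find AMIs and snapshots that an account has shared publicly. The owner-side check is to audit the sharing attributes of your own images and snapshots, which `aws ec2 describe-image-attribute --attribute launchPermission` and `aws ec2 describe-snapshot-attribute --attribute createVolumePermission` return. The following is an added example (not from the original page) that runs that audit over constructed responses in the shape of those two API calls; the image IDs, snapshot IDs and account IDs are made up, and the trusted-account set is an assumption you would replace with your own organization's accounts.

```python
# Constructed describe-snapshot-attribute responses (not real data).
CONSTRUCTED_SNAPSHOT_ATTRS = [
    {"SnapshotId": "snap-0aaa", "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0bbb", "CreateVolumePermissions": [{"UserId": "333333333333"}]},
    {"SnapshotId": "snap-0ccc", "CreateVolumePermissions": []},
]

# Constructed describe-image-attribute responses (not real data).
CONSTRUCTED_IMAGE_ATTRS = [
    {"ImageId": "ami-0aaa",
     "LaunchPermissions": [{"Group": "all"}, {"UserId": "333333333333"}]},
    {"ImageId": "ami-0bbb", "LaunchPermissions": [{"UserId": "444444444444"}]},
]


def audit_sharing(attrs, id_key, perm_key, trusted_accounts):
    """Return (public_ids, foreign_grants) for a list of attribute responses.

    public_ids: resources with a "Group": "all" permission, i.e. shared with
    every AWS account (what --executable-users all / --restorable-by-user-ids
    all would surface from outside).
    foreign_grants: (resource id, account id) pairs for explicit shares with an
    account that is not in trusted_accounts.
    """
    public, foreign = [], []
    for attr in attrs:
        rid = attr[id_key]
        for perm in attr.get(perm_key, []):
            if perm.get("Group") == "all":
                public.append(rid)
            elif perm.get("UserId") and perm["UserId"] not in trusted_accounts:
                foreign.append((rid, perm["UserId"]))
    return public, foreign


def audit_snapshots(attrs, trusted_accounts):
    return audit_sharing(attrs, "SnapshotId", "CreateVolumePermissions", trusted_accounts)


def audit_images(attrs, trusted_accounts):
    return audit_sharing(attrs, "ImageId", "LaunchPermissions", trusted_accounts)


if __name__ == "__main__":
    trusted = {"333333333333"}  # assumption: the organization's own accounts
    print("snapshots:", audit_snapshots(CONSTRUCTED_SNAPSHOT_ATTRS, trusted))
    print("images:", audit_images(CONSTRUCTED_IMAGE_ATTRS, trusted))
```

To run it against a live account, loop over `aws ec2 describe-snapshots --owner-ids self` and `aws ec2 describe-images --owners self`, fetch each resource's attribute, and pass the JSON responses into the two audit functions. Anything reported as public is exactly what the reconnaissance commands above would find, and often a snapshot contains more than the image name suggests.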

Usage 14: DNS and domain reconnaissance (supporting commands)

Determine whether a target uses AWS by querying its DNS nameservers and running reverse lookups on its IP addresses.

Query nameservers:

host -t ns offseclab.io

Reverse DNS lookup:

host 52.70.117.69

Whois lookup:

whois 52.70.117.69 | grep "OrgName"

DNS enumeration with dnsenum:

dnsenum offseclab.io --threads 100

Usage 15: Cloud resource enumeration with cloud_enum

Use cloud_enum to discover cloud resources across providers.

Install:

sudo apt update
sudo apt install cloud-enum

Quick scan for a specific bucket name:

cloud_enum -k offseclab-assets-public-rxvjjuco --quickscan --disable-azure --disable-gcp

Scan with a custom keyfile:

cloud_enum -kf /tmp/keyfile.txt -qs --disable-azure --disable-gcp

Usage 16: Enumerate IAM users in other accounts

Abuse IAM policy validation to check whether specific IAM users exist in a target account: IAM rejects a policy whose Principal names an IAM user ARN that does not exist, so a policy that references a guessed ARN is accepted only when that user exists.

ARN format for cross-account user enumeration:

"Principal": {
  "AWS": ["arn:aws:iam::123456789012:user/cloudadmin"]
}