From a12d8833e7d9a528e65b1154967b9794528c1745 Mon Sep 17 00:00:00 2001
From: hhoollaa1
Date: Mon, 27 Jan 2025 21:10:05 +0100
Subject: [PATCH] Update aws-efs-enum.md

---
 .../aws-security/aws-services/aws-efs-enum.md | 100 ++++++++++++++++++
 1 file changed, 100 insertions(+)

diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md
index bcf4e58d48..64e1b8526b 100644
--- a/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md
@@ -123,6 +123,106 @@ Access points can be used for the following purposes: - **Enforce a root directory**: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification. - **Easier file system access**: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications. +## EFS IP address + +Using the information related to the EFS IP address, the following Python script can assist in retrieving details about the EFS system. This information is useful for building the mount system command or performing further enumeration with knowledge of the subnet ID. Additionally, the script shows access points, which can be valuable when the root directory or primary mount path is restricted. In such cases, the access points provide alternative paths to access sensitive information + +```bash +Usage: python efs_ip_enum.py +``` + +```python +import boto3 +import sys + +def get_efs_info(ip_address): + try: + session = boto3.Session(profile_name="profile") + ec2_client = session.client('ec2') + efs_client = session.client('efs') + + print(f"[*] Enumerating EFS information for IP address: {ip_address}\n") + + try: + response = ec2_client.describe_network_interfaces(Filters=[ + {'Name': 'addresses.private-ip-address', 'Values': [ip_address]} + ]) + + if not response['NetworkInterfaces']: + print(f"[!] No network interface found for IP address {ip_address}") + return + + network_interface = response['NetworkInterfaces'][0] + network_interface_id = network_interface['NetworkInterfaceId'] + print(f"[+] Found network interface: {network_interface_id}\n") + except Exception as e: + print(f"[!] 
Error retrieving network interface: {str(e)}") + return + + try: + efs_response = efs_client.describe_file_systems() + file_systems = efs_response['FileSystems'] + except Exception as e: + print(f"[!] Error retrieving EFS file systems: {str(e)}") + return + + for fs in file_systems: + fs_id = fs['FileSystemId'] + + try: + mount_targets = efs_client.describe_mount_targets(FileSystemId=fs_id)['MountTargets'] + + for mt in mount_targets: + if mt['NetworkInterfaceId'] == network_interface_id: + try: + policy = efs_client.describe_file_system_policy(FileSystemId=fs_id).get('Policy', 'No policy attached') + except Exception as e: + policy = f"Error retrieving policy: {str(e)}" + + print("[+] Found matching EFS File System:\n") + print(f" FileSystemId: {fs_id}") + print(f" MountTargetId: {mt['MountTargetId']}") + print(f" DNSName: {fs_id}.efs.{session.region_name}.amazonaws.com") + print(f" LifeCycleState: {mt['LifeCycleState']}") + print(f" SubnetId: {mt['SubnetId']}") + print(f" SecurityGroups: {', '.join(mt.get('SecurityGroups', [])) if mt.get('SecurityGroups') else 'None'}") + print(f" Policy: {policy}\n") + + try: + access_points = efs_client.describe_access_points(FileSystemId=fs_id)['AccessPoints'] + + if access_points: + print(f"[+] Access Points for FileSystemId {fs_id}:") + for ap in access_points: + print(f" AccessPointId: {ap['AccessPointId']}") + print(f" Name: {ap.get('Name', 'N/A')}") + print(f" OwnerId: {ap['OwnerId']}") + posix_user = ap.get('PosixUser', {}) + print(f" PosixUser: UID={posix_user.get('Uid', 'N/A')}, GID={posix_user.get('Gid', 'N/A')}") + root_dir = ap.get('RootDirectory', {}) + print(f" RootDirectory: Path={root_dir.get('Path', 'N/A')}") + creation_info = root_dir.get('CreationInfo', {}) + print(f" CreationInfo: OwnerUID={creation_info.get('OwnerUid', 'N/A')}, OwnerGID={creation_info.get('OwnerGid', 'N/A')}, Permissions={creation_info.get('Permissions', 'N/A')}\n") + else: + print(f"[!] 
No Access Points found for FileSystemId {fs_id}\n") + except Exception as e: + print(f"[!] Error retrieving access points for FileSystemId {fs_id}: {str(e)}\n") + except Exception as e: + print(f"[!] Error processing file system {fs_id}: {str(e)}\n") + + except Exception as e: + print(f"[!] General Error: {str(e)}\n") + +if __name__ == "__main__": + if len(sys.argv) != 2: + print("Usage: python efs_enum.py ") + sys.exit(1) + + ip_address = sys.argv[1] + get_efs_info(ip_address) + +``` + ## Privesc {{#ref}}
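Review bot: `efs_client.describe_file_systems()` in `get_efs_info` fetches only the first page of results, so in an account with more file systems than one page holds the mount target whose `NetworkInterfaceId` matches the ENI may never be compared and the script silently prints nothing; `describe_mount_targets` and `describe_access_points` are single calls too and, as far as I know, all three paginate with a `NextMarker`. Use the paginators instead, e.g. `paginator = efs_client.get_paginator('describe_file_systems')` and `file_systems = [fs for page in paginator.paginate() for fs in page['FileSystems']]`. The DNSName line interpolates `session.region_name`, which is `None` when the hard-coded `profile_name="profile"` has no region configured, yielding `fs-….efs.None.amazonaws.com`; deriving the region from `network_interface['AvailabilityZone'][:-1]` ties it to where the ENI actually lives, and the profile should be taken from an argument or `AWS_PROFILE` rather than fixed. I believe DescribeFileSystemPolicy reports the absence of a policy as a `PolicyNotFound` error rather than a missing `Policy` key, so the `.get('Policy', 'No policy attached')` fallback never fires and the most useful finding for the attacker — no resource policy, meaning mount access is governed only by IAM and the security groups — is shown as "Error retrieving policy"; catching the client's `PolicyNotFound` exception and printing `No policy attached` would make that explicit. The two usage strings also disagree (`efs_ip_enum.py` in the fenced text versus `efs_enum.py` in `__main__`) and neither shows the required IP argument, possibly because an `<ip-address>` placeholder was swallowed by the markdown renderer — worth checking in the source.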