Intro
During a security engagement, especially for an evasive/covert type of assessment, you might need to hide your traffic as much as possible. Or if the client has implemented some type of IP based blocking, you might need to rotate your source IPs to bypass it to do something like password spraying, web application enumeration, etc. Also, Microsoft is no longer considering user enumeration as their “feature”. So, if you are trying to do a password guessing/user-enumeration against one of their Office365 APIs like ActiveSync or rst2.srf (SOAP API), Microsoft has implemented a defense that after a number of queries, it will start to throw error code saying the user account is locked out whether it is valid or invalid. To bypass this, rotating your source IPs is required. In this blog post, I will show how to use AWS API Gateway to rotate source IPs to access a target URL.
AWS API Gateway Setup
Login to your AWS account
→ Click Services drop-down menu
→ Select API Gateway under the “Networking & Content Delivery”
