AWS - STS Persistence
Last updated
Last updated
学习和实践 AWS 黑客技术:HackTricks 培训 AWS 红队专家 (ARTE) 学习和实践 GCP 黑客技术:HackTricks 培训 GCP 红队专家 (GRTE)
查看 订阅计划!
加入 💬 Discord 群组 或 Telegram 群组 或 关注 我们的 Twitter 🐦 @hacktricks_live.
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 分享黑客技巧。
有关更多信息,请访问:
AWS - STS Enum临时令牌无法列出,因此保持一个活动的临时令牌是一种保持持久性的方法。
aws sts get-session-token --duration-seconds 129600
# 使用 MFA
aws sts get-session-token \
--serial-number <mfa-device-name> \
--token-code <code-from-token>
# 硬件设备名称通常是设备背面的数字,例如 GAHT12345678
# 短信设备名称是 AWS 中的 ARN,例如 arn:aws:iam::123456789012:sms-mfa/username
# 虚拟设备名称是 AWS 中的 ARN,例如 arn:aws:iam::123456789012:mfa/username
角色链切换是一个被认可的 AWS 特性,通常用于保持隐蔽的持久性。它涉及到假设一个角色,然后假设另一个角色,可能以循环的方式返回到初始角色。每次假设一个角色时,凭证的过期字段会被刷新。因此,如果两个角色被配置为相互假设,这种设置允许凭证的永久更新。
您可以使用这个 工具 来保持角色链切换:
./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]
optional arguments:
-h, --help show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
请注意,来自该Github存储库的 find_circular_trust.py 脚本并不能找到角色链配置的所有方式。
```powershell # PowerShell script to check for role juggling possibilities using AWS CLI
if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) { Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'." exit }
function List-IAMRoles { aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json }
$errorCount = 0
$roles = List-IAMRoles | ConvertFrom-Json
foreach ($role in $roles) { $sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) try { $credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json if ($credentials) { Write-Host "Successfully assumed role: $($role.RoleName)" Write-Host "Access Key: $($credentials.AccessKeyId)" Write-Host "Secret Access Key: $($credentials.SecretAccessKey)" Write-Host "Session Token: $($credentials.SessionToken)" Write-Host "Expiration: $($credentials.Expiration)"
$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId $env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey $env:AWS_SESSION_TOKEN = $credentials.SessionToken
foreach ($nextRole in $roles) { if ($nextRole.Arn -ne $role.Arn) { $nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) try { $nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json if ($nextCredentials) { Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)" Write-Host "Access Key: $($nextCredentials.AccessKeyId)" Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)" Write-Host "Session Token: $($nextCredentials.SessionToken)" Write-Host "Expiration: $($nextCredentials.Expiration)" } } catch { $errorCount++ } } }
Remove-Item Env:\AWS_ACCESS_KEY_ID Remove-Item Env:\AWS_SECRET_ACCESS_KEY Remove-Item Env:\AWS_SESSION_TOKEN } else { $errorCount++ } } catch { $errorCount++ } }
if ($errorCount -gt 0) { Write-Host "$errorCount error(s) occurred during role assumption attempts." } else { Write-Host "No errors occurred. All roles checked successfully." }
Write-Host "Role juggling check complete."
</details>
<div data-gb-custom-block data-tag="hint" data-style='success'>
学习与实践 AWS 黑客技术:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks 培训 AWS 红队专家 (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
学习与实践 GCP 黑客技术:<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks 培训 GCP 红队专家 (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>支持 HackTricks</summary>
* 查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
* **加入** 💬 [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass) 或 **在** **Twitter** 🐦 **上关注我们** [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub 仓库提交 PR 来分享黑客技巧。
</details>
</div>