AWS - IAM, Identity Center & SSO Enum


IAM

You can find a description of IAM in:

Enumeration

Main permissions needed:

  • iam:ListPolicies, iam:GetPolicy, iam:GetPolicyVersion

  • iam:ListRoles

  • iam:ListUsers

  • iam:ListGroups

  • iam:ListGroupsForUser

  • iam:ListAttachedUserPolicies

  • iam:ListAttachedRolePolicies

  • iam:ListAttachedGroupPolicies

  • iam:ListUserPolicies, iam:GetUserPolicy

  • iam:ListGroupPolicies, iam:GetGroupPolicy

  • iam:ListRolePolicies, iam:GetRolePolicy

# All IAMs
## Retrieves information about all IAM users, groups, roles, and policies
## in your Amazon Web Services account, including their relationships to
## one another. Use this operation to obtain a snapshot of the configuration
## of IAM permissions (users, groups, roles, and policies) in your account.
aws iam get-account-authorization-details

# List users
aws iam get-user #Get current user information
aws iam list-users
aws iam list-ssh-public-keys #User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata
aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services
aws iam get-user --user-name <username> #Get metadata of user, included permissions boundaries
aws iam list-access-keys #List created access keys
## inline policies
aws iam list-user-policies --user-name <username> #Get inline policies of the user
aws iam get-user-policy --user-name <username> --policy-name <policyname> #Get inline policy details
## attached policies
aws iam list-attached-user-policies --user-name <username> #Get policies of user, it doesn't get inline policies

# List groups
aws iam list-groups #Get groups
aws iam list-groups-for-user --user-name <username> #Get groups of a user
aws iam get-group --group-name <name> #Get group name info
## inline policies
aws iam list-group-policies --group-name <username> #Get inline policies of the group
aws iam get-group-policy --group-name <username> --policy-name <policyname> #Get an inline policy info
## attached policies
aws iam list-attached-group-policies --group-name <name> #Get policies of group, it doesn't get inline policies

# List roles
aws iam list-roles #Get roles
aws iam get-role --role-name <role-name> #Get role
## inline policies
aws iam list-role-policies --role-name <name> #Get inline policies of a role
aws iam get-role-policy --role-name <name> --policy-name <name> #Get inline policy details
## attached policies
aws iam list-attached-role-policies --role-name <role-name> #Get policies of role, it doesn't get inline policies

# List policies
aws iam list-policies [--only-attached] [--scope Local]
aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy content
aws iam get-policy --policy-arn <policy_arn>
aws iam list-policy-versions --policy-arn <arn>
aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>

# Enumerate providers
aws iam list-saml-providers
aws iam get-saml-provider --saml-provider-arn <ARN>
aws iam list-open-id-connect-providers
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>

# Password Policy
aws iam get-account-password-policy

# MFA
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
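The dump produced by get-account-authorization-details is the quickest way to answer "what can this user actually do, and through which policy?", because a user's effective permissions are the union of its inline policies, its attached managed policies and everything its groups carry. The following is an added example (not HackTricks' or AWS' own code) that resolves that chain over a constructed sample shaped like the command's JSON output; on a real account, feed it json.load() of the saved dump. Managed policies whose body is not present in the dump are skipped, which the function documents.

```python
# Constructed sample shaped like the `get-account-authorization-details` output (key names
# follow the IAM GetAccountAuthorizationDetails API); alice is admin only through her group.
SAMPLE = {
    "UserDetailList": [{"UserName": "alice", "GroupList": ["devs"], "AttachedManagedPolicies": [],
        "UserPolicyList": [{"PolicyName": "inline-s3", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"}]}}]}],
    "GroupDetailList": [{"GroupName": "devs", "GroupPolicyList": [], "AttachedManagedPolicies": [
        {"PolicyName": "devs-admin", "PolicyArn": "arn:aws:iam::123456789012:policy/devs-admin"}]}],
    "Policies": [{"PolicyName": "devs-admin", "Arn": "arn:aws:iam::123456789012:policy/devs-admin",
        "PolicyVersionList": [{"VersionId": "v2", "IsDefaultVersion": True, "Document": {"Statement": [
            {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]}}]}],
}

def _allows(doc, source):
    """Expand a policy document into (source, action, resource) triples for its Allow statements."""
    stmts = doc.get("Statement", [])
    out = []
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") != "Allow":
            continue
        actions, res = s.get("Action", []), s.get("Resource", "*")
        actions = actions if isinstance(actions, list) else [actions]
        res = res if isinstance(res, list) else [res]
        out += [(source, a, r) for a in actions for r in res]
    return out

def default_document(details, policy_arn):
    """Default-version document of a managed policy, or None if its body is not in the dump."""
    for p in details.get("Policies", []):
        if p["Arn"] == policy_arn:
            return next((v["Document"] for v in p["PolicyVersionList"] if v.get("IsDefaultVersion")), None)
    return None

def user_allows(details, user_name):
    """Every Allow reachable by a user: own inline + attached policies, plus those of its groups."""
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    user = next(u for u in details["UserDetailList"] if u["UserName"] == user_name)
    entities = [("user:" + user_name, user, "UserPolicyList")]
    entities += [("group:" + g, groups[g], "GroupPolicyList") for g in user.get("GroupList", [])]
    grants = []
    for label, ent, inline_key in entities:
        for pol in ent.get(inline_key, []):
            grants += _allows(pol["PolicyDocument"], "%s/inline:%s" % (label, pol["PolicyName"]))
        for att in ent.get("AttachedManagedPolicies", []):
            doc = default_document(details, att["PolicyArn"])
            if doc is not None:  # AWS-managed bodies may be absent from the dump
                grants += _allows(doc, "%s/managed:%s" % (label, att["PolicyName"]))
    return grants

def wildcard_grants(details, user_name):
    """Grants whose action carries a wildcard: the first thing to review in a permissions audit."""
    return [g for g in user_allows(details, user_name) if "*" in g[1]]
```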

Permissions brute force

If you are interested in your own permissions but you don't have access to query IAM, you could brute-force them.

bf-aws-permissions

The tool bf-aws-permissions is just a bash script that will run all the list*, describe* and get* actions it can find through the aws cli help messages using the indicated profile, and return the successful executions.

# Bruteforce permissions
bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt

bf-aws-perms-simulate

The tool bf-aws-perms-simulate can find your current permissions (or those of other principals) if you have the permission iam:SimulatePrincipalPolicy.

# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]

Perms2ManagedPolicies

If you find that your user has certain permissions and you think they are granted by an AWS managed role (and not a custom one), you can use the tool aws-Perms2ManagedRoles to check all the AWS managed roles that grant the permissions you discovered.

# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt

If you see you have permissions over services that aren't being used, you can "know" that the permissions you have were granted by an AWS managed role.

Cloudtrail2IAM

CloudTrail2IAM is a Python tool that analyses AWS CloudTrail logs to extract and summarise the actions performed by everyone or by a specific user or role. The tool will parse every cloudtrail log in the indicated bucket.

git clone https://github.com/carlospolop/Cloudtrail2IAM
cd Cloudtrail2IAM
pip install -r requirements.txt
python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS]

If you find .tfstate (Terraform state) files or CloudFormation files (these are usually yaml files located in a bucket with the prefix cf-templates), you can also read them to find aws configuration and discover which permissions have been assigned to whom.

enumerate-iam

To use the tool https://github.com/andresriancho/enumerate-iam you first need to download all the AWS API endpoints, from which the script generate_bruteforce_tests.py will take all the "list_", "describe_" and "get_" endpoints. Finally, it will try to access them with the given credentials and indicate whether it succeeded.

(In my experience the tool hangs at some point; check this fix to try to fix it.)

In my experience, this tool is similar to the previous one but works worse and checks fewer permissions.

# Install tool
git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt

# Download API endpoints
cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python3 generate_bruteforce_tests.py
rm -rf aws-sdk-js
cd ..

# Enumerate permissions
python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION]

weirdAAL

You can also use the tool weirdAAL. This tool will check several common actions over several common services (it checks some enumeration permissions and some privilege escalation permissions). But it will only run the checks that are coded in it (the only way to check more things is to write more tests).

# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
python3 -m venv weirdAAL
source weirdAAL/bin/activate
pip3 install -r requirements.txt

# Create a .env file with aws credentials such as
[default]
aws_access_key_id = <insert key id>
aws_secret_access_key = <insert secret key>

# Setup DB
python3 create_dbs.py

# Invoke it
python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests
python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# You will see output such as:
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']

Hardening tools to BF permissions

# Export env variables
./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json

# Filter results removing unknown
jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json | jq 'map(select(.resource | contains("N/A") | not))' > /tmp/out-cloudsploit-filt.json

# Get services by regions
jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' ~/Desktop/pentests/cere/greybox/core-dev-dev-cloudsploit-filtered.json

<YourTool>

None of the previous tools are able to check all permissions, so if you know a better tool, send a PR!

Unauthenticated Access

Privilege Escalation

In the following page you can check how to abuse IAM permissions to escalate privileges:

IAM Post Exploitation

IAM Persistence

IAM Identity Center

You can find a description of IAM Identity Center in:

Connect via SSO using the CLI

# Connect with sso via CLI
aws configure sso

[profile profile_name]
sso_start_url = https://subdomain.awsapps.com/start/
sso_account_id = <account_number>
sso_role_name = AdministratorAccess
sso_region = us-east-1

Enumeration

The main elements of Identity Center are:

  • Users & Groups

  • Permission Sets: have policies attached

  • AWS Accounts

Then, relationships are created so that users/groups have permission sets over AWS accounts.

Note that there are three ways to attach policies to a permission set: attaching AWS managed policies, customer managed policies (these policies need to be created in all the accounts the permission set affects) and inline policies (defined in the permission set itself).

# Check if IAM Identity Center is used
aws sso-admin list-instances

# Get Permission sets. These are the policies that can be assigned
aws sso-admin list-permission-sets --instance-arn <instance-arn>
aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## Get managed policies of a permission set
aws sso-admin list-managed-policies-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get inline policies of a permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get customer managed policies of a permission set
aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission set
aws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## List accounts a permission set is affecting
aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an account
aws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>

# Get permissions sets affecting an account
aws sso-admin list-permission-sets-provisioned-to-account --instance-arn <instance-arn> --account-id <account_id>

# List users & groups from the identity store
aws identitystore list-users --identity-store-id <store-id>
aws identitystore list-groups --identity-store-id <store-id>
## Get members of groups
aws identitystore list-group-memberships --identity-store-id <store-id> --group-id <group-id>
## Get memberships of a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
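Because access in Identity Center is a relationship (user or group) -> permission set -> account, answering "who is AdministratorAccess on the payer account?" means joining the output of list-account-assignments, list-group-memberships and the identity store user list. The following is an added example (not HackTricks' or AWS' own code) that performs that join over constructed samples shaped like the JSON the commands above return; the ids, ARNs and account numbers are made up.

```python
# Constructed samples shaped like the JSON the sso-admin / identitystore commands return
# (key names follow those APIs); ids, ARNs and account numbers are made up.
USERS = {"Users": [{"UserId": "u-1", "UserName": "alice"}, {"UserId": "u-2", "UserName": "bob"}]}
MEMBERSHIPS = {"GroupMemberships": [
    {"MembershipId": "m-1", "GroupId": "g-1", "MemberId": {"UserId": "u-1"}}]}
# permission set ARN -> Name, as collected from describe-permission-set
PERMISSION_SETS = {"arn:aws:sso:::permissionSet/ssoins-1/ps-admin": "AdministratorAccess",
                   "arn:aws:sso:::permissionSet/ssoins-1/ps-ro": "ReadOnlyAccess"}
ASSIGNMENTS = {"AccountAssignments": [
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-1/ps-admin",
     "PrincipalType": "GROUP", "PrincipalId": "g-1"},
    {"AccountId": "222222222222", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-1/ps-ro",
     "PrincipalType": "USER", "PrincipalId": "u-2"}]}

def effective_access(users, memberships, permission_sets, assignments):
    """Map each user name to the set of (account_id, permission_set_name) it can reach,
    either through a direct USER assignment or through a GROUP it belongs to."""
    names = {u["UserId"]: u["UserName"] for u in users["Users"]}
    members = {}  # group id -> set of user ids
    for m in memberships["GroupMemberships"]:
        members.setdefault(m["GroupId"], set()).add(m["MemberId"]["UserId"])
    access = {name: set() for name in names.values()}
    for a in assignments["AccountAssignments"]:
        ps_name = permission_sets.get(a["PermissionSetArn"], a["PermissionSetArn"])
        if a["PrincipalType"] == "USER":
            targets = {a["PrincipalId"]}
        else:
            targets = members.get(a["PrincipalId"], set())
        for uid in targets:
            if uid in names:  # skip principals missing from the identity store listing
                access[names[uid]].add((a["AccountId"], ps_name))
    return access

def who_can_reach(access, account_id, permission_set_name):
    """Users holding a given permission set on a given account, sorted by name."""
    return sorted(u for u, grants in access.items() if (account_id, permission_set_name) in grants)
```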

Local Enumeration

It's possible to create the file config inside the folder $HOME/.aws to configure profiles that can be accessed via SSO, for example:

[default]
region = us-west-2
output = json

[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = MySSORole
region = us-west-2
output = json

[profile dependent-profile]
role_arn = arn:aws:iam::<acc-id>:role/ReadOnlyRole
source_profile = Hacktricks-Admin

This configuration can be used with the following commands:

# Login in my-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile

When a profile that uses SSO is used to access some information, the credentials are cached in a file inside the folder $HOME/.aws/sso/cache. Therefore, they can be read and used from there.

Moreover, more credentials can be stored in the folder $HOME/.aws/cli/cache. This cache directory is mainly used when you use AWS CLI profiles that rely on IAM user credentials or assume roles through IAM (without using SSO). Configuration example:

[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456
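Reviewing a workstation's $HOME/.aws/config is mostly about following source_profile hops: a role profile is only as strong as the credential it chains back to (an SSO token or a static key), and a role hop without mfa_serial is worth flagging. The following is an added example (not HackTricks' or AWS' own code) that resolves those chains over a constructed config text built from the profiles shown above; dependent-profile is pointed at my-sso-profile here so the sample is self-contained.

```python
import configparser
# Constructed ~/.aws/config text combining the profiles shown above (not a real file).
CONFIG_TEXT = """
[default]
region = us-west-2

[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = MySSORole

[profile dependent-profile]
role_arn = arn:aws:iam::123456789012:role/ReadOnlyRole
source_profile = my-sso-profile

[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
"""

def load_profiles(text):
    """Parse config text into {profile_name: {key: value}} ('profile ' prefix dropped)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s[8:] if s.startswith("profile ") else s: dict(cp[s]) for s in cp.sections()}

def resolve(profiles, name, seen=()):
    """Follow source_profile hops to the credential root; returns (root, kind, chain)."""
    if name in seen:
        raise ValueError("source_profile cycle through %s" % name)
    p = profiles[name]
    if "role_arn" in p and "source_profile" in p:
        root, kind, chain = resolve(profiles, p["source_profile"], seen + (name,))
        return root, kind, chain + [name]
    # no role hop: SSO-backed (token cached under ~/.aws/sso/cache) or static keys
    kind = "sso" if ("sso_start_url" in p or "sso_session" in p) else "static"
    return name, kind, [name]

def audit(text):
    """Per profile: credential root, kind, hop chain and whether a role hop lacks mfa_serial."""
    profiles = load_profiles(text)
    report = {}
    for name, p in profiles.items():
        root, kind, chain = resolve(profiles, name)
        report[name] = {"root": root, "kind": kind, "chain": chain,
                        "role_without_mfa_serial": "role_arn" in p and "mfa_serial" not in p}
    return report
```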

Unauthenticated Access

Privilege Escalation

Post Exploitation

Persistence

Create a user and assign it permissions

# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password

  • Create a group, assign it permissions and put a controlled user in it

  • Give extra permissions to the controlled user or group

  • By default, only users from the management account are able to access and control IAM Identity Center.

However, through a Delegated Administrator it's possible to allow users from a different account to manage it. They won't have exactly the same permissions, but they will be able to perform management activities.
