# All IAMs## Retrieves information about all IAM users, groups, roles, and policies## in your Amazon Web Services account, including their relationships to## one another. Use this operation to obtain a snapshot of the configura-## tion of IAM permissions (users, groups, roles, and policies) in your## account.awsiamget-account-authorization-details# List usersawsiamget-user#Get current user informationawsiamlist-usersawsiamlist-ssh-public-keys#User keys for CodeCommitawsiamget-ssh-public-key--user-name<username>--ssh-public-key-id<id>--encodingSSH#Get public key with metadataawsiamlist-service-specific-credentials#Get special permissions of the IAM user over specific servicesawsiamget-user--user-name<username>#Get metadata of user, included permissions boundariesawsiamlist-access-keys#List created access keys## inline policiesawsiamlist-user-policies--user-name<username>#Get inline policies of the userawsiamget-user-policy--user-name<username>--policy-name<policyname>#Get inline policy details## attached policiesawsiamlist-attached-user-policies--user-name<username>#Get policies of user, it doesn't get inline policies# List groupsawsiamlist-groups#Get groupsawsiamlist-groups-for-user--user-name<username>#Get groups of a userawsiamget-group--group-name<name>#Get group name info## inline policiesawsiamlist-group-policies--group-name<username>#Get inline policies of the groupawsiamget-group-policy--group-name<username>--policy-name<policyname>#Get an inline policy info## attached policiesawsiamlist-attached-group-policies--group-name<name>#Get policies of group, it doesn't get inline policies# List rolesawsiamlist-roles#Get rolesawsiamget-role--role-name<role-name>#Get role## inline policiesawsiamlist-role-policies--role-name<name>#Get inline policies of a roleawsiamget-role-policy--role-name<name>--policy-name<name>#Get inline policy details## attached policiesawsiamlist-attached-role-policies--role-name<role-name>#Get policies of role, it doesn't get inline policies# List policiesawsiamlist-policies [--only-attached] [--scope Local]aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy contentawsiamget-policy--policy-arn<policy_arn>awsiamlist-policy-versions--policy-arn<arn>awsiamget-policy-version--policy-arn<arn:aws:iam::975426262029:policy/list_apigateways>--version-id<VERSION_X># Enumerate providersawsiamlist-saml-providersawsiamget-saml-provider--saml-provider-arn<ARN>awsiamlist-open-id-connect-providersawsiamget-open-id-connect-provider--open-id-connect-provider-arn<ARN># Password Policyawsiamget-account-password-policy# MFAawsiamlist-mfa-devicesawsiamlist-virtual-mfa-devices
# Installgitclonehttps://github.com/carnal0wnage/weirdAAL.gitcdweirdAALpython3-mvenvweirdAALsourceweirdAAL/bin/activatepip3install-rrequirements.txt# Create a .env file with aws credentials such as[default]aws_access_key_id=<insertkeyid>aws_secret_access_key=<insertsecretkey># Setup DBpython3create_dbs.py# Invoke itpython3weirdAAL.py-mec2_describe_instances-tec2test# Just some ec2 testspython3weirdAAL.py-mrecon_all-tMyTarget# Check all permissions# You will see output such as:# [+] elbv2 Actions allowed are [+]# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']
# https://github.com/turbot/steampipe-mod-aws-insightssteampipecheckall--export=json# https://github.com/turbot/steampipe-mod-aws-perimeter# In this case you cannot output to JSON, so heck it in the dashboardsteampipedashboard
<YourTool>
之前的工具都无法检查所有权限,因此如果你知道更好的工具,请发送 PR!
未经身份验证的访问
权限提升
在以下页面中,你可以查看如何 滥用 IAM 权限以提升权限:
IAM 后期利用
IAM 持久性
IAM 身份中心
你可以在以下位置找到 IAM 身份中心的描述:
通过 SSO 使用 CLI 连接
# Connect with sso via CLI aws configure ssoawsconfiguresso[profile profile_name]sso_start_url=https://subdomain.awsapps.com/start/sso_account_id=<account_numbre>sso_role_name=AdministratorAccesssso_region=us-east-1
# Check if IAM Identity Center is usedawssso-adminlist-instances# Get Permissions sets. These are the policies that can be assignedawssso-adminlist-permission-sets--instance-arn<instance-arn>awssso-admindescribe-permission-set--instance-arn<instance-arn>--permission-set-arn<perm-set-arn>## Get managed policies of a permission setawssso-adminlist-managed-policies-in-permission-set--instance-arn<instance-arn>--permission-set-arn<perm-set-arn>## Get inline policies of a permission setawssso-adminget-inline-policy-for-permission-set--instance-arn<instance-arn>--permission-set-arn<perm-set-arn>## Get customer managed policies of a permission setaws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission setaws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List accounts a permission set is affectingaws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an accountaws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>
# Get permissions sets affecting an accountawssso-adminlist-permission-sets-provisioned-to-account--instance-arn<instance-arn>--account-id<account_id># List users & groups from the identity storeawsidentitystorelist-users--identity-store-id<store-id>awsidentitystorelist-groups--identity-store-id<store-id>## Get members of groupsawsidentitystorelist-group-memberships--identity-store-id<store-id>--group-id<group-id>## Get memberships or a user or a groupawsidentitystorelist-group-memberships-for-member--identity-store-id<store-id>--member-id<member-id>
# Create user identitystore:CreateUseraws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password