AWS - Cognito Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Cognito

Amazon Cognito is utilized for authentication, authorization, and user management in web and mobile applications. It allows users the flexibility to sign in either directly using a user name and password or indirectly through a third party, including Facebook, Amazon, Google, or Apple.

Central to Amazon Cognito are two primary components:

  1. User Pools: These are directories designed for your app users, offering sign-up and sign-in functionalities.

  2. Identity Pools: These pools are instrumental in authorizing users to access different AWS services. They are not directly involved in the sign-in or sign-up process but are crucial for resource access post-authentication.

User pools

To learn what is a Cognito User Pool check:

pageCognito User Pools

Identity pools

The learn what is a Cognito Identity Pool check:

pageCognito Identity Pools

Enumeration

# List Identity Pools
aws cognito-identity list-identity-pools --max-results 60
aws cognito-identity describe-identity-pool --identity-pool-id "eu-west-2:38b294756-2578-8246-9074-5367fc9f5367"
aws cognito-identity list-identities --identity-pool-id <ident-pool-id> --max-results 60
aws cognito-identity get-identity-pool-roles --identity-pool-id <ident-pool-id>

# Identities Datasets
## Get dataset of identity id (inside identity pool)
aws cognito-sync list-datasets --identity-pool-id <ident-pool-id> --identity-id <ident-id>
## Get info of the dataset
aws cognito-sync describe-dataset --identity-pool-id <value> --identity-id <value> --dataset-name <value>
## Get dataset records
aws cognito-sync list-records --identity-pool-id <value> --identity-id <value> --dataset-name <value>

# User Pools
## Get pools
aws cognito-idp list-user-pools --max-results 60

## Get users
aws cognito-idp list-users --user-pool-id <user-pool-id>

## Get groups
aws cognito-idp list-groups --user-pool-id <user-pool-id>

## Get users in a group
aws cognito-idp list-users-in-group --user-pool-id <user-pool-id> --group-name <group-name>

## List App IDs of a user pool
aws cognito-idp list-user-pool-clients --user-pool-id <user-pool-id>

## List configured identity providers for a user pool
aws cognito-idp list-identity-providers --user-pool-id <user-poo

## List user import jobs
aws cognito-idp list-user-import-jobs --user-pool-id <user-pool-id> --max-results 60

## Get MFA config of a user pool
aws cognito-idp get-user-pool-mfa-config --user-pool-id <user-pool-id>

## Get risk configuration
aws cognito-idp describe-risk-configuration --user-pool-id <user-pool-id>

Identity Pools - Unauthenticated Enumeration

Just knowing the Identity Pool ID you might be able get credentials of the role associated to unauthenticated users (if any). Check how here.

User Pools - Unauthenticated Enumeration

Even if you don't know a valid username inside Cognito, you might be able to enumerate valid usernames, BF the passwords of even register a new user just knowing the App client ID (which is usually found in source code). Check how here.

Privesc

pageAWS - Cognito Privesc

Unauthenticated Access

pageAWS - Cognito Unauthenticated Enum

Persistence

pageAWS - Cognito Persistence
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated