AWS - IAM, Identity Center & SSO Enum

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

IAM

Unaweza kupata maelezo ya IAM katika:

AWS - Basic Information

Enumeration

Ruhusa kuu zinazohitajika:

iam:ListPolicies, iam:GetPolicy na iam:GetPolicyVersion
iam:ListRoles
iam:ListUsers
iam:ListGroups
iam:ListGroupsForUser
iam:ListAttachedUserPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedGroupPolicies
iam:ListUserPolicies na iam:GetUserPolicy
iam:ListGroupPolicies na iam:GetGroupPolicy
iam:ListRolePolicies na iam:GetRolePolicy

# All IAMs
## Retrieves  information about all IAM users, groups, roles, and policies
## in your Amazon Web Services account, including their relationships  to
## one another. Use this operation to obtain a snapshot of the configura-
## tion of IAM permissions (users, groups, roles, and  policies)  in  your
## account.
aws iam get-account-authorization-details

# List users
aws iam get-user #Get current user information
aws iam list-users
aws iam list-ssh-public-keys #User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata
aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services
aws iam get-user --user-name <username> #Get metadata of user, included permissions boundaries
aws iam list-access-keys #List created access keys
## inline policies
aws iam list-user-policies --user-name <username> #Get inline policies of the user
aws iam get-user-policy --user-name <username> --policy-name <policyname> #Get inline policy details
## attached policies
aws iam list-attached-user-policies --user-name <username> #Get policies of user, it doesn't get inline policies

# List groups
aws iam list-groups #Get groups
aws iam list-groups-for-user --user-name <username> #Get groups of a user
aws iam get-group --group-name <name> #Get group name info
## inline policies
aws iam list-group-policies --group-name <username> #Get inline policies of the group
aws iam get-group-policy --group-name <username> --policy-name <policyname> #Get an inline policy info
## attached policies
aws iam list-attached-group-policies --group-name <name> #Get policies of group, it doesn't get inline policies

# List roles
aws iam list-roles #Get roles
aws iam get-role --role-name <role-name> #Get role
## inline policies
aws iam list-role-policies --role-name <name> #Get inline policies of a role
aws iam get-role-policy --role-name <name> --policy-name <name> #Get inline policy details
## attached policies
aws iam list-attached-role-policies --role-name <role-name> #Get policies of role, it doesn't get inline policies

# List policies
aws iam list-policies [--only-attached] [--scope Local]
aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy content
aws iam get-policy --policy-arn <policy_arn>
aws iam list-policy-versions --policy-arn <arn>
aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>

# Enumerate providers
aws iam list-saml-providers
aws iam get-saml-provider --saml-provider-arn <ARN>
aws iam list-open-id-connect-providers
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>

# Password Policy
aws iam get-account-password-policy

# MFA
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices

Permissions Brute Force

Ikiwa unavutiwa na ruhusa zako lakini huna ufikiaji wa kuuliza IAM unaweza kila wakati kuzilazimisha.

bf-aws-permissions

Chombo bf-aws-permissions ni script ya bash tu ambayo itakimbia kwa kutumia wasifu ulioonyeshwa list*, describe*, get* vitendo vyote inavyoweza kupata kwa kutumia ujumbe wa msaada wa aws cli na kurudisha utekelezaji uliofanikiwa.

# Bruteforce permissions
bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt

bf-aws-perms-simulate

Chombo bf-aws-perms-simulate kinaweza kupata ruhusa zako za sasa (au za wakuu wengine) ikiwa una ruhusa iam:SimulatePrincipalPolicy

# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]

Perms2ManagedPolicies

Ikiwa umepata idhini fulani ambazo mtumiaji wako ana, na unafikiri kwamba zinatolewa na mwanachama wa AWS aliye na usimamizi (na si kwa mmoja wa kawaida). Unaweza kutumia chombo aws-Perms2ManagedRoles kuangalia yote mwanachama wa AWS aliye na usimamizi ambao unatoa idhini ulizogundua kuwa nazo.

# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt

Inawezekana "kujua" kama ruhusa ulizonazo zimetolewa na jukumu linalosimamiwa na AWS ikiwa utaona kwamba una ruhusa juu ya huduma ambazo hazitumiki kwa mfano.

Cloudtrail2IAM

CloudTrail2IAM ni chombo cha Python ambacho kinachambua maktaba za AWS CloudTrail ili kutoa na kufupisha vitendo vilivyofanywa na kila mtu au tu mtumiaji au jukumu maalum. Chombo kitachambua kila maktaba ya cloudtrail kutoka kwenye bakuli lililoonyeshwa.

git clone https://github.com/carlospolop/Cloudtrail2IAM
cd Cloudtrail2IAM
pip install -r requirements.txt
python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS]

Ikiwa unapata .tfstate (faili za hali za Terraform) au faili za CloudFormation (hizi mara nyingi ni faili za yaml zilizoko ndani ya bucket yenye kiambishi cf-templates), unaweza pia kuzisoma ili kupata usanidi wa aws na kujua ni ruhusa zipi zimepewa nani.

enumerate-iam

Ili kutumia chombo https://github.com/andresriancho/enumerate-iam kwanza unahitaji kupakua mwisho wote wa API AWS, kutoka kwa hizo skripti generate_bruteforce_tests.py itapata "list_", "describe_", na "get_" mwisho. Na hatimaye, itajaribu kuzipata kwa kutumia akreditivu zilizotolewa na kuonyesha kama ilifanya kazi.

(Katika uzoefu wangu chombo kinakwama katika hatua fulani, angalia marekebisho haya kujaribu kurekebisha hilo).

Katika uzoefu wangu chombo hiki ni kama kile cha awali lakini kinafanya kazi vibaya zaidi na kinachunguza ruhusa chache

# Install tool
git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt

# Download API endpoints
cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python3 generate_bruteforce_tests.py
rm -rf aws-sdk-js
cd ..

# Enumerate permissions
python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION]

weirdAAL

Unaweza pia kutumia chombo weirdAAL. Chombo hiki kitakagua operesheni kadhaa za kawaida kwenye huduma kadhaa za kawaida (kitakagua baadhi ya ruhusa za kuorodhesha na pia baadhi ya ruhusa za privesc). Lakini kitakagua tu ukaguzi ulioandikwa (njia pekee ya kukagua vitu zaidi ni kuandika majaribio zaidi).

# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
python3 -m venv weirdAAL
source weirdAAL/bin/activate
pip3 install -r requirements.txt

# Create a .env file with aws credentials such as
[default]
aws_access_key_id = <insert key id>
aws_secret_access_key = <insert secret key>

# Setup DB
python3 create_dbs.py

# Invoke it
python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests
python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# You will see output such as:
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']

Zana za Kuimarisha BF ruhusa

# Export env variables
./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json

# Filter results removing unknown
jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json | jq 'map(select(.resource | contains("N/A") | not))' > /tmp/out-cloudsploit-filt.json

# Get services by regions
jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' ~/Desktop/pentests/cere/greybox/core-dev-dev-cloudsploit-filtered.json

# https://github.com/turbot/steampipe-mod-aws-insights
steampipe check all --export=json

# https://github.com/turbot/steampipe-mod-aws-perimeter
# In this case you cannot output to JSON, so heck it in the dashboard
steampipe dashboard

<YourTool>

Hakuna kati ya zana zilizopita zinazoweza kuangalia karibu ruhusa zote, hivyo ikiwa unajua zana bora zaidi tuma PR!

Upatikanaji Usioidhinishwa

AWS - IAM & STS Unauthenticated Enum

Kuinua Haki

Katika ukurasa ufuatao unaweza kuangalia jinsi ya kutumia ruhusa za IAM ili kuinua haki:

AWS - IAM Privesc

IAM Baada ya Kutekeleza

AWS - IAM Post Exploitation

IAM Kudumu

AWS - IAM Persistence

Kituo cha Utambulisho wa IAM

Unaweza kupata maelezo ya Kituo cha Utambulisho wa IAM katika:

AWS - Basic Information

Unganisha kupitia SSO na CLI

# Connect with sso via CLI aws configure sso
aws configure sso

[profile profile_name]
sso_start_url = https://subdomain.awsapps.com/start/
sso_account_id = <account_numbre>
sso_role_name = AdministratorAccess
sso_region = us-east-1

Enumeration

Vipengele vikuu vya Kituo cha Utambulisho ni:

Watumiaji na vikundi
Seti za Ruhusa: Zina sera zilizounganishwa
Akaunti za AWS

Kisha, uhusiano huundwa ili watumiaji/vikundi wawe na Seti za Ruhusa juu ya Akaunti ya AWS.

Kumbuka kwamba kuna njia 3 za kuunganisha sera kwenye Seti ya Ruhusa. Kuunganisha sera zinazodhibitiwa na AWS, sera zinazodhibitiwa na Wateja (sera hizi zinahitaji kuundwa katika akaunti zote ambazo Seti za Ruhusa zinahusisha), na sera za ndani (zilizofafanuliwa hapo).

# Check if IAM Identity Center is used
aws sso-admin list-instances

# Get Permissions sets. These are the policies that can be assigned
aws sso-admin list-permission-sets --instance-arn <instance-arn>
aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## Get managed policies of a permission set
aws sso-admin list-managed-policies-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get inline policies of a permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get customer managed policies of a permission set
aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission set
aws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## List accounts a permission set is affecting
aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an account
aws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>

# Get permissions sets affecting an account
aws sso-admin list-permission-sets-provisioned-to-account --instance-arn <instance-arn> --account-id <account_id>

# List users & groups from the identity store
aws identitystore list-users --identity-store-id <store-id>
aws identitystore list-groups --identity-store-id <store-id>
## Get members of groups
aws identitystore list-group-memberships --identity-store-id <store-id> --group-id <group-id>
## Get memberships or a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>

Local Enumeration

Inawezekana kuunda ndani ya folda $HOME/.aws faili config ili kuunda miprofaili inayopatikana kupitia SSO, kwa mfano:

[default]
region = us-west-2
output = json

[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = MySSORole
region = us-west-2
output = json

[profile dependent-profile]
role_arn = arn:aws:iam::<acc-id>:role/ReadOnlyRole
source_profile = Hacktricks-Admin

Hii usanidi unaweza kutumika na amri:

# Login in ms-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile

Wakati profaili kutoka SSO inatumika kupata taarifa fulani, taarifa za kuingia zinahifadhiwa katika faili ndani ya folda $HOME/.aws/sso/cache. Hivyo basi zinaweza kusomwa na kutumika kutoka hapo.

Zaidi ya hayo, taarifa zaidi za kuingia zinaweza kuhifadhiwa katika folda $HOME/.aws/cli/cache. Hii folda ya cache inatumika hasa unapokuwa ukifanya kazi na AWS CLI profiles zinazotumia taarifa za kuingia za mtumiaji wa IAM au kuchukua majukumu kupitia IAM (bila SSO). Mfano wa usanidi:

[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456

Kudumu

Unda mtumiaji na uweke ruhusa kwake

# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password

Unda kundi na uweke ruhusa na kuweka mtumiaji anayedhibitiwa
Toa ruhusa za ziada kwa mtumiaji au kundi lililodhibitiwa
Kwa kawaida, ni watumiaji pekee wenye ruhusa kutoka Akaunti ya Usimamizi watakaoweza kufikia na kudhibiti Kituo cha Utambulisho wa IAM.

Hata hivyo, inawezekana kupitia Msimamizi wa Wajibu kuruhusu watumiaji kutoka akaunti tofauti kuisimamia. Hawa hawataweza kuwa na ruhusa sawa, lakini wataweza kufanya shughuli za usimamizi.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Kinesis Data Firehose Enum NextAWS - KMS Enum

Last updated 3 days ago

IAM

Enumeration

Permissions Brute Force

bf-aws-permissions

bf-aws-perms-simulate

Perms2ManagedPolicies

Cloudtrail2IAM

enumerate-iam

weirdAAL

Zana za Kuimarisha BF ruhusa

<YourTool>

Upatikanaji Usioidhinishwa

Kuinua Haki

IAM Baada ya Kutekeleza

IAM Kudumu

Kituo cha Utambulisho wa IAM

Unganisha kupitia SSO na CLI

Enumeration

Local Enumeration

Upatikanaji Usioidhinishwa

Kuinua Mamlaka

Baada ya Kutekeleza

Kudumu

Unda mtumiaji na uweke ruhusa kwake

IAM

Enumeration

Permissions Brute Force

bf-aws-permissions

bf-aws-perms-simulate

Perms2ManagedPolicies

Cloudtrail2IAM

enumerate-iam

weirdAAL

Zana za Kuimarisha BF ruhusa

<YourTool>

Upatikanaji Usioidhinishwa

Kuinua Haki

IAM Baada ya Kutekeleza

IAM Kudumu

Kituo cha Utambulisho wa IAM

Unganisha kupitia SSO na CLI

Enumeration

Local Enumeration

Upatikanaji Usioidhinishwa

Kuinua Mamlaka

Baada ya Kutekeleza

Kudumu

Unda mtumiaji na uweke ruhusa kwake