iam:ListPolicies, iam:GetPolicy and iam:GetPolicyVersion
iam:ListRoles
iam:ListUsers
iam:ListGroups
iam:ListGroupsForUser
iam:ListAttachedUserPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedGroupPolicies
iam:ListUserPolicies and iam:GetUserPolicy
iam:ListGroupPolicies and iam:GetGroupPolicy
iam:ListRolePolicies and iam:GetRolePolicy
# All IAMs
## Retrieves information about all IAM users, groups, roles, and policies
## in your Amazon Web Services account, including their relationships to
## one another. Use this operation to obtain a snapshot of the configuration
## of IAM permissions (users, groups, roles, and policies) in your
## account.
aws iam get-account-authorization-details

# List users
aws iam get-user #Get current user information
aws iam list-users
aws iam list-ssh-public-keys #User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata
aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services
aws iam get-user --user-name <username> #Get metadata of user, included permissions boundaries
aws iam list-access-keys #List created access keys
## inline policies
aws iam list-user-policies --user-name <username> #Get inline policies of the user
aws iam get-user-policy --user-name <username> --policy-name <policyname> #Get inline policy details
## attached policies
aws iam list-attached-user-policies --user-name <username> #Get policies of user, it doesn't get inline policies

# List groups
aws iam list-groups #Get groups
aws iam list-groups-for-user --user-name <username> #Get groups of a user
aws iam get-group --group-name <name> #Get group name info
## inline policies
aws iam list-group-policies --group-name <username> #Get inline policies of the group
aws iam get-group-policy --group-name <username> --policy-name <policyname> #Get an inline policy info
## attached policies
aws iam list-attached-group-policies --group-name <name> #Get policies of group, it doesn't get inline policies

# List roles
aws iam list-roles #Get roles
aws iam get-role --role-name <role-name> #Get role
## inline policies
aws iam list-role-policies --role-name <name> #Get inline policies of a role
aws iam get-role-policy --role-name <name> --policy-name <name> #Get inline policy details
## attached policies
aws iam list-attached-role-policies --role-name <role-name> #Get policies of role, it doesn't get inline policies

# List policies
aws iam list-policies [--only-attached] [--scope Local]
aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy content
aws iam get-policy --policy-arn <policy_arn>
aws iam list-policy-versions --policy-arn <arn>
aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>

# Enumerate providers
aws iam list-saml-providers
aws iam get-saml-provider --saml-provider-arn <ARN>
aws iam list-open-id-connect-providers
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>

# Password Policy
aws iam get-account-password-policy

# MFA
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
Permissions Brute Force
If you are interested in your own permissions but you don't have access to query IAM, you can always brute-force them.
bf-aws-permissions
The tool bf-aws-permissions is a bash script that, using the indicated profile, runs every list*, describe* and get* action it can find in the aws cli help messages and returns the executions that succeeded.
The tool bf-aws-perms-simulate can find your current permissions (or those of other principals) if you have the permission iam:SimulatePrincipalPolicy.
# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]
Perms2ManagedPolicies
If you found some permissions your user has, and you think they are being granted by a managed AWS role (and not by a custom one), you can use the tool aws-Perms2ManagedRoles to check all the AWS managed roles that grant the permissions you discovered you have.
# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt
It's possible to "know" whether the permissions you have are granted by an AWS managed role if, for example, you see that you have permissions over services that aren't used.
Cloudtrail2IAM
CloudTrail2IAM is a Python tool that analyses AWS CloudTrail logs to extract and summarize the actions done by everyone, or just by a specific user or role. The tool will parse every CloudTrail log from the indicated bucket.
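The same CloudTrail data seen from the detection side, as an added example (not CloudTrail2IAM's code and not part of the original page): it summarises read-only calls per principal and flags principals whose List/Describe/Get calls span several services and are mostly denied, which is the trace left by the permission brute-forcing described above. The records, ARNs, thresholds and the set of error codes are constructed assumptions.

```python
import json
from collections import defaultdict

READ_PREFIXES = ("List", "Describe", "Get")
DENIED = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

def summarize(log_text):
    """Map principal ARN -> allowed/denied read-only 'service:Action' sets."""
    out = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for rec in json.loads(log_text).get("Records", []):
        name = rec.get("eventName", "")
        if not name.startswith(READ_PREFIXES):
            continue  # only the call families the brute-force tools try
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        service = rec.get("eventSource", "").split(".")[0]
        key = "denied" if rec.get("errorCode") in DENIED else "allowed"
        out[arn][key].add(f"{service}:{name}")
    return dict(out)

def flag_bruteforce(summary, min_services=3, min_denied_ratio=0.5):
    """Principals probing many services with mostly denied read calls."""
    flagged = []
    for arn, s in summary.items():
        calls = s["allowed"] | s["denied"]
        services = {c.split(":")[0] for c in calls}
        if (len(services) >= min_services
                and len(s["denied"]) / len(calls) >= min_denied_ratio):
            flagged.append(arn)
    return sorted(flagged)

def _rec(arn, source, name, error=None):
    rec = {"userIdentity": {"arn": arn}, "eventSource": source, "eventName": name}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample records (not real log data).
BOT = "arn:aws:iam::111122223333:user/ci-bot"
DEV = "arn:aws:iam::111122223333:user/dev"
SAMPLE_LOG = json.dumps({"Records": [
    _rec(BOT, "s3.amazonaws.com", "ListBuckets"),
    _rec(BOT, "ec2.amazonaws.com", "DescribeInstances", "Client.UnauthorizedOperation"),
    _rec(BOT, "iam.amazonaws.com", "ListUsers", "AccessDenied"),
    _rec(BOT, "rds.amazonaws.com", "DescribeDBInstances", "AccessDenied"),
    _rec(DEV, "s3.amazonaws.com", "ListBuckets"),
    _rec(DEV, "s3.amazonaws.com", "GetBucketPolicy"),
    _rec(DEV, "s3.amazonaws.com", "PutObject"),
]})

if __name__ == "__main__":
    print(flag_bruteforce(summarize(SAMPLE_LOG)))
```

The thresholds need tuning per account: inventory and monitoring tools also issue many read calls, but they rarely receive denials across unrelated services.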
If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find the aws configuration and which permissions have been assigned to whom.
enumerate-iam
To use the tool https://github.com/andresriancho/enumerate-iam you first need to download all the AWS API endpoints; from those, the script generate_bruteforce_tests.py will get all the "list_", "describe_", and "get_" endpoints. Finally, it will try to access them with the given credentials and indicate whether it worked.
(In my experience the tool hangs at some point, check out this fix to try to fix that).
In my experience this tool is like the previous one but works worse and checks fewer permissions.
You can also use the tool weirdAAL. This tool will check several common operations on several common services (it will check some enumeration permissions and also some privesc permissions). But it will only run the checks that have been coded (the only way to check more things is to write more tests).
# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
python3 -m venv weirdAAL
source weirdAAL/bin/activate
pip3 install -r requirements.txt

# Create a .env file with aws credentials such as
[default]
aws_access_key_id = <insert key id>
aws_secret_access_key = <insert secret key>

# Setup DB
python3 create_dbs.py

# Invoke it
python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests
python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# You will see output such as:
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']
# https://github.com/turbot/steampipe-mod-aws-insights
steampipe check all --export=json

# https://github.com/turbot/steampipe-mod-aws-perimeter
# In this case you cannot output to JSON, so check it in the dashboard
steampipe dashboard
<YourTool>
None of the previous tools is capable of checking close to all permissions, so if you know a better tool send a PR!
# Connect with sso via CLI aws configure sso
aws configure sso

[profile profile_name]
sso_start_url = https://subdomain.awsapps.com/start/
sso_account_id = <account_number>
sso_role_name = AdministratorAccess
sso_region = us-east-1
Enumeration
The main elements of the Identity Center are:
Users and groups
Permission Sets: Have policies attached
AWS Accounts
Then, relationships are created so that users/groups have Permission Sets over an AWS Account.
Note that there are 3 ways to attach policies to a Permission Set: attaching AWS managed policies, Customer managed policies (these policies need to be created in all the accounts the Permission Set is affecting), and inline policies (defined in there).
# Check if IAM Identity Center is used
aws sso-admin list-instances

# Get Permissions sets. These are the policies that can be assigned
aws sso-admin list-permission-sets --instance-arn <instance-arn>
aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## Get managed policies of a permission set
aws sso-admin list-managed-policies-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get inline policies of a permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get customer managed policies of a permission set
aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission set
aws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## List accounts a permission set is affecting
aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an account
aws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>

# Get permissions sets affecting an account
aws sso-admin list-permission-sets-provisioned-to-account --instance-arn <instance-arn> --account-id <account_id>

# List users & groups from the identity store
aws identitystore list-users --identity-store-id <store-id>
aws identitystore list-groups --identity-store-id <store-id>
## Get members of groups
aws identitystore list-group-memberships --identity-store-id <store-id> --group-id <group-id>
## Get memberships of a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
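An added example (not part of the original page) of how the relationships described above resolve in an access review: it joins items shaped like the output of list-account-assignments and list-group-memberships, expands group assignments into per-user access, and reports who holds a given Permission Set in which account. All IDs, ARNs and names below are constructed, and the NAMES map stands in for the names returned by describe-permission-set.

```python
def effective_access(assignments, memberships, names):
    """Expand USER and GROUP assignments into user -> {(account, permission set)}."""
    members = {}
    for m in memberships:  # items shaped like list-group-memberships output
        members.setdefault(m["GroupId"], set()).add(m["MemberId"]["UserId"])
    access = {}
    for a in assignments:  # items shaped like list-account-assignments output
        if a["PrincipalType"] == "USER":
            users = {a["PrincipalId"]}
        else:  # GROUP: every member inherits the assignment
            users = members.get(a["PrincipalId"], set())
        ps = names.get(a["PermissionSetArn"], a["PermissionSetArn"])
        for user in users:
            access.setdefault(user, set()).add((a["AccountId"], ps))
    return access

def holders(access, permission_set):
    """Users holding the named permission set, with the accounts it applies to."""
    return {u: sorted(acct for acct, ps in pairs if ps == permission_set)
            for u, pairs in access.items()
            if any(ps == permission_set for _, ps in pairs)}

# Constructed sample data (not from a real Identity Center instance).
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin"
PS_RO = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly"
NAMES = {PS_ADMIN: "AdministratorAccess", PS_RO: "ReadOnly"}
MEMBERSHIPS = [
    {"GroupId": "g-ops", "MemberId": {"UserId": "u-alice"}},
    {"GroupId": "g-ops", "MemberId": {"UserId": "u-bob"}},
]
ASSIGNMENTS = [
    {"AccountId": "111122223333", "PermissionSetArn": PS_ADMIN,
     "PrincipalType": "GROUP", "PrincipalId": "g-ops"},
    {"AccountId": "444455556666", "PermissionSetArn": PS_RO,
     "PrincipalType": "USER", "PrincipalId": "u-alice"},
    {"AccountId": "444455556666", "PermissionSetArn": PS_ADMIN,
     "PrincipalType": "USER", "PrincipalId": "u-carol"},
]

if __name__ == "__main__":
    access = effective_access(ASSIGNMENTS, MEMBERSHIPS, NAMES)
    for user, accounts in sorted(holders(access, "AdministratorAccess").items()):
        print(user, accounts)
```

Group-derived access such as u-bob's does not appear when only USER assignments are reviewed, which is why the group memberships have to be joined in.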
Local Enumeration
It's possible to create the file config inside the folder $HOME/.aws to configure profiles that are accessible via SSO, for example:
# Login in ms-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile
When a profile from SSO is used to access some information, the credentials are cached in a file inside the folder $HOME/.aws/sso/cache. Therefore they can be read and used from there.
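An added workstation check for such cache files (not part of the original page): it reports which cached files still hold unexpired credentials and whether their file mode lets other local users read them, without ever printing the secrets. The field names expiresAt and Credentials.Expiration are assumed from the files the AWS CLI writes.

```python
import json
import stat
from datetime import datetime, timezone
from pathlib import Path

def _expiry(doc):
    """Expiry from an SSO cache file (expiresAt) or a CLI role cache file."""
    creds = doc.get("Credentials")
    raw = doc.get("expiresAt") or (creds or {}).get("Expiration")
    if not raw:
        return None
    dt = datetime.fromisoformat(raw.replace("UTC", "+00:00").replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_cache(dirs, now=None):
    """Report cached credential files without ever returning secret values."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for f in sorted(d.glob("*.json")):
            try:
                doc = json.loads(f.read_text())
                exp = _expiry(doc) if isinstance(doc, dict) else None
            except (OSError, ValueError, AttributeError):
                continue  # unreadable or not a cache document
            findings.append({
                "file": f.name,
                "live": exp is not None and exp > now,  # still usable if copied
                "loose_mode": bool(f.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO)),
            })
    return findings

if __name__ == "__main__":
    home = Path.home() / ".aws"
    for item in audit_cache([home / "sso" / "cache", home / "cli" / "cache"]):
        print(item)
```

A file reported as live with loose_mode set is readable by other local accounts while its credentials are still valid; running aws sso logout clears the SSO cache once a session is no longer needed.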
Moreover, more credentials can be stored in the folder $HOME/.aws/cli/cache. This cache directory is primarily used when you are working with AWS CLI profiles that use IAM user credentials or assume roles through IAM (without SSO). Config example:
# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password
Create a group, assign it permissions, and add a controlled user to it
Give extra permissions to a controlled user or group
By default, only users with permissions from the Management Account are going to be able to access and control the IAM Identity Center.
However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permissions, but they will be able to perform management activities.