AWS - IAM & STS Unauthenticated Enum
This technique no longer works: whether or not the role exists, you always get this error message:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas
You can try this by running:
aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example
Trying to assume a role without the required permissions results in an error message from AWS. For example, if you lack the permission, AWS may return:
This message confirms that the role exists but indicates that its assume role policy does not allow you to assume it. Conversely, trying to assume a non-existent role produces a different error:
Interestingly, this method of distinguishing between existing and non-existing roles works even across different AWS accounts. With a valid AWS account ID and a targeted wordlist, one can enumerate the roles present in the account without facing any inherent limitations.
You can use this script to enumerate potential principals abusing this issue.
Configuring or updating an IAM trust policy involves defining which AWS resources or services are allowed to assume that role and obtain temporary credentials. If the resource specified in the policy exists, the trust policy is saved successfully. However, if the resource does not exist, an error occurs, indicating that an invalid principal was provided.
Note that in that resource you could specify a cross account role or user:
arn:aws:iam::acc_id:role/role_name
arn:aws:iam::acc_id:user/user_name
This is a policy example:
That is the error you get if you use a role that does not exist. If the role exists, the policy is saved without any error. (The error shown is from an update, but this also works when creating the policy.)
You can automate this process with https://github.com/carlospolop/aws_tools
bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt
Or using Pacu:
run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
The admin role used in the example is a role in your account that Pacu impersonates to create the policies it needs for the enumeration.
In the case where a role was misconfigured and allows anyone to assume it:
The attacker could just assume it.
Imagine you were able to read a GitHub Actions workflow that accesses a role inside AWS. That trust could grant access to a role with the following trust policy:
This trust policy might be correct, but the lack of further conditions should make you distrust it. This is because the previous role can be assumed by ANYONE from GitHub Actions! You should also specify in the conditions other things such as the organization name, repo name, environment, branch...
Another misconfiguration could be adding a condition such as the following:
Note the wildcard (*) before the colon (:). You could create an org such as org_name1 and assume the role from a GitHub Action.
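An added check, not from the page or from any tool it mentions, that audits a role's trust policy for the weaknesses described above: a missing sub condition, a wildcard in the organization part before the colon, and an unpinned repository or branch. The sample policy document and the account ID 123456789012 are constructed.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC + ":sub"
COND_OPS = ("StringEquals", "StringLike", "ForAnyValue:StringEquals", "ForAnyValue:StringLike")

# Constructed sample (not from the page): the wildcard sits before the colon,
# so a subject such as "repo:org_name1/anything:..." also matches.
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:org_name*:*"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_github_oidc_trust(policy):
    """Return findings for every Allow statement that trusts the GitHub Actions OIDC provider."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal") or {}
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC in p for p in federated):
            continue
        cond = stmt.get("Condition") or {}
        subs = [s for op in COND_OPS for s in _as_list((cond.get(op) or {}).get(SUB_KEY, []))]
        if not subs:
            findings.append("no sub condition: any GitHub Actions workflow can assume the role")
        for pat in subs:
            parts = pat.split(":")  # expected shape: repo:<org>/<repo>:<ref|environment>:<value>
            org, _, repo = (parts[1] if len(parts) > 1 else "").partition("/")
            if parts[0] != "repo" or not org:
                findings.append(f"{pat!r}: subject is not pinned to a repository")
                continue
            if any(c in org for c in "*?"):
                findings.append(f"{pat!r}: wildcard in organization name, any matching org can assume the role")
            if not repo or any(c in repo for c in "*?"):
                findings.append(f"{pat!r}: repository name is not pinned")
            if len(parts) < 3 or any(c in ":".join(parts[2:]) for c in "*?"):
                findings.append(f"{pat!r}: no branch or environment restriction")
    return findings
```

A policy that passes uses StringEquals with a subject such as repo:org_name/repo_name:ref:refs/heads/main, which pins the org, the repo and the branch.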