AWS - IAM & STS Unauthenticated Enum
This technique no longer works because, whether the role exists or not, you always get this error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas
You can test this by running:
aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example
Attempting to assume a role without the required permissions produces an AWS error message. For example, if you lack the permissions, AWS may return:
This message confirms that the role exists but shows that its assume-role policy does not allow you to assume it. In contrast, attempting to assume a non-existent role produces a different error:
Interestingly, this method of distinguishing between existing and non-existent roles is applicable even across different AWS accounts. With a valid AWS account ID and a targeted wordlist, one can enumerate the roles present in the account without facing any inherent limitations.
You can use this script to enumerate potential principals abusing this issue.
Configuring or updating an IAM role's trust policy involves defining which AWS resources or services are allowed to assume that role and obtain temporary credentials. If the resource specified in the policy exists, the trust policy is saved successfully. However, if the resource does not exist, an error occurs, indicating that an invalid principal was provided.
Note that in that resource you could specify a cross-account role or user:
arn:aws:iam::acc_id:role/role_name
arn:aws:iam::acc_id:user/user_name
This is a policy example:
That is the error you will get if you use a role that does not exist. If the role exists, the policy will be saved without any errors. (The error shown is for an update, but the same happens when creating the role.)
You can automate this process with https://github.com/carlospolop/aws_tools
bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt
Or using Pacu:
run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
The admin role used in the example is a role in your own account that Pacu impersonates in order to create the policies it needs for the enumeration.
In case the role was misconfigured and allows anyone to assume it:
The attacker could just assume it.
Imagine that you managed to read a GitHub Actions workflow that accesses a role inside AWS. This trust could give access to a role with the following trust policy:
This trust policy could be correct, but the lack of further conditions should make you distrust it. This is because the previous role can be assumed by ANYONE from GitHub Actions! You should also specify in the conditions other things such as the organization name, repo name, environment, branch...
Another misconfiguration could be adding a condition like the following:
Note the wildcard (*) before the colon (:). You can create an org such as org_name1 and assume the role from a GitHub Action.
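As an added defender-side example (not part of the original page or of any tool it mentions), the following linter checks an IAM role trust policy for the two GitHub Actions OIDC weaknesses described above: a trust on the GitHub OIDC provider with no `sub` condition at all, and a `sub` condition that wildcards the org/repo portion before the colon. The sample policies, the account ID and the org/repo names are constructed placeholders.

```python
# Hypothetical trust-policy linter for the GitHub OIDC weaknesses above (added example).
GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC + ":sub"
STRING_OPS = ("StringEquals", "StringLike", "ForAnyValue:StringEquals", "ForAnyValue:StringLike")


def _as_list(value):
    """IAM policy JSON allows a scalar wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def lint_github_trust(policy: dict) -> list[str]:
    """Return findings for GitHub OIDC statements; an empty list means none found."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if not any(GITHUB_OIDC in str(p) for p in federated):
            continue  # not a GitHub Actions trust statement
        cond = stmt.get("Condition", {})
        subs = [s for op in STRING_OPS for s in _as_list(cond.get(op, {}).get(SUB_KEY, []))]
        if not subs:
            findings.append("no sub condition: any GitHub Actions workflow can assume the role")
            continue
        for sub in subs:
            # GitHub sub claim format: repo:<org>/<repo>:<ref|environment|...>
            parts = sub.split(":")
            org_repo = parts[1] if len(parts) > 1 else ""
            if len(parts) < 3 or parts[0] != "repo" or "/" not in org_repo or "*" in org_repo or "?" in org_repo:
                findings.append(f"sub {sub!r} does not pin a single org/repo")
    return findings


def _github_policy(condition: dict) -> dict:
    """Constructed sample trust policy; the account ID is a placeholder."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


OPEN_POLICY = _github_policy({})  # no sub condition at all
WEAK_POLICY = _github_policy({"StringLike": {SUB_KEY: "repo:org_name*:*"}})  # wildcard before the colon
SAFE_POLICY = _github_policy({"StringEquals": {SUB_KEY: "repo:org_name/repo_name:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, pol in (("open", OPEN_POLICY), ("weak", WEAK_POLICY), ("safe", SAFE_POLICY)):
        print(name, lint_github_trust(pol) or "OK")
```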