AWS - IAM, Identity Center & SSO
IAM
You can find a description of IAM in:
Enumeration
Main permissions needed:
- iam:ListPolicies, iam:GetPolicy and iam:GetPolicyVersion
- iam:ListRoles
- iam:ListUsers
- iam:ListGroups
- iam:ListGroupsForUser
- iam:ListAttachedUserPolicies
- iam:ListAttachedRolePolicies
- iam:ListAttachedGroupPolicies
- iam:ListUserPolicies and iam:GetUserPolicy
- iam:ListGroupPolicies and iam:GetGroupPolicy
- iam:ListRolePolicies and iam:GetRolePolicy
# All IAMs
## Retrieves information about all IAM users, groups, roles, and policies
## in your Amazon Web Services account, including their relationships to
## one another. Use this operation to obtain a snapshot of the configuration
## of IAM permissions (users, groups, roles, and policies) in your
## account.
aws iam get-account-authorization-details
# List users
aws iam get-user #Get current user information
aws iam list-users
aws iam list-ssh-public-keys #User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata
aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services
aws iam get-user --user-name <username> #Get metadata of user, included permissions boundaries
aws iam list-access-keys #List created access keys
## inline policies
aws iam list-user-policies --user-name <username> #Get inline policies of the user
aws iam get-user-policy --user-name <username> --policy-name <policyname> #Get inline policy details
## attached policies
aws iam list-attached-user-policies --user-name <username> #Get policies of user, it doesn't get inline policies
# List groups
aws iam list-groups #Get groups
aws iam list-groups-for-user --user-name <username> #Get groups of a user
aws iam get-group --group-name <name> #Get group name info
## inline policies
aws iam list-group-policies --group-name <name> #Get inline policies of the group
aws iam get-group-policy --group-name <name> --policy-name <policyname> #Get an inline policy info
## attached policies
aws iam list-attached-group-policies --group-name <name> #Get policies of group, it doesn't get inline policies
# List roles
aws iam list-roles #Get roles
aws iam get-role --role-name <role-name> #Get role
## inline policies
aws iam list-role-policies --role-name <name> #Get inline policies of a role
aws iam get-role-policy --role-name <name> --policy-name <name> #Get inline policy details
## attached policies
aws iam list-attached-role-policies --role-name <role-name> #Get policies of role, it doesn't get inline policies
# List policies
aws iam list-policies [--only-attached] [--scope Local]
aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy content
aws iam get-policy --policy-arn <policy_arn>
aws iam list-policy-versions --policy-arn <arn>
aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>
# Enumerate providers
aws iam list-saml-providers
aws iam get-saml-provider --saml-provider-arn <ARN>
aws iam list-open-id-connect-providers
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>
# Password Policy
aws iam get-account-password-policy
# MFA
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
Stealth permission confirmation via intentional failures
When List* or simulator APIs are blocked, you can confirm mutating permissions without creating durable resources by forcing predictable validation errors. AWS still evaluates IAM before returning these errors, so seeing the error proves that the caller has permission for the action:
# Confirm iam:CreateUser without creating a new principal (fails only after authz)
aws iam create-user --user-name <existing_user> # -> EntityAlreadyExistsException
# Confirm iam:CreateLoginProfile while learning password policy requirements
aws iam create-login-profile --user-name <target_user> --password lower --password-reset-required # -> PasswordPolicyViolationException
These attempts still generate CloudTrail events (with errorCode set) but avoid leaving new IAM artifacts behind, which makes them useful for low-noise permission verification during interactive recon.
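From the detection side, the CloudTrail events mentioned above can be picked out by pairing each mutating event name with its validation error. This is an added example, not code from the original page; the sample records, the principal names and the prefix match on errorCode are assumptions.

```python
# Mutating IAM calls and the validation error each one returns only after
# authorization has passed (the pairs named on this page).
PROBE_ERRORS = {
    "CreateUser": "EntityAlreadyExists",
    "CreateLoginProfile": "PasswordPolicyViolation",
}

def find_probe_events(records):
    """Failed IAM calls whose error shows the caller was authorized."""
    hits = []
    for rec in records:
        expected = PROBE_ERRORS.get(rec.get("eventName"))
        if rec.get("eventSource") != "iam.amazonaws.com" or not expected:
            continue
        # Prefix match tolerates an "Exception" suffix (assumption).
        if (rec.get("errorCode") or "").startswith(expected):
            hits.append({
                "time": rec.get("eventTime"),
                "principal": (rec.get("userIdentity") or {}).get("arn"),
                "action": rec["eventName"],
                "target": (rec.get("requestParameters") or {}).get("userName"),
                "source_ip": rec.get("sourceIPAddress"),
            })
    return hits

def confirmed_permissions(records):
    """Map each principal to the IAM actions its failed calls confirmed."""
    out = {}
    for hit in find_probe_events(records):
        out.setdefault(hit["principal"], set()).add("iam:" + hit["action"])
    return {p: sorted(a) for p, a in out.items()}

def _rec(name, user, code=None, target="alice"):
    """Build one constructed CloudTrail record (hypothetical names)."""
    return {"eventSource": "iam.amazonaws.com", "eventName": name,
            "eventTime": "2024-05-01T10:00:00Z", "errorCode": code,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": {"userName": target},
            "sourceIPAddress": "203.0.113.10"}

SAMPLE = [  # constructed sample, not real log data
    _rec("CreateUser", "ci-deploy", "EntityAlreadyExistsException"),
    _rec("CreateLoginProfile", "ci-deploy", "PasswordPolicyViolationException"),
    _rec("CreateUser", "intern", "AccessDenied"),     # denied: proves nothing
    _rec("CreateUser", "admin", None, target="bob"),  # successful creation
]

if __name__ == "__main__":
    print(confirmed_permissions(SAMPLE))
```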
Permissions Brute Force
If you are interested in your own permissions but you don't have access to query IAM, you can always brute-force them.
bf-aws-permissions
The tool bf-aws-permissions is just a bash script that, using the indicated profile, runs all the list*, describe*, get* actions it can find from the aws cli help messages and returns the successful executions.
# Bruteforce permissions
bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt
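Running every list*, describe* and get* action this way leaves a burst of denied read calls in CloudTrail. The following added example (not from the original page or from the tool's code) flags principals that were denied many distinct read actions inside one time window; the window, the threshold and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DENIED = ("AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation")
READ_PREFIXES = ("List", "Describe", "Get")

def enumeration_bursts(records, window=timedelta(minutes=10), min_actions=5):
    """Principals denied >= min_actions distinct read actions inside one window."""
    denied = defaultdict(list)
    for rec in records:
        name = rec.get("eventName", "")
        code = rec.get("errorCode") or ""
        if name.startswith(READ_PREFIXES) and code.startswith(DENIED):
            when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            action = rec["eventSource"].split(".")[0] + ":" + name
            denied[rec["userIdentity"]["arn"]].append((when, action))
    findings = {}
    for arn, events in denied.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            # Distinct actions seen in the window opening at this event.
            seen = {a for t, a in events[i:] if t - start <= window}
            best = max(best, seen, key=len)
        if len(best) >= min_actions:
            findings[arn] = sorted(best)
    return findings

def _rec(user, source, name, minute):
    """Build one constructed denied-call record (hypothetical names)."""
    return {"eventSource": f"{source}.amazonaws.com", "eventName": name,
            "errorCode": "AccessDenied",
            "eventTime": f"2024-05-01T{10 + minute // 60:02d}:{minute % 60:02d}:00Z",
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

CALLS = [("iam", "ListUsers"), ("s3", "ListBuckets"), ("ec2", "DescribeInstances"),
         ("lambda", "ListFunctions"), ("kms", "ListKeys"), ("rds", "DescribeDBInstances")]
SAMPLE = (  # constructed sample, not real log data
    [_rec("leaked-key", s, n, i) for i, (s, n) in enumerate(CALLS)]       # 6 calls in 6 minutes
    + [_rec("slow-app", s, n, i * 60) for i, (s, n) in enumerate(CALLS)]  # one call per hour
    + [_rec("dev", "s3", "ListBuckets", 3)] * 8                           # same action repeated
)

if __name__ == "__main__":
    print(enumeration_bursts(SAMPLE))
```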
bf-aws-perms-simulate
The tool bf-aws-perms-simulate can find your current permissions (or those of other principals) if you have the permission iam:SimulatePrincipalPolicy.
# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]
Perms2ManagedPolicies
If you found some permissions your user has, and you think they are being granted by a managed AWS role (and not by a custom one), you can use the tool aws-Perms2ManagedRoles to check all the AWS managed roles that grant the permissions you discovered.
# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt
Warning
It's possible to "know" whether the permissions you have are granted by an AWS managed role if, for example, you see that you have permissions over services that are not used.
Cloudtrail2IAM
CloudTrail2IAM is a Python tool that analyzes AWS CloudTrail logs to extract and summarize the actions performed by everyone or by just a specific user or role. The tool will parse every CloudTrail log from the indicated bucket.
git clone https://github.com/carlospolop/Cloudtrail2IAM
cd Cloudtrail2IAM
pip install -r requirements.txt
python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS]
Warning
If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find AWS configuration and determine which permissions have been assigned to whom.
enumerate-iam
To use the tool https://github.com/andresriancho/enumerate-iam you first need to download all the AWS API endpoints; from those, the script generate_bruteforce_tests.py extracts all the "list_", "describe_", and "get_" endpoints. Finally, it tries to access them with the given credentials and indicates whether each call worked.
(In my experience the tool hangs at some point, check out this fix to try to fix that).
Warning
In my experience this tool is like the previous one, but it works worse and checks fewer permissions.
# Install tool
git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt
# Download API endpoints
cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python3 generate_bruteforce_tests.py
rm -rf aws-sdk-js
cd ..
# Enumerate permissions
python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION]
weirdAAL
You can also use the tool weirdAAL. This tool checks several common operations on several common services (it checks some enumeration permissions and also some privesc permissions). But it only runs the coded checks (the only way to check more is by coding more tests).
# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
python3 -m venv weirdAAL
source weirdAAL/bin/activate
pip3 install -r requirements.txt
# Create a .env file with aws credentials such as
[default]
aws_access_key_id = <insert key id>
aws_secret_access_key = <insert secret key>
# Setup DB
python3 create_dbs.py
# Invoke it
python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests
python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# You will see output such as:
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']
Hardening tools to BF permissions
# Export env variables
./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json
# Filter results removing unknown
jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json | jq 'map(select(.resource | contains("N/A") | not))' > /tmp/out-cloudsploit-filt.json
# Get services by regions
jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' /tmp/out-cloudsploit-filt.json
<YourTool>
None of the previous tools can check close to all permissions, so if you know a better tool, please send a PR!
Unauthenticated Access
AWS - IAM & STS Unauthenticated Enum
Privilege Escalation
On the following page you can see how to abuse IAM permissions to escalate privileges:
IAM Post Exploitation
IAM Persistence
IAM Identity Center
You can find a description of IAM Identity Center in:
Connect via SSO with the CLI
# Connect with sso via CLI
aws configure sso
[profile profile_name]
sso_start_url = https://subdomain.awsapps.com/start/
sso_account_id = <account_number>
sso_role_name = AdministratorAccess
sso_region = us-east-1
Enumeration
The main elements of the Identity Center are:
- Users and groups
- Permission Sets: have policies attached
- AWS Accounts
Then, relationships are created so that users/groups have Permission Sets over an AWS Account.
Note
Note that there are 3 ways to attach policies to a Permission Set: AWS managed policies, customer managed policies (these policies need to be created in all the accounts the Permission Set affects), and inline policies (defined in there).
# Check if IAM Identity Center is used
aws sso-admin list-instances
# Get Permissions sets. These are the policies that can be assigned
aws sso-admin list-permission-sets --instance-arn <instance-arn>
aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get managed policies of a permission set
aws sso-admin list-managed-policies-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get inline policies of a permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get customer managed policies of a permission set
aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission set
aws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List accounts a permission set is affecting
aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an account
aws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>
# Get permissions sets affecting an account
aws sso-admin list-permission-sets-provisioned-to-account --instance-arn <instance-arn> --account-id <account_id>
# List users & groups from the identity store
aws identitystore list-users --identity-store-id <store-id>
aws identitystore list-groups --identity-store-id <store-id>
## Get members of groups
aws identitystore list-group-memberships --identity-store-id <store-id> --group-id <group-id>
## Get memberships of a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
Local Enumeration
It's possible to create the file config inside the folder $HOME/.aws to configure profiles that are accessible via SSO, for example:
[default]
region = us-west-2
output = json
[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = MySSORole
region = us-west-2
output = json
[profile dependent-profile]
role_arn = arn:aws:iam::<acc-id>:role/ReadOnlyRole
source_profile = Hacktricks-Admin
This configuration can be used with the following commands:
# Log in with my-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile
When a profile from SSO is used to access some information, the credentials are cached in a file inside the folder $HOME/.aws/sso/cache. Therefore they can be read and used from there.
Moreover, more credentials can be stored in the folder $HOME/.aws/cli/cache. This cache directory is primarily used when you are working with AWS CLI profiles that use IAM user credentials or assume roles through IAM (without SSO). Config example:
[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456
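To see what a workstation exposes through these two cache folders, the following added example (not from the original page) audits them for credential-bearing files, whether those are still unexpired, and whether other local users can read them. The JSON field names are assumptions about what the AWS CLI writes; the sample files are constructed with placeholder values.

```python
import json, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

SECRET_KEYS = ("accessToken", "refreshToken", "clientSecret", "Credentials")

def _expiry(doc):
    """Expiry of an SSO token file or a CLI assume-role cache file."""
    raw = doc.get("expiresAt") or (doc.get("Credentials") or {}).get("Expiration")
    try:
        exp = datetime.fromisoformat(raw.replace("UTC", "+00:00").replace("Z", "+00:00"))
    except (AttributeError, ValueError):  # missing or unparsable: unknown
        return None
    return exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)

def audit_aws_cache(home, now=None):
    """Describe cached credential files under <home>/.aws, never their values."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for sub in ("sso/cache", "cli/cache"):
        for path in sorted((Path(home) / ".aws" / sub).glob("*.json")):
            try:
                doc = json.loads(path.read_text())
            except (OSError, ValueError):
                continue
            kinds = [k for k in SECRET_KEYS if k in doc] if isinstance(doc, dict) else []
            if not kinds:
                continue
            exp = _expiry(doc)
            mode = stat.S_IMODE(path.stat().st_mode)
            findings.append({"file": f"{sub}/{path.name}", "holds": kinds,
                             "unexpired": exp is None or exp > now,
                             "readable_by_others": bool(mode & 0o077)})
    return findings

def build_sample_home():
    """Constructed cache files with placeholder values, for the demo only."""
    home = Path(tempfile.mkdtemp())
    files = {
        "sso/cache/aaaa.json": ({"startUrl": "https://example.awsapps.com/start",
            "accessToken": "PLACEHOLDER", "expiresAt": "2030-01-01T00:00:00Z"}, 0o600),
        "cli/cache/bbbb.json": ({"Credentials": {"AccessKeyId": "PLACEHOLDER",
            "Expiration": "2020-01-01T00:00:00+00:00"}}, 0o644),
    }
    for rel, (doc, mode) in files.items():
        path = home / ".aws" / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(doc))
        path.chmod(mode)
    return home
```

Call `audit_aws_cache(Path.home())` to review the real cache on a workstation, or `audit_aws_cache(build_sample_home())` to see the output on the constructed files.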
Unauthenticated Access
AWS - Identity Center & SSO Unauthenticated Enum
Privilege Escalation
AWS - SSO & identitystore Privesc
Post Exploitation
AWS - SSO & identitystore Post Exploitation
Persistence
- Create a user and assign permissions to it
# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password
- Create a group, assign it permissions and set a controlled user on it
- Give extra permissions to a controlled user or group
- By default, only users with permissions from the Management Account are going to be able to access and control the IAM Identity Center.
However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permissions, but they will be able to perform management activities.

