AWS - IAM, Identity Center & SSO enumeracija

Tip

Nauči & vežbaj AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Nauči & vežbaj GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Nauči & vežbaj Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

• Pogledajte subscription plans!
• Pridružite se 💬 Discord group or the telegram group or pratite nas na Twitter 🐦 @hacktricks_live.
• Podelite hacking tricks slanjem PR-ova na HackTricks i HackTricks Cloud github repos.

IAM

Opis IAM-a možete pronaći u:

AWS - Basic Information

Enumeracija

Glavne potrebne dozvole:

• iam:ListPolicies, iam:GetPolicy and iam:GetPolicyVersion
• iam:ListRoles
• iam:ListUsers
• iam:ListGroups
• iam:ListGroupsForUser
• iam:ListAttachedUserPolicies
• iam:ListAttachedRolePolicies
• iam:ListAttachedGroupPolicies
• iam:ListUserPolicies and iam:GetUserPolicy
• iam:ListGroupPolicies and iam:GetGroupPolicy
• iam:ListRolePolicies and iam:GetRolePolicy

# All IAMs
## Retrieves  information about all IAM users, groups, roles, and policies
## in your Amazon Web Services account, including their relationships  to
## one another. Use this operation to obtain a snapshot of the configura-
## tion of IAM permissions (users, groups, roles, and  policies)  in  your
## account.
aws iam get-account-authorization-details

# List users
aws iam get-user #Get current user information
aws iam list-users
aws iam list-ssh-public-keys #User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata
aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services
aws iam get-user --user-name <username> #Get metadata of user, included permissions boundaries
aws iam list-access-keys #List created access keys
## inline policies
aws iam list-user-policies --user-name <username> #Get inline policies of the user
aws iam get-user-policy --user-name <username> --policy-name <policyname> #Get inline policy details
## attached policies
aws iam list-attached-user-policies --user-name <username> #Get policies of user, it doesn't get inline policies

# List groups
aws iam list-groups #Get groups
aws iam list-groups-for-user --user-name <username> #Get groups of a user
aws iam get-group --group-name <name> #Get group name info
## inline policies
aws iam list-group-policies --group-name <username> #Get inline policies of the group
aws iam get-group-policy --group-name <username> --policy-name <policyname> #Get an inline policy info
## attached policies
aws iam list-attached-group-policies --group-name <name> #Get policies of group, it doesn't get inline policies

# List roles
aws iam list-roles #Get roles
aws iam get-role --role-name <role-name> #Get role
## inline policies
aws iam list-role-policies --role-name <name> #Get inline policies of a role
aws iam get-role-policy --role-name <name> --policy-name <name> #Get inline policy details
## attached policies
aws iam list-attached-role-policies --role-name <role-name> #Get policies of role, it doesn't get inline policies

# List policies
aws iam list-policies [--only-attached] [--scope Local]
aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy content
aws iam get-policy --policy-arn <policy_arn>
aws iam list-policy-versions --policy-arn <arn>
aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>

# Enumerate providers
aws iam list-saml-providers
aws iam get-saml-provider --saml-provider-arn <ARN>
aws iam list-open-id-connect-providers
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>

# Password Policy
aws iam get-account-password-policy

# MFA
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices

Neprimetna potvrda dozvola pomoću namernih grešaka

Kada su blokirani List* ili simulator APIs, možete potvrditi dozvole za izmene bez kreiranja trajnih resursa prouzrokujući predvidljive greške validacije. AWS i dalje evaluira IAM pre nego što vrati ove greške, tako da pojava greške dokazuje da pozivalac ima tu akciju:

# Confirm iam:CreateUser without creating a new principal (fails only after authz)
aws iam create-user --user-name <existing_user>  # -> EntityAlreadyExistsException

# Confirm iam:CreateLoginProfile while learning password policy requirements
aws iam create-login-profile --user-name <target_user> --password lower --password-reset-required  # -> PasswordPolicyViolationException

Ovi pokušaji i dalje generišu CloudTrail događaje (sa podešenim errorCode), ali izbegavaju ostavljanje novih IAM artefakata, što ih čini korisnim za nisko-bučnu validaciju dozvola tokom interaktivnog recon-a.

Permissions Brute Force

Ako te zanimaju tvoje sopstvene dozvole, ali nemaš pristup da izvršiš upite na IAM, uvek ih možeš brute-force-ovati.

bf-aws-permissions

Alat bf-aws-permissions je samo bash skripta koja će, koristeći označeni profil, pokrenuti sve list*, describe*, get* akcije koje može da pronađe koristeći aws cli help poruke i vratiti uspešna izvršavanja.

# Bruteforce permissions
bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt

bf-aws-perms-simulate

Alat bf-aws-perms-simulate može da pronađe vaše trenutne dozvole (ili one drugih principals) ako imate dozvolu iam:SimulatePrincipalPolicy

# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]

Perms2ManagedPolicies

Ako ste pronašli neke dozvole koje vaš korisnik ima, i mislite da vam ih dodeljuje upravljana AWS uloga (a ne prilagođena). Možete koristiti alat aws-Perms2ManagedRoles da proverite sve upravljane AWS uloge koje dodeljuju dozvole koje ste otkrili da imate.

# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt

Warning

Moguće je “saznati” da li su dozvole koje imaš dodeljene od strane AWS managed role ako, na primer, vidiš da imaš dozvole nad servisima koji se ne koriste.

Cloudtrail2IAM

CloudTrail2IAM je Python alat koji analizira AWS CloudTrail logove da bi izvukao i sumirao akcije izvršene od strane svih ili samo određenog korisnika ili role. Alat će parsirati svaki cloudtrail log iz naznačenog bucket-a.

git clone https://github.com/carlospolop/Cloudtrail2IAM
cd Cloudtrail2IAM
pip install -r requirements.txt
python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS]

Warning

Ako pronađete .tfstate (Terraform state files) ili CloudFormation files (obično su to yaml fajlovi koji se nalaze u bucket-u sa prefiksom cf-templates), možete ih takođe pročitati da pronađete aws konfiguraciju i koje su permisije dodeljene kome.

enumerate-iam

To use the tool https://github.com/andresriancho/enumerate-iam you first need to download all the API AWS endpoints, from those the script generate_bruteforce_tests.py will get all the “list_”, “describe_”, and “get_” endpoints. And finally, it will try to access them with the given credentials and prikaže da li je uspelo.

(Po mom iskustvu, alat se u nekom trenutku zamrzne, checkout this fix da pokuša da to popravi).

Warning

Po mom iskustvu ovaj alat je poput prethodnog, ali radi lošije i proverava manje permisija

# Install tool
git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt

# Download API endpoints
cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python3 generate_bruteforce_tests.py
rm -rf aws-sdk-js
cd ..

# Enumerate permissions
python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION]

weirdAAL

Možete takođe koristiti alat weirdAAL. Ovaj alat će proveriti nekoliko uobičajenih operacija na više uobičajenih servisa (proveriće neke enumeration permissions i takođe neke privesc permissions). Međutim, proverava samo kodirane provere — jedini način da se proveri više stvari je da se napišu (kodiraju) dodatni testovi.

# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
python3 -m venv weirdAAL
source weirdAAL/bin/activate
pip3 install -r requirements.txt

# Create a .env file with aws credentials such as
[default]
aws_access_key_id = <insert key id>
aws_secret_access_key = <insert secret key>

# Setup DB
python3 create_dbs.py

# Invoke it
python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests
python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# You will see output such as:
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']

Alati za hardening za BF dozvole

# Export env variables
./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json

# Filter results removing unknown
jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json | jq 'map(select(.resource | contains("N/A") | not))' > /tmp/out-cloudsploit-filt.json

# Get services by regions
jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' ~/Desktop/pentests/cere/greybox/core-dev-dev-cloudsploit-filtered.json

# https://github.com/turbot/steampipe-mod-aws-insights
steampipe check all --export=json

# https://github.com/turbot/steampipe-mod-aws-perimeter
# In this case you cannot output to JSON, so heck it in the dashboard
steampipe dashboard

<YourTool>

Nijedan od prethodnih alata nije u mogućnosti da proveri skoro sve dozvole, pa ako znate bolji alat pošaljite PR!

Unauthenticated Access

AWS - IAM & STS Unauthenticated Enum

Privilege Escalation

Na sledećoj stranici možete proveriti kako abuse IAM permissions to escalate privileges:

AWS - IAM Privesc

IAM Post Exploitation

AWS - IAM Post Exploitation

IAM Persistence

AWS - IAM Persistence

IAM Identity Center

Možete pronaći opis IAM Identity Center u:

AWS - Basic Information

Connect via SSO with CLI

# Connect with sso via CLI aws configure sso
aws configure sso

[profile profile_name]
sso_start_url = https://subdomain.awsapps.com/start/
sso_account_id = <account_numbre>
sso_role_name = AdministratorAccess
sso_region = us-east-1

Enumeracija

Glavni elementi Identity Center su:

• Korisnici i grupe
• Permission Sets: Imaju prikačene politike
• AWS nalozi

Zatim se kreiraju odnosi tako da korisnici/grupe imaju Permission Sets nad AWS nalozima.

Note

Obratite pažnju da postoje 3 načina za pridruživanje politika Permission Set-u: AWS managed policies, Customer managed policies (ove politike moraju biti kreirane u svim nalozima na koje Permission Set utiče), i inline policies (definisane u njemu).

# Check if IAM Identity Center is used
aws sso-admin list-instances

# Get Permissions sets. These are the policies that can be assigned
aws sso-admin list-permission-sets --instance-arn <instance-arn>
aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## Get managed policies of a permission set
aws sso-admin list-managed-policies-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get inline policies of a permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get customer managed policies of a permission set
aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission set
aws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## List accounts a permission set is affecting
aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an account
aws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>

# Get permissions sets affecting an account
aws sso-admin list-permission-sets-provisioned-to-account --instance-arn <instance-arn> --account-id <account_id>

# List users & groups from the identity store
aws identitystore list-users --identity-store-id <store-id>
aws identitystore list-groups --identity-store-id <store-id>
## Get members of groups
aws identitystore list-group-memberships --identity-store-id <store-id> --group-id <group-id>
## Get memberships or a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>

Lokalna enumeracija

Moguće je kreirati u folderu $HOME/.aws fajl config koji konfiguriše profile dostupne putem SSO, na primer:

[default]
region = us-west-2
output = json

[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = MySSORole
region = us-west-2
output = json

[profile dependent-profile]
role_arn = arn:aws:iam::<acc-id>:role/ReadOnlyRole
source_profile = Hacktricks-Admin

Ova konfiguracija se može koristiti sa komandama:

# Login in ms-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile

Kada se koristi profil iz SSO za pristup nekoj informaciji, kredencijali su keširani u fajlu unutar foldera $HOME/.aws/sso/cache. Stoga se mogu pročitati i koristiti odatle.

Pored toga, u folderu $HOME/.aws/cli/cache može biti sačuvano još kredencijala. Ovaj cache direktorijum se prvenstveno koristi kada radite sa AWS CLI profiles koji koriste IAM user credentials ili assume role kroz IAM (bez SSO). Primer konfiguracije:

[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456

Pristup bez autentifikacije

AWS - Identity Center & SSO Unauthenticated Enum

Eskalacija privilegija

AWS - SSO & identitystore Privesc

Post-eksploatacija

AWS - SSO & identitystore Post Exploitation

Održavanje pristupa

Kreirajte korisnika i dodelite mu dozvole

# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password

• Kreirajte grupu, dodelite joj dozvole i postavite u nju kontrolisanog korisnika
• Dodelite dodatne dozvole kontrolisanom korisniku ili grupi
• Podrazumevano, samo korisnici sa dozvolama iz Management Account-a moći će da pristupe i kontrolišu IAM Identity Center.

Međutim, moguće je putem Delegate Administrator-a dozvoliti korisnicima iz drugog naloga da njime upravljaju. Neće imati potpuno iste dozvole, ali će moći da izvrše management activities.

Tip

Nauči & vežbaj AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Nauči & vežbaj GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Nauči & vežbaj Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

• Pogledajte subscription plans!
• Pridružite se 💬 Discord group or the telegram group or pratite nas na Twitter 🐦 @hacktricks_live.
• Podelite hacking tricks slanjem PR-ova na HackTricks i HackTricks Cloud github repos.