AWS - IAM, Identity Center & SSO Enumeration

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

IAM

You can find a description of IAM in:

AWS - Basic Information

Enumeration

Main permissions needed:

  • iam:ListPolicies, iam:GetPolicy and iam:GetPolicyVersion
  • iam:ListRoles
  • iam:ListUsers
  • iam:ListGroups
  • iam:ListGroupsForUser
  • iam:ListAttachedUserPolicies
  • iam:ListAttachedRolePolicies
  • iam:ListAttachedGroupPolicies
  • iam:ListUserPolicies and iam:GetUserPolicy
  • iam:ListGroupPolicies and iam:GetGroupPolicy
  • iam:ListRolePolicies and iam:GetRolePolicy
# All IAMs
## Retrieves information about all IAM users, groups, roles, and policies
## in your Amazon Web Services account, including their relationships to
## one another. Use this operation to obtain a snapshot of the configuration
## of IAM permissions (users, groups, roles, and policies) in your account.
aws iam get-account-authorization-details

# List users
aws iam get-user #Get current user information
aws iam list-users
aws iam list-ssh-public-keys #User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata
aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services
aws iam get-user --user-name <username> #Get metadata of user, included permissions boundaries
aws iam list-access-keys #List created access keys
## inline policies
aws iam list-user-policies --user-name <username> #Get inline policies of the user
aws iam get-user-policy --user-name <username> --policy-name <policyname> #Get inline policy details
## attached policies
aws iam list-attached-user-policies --user-name <username> #Get policies of user, it doesn't get inline policies

# List groups
aws iam list-groups #Get groups
aws iam list-groups-for-user --user-name <username> #Get groups of a user
aws iam get-group --group-name <name> #Get group name info
## inline policies
aws iam list-group-policies --group-name <groupname> #Get inline policies of the group
aws iam get-group-policy --group-name <groupname> --policy-name <policyname> #Get an inline policy info
## attached policies
aws iam list-attached-group-policies --group-name <name> #Get policies of group, it doesn't get inline policies

# List roles
aws iam list-roles #Get roles
aws iam get-role --role-name <role-name> #Get role
## inline policies
aws iam list-role-policies --role-name <name> #Get inline policies of a role
aws iam get-role-policy --role-name <name> --policy-name <name> #Get inline policy details
## attached policies
aws iam list-attached-role-policies --role-name <role-name> #Get policies of role, it doesn't get inline policies

# List policies
aws iam list-policies [--only-attached] [--scope Local]
aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy content
aws iam get-policy --policy-arn <policy_arn>
aws iam list-policy-versions --policy-arn <arn>
aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>

# Enumerate providers
aws iam list-saml-providers
aws iam get-saml-provider --saml-provider-arn <ARN>
aws iam list-open-id-connect-providers
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>

# Password Policy
aws iam get-account-password-policy

# MFA
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
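The commands above return users, groups and policies separately; what an auditor actually wants is the per-user picture, including policies inherited through groups and any permissions boundary. This added example (not from the original page) resolves that from a saved `aws iam get-account-authorization-details` document; the sample document and the 111111111111 account id are constructed placeholders.

```python
"""Resolve, per IAM user, every policy that applies to it (inline, attached, and
inherited through groups) plus its permissions boundary, from the JSON that
`aws iam get-account-authorization-details` returns. Added example; the sample
document is constructed and the account id is a placeholder."""
import json
import sys

SAMPLE = {  # constructed, shaped like GetAccountAuthorizationDetails output
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["devs"],
         "UserPolicyList": [{"PolicyName": "alice-inline"}],
         "AttachedManagedPolicies": [{"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
         "PermissionsBoundary": {"PermissionsBoundaryArn": "arn:aws:iam::111111111111:policy/boundary"}},
        {"UserName": "bob", "GroupList": [], "UserPolicyList": [], "AttachedManagedPolicies": []},
    ],
    "GroupDetailList": [
        {"GroupName": "devs",
         "GroupPolicyList": [{"PolicyName": "devs-inline"}],
         "AttachedManagedPolicies": [{"PolicyArn": "arn:aws:iam::111111111111:policy/list_apigateways"}]},
    ],
}

def resolve_user_policies(details):
    """Return {user: {"inline": [...], "attached": [...], "via_group": [...],
    "boundary": arn_or_None}}; via_group entries are "group:policy"."""
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    result = {}
    for user in details.get("UserDetailList", []):
        entry = {
            "inline": [p["PolicyName"] for p in user.get("UserPolicyList", [])],
            "attached": [p["PolicyArn"] for p in user.get("AttachedManagedPolicies", [])],
            "via_group": [],
            # A boundary caps what any of the above can grant, so report it too.
            "boundary": (user.get("PermissionsBoundary") or {}).get("PermissionsBoundaryArn"),
        }
        for gname in user.get("GroupList", []):
            group = groups.get(gname, {})
            entry["via_group"] += [f"{gname}:{p['PolicyName']}" for p in group.get("GroupPolicyList", [])]
            entry["via_group"] += [f"{gname}:{p['PolicyArn']}" for p in group.get("AttachedManagedPolicies", [])]
        result[user["UserName"]] = entry
    return result

if __name__ == "__main__":
    # Pass the saved output of `aws iam get-account-authorization-details` as argv[1].
    details = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(resolve_user_policies(details), indent=2))
```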

Covert permission verification via intentional failure

When List* or simulator APIs are disabled, you can verify mutating permissions without creating persistent resources by forcing predictable validation errors. AWS still checks IAM before returning these errors, so seeing the error confirms the caller is authorized to perform that action:

# Confirm iam:CreateUser without creating a new principal (fails only after authz)
aws iam create-user --user-name <existing_user>  # -> EntityAlreadyExistsException

# Confirm iam:CreateLoginProfile while learning password policy requirements
aws iam create-login-profile --user-name <target_user> --password lower --password-reset-required  # -> PasswordPolicyViolationException

These attempts still generate CloudTrail events (with errorCode set) but avoid leaving new IAM artifacts, which makes them useful for low-noise permission verification during interactive recon.
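Because IAM only raises EntityAlreadyExists or PasswordPolicyViolation after authorization has passed, those errorCode values in CloudTrail are the detection signal for this technique. The following added example (not part of the original page) scans CloudTrail records for that pattern; the records and the 111111111111 account id are constructed, and the errorCode is matched with or without the Exception suffix because both spellings occur.

```python
"""Flag the 'permission probing via intentional failure' pattern in CloudTrail
records. IAM returns EntityAlreadyExists / PasswordPolicyViolation only after
the authorization check has passed, so a failed call with one of those codes
still proves the caller holds the permission. Added example; the records are
constructed and the account id is a placeholder."""
import json
import sys
from collections import defaultdict

# Error codes IAM emits only after authorization succeeded (matched with or
# without the "Exception" suffix, since both spellings appear in practice).
POST_AUTHZ_ERRORS = {"EntityAlreadyExists", "PasswordPolicyViolation"}

SAMPLE_RECORDS = [  # constructed CloudTrail records, trimmed to relevant fields
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "errorCode": "EntityAlreadyExists",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/probe"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "errorCode": "PasswordPolicyViolationException",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/probe"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "errorCode": "AccessDenied",  # real denial: caller lacks the permission
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/intern"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",  # no error
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/probe"}},
]

def confirmed_permissions(records):
    """Return {caller_arn: {"iam:Action", ...}} for IAM calls that failed with a
    post-authorization error code; AccessDenied and successful calls are skipped."""
    found = defaultdict(set)
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        code = (rec.get("errorCode") or "").removesuffix("Exception")
        if code not in POST_AUTHZ_ERRORS:
            continue
        found[rec["userIdentity"]["arn"]].add("iam:" + rec["eventName"])
    return dict(found)

if __name__ == "__main__":
    # Optionally read a CloudTrail log file ({"Records": [...]}) given on argv.
    records = json.load(open(sys.argv[1]))["Records"] if len(sys.argv) > 1 else SAMPLE_RECORDS
    for arn, actions in confirmed_permissions(records).items():
        print(f"{arn} confirmed: {', '.join(sorted(actions))}")
```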

Permissions Brute Force

If you want to know your own permissions but you don't have access to query IAM, you can always brute-force them.

bf-aws-permissions

The tool bf-aws-permissions is just a bash script that will run, using the indicated profile, all the list*, describe*, get* actions it can find through the aws cli help messages and return the successful executions.

# Bruteforce permissions
bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt

bf-aws-perms-simulate

The tool bf-aws-perms-simulate can find your current permissions (or those of other principals) if you have the permission iam:SimulatePrincipalPolicy

# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]

Perms2ManagedPolicies

If you have found some permissions your user has, and you think they are granted by a managed AWS role (and not a custom one), you can use the tool aws-Perms2ManagedRoles to check all the AWS managed roles that grant the permissions you discovered you have.

# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt

Warning

It's possible to "know" whether the permissions you have are granted by an AWS managed role if you see, for example, that you have permissions over services that are not being used.

Cloudtrail2IAM

CloudTrail2IAM is a Python tool that analyses AWS CloudTrail logs to extract and summarise the actions performed by everyone or by a specific user or role. The tool will parse every cloudtrail log from the indicated bucket.

git clone https://github.com/carlospolop/Cloudtrail2IAM
cd Cloudtrail2IAM
pip install -r requirements.txt
python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS]

Warning

If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find the aws configuration and see which permissions have been given to whom.

enumerate-iam

To use the tool https://github.com/andresriancho/enumerate-iam you first need to download all the AWS API endpoints; from those, the script generate_bruteforce_tests.py will get all the "list_", "describe_", and "get_" endpoints. Finally, it will try to access them with the given credentials and indicate whether it worked.

(In my experience the tool hangs at some point, check out this fix to try to fix that).

Warning

In my experience this tool is like the previous one but works worse and checks fewer permissions

# Install tool
git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt

# Download API endpoints
cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python3 generate_bruteforce_tests.py
rm -rf aws-sdk-js
cd ..

# Enumerate permissions
python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION]

weirdAAL

You can also use the tool weirdAAL. This tool will check several common operations on several common services (it will check some enumeration permissions and also some privesc permissions). But it will only check the coded checks (the only way to check more things is to write more tests).

# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
python3 -m venv weirdAAL
source weirdAAL/bin/activate
pip3 install -r requirements.txt

# Create a .env file with aws credentials such as
[default]
aws_access_key_id = <insert key id>
aws_secret_access_key = <insert secret key>

# Setup DB
python3 create_dbs.py

# Invoke it
python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests
python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# You will see output such as:
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']

Hardening tools for permissions BF

# Export env variables
./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json

# Filter results removing unknown
jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json | jq 'map(select(.resource | contains("N/A") | not))' > /tmp/out-cloudsploit-filt.json

# Get services by regions
jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' /tmp/out-cloudsploit-filt.json

<YourTool>

None of the previously mentioned tools is able to check nearly all permissions, so if you know a better tool, send a PR!

Unauthenticated Access

AWS - IAM & STS Unauthenticated Enum

Privilege Escalation

On the following page you can see how to abuse IAM permissions to escalate privileges:

AWS - IAM Privesc

IAM Post Exploitation

AWS - IAM Post Exploitation

IAM Persistence

AWS - IAM Persistence

IAM Identity Center

You can find a description of IAM Identity Center in:

AWS - Basic Information

Connect via SSO with CLI

# Connect with sso via CLI
aws configure sso

[profile profile_name]
sso_start_url = https://subdomain.awsapps.com/start/
sso_account_id = <account_number>
sso_role_name = AdministratorAccess
sso_region = us-east-1

Enumeration

The main elements of Identity Center are:

  • Users and groups
  • Permission Sets: They have policies attached
  • AWS Accounts

Then, relationships are created so that users/groups have Permission Sets over an AWS Account.

Note

Note that there are 3 ways to attach policies to a Permission Set: attaching AWS managed policies, Customer managed policies (these policies need to be created in all the accounts the Permission Set affects), and inline policies (defined inside it).

# Check if IAM Identity Center is used
aws sso-admin list-instances

# Get Permissions sets. These are the policies that can be assigned
aws sso-admin list-permission-sets --instance-arn <instance-arn>
aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## Get managed policies of a permission set
aws sso-admin list-managed-policies-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get inline policies of a permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get customer managed policies of a permission set
aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission set
aws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## List accounts a permission set is affecting
aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an account
aws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>

# Get permissions sets affecting an account
aws sso-admin list-permission-sets-provisioned-to-account --instance-arn <instance-arn> --account-id <account_id>

# List users & groups from the identity store
aws identitystore list-users --identity-store-id <store-id>
aws identitystore list-groups --identity-store-id <store-id>
## Get members of groups
aws identitystore list-group-memberships --identity-store-id <store-id> --group-id <group-id>
## Get memberships of a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
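The relationship the section describes (user or group, to permission set, to account) is only visible once the list-account-assignments and list-group-memberships outputs are joined. This added example (not code from the original page) does that join and answers the auditor's question of who ends up with a given permission set; the ids, permission set ARNs and account numbers are constructed placeholders shaped like the real CLI output.

```python
"""Resolve which (account, permission set) pairs each Identity Center user can
reach, following GROUP assignments through identitystore memberships. Added
example; the inputs mirror the fields of `aws sso-admin list-account-assignments`
and `aws identitystore list-group-memberships` but are constructed."""
from collections import defaultdict

PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-1/ps-admin"  # placeholder ARNs
PS_RO = "arn:aws:sso:::permissionSet/ssoins-1/ps-ro"

# Constructed AccountAssignments entries for two accounts (placeholder ids).
ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": PS_ADMIN,
     "PrincipalType": "GROUP", "PrincipalId": "g-admins"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_RO,
     "PrincipalType": "USER", "PrincipalId": "u-alice"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_ADMIN,
     "PrincipalType": "GROUP", "PrincipalId": "g-ops"},
]
# Constructed GroupMemberships entries (GroupId -> MemberId.UserId).
MEMBERSHIPS = [
    {"GroupId": "g-admins", "MemberId": {"UserId": "u-alice"}},
    {"GroupId": "g-ops", "MemberId": {"UserId": "u-bob"}},
]

def effective_access(assignments, memberships):
    """Return {user_id: {(account_id, permission_set_arn, via)}} where via is
    'direct' for USER assignments or the group id the access is inherited from."""
    members = defaultdict(set)
    for m in memberships:
        members[m["GroupId"]].add(m["MemberId"]["UserId"])
    access = defaultdict(set)
    for a in assignments:
        target = (a["AccountId"], a["PermissionSetArn"])
        if a["PrincipalType"] == "USER":
            access[a["PrincipalId"]].add(target + ("direct",))
        else:  # GROUP: expand to every member, remembering the group
            for uid in members.get(a["PrincipalId"], ()):
                access[uid].add(target + (a["PrincipalId"],))
    return dict(access)

def users_with_permission_set(access, ps_arn):
    """Audit helper: every user that holds ps_arn in at least one account."""
    return sorted(u for u, grants in access.items() if any(g[1] == ps_arn for g in grants))

if __name__ == "__main__":
    acc = effective_access(ASSIGNMENTS, MEMBERSHIPS)
    for user, grants in sorted(acc.items()):
        for account, ps, via in sorted(grants):
            print(f"{user}: {account} {ps.rsplit('/', 1)[-1]} (via {via})")
    print("admins:", users_with_permission_set(acc, PS_ADMIN))
```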

Local Enumeration

It's possible to create the file config inside the folder $HOME/.aws to configure profiles that are accessible via SSO, for example:

[default]
region = us-west-2
output = json

[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = MySSORole
region = us-west-2
output = json

[profile dependent-profile]
role_arn = arn:aws:iam::<acc-id>:role/ReadOnlyRole
source_profile = my-sso-profile

This configuration can be used with the following commands:

# Login in my-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile

When a profile from SSO is used to access some information, the credentials are cached in a file inside the folder $HOME/.aws/sso/cache. So they can be read and used from there.

Moreover, more credentials can be stored in the folder $HOME/.aws/cli/cache. This cache folder is mainly used when you are working with AWS CLI profiles that use IAM user credentials or assume roles through IAM (without SSO). Config example:

[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456

Unauthenticated Access

AWS - Identity Center & SSO Unauthenticated Enum

Privilege Escalation

AWS - SSO & identitystore Privesc

Post Exploitation

AWS - SSO & identitystore Post Exploitation

Persistence

Create a user and give it permissions

# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password
  • Create a group, give it permissions, and put the controlled user in it
  • Give extra permissions to the controlled user or group
  • By default, only users with permissions from the Management Account will be able to access and control IAM Identity Center.

However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permissions, but they will be able to perform management activities.
