AWS - IAM, Identity Center & SSO Enum

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

IAM

You can find a description of IAM in:

AWS - Basic Information

Enumeration

Main permissions needed:

  • iam:ListPolicies, iam:GetPolicy and iam:GetPolicyVersion
  • iam:ListRoles
  • iam:ListUsers
  • iam:ListGroups
  • iam:ListGroupsForUser
  • iam:ListAttachedUserPolicies
  • iam:ListAttachedRolePolicies
  • iam:ListAttachedGroupPolicies
  • iam:ListUserPolicies and iam:GetUserPolicy
  • iam:ListGroupPolicies and iam:GetGroupPolicy
  • iam:ListRolePolicies and iam:GetRolePolicy
# All IAMs
## Retrieves information about all IAM users, groups, roles, and policies in
## your Amazon Web Services account, including their relationships to one
## another. Use this operation to obtain a snapshot of the configuration of
## IAM permissions (users, groups, roles, and policies) in your account.
aws iam get-account-authorization-details

# List users
aws iam get-user #Get current user information
aws iam list-users
aws iam list-ssh-public-keys #User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata
aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services
aws iam get-user --user-name <username> #Get metadata of user, included permissions boundaries
aws iam list-access-keys #List created access keys
## inline policies
aws iam list-user-policies --user-name <username> #Get inline policies of the user
aws iam get-user-policy --user-name <username> --policy-name <policyname> #Get inline policy details
## attached policies
aws iam list-attached-user-policies --user-name <username> #Get policies of user, it doesn't get inline policies

# List groups
aws iam list-groups #Get groups
aws iam list-groups-for-user --user-name <username> #Get groups of a user
aws iam get-group --group-name <name> #Get group name info
## inline policies
aws iam list-group-policies --group-name <groupname> #Get inline policies of the group
aws iam get-group-policy --group-name <groupname> --policy-name <policyname> #Get an inline policy info
## attached policies
aws iam list-attached-group-policies --group-name <name> #Get policies of group, it doesn't get inline policies

# List roles
aws iam list-roles #Get roles
aws iam get-role --role-name <role-name> #Get role
## inline policies
aws iam list-role-policies --role-name <name> #Get inline policies of a role
aws iam get-role-policy --role-name <name> --policy-name <name> #Get inline policy details
## attached policies
aws iam list-attached-role-policies --role-name <role-name> #Get policies of role, it doesn't get inline policies

# List policies
aws iam list-policies [--only-attached] [--scope Local]
aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy content
aws iam get-policy --policy-arn <policy_arn>
aws iam list-policy-versions --policy-arn <arn>
aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>

# Enumerate providers
aws iam list-saml-providers
aws iam get-saml-provider --saml-provider-arn <ARN>
aws iam list-open-id-connect-providers
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>

# Password Policy
aws iam get-account-password-policy

# MFA
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
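The get-account-authorization-details snapshot is the one place where users, groups, inline and attached policies and every managed-policy version appear together. The following Python, added here as an example (not part of the original page or of any tool it mentions), joins them into per-user effective Allow actions from a constructed sample snapshot: only the default policy version counts, and AWS managed policies are reported as unresolved because the dump does not include their documents.

```python
"""Resolve which policies actually apply to each IAM user from one
`aws iam get-account-authorization-details` snapshot (inline, attached, via groups)."""
import json
SNAPSHOT = json.loads("""{
 "UserDetailList": [
  {"UserName": "alice", "GroupList": ["devs"], "AttachedManagedPolicies": [],
   "UserPolicyList": [{"PolicyName": "alice-inline", "PolicyDocument":
     {"Statement": {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}}}]},
  {"UserName": "bob", "GroupList": [], "UserPolicyList": [],
   "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}],
 "GroupDetailList": [{"GroupName": "devs", "GroupPolicyList": [],
   "AttachedManagedPolicies": [{"PolicyName": "dev",
     "PolicyArn": "arn:aws:iam::111111111111:policy/dev"}]}],
 "Policies": [{"PolicyName": "dev", "Arn": "arn:aws:iam::111111111111:policy/dev",
   "PolicyVersionList": [
    {"VersionId": "v1", "IsDefaultVersion": false, "Document": {"Statement": []}},
    {"VersionId": "v2", "IsDefaultVersion": true, "Document": {"Statement": [
      {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:*"], "Resource": "*"}]}}]}]
}""")  # constructed sample in the real API's shape; the account id is a placeholder

def default_document(snapshot, policy_arn):
    """Default version of a customer managed policy (AWS managed ones are not in the dump -> None)."""
    for pol in snapshot["Policies"]:
        if pol["Arn"] == policy_arn:
            return next(v["Document"] for v in pol["PolicyVersionList"] if v["IsDefaultVersion"])
    return None

def effective_actions(snapshot):
    """user -> (allowed actions, managed policy names the dump cannot resolve).
    Deny statements and Conditions are ignored: a coverage map, not an authz decision."""
    groups = {g["GroupName"]: g for g in snapshot["GroupDetailList"]}
    result = {}
    for user in snapshot["UserDetailList"]:
        docs = [p["PolicyDocument"] for p in user["UserPolicyList"]]
        attached = list(user["AttachedManagedPolicies"])
        for g in (groups[n] for n in user["GroupList"]):  # inherited through groups
            docs += [p["PolicyDocument"] for p in g["GroupPolicyList"]]
            attached += g["AttachedManagedPolicies"]
        actions, unresolved = set(), set()
        for ref in attached:
            doc = default_document(snapshot, ref["PolicyArn"])
            docs.append(doc) if doc else unresolved.add(ref["PolicyName"])
        for doc in docs:
            stmts = doc["Statement"]  # a single statement may be a bare object
            for st in ([stmts] if isinstance(stmts, dict) else stmts):
                if st.get("Effect") == "Allow":
                    actions.update([a] if isinstance(a := st["Action"], str) else a)
        result[user["UserName"]] = (actions, unresolved)
    return result
```

Run on a real dump, the unresolved set tells you which AWS managed policies still need a get-policy-version call to be expanded.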

Stealthy permission confirmation via deliberately triggered failures

When List* or Simulate* APIs are blocked, you can confirm mutating permissions without creating persistent resources by triggering predictable validation errors. AWS still evaluates IAM before returning these errors, so seeing the error proves the caller holds that action permission:

# Confirm iam:CreateUser without creating a new principal (fails only after authz)
aws iam create-user --user-name <existing_user>  # -> EntityAlreadyExistsException

# Confirm iam:CreateLoginProfile while learning password policy requirements
aws iam create-login-profile --user-name <target_user> --password lower --password-reset-required  # -> PasswordPolicyViolationException

These attempts still generate CloudTrail events (with errorCode set) but avoid leaving new IAM artifacts, so they are useful for low-noise permission validation during interactive reconnaissance.
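What the probes above look like from the defender's side, as an added example that is not part of the original page: each leaves a CloudTrail record whose errorCode is a validation error rather than AccessDenied, which is exactly the signal to alert on. The records are constructed.

```python
"""Spot IAM write calls that passed authorization but failed validation in
CloudTrail: a validation error (EntityAlreadyExists, PasswordPolicyViolation)
is only returned after IAM authorized the call, so the record proves the caller
holds the permission even though nothing was created. Records are constructed."""
import json
from collections import defaultdict

READ_PREFIXES = ("Get", "List", "Describe", "Simulate", "Generate")
DENIED = ("AccessDenied", "AccessDeniedException")  # authz failed: proves nothing

# Constructed CloudTrail records, trimmed to the fields used here.
RECORDS = [json.loads(r) for r in (
    '{"eventTime":"2024-05-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser",'
    '"errorCode":"EntityAlreadyExistsException","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev1"},'
    '"requestParameters":{"userName":"admin"}}',
    '{"eventTime":"2024-05-01T10:00:05Z","eventSource":"iam.amazonaws.com","eventName":"CreateLoginProfile",'
    '"errorCode":"PasswordPolicyViolationException","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev1"},'
    '"requestParameters":{"userName":"admin"}}',
    '{"eventTime":"2024-05-01T10:00:09Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser",'
    '"errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev2"}}',
    '{"eventTime":"2024-05-01T10:00:12Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers",'
    '"userIdentity":{"arn":"arn:aws:iam::111111111111:user/dev1"}}',
    '{"eventTime":"2024-05-01T10:01:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser",'
    '"userIdentity":{"arn":"arn:aws:iam::111111111111:role/ci"},"requestParameters":{"userName":"svc"}}',
)]

def classify(record):
    """'probe'  : IAM write that was authorized but failed validation (no artifact)
       'denied' : IAM write rejected at authorization
       'write'  : IAM write that succeeded
       None     : not IAM, or a read-only call"""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    if record["eventName"].startswith(READ_PREFIXES):
        return None
    err = record.get("errorCode")
    if err is None:
        return "write"
    return "denied" if err in DENIED else "probe"

def proven_permissions(records):
    """principal ARN -> iam:<Action> permissions demonstrated by probe events;
    each deserves the same alerting weight as the successful write would."""
    proven = defaultdict(set)
    for r in records:
        if classify(r) == "probe":
            proven[r["userIdentity"]["arn"]].add("iam:" + r["eventName"])
    return dict(proven)
```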

Permissions brute force

If you want to know your permissions but cannot access IAM to query them, you can always brute force them.

bf-aws-permissions

The tool bf-aws-permissions is just a bash script that runs, using the indicated profile, all the list*, describe* and get* actions it can find in the aws cli help messages and returns the ones that executed successfully.

# Bruteforce permissions
bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt

bf-aws-perms-simulate

The tool bf-aws-perms-simulate can find your current permissions (or those of other principals) if you have the permission iam:SimulatePrincipalPolicy.

# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]

Perms2ManagedPolicies

If you find some permissions your user has and you think they are granted by an AWS managed role (and not a custom one), you can use the tool aws-Perms2ManagedRoles to check all the AWS managed roles that grant the permissions you discovered.

# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt

Warning

Sometimes you can "tell" that the permissions you have are granted by an AWS managed role, for example when you find that you have permissions over unused services.

Cloudtrail2IAM

CloudTrail2IAM is a Python tool that analyzes AWS CloudTrail logs to extract and summarize the actions performed, either by everyone or only by a specific user or role. The tool parses every cloudtrail log in the indicated bucket.

git clone https://github.com/carlospolop/Cloudtrail2IAM
cd Cloudtrail2IAM
pip install -r requirements.txt
python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS]

Warning

If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located in a bucket with the prefix cf-templates), you can also read them to find aws configurations and figure out which permissions have been assigned to whom.

enumerate-iam

To use the tool https://github.com/andresriancho/enumerate-iam you first need to download all the API AWS endpoints, from those the script generate_bruteforce_tests.py will get all the “list_”, “describe_”, and “get_” endpoints. And finally, it will try to access them with the given credentials and indicate if it worked.

(In my experience the tool hangs at some point; check out this fix to try to fix that.)

Warning

In my experience this tool is similar to the previous one, but it works worse and checks fewer permissions.

# Install tool
git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt

# Download API endpoints
cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python3 generate_bruteforce_tests.py
rm -rf aws-sdk-js
cd ..

# Enumerate permissions
python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION]

weirdAAL

You can also use the tool weirdAAL. This tool checks several common actions over several common services (it checks some enumeration permissions and also some privesc ones). But it only checks the coded checks (the only way to check more is to code more tests).

# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
python3 -m venv weirdAAL
source weirdAAL/bin/activate
pip3 install -r requirements.txt

# Create a .env file with aws credentials such as
[default]
aws_access_key_id = <insert key id>
aws_secret_access_key = <insert secret key>

# Setup DB
python3 create_dbs.py

# Invoke it
python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests
python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# You will see output such as:
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']

Hardening tools to BF permissions

# Export env variables
./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json

# Filter results removing unknown
jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json | jq 'map(select(.resource | contains("N/A") | not))' > /tmp/out-cloudsploit-filt.json

# Get services by regions
jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' /tmp/out-cloudsploit-filt.json

<YourTool>

Neither of the previous tools is capable of checking close to all permissions, so if you know a better tool send a PR!

Unauthenticated Access

AWS - IAM & STS Unauthenticated Enum

Privilege Escalation

In the following page you can check how to abuse IAM permissions to escalate privileges:

AWS - IAM Privesc

IAM Post Exploitation

AWS - IAM Post Exploitation

IAM Persistence

AWS - IAM Persistence

IAM Identity Center

A description of IAM Identity Center can be found in:

AWS - Basic Information

Connect via CLI using SSO

# Connect with SSO via the CLI (interactive wizard)
aws configure sso

# Resulting profile written to ~/.aws/config
[profile profile_name]
sso_start_url = https://subdomain.awsapps.com/start/
sso_account_id = <account_number>
sso_role_name = AdministratorAccess
sso_region = us-east-1

Enumeration

The main elements of Identity Center are:

  • Users and groups
  • Permission Sets: have policies attached
  • AWS Accounts

Relationships are then created so that users/groups have Permission Sets over AWS Accounts.

Note

Note that there are three ways to attach policies to a Permission Set: attaching AWS managed policies, Customer managed policies (these policies need to exist in every account the Permission Set affects), and inline policies (defined inside it).

# Check if IAM Identity Center is used
aws sso-admin list-instances

# Get Permissions sets. These are the policies that can be assigned
aws sso-admin list-permission-sets --instance-arn <instance-arn>
aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## Get managed policies of a permission set
aws sso-admin list-managed-policies-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get inline policies of a permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get customer managed policies of a permission set
aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission set
aws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>

## List accounts a permission set is affecting
aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an account
aws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>

# Get permissions sets affecting an account
aws sso-admin list-permission-sets-provisioned-to-account --instance-arn <instance-arn> --account-id <account_id>

# List users & groups from the identity store
aws identitystore list-users --identity-store-id <store-id>
aws identitystore list-groups --identity-store-id <store-id>
## Get members of groups
aws identitystore list-group-memberships --identity-store-id <store-id> --group-id <group-id>
## Get memberships of a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
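The relationships just enumerated can be flattened into a per-user view, as an added example that is not part of the original page: the dictionaries stand in for the outputs of describe-permission-set, list-account-assignments and the identitystore calls, and every id, ARN and name in them is constructed.

```python
"""Flatten IAM Identity Center assignments into "who can assume what, where":
users and groups -> permission sets -> accounts. Constructed sample data."""
from collections import defaultdict

# Constructed outputs in the shape of the sso-admin / identitystore CLI calls.
PERMISSION_SETS = {  # describe-permission-set -> PermissionSet.Name
    "arn:aws:sso:::permissionSet/ssoins-1/ps-admin": "AdministratorAccess",
    "arn:aws:sso:::permissionSet/ssoins-1/ps-ro": "ReadOnly",
}
ASSIGNMENTS = [  # list-account-assignments -> AccountAssignments[]
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-1/ps-admin",
     "PrincipalType": "GROUP", "PrincipalId": "g-platform"},
    {"AccountId": "222222222222", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-1/ps-ro",
     "PrincipalType": "USER", "PrincipalId": "u-carol"},
]
USERS = {"u-alice": "alice", "u-carol": "carol"}  # list-users -> UserId: UserName
GROUPS = {"g-platform": "platform-team"}          # list-groups -> GroupId: DisplayName
MEMBERSHIPS = [{"GroupId": "g-platform", "MemberId": {"UserId": "u-alice"}}]  # list-group-memberships

def effective_access(assignments, memberships, users, groups, permission_sets):
    """UserName -> set of (AccountId, PermissionSetName, via), where via is the
    group DisplayName for inherited access or 'direct' for a user assignment."""
    members = defaultdict(set)
    for m in memberships:
        members[m["GroupId"]].add(m["MemberId"]["UserId"])
    access = defaultdict(set)
    for a in assignments:
        ps_name = permission_sets.get(a["PermissionSetArn"], a["PermissionSetArn"])
        if a["PrincipalType"] == "USER":
            access[users.get(a["PrincipalId"], a["PrincipalId"])].add((a["AccountId"], ps_name, "direct"))
        else:  # group assignment: every member inherits it in that account
            via = groups.get(a["PrincipalId"], a["PrincipalId"])
            for uid in members.get(a["PrincipalId"], ()):
                access[users.get(uid, uid)].add((a["AccountId"], ps_name, via))
    return dict(access)

def admin_holders(access):
    """Users holding an AdministratorAccess permission set in any account."""
    return sorted(u for u, grants in access.items()
                  if any(g[1] == "AdministratorAccess" for g in grants))
```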

Local Enumeration

A file named config can be created in the folder $HOME/.aws to configure the profiles accessible via SSO, for example:

[default]
region = us-west-2
output = json

[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = MySSORole
region = us-west-2
output = json

[profile dependent-profile]
role_arn = arn:aws:iam::<acc-id>:role/ReadOnlyRole
source_profile = my-sso-profile

This configuration can be used with the following commands:

# Log in with my-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile

When a profile from SSO is used to access some information, the credentials are cached in a file inside the folder $HOME/.aws/sso/cache. Therefore they can be read and used from there.

Moreover, more credentials can be stored in the folder $HOME/.aws/cli/cache. This cache directory is mainly used when you work with AWS CLI profiles that use IAM user credentials or assume IAM roles without SSO. Configuration example:

[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456

Unauthenticated Access

AWS - Identity Center & SSO Unauthenticated Enum

Privilege Escalation

AWS - SSO & identitystore Privesc

Post Exploitation

AWS - SSO & identitystore Post Exploitation

Persistence

Create a user and assign permissions to it

# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it, try to log in to the console with the chosen username: you will receive an email with a code and will then be able to set a password

  • Create a group, assign it permissions, and put a controlled user in it
  • Grant additional permissions to a controlled user or group
  • By default, only users from the Management Account with permissions are able to access and control IAM Identity Center.

However, via Delegate Administrator it is possible to allow users from a different account to manage it. They won't have exactly the same permissions, but they will be able to perform management activities.
