gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-22 23:26:41 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/aws-security/aws-unauthenticated-enum-

Browse Source
This commit is contained in:
Translator
2025-10-14 01:36:44 +00:00
parent fafefc6269
commit 04047b5fcf
215 changed files with 9361 additions and 6013 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence/README.md Normal file
View File

@@ -0,0 +1,127 @@
# AWS - STS Persistence
{{#include ../../../../banners/hacktricks-training.md}}
## STS
Pour plus d'informations, consultez :
{{#ref}}
../../aws-services/aws-sts-enum.md
{{#endref}}
### Assume role token
Les jetons temporaires ne peuvent pas être listés, donc maintenir un jeton temporaire actif est un moyen de conserver la persistance.
<pre class="language-bash"><code class="lang-bash">aws sts get-session-token --duration-seconds 129600
# With MFA
aws sts get-session-token \
--serial-number <mfa-device-name> \
--token-code <code-from-token>
# Hardware device name is usually the number from the back of the device, such as GAHT12345678
<strong># SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
</strong># Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username
</code></pre>
### Role Chain Juggling
[**Role chaining is an acknowledged AWS feature**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining), souvent utilisé pour maintenir une persistance furtive. Cela implique la capacité de **assume a role which then assumes another**, pouvant revenir au rôle initial de manière **cyclique**. Chaque fois qu'un rôle est assumé, le champ d'expiration des identifiants est rafraîchi. Par conséquent, si deux rôles sont configurés pour s'assumer mutuellement, cette configuration permet le renouvellement perpétuel des identifiants.
Vous pouvez utiliser cet [**tool**](https://github.com/hotnops/AWSRoleJuggler/) pour maintenir le role chaining :
```bash
./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]
optional arguments:
-h, --help show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
```
> [!CAUTION]
> Notez que le script [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) de ce dépôt Github ne trouve pas toutes les façons dont une chaîne de rôles peut être configurée.
<details>
<summary>Code pour effectuer du Role Juggling depuis PowerShell</summary>
```bash
# PowerShell script to check for role juggling possibilities using AWS CLI
# Check for AWS CLI installation
if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) {
Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
exit
}
# Function to list IAM roles
function List-IAMRoles {
aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
}
# Initialize error count
$errorCount = 0
# List all roles
$roles = List-IAMRoles | ConvertFrom-Json
# Attempt to assume each role
foreach ($role in $roles) {
$sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
try {
$credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
if ($credentials) {
Write-Host "Successfully assumed role: $($role.RoleName)"
Write-Host "Access Key: $($credentials.AccessKeyId)"
Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
Write-Host "Session Token: $($credentials.SessionToken)"
Write-Host "Expiration: $($credentials.Expiration)"
# Set temporary credentials to assume the next role
$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
$env:AWS_SESSION_TOKEN = $credentials.SessionToken
# Try to assume another role using the temporary credentials
foreach ($nextRole in $roles) {
if ($nextRole.Arn -ne $role.Arn) {
$nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
try {
$nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
if ($nextCredentials) {
Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
Write-Host "Session Token: $($nextCredentials.SessionToken)"
Write-Host "Expiration: $($nextCredentials.Expiration)"
}
} catch {
$errorCount++
}
}
}
# Reset environment variables
Remove-Item Env:\AWS_ACCESS_KEY_ID
Remove-Item Env:\AWS_SECRET_ACCESS_KEY
Remove-Item Env:\AWS_SESSION_TOKEN
} else {
$errorCount++
}
} catch {
$errorCount++
}
}
# Output the number of errors if any
if ($errorCount -gt 0) {
Write-Host "$errorCount error(s) occurred during role assumption attempts."
} else {
Write-Host "No errors occurred. All roles checked successfully."
}
Write-Host "Role juggling check complete."
```
</details>
{{#include ../../../../banners/hacktricks-training.md}}