gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-14 05:46:25 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions
Download Patch File Download Diff File Expand all files Collapse all files

126
src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md
View File

@@ -1,20 +1,20 @@
# AWS - IAM, Identity Center & SSO Enum
# AWS - IAM, Identiteitsentrum & SSO Enum
{{#include ../../../banners/hacktricks-training.md}}
## IAM
You can find a **description of IAM** in:
Jy kan 'n **beskrywing van IAM** vind in:
{{#ref}}
../aws-basic-information/
{{#endref}}
### Enumeration
### Enumerasie
Main permissions needed:
Hoof toestemmings benodig:
- `iam:ListPolicies`, `iam:GetPolicy` and `iam:GetPolicyVersion`
- `iam:ListPolicies`, `iam:GetPolicy` en `iam:GetPolicyVersion`
- `iam:ListRoles`
- `iam:ListUsers`
- `iam:ListGroups`
@@ -22,10 +22,9 @@ Main permissions needed:
- `iam:ListAttachedUserPolicies`
- `iam:ListAttachedRolePolicies`
- `iam:ListAttachedGroupPolicies`
- `iam:ListUserPolicies` and `iam:GetUserPolicy`
- `iam:ListGroupPolicies` and `iam:GetGroupPolicy`
- `iam:ListRolePolicies` and `iam:GetRolePolicy`
- `iam:ListUserPolicies` en `iam:GetUserPolicy`
- `iam:ListGroupPolicies` en `iam:GetGroupPolicy`
- `iam:ListRolePolicies` en `iam:GetRolePolicy`
```bash
# All IAMs
## Retrieves information about all IAM users, groups, roles, and policies
@@ -89,64 +88,54 @@ aws iam get-account-password-policy
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
```
### Toestemmings Brute Force
### Permissions Brute Force
If you are interested in your own permissions but you don't have access to query IAM you could always brute-force them.
As jy belangstel in jou eie toestemmings, maar jy het nie toegang om IAM te ondervra nie, kan jy altyd brute-force hulle.
#### bf-aws-permissions
The tool [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) is just a bash script that will run using the indicated profile all the **`list*`, `describe*`, `get*`** actions it can find using `aws` cli help messages and **return the successful executions**.
Die hulpmiddel [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) is net 'n bash-skrip wat sal loop met die aangeduide profiel al die **`list*`, `describe*`, `get*`** aksies wat dit kan vind met behulp van `aws` cli hulpboodskappe en **teruggee die suksesvolle uitvoerings**.
```bash
# Bruteforce permissions
bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt
```
#### bf-aws-perms-simulate
The tool [**bf-aws-perms-simulate**](https://github.com/carlospolop/bf-aws-perms-simulate) can find your current permission (or the ones of other principals) if you have the permission **`iam:SimulatePrincipalPolicy`**
Die hulpmiddel [**bf-aws-perms-simulate**](https://github.com/carlospolop/bf-aws-perms-simulate) kan jou huidige toestemmings (of dié van ander principals) vind as jy die toestemming **`iam:SimulatePrincipalPolicy`** het.
```bash
# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]
```
#### Perms2ManagedPolicies
If you found **some permissions your user has**, and you think that they are being granted by a **managed AWS role** (and not by a custom one). You can use the tool [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) to check all the **AWS managed roles that grants the permissions you discovered that you have**.
As jy **sekere toestemmings gevind het wat jou gebruiker het**, en jy dink dat dit toegeken word deur 'n **bestuurde AWS rol** (en nie deur 'n pasgemaakte een nie). Jy kan die hulpmiddel [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) gebruik om al die **AWS bestuurde rolle wat die toestemmings wat jy ontdek het dat jy het, toeken** te kontroleer.
```bash
# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt
```
> [!WARNING]
> It's possible to "know" if the permissions you have are granted by an AWS managed role if you see that **you have permissions over services that aren't used** for example.
> Dit is moontlik om te "weet" of die toestemmings wat jy het, toegeken is deur 'n AWS bestuurde rol as jy sien dat **jy toestemmings oor dienste het wat nie gebruik word nie** byvoorbeeld.
#### Cloudtrail2IAM
[**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) is a Python tool that analyses **AWS CloudTrail logs to extract and summarize actions** done by everyone or just an specific user or role. The tool will **parse every cloudtrail log from the indicated bucket**.
[**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) is 'n Python-gereedskap wat **AWS CloudTrail logs analiseer om aksies** wat deur almal of net 'n spesifieke gebruiker of rol gedoen is, te onttrek en saam te vat. Die gereedskap sal **elke cloudtrail log van die aangeduide emmer parse**.
```bash
git clone https://github.com/carlospolop/Cloudtrail2IAM
cd Cloudtrail2IAM
pip install -r requirements.txt
python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS]
```
> [!WARNING]
> If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find aws configuration and find which permissions have been assigned to who.
> As jy .tfstate (Terraform toestand lêers) of CloudFormation lêers (dit is gewoonlik yaml lêers wat binne 'n emmer met die voorvoegsel cf-templates geleë is) vind, kan jy dit ook lees om aws konfigurasie te vind en te sien watter toestemmings aan wie toegeken is.
#### enumerate-iam
To use the tool [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam) you first need to download all the API AWS endpoints, from those the script **`generate_bruteforce_tests.py`** will get all the **"list\_", "describe\_", and "get\_" endpoints.** And finally, it will try to **access them** with the given credentials and **indicate if it worked**.
Om die hulpmiddel [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam) te gebruik, moet jy eers al die API AWS eindpunte aflaai, van daardie sal die skrip **`generate_bruteforce_tests.py`** al die **"list\_", "describe\_", en "get\_" eindpunte kry.** En uiteindelik sal dit probeer om **toegang tot hulle** te verkry met die gegewe akrediteer en **aangee of dit gewerk het**.
(In my experience the **tool hangs at some point**, [**checkout this fix**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) to try to fix that).
(Volgens my ervaring hang die **hulpmiddel op 'n sekere punt**, [**kyk na hierdie oplossing**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) om te probeer om dit reg te stel).
> [!WARNING]
> In my experience this tool is like the previous one but working worse and checking less permissions
> Volgens my ervaring is hierdie hulpmiddel soos die vorige, maar werk erger en kontroleer minder toestemmings.
```bash
# Install tool
git clone git@github.com:andresriancho/enumerate-iam.git
@@ -163,11 +152,9 @@ cd ..
# Enumerate permissions
python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION]
```
#### weirdAAL
You could also use the tool [**weirdAAL**](https://github.com/carnal0wnage/weirdAAL/wiki). This tool will check **several common operations on several common services** (will check some enumeration permissions and also some privesc permissions). But it will only check the coded checks (the only way to check more stuff if coding more tests).
Jy kan ook die hulpmiddel [**weirdAAL**](https://github.com/carnal0wnage/weirdAAL/wiki) gebruik. Hierdie hulpmiddel sal **verskeie algemene operasies op verskeie algemene dienste nagaan** (sal 'n paar enumerasie-toestemmings en ook 'n paar privesc-toestemmings nagaan). Maar dit sal slegs die gekodeerde toetse nagaan (die enigste manier om meer goed na te gaan is om meer toetse te kodeer).
```bash
# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
@@ -191,12 +178,10 @@ python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']
```
#### Hardening Tools to BF permissions
#### Versterking van Gereedskap om BF-toestemmings
{{#tabs }}
{{#tab name="CloudSploit" }}
```bash
# Export env variables
./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json
@@ -207,11 +192,9 @@ jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json
# Get services by regions
jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' ~/Desktop/pentests/cere/greybox/core-dev-dev-cloudsploit-filtered.json
```
{{#endtab }}
{{#tab name="SteamPipe" }}
```bash
# https://github.com/turbot/steampipe-mod-aws-insights
steampipe check all --export=json
@@ -220,15 +203,14 @@ steampipe check all --export=json
# In this case you cannot output to JSON, so heck it in the dashboard
steampipe dashboard
```
{{#endtab }}
{{#endtabs }}
#### \<YourTool>
Neither of the previous tools is capable of checking close to all permissions, so if you know a better tool send a PR!
Geen van die vorige gereedskap is in staat om naby al die toestemmings te kontroleer nie, so as jy 'n beter gereedskap ken, stuur 'n PR!
### Unauthenticated Access
### Ongeauthentiseerde Toegang
{{#ref}}
../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md
@@ -236,7 +218,7 @@ Neither of the previous tools is capable of checking close to all permissions, s
### Privilege Escalation
In the following page you can check how to **abuse IAM permissions to escalate privileges**:
Op die volgende bladsy kan jy kyk hoe om **IAM-toestemmings te misbruik om voorregte te verhoog**:
{{#ref}}
../aws-privilege-escalation/aws-iam-privesc.md
@@ -248,22 +230,21 @@ In the following page you can check how to **abuse IAM permissions to escalate p
../aws-post-exploitation/aws-iam-post-exploitation.md
{{#endref}}
### IAM Persistence
### IAM Persistensie
{{#ref}}
../aws-persistence/aws-iam-persistence.md
{{#endref}}
## IAM Identity Center
## IAM Identiteitsentrum
You can find a **description of IAM Identity Center** in:
Jy kan 'n **beskrywing van IAM Identiteitsentrum** vind in:
{{#ref}}
../aws-basic-information/
{{#endref}}
### Connect via SSO with CLI
### Verbinding via SSO met CLI
```bash
# Connect with sso via CLI aws configure sso
aws configure sso
@@ -274,20 +255,18 @@ sso_account_id = <account_numbre>
sso_role_name = AdministratorAccess
sso_region = us-east-1
```
### Enumeration
The main elements of the Identity Center are:
Die hoofelemente van die Identiteitsentrum is:
- Users and groups
- Permission Sets: Have policies attached
- AWS Accounts
- Gebruikers en groepe
- Toestemmingsstelle: Het beleide aangeheg
- AWS-rekeninge
Then, relationships are created so users/groups have Permission Sets over AWS Account.
Dan word verhoudings geskep sodat gebruikers/groepe Toestemmingsstelle oor AWS-rekening het.
> [!NOTE]
> Note that there are 3 ways to attach policies to a Permission Set. Attaching AWS managed policies, Customer managed policies (these policies needs to be created in all the accounts the Permissions Set is affecting), and inline policies (defined in there).
> Let daarop dat daar 3 maniere is om beleide aan 'n Toestemmingsstel te heg. Heg AWS bestuurde beleide, Kliënt bestuurde beleide (hierdie beleide moet in al die rekeninge geskep word wat die Toestemmingsstel beïnvloed), en inline beleide (gedefinieer daar).
```bash
# Check if IAM Identity Center is used
aws sso-admin list-instances
@@ -321,11 +300,9 @@ aws identitystore list-group-memberships --identity-store-id <store-id> --group-
## Get memberships or a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
```
### Plaaslike Enumerasie
### Local Enumeration
It's possible to create inside the folder `$HOME/.aws` the file config to configure profiles that are accessible via SSO, for example:
Dit is moontlik om binne die gids `$HOME/.aws` die lêer config te skep om profiele te konfigureer wat via SSO toeganklik is, byvoorbeeld:
```ini
[default]
region = us-west-2
@@ -343,20 +320,16 @@ output = json
role_arn = arn:aws:iam::<acc-id>:role/ReadOnlyRole
source_profile = Hacktricks-Admin
```
This configuration can be used with the commands:
Hierdie konfigurasie kan gebruik word met die opdragte:
```bash
# Login in ms-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile
```
Wanneer 'n **profiel van SSO gebruik word** om toegang tot sekere inligting te verkry, word die geloofsbriewe **in 'n lêer in die gids **`$HOME/.aws/sso/cache`** gestoor. Daarom kan dit **gelees en daar gebruik word**.
When a **profile from SSO is used** to access some information, the credentials are **cached** in a file inside the folder **`$HOME/.aws/sso/cache`**. Therefore they can be **read and used from there**.
Moreover, **more credentials** can be stored in the folder **`$HOME/.aws/cli/cache`**. This cache directory is primarily used when you are **working with AWS CLI profiles** that use IAM user credentials or **assume** roles through IAM (without SSO). Config example:
Boonop kan **meer geloofsbriewe** in die gids **`$HOME/.aws/cli/cache`** gestoor word. Hierdie cache-gids word hoofsaaklik gebruik wanneer jy **met AWS CLI-profiele werk** wat IAM-gebruiker geloofsbriewe gebruik of **aanneem** rolle deur IAM (sonder SSO). Konfigurasie voorbeeld:
```ini
[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
@@ -364,8 +337,7 @@ source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456
```
### Unauthenticated Access
### Ongeauthentiseerde Toegang
{{#ref}}
../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md
@@ -383,24 +355,18 @@ external_id = 123456
../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md
{{#endref}}
### Persistence
#### Create a user an assign permissions to it
### Volharding
#### Skep 'n gebruiker en ken toestemmings aan dit toe
```bash
# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password
```
- Skep 'n groep en ken dit toestemmings toe en stel 'n beheerde gebruiker daarop in
- Gee ekstra toestemmings aan 'n beheerde gebruiker of groep
- Standaard sal slegs gebruikers met toestemmings van die Bestuursrekening toegang hê tot en beheer oor die IAM Identiteitsentrum.
- Create a group and assign it permissions and set on it a controlled user
- Give extra permissions to a controlled user or group
- By default, only users with permissions form the Management Account are going to be able to access and control the IAM Identity Center.
However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permission, but they will be able to perform [**management activities**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html).
Dit is egter moontlik om via 'n Gedelegeerde Administrateur gebruikers van 'n ander rekening toe te laat om dit te bestuur. Hulle sal nie presies dieselfde toestemming hê nie, maar hulle sal in staat wees om [**bestuursaktiwiteite**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) uit te voer.
{{#include ../../../banners/hacktricks-training.md}}