gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-23 15:37:53 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
a24ae510bf27f5f0e15104b31c0ca911ece713c9
hacktricks-cloud/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md
Carlos Polop 5ef56bb6b3 Recreating repository history for branch master
2024-12-12 19:35:48 +01:00

441 lines
19 KiB
Markdown
Raw Blame History

# AWS - IAM, Identity Center & SSO Enum
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## IAM
You can find a **description of IAM** in:
{% content-ref url="../aws-basic-information/" %}
[aws-basic-information](../aws-basic-information/)
{% endcontent-ref %}
### Enumeration
Main permissions needed:
* `iam:ListPolicies`, `iam:GetPolicy` and `iam:GetPolicyVersion`
* `iam:ListRoles`
* `iam:ListUsers`
* `iam:ListGroups`
* `iam:ListGroupsForUser`
* `iam:ListAttachedUserPolicies`
* `iam:ListAttachedRolePolicies`
* `iam:ListAttachedGroupPolicies`
* `iam:ListUserPolicies` and `iam:GetUserPolicy`
* `iam:ListGroupPolicies` and `iam:GetGroupPolicy`
* `iam:ListRolePolicies` and `iam:GetRolePolicy`
```bash
# All IAMs
## Retrieves information about all IAM users, groups, roles, and policies
## in your Amazon Web Services account, including their relationships to
## one another. Use this operation to obtain a snapshot of the configura-
## tion of IAM permissions (users, groups, roles, and policies) in your
## account.
aws iam get-account-authorization-details
# List users
aws iam get-user #Get current user information
aws iam list-users
aws iam list-ssh-public-keys #User keys for CodeCommit
aws iam get-ssh-public-key --user-name <username> --ssh-public-key-id <id> --encoding SSH #Get public key with metadata
aws iam list-service-specific-credentials #Get special permissions of the IAM user over specific services
aws iam get-user --user-name <username> #Get metadata of user, included permissions boundaries
aws iam list-access-keys #List created access keys
## inline policies
aws iam list-user-policies --user-name <username> #Get inline policies of the user
aws iam get-user-policy --user-name <username> --policy-name <policyname> #Get inline policy details
## attached policies
aws iam list-attached-user-policies --user-name <username> #Get policies of user, it doesn't get inline policies
# List groups
aws iam list-groups #Get groups
aws iam list-groups-for-user --user-name <username> #Get groups of a user
aws iam get-group --group-name <name> #Get group name info
## inline policies
aws iam list-group-policies --group-name <username> #Get inline policies of the group
aws iam get-group-policy --group-name <username> --policy-name <policyname> #Get an inline policy info
## attached policies
aws iam list-attached-group-policies --group-name <name> #Get policies of group, it doesn't get inline policies
# List roles
aws iam list-roles #Get roles
aws iam get-role --role-name <role-name> #Get role
## inline policies
aws iam list-role-policies --role-name <name> #Get inline policies of a role
aws iam get-role-policy --role-name <name> --policy-name <name> #Get inline policy details
## attached policies
aws iam list-attached-role-policies --role-name <role-name> #Get policies of role, it doesn't get inline policies
# List policies
aws iam list-policies [--only-attached] [--scope Local]
aws iam list-policies-granting-service-access --arn <identity> --service-namespaces <svc> # Get list of policies that give access to the user to the service
## Get policy content
aws iam get-policy --policy-arn <policy_arn>
aws iam list-policy-versions --policy-arn <arn>
aws iam get-policy-version --policy-arn <arn:aws:iam::975426262029:policy/list_apigateways> --version-id <VERSION_X>
# Enumerate providers
aws iam list-saml-providers
aws iam get-saml-provider --saml-provider-arn <ARN>
aws iam list-open-id-connect-providers
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>
# Password Policy
aws iam get-account-password-policy
# MFA
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
```
### Permissions Brute Force
If you are interested in your own permissions but you don't have access to query IAM you could always brute-force them.
#### bf-aws-permissions
The tool [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) is just a bash script that will run using the indicated profile all the **`list*`, `describe*`, `get*`** actions it can find using `aws` cli help messages and **return the successful executions**.
{% code overflow="wrap" %}
```bash
# Bruteforce permissions
bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt
```
{% endcode %}
#### bf-aws-perms-simulate
The tool [**bf-aws-perms-simulate**](https://github.com/carlospolop/bf-aws-perms-simulate) can find your current permission (or the ones of other principals) if you have the permission **`iam:SimulatePrincipalPolicy`**
```bash
# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]
```
#### Perms2ManagedPolicies
If you found **some permissions your user has**, and you think that they are being granted by a **managed AWS role** (and not by a custom one). You can use the tool [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) to check all the **AWS managed roles that grants the permissions you discovered that you have**.
{% code overflow="wrap" %}
```bash
# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt
```
{% endcode %}
{% hint style="warning" %}
It's possible to "know" if the permissions you have are granted by an AWS managed role if you see that **you have permissions over services that aren't used** for example.
{% endhint %}
#### Cloudtrail2IAM
[**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) is a Python tool that analyses **AWS CloudTrail logs to extract and summarize actions** done by everyone or just an specific user or role. The tool will **parse every cloudtrail log from the indicated bucket**.
{% code overflow="wrap" %}
```bash
git clone https://github.com/carlospolop/Cloudtrail2IAM
cd Cloudtrail2IAM
pip install -r requirements.txt
python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS]
```
{% endcode %}
{% hint style="warning" %}
If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find aws configuration and find which permissions have been assigned to who.
{% endhint %}
#### enumerate-iam
To use the tool [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam) you first need to download all the API AWS endpoints, from those the script **`generate_bruteforce_tests.py`** will get all the **"list\_", "describe\_", and "get\_" endpoints.** And finally, it will try to **access them** with the given credentials and **indicate if it worked**.
(In my experience the **tool hangs at some point**, [**checkout this fix**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) to try to fix that).
{% hint style="warning" %}
In my experience this tool is like the previous one but working worse and checking less permissions
{% endhint %}
{% code overflow="wrap" %}
```bash
# Install tool
git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt
# Download API endpoints
cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python3 generate_bruteforce_tests.py
rm -rf aws-sdk-js
cd ..
# Enumerate permissions
python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION]
```
{% endcode %}
#### weirdAAL
You could also use the tool [**weirdAAL**](https://github.com/carnal0wnage/weirdAAL/wiki). This tool will check **several common operations on several common services** (will check some enumeration permissions and also some privesc permissions). But it will only check the coded checks (the only way to check more stuff if coding more tests).
```bash
# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
python3 -m venv weirdAAL
source weirdAAL/bin/activate
pip3 install -r requirements.txt
# Create a .env file with aws credentials such as
[default]
aws_access_key_id = <insert key id>
aws_secret_access_key = <insert secret key>
# Setup DB
python3 create_dbs.py
# Invoke it
python3 weirdAAL.py -m ec2_describe_instances -t ec2test # Just some ec2 tests
python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# You will see output such as:
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']
```
#### Hardening Tools to BF permissions
{% tabs %}
{% tab title="CloudSploit" %}
{% code overflow="wrap" %}
```bash
# Export env variables
./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json
# Filter results removing unknown
jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json | jq 'map(select(.resource | contains("N/A") | not))' > /tmp/out-cloudsploit-filt.json
# Get services by regions
jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' ~/Desktop/pentests/cere/greybox/core-dev-dev-cloudsploit-filtered.json
```
{% endcode %}
{% endtab %}
{% tab title="SteamPipe" %}
```bash
# https://github.com/turbot/steampipe-mod-aws-insights
steampipe check all --export=json
# https://github.com/turbot/steampipe-mod-aws-perimeter
# In this case you cannot output to JSON, so heck it in the dashboard
steampipe dashboard
```
{% endtab %}
{% endtabs %}
#### \<YourTool>
Neither of the previous tools is capable of checking close to all permissions, so if you know a better tool send a PR!
### Unauthenticated Access
{% content-ref url="../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md" %}
[aws-iam-and-sts-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md)
{% endcontent-ref %}
### Privilege Escalation
In the following page you can check how to **abuse IAM permissions to escalate privileges**:
{% content-ref url="../aws-privilege-escalation/aws-iam-privesc.md" %}
[aws-iam-privesc.md](../aws-privilege-escalation/aws-iam-privesc.md)
{% endcontent-ref %}
### IAM Post Exploitation
{% content-ref url="../aws-post-exploitation/aws-iam-post-exploitation.md" %}
[aws-iam-post-exploitation.md](../aws-post-exploitation/aws-iam-post-exploitation.md)
{% endcontent-ref %}
### IAM Persistence
{% content-ref url="../aws-persistence/aws-iam-persistence.md" %}
[aws-iam-persistence.md](../aws-persistence/aws-iam-persistence.md)
{% endcontent-ref %}
## IAM Identity Center
You can find a **description of IAM Identity Center** in:
{% content-ref url="../aws-basic-information/" %}
[aws-basic-information](../aws-basic-information/)
{% endcontent-ref %}
### Connect via SSO with CLI
```bash
# Connect with sso via CLI aws configure sso
aws configure sso
[profile profile_name]
sso_start_url = https://subdomain.awsapps.com/start/
sso_account_id = <account_numbre>
sso_role_name = AdministratorAccess
sso_region = us-east-1
```
### Enumeration
The main elements of the Identity Center are:
* Users and groups
* Permission Sets: Have policies attached
* AWS Accounts
Then, relationships are created so users/groups have Permission Sets over AWS Account.
{% hint style="info" %}
Note that there are 3 ways to attach policies to a Permission Set. Attaching AWS managed policies, Customer managed policies (these policies needs to be created in all the accounts the Permissions Set is affecting), and inline policies (defined in there).
{% endhint %}
```bash
# Check if IAM Identity Center is used
aws sso-admin list-instances
# Get Permissions sets. These are the policies that can be assigned
aws sso-admin list-permission-sets --instance-arn <instance-arn>
aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get managed policies of a permission set
aws sso-admin list-managed-policies-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get inline policies of a permission set
aws sso-admin get-inline-policy-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get customer managed policies of a permission set
aws sso-admin list-customer-managed-policy-references-in-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## Get boundaries of a permission set
aws sso-admin get-permissions-boundary-for-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List accounts a permission set is affecting
aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
## List principals given a permission set in an account
aws sso-admin list-account-assignments --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --account-id <account_id>
# Get permissions sets affecting an account
aws sso-admin list-permission-sets-provisioned-to-account --instance-arn <instance-arn> --account-id <account_id>
# List users & groups from the identity store
aws identitystore list-users --identity-store-id <store-id>
aws identitystore list-groups --identity-store-id <store-id>
## Get members of groups
aws identitystore list-group-memberships --identity-store-id <store-id> --group-id <group-id>
## Get memberships or a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
```
### Local Enumeration
It's possible to create inside the folder `$HOME/.aws` the file config to configure profiles that are accessible via SSO, for example:
```ini
[default]
region = us-west-2
output = json
[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = MySSORole
region = us-west-2
output = json
[profile dependent-profile]
role_arn = arn:aws:iam::<acc-id>:role/ReadOnlyRole
source_profile = Hacktricks-Admin
```
This configuration can be used with the commands:
```bash
# Login in ms-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile
```
When a **profile from SSO is used** to access some information, the credentials are **cached** in a file inside the folder **`$HOME/.aws/sso/cache`**. Therefore they can be **read and used from there**.
Moreover, **more credentials** can be stored in the folder **`$HOME/.aws/cli/cache`**. This cache directory is primarily used when you are **working with AWS CLI profiles** that use IAM user credentials or **assume** roles through IAM (without SSO). Config example:
```ini
[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456
```
### Unauthenticated Access
{% content-ref url="../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md" %}
[aws-identity-center-and-sso-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md)
{% endcontent-ref %}
### Privilege Escalation
{% content-ref url="../aws-privilege-escalation/aws-sso-and-identitystore-privesc.md" %}
[aws-sso-and-identitystore-privesc.md](../aws-privilege-escalation/aws-sso-and-identitystore-privesc.md)
{% endcontent-ref %}
### Post Exploitation
{% content-ref url="../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md" %}
[aws-sso-and-identitystore-post-exploitation.md](../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md)
{% endcontent-ref %}
### Persistence
#### Create a user an assign permissions to it
{% code overflow="wrap" %}
```bash
# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password
```
{% endcode %}
* Create a group and assign it permissions and set on it a controlled user
* Give extra permissions to a controlled user or group
* By default, only users with permissions form the Management Account are going to be able to access and control the IAM Identity Center.
However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permission, but they will be able to perform [**management activities**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html).
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in New Issue View Git Blame Copy Permalink