
enumerate-iam's Introduction

Enumerate IAM permissions

Found a set of AWS credentials and have no idea which permissions it might have?

$ ./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..."
2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked!
2019-05-10 15:58:01,537 - 21345 - [INFO] -- {
    "RoleDetailList": [
        {
            "Tags": [], 
            "AssumeRolePolicyDocument": {
                "Version": "2008-10-17", 
                "Statement": [
                    {
...
2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked!
2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked!
2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked!
2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked!
2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked!

Now you do!

enumerate-iam.py brute-forces the AWS API to find out which calls the credentials' IAM policies allow: it issues a large list of read-only operations across many services and records which ones succeed instead of returning an AccessDenied error. Only get*, list* and describe* operations are attempted (as the sample output above shows), so nothing in the target account is modified. Two caveats: every one of these requests, allowed or denied, is still an API call against the account and will show up in CloudTrail, so the run is anything but quiet; and a successful iam.get_account_authorization_details, the "run for the hills" line above, returns every user, group, role and attached policy in the account in a single call, which usually makes the rest of the brute force redundant.

Installation

git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt

Library

This software was written to be easy to integrate with other tools: import the main function and pass the credentials and a region. session_token is only needed for temporary credentials (the CLI example above passes just an access key and a secret key):

from enumerate_iam.main import enumerate_iam

enumerate_iam(access_key,
              secret_key,
              session_token,
              region)

The return value is a Python dictionary containing all the enumerated permission information, keyed by enumeration phase (the tracebacks further down this page show, for example, a "bruteforce" entry holding the results of the brute-force pass).
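The dictionary is most useful once it is translated into IAM action names that can be compared against policies or fed to other tooling. The following is an added example, not code from enumerate-iam itself; it assumes, based on the "service.operation() worked!" log lines and the tracebacks on this page, that result["bruteforce"] is keyed by "<boto3 client name>.<operation_name>" with the API response as the value, and the SAMPLE_RESULT below is constructed, not real tool output. The IAM_PREFIX_OVERRIDES table and the HIGH_VALUE set are the example's own additions.

```python
"""Post-process an enumerate_iam() result into IAM action names.

Added example, not part of enumerate-iam. Assumes result["bruteforce"] is a
dict keyed "<boto3 client name>.<operation_name>" (as the tool's log lines
"-- sqs.list_queues() worked!" suggest).
"""
import json
from collections import defaultdict

# boto3 client names that differ from the IAM service prefix. Non-exhaustive:
# only well-known cases are listed; extend as you meet others.
IAM_PREFIX_OVERRIDES = {
    "elb": "elasticloadbalancing",
    "elbv2": "elasticloadbalancing",
    "emr": "elasticmapreduce",
    "stepfunctions": "states",
}

# Findings worth flagging immediately. GetAccountAuthorizationDetails is the
# README's own "run for the hills" case: it dumps every user, group, role and
# policy in the account.
HIGH_VALUE = {"iam:GetAccountAuthorizationDetails"}


def to_iam_action(key):
    """'sqs.list_queues' -> 'sqs:ListQueues'.

    boto3 method names are snake_case forms of the API operation name, and the
    IAM action name is the operation name. Acronym casing can differ
    (e.g. ...Url vs ...URL), so treat the result as approximate.
    """
    service, operation = key.split(".", 1)
    action = "".join(part.capitalize() for part in operation.split("_"))
    return f"{IAM_PREFIX_OVERRIDES.get(service, service)}:{action}"


def allowed_actions(result):
    """Sorted, de-duplicated IAM actions the brute force proved to be allowed."""
    return sorted({to_iam_action(k) for k in result.get("bruteforce", {})})


def group_by_service(result):
    """Map IAM service prefix -> sorted action names, for a quick overview."""
    grouped = defaultdict(set)
    for action in allowed_actions(result):
        service, name = action.split(":", 1)
        grouped[service].add(name)
    return {s: sorted(names) for s, names in sorted(grouped.items())}


def high_value_hits(result):
    """Allowed actions that appear in HIGH_VALUE."""
    return sorted(HIGH_VALUE.intersection(allowed_actions(result)))


# Constructed sample standing in for a real enumerate_iam() return value.
SAMPLE_RESULT = {
    "bruteforce": {
        "iam.get_account_authorization_details": {"RoleDetailList": []},
        "sqs.list_queues": {"QueueUrls": []},
        "cloudformation.list_stack_sets": {"Summaries": []},
        "elbv2.describe_load_balancers": {"LoadBalancers": []},
        "directconnect.describe_locations": {"locations": []},
    }
}

if __name__ == "__main__":
    # Real use: result = enumerate_iam(access_key, secret_key, session_token, region)
    print(json.dumps(group_by_service(SAMPLE_RESULT), indent=2))
    for hit in high_value_hits(SAMPLE_RESULT):
        print("HIGH VALUE:", hit)
```

The per-service grouping is what you would paste into a finding; the flat allowed_actions list is what you would diff against the policies returned by get_account_authorization_details when that call works, to see whether the brute force missed anything.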

Other tools

Before writing enumerate-iam.py I tried a few tools that performed the same task, and decided to write my own because the others:

  • Did not check for all API calls
  • Were painfully slow when adding more API calls to the list
  • Did not return the permissions in a programmatic way

Updating the API calls

The API calls to be performed during permission enumeration are stored in enumerate_iam/bruteforce_tests.py, a Python dict generated by enumerate_iam/generate_bruteforce_tests.py from the service API definitions shipped with the aws-sdk-js library.

AWS releases new services every quarter. To make sure this tool finds all the existing permissions, regenerate the list against a fresh checkout:

cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python generate_bruteforce_tests.py
rm -rf aws-sdk-js
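As an added illustration of what that generation step has to decide (this is not enumerate-iam's own generate_bruteforce_tests.py): an operation is only worth brute-forcing if its name looks read-only (Get/List/Describe) and its input has no required members, because the tool calls each method with no arguments. The SAMPLE_SQS_API dict below is constructed to mimic the layout of the apis/*.normal.json service models in aws-sdk-js (metadata / operations / shapes), which is an assumption about that format, and the snake_case conversion follows botocore's xform_name rules so the generated keys match boto3 method names such as kinesisvideo.get_dash_streaming_session_url seen in the logs on this page. Using the endpointPrefix as the boto3 client name is a simplification; the two do not always agree.

```python
"""Derive read-only, argument-free brute-force candidates from an aws-sdk-js
service model. Added example, not enumerate-iam's generator."""
import json
import re

# Constructed sample mimicking apis/sqs-*.normal.json (assumed layout).
SAMPLE_SQS_API = {
    "metadata": {"endpointPrefix": "sqs", "serviceId": "SQS"},
    "operations": {
        "ListQueues": {"name": "ListQueues", "input": {"shape": "ListQueuesRequest"}},
        "GetQueueUrl": {"name": "GetQueueUrl", "input": {"shape": "GetQueueUrlRequest"}},
        "GetQueueAttributes": {"name": "GetQueueAttributes",
                               "input": {"shape": "GetQueueAttributesRequest"}},
        "ListDeadLetterSourceQueues": {"name": "ListDeadLetterSourceQueues",
                                       "input": {"shape": "ListDeadLetterSourceQueuesRequest"}},
        "DeleteQueue": {"name": "DeleteQueue", "input": {"shape": "DeleteQueueRequest"}},
    },
    "shapes": {
        "ListQueuesRequest": {"type": "structure",
                              "members": {"QueueNamePrefix": {"shape": "String"}}},
        "GetQueueUrlRequest": {"type": "structure", "required": ["QueueName"],
                               "members": {"QueueName": {"shape": "String"}}},
        "GetQueueAttributesRequest": {"type": "structure", "required": ["QueueUrl"],
                                      "members": {"QueueUrl": {"shape": "String"}}},
        "ListDeadLetterSourceQueuesRequest": {"type": "structure", "required": ["QueueUrl"],
                                              "members": {"QueueUrl": {"shape": "String"}}},
        "DeleteQueueRequest": {"type": "structure", "required": ["QueueUrl"],
                               "members": {"QueueUrl": {"shape": "String"}}},
    },
}

# Only these prefixes are treated as non-destructive.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")

# Same two-step CamelCase -> snake_case transform botocore uses for method names,
# so acronyms such as DASH/URL collapse correctly.
_FIRST_CAP = re.compile(r"(.)([A-Z][a-z]+)")
_END_CAP = re.compile(r"([a-z0-9])([A-Z])")


def to_boto3_method(operation_name):
    """'GetDASHStreamingSessionURL' -> 'get_dash_streaming_session_url'."""
    s1 = _FIRST_CAP.sub(r"\1_\2", operation_name)
    return _END_CAP.sub(r"\1_\2", s1).lower()


def candidate_tests(api):
    """Return {boto3_method: OperationName} for operations that are read-only by
    name and callable with no arguments (input shape has no required members)."""
    shapes = api.get("shapes", {})
    found = {}
    for op_name, op in api["operations"].items():
        if not op_name.startswith(READ_ONLY_PREFIXES):
            continue  # skip anything that could mutate state
        input_shape = op.get("input", {}).get("shape")
        required = shapes.get(input_shape, {}).get("required", []) if input_shape else []
        if required:
            continue  # cannot be called blind without guessing a valid value
        found[to_boto3_method(op_name)] = op_name
    return found


def bruteforce_entry(api):
    """Shape the result like one entry of a service -> [methods] test table
    (assumed layout of bruteforce_tests.py; endpointPrefix used as client name)."""
    client_name = api["metadata"]["endpointPrefix"]
    return {client_name: sorted(candidate_tests(api))}


if __name__ == "__main__":
    # With a real checkout you would json.load() each apis/*.normal.json file
    # and merge the per-service entries into one dict.
    print(json.dumps(bruteforce_entry(SAMPLE_SQS_API), indent=2))
```

Note that "callable with no arguments" is a necessary condition, not a sufficient one: some services reject an empty request at the endpoint or region level, which is why the tool logs "Remove ... action" lines and drops such calls at run time.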

Related tools

This tool was released as part of the Internet-Scale Analysis of AWS Cognito Security research. During this research the cc-lambda tool was also used to extract information from the Common Crawl data.

Initial code

The initial code was released in this gist and improved in multiple ways:

  • Complete refactoring
  • Results returned in a programmatic way
  • Threads
  • Improved logging
  • Increased API call coverage
  • Export as a library

enumerate-iam's People

Contributors: andresriancho, xiaozhu1337, yassineaboukir


enumerate-iam's Issues

Unexpected argument: max_attempts

Hi,

It looks like the recent commit (0edfae5) to mitigate the rate limit issue is screwing up the tool execution:

2019-06-23 23:49:34,547 - 35055 - [INFO] Attempting common-service describe / list brute force.
Traceback (most recent call last):
  File "./enumerate-iam.py", line 24, in <module>
    main()
  File "./enumerate-iam.py", line 20, in main
    args.region)
  File "/Users/yassineaboukir/Desktop/Hacktools/enumerate-iam/enumerate_iam/main.py", line 204, in enumerate_iam
    output['bruteforce'] = enumerate_using_bruteforce(access_key, secret_key, session_token, region)
  File "/Users/yassineaboukir/Desktop/Hacktools/enumerate-iam/enumerate_iam/main.py", line 74, in enumerate_using_bruteforce
    results = pool.map(check_one_permission, args_generator)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/multiprocessing/pool.py", line 253, in map
    return self.map_async(func, iterable, chunksize).get()
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/multiprocessing/pool.py", line 572, in get
    raise self._value
TypeError: Got unexpected keyword argument 'max_attempts'

The issue is due to the fact that max_attempts is unexpected as mentioned above. You should have adjusted retries={'max_attempts': 1} instead.

Regards.

Add --dry-run option

OPTIONS
       --dry-run | --no-dry-run (boolean)
          Checks whether you have the required  permissions  for  the  action,
          without actually making the request, and provides an error response.
          If you have the required permissions, the error response is  DryRun-
          Operation . Otherwise, it is UnauthorizedOperation .

With this option the tool might run faster!

Enable it by default?

Attribute Error

When run with python enumerate-iam.py ..., it says attribute error:

botocore.exceptions.ReadTimeoutError):

AttributeError: 'module' object has no attribute 'ReadTimeoutError'

When run with python3 enumerate-iam.py ..., it just hangs in the terminal.


Any help is appreciated

broken on python3

$ python3 ./enumerate-iam.py
Traceback (most recent call last):
  File "./enumerate-iam.py", line 4, in <module>
    from enumerate_iam.main import enumerate_iam
  File "/home/pkeel/git/enumerate-iam/enumerate_iam/main.py", line 135
    def check_one_permission((access_key, secret_key, session_token, region, service_name, operation_name)):
    ^
SyntaxError: invalid syntax

enumerate-iam not running

I ran this command after installing the tool and all requirements:

./enumerate-iam.py --access-key AK*************** --secret-key Mi**************************************

this command give me the error

Traceback (most recent call last):
  File "./enumerate-iam.py", line 4, in <module>
    from enumerate_iam.main import enumerate_iam
  File "/root/enumerate-iam/enumerate_iam/main.py", line 22, in <module>
    import boto3
ImportError: No module named boto3

Installing boto3 again with sudo pip install boto3 gives this response:

Requirement already satisfied: boto3 in /usr/local/lib/python3.8/dist-packages (1.16.9)
Requirement already satisfied: s3transfer<0.4.0,>=0.3.0 in /usr/local/lib/python3.8/dist-packages (from boto3) (0.3.3)
Requirement already satisfied: jmespath<1.0.0,>=0.7.1 in /usr/local/lib/python3.8/dist-packages (from boto3) (0.10.0)
Requirement already satisfied: botocore<1.20.0,>=1.19.9 in /usr/local/lib/python3.8/dist-packages (from boto3) (1.19.9)
Requirement already satisfied: python-dateutil<3.0.0,>=2.1 in /usr/lib/python3/dist-packages (from botocore<1.20.0,>=1.19.9->boto3) (2.7.3)
Requirement already satisfied: urllib3<1.26,>=1.25.4; python_version != "3.4" in /usr/local/lib/python3.8/dist-packages (from botocore<1.20.0,>=1.19.9->boto3) (1.25.8)

After that I ran again:

./enumerate-iam.py --access-key AK*************** --secret-key Mi**************************************

but this again gives me the same error:

Traceback (most recent call last):
  File "./enumerate-iam.py", line 4, in <module>
    from enumerate_iam.main import enumerate_iam
  File "/root/enumerate-iam/enumerate_iam/main.py", line 22, in <module>
    import boto3
ImportError: No module named boto3

How can I solve this error? Any help is kindly appreciated.

Thanks in advance

Resource_tracker Error:Leaked semaphore object

I'm getting the following error (AccessKeyId redacted) when I run enumerate-iam.py. I have a MacBook Pro M3. Please help!

2024-04-19 11:11:08,771 - 67068 - [INFO] Starting permission enumeration for access-key-id "XXXXXXXXXXXXXXXXXXXX"
2024-04-19 11:11:08,951 - 67068 - [INFO] Attempting common-service describe / list brute force.
2024-04-19 11:11:13,034 - 67068 - [ERROR] Remove kinesisvideo.get_dash_streaming_session_url action
2024-04-19 11:11:13,512 - 67068 - [ERROR] Remove rolesanywhere.get_crl action
2024-04-19 11:11:13,512 - 67068 - [ERROR] Remove rolesanywhere.get_profile action
2024-04-19 11:11:13,575 - 67068 - [ERROR] Remove rolesanywhere.get_trust_anchor action
2024-04-19 11:11:14,009 - 67068 - [ERROR] Remove greengrass.list_components action
2024-04-19 11:11:14,023 - 67068 - [ERROR] Remove greengrass.list_core_devices action
2024-04-19 11:11:14,039 - 67068 - [ERROR] Remove greengrass.list_deployments action
2024-04-19 11:11:14,421 - 67068 - [ERROR] Remove es.get_compatible_versions action
2024-04-19 11:11:14,421 - 67068 - [ERROR] Remove es.list_versions action
2024-04-19 11:11:14,580 - 67068 - [ERROR] Remove sso.list_application_providers action
2024-04-19 11:11:14,580 - 67068 - [ERROR] Remove sso.list_instances action
2024-04-19 11:11:14,776 - 67068 - [ERROR] Remove es.describe_reserved_instances action
2024-04-19 11:11:14,820 - 67068 - [ERROR] Remove es.describe_outbound_connections action
2024-04-19 11:11:14,856 - 67068 - [ERROR] Remove es.describe_inbound_connections action
2024-04-19 11:11:14,943 - 67068 - [ERROR] Remove es.describe_reserved_instance_offerings action
2024-04-19 11:11:16,418 - 67068 - [ERROR] Remove sms-voice.describe_spend_limits action
2024-04-19 11:11:16,418 - 67068 - [ERROR] Remove sms-voice.describe_account_limits action
2024-04-19 11:11:16,418 - 67068 - [ERROR] Remove sms-voice.describe_opt_out_lists action
2024-04-19 11:11:16,418 - 67068 - [ERROR] Remove sms-voice.describe_account_attributes action
Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/multiprocessing/resource_tracker.py:254: UserWarning: resource_tracker: There appear to be 2 leaked semaphore objects to clean up at shutdown
  warnings.warn('resource_tracker: There appear to be %d '

TypeError: 'dict_keys' object is not subscriptable

Is it Python2 compatible only?
Just tried it with Python3 and got:

Traceback (most recent call last):
  File "enumerate-iam.py", line 24, in <module>
    main()
  File "enumerate-iam.py", line 20, in main
    args.region)
  File "enumerate-iam/enumerate_iam/main.py", line 204, in enumerate_iam
    output['bruteforce'] = enumerate_using_bruteforce(access_key, secret_key, session_token, region)
  File "enumerate-iam/enumerate_iam/main.py", line 74, in enumerate_using_bruteforce
    results = pool.map(check_one_permission, args_generator)
  File "/anaconda3/lib/python3.7/multiprocessing/pool.py", line 268, in map
    return self._map_async(func, iterable, mapstar, chunksize).get()
  File "/anaconda3/lib/python3.7/multiprocessing/pool.py", line 383, in _map_async
    iterable = list(iterable)
  File "/Users/t/Work/aws_/enumerate-iam/enumerate_iam/main.py", line 91, in generate_args
    random.shuffle(service_names)
  File "/anaconda3/lib/python3.7/random.py", line 278, in shuffle
    x[i], x[j] = x[j], x[i]
TypeError: 'dict_keys' object is not subscriptable

endpoint url

You should add a way to do a custom endpoint url when running the script.

just hangs on random check

Hi,

Thanks for the wonderful tool.

Maybe I'm doing something wrong, because it "hangs" on random checks every time.
I tried to wait, but after an hour there is nothing - no errors, no timeouts.

I already tried to use the DEBUG flag, but it does not say much.

Yes I updated the check definitions with :

cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python generate_bruteforce_tests.py
rm -rf aws-sdk-js

Kind regards,
PY

Attribute Error

Hi,

Today I tried your tool to check some AWS Access Key & Secret Key, but I got an error like this:

 ./enumerate-iam.py --access-key AKIABLABLABLA --secret-key blablablabla --region us-west-2
Traceback (most recent call last):
  File "./enumerate-iam.py", line 24, in <module>
    main()
  File "./enumerate-iam.py", line 20, in main
    args.region)
  File "/home/wayc0de/tools/enumerate-iam/enumerate-iam/enumerate_iam/main.py", line 217, in enumerate_iam
    configure_logging()
  File "/home/wayc0de/tools/enumerate-iam/enumerate-iam/enumerate_iam/main.py", line 207, in configure_logging
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
AttributeError: 'module' object has no attribute 'disable_warnings'

I tried both python2 and python3, but it still failed.

Thank you
