Enumerating users

As we covered in the IAM chapter earlier on, an IAM role has a trust policy document that specifies which IAM principals or accounts can request temporary credentials from it. Behind the scenes, every IAM principal is created with a unique ID, and IAM role trust policies reference that ID rather than the name. The reason for this is that, if you specify that the user Mike can assume a certain role and Mike is then deleted, an attacker could in theory create another IAM user named Mike and assume that role. In practice, that is not the case, because behind the scenes the role's trust policy references the unique user ID rather than just the user name.

Because of that conversion from user ARN to a unique user ID behind the scenes, IAM will not let you set a trust policy that allows access to a non-existent user. Also, roles can be assumed cross-account, so you can specify other account IDs in the trust policy.
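The same ARN-to-unique-ID conversion has a visible side effect a defender can audit for: once a user or role named in a trust policy is deleted, IAM shows its opaque unique ID (an AIDA... or AROA... string) in place of the ARN. The following is an added example, not code from the book or from Pacu, that flags such dangling principals together with wildcard and cross-account trust in a role's trust policy; the account IDs and the unique ID in the sample document are constructed values.

```python
import json
import re

OWN_ACCOUNT = "111111111111"  # constructed: the account that owns the role

# Unique principal IDs: AIDA (IAM users) or AROA (IAM roles) plus uppercase alphanumerics.
UNIQUE_ID_RE = re.compile(r"^A(?:IDA|ROA)[A-Z0-9]{16,}$")
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def _aws_principals(statement):
    """Return the AWS principals of a statement, handling '*', a string or a list."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def classify_principal(value, own_account=OWN_ACCOUNT):
    """Classify one principal entry of a trust policy."""
    if value == "*":
        return "wildcard"
    if UNIQUE_ID_RE.match(value):
        return "dangling"  # the referenced user/role was deleted; IAM replaced its ARN
    m = ARN_RE.match(value)
    if not m:
        return "unknown"
    account, name = m.groups()
    if account != own_account:
        return "cross-account-root" if name == "root" else "cross-account"
    return "same-account"


def audit_trust_policy(doc_json, own_account=OWN_ACCOUNT):
    """Return {principal: category} for every Allow statement granting sts:AssumeRole."""
    findings = {}
    for stmt in json.loads(doc_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for p in _aws_principals(stmt):
            findings[p] = classify_principal(p, own_account)
    return findings


# Constructed sample: one live user, one deleted user (now a bare unique ID), one foreign root.
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:user/Alexa",
                          "AIDAEXAMPLEDELETEDUSER1",
                          "arn:aws:iam::222222222222:root"]}}]})
```

Run `audit_trust_policy` over the document returned by `aws iam get-role` for each role; any "dangling" entry is a stale grant worth removing, and "cross-account-root" entries are the ones that deserve a second look.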

Given both those facts, if we as an attacker have the account ID of another account, we can essentially brute-force which users exist in that account. This process has been automated in a Pacu module named iam__enum_users. With Pacu open and configured, we can run the following command to enumerate IAM users in the account with the ID 000000000000:

run iam__enum_users --account-id 000000000000 --role-name TestRole 

TestRole is an IAM role that was created in my own account. Pacu uses that role to update the trust policy document for enumeration, so it is important that this module is run with your own AWS access keys and that you give it the name of a role that those keys are permitted to update.

When running the module, your own AWS CloudTrail logs will get flooded with iam:UpdateAssumeRolePolicy events, but the target account will not see a thing, allowing you to stealthily gather information on the target environment.

Using a custom wordlist, we were able to enumerate two users, Alexa and Test, from the target account with the ID 000000000000 (this is just a demo, this won't work for you because 000000000000 is not a real AWS account). The output from the Pacu module looks something like this:

Pacu (Demo:imported-default) > run iam__enum_users --account-id 000000000000 --role-name TestRole
Running module iam__enum_users...
[iam__enum_users] Warning: This script does not check if the keys you supplied have the correct permissions. Make sure they are allowed to use iam:UpdateAssumeRolePolicy on the role that you pass into --role-name!

[iam__enum_users] Targeting account ID: 000000000000

[iam__enum_users] Starting user enumeration...

[iam__enum_users] Found user: arn:aws:iam::000000000000:user/Alexa
[iam__enum_users] Found user: arn:aws:iam::000000000000:user/Test

[iam__enum_users] Found 2 user(s):

[iam__enum_users] arn:aws:iam::000000000000:user/Alexa
[iam__enum_users] arn:aws:iam::000000000000:user/Test

[iam__enum_users] iam__enum_users completed.

[iam__enum_users] MODULE SUMMARY:

2 user(s) found after 7 guess(es).

The output shows that it found two valid users out of seven total guesses from our modified wordlist. At the time of writing, the default wordlist that Pacu uses has 1,136 names that it will try.
