• Stars
    star
    169
  • Rank 224,453 (Top 5 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 2 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

IAMSpy

This is the repository containing IAMSpy, a library that utilises the Z3 prover to attempt to answer questions about AWS IAM. It can "load" a variety of IAM policies and convert them to generate Z3 constraints and a model, from which queries can be made on identifying whether actions are allowed or not. The aim of this library is to allow others to build new IAM tooling without having to worry about implementing their own IAM parsing and reasoning tools. Additionally, IAMSpy hopes to provide a focal point for the community to document observed IAM quirks allowing everyone to benefit from parsing that accounts for these oddities.

NOTE: This is a work in progress. IAMSpy currently does not support all features/quirks within AWS IAM, mileage may vary for different cloud environments. We encourage others to contribute to the project. Please raise issues for any issues found, or general discussions to be had, and improvements are very much appreciated through pull requests.

How To

NOTE: Should you pull newer changes for IAMSpy, it is recommended to re-generate any models that may have been pre-computed. This is because internal representations of data are likely to regularly change whilst IAMSpy is being built out to completion.

IAMSpy can be installed through poetry install from a checked out repository. This will set up a python virtualenv to be used with IAMSpy. If you would like to install IAMSpy into another python environment, pip install /path/to/iamspy

It should be noted that GAADs generated by by the get-account-authorization-details might miss some required data. For example, when using permission boundaries, managed policies may not be included in the GAAD that are used by boundaries but nothing else.

Library

The primary interface for applications to utilise IAMSpy is the Model class. This and an instantiated version called model can be found within the root of the module, and importable with from iamspy import model.

This model exposes the following to allow use of IAMSpy:

  • model.save(filename)

    Saves the current model to filename

  • model.load_model(filename)

    Loads a model from filename that was saved through save

  • model.load_gaad(filename)

    Will load a GAAD stored within the provided filename. The GAAD will be parsed and added to the current model, the parsed GAAD is also returned

  • model.load_resource_policies(filename)

    Loads and parses resource policies from the provided filename into the model

  • model.can_i(source, action, resource, conditions=[], condition_file=None, strict_conditions=False)

    Checks whether the provided source can perform action on target resource. source and resource must be fully qualified ARNs.

    Optional parameters include:

    • conditions - List of = delimited key-value strings containing strings to set within conditions
    • condition_file - Filename of a conditions file following the format of conditions within a statement block to add further constraints on the request, such as specifying non string conditions or providing multiple values such as a date greater than a set time
    • strict_conditions - Boolean to enable inputted conditions are set as provided, and all other conditions explicitly as not provided. Setting this prevents IAMSpy enabling and setting conditions to get an action accepted without it being specified in the earlier statements.
  • model.who_can(action, resource, conditions=[], condition_file=None, strict_conditions=False)

    Returns all users or roles who are able to perform action on the resource. resource must be a fully qualified ARN

    Optional paramaters are the same as for the can-i method.

CLI

IAMSpy comes with a light-weight CLI wrapper around its main library entrypoints, once installed this is available as the iamspy application. --help should help with identifying available calls and parameters in a pinch. The various commands are detailed below:

Loading policies can be done with the various load-* subcommands, at the moment this is load-gaad and load-resources however more are anticipated to be added.

# Load an accounts GAAD obtained from "aws iam get-account-authorization-details"
iamspy load-gaad gaad.json

# Load resource policies following the format shown in resources.json.example
iamspy load-resources resources.json

The iamspy CLI will save generated constraints into a file on disk upon execution of these commands. Subsequent commands loads this file to load earlier generated data. By default this is stored within model.smt2, however this can be overridden with the -f flag to commands, for example iamspy load-gaad -f different.smt2 gaad.json. This flag would then need to be provided for each subsequent command.

Once all policies desired have been loaded, queries can be made with the can-i sucommand.

# At the very basic level, this takes a source ARN, an IAM action and a resource ARN. From this it will return True/False
iamspy can-i arn:aws:iam::123456789012:user/bob s3:GetObject arn:aws:s3:::bucket/object

Further arguments can be supplied to provide information and further constraints on conditions

# Providing string based condition values can be done through the "-c" parameter
iamspy can-i arn:aws:iam::123456789012:user/bob s3:GetObject arn:aws:s3:::bucket/object -c aws:referer=bobby.tables

# Other condition settings, such as IP or ARN types, or providing a range of values (for example saying the input condition is at least this value) can be done by creating a conditions file. This follows the same formation of the conditions block within a statement, and can be provided through the -C parameter. An example can be seen within conditions.json.example
iamspy can-i arn:aws:iam::123456789012:user/bob s3:GetObject arn:aws:s3:::bucket/object -C conditions.json

# By default, IAMSpy will attempt to set input conditions as needed to get a statement through the model and allowed. This may involve setting conditions automatically as required by policies observed. If this behavious is not desired, --strict-conditions should be set
iamspy can-i arn:aws:iam::123456789012:user/bob s3:GetObject arn:aws:s3:::bucket/object --strict-conditions

Queries can also be made with the who-can subcommand.

# Queries take an IAM action and a resource ARN and return a list of User or Role arns which have permission to perform the action on the resource
iamspy who-can s3:GetObject arn:aws:s3:::bucket/object

# As with the can-i method. Condition values can be done with the "-c" parameter (see 'can-i' subcommand)
iamspy who-can s3:GetObject arn:aws:s3:::bucket/object -c aws:referer=bobby.tables

# Condition statements can be loaded with the -C parameter (see 'can-i' subcommand)
iamspy who-can s3:GetObject arn:aws:s3:::bucket/object -C conditions.json

# Automatic setting of conditions can be disabled with --strict-conditions (see 'can-i' subcommand)
iamspy who-can s3:GetObject arn:aws:s3:::bucket/object --strict-conditions

Development

  • Checkout the repo
  • poetry install
  • poetry shell

Code Quality

flake8 is used for code quality checks, configured with --max-line-length=120. To ignore specific warnings, use # noqa: E9876 with the appropriate E/W number from flake8 docs. At present, the approved ignores are:

  • # noqa: E712 for cases where flake8 is complaining about comparison statements inside z3 statements.

Credits

This project stands on the shoulders of others. In particular, we'd like to highlight:

More Repositories

1

drozer

The Leading Security Assessment Framework for Android.
Python
3,894
star
2

chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
Rust
2,713
star
3

C3

Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.
C++
1,498
star
4

needle

The iOS Security Testing Framework
Python
1,331
star
5

doublepulsar-detection-script

A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.
Python
1,008
star
6

awspx

A graph-based tool for visualizing effective access and resource relationships in AWS environments.
Python
913
star
7

python-exe-unpacker

A helper script for unpacking and decompiling EXEs compiled from python code.
Python
751
star
8

leonidas

Automated Attack Simulation in the Cloud, complete with detection use cases.
Jupyter Notebook
446
star
9

android-keystore-audit

JavaScript
385
star
10

physmem2profit

Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
C#
364
star
11

Jandroid

Python
323
star
12

CallStackSpoofer

A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)
C++
294
star
13

bitlocker-spi-toolkit

Tools for decoding TPM SPI transaction and extracting the BitLocker key from them.
Python
271
star
14

captcha22

CAPTCHA22 is a toolset for building, and training, CAPTCHA cracking models using neural networks.
Python
243
star
15

doublepulsar-c2-traffic-decryptor

A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
Python
224
star
16

snake

snake - a malware storage zoo
Shell
205
star
17

Jamf-Attack-Toolkit

Suite of tools to facilitate attacks against the Jamf macOS management platform.
Python
172
star
18

damn-vulnerable-llm-agent

Python
169
star
19

LinuxCatScale

Incident Response collection and processing scripts with automated reporting scripts
Shell
165
star
20

IceKube

Python
161
star
21

peas

PEAS is a Python 2 library and command line application for running commands on an ActiveSync server e.g. Microsoft Exchange.
Python
152
star
22

ppid-spoofing

Scripts for performing and detecting parent PID spoofing
PowerShell
127
star
23

detectree

Data visualization for blue teams
Svelte
123
star
24

GarbageMan

GarbageMan is a set of tools for analyzing .NET binaries through heap analysis.
C++
113
star
25

drozer-agent

The Android Agent for the Mercury Security Assessment Framework.
Java
111
star
26

doublepulsar-usermode-injector

A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
C
104
star
27

TickTock

C++
102
star
28

ModuleStomping

https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
C++
87
star
29

dotnet-gargoyle

A spiritual .NET equivalent to the Gargoyle memory scanning evasion technique
C#
50
star
30

cloud-wiki

A public cloud security knowledgebase - https://www.secwiki.cloud/
CSS
48
star
31

AMSIDetection

AMSI detection PoC
C#
29
star
32

tau-engine

A document tagging library
Rust
29
star
33

radare2-scripts

A collection of useful radare2 scripts!
Python
25
star
34

CVE-2021-25374_Samsung-Account-Access

This script can be used to gain access to a victim's Samsung Account if they have a specific version of Samsung Members installed on their Samsung Device, and if the victim's device is from the US or Korea region.
Python
22
star
35

ESFang

ESF modular ingestion tool for development and research.
Objective-C
18
star
36

macOSTriageCollectionScript

A triage data collection script for macOS
Shell
17
star
37

lazarus-sigma-rules

17
star
38

RemotePSpy

RemotePSpy provides live monitoring of remote PowerShell sessions, which is particularly useful for older (pre-5.0) versions of PowerShell which do not have comprehensive logging facilities built in.
Python
17
star
39

FLAIR

F-Secure Lightweight Acqusition for Incident Response (FLAIR)
Batchfile
16
star
40

mongo-rs

A higher-level wrapper on top of the official bson & mongodb crates.
Rust
15
star
41

llm-vulnerable-recruitment-app

An example vulnerable app that integrates an LLM
Python
12
star
42

volatility-plugins

Python
11
star
43

FixerUpper

A Burp extension to enable modification of FIX messages when relayed from MitM_Relay
Python
11
star
44

snake-core

snake-core - the real snake
Python
11
star
45

jdiesel

jdiesel fuels the drozer
Java
10
star
46

deject

Memory dump and Sample analysis tool
Python
8
star
47

memory-carving-scripts

Scripts for extracting useful information from infected memory dumps
PowerShell
7
star
48

shadowhammer

Tools related to 'shadowhammer' attack, https://securelist.com/operation-shadowhammer/89992
Python
7
star
49

keywe-tooling

Tools that can be used to interact with the KeyWe Smart Lock device.
Python
6
star
50

datamate

Python
6
star
51

usb-ninja-detection-poc

USB Ninja Detection PoC
C++
5
star
52

iocs

YARA
5
star
53

snake-scales

snake-scales - the default repository of snake scales
Python
4
star
54

dreamer

Easier cloud infrastructure with Terraform and Ansible
Python
4
star
55

snake-skin

snake-skin - the web ui for snake
Svelte
2
star
56

boops-boops-android-agent

Java
1
star
57

snake-tail

snake-tail - the command line ui for snake
Python
1
star
58

slide-decks

1
star