  • Stars: 840
  • Rank 52,245 (Top 2 %)
  • Language: Python
  • License: GNU General Publi...
  • Created about 5 years ago
  • Updated 12 months ago

Repository Details

Enumerate the permissions associated with an AWS credential set

Enumerate IAM permissions

Found a set of AWS credentials and have no idea which permissions it might have?

$ ./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..."
2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked!
2019-05-10 15:58:01,537 - 21345 - [INFO] -- {
    "RoleDetailList": [
        {
            "Tags": [], 
            "AssumeRolePolicyDocument": {
                "Version": "2008-10-17", 
                "Statement": [
                    {
...
2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked!
2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked!
2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked!
2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked!
2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked!

Now you do!

enumerate-iam.py tries to brute force all API calls allowed by the IAM policy. The calls performed by this tool are all non-destructive (only get* and list* calls are performed).
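
Seen from the defender's side, this pattern is visible in CloudTrail as a single access key issuing read-only calls across many services in a short window, with a large share of them refused. The following is an added example, not part of enumerate-iam: a detection sketch over constructed CloudTrail-style records. The function name, thresholds and key IDs are assumptions; the record field names follow the CloudTrail record format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

READ_PREFIXES = ("Get", "List", "Describe")   # read-only verbs, as in the tool's output
DENIED_MARKERS = ("AccessDenied", "UnauthorizedOperation")

def find_enumeration(records, window=timedelta(minutes=5), min_services=5, min_denied=0.5):
    """Flag keys whose read-only calls hit many services in `window`, with a high refused share."""
    by_key = defaultdict(list)
    for r in records:
        if not r["eventName"].startswith(READ_PREFIXES):
            continue
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        denied = any(m in r.get("errorCode", "") for m in DENIED_MARKERS)
        key = r.get("userIdentity", {}).get("accessKeyId", "unknown")
        by_key[key].append((ts, r["eventSource"], denied))
    flagged = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):        # slide a time window over this key's calls
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            services = {src for _, src, _ in burst}
            ratio = sum(d for _, _, d in burst) / len(burst)
            if len(services) >= min_services and ratio >= min_denied:
                if key not in flagged or len(services) > flagged[key]["services"]:
                    flagged[key] = {"services": len(services), "calls": len(burst),
                                    "denied_ratio": round(ratio, 2)}
    return flagged

# Constructed sample records (not real logs); key IDs are placeholders.
ENUM_KEY, APP_KEY = "AKIAEXAMPLEENUM00001", "AKIAEXAMPLEAPP000002"
CALLS = [("ec2", "DescribeInstances", "Client.UnauthorizedOperation"),
         ("s3", "ListBuckets", "AccessDenied"), ("rds", "DescribeDBInstances", "AccessDenied"),
         ("kms", "ListKeys", "AccessDeniedException"),
         ("dynamodb", "ListTables", "AccessDeniedException"),
         ("ecs", "ListClusters", "AccessDeniedException"), ("gamelift", "ListBuilds"),
         ("cloudformation", "ListStackSets"), ("directconnect", "DescribeLocations"),
         ("sqs", "ListQueues")]

def _record(ts, key, service, name, error=None):
    rec = {"eventTime": ts, "eventSource": service + ".amazonaws.com", "eventName": name,
           "userIdentity": {"accessKeyId": key}}
    return {**rec, "errorCode": error} if error else rec

SAMPLE = [_record(f"2019-05-10T15:58:{20 + i:02d}Z", ENUM_KEY, *c) for i, c in enumerate(CALLS)]
SAMPLE += [_record(f"2019-05-10T15:5{i}:00Z", APP_KEY, s, n) for i, (s, n) in
           enumerate([("sqs", "GetQueueAttributes"), ("s3", "GetBucketLocation")] * 3)]
```

Calling `find_enumeration(SAMPLE)` flags only the enumerating key; the thresholds are starting points to tune against the account's normal read traffic.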

Installation

git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt

Library

This software was written to be easy to integrate with other tools: just import the main function and provide the required arguments:

from enumerate_iam.main import enumerate_iam

enumerate_iam(access_key,
              secret_key,
              session_token,
              region)

The output will contain all the enumerated permission information in a Python dictionary.

Other tools

Before writing enumerate-iam.py I tried a few that performed the same task. Decided to write my own because the others:

  • Did not check for all API calls
  • Were painfully slow when adding more API calls to the list
  • Did not return the permissions in a programmatic way

Updating the API calls

The API calls to be performed during permission enumeration are stored in enumerate_iam/bruteforce_tests.py, a Python dict() which is generated by enumerate_iam/generate_bruteforce_tests.py using the API documentation available in the aws-sdk-js library.

AWS releases new services every quarter. To make sure that this tool finds all the existing permissions, run:

cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python generate_bruteforce_tests.py
rm -rf aws-sdk-js

Related tools

This tool was released as part of the Internet-Scale Analysis of AWS Cognito Security research. During this research the cc-lambda tool was also used to extract information from the Common Crawl data.

Initial code

The initial code was released in this gist and improved in multiple ways:

  • Complete refactoring
  • Results returned in a programmatic way
  • Threads
  • Improved logging
  • Increased API call coverage
  • Export as a library

More Repositories

1. w3af (Python, 4,309 stars): w3af: web application attack and audit framework, the open source web vulnerability scanner.
2. nimbostratus (Python, 429 stars): Tools for fingerprinting and exploiting Amazon cloud infrastructures
3. race-condition-exploit (Python, 178 stars): Tool to help with the exploitation of web application race conditions
4. websocket-fuzzer (Python, 133 stars): HTML5 WebSocket message fuzzer
5. mongo-objectid-predict (Python, 106 stars): Predict Mongo ObjectIds
6. jwt-fuzzer (Python, 104 stars): JWT fuzzer
7. cc-lambda (Python, 76 stars): Search the common crawl using lambda functions
8. secure-ubuntu-desktop (65 stars): Maintain a list of tips and tricks to be used by Ubuntu users to secure their laptops.
9. w3af-webui (JavaScript, 52 stars): Django Web UI contributed by Yandex for w3af.
10. vpc-vpn-pivot (Python, 37 stars): Pivot into private VPC networks using a VPN connection
11. django-moth (Python, 31 stars): A Django vulnerable Web application for testing the w3af framework
12. w3af-moth (HTML, 29 stars): A set of vulnerable PHP scripts used to test w3af's vulnerability detection features.
13. w3af-kali (Python, 25 stars): w3af packaging for Kali distribution
14. splunk-logger (Python, 23 stars): A logging handler for Splunk. Lets you send information to Splunk directly from your Python code.
15. aws-audit-automation (Python, 23 stars): Tools to automate AWS Cloud security assessments
16. nimbostratus-target (Python, 22 stars): This repository holds a target infrastructure you can use for running the nimbostratus tools.
17. w3af-api-client (Python, 17 stars): REST API client to consume w3af
18. pico-wavsep (Python, 13 stars): A minimalistic way to run WAVSEP
19. docker-anomalies (Python, 12 stars): Docker container anomaly detection
20. owaspantisamy (HTML, 12 stars): Automatically exported from code.google.com/p/owaspantisamy
21. aws-backup (HCL, 12 stars): AWS Backup implementation in terraform
22. pico (Python, 10 stars): Tool to identify and exploit timing attacks
23. burp-proxy-search (Python, 10 stars): Burp suite HTTP history advanced search
24. w3af-module (Python, 9 stars): Tools to install w3af as a Python module
25. docker-tag-naming (Python, 9 stars): A small tool that helps name docker tags
26. sentinela (Python, 8 stars): Sentinela is a highly configurable operating system watchdog which can take actions based on pre-configured rules.
27. collector (Python, 7 stars): Collect performance metrics for any software using AWS
28. w3af-api-docker (Python, 6 stars): Docker image for w3af REST API with nginx, uwsgi and supervisord
29. w3af-packages (C, 6 stars): Files and utilities that define w3af packages and installers for Windows, Debian, FreeBSD, etc.
30. w3af-qa (Python, 4 stars): Quality related stuff for w3af.
31. dirty-dependency-check (Python, 4 stars): Vulnerability dependency check for Maven projects
32. django-uwsgi-nginx-ssh (Nginx, 4 stars): Django 1.5.1 with uwsgi, nginx and SSH.
33. cryptopals (Python, 4 stars): My solutions to the cryptopals challenge
34. w3af-performance-analysis (Python, 3 stars): Analysis tool for performance output generated by w3af
35. hash-blender (Python, 3 stars): Takes various inputs and separators, mixes them, applies a hash function and verifies if match was found
36. py-xchat-twitter (Python, 3 stars): Twitter client written as an XChat plugin (Python)
37. pico-string-compare-local (Python, 2 stars): String comparison scripts for pico
38. qotd (Python, 2 stars): A simple quote of the day library
39. w3af-misc (Python, 1 star): Misc code loosely related to the w3af project.
40. burp-extensions (1 star): Collection of Burp extensions
41. w3af-kali-ci (Shell, 1 star): A helper repository to build w3af-kali in CircleCI
42. django-registration (Python, 1 star): https://bitbucket.org/ubernostrum/django-registration with minor modifications
43. django-rest-framework-timing (Python, 1 star): Minimalistic Django REST framework to test timing attacks
44. high-entropy-json (Python, 1 star): Call Lyft's high-entropy-string for each string in a JSON document