Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/andresriancho/enumerate-iam

Enumerate the permissions associated with AWS credential set
https://github.com/andresriancho/enumerate-iam

Last synced: about 1 month ago
JSON representation

Enumerate the permissions associated with AWS credential set

Lists

README 

        
## Enumerate IAM permissions



Found a set of AWS credentials and have no idea which permissions it might have?



```console

$ ./enumerate-iam.py --access-key AKIA... --secret-key StF0q...

2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..."

2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked!

2019-05-10 15:58:01,537 - 21345 - [INFO] -- {

    "RoleDetailList": [

        {

            "Tags": [], 

            "AssumeRolePolicyDocument": {

                "Version": "2008-10-17", 

                "Statement": [

                    {

...

2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked!

2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked!

2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked!

2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked!

2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked!

```



Now you do!



`enumerate-iam.py` tries to brute force all API calls allowed by the IAM policy.

The calls performed by this tool are all non-destructive (only get* and list*

calls are performed).



## Installation



```

git clone [email protected]:andresriancho/enumerate-iam.git

cd enumerate-iam/

pip install -r requirements.txt

```



## Library



This software was written to be easy to integrate with other tools, just import

the main function and provide the required arguments:



```python

from enumerate_iam.main import enumerate_iam



enumerate_iam(access_key,

              secret_key,

              session_token,

              region)

```



The output will contain all the enumerated permission information in a python

dictionary.



## Other tools



Before writing `enumerate-iam.py` I tried a few that performed the same task.

Decided to write my own because the others:



 * Did not check for all API calls

 * Where painfully slow when adding more API calls to the list

 * Did not return the permissions in a programmatic way



## Updating the API calls



The API calls to be performed during permission enumeration are stored in

`enumerate_iam/bruteforce_tests.py`, a Python dict() which is generated by

`enumerate_iam/generate_bruteforce_tests.py` using the API documentation

available in the `aws-sdk-js` library. 



AWS releases new services every quarter, to make sure that this tool is

finding all the existing permissions run:



```console

cd enumerate_iam/

git clone https://github.com/aws/aws-sdk-js.git

python generate_bruteforce_tests.py

rm -rf aws-sdk-js

```



## Related tools



This tool was released as part of the [Internet-Scale Analysis of AWS Cognito Security](https://www.blackhat.com/us-19/briefings/schedule/?hootPostID=4abc475398765919352042ac015752e6#internet-scale-analysis-of-aws-cognito-security-15829)

research. During this research the [cc-lambda](https://github.com/andresriancho/cc-lambda) tool

was also used to extract information from the Common Crawl data.



## Initial code



The initial code was released in [this gist](https://gist.github.com/darkarnium/1df59865f503355ef30672168063da4e)

and improved in multiple ways:



 * Complete refactoring

 * Results returned in a programmatic way

 * Threads

 * Improved logging

 * Increased API call coverage

 * Export as a library