From 0ea40aea0581609cf7aa56fa9e1306046d03f13b Mon Sep 17 00:00:00 2001
From: carnal0wnage
Date: Fri, 13 Apr 2018 14:01:25 -0400
Subject: [PATCH] brute minor update and iam updates
---
 libs/brute.py | 2 +
 libs/iam.py | 170 ++++++++++++++++++++++++++++++++++++++++++++++++-
 modules/iam.py | 24 ++++++-
 3 files changed, 193 insertions(+), 3 deletions(-)
diff --git a/libs/brute.py b/libs/brute.py
index 455954a..0728312 100644
--- a/libs/brute.py
+++ b/libs/brute.py
@@ -835,6 +835,8 @@ def brute_iam_permissions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
 # ('ListUserPolicies', 'list_user_policies', (), {'UserName':'root'} ),
 ('ListGroups', 'list_groups', (), {}),
 ('ListUsers', 'list_users', (), {}),
+ ('ListRoles', 'list_roles', (), {}),
+ ('ListPolicies', 'list_policies', (), {}),
 # ('ListGroupsForUser', 'list_groups_for_user', (), {'UserName':account_username} ),
 ('GetCredentialReport', 'get_credential_report', (), {}),
 ('GetAccountSummary', 'get_account_summary', (), {}),
diff --git a/libs/iam.py b/libs/iam.py
index 4a5b4ed..ea5a988 100644
--- a/libs/iam.py
+++ b/libs/iam.py
@@ -13,10 +13,10 @@ import pprint
 pp = pprint.PrettyPrinter(indent=5, width=80)
+region = 'us-east-1'
 regions = ['us-east-1']
-
 def check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
- client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY,region_name=region)
+ client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY,region_name='us-east-1')
 try:
 acct_summary = client.get_account_summary()
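Review bot: The new module-level `region = 'us-east-1'` is redundant with the second change in this hunk, which replaces the only visible use (`region_name=region` in check_root_account) with the literal `'us-east-1'`. Keeping `region_name=region` alongside the single constant would leave the default in one place; as written the same value now appears three times next to `regions = ['us-east-1']`. check_root_account's body continues outside the hunk, so other uses of `region` may exist that are not visible here.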
@@ -315,3 +315,169 @@ def iam_list_users(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
 print("Unexpected error: {}" .format(e))
 except KeyboardInterrupt:
 print("CTRL-C received, exiting...")
+
+
+def iam_list_roles(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+ print("### Printing IAM Roles ###")
+ try:
+ for region in regions:
+ client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
+
+ response = client.list_roles()
+ # print(response)
+ if response.get('Roles') is None:
+ print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID))
+ elif len(response['Roles']) <= 0:
+ print("[-] ListRoles allowed for {} but no results [-]\n" .format(region))
+ else:
+ for roles in response['Roles']:
+ print("Role Name: {}".format(roles['RoleName']))
+ pp.pprint(roles)
+ print('\n')
+ # print(response)
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'InvalidClientTokenId':
+ sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'AccessDenied':
+ print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'OptInRequired':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print("Unexpected error: {}" .format(e))
+ except KeyboardInterrupt:
+ print("CTRL-C received, exiting...")
+
+
+def iam_list_policies(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+ print("### Printing IAM Policies ###")
+ try:
+ for region in regions:
+ client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
+
+ response = client.list_policies()
+ # print(response)
+ if response.get('Policies') is None:
+ print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID))
+ elif len(response['Policies']) <= 0:
+ print("[-] ListPolicies allowed for {} but no results [-]\n" .format(region))
+ else:
+ for policy in response['Policies']:
+ print("Policy Name: {}".format(policy['PolicyName']))
+ pp.pprint(policy)
+ print('\n')
+ # print(response)
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'InvalidClientTokenId':
+ sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'AccessDenied':
+ print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'OptInRequired':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print("Unexpected error: {}" .format(e))
+ except KeyboardInterrupt:
+ print("CTRL-C received, exiting...")
+
+# dont use see below
+def iam_list_user_policies(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username):
+ print("### Printing IAM Policies for {} ###".format(username))
+ try:
+ for region in regions:
+ client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
+
+ response = client.list_user_policies(UserName=username)
+ # print(response)
+ if response.get('PolicyNames') is None:
+ print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID))
+ elif len(response['PolicyNames']) <= 0:
+ print("[-] ListUserPolicies allowed for {} but no results [-]\n" .format(region))
+ else:
+ for policy in response['PolicyNames']:
+ print("Policy Name: {}".format(policy['PolicyName']))
+ pp.pprint(policy)
+ print('\n')
+ # print(response)
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'InvalidClientTokenId':
+ sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'AccessDenied':
+ print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'OptInRequired':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print("Unexpected error: {}" .format(e))
+ except KeyboardInterrupt:
+ print("CTRL-C received, exiting...")
+
+def iam_list_attached_user_policies(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username):
+ print("### Printing Attached IAM Policies for {} ###".format(username))
+ try:
+ for region in regions:
+ client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
+
+ response = client.list_attached_user_policies(UserName=username)
+ # print(response)
+ if response.get('AttachedPolicies') is None:
+ print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID))
+ elif len(response['AttachedPolicies']) <= 0:
+ print("[-] ListAttachedUserPolicies allowed for {} but no results [-]\n" .format(region))
+ else:
+ for policy in response['AttachedPolicies']:
+ #print("Policy Name: {}".format(policy['PolicyName']))
+ pp.pprint(policy)
+ print('\n')
+ # print(response)
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'InvalidClientTokenId':
+ sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'AccessDenied':
+ print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'OptInRequired':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print("Unexpected error: {}" .format(e))
+ except KeyboardInterrupt:
+ print("CTRL-C received, exiting...")
+
+def iam_list_entities_for_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, policy_arn):
+ print("### Printing IAM Entity Policies for {} ###".format(policy_arn))
+ try:
+ for region in regions:
+ client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
+
+ response = client.list_entities_for_policy(PolicyArn=policy_arn)
+ print(response)
+
+ #this needs a if data for PolicyGroups, PolicyUsers, PolicyRoles do stuff
+
+ #if response.get('AttachedPolicies') is None:
+ # print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID))
+ #elif len(response['AttachedPolicies']) <= 0:
+ # print("[-] ListAttachedUserPolicies allowed for {} but no results [-]\n" .format(region))
+ #else:
+ # for policy in response['AttachedPolicies']:
+ # #print("Policy Name: {}".format(policy['PolicyName']))
+ # pp.pprint(policy)
+ # print('\n')
+ # # print(response)
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'InvalidClientTokenId':
+ sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'AccessDenied':
+ print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'OptInRequired':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print("Unexpected error: {}" .format(e))
+ except KeyboardInterrupt:
+ print("CTRL-C received, exiting...")
\ No newline at end of file
diff --git a/modules/iam.py b/modules/iam.py
index cdbc9a3..f14f884 100644
--- a/modules/iam.py
+++ b/modules/iam.py
@@ -19,4 +19,26 @@ def step_iam_get_account_summary():
 def step_iam_list_users():
- iam_list_users(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
\ No newline at end of file
+ iam_list_users(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+
+def step_iam_check_root_account():
+ check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+
+def step_iam_get_password_policy():
+ get_password_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+
+def step_iam_list_roles():
+ iam_list_roles(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+
+def step_iam_list_policies():
+ iam_list_policies(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+
+#have to figure out the argument passing part here first
+def step_iam_list_user_policies():
+ iam_list_user_policies(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'root')
+
+def step_iam_list_attached_user_policies():
+ iam_list_attached_user_policies(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'root')
+
+def step_iam_list_entities_for_policy():
+ iam_list_entities_for_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, 'arn:aws:iam::xxxxxxx')
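Review bot: In iam_list_user_policies the loop evaluates `policy['PolicyName']` on each element of `response['PolicyNames']`, but ListUserPolicies returns that field as a list of plain strings, so the first non-empty result raises TypeError, which neither `except` clause catches; `print("Policy Name: {}".format(policy))` would fix it. The `AccessDenied` branch, repeated in all five new functions, prints 'Is NOT a root/IAM key', yet that error code means the key authenticated and the call was not permitted, so the message misreports a valid key. The identical `except botocore.exceptions.ClientError` block is copied five times and calls `sys.exit` from library code; a shared helper such as `_report_client_error(e, key_id)` with a one-line docstring would keep the messages consistent and leave the exit decision to the caller. The commented-out `AttachedPolicies` block in iam_list_entities_for_policy could be dropped, and the file still ends without a trailing newline.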
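Review bot: step_iam_list_user_policies wires in the library function that this same commit marks `# dont use see below`, and three of the new steps pass hard-coded placeholders (`'root'` twice and `'arn:aws:iam::xxxxxxx'`). `'root'` is presumably not an IAM user name in most accounts and the ARN is not a complete policy ARN, so these calls would most likely end in the generic "Unexpected error" branch rather than a useful result. Until argument passing is worked out, taking the value as a parameter, e.g. `def step_iam_list_attached_user_policies(username):`, or leaving these steps out avoids shipping entry points that cannot succeed. How steps receive arguments is not visible in this hunk, so the signature change is a suggestion to confirm against the dispatcher.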