· 7 years ago · Jan 04, 2019, 10:42 PM
# Enumerate IAM

The following code attempts to enumerate the operations that a given set of AWS access keys can perform. It first asks IAM directly (`get_account_authorization_details`, then `get_user` and the user's attached, inline and group policies) and, whether or not that works, falls back to brute-forcing a list of read-only `describe`/`list` calls across common services and reporting which ones the key is allowed to make.

Two practical notes. Every service client except IAM, Route53 and S3 is regional, so boto3 needs a default region (`AWS_DEFAULT_REGION` or `~/.aws/config`) or the brute-force stage cannot build its clients. And every refused call is recorded in the target account's CloudTrail as an `AccessDenied`-style error, so a run is noisy and easy to spot, which is exactly the pattern a defender should alert on.

## Usage
```
Usage: enumerate-iam.py [OPTIONS]

  IAM Account Enumerator.

  This code provides a mechanism to attempt to validate the permissions
  assigned to a given set of AWS tokens.

Options:
  --access-key TEXT     An AWS Access Key Id to check
  --secret-key TEXT     An AWS Secret Access Key to check
  --session-token TEXT  An AWS Session Token to check
  --help                Show this message and exit.
```
20
## Example

```
$ python enumerate-iam.py --access-key <KEY> --secret-key <SECRET>
2017-05-06 00:16:05,164 - 5692 - [INFO] Starting scrape for access-key-id "<KEY>"
2017-05-06 00:16:06,107 - 5692 - [ERROR] Failed to get everything at once (get_account_authorization_details) :(
2017-05-06 00:16:06,210 - 5692 - [INFO] -- Account ARN : arn:aws:iam::NNNNNNNNNNN:user/some-other-user
2017-05-06 00:16:06,210 - 5692 - [INFO] -- Account Id  : NNNNNNNNNNN
2017-05-06 00:16:06,210 - 5692 - [INFO] -- Account Path: user/some-other-user
2017-05-06 00:16:06,321 - 5692 - [INFO] User "some-other-user" has 1 attached policies
2017-05-06 00:16:06,321 - 5692 - [INFO] -- Policy "some-policy" (arn:aws:iam::NNNNNNNNNNN:policy/some-policy)
2017-05-06 00:16:06,436 - 5692 - [INFO] User "some-other-user" has 1 inline policies
2017-05-06 00:16:06,436 - 5692 - [INFO] -- Policy "policygen-some-other-user-201705060014"
2017-05-06 00:16:06,543 - 5692 - [INFO] User "some-other-user" has 0 groups associated
2017-05-06 00:16:06,543 - 5692 - [INFO] Attempting common-service describe / list bruteforce.
...
```

```
$ python enumerate-iam.py --access-key <KEY> --secret-key <SECRET>
2017-05-05 23:52:27,194 - 3060 - [INFO] Starting scrape for access-key-id "<KEY>"
2017-05-05 23:52:28,206 - 3060 - [ERROR] Failed to get everything at once (get_account_authorization_details) :(
2017-05-05 23:52:28,293 - 3060 - [ERROR] Failed to retrieve any IAM data for this key.
2017-05-05 23:52:28,293 - 3060 - [INFO] -- Account ARN : arn:aws:iam::NNNNNNNNNNN:user/some-user
2017-05-05 23:52:28,293 - 3060 - [INFO] -- Account Id  : NNNNNNNNNNN
2017-05-05 23:52:28,293 - 3060 - [INFO] -- Account Path: user/some-user
2017-05-05 23:52:28,293 - 3060 - [INFO] Attempting common-service describe / list bruteforce.
2017-05-05 23:52:28,301 - 3060 - [INFO] Checking ACM (Certificate Manager)
2017-05-05 23:52:28,737 - 3060 - [ERROR] -- list_certificates() failed
2017-05-05 23:52:28,762 - 3060 - [INFO] Checking CFN (CloudFormation)
2017-05-05 23:52:29,184 - 3060 - [ERROR] -- describe_stacks() failed
2017-05-05 23:52:29,193 - 3060 - [INFO] Checking CloudHSM
2017-05-05 23:52:29,611 - 3060 - [ERROR] -- list_hsms() failed
2017-05-05 23:52:29,625 - 3060 - [INFO] Checking CloudSearch
2017-05-05 23:52:30,069 - 3060 - [ERROR] -- list_domain_names() failed
2017-05-05 23:52:30,078 - 3060 - [INFO] Checking CloudTrail
2017-05-05 23:52:30,529 - 3060 - [ERROR] -- describe_trails() failed
2017-05-05 23:52:30,536 - 3060 - [INFO] Checking CloudWatch
2017-05-05 23:52:30,926 - 3060 - [ERROR] -- describe_alarm_history() failed
2017-05-05 23:52:30,936 - 3060 - [INFO] Checking CodeCommit
2017-05-05 23:52:31,338 - 3060 - [ERROR] -- list_repositories() failed
2017-05-05 23:52:31,374 - 3060 - [INFO] Checking CodeDeploy
2017-05-05 23:52:31,782 - 3060 - [ERROR] -- list_applications() failed
2017-05-05 23:52:31,881 - 3060 - [ERROR] -- list_deployments() failed
2017-05-05 23:52:31,953 - 3060 - [INFO] Checking EC2 (Elastic Compute)
2017-05-05 23:52:32,345 - 3060 - [ERROR] -- describe_instances() failed
2017-05-05 23:52:32,440 - 3060 - [ERROR] -- describe_images() failed
2017-05-05 23:52:32,539 - 3060 - [ERROR] -- describe_addresses() failed
2017-05-05 23:52:32,630 - 3060 - [ERROR] -- describe_hosts() failed
2017-05-05 23:52:32,721 - 3060 - [ERROR] -- describe_nat_gateways() failed
2017-05-05 23:52:32,819 - 3060 - [ERROR] -- describe_key_pairs() failed
2017-05-05 23:52:32,917 - 3060 - [ERROR] -- describe_snapshots() failed
2017-05-05 23:52:33,013 - 3060 - [ERROR] -- describe_volumes() failed
2017-05-05 23:52:33,111 - 3060 - [ERROR] -- describe_tags() failed
2017-05-05 23:52:33,305 - 3060 - [ERROR] -- describe_vpcs() failed
2017-05-05 23:52:33,319 - 3060 - [INFO] Checking ECS (DOCKER DOCKER DOCKER DOCKER ...)
2017-05-05 23:52:33,713 - 3060 - [ERROR] -- describe_clusters() failed
2017-05-05 23:52:33,730 - 3060 - [INFO] Checking ElasticBeanstalk
2017-05-05 23:52:34,167 - 3060 - [INFO] -- describe_applications() worked!
2017-05-05 23:52:34,352 - 3060 - [INFO] -- describe_environments() worked!
2017-05-05 23:52:34,365 - 3060 - [INFO] Checking ELB (Elastic Load Balancing)
2017-05-05 23:52:34,749 - 3060 - [ERROR] -- describe_load_balancers() failed
2017-05-05 23:52:34,763 - 3060 - [INFO] Checking ELBv2 (Elastic Load Balancing)
2017-05-05 23:52:35,135 - 3060 - [ERROR] -- describe_load_balancers() failed
2017-05-05 23:52:35,151 - 3060 - [INFO] Checking ElasticTranscoder
2017-05-05 23:52:35,561 - 3060 - [ERROR] -- list_pipelines() failed
2017-05-05 23:52:35,572 - 3060 - [INFO] Checking DynamoDB
2017-05-05 23:52:35,960 - 3060 - [ERROR] -- list_tables() failed
2017-05-05 23:52:36,003 - 3060 - [INFO] Checking IoT
2017-05-05 23:52:36,217 - 3060 - [ERROR] -- list_things() failed
2017-05-05 23:52:36,331 - 3060 - [ERROR] -- describe_endpoint() failed
2017-05-05 23:52:36,342 - 3060 - [INFO] Checking Kinesis
2017-05-05 23:52:36,733 - 3060 - [ERROR] -- list_streams() failed
2017-05-05 23:52:36,806 - 3060 - [INFO] Checking KMS (Key Management Service)
2017-05-05 23:52:37,229 - 3060 - [ERROR] -- list_keys() failed
2017-05-05 23:52:37,255 - 3060 - [INFO] Checking Lambda
2017-05-05 23:52:37,663 - 3060 - [ERROR] -- list_functions() failed
2017-05-05 23:52:37,701 - 3060 - [INFO] Checking OpsWorks
2017-05-05 23:52:38,197 - 3060 - [INFO] -- describe_stacks() worked!
2017-05-05 23:52:38,252 - 3060 - [INFO] Checking RDS (Relational Database Service)
2017-05-05 23:52:38,726 - 3060 - [ERROR] -- describe_db_clusters() failed
2017-05-05 23:52:38,821 - 3060 - [ERROR] -- describe_db_instances() failed
2017-05-05 23:52:38,858 - 3060 - [INFO] Checking Route53 (DNS)
2017-05-05 23:52:39,250 - 3060 - [ERROR] -- list_hosted_zones() failed
2017-05-05 23:52:39,539 - 3060 - [INFO] Checking S3 (Simple Storage Service)
2017-05-05 23:52:39,928 - 3060 - [ERROR] -- list_buckets() failed
2017-05-05 23:52:39,956 - 3060 - [INFO] Checking SES (Simple Email Service)
2017-05-05 23:52:40,344 - 3060 - [ERROR] -- list_identities() failed
2017-05-05 23:52:40,361 - 3060 - [INFO] Checking SNS (Simple Notification Service)
2017-05-05 23:52:40,750 - 3060 - [ERROR] -- list_topics() failed
2017-05-05 23:52:40,767 - 3060 - [INFO] Checking SQS (Simple Queue Service)
2017-05-05 23:52:41,151 - 3060 - [ERROR] -- list_queues() failed
2017-05-05 23:52:41,171 - 3060 - [INFO] Checking Support
2017-05-05 23:52:41,571 - 3060 - [ERROR] -- describe_cases() failed
```

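The second run above is what an enumeration looks like from the defender's side: one access key collecting refused calls from a dozen unrelated services inside a few seconds. The following is an added example, not part of the original gist, that scores CloudTrail records for exactly that pattern. The records are constructed in CloudTrail's shape, the key IDs are the placeholder values from the AWS documentation, and the window and service-count thresholds are assumptions to tune for your own account.

```python
"""Spot the CloudTrail footprint of a permission brute-force: one access key
collecting AccessDenied errors from many distinct services in a short window.
Added example; the records below are constructed, not real CloudTrail output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Error codes CloudTrail records for a refused call. EC2 spells its denial
# "Client.UnauthorizedOperation"; most other services use an AccessDenied variant.
DENIED_CODES = {'AccessDenied', 'AccessDeniedException', 'Client.UnauthorizedOperation'}

# Placeholder key IDs taken from the AWS documentation, not real credentials.
ENUM_KEY = 'AKIAIOSFODNN7EXAMPLE'
DEV_KEY = 'AKIAI44QH8DHBEXAMPLE'


def is_denied(record):
    ''' True when the record is a call that IAM refused. '''
    return record.get('errorCode') in DENIED_CODES


def parse_time(stamp):
    ''' CloudTrail eventTime is ISO 8601 UTC, e.g. 2017-05-05T23:52:28Z. '''
    return datetime.strptime(stamp, '%Y-%m-%dT%H:%M:%SZ')


def find_enumeration_bursts(records, window=timedelta(seconds=60), min_services=5):
    ''' Return {accessKeyId: {'arn', 'services', 'first', 'last'}} for each key
    whose denied calls hit at least min_services distinct eventSources inside
    a span no longer than window. The widest qualifying span is reported. '''
    by_key = defaultdict(list)
    for rec in records:
        if not is_denied(rec):
            continue
        identity = rec.get('userIdentity', {})
        key = identity.get('accessKeyId')
        if key:
            by_key[key].append((parse_time(rec['eventTime']), rec['eventSource'], identity.get('arn', '')))

    hits = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            services = {source for _, source, _ in events[start:end + 1]}
            if len(services) < min_services:
                continue
            best = hits.get(key)
            if best is None or len(services) > len(best['services']):
                hits[key] = {'arn': events[end][2], 'services': services,
                             'first': events[start][0], 'last': events[end][0]}
    return hits


def _rec(when, source, name, key, code=None, user='some-user'):
    ''' Build a minimal CloudTrail-shaped record (constructed sample data). '''
    rec = {
        'eventTime': when, 'eventSource': source, 'eventName': name,
        'awsRegion': 'us-east-1', 'sourceIPAddress': '198.51.100.7',
        'userIdentity': {'type': 'IAMUser', 'accessKeyId': key,
                         'arn': 'arn:aws:iam::123456789012:user/' + user},
    }
    if code:
        rec['errorCode'] = code
    return rec


SAMPLE_RECORDS = [
    # The enumerator's key: six services refused within eleven seconds, one allowed.
    _rec('2017-05-05T23:52:28Z', 'acm.amazonaws.com', 'ListCertificates', ENUM_KEY, 'AccessDenied'),
    _rec('2017-05-05T23:52:29Z', 'cloudformation.amazonaws.com', 'DescribeStacks', ENUM_KEY, 'AccessDenied'),
    _rec('2017-05-05T23:52:30Z', 'cloudtrail.amazonaws.com', 'DescribeTrails', ENUM_KEY, 'AccessDeniedException'),
    _rec('2017-05-05T23:52:32Z', 'ec2.amazonaws.com', 'DescribeInstances', ENUM_KEY, 'Client.UnauthorizedOperation'),
    _rec('2017-05-05T23:52:34Z', 'elasticbeanstalk.amazonaws.com', 'DescribeApplications', ENUM_KEY),
    _rec('2017-05-05T23:52:37Z', 'kms.amazonaws.com', 'ListKeys', ENUM_KEY, 'AccessDeniedException'),
    _rec('2017-05-05T23:52:39Z', 's3.amazonaws.com', 'ListBuckets', ENUM_KEY, 'AccessDenied'),
    # A developer's key that trips two unrelated denials fifteen minutes apart.
    _rec('2017-05-05T23:40:00Z', 's3.amazonaws.com', 'ListBuckets', DEV_KEY, 'AccessDenied', user='dev'),
    _rec('2017-05-05T23:55:00Z', 'ec2.amazonaws.com', 'DescribeVolumes', DEV_KEY, 'Client.UnauthorizedOperation', user='dev'),
]


if __name__ == '__main__':
    for key, hit in find_enumeration_bursts(SAMPLE_RECORDS).items():
        print('{} ({}) refused by {} services between {} and {}'.format(
            key, hit['arn'], len(hit['services']), hit['first'], hit['last']))
```

Counting distinct `eventSource` values rather than raw error volume is what separates an enumeration sweep from a misconfigured application that retries the same denied call; the developer key above never qualifies at the default thresholds, while the enumerator's key does on its fifth service and the report widens to cover all six.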
## Code

```python
"""IAM Account Enumerator.

This code provides a mechanism to attempt to validate the permissions assigned
to a given set of AWS tokens.
"""
import re
import sys
import logging

import boto3
import botocore.exceptions
import click


def report_arn(candidate):
    ''' Attempt to extract and slice up an ARN from the input string. '''
    logger = logging.getLogger()
    # An ARN is arn:partition:service:region:account-id:resource, so it has at
    # least six colon-separated fields. AccessDenied messages quote the
    # caller's ARN, which is why this is also run over error text.
    arn_search = re.search(r'(arn:aws:\S+)', candidate)
    if arn_search:
        arn = arn_search.group(1).rstrip('.')
        parts = arn.split(':')
        if len(parts) < 6:
            return
        logger.info('-- Account ARN : %s', arn)
        logger.info('-- Account Id  : %s', parts[4])
        logger.info('-- Account Path: %s', ':'.join(parts[5:]))


# This is lame and won't work with federated policies and a bunch of other cases.
def build_arn(user_arn, policy_name, path='policy'):
    ''' Chops up the user ARN and attempts to build a policy ARN. '''
    return '{}:{}/{}'.format(':'.join(user_arn.split(':')[0:5]), path, policy_name)


# (boto3 service name, label, [(read-only API call, kwargs), ...]). Every
# service here except Route53 and S3 is regional, so boto3 needs a default
# region (AWS_DEFAULT_REGION or ~/.aws/config) to build the client.
BRUTE_CHECKS = [
    ('acm', 'ACM (Certificate Manager)', [('list_certificates', {})]),
    ('cloudformation', 'CFN (CloudFormation)', [('describe_stacks', {})]),
    ('cloudhsm', 'CloudHSM', [('list_hsms', {})]),
    ('cloudsearch', 'CloudSearch', [('list_domain_names', {})]),
    ('cloudtrail', 'CloudTrail', [('describe_trails', {})]),
    ('cloudwatch', 'CloudWatch', [('describe_alarm_history', {})]),
    ('codecommit', 'CodeCommit', [('list_repositories', {})]),
    ('codedeploy', 'CodeDeploy', [('list_applications', {}), ('list_deployments', {})]),
    ('ec2', 'EC2 (Elastic Compute)', [
        ('describe_instances', {}),
        # Without an owner filter these two return every public AMI and
        # snapshot in the region, which is enormous and slow.
        ('describe_images', {'Owners': ['self']}),
        ('describe_addresses', {}),
        ('describe_hosts', {}),
        ('describe_nat_gateways', {}),
        ('describe_key_pairs', {}),
        ('describe_snapshots', {'OwnerIds': ['self']}),
        ('describe_volumes', {}),
        ('describe_tags', {}),
        ('describe_vpcs', {}),
    ]),
    ('ecs', 'ECS (DOCKER DOCKER DOCKER DOCKER ...)', [('describe_clusters', {})]),
    ('elasticbeanstalk', 'ElasticBeanstalk', [('describe_applications', {}), ('describe_environments', {})]),
    ('elb', 'ELB (Elastic Load Balancing)', [('describe_load_balancers', {})]),
    ('elbv2', 'ELBv2 (Elastic Load Balancing)', [('describe_load_balancers', {})]),
    ('elastictranscoder', 'ElasticTranscoder', [('list_pipelines', {})]),
    ('dynamodb', 'DynamoDB', [('list_tables', {})]),
    ('iot', 'IoT', [('list_things', {}), ('describe_endpoint', {})]),
    ('kinesis', 'Kinesis', [('list_streams', {})]),
    ('kms', 'KMS (Key Management Service)', [('list_keys', {})]),
    ('lambda', 'Lambda', [('list_functions', {})]),
    ('opsworks', 'OpsWorks', [('describe_stacks', {})]),
    ('rds', 'RDS (Relational Database Service)', [('describe_db_clusters', {}), ('describe_db_instances', {})]),
    ('route53', 'Route53 (DNS)', [('list_hosted_zones', {})]),
    ('s3', 'S3 (Simple Storage Service)', [('list_buckets', {})]),
    ('ses', 'SES (Simple Email Service)', [('list_identities', {})]),
    ('sns', 'SNS (Simple Notification Service)', [('list_topics', {})]),
    ('sqs', 'SQS (Simple Queue Service)', [('list_queues', {})]),
    # describe_cases needs a Business or Enterprise support plan; without one
    # it fails with SubscriptionRequiredException even when IAM allows it.
    ('support', 'Support', [('describe_cases', {})]),
]


def brute(access_key, secret_key, session_token):
    ''' Attempt to brute-force common describe / list calls. '''
    logger = logging.getLogger()
    logger.info('Attempting common-service describe / list bruteforce.')

    for service, label, calls in BRUTE_CHECKS:
        try:
            client = boto3.client(
                service,
                aws_access_key_id=access_key,
                aws_secret_access_key=secret_key,
                aws_session_token=session_token
            )
        except botocore.exceptions.NoRegionError:
            logger.fatal('No AWS region configured (set AWS_DEFAULT_REGION), cannot continue.')
            sys.exit(1)
        logger.info('Checking %s', label)

        for call, kwargs in calls:
            try:
                getattr(client, call)(**kwargs)
                logger.info('-- %s() worked!', call)
            except botocore.exceptions.ClientError as err:
                # Only an AccessDenied-style code means IAM refused the call;
                # any other code says nothing about the key's permissions.
                code = err.response.get('Error', {}).get('Code', 'Unknown')
                logger.error('-- %s() failed (%s)', call, code)
            except botocore.exceptions.BotoCoreError as err:
                # Endpoint / connection problems (e.g. the service does not
                # exist in the configured region) are not permission answers.
                logger.error('-- %s() could not be attempted: %s', call, err)


@click.command()
@click.option('--access-key', help='An AWS Access Key Id to check')
@click.option('--secret-key', help='An AWS Secret Access Key to check')
@click.option('--session-token', help='An AWS Session Token to check')
def main(access_key, secret_key, session_token):
    """IAM Account Enumerator.

    This code provides a mechanism to attempt to validate the permissions
    assigned to a given set of AWS tokens.
    """
    logging.basicConfig(
        level=logging.INFO,
        format='%(asctime)s - %(process)d - [%(levelname)s] %(message)s',
    )
    logger = logging.getLogger()

    # Suppress boto INFO.
    logging.getLogger('boto3').setLevel(logging.WARNING)
    logging.getLogger('botocore').setLevel(logging.WARNING)

    # Ensure required parameters are set.
    if access_key is None:
        logger.fatal('No access-key provided, cannot continue.')
        sys.exit(1)
    if secret_key is None:
        logger.fatal('No secret-key provided, cannot continue.')
        sys.exit(1)

    # Connect to the IAM API and start testing. IAM is a global service, so
    # this client needs no region.
    logger.info('Starting scrape for access-key-id "%s"', access_key)
    iam = boto3.client(
        'iam',
        aws_access_key_id=access_key,
        aws_secret_access_key=secret_key,
        aws_session_token=session_token
    )

    # Try for the kitchen sink: one call that returns every user, group, role
    # and policy document in the account. The response is paginated; only the
    # first page is logged here.
    try:
        everything = iam.get_account_authorization_details()
        logger.info('Run for the hills, get_account_authorization_details worked!')
        logger.info('-- %s', everything)
    except botocore.exceptions.ClientError:
        logger.error('Failed to get everything at once (get_account_authorization_details) :(')

    # Attempt to get user to start.
    try:
        user = iam.get_user()
        report_arn(user['User']['Arn'])
    except botocore.exceptions.ClientError as err:
        # Even a denied GetUser leaks the caller's ARN in the error message.
        logger.error('Failed to retrieve any IAM data for this key.')
        report_arn(str(err))
        brute(access_key=access_key, secret_key=secret_key, session_token=session_token)
        sys.exit(0)

    user_name = user['User']['UserName']

    # Attempt to get policies attached to this user.
    try:
        user_policies = iam.list_attached_user_policies(UserName=user_name)
        logger.info(
            'User "%s" has %d attached policies',
            user_name,
            len(user_policies['AttachedPolicies'])
        )

        # List all policies, if present.
        for policy in user_policies['AttachedPolicies']:
            logger.info('-- Policy "%s" (%s)', policy['PolicyName'], policy['PolicyArn'])
    except botocore.exceptions.ClientError as err:
        logger.error(
            'Unable to query for user policies for "%s" (list_attached_user_policies): %s',
            user_name,
            err
        )

    # Attempt to get inline policies for this user.
    try:
        user_policies = iam.list_user_policies(UserName=user_name)
        logger.info(
            'User "%s" has %d inline policies',
            user_name,
            len(user_policies['PolicyNames'])
        )

        # List all policies, if present.
        for policy in user_policies['PolicyNames']:
            logger.info('-- Policy "%s"', policy)
    except botocore.exceptions.ClientError as err:
        logger.error(
            'Unable to query for user policies for "%s" (list_user_policies): %s',
            user_name,
            err
        )

    # Attempt to get the groups attached to this user.
    try:
        user_groups = iam.list_groups_for_user(UserName=user_name)
        logger.info(
            'User "%s" has %d groups associated',
            user_name,
            len(user_groups['Groups'])
        )

        # List all groups, if present, with their inline and attached policies.
        for group in user_groups['Groups']:
            try:
                group_policy = iam.list_group_policies(GroupName=group['GroupName'])
                logger.info(
                    '-- Group "%s" has %d inline policies',
                    group['GroupName'],
                    len(group_policy['PolicyNames'])
                )

                # List all group policy names.
                for policy in group_policy['PolicyNames']:
                    logger.info('---- Policy "%s"', policy)
            except botocore.exceptions.ClientError as err:
                logger.error(
                    '---- Failed to get policies for group "%s" (list_group_policies): %s',
                    group['GroupName'],
                    err
                )

            try:
                attached = iam.list_attached_group_policies(GroupName=group['GroupName'])
                logger.info(
                    '-- Group "%s" has %d attached policies',
                    group['GroupName'],
                    len(attached['AttachedPolicies'])
                )
                for policy in attached['AttachedPolicies']:
                    logger.info('---- Policy "%s" (%s)', policy['PolicyName'], policy['PolicyArn'])
            except botocore.exceptions.ClientError as err:
                logger.error(
                    '---- Failed to get attached policies for group "%s" (list_attached_group_policies): %s',
                    group['GroupName'],
                    err
                )
    except botocore.exceptions.ClientError as err:
        logger.error(
            'Unable to query for groups for %s (list_groups_for_user): %s',
            user_name,
            err
        )

    # Try a brute-force approach.
    brute(access_key=access_key, secret_key=secret_key, session_token=session_token)


if __name__ == '__main__':
    main()
```
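
The "kitchen sink" call in `main()` just dumps the whole `get_account_authorization_details` response, which is unreadable for anything but a tiny account. As an added example, not part of the original gist, the following walks that response and reports which statements actually apply to one user: its inline policies, the default version of each attached managed policy, and the same for each group it belongs to. `SAMPLE_DETAILS` is constructed in the shape of the API response (one policy document is left URL-encoded as the raw API returns it, the rest decoded as boto3 returns them); the account ID, names and policies are placeholders.

```python
"""Turn a GetAccountAuthorizationDetails response into the statements that
actually apply to one IAM user. Added example; SAMPLE_DETAILS is constructed
in the response's shape and is not real account data."""
import json
from urllib.parse import unquote


def _document(doc):
    ''' boto3 JSON-decodes IAM policy documents; the raw API returns them
    URL-encoded. Accept both. '''
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc


def _as_list(value):
    ''' IAM allows a bare string wherever a list is expected. '''
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(_document(doc).get('Statement', []))


def default_document(details, policy_arn):
    ''' Only the default version of a managed policy is in force. None means
    the policy is not in this (paginated) page of the response. '''
    for policy in details.get('Policies', []):
        if policy['Arn'] == policy_arn:
            for version in policy.get('PolicyVersionList', []):
                if version.get('IsDefaultVersion'):
                    return version['Document']
    return None


def statements_for_user(details, user_name):
    ''' Yield (source, statement) for the user's inline and attached policies
    and for those of every group the user belongs to. '''
    users = [u for u in details.get('UserDetailList', []) if u['UserName'] == user_name]
    if not users:
        raise KeyError('no user named {!r} in UserDetailList'.format(user_name))
    groups = {g['GroupName']: g for g in details.get('GroupDetailList', [])}
    sources = [('user', 'UserPolicyList', users[0])]
    sources += [('group:' + name, 'GroupPolicyList', groups[name])
                for name in users[0].get('GroupList', []) if name in groups]

    for label, inline_key, entity in sources:
        for inline in entity.get(inline_key, []):
            for stmt in _statements(inline['PolicyDocument']):
                yield '{}/inline:{}'.format(label, inline['PolicyName']), stmt
        for attached in entity.get('AttachedManagedPolicies', []):
            doc = default_document(details, attached['PolicyArn'])
            if doc is not None:
                for stmt in _statements(doc):
                    yield '{}/managed:{}'.format(label, attached['PolicyName']), stmt


def summarize_user(details, user_name):
    ''' Return {'Allow': {action: [sources]}, 'Deny': {action: [sources]}}.
    Resource and Condition are not evaluated; an explicit Deny always wins,
    so read the Deny map first. NotAction is recorded literally. '''
    summary = {'Allow': {}, 'Deny': {}}
    for source, stmt in statements_for_user(details, user_name):
        if 'NotAction' in stmt:
            actions = ['NotAction:' + a for a in _as_list(stmt['NotAction'])]
        else:
            actions = _as_list(stmt.get('Action', []))
        for action in actions:
            summary[stmt['Effect']].setdefault(action, []).append(source)
    return summary


_ACCOUNT = 'arn:aws:iam::123456789012'  # placeholder account id
SAMPLE_DETAILS = {
    'UserDetailList': [{
        'UserName': 'some-user', 'Arn': _ACCOUNT + ':user/some-user',
        'GroupList': ['developers'],
        'UserPolicyList': [{
            'PolicyName': 'policygen-some-user-201705060014',
            'PolicyDocument': {'Version': '2012-10-17', 'Statement': [{
                'Effect': 'Allow', 'Resource': '*',
                'Action': ['elasticbeanstalk:Describe*', 'opsworks:DescribeStacks']}]},
        }],
        'AttachedManagedPolicies': [{'PolicyName': 'some-policy',
                                     'PolicyArn': _ACCOUNT + ':policy/some-policy'}],
    }],
    'GroupDetailList': [{
        'GroupName': 'developers', 'AttachedManagedPolicies': [],
        'GroupPolicyList': [{'PolicyName': 'no-iam', 'PolicyDocument': {
            'Version': '2012-10-17',
            'Statement': {'Effect': 'Deny', 'Action': 'iam:*', 'Resource': '*'}}}],
    }],
    'RoleDetailList': [],
    'Policies': [{
        'PolicyName': 'some-policy', 'Arn': _ACCOUNT + ':policy/some-policy',
        'DefaultVersionId': 'v2',
        'PolicyVersionList': [
            # v1 once granted s3:* but is no longer the default, so it is ignored.
            {'VersionId': 'v1', 'IsDefaultVersion': False, 'Document': {
                'Version': '2012-10-17',
                'Statement': [{'Effect': 'Allow', 'Action': 's3:*', 'Resource': '*'}]}},
            # v2 is URL-encoded, as the raw API (not boto3) returns it.
            {'VersionId': 'v2', 'IsDefaultVersion': True, 'Document':
                '%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A'
                '%22Allow%22%2C%22Action%22%3A%22s3%3AListBucket%22%2C%22Resource%22%3A'
                '%22arn%3Aaws%3As3%3A%3A%3Asome-bucket%22%7D%5D%7D'},
        ],
    }],
    'IsTruncated': False,
}

if __name__ == '__main__':
    print(json.dumps(summarize_user(SAMPLE_DETAILS, 'some-user'), indent=2))
```

The two things this gets right that a raw dump hides are the policy version (the stale `v1` grant of `s3:*` is dropped because only the default version counts) and the group-level explicit Deny, which overrides any Allow elsewhere and so should be read first.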