check_user.py

Check if the given credentials are canary tokens and, if not, it will check the user permissions, printing the Inline, Attached and the group permissions.

The user in test could have not the minimal privileges, so in this case the script will tell you the problem.

It can take in input a profile (specified by the p parameter) or a set of credentials. The code: https://github.com/lilloX/aws-toolbox/blob/master/Recognition/check_user.py

usage: check_user.py [-h] [-v] [-c] [-l | -p PROFILE] [-u ACCESSKEYID]
                     [-s SECRETACCESSKEYID] [-t SECURITYTOKEN]

Check the AWS credentials to understand the permissions associated

optional arguments:
  -h, --help            show this help message and exit
  -v                    increase output verbosity, show JSON documents
  -c                    stealth mode, run only the canary token check
  -l                    list available profiles
  -p PROFILE            check a user from the available profiles

Credentials mode:
  -u ACCESSKEYID        Access Key Id
  -s SECRETACCESSKEYID  Secret Access Key Id
  -t SECURITYTOKEN      Session token

Usage examples

List the available AWS profiles:

(venv) ➜ git:(master) ✗ python check_user.py -l                        
[*] Available profiles
default
lillox
canary

Check a canary token

(venv) ➜  Recognition git:(master) ✗ python check_user.py -p canary
[*] Using canary profile
[!] Canary token detected, quit

Check a low privileges user

(venv) ➜  Recognition git:(master) ✗ python check_user.py -p lillox
[*] Using lillox profile
[+] Not a know canary token
Account ID: 204[redacted]84 
User Name :lillo        User ID: AI[redacted]YA
[!] User: arn:aws:iam::204242959184:user/lillo is not authorized to perform: iam:ListGroupsForUser on resource: user lillo
[*] Inline User Policies and policy documents
[!] User: arn:aws:iam::204242959184:user/lillo is not authorized to perform: iam:ListUserPolicies on resource: user lillo
[*] Attached User Policies and policy documents
[!] User: arn:aws:iam::204242959184:user/lillo is not authorized to perform: iam:ListAttachedUserPolicies on resource: user lillo
[*] Group(s) Policies and policy documents

If the user has sufficient permissions we can also list the groups. Checking an admin user, the -v flag enable the policy print:

(venv) ➜  Recognition git:(master) ✗ python check_user.py -p lillox2 -v
[*] Using lillox2 profile
[+] Not a know canary token
Account ID: 20[redacted]84 
User Name :lillo        User ID: AI[redacted]XA
Group: admin
[*] Inline User Policies and policy documents
[+] Inline Policies: ['test-policy-inline-user']
[+] Policy document for test-policy-inline-user
{
    "UserName": "lillo",
    "PolicyName": "test-policy-inline-user",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": "*"
            }
        ]
    },
    "ResponseMetadata": {
        "RequestId": "12e125ae-09d5-49f5-b199-5e62ff91d638",
        "HTTPStatusCode": 200,
        "HTTPHeaders": {
            "x-amzn-requestid": "12e125ae-09d5-49f5-b199-5e62ff91d638",
            "content-type": "text/xml",
            "content-length": "845",
            "date": "Thu, 07 Nov 2019 17:00:16 GMT"
        },
        "RetryAttempts": 0
    }
}

[*] Attached User Policies and policy documents
[+] Attached Policies: [{'PolicyName': 'AmazonEC2ContainerRegistryReadOnly', 'PolicyArn': 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly'}]
[+] Policy document for AmazonEC2ContainerRegistryReadOnly
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": "*"
        }
    ]
}

[*] Group(s) Policies and policy documents
[+] Inline Policies for the admin group: ['test-policy-inline-group']
[+] Policy document for test-policy-inline-group
{
    "GroupName": "admin",
    "PolicyName": "test-policy-inline-group",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1573145690000",
                "Effect": "Allow",
                "Action": [
                    "ec2:*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    },
    "ResponseMetadata": {
        "RequestId": "e80f9e04-34fc-4c6a-acf7-189f006450aa",
        "HTTPStatusCode": 200,
        "HTTPHeaders": {
            "x-amzn-requestid": "e80f9e04-34fc-4c6a-acf7-189f006450aa",
            "content-type": "text/xml",
            "content-length": "1049",
            "date": "Thu, 07 Nov 2019 17:00:16 GMT"
        },
        "RetryAttempts": 0
    }
}

[+] Attached Policies for the admin group: [{'PolicyName': 'ReadOnlyAccess', 'PolicyArn': 'arn:aws:iam::aws:policy/ReadOnlyAccess'}]
[+] Policy document for ReadOnlyAccess
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "a4b:Get*",
                "a4b:List*",
                "a4b:Describe*",
                "a4b:Search*",
                 [... cut ...]
                "xray:BatchGet*",
                "xray:Get*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

- lilloX

Share on: Diaspora*TwitterFacebookLinkedInHackerNewsEmailReddit


Comments

comments powered by Disqus