Skip to content

Add Console /tb/creds endpoint credential extraction technique #491

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Frichetten merged 2 commits into from
Feb 2, 2026
Merged

Add Console /tb/creds endpoint credential extraction technique #491

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
de5bd23
Document IAM credentials extraction methods from Console
AI-redteam Jan 29, 2026
1b2f564
Merge branch 'main' into main
Frichetten Jan 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 82 additions & 0 deletions content/aws/post_exploitation/get_iam_creds_from_console_session.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,3 +56,85 @@ print({
![POC Credentials Retrieval using boto3](../../images/aws/post_exploitation/get_iam_creds_from_console_session/poc_boto3_creds_retrieval.png)

This approach leverages boto3's automatic credential detection within the CloudShell environment, providing the same temporary credentials that are available through the metadata service endpoint. The credentials obtained this way will have the same TTL limitations as other methods described above.

## Extracting Credentials via Console Service Endpoints

The AWS Console itself exposes temporary credentials through essentially undocumented internal API endpoints. When you interact with AWS services in the Console, the browser fetches service scoped IAM credentials from service-specific endpoints to perform actions on your behalf.

### The `/tb/creds` Endpoint

Each AWS service in the Console has its own credential endpoint following the pattern:

```
https://{region}.console.aws.amazon.com/{service}/tb/creds
```

Examples:
- `https://us-east-1.console.aws.amazon.com/s3/tb/creds`
- `https://us-east-1.console.aws.amazon.com/ec2/tb/creds`
- `https://us-east-1.console.aws.amazon.com/lambda/tb/creds`
- `https://us-east-1.console.aws.amazon.com/console/tb/creds`

These endpoints return JSON containing temporary credentials:

```json
{
"accessKeyId": "ASIAX...",
"secretAccessKey": "...",
"sessionToken": "...",
"expiration": "2024-01-15T00:51:45.000Z"
}
```


*Each service endpoint returns credentials scoped to that specific service. The `/s3/tb/creds` endpoint returns credentials with S3 permissions, while `/ec2/tb/creds` returns EC2-scoped credentials. To obtain credentials for multiple services, you must request from each endpoint.*

### Manual Extraction via Browser DevTools

You can manually extract these credentials using your browser's Developer Tools:

1. Open the AWS Console and navigate to any service (e.g., S3)
2. Open Developer Tools (F12) and go to the **Network** tab
3. In the Console, perform an action that requires credentials (refresh the page or click on a resource)
4. Filter network requests by `tb/creds`
<img width="836" height="417" alt="image" src="https://github.com/user-attachments/assets/52111b5f-c67e-431f-80b3-081ca7a05ee4" />

5. Click on the matching request and view the **Response** tab
<img width="461" height="165" alt="image" src="https://github.com/user-attachments/assets/02890fff-fad2-4e17-a532-e31abce70ce1" />



### Automated Extraction with CLIer

[CLIer](https://github.com/AI-redteam/clier) is a browser extension that automates the extraction of these credentials. It works by intercepting `fetch()` and `XMLHttpRequest` calls to the `/tb/creds` endpoints as you browse the AWS Console.

<img width="458" height="571" alt="image" src="https://github.com/user-attachments/assets/1ab8e026-2f78-48fd-a05e-4a9b86382afa" />


**How it works:**

1. The extension injects JavaScript into AWS Console pages
2. It patches `window.fetch` and `XMLHttpRequest.prototype` to monitor network requests
3. When a request matches the `/{service}/tb/creds` pattern, it clones and parses the response
4. Credentials are stored locally and can be exported in multiple formats (Bash, PowerShell, AWS config, JSON, or QR code)

### Why This Works

The AWS Console is a single-page application that needs IAM credentials to make API calls on behalf of the user. Unlike traditional session cookies, these credentials:

- Are fetched dynamically via JavaScript when needed
- Exist only in the browser's JavaScript heap (not in localStorage, cookies, or IndexedDB)
- Have short TTLs (typically 15 minutes)
- Are scoped to specific services

This bypasses all controls that are generally used to restrict users from accessing STS creds. Every existing control can be in place and the console will still provide access to these creds.


### Detection Considerations

From a defensive perspective, this technique:

- Does not generate additional CloudTrail logs beyond normal Console usage
- Uses the same endpoints the Console uses legitimately
- Cannot be distinguished from normal Console activity at the API level