diff --git a/content/aws/post_exploitation/get_iam_creds_from_console_session.md b/content/aws/post_exploitation/get_iam_creds_from_console_session.md index d184766a..45e194c0 100644 --- a/content/aws/post_exploitation/get_iam_creds_from_console_session.md +++ b/content/aws/post_exploitation/get_iam_creds_from_console_session.md @@ -1,9 +1,7 @@ --- -author_name: Nick Frichette +author_name: Nick Frichette and Ben Stevens title: "Get IAM Credentials from a Console Session" description: Convert access to the AWS Console into IAM credentials. -hide: - - toc --- # Get IAM Credentials from a Console Session @@ -14,9 +12,15 @@ hide: --- + +- :material-tools:{ .lg .middle } __Tools mentioned in this article__ + + --- + __Warning__: Always review source code before using an attack tool. + [CLIer](https://github.com/AI-redteam/clier) When performing a penetration test or red team assessment, it is not uncommon to gain access to a developer's machine. This presents an opportunity for you to jump into AWS infrastructure via credentials on the system. For a myriad of reasons you may not have access to credentials in the `.aws` folder, but instead have access to their browser's session cookies (for example via cookies.sqlite in FireFox). @@ -69,11 +73,12 @@ Each AWS service in the Console has its own credential endpoint following the pa https://{region}.console.aws.amazon.com/{service}/tb/creds ``` -Examples: -- `https://us-east-1.console.aws.amazon.com/s3/tb/creds` -- `https://us-east-1.console.aws.amazon.com/ec2/tb/creds` -- `https://us-east-1.console.aws.amazon.com/lambda/tb/creds` -- `https://us-east-1.console.aws.amazon.com/console/tb/creds` +Examples: + +* `https://us-east-1.console.aws.amazon.com/s3/tb/creds` +* `https://us-east-1.console.aws.amazon.com/ec2/tb/creds` +* `https://us-east-1.console.aws.amazon.com/lambda/tb/creds` +* `https://us-east-1.console.aws.amazon.com/console/tb/creds` These endpoints return JSON containing temporary credentials: 
@@ -86,7 +91,6 @@ These endpoints return JSON containing temporary credentials: } ``` - *Each service endpoint returns credentials scoped to that specific service. The `/s3/tb/creds` endpoint returns credentials with S3 permissions, while `/ec2/tb/creds` returns EC2-scoped credentials. To obtain credentials for multiple services, you must request from each endpoint.* ### Manual Extraction via Browser DevTools @@ -97,19 +101,16 @@ You can manually extract these credentials using your browser's Developer Tools: 2. Open Developer Tools (F12) and go to the **Network** tab 3. In the Console, perform an action that requires credentials (refresh the page or click on a resource) 4. Filter network requests by `tb/creds` -image +![Showing broswer creds](../../images/aws/post_exploitation/get_iam_creds_from_console_session/browser_creds.png) 5. Click on the matching request and view the **Response** tab -image - - +![Creds](../../images/aws/post_exploitation/get_iam_creds_from_console_session/creds.png) ### Automated Extraction with CLIer [CLIer](https://github.com/AI-redteam/clier) is a browser extension that automates the extraction of these credentials. It works by intercepting `fetch()` and `XMLHttpRequest` calls to the `/tb/creds` endpoints as you browse the AWS Console. -image - +![CLIer](../../images/aws/post_exploitation/get_iam_creds_from_console_session/clier.png) **How it works:** @@ -129,7 +130,6 @@ The AWS Console is a single-page application that needs IAM credentials to make This bypasses all controls that are generally used to restrict users from accessing STS creds. Every existing control can be in place and the console will still provide access to these creds. - ### Detection Considerations From a defensive perspective, this technique: 
@@ -137,4 +137,3 @@ From a defensive perspective, this technique: - Does not generate additional CloudTrail logs beyond normal Console usage - Uses the same endpoints the Console uses legitimately - Cannot be distinguished from normal Console activity at the API level - diff --git a/content/images/aws/post_exploitation/get_iam_creds_from_console_session/browser_creds.png b/content/images/aws/post_exploitation/get_iam_creds_from_console_session/browser_creds.png new file mode 100644 index 00000000..a230e1a6 Binary files /dev/null and b/content/images/aws/post_exploitation/get_iam_creds_from_console_session/browser_creds.png differ diff --git a/content/images/aws/post_exploitation/get_iam_creds_from_console_session/clier.png b/content/images/aws/post_exploitation/get_iam_creds_from_console_session/clier.png new file mode 100644 index 00000000..fca96469 Binary files /dev/null and b/content/images/aws/post_exploitation/get_iam_creds_from_console_session/clier.png differ diff --git a/content/images/aws/post_exploitation/get_iam_creds_from_console_session/creds.png b/content/images/aws/post_exploitation/get_iam_creds_from_console_session/creds.png new file mode 100644 index 00000000..b61c1909 Binary files /dev/null and b/content/images/aws/post_exploitation/get_iam_creds_from_console_session/creds.png differ
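Review bot: In the first hunk (`@@ -1,9 +1,7 @@`), dropping `hide: - toc` from the front matter changes the page layout (the table of contents comes back) and is unrelated to the credential-endpoint content the rest of the patch adds; confirm it is intentional rather than an accidental deletion while editing `author_name`, and mention it in the PR description if so.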
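Review bot: In the tools-card hunk (`@@ -14,9 +12,15 @@`), the indentation of the added lines is inconsistent: `- :material-tools:{ .lg .middle } __Tools mentioned in this article__` starts at column 0, while `---`, `__Warning__: ...` and `[CLIer](...)` are indented as continuation lines. For the card to render as one item, the continuation lines (including the `---` divider) need the same indentation under the bullet and blank lines between them, as in the surrounding cards. The `__Warning__: Always review source code before using an attack tool.` line is a good addition for a third-party extension; keep it directly above the tool link.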
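Review bot: In the examples hunk (`@@ -69,11 +73,12 @@`), the real fix is the blank line after `Examples:` (without it, Markdown does not start the list); switching the bullets from `-` to `*` is a separate style change, and the `Detection Considerations` list later in this same patch still uses `-`. Suggest keeping `-` so the page uses one bullet style.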
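Review bot: In `@@ -86,7 +91,6 @@`, the deleted italic paragraph was the only place the page stated that each `/{service}/tb/creds` endpoint returns credentials scoped to that service and that multiple endpoints must be queried for multiple services. That scoping detail matters for anyone assessing the blast radius of a compromised console session. If the statement was wrong, the replacement text should say what the correct behaviour is; if it was right, keep it (possibly reworded out of italics).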
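Review bot: In the DevTools hunk (`@@ -97,19 +101,16 @@`), two issues with the added image lines. The alt text `Showing broswer creds` has a typo (`browser`). More importantly, `![Showing broswer creds](...)` and `![Creds](...)` sit between numbered items 4 and 5 at column 0, so Markdown closes the ordered list and item 5 renders as a new list starting at 1; indent the image lines four spaces under the preceding item (with a blank line before each) so the numbering continues. Replacing the bare `image` placeholders with real paths is otherwise correct.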
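Review bot: In the detection hunk (`@@ -137,4 +137,3 @@`), the bullets `Does not generate additional CloudTrail logs beyond normal Console usage` and `Cannot be distinguished from normal Console activity at the API level` describe the retrieval of the credentials, but as written they read as if the whole technique is invisible. Suggest scoping the wording to the retrieval step, since the section is headed `Detection Considerations` and a defender reading it needs to know which part of the activity the claim covers. The removed trailing blank line is fine.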