PMapper:助你在AWS中实现IAM权限快速安全评估

关于PMapper

PMapper是一款功能强大的脚本工具,该工具本质上是一个基于Python开发的脚本/代码库,可以帮助广大研究人员识别一个AWS账号或AWS组织中存在安全风险的IAM配置,并对IAM权限执行快速评估。

PMapper可以将目标AWS帐户中的不同IAM用户和角色建模为有向图,从而帮助广大研究人员检查权限提升以及攻击者访问AWS资源或操作所可能采取的替代路径。PMapper还提供了一种查询机制,该机制使用了AWS授权行为的本地模拟方法,当运行查询以确定主体是否有权访问某个操作/资源时,PMapper还会检查该用户或角色是否可以访问其他有权访问该操作/资源的用户或角色。

工具要求

PMapper基于Python 3.5+开发,并使用了botocore库构建项目功能。除此之外,PMapper还需要pydot和graphviz这两个依赖组件,其中pydot可以通过pip安装,graphviz可以访问下列地址获取Windows、macOS和Linux版本:

Graphviz

工具安装

由于该工具基于Python 3.5开发,因此我们首先需要在本地设备上安装并配置好Python 3.5+环境。接下来,广大研究人员可以使用下列方法完成工具的下载和安装。

Pip安装

pip install principalmapper

源码安装

首先,使用下列命令将该项目源码克隆至本地:

git clone git@github.com:nccgroup/PMapper.git

然后使用pip完成工具的安装:

cd PMapperpip install .

Docker使用

将项目源码克隆至本地之后,切换到项目目录中,并执行下列命令:

cd PMapperdocker build -t $TAG .docker run -it $TAG

我们可以在调用docker run ...命令时,使用-e|--env或--env-file传递AWS_*环境变量,或使用-v加载你的~/.aws/目录,并使用AWS_CONFIG_FILE和AWS_SHARED_CREDENTIALS_FILE环境变量。

工具使用

为目标账号创建一个有向图,并通过AWS CLI配置访问:

$ pmapper --profile skywalker graph create# [... graph-creation output goes here ...]

运行一个查询,并查看谁创建了IAM用户:

$ pmapper --profile skywalker query 'who can do iam:CreateUser'# [... query output goes here ...]

运行一个查询,并查看谁启动了一个消耗大量资源的EC2实例(排除admin用户):

$ pmapper --account 000000000000 argquery -s --action 'ec2:RunInstances' --condition 'ec2:InstanceType=c6gd.16xlarge'# [... query output goes here ...]

运行权限提升预设查询,跳过报告当前“admin”用户:

$ pmapper --account 000000000000 query -s 'preset privesc *'# [... privesc report goes here ...]

针对目标账号为创建一个SVG格式的可视化访问图:

$ pmapper --account 000000000000 visualize --filetype svg# [... information output goes here, file created ...]

下面给出的是可视化有向图的实例:

使用--only-privesc命令生成的结果如下:

输出样例

拉取一张图:

esteringer@ubuntu:~/Documents/projects/Skywalker$ python pmapper.py graph
Using profile: skywalker
Pulling data for account [REDACTED]
Using principal with ARN arn:aws:iam::[REDACTED]:user/TestingSkywalker
[+] Starting EC2 checks.
[+] Starting IAM checks.
[+] Starting Lambda checks.
[+] Starting CloudFormation checks.
[+] Completed CloudFormation checks.
[+] Completed EC2 checks.
[+] Completed Lambda checks.
[+] Completed IAM checks.
Created an AWS Graph with 16 nodes and 53 edges
[NODES]
AWSNode("arn:aws:iam::[REDACTED]:user/AdminUser", properties={u'is_admin': True, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/EC2Manager", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/LambdaDeveloper", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/LambdaFullAccess", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/PowerUser", properties={u'is_admin': False, u'rootstr': u'arn:aws:iam::[REDACTED]:root', u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/S3ManagementUser", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/S3ReadOnly", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/TestingSkywalker", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:role/AssumableRole", properties={u'is_admin': False, u'type': u'role', u'name': u'AssumableRole'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2-Fleet-Manager", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2-Fleet-Manager'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2Role-Admin", properties={u'is_admin': True, u'type': u'role', u'name': u'EC2Role-Admin'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2WithS3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2WithS3ReadOnly'})
AWSNode("arn:aws:iam::[REDACTED]:role/EMR-Service-Role", properties={u'is_admin': False, u'type': u'role', u'name': u'EMR-Service-Role'})
AWSNode("arn:aws:iam::[REDACTED]:role/LambdaRole-S3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'LambdaRole-S3ReadOnly'})
AWSNode("arn:aws:iam::[REDACTED]:role/ReadOnlyWithLambda", properties={u'is_admin': False, u'type': u'role', u'name': u'ReadOnlyWithLambda'})
AWSNode("arn:aws:iam::[REDACTED]:role/UpdateCredentials", properties={u'is_admin': False, u'type': u'role', u'name': u'UpdateCredentials'})
[EDGES]
(0,1,'ADMIN','can use existing administrative privileges to access')
(0,2,'ADMIN','can use existing administrative privileges to access')
(0,3,'ADMIN','can use existing administrative privileges to access')
(0,4,'ADMIN','can use existing administrative privileges to access')
(0,5,'ADMIN','can use existing administrative privileges to access')
(0,6,'ADMIN','can use existing administrative privileges to access')
(0,7,'ADMIN','can use existing administrative privileges to access')
(0,8,'ADMIN','can use existing administrative privileges to access')
(0,9,'ADMIN','can use existing administrative privileges to access')
(0,10,'ADMIN','can use existing administrative privileges to access')
(0,11,'ADMIN','can use existing administrative privileges to access')
(0,12,'ADMIN','can use existing administrative privileges to access')
(0,13,'ADMIN','can use existing administrative privileges to access')
(0,14,'ADMIN','can use existing administrative privileges to access')
(0,15,'ADMIN','can use existing administrative privileges to access')
(10,0,'ADMIN','can use existing administrative privileges to access')
(10,1,'ADMIN','can use existing administrative privileges to access')
(10,2,'ADMIN','can use existing administrative privileges to access')
(10,3,'ADMIN','can use existing administrative privileges to access')
(10,4,'ADMIN','can use existing administrative privileges to access')
(10,5,'ADMIN','can use existing administrative privileges to access')
(10,6,'ADMIN','can use existing administrative privileges to access')
(10,7,'ADMIN','can use existing administrative privileges to access')
(10,8,'ADMIN','can use existing administrative privileges to access')
(10,9,'ADMIN','can use existing administrative privileges to access')
(10,11,'ADMIN','can use existing administrative privileges to access')
(10,12,'ADMIN','can use existing administrative privileges to access')
(10,13,'ADMIN','can use existing administrative privileges to access')
(10,14,'ADMIN','can use existing administrative privileges to access')
(10,15,'ADMIN','can use existing administrative privileges to access')
(1,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(1,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(1,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(3,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(3,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(3,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(9,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(9,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,8,'STS_ASSUMEROLE','can use STS to assume the role')
(4,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(4,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(15,0,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,1,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,2,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,3,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,4,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,5,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,6,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,7,'IAM_CREATEKEY','can create access keys with IAM to access')

查询图信息:

esteringer@ubuntu:~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "who can do s3:GetObject with *"
user/AdminUser can do s3:GetObject with *
user/EC2Manager can do s3:GetObject with * through role/EC2Role-Adminuser/EC2Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
role/EC2Role-Admin can do s3:GetObject with *
user/LambdaFullAccess can do s3:GetObject with *
user/PowerUser can do s3:GetObject with *
user/S3ManagementUser can do s3:GetObject with *
user/S3ReadOnly can do s3:GetObject with *
user/TestingSkywalker can do s3:GetObject with *
role/EC2-Fleet-Manager can do s3:GetObject with * through role/EC2Role-Adminrole/EC2-Fleet-Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
role/EC2Role-Admin can do s3:GetObject with *
role/EC2Role-Admin can do s3:GetObject with *
role/EC2WithS3ReadOnly can do s3:GetObject with *
role/EMR-Service-Role can do s3:GetObject with *
role/LambdaRole-S3ReadOnly can do s3:GetObject with *
role/UpdateCredentials can do s3:GetObject with * through user/AdminUserrole/UpdateCredentials can create access keys with IAM to access user/AdminUser
user/AdminUser can do s3:GetObject with *

识别潜在的权限提升:

esteringer@ubuntu:~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "preset priv_esc user/PowerUser"
Discovered a potential path to change privileges:
user/PowerUser can change privileges because:user/PowerUser can access role/EC2Role-Admin because: user/PowerUser can create an EC2 instance and use an existing instance profile to access role/EC2Role-Adminand role/EC2Role-Admin can change its own privileges.

许可证协议

本项目的开发与发布遵循AGPL-3.0开源许可协议。

项目地址

PMapper:【GitHub传送门】

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/bicheng/14742.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

Hive环境搭建

1 安装Hive 下载文件 # wget -P /opt/ https://mirrors.huaweicloud.com/apache/hive/hive-2.3.8/apache-hive-2.3.8-bin.tar.gz 解压缩 # tar -zxvf /opt/apache-hive-2.3.8-bin.tar.gz -C /opt/ 修改hive文件夹名字 # mv /opt/apache-hive-2.3.8-bin /opt/hive 配置环境变量 …

【大模型部署】在C# Winform中使用文心一言ERNIE-3.5 4K 聊天模型

【大模型部署】在C# Winform中使用文心一言ERNIE-3.5 4K 聊天模型 前言 今天来写一个简单的ernie-c#的例子,主要参考了百度智能云的例子,然后自己改了改,学习了ERNIE模型的鉴权方式,数据流的格式和简单的数据解析,实…

面试八股之MySQL篇1——慢查询定位篇

🌈hello,你好鸭,我是Ethan,一名不断学习的码农,很高兴你能来阅读。 ✔️目前博客主要更新Java系列、项目案例、计算机必学四件套等。 🏃人生之义,在于追求,不在成败,勤通…

linux 上除了shell、python脚本以外,还有什么脚本语言用得比较多?

在开始前我有一些资料,是我根据网友给的问题精心整理了一份「 Linux的资料从专业入门到高级教程」, 点个关注在评论区回复“888”之后私信回复“888”,全部无偿共享给大家!!!说到在 Linux下的编程&#xf…

柯桥成人商务英语“​cold”是“冷”,“shoulder”是“肩膀”,​cold shoulder可不是冷肩膀!

英文中有很多俚语(idioms)都与身体部位有关,非常有趣。 今天,英语君就为大家介绍一些和身体部位有关的俚语,一起来看看吧! cold shoulder “cold shoulder”不能用字面意思理解为“冷肩膀”,我们…

智慧校园学工管理系统的部署

学工体系思政服务该怎么规划建造?思政作为高校育人的中心使命,在做到让学生健康高兴生长的一起,也应满意学生生长成才的各类需求。使用技术为学生供给优质的信息化服务,是其间的有效途径。大数据让个性化教育成为可能,…

【题解】AB33 相差不超过k的最多数(排序 + 滑动窗口)

https://www.nowcoder.com/practice/562630ca90ac40ce89443c91060574c6?tpId308&tqId40490&ru/exam/oj 排序 滑动窗口 #include <iostream> #include <vector> #include <algorithm> using namespace std;int main() {int n, k;cin >> n &…

【探索数据结构】线性表之顺序表

&#x1f389;&#x1f389;&#x1f389;欢迎莅临我的博客空间&#xff0c;我是池央&#xff0c;一个对C和数据结构怀有无限热忱的探索者。&#x1f64c; &#x1f338;&#x1f338;&#x1f338;这里是我分享C/C编程、数据结构应用的乐园✨ &#x1f388;&#x1f388;&…

丰田精益生产的模板

丰田精益生产&#xff0c;也被称为丰田生产方式&#xff08;Toyota Production System, TPS&#xff09;&#xff0c;是一套完整的生产和管理系统&#xff0c;其核心目标是最大化效率、消除浪费&#xff0c;并通过持续改进来提升产品质量。 学习优秀企业 学习福特 丰田精益生产…

【每日刷题】Day48

【每日刷题】Day48 &#x1f955;个人主页&#xff1a;开敲&#x1f349; &#x1f525;所属专栏&#xff1a;每日刷题&#x1f34d; &#x1f33c;文章目录&#x1f33c; 1. 872. 叶子相似的树 - 力扣&#xff08;LeetCode&#xff09; 2. 114. 二叉树展开为链表 - 力扣&…

react中怎么为props设置默认值

在React中&#xff0c;你可以使用ES6的类属性&#xff08;class properties&#xff09;或者函数组件中的默认参数&#xff08;default parameters&#xff09;来定义props的默认值。 1.类组件中定义默认props 对于类组件&#xff0c;你可以在组件内部使用defaultProps属性来…

如何撰写EI会议的投稿信?

撰写EI会议的投稿信&#xff08;Cover Letter&#xff09;是向会议组织者介绍你的论文和研究工作的一个重要环节。以下是撰写投稿信的一些关键步骤和建议&#xff1a; 投稿信的结构 信头 你的信息&#xff1a;包括姓名、职位、单位名称、通讯地址、电子邮件和电话号码。日期&am…

力扣652. 寻找重复的子树

Problem: 652. 寻找重复的子树 文章目录 题目描述思路复杂度Code 题目描述 思路 1.利用二叉树的后序遍历将原始的二叉树序列化&#xff08;之所以利用后序遍历是因为其在归的过程中是会携带左右子树的节点信息,而这些节点信息正是该解法要利用的东西&#xff09;&#xff1b; 2…

【ai】chatgpt的plugin已经废弃

发现找不到按钮,原来是要申请: https://openai.com/index/chatgpt-plugins/ 发现申请已经跳转了,好像是废弃了? 不接受新插件了,但是openai的api 是可以继续用的。 https://openai.com/waitlist/plugins/We are no longer accepting new Plugins, builders can now create…

Windows11的这个地方暴露着你的隐私,把它关掉避免尴尬

前言 现在的电脑真的是越来越智能化&#xff01;现在有很多小伙伴都是用着Windows11的吧&#xff01;用习惯了Windows11之后&#xff0c;突然发现它还是挺顺手的。 但不知道你有没有发现&#xff0c;Windows11上面有个地方暴露着你的隐私。这个隐私可能是某个小姐姐的图片&am…

XSS---DOM破坏

文章目录 前言一、pandas是什么&#xff1f;二、使用步骤 1.引入库2.读入数据总结 一.什么是DOM破坏 在HTML中&#xff0c;如果使用一些特定的属性名&#xff08;如id或name&#xff09;给DOM元素命名&#xff0c;这些属性会在全局作用域中创建同名的全局变量&#xff0c;指向对…

LiveGBS流媒体平台GB/T28181用户手册-用户管理:添加用户、编辑、关联通道、搜索、重置密码

LiveGBS流媒体平台GB/T28181用户手册-用户管理:添加用户、编辑、关联通道、搜索、重置密码 1、用户管理1.1、添加用户1.2、编辑用户1.3、关联通道1.4、重置密码1.5、搜索1.6、删除 2、搭建GB28181视频直播平台 1、用户管理 1.1、添加用户 添加用户&#xff0c;可以配置登陆用户…

STM32-按键控制LED

接上篇LED点亮;http://t.csdnimg.cn/9r6z7 目录 一.硬件设计 二.软件设计 三.完整代码 四.结束语 一.硬件设计 按钮接电源插入PB0引脚,如上图所示 二.软件设计 void key_init() {GPIO_InitTypeDef GPIO_InitStruct;//使能时钟RCC_APB2PeriphClockCmd(RCC_APB2Periph_GPIO…

【LeetCode:496. 下一个更大元素 I + 单调栈】

&#x1f680; 算法题 &#x1f680; &#x1f332; 算法刷题专栏 | 面试必备算法 | 面试高频算法 &#x1f340; &#x1f332; 越难的东西,越要努力坚持&#xff0c;因为它具有很高的价值&#xff0c;算法就是这样✨ &#x1f332; 作者简介&#xff1a;硕风和炜&#xff0c;…