Module: PWN::AWS::IAM
- Defined in:
- lib/pwn/aws/iam.rb
Overview
This module provides a client for making API requests to AWS Identity and Access Management.
Class Method Summary
-
.authors ⇒ Object
- Author(s)
-
0day Inc.
-
.connect(opts = {}) ⇒ Object
- Supported Method Parameters
-
PWN::AWS::IAM.connect( region: 'required - region name to connect (eu-west-1, ap-southeast-1, ap-southeast-2, eu-central-1, ap-northeast-2, ap-northeast-1, us-east-1, sa-east-1, us-west-1, us-west-2)', access_key_id: 'required - Use AWS STS for best privacy (i.e. temporary access key id)', secret_access_key: 'required - Use AWS STS for best privacy (i.e. temporary secret access key)', sts_session_token: 'optional - Temporary token returned by STS client for best privacy' ).
-
.decode_key(opts = {}) ⇒ Object
- Supported Method Parameters
-
PWN::AWS::IAM.decode_key( key: 'required - key to decode', key_type: 'optional - key type :access_key_id|:secret_access_key|:sts_session_token (Default: access_key_id)', ).
-
.disconnect(opts = {}) ⇒ Object
- Supported Method Parameters
-
PWN::AWS::IAM.disconnect( iam_obj: 'required - iam_obj returned from #connect method' ).
-
.help ⇒ Object
Display Usage for this Module.
Class Method Details
.authors ⇒ Object
- Author(s)
-
0day Inc. <[email protected]>
# File 'lib/pwn/aws/iam.rb', line 168

# Attribution text for this module.
#
# NOTE(review): the e-mail address below is shown redacted by the page
# renderer; the project source carries the real address.
#
# @return [String] the "AUTHOR(S):" attribution block, newline-terminated
public_class_method def self.authors
  <<~AUTHORS
    AUTHOR(S):
      0day Inc. <[email protected]>
  AUTHORS
end
.connect(opts = {}) ⇒ Object
- Supported Method Parameters
-
PWN::AWS::IAM.connect(
region: 'required - region name to connect (eu-west-1, ap-southeast-1, ap-southeast-2, eu-central-1, ap-northeast-2, ap-northeast-1, us-east-1, sa-east-1, us-west-1, us-west-2)', access_key_id: 'required - Use AWS STS for best privacy (i.e. temporary access key id)', secret_access_key: 'required - Use AWS STS for best privacy (i.e. temporary secret access key)', sts_session_token: 'optional - Temporary token returned by STS client for best privacy'
)
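# File 'lib/pwn/aws/iam.rb', line 21

# Build an Aws::IAM::Client from explicitly supplied credentials.
#
# Every option is coerced with to_s.scrub.chomp.strip, so a missing option
# arrives as ''. The three required options are checked up front so a typo
# in the caller fails here, with a clear message, instead of deep inside
# the SDK. Only the fact of connecting is logged — never the key material.
#
# @param opts [Hash]
# @option opts [String] :region AWS region name (required)
# @option opts [String] :access_key_id access key id (required; prefer
#   short-lived STS credentials)
# @option opts [String] :secret_access_key secret access key (required)
# @option opts [String] :sts_session_token session token that accompanies
#   temporary STS credentials (optional; omitted from the client when blank)
# @return [Aws::IAM::Client] the configured client
# @raise [RuntimeError] when :region, :access_key_id or :secret_access_key is blank
public_class_method def self.connect(opts = {})
  region = opts[:region].to_s.scrub.chomp.strip
  access_key_id = opts[:access_key_id].to_s.scrub.chomp.strip
  secret_access_key = opts[:secret_access_key].to_s.scrub.chomp.strip
  sts_session_token = opts[:sts_session_token].to_s.scrub.chomp.strip

  raise 'ERROR: region is required' if region.empty?
  raise 'ERROR: access_key_id is required' if access_key_id.empty?
  raise 'ERROR: secret_access_key is required' if secret_access_key.empty?

  @@logger.info('Connecting to AWS IAM...')

  client_opts = {
    region: region,
    access_key_id: access_key_id,
    secret_access_key: secret_access_key
  }
  # A session token only makes sense with temporary (STS) credentials;
  # leave the option out entirely rather than passing an empty string.
  client_opts[:session_token] = sts_session_token unless sts_session_token.empty?

  iam_obj = Aws::IAM::Client.new(client_opts)
  @@logger.info("complete.\n")
  iam_obj
end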
.decode_key(opts = {}) ⇒ Object
- Supported Method Parameters
-
PWN::AWS::IAM.decode_key(
key: 'required - key to decode', key_type: 'optional - key type :access_key_id|:secret_access_key|:sts_session_token (Default: access_key_id)',
)
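# File 'lib/pwn/aws/iam.rb', line 54

# Decode an AWS IAM/STS credential string.
#
# For :access_key_id the four-character unique-ID prefix is mapped to the
# resource type it denotes, and the account id is recovered from the base32
# body as this code computes it (first six decoded bytes, masked, shifted
# right by 7). For :secret_access_key and :sts_session_token the value is
# strictly Base64-decoded. Base64 is case-sensitive, so the key is only
# upper-cased for the prefix/base32 path — the previous version upper-cased
# it for every path, which corrupted Base64 input.
#
# The returned hash can contain raw credential bytes (:decoded_key); treat
# it as sensitive and keep it out of logs.
#
# @param opts [Hash]
# @option opts [String] :key the value to decode (required)
# @option opts [Symbol, String] :key_type :access_key_id (default),
#   :secret_access_key or :sts_session_token
# @return [Hash] :resource_type and :key_type always; :prefix when the first
#   four characters are a known unique-ID prefix; :account_id for
#   :access_key_id, :decoded_key for the other two key types
# @raise [RuntimeError] when :key is blank, :key_type is not one of the
#   three supported symbols, or an access key id is too short to decode
public_class_method def self.decode_key(opts = {})
  raw_key = opts[:key].to_s.scrub.chomp.strip
  raise 'ERROR: Key is required' if raw_key.empty?

  key_type = (opts[:key_type] || :access_key_id).to_s.scrub.chomp.strip.to_sym
  unless %i[access_key_id secret_access_key sts_session_token].include?(key_type)
    raise "ERROR: Invalid Key Type: #{key_type}. \nValid key types are :access_key_id|:secret_access_key|:sts_session_token"
  end

  # Unique-ID prefixes AWS assigns to IAM/STS identifiers (first four
  # characters, lower-cased) and the resource type each denotes. A local
  # hash because Ruby forbids constant assignment inside a method body.
  prefix_resource_types = {
    abia: 'AWS STS Service Bearer Token',
    acca: 'Context Specific Credential',
    agpa: 'Group',
    aida: 'IAM User',
    aipa: 'EC2 Instance Profile',
    akia: 'Access Key',
    anpa: 'Managed Policy',
    anva: 'Version in a Managed Policy',
    apka: 'Public Key',
    aroa: 'Role',
    asca: 'Certificate',
    asia: 'Temporary (AWS STS) Keys'
  }.freeze

  # Prefix matching and the base32 body are case-insensitive.
  key = raw_key.upcase
  decoded_key = {}
  prefix = key[0..3].downcase.to_sym

  if prefix_resource_types.key?(prefix)
    decoded_key[:prefix] = prefix
    resource_type = prefix_resource_types[prefix]
  else
    # Unknown prefix: for an access key id the type stays nil, as before.
    resource_type = case key_type
                    when :secret_access_key then 'Secret Access Key'
                    when :sts_session_token then 'STS Session'
                    end
  end
  decoded_key[:resource_type] = resource_type

  case key_type
  when :access_key_id
    raise 'ERROR: Key is too short to decode as an access key id' if key.length < 4

    decoded_suffix = Base32.decode(key[4..-1]).to_s
    raise 'ERROR: Key is too short to decode as an access key id' if decoded_suffix.bytesize < 6

    # Pack the first six decoded bytes big-endian, then mask and shift
    # exactly as the original implementation did to obtain the account id.
    packed = decoded_suffix[0..5].bytes.inject { |total, byte| (total << 8) + byte }
    mask = 0x7FFFFFFFFF80
    decoded_key[:account_id] = (packed & mask) >> 7
  else
    # Decode the key exactly as supplied (no case folding) — see note above.
    decoded_key[:decoded_key] = Base64.strict_decode64(raw_key)
  end

  decoded_key[:key_type] = key_type
  decoded_key
end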
.disconnect(opts = {}) ⇒ Object
- Supported Method Parameters
-
PWN::AWS::IAM.disconnect(
iam_obj: 'required - iam_obj returned from #connect method'
)
# File 'lib/pwn/aws/iam.rb', line 155

# "Disconnect" an IAM client returned by #connect.
#
# Nothing is actually closed here: the method reads the option, logs, and
# returns nil so the caller can overwrite its own reference with the result
# (e.g. `iam_obj = PWN::AWS::IAM.disconnect(iam_obj: iam_obj)`).
#
# @param opts [Hash]
# @option opts [Aws::IAM::Client] :iam_obj client returned from #connect
# @return [nil]
public_class_method def self.disconnect(opts = {})
  _iam_obj = opts[:iam_obj] # read for parity with the documented contract
  @@logger.info('Disconnecting...')
  @@logger.info("complete.\n")
  nil
end
.help ⇒ Object
Display Usage for this Module
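# File 'lib/pwn/aws/iam.rb', line 176

# Print usage for this module to stdout.
#
# The text mirrors the option documentation of #connect, #decode_key and
# #disconnect. The decode_key example previously had an unterminated quote
# and no closing parenthesis, and the secret_access_key description was
# missing its closing parenthesis; both are fixed here.
#
# @return [nil]
public_class_method def self.help
  puts <<~USAGE
    USAGE:
    iam_obj = #{self}.connect(
      region: 'required - region name to connect (eu-west-1, ap-southeast-1, ap-southeast-2, eu-central-1, ap-northeast-2, ap-northeast-1, us-east-1, sa-east-1, us-west-1, us-west-2)',
      access_key_id: 'required - Use AWS STS for best privacy (i.e. temporary access key id)',
      secret_access_key: 'required - Use AWS STS for best privacy (i.e. temporary secret access key)',
      sts_session_token: 'optional - Temporary token returned by STS client for best privacy'
    )
    puts iam_obj.public_methods

    decoded_key = #{self}.decode_key(
      key: 'required - key to decode',
      key_type: 'optional - key type :access_key_id|:secret_access_key|:sts_session_token (Default: access_key_id)'
    )

    #{self}.disconnect(
      iam_obj: 'required - iam_obj returned from #connect method'
    )

    #{self}.authors
  USAGE
end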