#Security Tools #Open Source

Introducing Quiet Riot

Wes Ladd

July 4, 2022 - 2 min read

A Scalable AWS Enumeration and Footprinting Tool

Today I am releasing Quiet Riot, an “unauthenticated” tool for enumeration of services, roles, and users in an AWS account or in every AWS account in existence.

Update: I’ve also written a follow-up post describing additional capabilities, overall tool impacts, and relevant mitigations.

AWS IAM and Resource-Based Policies Background

AWS services that work with IAM include a number of services that support “resource-based policies”. These resource-based policies allow direct access to AWS service-level resources and are evaluated prior to Identity-based policies when determining whether a given user (unauthenticated user, any authenticated AWS principal, or a specific AWS IAM principal) has access to the specified resource. You can see the approximate policy evaluation logic of AWS IAM below:

PolicyEvaluationHorizontal111621

AWS Policy Evaluation Logic

Furthermore, AWS defines an IAM Principal as the following:

  • AWS account and root user
  • IAM users
  • Federated users (using web identity or SAML federation)
  • IAM roles
  • Assumed-role sessions
  • AWS services
  • Anonymous users

Why it matters

To determine the validity of a particular resource-based policy, the AWS IAM engine validates the form of a particular policy and critically, the validity of included AWS principals, at the time the policy is attached to the relevant resource. Many services that support such resource-based policies will throw an error for an invalid AWS principal in the policy. This means that a policy containing a single AWS principal can be used as a proxy to validate whether that principal exists or not….EVEN FOR ACCOUNTS THAT YOU DON’T OWN.

E̵x̵p̵l̵o̵i̵t̵a̵t̵i̵o̵n̵ “Featureploitation”

Originally identified by Daniel Grzelak and subsequently re-discovered a number of times, this technique can help attackers with a key capability — enumerating attack targets (Account IDs) and the associated footprint (root account e-mail, roles, users).

While AWS considers this capability a “feature”, I am curious to see what scale of featureploitation might change the perspective. To this end, I have developed an Offensive Security Tool (OST) to exploit this AWS feature for the maximum possible impact. Even this idea is not new. Will Bengston has previously suggested a similar technique. Seeing as how I haven’t found a tool that implements Will’s suggestion and I have limited software development experience, I decided to take the opportunity to hone my Python chops further.

Quiet Riot Capabilities

To use Quiet Riot, once you clone the repository, you can run main.py as the entry-point (and with sufficient credentials available to the aws cli) to perform automated deployment of scanning infrastructure (SNS topic, ECR-Public repository, and ECR-Private repository) and initiate dictionary-attack scanning for Account IDs, roles, and users across AWS. On completion, the scanning tool writes the results to the results/ directory and deletes the associated infrastructure.

Footprinting, Account IDs, and future state

I have included the beginnings of a wordlists directory, but would invite pull requests geared towards including better wordlists. In particular, static vendor users and roles and AWS “service-linked” roles give strong insights into the services and platforms/applications that a particular AWS account has configured.

I have included a list of AWS Account IDs identified so far by the tool. Given that there are 1 trillion potential Account IDs, it is unlikely I will ever enumerate all of them…but that won’t stop me from trying. See progress on this topic (wordlists/provided_account_ids.txt).

Finally, I have included a wordlist (wordlists/service-roles.txt) that can be used specifically to identify what services are used or have been used in a given account. Often the hardest place to start for attackers is with determining the footprint of a given cloud environment…and AWS resources-based policy validation is here to help. The use of the following AWS services should be identifiable by the configuration of their associated “service-linked” role:

  • CloudTrail
  • CloudWatch
  • Cognito
  • Config
  • DynamoDB
  • EC2
  • EC2 Image Builder
  • ECS
  • Elastic Load Balancer (ELB)
  • ElasticCache
  • EKS
  • Glue
  • GuardDuty
  • Kafka
  • Inspector
  • Lambda
  • Lex
  • Lightsail
  • Organizations
  • RDS
  • Redshift
  • SecurityHub
  • SageMaker
  • SSO
  • WAFv2
  • and more …


Author’s Note: While limited testing has been performed without incurring costs, the author takes no responsibility for costs incurred by running the tool.


Wes Ladd

July 4, 2022 - 2 min read

Wes Ladd

July 4, 2022 - 2 min read

Outline

A Scalable AWS Enumeration and Footprinting Tool

This article is intended to serve as a “blue...

Wes Ladd

July 4, 2022 - 2 min read

Join Train GRC Academy + Become A Cyber Risk Expert.

  • Stay Ahead Of The Latest Tech Trends
  • Breeze Through Assessments
  • Stop Hearing You Aren’t “Technical Enough”
Join Now
authLogo