Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement module/add akid decoder and module #391

Merged
merged 4 commits into from
Jan 9, 2024
Merged

Enhancement module/add akid decoder and module #391

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c94551c
Add util to decode access key ID from https://medium.com/@TalBeerySec…
DaveYesland Jan 8, 2024
5234918
Add util to decode akid from https://medium.com/@TalBeerySec/a-short-…
DaveYesland Jan 8, 2024
9531406
Merge branch 'master' into enhancement-module/add_akid_decoder_and_mo…
DaveYesland Jan 9, 2024
faca698
Merge branch 'master' into enhancement-module/add_akid_decoder_and_mo…
DaveYesland Jan 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Empty file added pacu/modules/iam__decode_accesskey_id/__init__.py
View file
Open in desktop
Empty file.
39 changes: 39 additions & 0 deletions pacu/modules/iam__decode_accesskey_id/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
#!/usr/bin/env python3
import argparse
from pacu.utils import decode_accesskey_id

module_info = {
'name': 'iam__decode_accesskey_id',
'author': 'Rhino Security Labs',
'category': 'enum',
'one_liner': 'This module decodes an access key ID to get the AWS account ID. Based on: https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489',
'description': 'This module decodes an access key ID to get the AWS account ID without making and AWS API calls. Based on: https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489',
'services': ['IAM'],
'prerequisite_modules': [],
'external_dependencies': [],
'arguments_to_autocomplete': [],
}

parser = argparse.ArgumentParser(add_help=True, description=module_info['description'])

parser.add_argument('access_key_id', nargs='?', default='', help='The access key ID to decode. If not provided, the current access key ID for the current profile will be used.')


def main(args, pacu_main):

key_info = pacu_main.key_info
args = parser.parse_args(args)

user = key_info()

if args.access_key_id:
accesskey_id = args.access_key_id
else:
accesskey_id = user['AccessKeyId']

data = decode_accesskey_id(accesskey_id)
return data


def summary(data, pacu_main):
return f"Account ID: {data}"
25 changes: 25 additions & 0 deletions pacu/utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@
import sys
import typing
import zipfile
import base64
import binascii
import re
from pathlib import Path
from typing import Optional, Union

Expand Down Expand Up @@ -96,3 +99,25 @@ def zip_file(file_path: Path, file_data: dict) -> bytes:

with open(file_path, 'rb') as f:
return f.read()


def decode_accesskey_id(AWSKeyID):
'''
Taken from: https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489
AWSKeyID is the AWS Access Key ID
This function returns the AWS Account ID
'''
regex = re.compile('(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])')
if not regex.match(AWSKeyID):
print('Invalid AWS Access Key ID')
return

trimmed_AWSKeyID = AWSKeyID[4:]
x = base64.b32decode(trimmed_AWSKeyID)
y = x[0:6]

z = int.from_bytes(y, byteorder='big', signed=False)
mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False)

e = (z & mask) >> 7
return ("{:012d}".format(e))
Loading