From 5114276d2126077a1aa37ff827469ad36540d46c Mon Sep 17 00:00:00 2001 From: cfgs Date: Tue, 8 Aug 2023 14:43:13 +0200 Subject: [PATCH] feat: add new tool for cognito aws pentesting --- .../aws-cognito-privesc.md | 18 ++++++++++++++++++ .../aws-services/aws-cognito-enum/README.md | 18 ++++++++++++++++++ .../aws-cognito-enum/cognito-identity-pools.md | 18 ++++++++++++++++++ .../aws-cognito-enum/cognito-user-pools.md | 18 ++++++++++++++++++ 4 files changed, 72 insertions(+) diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md index b45e69ed72..1ac0a6f595 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md +++ b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md @@ -20,6 +20,24 @@ For more info about Cognito check: [aws-cognito-enum](../aws-services/aws-cognito-enum/) {% endcontent-ref %} +### Tool for pentesting + +[Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including a privesc escalation. + +#### Installation + +```bash +$ pip install cognito-scanner +``` + +#### Usage + +```bash +$ cognito-scanner --help +``` + +For more information check https://github.com/padok-team/cognito-scanner + ### Gathering credentials from Identity Pool As Cognito can grant **IAM role credentials** to both **authenticated** an **unauthenticated** **users**, if you locate the **Identity Pool ID** of an application (should be hardcoded on it) you can obtain new credentials and therefore privesc (inside an AWS account where you probably didn't even have any credential previously). diff --git a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md index 26c8e1e185..e6e512eeaa 100644 
--- a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md +++ b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md @@ -34,6 +34,24 @@ The learn what is a **Cognito Identity Pool check**: [cognito-identity-pools.md](cognito-identity-pools.md) {% endcontent-ref %} +## Tool for pentesting + +[Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including account enumeration and privesc escalation. + +### Installation + +```bash +$ pip install cognito-scanner +``` + +### Usage + +```bash +$ cognito-scanner --help +``` + +For more information check https://github.com/padok-team/cognito-scanner + ## Enumeration {% code overflow="wrap" %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md index 5e78d7ed90..a38f1ab7e0 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md +++ b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md @@ -30,6 +30,24 @@ This is **useful to keep information of a user** (who will be always using the s Moreover, the service **cognito-sync** is the service that allow to **manage and syncronize this information** (in the datasets, sending info in streams and SNSs msgs...). +### Tool for pentesting + +[Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and identity pool escalation. + +#### Installation + +```bash +$ pip install cognito-scanner +``` + +#### Usage + +```bash +$ cognito-scanner --help +``` + +For more information check https://github.com/padok-team/cognito-scanner + ## Accessing IAM Roles ### Unauthenticated 
diff --git a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md index 09d6213e4a..6807fd1078 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md +++ b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md @@ -33,6 +33,24 @@ User pools provide: * **User enumeration**: The registration functionality can be used to find usernames that already exists. This information can be useful for the brute-force attack. * **Login brute-force**: In the [**Authentication**](cognito-user-pools.md#authentication) section you have all the **methods** that a user have to **login**, you could try to brute-force them **find valid credentials**. +### Tool for pentesting + +[Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and account oracle. + +#### Installation + +```bash +$ pip install cognito-scanner +``` + +#### Usage + +```bash +$ cognito-scanner --help +``` + +For more information check https://github.com/padok-team/cognito-scanner + ## Registration User Pools allows by **default** to **register new users**.
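Review bot: In the aws-cognito-privesc.md hunk the description line `[Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including a privesc escalation.` reads as "privilege escalation escalation"; suggest "including a privilege escalation" and "Python" capitalised. The two bash blocks also carry a `$ ` prompt, which breaks copy-paste of `pip install cognito-scanner` and `cognito-scanner --help`; drop the prompt or use a `console` fence. Since `pip install` fetches and runs setup code from a third-party package, it is worth recommending `pipx` or a virtual environment and a pinned version in the Installation step so readers do not drop an unreviewed tool into a shared interpreter.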
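Review bot: The README.md hunk duplicates the same "Tool for pentesting" section into four files with four different feature lists ("account enumeration and privesc escalation" here, "unwanted account creation and account oracle" in cognito-user-pools.md, "unwanted account creation and identity pool escalation" in cognito-identity-pools.md), which will drift out of sync. Keep the full section in README.md (the parent page of the three others) and replace the copies with a `{% content-ref %}` block pointing back here, matching the convention already visible in the hunk's context (`[cognito-identity-pools.md](cognito-identity-pools.md)` inside `{% content-ref %}` / `{% endcontent-ref %}`). "privesc escalation" should read "privilege escalation" here as well.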
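Review bot: In the cognito-identity-pools.md hunk the new `### Tool for pentesting` block is inserted between the cognito-sync paragraph and `## Accessing IAM Roles`, so it renders as a sub-section of the preceding datasets/sync topic instead of a stand-alone section; either use `##` like its neighbours or move it after the role-access material it relates to. "identity pool escalation" is also vague on a page whose own terms are the unauthenticated and authenticated role retrieval under "Accessing IAM Roles"; describe the tool's capability in those terms so readers can map it to the page.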
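Review bot: In the cognito-user-pools.md hunk "account oracle" is not a term used anywhere else on the page; the bullet immediately above the hunk already calls this `**User enumeration**: The registration functionality can be used to find usernames that already exists.`, so reuse "user enumeration" in the tool description, and "unwanted account creation" can point readers to the `## Registration` section that directly follows the hunk. Same copy-paste issue as the other files with the `$ ` prompt inside the bash fences.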