As part of our Cloud Security Penetration Test service, White Oak Security has observed quite a few different AWS deployments over the years; ranging from extremely secure and locked down following the principles of least-privilege-access, to more open and inadequately permissioned AWS configurations. As part of those standard misconfigurations, we’ve noticed a frequent amount of IAM accounts deployed without any Multi-Factor Authentication (MFA) policy in place.
These accounts lacking MFA, if deployed with a poor password, are susceptible to brute-force attacks as AWS does not enforce any account lockout policy by default [1]. According to Amazon’s documentation, “you can’t create a “lockout policy” to lock a user out of the account after a specified number of failed sign-in attempts. Amazon does perform some network throttling and bruteforce rate-limiting, however, these can easily be avoided with a bit of a time delay.
Additionally, we were unable to identify any tool that already exists that simply attempts to spray AWS account console credentials.
Today we’re releasing a simple AWS Console Password Spraying tool that provides a couple of benefits:
Simply provide an AWS Account ID, a list of usernames, and a list of passwords, and the tool will begin performing the password spray.
The likelihood of a successful password spraying attack depends on several attributes:
From an AWS Auditing perspective, if you have console access and you want to attempt to gain access to a list of users as part of your penetration test, you would be looking for IAM users that have a valid password age but are not configured with MFA.
This tool is very loud and was not created to be stealthy. By default, AWS logs all console authentication attempts [2], both failures and successes, in CloudTrail. This includes the source IP, user-agent, time, and accounts targeted. Therefore, if you want this to be a bit more opsec safe, White Oak Security recommends modifying the user-agent as well as using some method to distribute your traffic across a variety of nodes (such as the AWS API Gateway [3]).
To counter some of the AWS network defenses, we have built-in a delay argument to throttle the amount of traffic, as well as some built-in error handling to increase the delay when AWS detects a brute-force attack. By waiting several seconds after this detection occurs, it appears to reset the timer and allows for an additional ~30 password spray requests before triggering the detection again.
GoAWSConsoleSpray Tool
GoAWSConsoleSpray can be found on our WhiteOakSecurity GitHub.