Quiet Riot: enumeration tool for scalable, unauthenticated validation of AWS principals
Quiet Riot
An enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Account IDs, root e-mail addresses, users, and roles.
Featureploitation Limits
Throttling
After performing extensive analysis of scaling methods using the AWS Python (Boto3) SDK, I was able to determine that the bottleneck for scanning (at least for Python and awscli -based tools) is I/O capacity of a single-threaded Python application. After modifying the program to run with multiple threads, I was able to trigger exceptions in individual threads due to throttling by the various AWS APIs. You can see the results from running a few benchmarking test scans here. APIs that I tested had wildly different throttling limits and notably, s3 bucket policy attempts took ~10x as long as similar attempts against other services.
With further testing, I settled on a combination of SNS, ECR-Public, and ECR-Private services running in US-East-1 in ~40%/50%/10% configuration split with ~700 threads. The machine I used was a 2020 Macbook Air (M1 and 16 GB RAM). This configuration yielded on average ~1100 calls/sec, though the actual number of calls can fluctuate significantly depending on a variety of factors including network connectivity. Under these configurations, I did occasionally throw an exception on a thread from throttling…but I have subsequently configured additional re-try attempts (4 -> 7) via botocore that will eliminate this issue with a minor performance trade-off.
Computational Difficulty
To attempt every possible Account ID in AWS (1,000,000,000,000) would require an infeasible amount of time given only one account. Even assuming absolute efficiency*, over the course of a day an attacker will only be able to make 95,040,000 validation checks. Over 30 days, this is 2,851,200,000 validation checks and we are still over 28 years away from enumerating every valid AWS Account ID. Fortunately, there is nothing stopping us from registering many AWS accounts and automating this scan. While there is an initial limit of 20 accounts per AWS organization, I was able to get this limit increased for my Organization via console self-service and approval from an AWS representative. The approval occurred without any further questions and now I’m off to automate this writ large. Again, assuming absolute efficiency, the 28 years of scanning could potentially be reduced down to ~100 days.
*~1100 API calls/check per second in perpetuity per account and never repeating a guessed Account ID.
Potential Supported Services
| # | AWS Service | Description | API Limits | Resource Pricing | Enumeration Capability |
|---|---|---|---|---|---|
| 1 | SNS | Managed Serverless Notification Service | Unknown | Unknown | Yes |
| 2 | KMS | Encryption Key Management Service | Unknown | Unknown | Yes |
| 3 | SecretsManager | Managed Secret Store | Unknown | Unknown | Yes |
| 4 | CodeArtifact | Managed Source Code Repository | Unknown | Unknown | Yes |
| 5 | ECR Public | Managed Container Registry | Unknown | Unknown | Yes |
| 6 | ECR Private | Managed Container Registry | Unknown | Unknown | Yes |
| 7 | Lambda | Managed Serverless Function | Unknown | Unknown | Yes |
| 8 | s3 | Managed Serverless Object Store | Unknown | Unknown | Yes |
| 9 | SES | SMTP Automation Service | Unknown | Unknown | Unknown |
| 10 | ACM | Private Certificate Authority | Unknown | Unknown | Unknown |
| 11 | CodeBuild | Software Build Agent | Unknown | Unknown | Unknown |
| 12 | AWS Backup | Managed Backup Service | Unknown | Unknown | Unknown |
| 13 | Cloud9 | Managed IDE | Unknown | Unknown | Unknown |
| 14 | Glue | Managed ETL Job Service | Unknown | Unknown | Unknown |
| 15 | EKS | Managed K8s Service | Unknown | Unknown | Unknown |
| 16 | Lex V2 | Managed NLP Service | Unknown | Unknown | Unknown |
| 17 | CloudWatch Logs | Managed Log Pipeline/Monitoring | Unknown | Unknown | Unknown |
| 18 | VPC Endpoints | Managed Virtual Network | Unknown | Unknown | Unknown |
| 19 | Elemental MediaStore | Unknown | Unknown | Unknown | Unknown |
| 20 | OpenSearch | Managed ElasticSearch | Unknown | Unknown | Unknown |
| 21 | EventBridge | Managed Serverless Event Hub | Unknown | Unknown | Unknown |
| 22 | EventBridge Schemas | Managed Serverless Event Hub | Unknown | Unknown | Unknown |
| 23 | IoT | Internet-of-Things Management | Unknown | Unknown | Unknown |
| 24 | s3 Glacier | Cold Object Storage | Unknown | Unknown | Unknown |
| 25 | ECS | Managed Container Orchestration | Unknown | Unknown | Unknown |
| 26 | Serverless Application Repository | Managed Source Code Repository | Unknown | Unknown | No |
| 27 | SQS | Managed Serverless Queueing Service | Unknown | Unknown | No |
| 28 | EFS | Managed Serverless Elastic File System | Unknown | Unknown | No |
