Password Spraying AWS IAM Users

Performing password spray attacks against AWS console users can lead to successful credentials validation and, in turn, access to the AWS user and AWS account.

We need to know the AWS Account ID for this technique to work. Refer to Enumerate AWS Account IDs for methods on how to obtain this.

Understanding Password Spraying Attacks

Password spraying involves trying a password against multiple accounts to avoid account lockout policies that may exist
Essentially, we're "guessing" the password and hoping it's valid for an account
Having MFA enforced for users is a great mitigating control to thwart this attack

Password Spraying Requirements

For this attack to work, the AWS Account ID should be known and we must have a list of usernames and passwords to test with
AWS IAM Account IDs can be discovered in several ways e.g.,
- Enumerate AWS Account IDs
AWS IAM usernames can be discovered in several ways e.g.,
- Enumerate (Unauthenticated) IAM Users and Roles
- Enumerate AWS IAM Users

Methods to Password Spray AWS Console Users

GoAWSConsoleSpray

can be used to discover valid credentials for AWS console users
While AWS console users have a username and password, it's worth noting that with valid AWS IAM Access Keys and the right permission, can be generated for the associated user

./go/bin/GoAWSConsoleSpray -a 111111111111 -u users.txt -p passwords.txt

2024/12/07 22:40:14 GoAWSConsoleSpray: [2] users loaded. [2] passwords loaded. [4] potential login requests.
2024/12/07 22:40:14 Spraying User: arn:aws:iam::111111111111:user/jonsnow
2024/12/07 22:40:14 (jonsnow)	[+] SUCCESS:	Valid Password: Password!@# 	MFA: false
2024/12/07 22:40:14 Spraying User: arn:aws:iam::111111111111:user/whitewalker

Using the tool, we shared a list of 2 usernames and 2 passwords, and got a valid hit on the user jonsnowand a password of password!@#

PreviousGenerate IAM Access Keys from CloudShell NextSubdomain Takeovers

Last updated 5 months ago

Was this helpful?