# Password Spraying AWS IAM Users

{% hint style="danger" %}
We need to know the AWS Account ID for this technique to work. Refer to [enumerate-aws-account-ids](https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-attacks-and-techniques/enumerate-aws-account-ids "mention") for methods on how to obtain this.
{% endhint %}

## Understanding Password Spraying Attacks

* Password spraying tries one (or a handful of) common passwords against many accounts, rather than many passwords against one account, so that per-account lockout or throttling policies are not triggered
* Essentially, we're "guessing" the password and hoping it's valid for at least one account
* Having MFA enforced for users is a great mitigating control: a guessed password alone is not enough to sign in, and the spraying tool will report the MFA requirement rather than a usable login
* Every console sign-in attempt, successful or not, is recorded in CloudTrail as a `ConsoleLogin` event, so a burst of failures across many usernames from one source IP is detectable by defenders
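The defender's side of the same activity, as an added example that is not part of this page or of any spraying tool: the function below walks a set of CloudTrail-shaped `ConsoleLogin` records and flags source IPs that fail against several distinct usernames inside a short window, plus any successful sign-in that happened without MFA. The records, the `3 users / 5 minutes` thresholds and the IP addresses are constructed for illustration; the field names (`eventName`, `sourceIPAddress`, `userIdentity.userName`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`) are the ones CloudTrail actually uses for console sign-in events.

```python
"""Flag password-spraying patterns in CloudTrail ConsoleLogin events.

Added example for this page; not the code of GoAWSConsoleSpray or AWS.
Thresholds and sample data below are assumptions, not AWS defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _login(event_time, ip, user, result, mfa_used):
    """Build one constructed record in the shape of a CloudTrail ConsoleLogin event."""
    return {
        "eventTime": event_time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": user},
        "responseElements": {"ConsoleLogin": result},
        "additionalEventData": {"MFAUsed": mfa_used},
    }


# Constructed sample: 198.51.100.7 sprays three names (one of them invalid, which
# CloudTrail masks as HIDDEN_DUE_TO_SECURITY_REASONS) and then lands a password-only
# login; 203.0.113.5 is an ordinary user who mistyped once and then used MFA.
SAMPLE_EVENTS = [
    _login("2024-12-07T22:40:14Z", "198.51.100.7", "jonsnow", "Failure", "No"),
    _login("2024-12-07T22:40:14Z", "198.51.100.7", "whitewalker", "Failure", "No"),
    _login("2024-12-07T22:40:15Z", "198.51.100.7", "HIDDEN_DUE_TO_SECURITY_REASONS", "Failure", "No"),
    _login("2024-12-07T22:40:16Z", "198.51.100.7", "jonsnow", "Success", "No"),
    _login("2024-12-07T22:10:02Z", "203.0.113.5", "samwell", "Failure", "No"),
    _login("2024-12-07T22:10:30Z", "203.0.113.5", "samwell", "Success", "Yes"),
]


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _console_logins(events, result):
    """Yield ConsoleLogin events whose outcome matches result ("Success"/"Failure")."""
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") == result:
            yield ev


def detect_spray(events, min_users=3, window=timedelta(minutes=5)):
    """Return {source_ip: sorted usernames} for IPs that failed against at least
    min_users distinct usernames within any `window`-long span.

    The masked username HIDDEN_DUE_TO_SECURITY_REASONS is counted as one pseudo-user,
    so guesses against nonexistent names still contribute to the count.
    """
    failures = defaultdict(list)
    for ev in _console_logins(events, "Failure"):
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        failures[ev["sourceIPAddress"]].append((_parse_time(ev["eventTime"]), user))

    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()  # sort by time; then slide a window starting at each attempt
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_without_mfa(events):
    """Return (username, source_ip) for successful console logins where MFAUsed == "No".

    These are the logins a sprayer reports as `MFA: false`: password alone was enough.
    """
    return [
        (ev["userIdentity"].get("userName"), ev["sourceIPAddress"])
        for ev in _console_logins(events, "Success")
        if ev.get("additionalEventData", {}).get("MFAUsed") == "No"
    ]


if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"[!] possible spray from {ip}: {', '.join(users)}")
    for user, ip in successes_without_mfa(SAMPLE_EVENTS):
        print(f"[!] password-only console login: {user} from {ip}")
```

Against real data, feed the records from the trail's S3 bucket or an Athena query into the same two functions; the success-without-MFA list is the one to act on first, since it is exactly the outcome the attacker is looking for.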

## Password Spraying Requirements

* For this attack to work, the AWS Account ID must be known and we must have a list of usernames and a list of passwords to test with
* AWS Account IDs can be discovered in several ways, e.g.,
  * [enumerate-aws-account-ids](https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-attacks-and-techniques/enumerate-aws-account-ids "mention")
* AWS IAM usernames can be discovered in several ways, e.g.,
  * [enumerate-unauthenticated-iam-users-and-roles](https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-attacks-and-techniques/enumerate-unauthenticated-iam-users-and-roles "mention")
  * [enumerate-aws-iam-users](https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-attacks-and-techniques/enumerate-aws-iam-users "mention")

***

## Methods to Password Spray AWS Console Users

### GoAWSConsoleSpray

* [GoAWSConsoleSpray](https://www.techwithtyler.dev/cloud-security/tools/goawsconsolespray) can be used to discover valid credentials for AWS console users; it takes the account ID (`-a`), a username list (`-u`) and a password list (`-p`) and tries every username/password combination against the console sign-in page
* While spraying targets the username and password of console users, it's worth noting that the console is not the only way in: with valid AWS IAM access keys and the right permissions, a [console session](https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-attacks-and-techniques/generate-aws-console-session) can be generated for the associated identity without ever knowing its password

{% code overflow="wrap" %}

```bash
./go/bin/GoAWSConsoleSpray -a 111111111111 -u users.txt -p passwords.txt

2024/12/07 22:40:14 GoAWSConsoleSpray: [2] users loaded. [2] passwords loaded. [4] potential login requests.
2024/12/07 22:40:14 Spraying User: arn:aws:iam::111111111111:user/jonsnow
2024/12/07 22:40:14 (jonsnow)	[+] SUCCESS:	Valid Password: Password!@# 	MFA: false
2024/12/07 22:40:14 Spraying User: arn:aws:iam::111111111111:user/whitewalker
```

{% endcode %}

* Using the tool, we passed a list of 2 usernames and 2 passwords (4 login attempts in total) and got a valid hit on the user `jonsnow` with the password `Password!@#`; the `MFA: false` in the output means the password alone is enough to sign in to the console as that user
