DetentionDodger: Unmasking Leaked Credentials & Their Organizational Impact

DetentionDodger is a tool designed to find IAM users whose credentials have been leaked or compromised and to assess the impact those users can have on the target AWS account.

Install

Local Installation

The only installation step needed is installing the required Python libraries:

git clone https://github.com/Permiso-io-tools/DetentionDodger.git
cd DetentionDodger
python3 -m venv ./venv
source venv/bin/activate
python3 -m pip install -r requirements.txt

Then run the tool with python3 detentiondodger.py (the -h output is shown below):

usage: DetentionDodger [-h] [-p PROFILE]

DetentionDodger is a tool designed to find users whose credentials have been leaked/compromised and the impact they have on the target

options:
-h, --help show this help message and exit
-p PROFILE, --profile PROFILE
The AWS Profile Name to authenticate as. Default is 'default'. The credentials need to have access to iam:ListUsers, iam:ListUserPolicies,
iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListGroupPolicies, iam:ListAttachedGroupPolicies, cloudtrail:LookupEvents,
iam:GetPolicyVersion, iam:GetPolicy

Docker

A Dockerfile is placed inside the main directory of the project. To build the image, inside the main directory of the project run:

docker build -t detentiondodger .

Then run the container with the output directory and ~/.aws mounted from the host, so the tool can read your AWS profiles and write its results back to the host:

docker run -v ~/.aws:/root/.aws -v ./output:/detentiondodger/output -it detentiondodger -h
usage: DetentionDodger [-h] [-p PROFILE]

DetentionDodger is a tool designed to find users whose credentials have been leaked/compromised and the impact they have on the target

options:
-h, --help show this help message and exit
-p PROFILE, --profile PROFILE
The AWS Profile Name to authenticate as. Default is 'default'. The credentials need to have access to iam:ListUsers, iam:ListUserPolicies,
iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListGroupPolicies, iam:ListAttachedGroupPolicies, cloudtrail:LookupEvents,
iam:GetPolicyVersion, iam:GetPolicy

Use

Finding all quarantined users

When no user is specified with the -u flag, the tool lists all IAM users and finds the ones that either have the Quarantine Policy attached or had an attempt to attach it recorded in the CloudTrail logs. It then lists all the policies attached to those users and to their groups and checks the resulting privileges against the scenarios found in the scenarios directory.

Checking specific user

A user can be specified with the -u flag. In that case the Quarantine Policy check is skipped and the user is checked only for the privileges it has.
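The two modes above, as an added offline example of the triage flow they describe (this is illustrative code, not DetentionDodger's own implementation). Constructed dictionaries stand in for the boto3 results of the IAM and CloudTrail calls listed in the usage text, the scenario table is an assumed stand-in for the scenarios directory, and the quarantine policy is assumed to be the AWS managed AWSCompromisedKeyQuarantine / AWSCompromisedKeyQuarantineV2 policy (its document below is an abridged stand-in, not the real policy text). The example goes one step beyond the README by honoring explicit Deny statements, which matters because the quarantine policy itself is a Deny policy and still leaves every other permission the user had intact.

```python
"""Offline model of DetentionDodger's triage flow (added example, not the tool's code).

Constructed data replaces the boto3 calls the README lists (iam:ListUsers,
ListAttachedUserPolicies, ListUserPolicies, ListGroupsForUser,
ListAttachedGroupPolicies, GetPolicyVersion, cloudtrail:LookupEvents).
"""
import fnmatch
import json

# Assumption: the "Quarantine Policy" is the AWS managed policy AWS attaches to a
# user whose access key was found exposed. Matched on policy name, not full ARN.
QUARANTINE_POLICY_NAMES = {"AWSCompromisedKeyQuarantine", "AWSCompromisedKeyQuarantineV2"}

def is_quarantine_policy(policy_arn):
    return policy_arn.rsplit("/", 1)[-1] in QUARANTINE_POLICY_NAMES

# Constructed sample account state, shaped like the IAM list/get results.
POLICY_DOCUMENTS = {
    "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2": {  # abridged stand-in
        "Statement": [{"Effect": "Deny", "Resource": "*",
                       "Action": ["iam:CreateAccessKey", "iam:AttachUserPolicy", "ec2:RunInstances"]}]},
    "arn:aws:iam::123456789012:policy/DeployAccess": {
        "Statement": [{"Effect": "Allow", "Resource": "*",
                       "Action": ["s3:*", "iam:PassRole", "lambda:CreateFunction"]}]},
    "arn:aws:iam::123456789012:policy/DevBase": {
        "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
    "arn:aws:iam::123456789012:policy/AdminGroup": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
}
USERS = {  # user -> attached managed policy ARNs, inline documents, group names
    "ci-deploy": {"attached": ["arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2",
                               "arn:aws:iam::123456789012:policy/DeployAccess"],
                  "inline": {}, "groups": ["Developers"]},
    "alice": {"attached": [], "groups": ["Admins"],
              "inline": {"kms-admin": {"Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}}},
    "bob": {"attached": ["arn:aws:iam::123456789012:policy/DevBase"], "inline": {}, "groups": ["Developers"]},
}
GROUPS = {
    "Developers": {"attached": ["arn:aws:iam::123456789012:policy/DevBase"], "inline": {}},
    "Admins": {"attached": ["arn:aws:iam::123456789012:policy/AdminGroup"], "inline": {}},
}
# Constructed cloudtrail:LookupEvents records. The second attach failed (the caller
# lacked the right to quarantine alice), which is still evidence of a leak.
EVENTS = [
    {"EventName": "AttachUserPolicy", "CloudTrailEvent": json.dumps({"requestParameters": {
        "userName": "ci-deploy", "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"}})},
    {"EventName": "AttachUserPolicy", "CloudTrailEvent": json.dumps({"errorCode": "AccessDenied", "requestParameters": {
        "userName": "alice", "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2"}})},
    {"EventName": "AttachUserPolicy", "CloudTrailEvent": json.dumps({"requestParameters": {
        "userName": "bob", "policyArn": "arn:aws:iam::123456789012:policy/DevBase"}})},
]
# Assumed stand-in for the scenarios directory: scenario -> actions that must all be allowed.
SCENARIOS = {
    "s3-data-exfil": ["s3:GetObject", "s3:ListBucket"],
    "lambda-privesc": ["lambda:CreateFunction", "iam:PassRole"],
    "key-minting": ["iam:CreateAccessKey"],
}

def quarantined_users(users, events):
    """Users with the quarantine policy attached, or with an AttachUserPolicy of it
    in CloudTrail (whether or not the call succeeded)."""
    found = {}
    for name, u in users.items():
        if any(is_quarantine_policy(a) for a in u["attached"]):
            found[name] = "quarantine policy attached"
    for ev in events:
        if ev["EventName"] != "AttachUserPolicy":
            continue
        detail = json.loads(ev["CloudTrailEvent"])
        params = detail.get("requestParameters", {})
        if is_quarantine_policy(params.get("policyArn", "")):
            status = detail.get("errorCode", "succeeded")
            found.setdefault(params["userName"], f"AttachUserPolicy in CloudTrail ({status})")
    return found

def effective_statements(user, users, groups):
    """All policy statements the user holds directly or inherits from its groups."""
    u = users[user]
    stmts = []
    for principal in [u] + [groups[g] for g in u["groups"]]:
        for arn in principal["attached"]:
            stmts += POLICY_DOCUMENTS[arn]["Statement"]
        for doc in principal["inline"].values():
            stmts += doc["Statement"]
    return stmts

def action_allowed(stmts, action):
    """IAM evaluation in miniature: an explicit Deny beats any matching Allow."""
    verdict = False
    for s in stmts:
        patterns = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if any(fnmatch.fnmatchcase(action, pat) for pat in patterns):
            if s["Effect"] == "Deny":
                return False
            verdict = True
    return verdict

def matched_scenarios(user, users=USERS, groups=GROUPS, scenarios=SCENARIOS):
    """The -u mode: privilege check only, no quarantine lookup."""
    stmts = effective_statements(user, users, groups)
    return sorted(n for n, acts in scenarios.items() if all(action_allowed(stmts, a) for a in acts))

def triage(users=USERS, groups=GROUPS, events=EVENTS):
    """The default mode: quarantine discovery followed by the privilege check."""
    return {u: {"why": why, "scenarios": matched_scenarios(u, users, groups)}
            for u, why in quarantined_users(users, events).items()}

if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Two details worth carrying over to real data: CloudTrail's errorCode sits at the top level of the event record, so a denied attach is still attributed to the targeted user, and the quarantine policy only denies a fixed list of actions, so a user like ci-deploy above keeps full S3 access and a Lambda/PassRole path even after AWS has quarantined the key.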

Source: https://github.com/Permiso-io-tools/