galoryber/CodeSnag

CodeSnag

AWS SSO Device-Code Phishing Toolkit for Red / Purple Teams

CodeSnag automates an end-to-end AWS device-code authorization phish. An operator delivers a single link; when the victim clicks it, a fresh device code is generated on-the-fly, the victim is seamlessly redirected to the legitimate AWS SSO authorization page, and — if they approve — CodeSnag captures their SSO token for the operator.

Intended use: Authorized red-team and purple-team engagements only.


How It Works

           ┌──────────────┐
Victim ──► │  CloudFront   │
 clicks    │  distribution │
 link      └──────┬───────┘
                   │ GET /api/v1
                   ▼
           ┌──────────────┐    generates device code     ┌───────────────────┐
           │ API Gateway   │ ──────────────────────────► │ AWS SSO OIDC      │
           │  + redirect   │ ◄── verificationUriComplete │ (target org)      │
           │    Lambda     │                              └───────────────────┘
           └──────┬───────┘
                   │ 302 redirect to                      ┌───────────────────┐
                   │ verification URL  ──────────────────►│ Victim sees the   │
                   │                                      │ real AWS SSO      │
                   │                                      │ "Authorize" page  │
                   │                                      └───────────────────┘
                   │ SQS message
                   │ (device_code + OIDC app creds)
                   ▼
           ┌──────────────┐    polls create_token         ┌───────────────────┐
           │  Process      │ ──────────────────────────► │ AWS SSO OIDC      │
           │  Lambda       │ ◄── SSO access token         │ (target org)      │
           │  (SQS trigger)│                              └───────────────────┘
           └──────┬───────┘
                   │ writes .sso-token + .csv
                   ▼
           ┌──────────────┐
           │  S3 Bucket    │  ← operator retrieves loot
           │  (IP-locked)  │
           └──────────────┘

Step by Step

  1. Operator deploys CodeSnag with terraform apply. Terraform creates: CloudFront distribution, API Gateway, two Lambda functions, an SQS queue, and an S3 bucket.
  2. Operator delivers the CloudFront (or API Gateway) URL to the target — via email, chat, social engineering, etc.
  3. Victim clicks the link. The redirect Lambda:
    • Registers a temporary OIDC client with the target's AWS SSO.
    • Starts device authorization, obtaining a one-time verificationUriComplete URL.
    • Returns an HTTP 302, sending the victim's browser straight to the real AWS SSO approval page.
    • Queues the device code + OIDC credentials to SQS.
  4. Victim approves the device on the legitimate AWS SSO page (it looks completely normal).
  5. Process Lambda (triggered by SQS) polls create_token until the victim approves, then:
    • Saves the raw SSO access token to S3 (.sso-token file).
    • Enumerates every AWS account and role the victim can access.
    • Pulls temporary STS credentials for each role.
    • Writes everything to S3 as a CSV.
  6. Operator downloads the token and/or CSV from S3 and operates.
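From the defender's side, the useful property of the flow above is that the three OIDC calls in steps 3 and 5 (RegisterClient, StartDeviceAuthorization, CreateToken) are all made by the operator's Lambdas, so in the target organization's CloudTrail they arrive from cloud egress addresses rather than from the victim's workstation, unlike a normal `aws sso login`. The Python below is an added detection sketch, not part of CodeSnag or the referenced research: it flags that sequence in a constructed batch of CloudTrail-like records. The event source, event names and the `requestParameters.grantType` field are assumptions about how the trail records IAM Identity Center OIDC activity, and the IP addresses are constructed.

```python
from datetime import datetime, timedelta

# Assumed CloudTrail event source/names for IAM Identity Center OIDC calls.
OIDC_SOURCE = "sso-oidc.amazonaws.com"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
SEQUENCE = ("RegisterClient", "StartDeviceAuthorization", "CreateToken")

def _ev(time, name, ip, grant=None):
    """Build one constructed CloudTrail-like record (sample data, not real logs)."""
    return {"eventTime": time, "eventSource": OIDC_SOURCE, "eventName": name,
            "sourceIPAddress": ip, "requestParameters": {"grantType": grant} if grant else {}}

# 203.0.113.10 plays a trusted corporate egress IP (a normal `aws sso login`);
# 192.0.2.77 stands in for the phishing Lambda's egress address. Both are constructed.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00Z", "RegisterClient", "203.0.113.10"),
    _ev("2024-05-01T09:00:01Z", "StartDeviceAuthorization", "203.0.113.10"),
    _ev("2024-05-01T09:00:40Z", "CreateToken", "203.0.113.10", DEVICE_GRANT),
    _ev("2024-05-01T14:12:03Z", "RegisterClient", "192.0.2.77"),
    _ev("2024-05-01T14:12:03Z", "StartDeviceAuthorization", "192.0.2.77"),
    _ev("2024-05-01T14:15:50Z", "CreateToken", "192.0.2.77", DEVICE_GRANT),
]

def find_device_code_phish(events, trusted_ips, window_minutes=30):
    """One finding per untrusted IP that ran RegisterClient -> StartDeviceAuthorization
    -> CreateToken (device_code grant), in that order, within window_minutes."""
    by_ip = {}
    for e in events:
        if e.get("eventSource") == OIDC_SOURCE and e["sourceIPAddress"] not in trusted_ips:
            by_ip.setdefault(e["sourceIPAddress"], []).append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda r: r["eventTime"])  # ISO-8601 UTC timestamps sort lexically
        stage, start = 0, None
        for e in evs:
            when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            if stage and when - start > timedelta(minutes=window_minutes):
                stage = 0  # partial sequence went stale; start over
            if e["eventName"] != SEQUENCE[stage]:
                continue
            if stage == 0:
                start = when
            elif stage == 2 and e["requestParameters"].get("grantType") != DEVICE_GRANT:
                continue  # a refresh or other grant is not the device-code flow
            stage += 1
            if stage == 3:
                findings.append({"sourceIPAddress": ip, "tokenIssuedAt": e["eventTime"],
                                 "clientRegisteredAt": start.strftime("%Y-%m-%dT%H:%M:%SZ")})
                stage = 0
    return findings
```

Feeding it the sample with the corporate IP trusted yields one finding for 192.0.2.77; with nothing trusted, the legitimate login is flagged too, which is why an egress allow-list (or a baseline of known workstation IPs) is the key input.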

Prerequisites

  • AWS CLI configured with credentials that can deploy infrastructure.
  • Terraform >= 1.3.
  • The target organization's SSO start URL and its region.

Finding the Target SSO Details

The SSO start URL is a subdomain of awsapps.com:

https://<subdomain>.awsapps.com/start

Curl that URL — the response headers / redirect will reveal the SSO region (e.g. us-east-1).


Quick Start

# 1. Clone the repo
git clone <repo-url> && cd codesnag

# 2. Create your operator config
cp terraform.tfvars.example terraform.tfvars

Edit terraform.tfvars — there are only three required values:

Variable       Example                         What it is
sso_start_url  https://acme.awsapps.com/start  Target's SSO start URL
sso_region     us-east-1                       Region of the target SSO instance
source_ip      198.51.100.42                   Your IP (S3 bucket access allow-list)

Optional:

Variable  Default    What it is
region    us-east-2  AWS region to deploy CodeSnag infra

# 3. Deploy
terraform init
terraform apply

Terraform will output:

  • payload_url_cloudfront — the phishing link (CloudFront).
  • payload_url_api_gateway — alternative phishing link (direct API Gateway).
  • loot_bucket — S3 bucket name where tokens and creds land.

No Python editing. No manual zipping. Terraform handles Lambda packaging automatically via archive_file, and all operator-specific values are injected as environment variables.


Using the Stolen Token

The SSO access token is valid for 8 hours.

Option A — CLI

Use aws-sso-device-code-authentication:

python3 main.py \
  -u https://acme.awsapps.com/start \
  -r us-east-1 \
  -i <downloaded>.sso-token

This lists every account the victim has access to and can generate AWS access keys for any role.

Option B — Browser

  1. Go to https://<subdomain>.awsapps.com/start
  2. Open DevTools → Application → Cookies
  3. Replace the value of x-amz-sso_authn with the stolen SSO token
  4. Refresh the page — you're now logged in as the victim.

Tearing Down

terraform destroy

This removes all AWS resources created by CodeSnag.


Project Structure

.
├── main.tf                      # All infrastructure (CloudFront, API GW, Lambda, SQS, S3, IAM)
├── lambda_redirect_payload.py   # Generates device code, redirects victim, queues polling job
├── lambda_process_payload.py    # Polls for approval, dumps token + creds to S3
├── terraform.tfvars.example     # Operator config template (copy → terraform.tfvars)
├── .gitignore                   # Keeps state, zips, and tfvars out of version control
└── README.md

References

This project builds on the research and tooling by Christophe Tafani-Dereeper:
