tardiseclabs/AliPath

AliPath

Alibaba Cloud RAM → BloodHound Graph Tool

AliPath collects Alibaba Cloud RAM (Resource Access Management) relationships and converts them into BloodHound-compatible JSON — enabling cloud pentesters and defenders to visualize privilege escalation paths in Alibaba Cloud environments.

Inspired by IAMhounddog for AWS.


Architecture

AliPath/
├── core/
│   ├── client.py              # Alibaba Cloud RAM SDK client
│   └── graph_builder.py       # OpenGraph node/edge builder
├── models/
│   ├── nodes.py               # Node types (User, Group, Role, Policy, ...)
│   └── edges.py               # Edge types (MemberOf, AttachedPolicy, ...)
├── collector/
│   ├── ram_users.py            # Enumerate users, policies, groups, keys
│   ├── ram_groups.py           # Enumerate groups and policies
│   ├── ram_roles.py            # Enumerate roles and trust policies
│   ├── ram_policies.py         # Parse policy documents, detect dangers
│   └── ram_relationships.py    # Build CanAssume, PassRole, AdminTo edges
├── exporters/
│   ├── bloodhound_exporter.py  # BloodHound JSON export
│   └── neo4j_exporter.py       # Neo4j Cypher/CSV export
├── import/
│   ├── types.json              # BloodHound custom node types
│   └── queries.json            # Pre-built Cypher queries
├── examples/
│   └── output.json             # Example BloodHound output
├── main.py                     # CLI entrypoint
├── requirements.txt
├── pyproject.toml
└── config.example.json

Data Model

AliPath conforms to the BloodHound OpenGraph schema:

graph LR;
    User-->|MemberOf|Group;
    User-->|AttachedPolicy|Policy;
    Group-->|AttachedPolicy|Policy;
    Role-->|AttachedPolicy|Policy;
    Principal-->|AssumeRole|Role;
    User-->|CanAssume|Role;
    User-->|HasAccessKey|AccessKey;
    Policy-->|AdminTo|Account;
    Policy-->|action|Resource;

Alibaba Cloud RAM → BloodHound Mapping

| Alibaba Cloud Entity       | BloodHound Node Kind | Properties                                   |
|----------------------------|----------------------|----------------------------------------------|
| RAM User                   | AliUser              | name, displayname, user_id, create_date      |
| RAM Group                  | AliGroup             | name, comments                               |
| RAM Role                   | AliRole              | name, arn, trust_policy, description         |
| RAM Policy                 | AliPolicy            | name, policy_type, policy_document           |
| Cloud Account              | AliCloudAccount      | account_id, region                           |
| External/Service Principal | AliPrincipal         | name, type (RAM/Service/Federated)           |
| Resource (service prefix)  | AliResource          | name                                         |

Edge Types

| Edge Kind             | Direction                 | Description                                  |
|-----------------------|---------------------------|----------------------------------------------|
| aliMemberOf           | User → Group              | User is a member of the group                |
| aliAttachedPolicy     | User/Group/Role → Policy  | Policy is attached to the principal          |
| aliAssumeRoleAllowed  | Principal → Role          | Trust policy permits assumption              |
| aliCanAssume          | User/Role → Role          | Effective ability to assume (trust+perm)     |
| aliAdminTo            | Principal → Account       | Effective admin access                       |
| aliHasAccessKey       | User → AccessKey          | User has an API access key                   |
| ramPassRoleAllowed    | Principal → Resource      | Principal can pass roles to services         |
| aliDangerousPrivilege | Policy → Resource         | Dangerous permission granted                 |
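To make the mapping concrete, here is an added example (not AliPath's own exporter code) that emits the User → Group → Policy → Account chain as a BloodHound OpenGraph ingest document using the node and edge kinds from the two tables above. The envelope layout (graph.nodes, graph.edges, start/end with match_by, metadata.source_kind) is our reading of the OpenGraph generic-ingest schema, the source kind "AliBase" and all identifiers are constructed sample values, and the dangling-edge check is a pre-ingest sanity test, not part of the project.

```python
import json

SOURCE_KIND = "AliBase"  # assumption: a source kind under which all AliPath nodes are registered


def node(node_id, kind, **props):
    """One OpenGraph node; every node carries its specific kind plus the source kind."""
    props.setdefault("name", node_id)
    return {"id": node_id, "kinds": [kind, SOURCE_KIND], "properties": props}


def edge(kind, start, end, **props):
    """One OpenGraph edge whose endpoints are matched by node id."""
    return {"kind": kind,
            "start": {"value": start, "match_by": "id"},
            "end": {"value": end, "match_by": "id"},
            "properties": props}


def build_admin_group_graph(account_id="123456789012345678"):
    """alice -> Admins -> AdministratorAccess -> Account (constructed sample data)."""
    nodes = [
        node("alice", "AliUser", displayname="Alice", user_id="u-alice", create_date="2024-01-01"),
        node("Admins", "AliGroup", comments="cloud admins"),
        node("AdministratorAccess", "AliPolicy", policy_type="System"),
        node(account_id, "AliCloudAccount", account_id=account_id, region="cn-hangzhou"),
    ]
    edges = [
        edge("aliMemberOf", "alice", "Admins"),
        edge("aliAttachedPolicy", "Admins", "AdministratorAccess"),
        edge("aliAdminTo", "AdministratorAccess", account_id),
    ]
    return {"graph": {"nodes": nodes, "edges": edges},
            "metadata": {"source_kind": SOURCE_KIND}}


def dangling_edges(doc):
    """Edges whose start or end id is not a node in the document; ingest would drop them."""
    ids = {n["id"] for n in doc["graph"]["nodes"]}
    return [e for e in doc["graph"]["edges"]
            if e["start"]["value"] not in ids or e["end"]["value"] not in ids]


if __name__ == "__main__":
    doc = build_admin_group_graph()
    assert not dangling_edges(doc)
    print(json.dumps(doc, indent=2))
```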

Installation

# Clone the repository
git clone https://github.com/your-org/AliPath.git
cd AliPath

# Install dependencies
pip install -r requirements.txt

# Or install as package
pip install -e .

Requirements


Authentication

Environment Variables (Recommended)

export ALIBABA_CLOUD_ACCESS_KEY_ID="your_access_key_id"
export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your_access_key_secret"

Config File

cp config.example.json config.json
# Edit config.json with your credentials

Required RAM Permissions

AliPath needs read-only access to RAM APIs:

{
  "Statement": [
    {
      "Action": [
        "ram:ListUsers", "ram:GetUser",
        "ram:ListGroups", "ram:ListGroupsForUser",
        "ram:ListRoles", "ram:GetRole",
        "ram:ListPolicies", "ram:GetPolicy", "ram:GetPolicyVersion",
        "ram:ListPoliciesForUser", "ram:ListPoliciesForGroup", "ram:ListPoliciesForRole",
        "ram:ListAccessKeys", "ram:GetAccountAlias"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

Usage

1. Collect RAM Data

python main.py collect --region cn-hangzhou

This will:

  1. Authenticate to Alibaba Cloud
  2. Enumerate all RAM users, groups, roles, and policies
  3. Parse policy documents and trust policies
  4. Build identity relationships
  5. Detect privilege escalation paths
  6. Export BloodHound JSON to output/

2. Export Data

# BloodHound JSON format
python main.py export --bloodhound

# Neo4j Cypher/CSV format
python main.py export --neo4j

# Both formats
python main.py export --bloodhound --neo4j

3. Visualize Attack Paths

python main.py visualize

Prints a text-based summary and highlights potential privilege escalation paths.

4. Import into BloodHound

  1. Download and set up BloodHound CE
  2. Import output/output.json using Administration → File Ingest
  3. Import custom node types:
    • Go to Profile → API Key Management → Create Token
    • Use the token to import import/types.json via the custom-nodes API
  4. Run pre-built queries from the Cypher tab

Sample Attack Path Analysis

Path 1: User → Group → AdminAccess

alice → MemberOf → Admins → AttachedPolicy → AdministratorAccess → AdminTo → Account

Impact: User alice has full admin access via the Admins group.

Path 2: User → AssumeRole → AdminRole

bob → CanAssume → ECSAdminRole → AttachedPolicy → AdministratorAccess

Impact: User bob can escalate to admin by assuming the ECSAdminRole.

Path 3: User → PassRole → ECS Instance Escalation

charlie → ramPassRoleAllowed → ECSAdminRole → (ECS instance with role)

Impact: User charlie can pass an admin role to an ECS instance, then connect to it for privilege escalation.
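The three paths above are what a graph walk over AliPath's edge kinds produces. As an added illustration (not the project's own relationship code), the following depth-first search reproduces Path 1 and Path 2 from a constructed edge list; it only follows the edge kinds that confer effective access (aliCanAssume rather than the trust-only aliAssumeRoleAllowed) and guards against MemberOf/CanAssume cycles.

```python
from collections import defaultdict

# Edge kinds that carry effective access toward the account (assumption: this set
# mirrors the sample paths above; aliCanAssume already folds trust plus permission).
TRAVERSABLE = {"aliMemberOf", "aliAttachedPolicy", "aliCanAssume", "aliAdminTo"}

SAMPLE_EDGES = [  # (start, kind, end): constructed to match the README's sample paths
    ("alice", "aliMemberOf", "Admins"),
    ("Admins", "aliAttachedPolicy", "AdministratorAccess"),
    ("AdministratorAccess", "aliAdminTo", "Account"),
    ("bob", "aliAssumeRoleAllowed", "ECSAdminRole"),  # trust only: not walked on its own
    ("bob", "aliCanAssume", "ECSAdminRole"),
    ("ECSAdminRole", "aliAttachedPolicy", "AdministratorAccess"),
    ("dave", "aliMemberOf", "Developers"),
    ("Developers", "aliAttachedPolicy", "ReadOnlyAccess"),  # no aliAdminTo: dead end
]


def build_adjacency(edges):
    """Adjacency list restricted to the traversable edge kinds."""
    adj = defaultdict(list)
    for start, kind, end in edges:
        if kind in TRAVERSABLE:
            adj[start].append((kind, end))
    return adj


def admin_paths(edges, users, target="Account"):
    """Return every path from each user to the account node, in README notation."""
    adj = build_adjacency(edges)
    found = []

    def walk(current, trail, seen):
        if current == target:
            found.append(" → ".join(trail))
            return
        for kind, nxt in adj.get(current, []):
            if nxt not in seen:  # cycle guard: nested groups or mutually assumable roles
                walk(nxt, trail + [kind, nxt], seen | {nxt})

    for user in users:
        walk(user, [user], {user})
    return found


if __name__ == "__main__":
    for path in admin_paths(SAMPLE_EDGES, ["alice", "bob", "dave"]):
        print(path)
```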


Dangerous Privileges Detected

AliPath flags the following dangerous permissions:

| Action                      | Severity | Description                          |
|-----------------------------|----------|--------------------------------------|
| *                           | CRITICAL | Full wildcard — god mode             |
| ram:*                       | CRITICAL | Full RAM control                     |
| ram:PassRole                | HIGH     | Can pass roles to services           |
| ram:AssumeRole              | HIGH     | Can assume other roles               |
| ram:AttachPolicyToUser      | HIGH     | Can attach any policy to any user    |
| ram:AttachPolicyToGroup     | HIGH     | Can attach any policy to any group   |
| ram:AttachPolicyToRole      | HIGH     | Can attach any policy to any role    |
| ram:CreateAccessKey         | HIGH     | Can create access keys for any user  |
| ram:CreateUser              | HIGH     | Can create new RAM users             |
| ram:CreateRole              | HIGH     | Can create new roles                 |
| ram:CreatePolicy            | HIGH     | Can create arbitrary policies        |
| ram:UpdateRole              | HIGH     | Can modify role trust policies       |
| ram:SetDefaultPolicyVersion | HIGH     | Can swap active policy version       |
| sts:AssumeRole              | HIGH     | STS assume role                      |

Alibaba Cloud RAM API References

AliPath uses the following RAM APIs via alibabacloud_ram20150501:

  • ListUsers / GetUser
  • ListGroups / ListGroupsForUser
  • ListRoles / GetRole
  • ListPolicies / GetPolicy / GetPolicyVersion
  • ListPoliciesForUser / ListPoliciesForGroup / ListPoliciesForRole
  • ListAccessKeys
  • GetAccountAlias

Credits

AliPath is inspired by IAMhounddog by Virtue Security, which builds BloodHound-compatible graphs for AWS IAM.


License

MIT License — See LICENSE for details.
