exploitgraph 1.0.0__py3-none-any.whl

exploitgraph-1.0.0.dist-info/RECORD

@@ -0,0 +1,42 @@
+core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+core/attack_graph.py,sha256=Osej6YKoPJ6q5wrqcW0hQLgUsn95XV04HeqItOdzqIk,3856
+core/aws_client.py,sha256=D70-URLTRQbUfufCaKLeY-So-QPwuFSUJtMF_COuaEI,9796
+core/config.py,sha256=FgkykICftoB1slI3mzAls0kj1VOPYhtl2lqcExGUPLU,3086
+core/console.py,sha256=MKeGRWPwNvQqM1uwZcGmIK3hxxBX6_W4BeNRR73NpnQ,23051
+core/context_engine.py,sha256=6wVx-TZhAoY83xG8tIul_mKzmrK_tdmxRHzIieN2DK4,7226
+core/correlator.py,sha256=R63X_eR08UMuyR0IOjam5YKxZ-7GhurS20ibSAlfm3o,22238
+core/http_client.py,sha256=LY8W_To2vamHheCvpb9f1_iCJP8TDuScmbuPjSLQ_D8,8595
+core/logger.py,sha256=iazXJqI-OVLCQtIovjzD-b30cjzyRQWWsVhiZN9ReOo,3893
+core/module_loader.py,sha256=2MVVXcZUFdeM4PmY82FP7Pn22fMVxRjXdwRpELmfPkw,2886
+core/risk_engine.py,sha256=2bz6sPjKVZjNQdRqrYzaxXy8FUuK-kEe4B4NVnTx2Dw,1968
+core/session_manager.py,sha256=FdHzVADV_jWIEzYJDqMOV8CLBcg0hArYunnFaBQ58rQ,10688
+exploitgraph-1.0.0.dist-info/licenses/LICENSE,sha256=Nt_gc-40jBtmfDF4rIXJXB_mQ_ApZdn49uTSXrhv5w0,1070
+modules/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+modules/base.py,sha256=oiopwu3TOxR_iYKFx1vso0krmWnv_Cu06FNlUKiQAvg,3283
+modules/cloud/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+modules/cloud/aws_credential_validator.py,sha256=6JAyDr4AaIdVBfCocb6SJMOlzz3dZ_Hyii5Nbi91riw,15443
+modules/cloud/azure_enum.py,sha256=oqdjWM19gsGce1CmzvnLdggKcvSMhCw6r5_XJ_O7tZU,13277
+modules/cloud/cloudtrail_analyzer.py,sha256=B6QGJqexJhJjCATgCiDoRlrkv8FwuKafeWNIeylbjpM,22866
+modules/cloud/gcp_enum.py,sha256=5HC2Ln0Bqsj32gIbcEmQ1nGn4-eyOAvuz-TTh3i03bY,11758
+modules/cloud/iam_enum.py,sha256=dStnYqqmKY6uWSPrgflqqlbWq4_Dr2dameLxPtYJ838,15591
+modules/cloud/iam_privilege_escalation.py,sha256=Kfqz-sHUaom_uV29cVAjQ40VZWw267oK-zRBxlFhieU,21593
+modules/cloud/metadata_check.py,sha256=fXG0UKSVD5P1EUqVa2Y79XhvMkmVJMNd_zIjUkeoXqA,14583
+modules/cloud/s3_enum.py,sha256=YQdCkyjXWS31EgRWccfUZswktbuC2MDu5gZqZAalYW4,22203
+modules/discovery/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+modules/discovery/http_enum.py,sha256=Vup-c49TOamzgHHbm6prlnfxb22yZ_fz7YXXg3qTTeo,10866
+modules/discovery/subdomain_enum.py,sha256=WTfQn3rQWMutIkFbDVLgUFjrDKmhOmx8YEeC8vRzGmQ,10548
+modules/exploitation/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+modules/exploitation/api_exploit.py,sha256=ldfvTS66oFUcTcM1SotWTEhmQnuLizjPW6S6msJ7x8w,19526
+modules/exploitation/jwt_attack.py,sha256=qXMTqnGTBXCGKvpCceFaFskOQgUqmFQChpCIH8w5_R8,15591
+modules/exploitation/ssrf_scanner.py,sha256=D8RtgYEftvCJUXiCk8unyPEyXC_9VtNAZUxD4zvGDbg,11402
+modules/reporting/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+modules/reporting/html_report.py,sha256=kgHxR_VXJni9c4NrVSpFrV0-VvQr782lVP1yeLqLNAY,24944
+modules/reporting/json_export.py,sha256=KHn5kguSGYRZw213PX1CBsk-ylqzixSpm-Eh0YwEd1s,4078
+modules/secrets/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+modules/secrets/file_secrets.py,sha256=ic0NhwLbCvB1ARQMT8cyYUNmjrIWVYE0Picv-XPpR-g,16820
+modules/secrets/git_secrets.py,sha256=HcNqg7YXSqf-XkYiVOoH_dxYeO9VyYHe-Ylz3ehgfC0,11418
+exploitgraph-1.0.0.dist-info/METADATA,sha256=k8sSj2WrymQ-FxvnFUAHxjzkxj_D5vuM44N5LPM766o,15193
+exploitgraph-1.0.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+exploitgraph-1.0.0.dist-info/entry_points.txt,sha256=dG0vV2jtfX9ZXJ7upLKyG6pgbPJN1Ox2Rit9PO0BjjU,51
+exploitgraph-1.0.0.dist-info/top_level.txt,sha256=dXGiKnRy6F5ai_9PsEJ3Wl2UDtLkQJC3z8Q1MZJvAtw,13
+exploitgraph-1.0.0.dist-info/RECORD,,

exploitgraph-1.0.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

exploitgraph-1.0.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+exploitgraph = exploitgraph:main

exploitgraph-1.0.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Prajwal Pawar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

exploitgraph-1.0.0.dist-info/top_level.txt

@@ -0,0 +1,2 @@
+core
+modules

modules/base.py

@@ -0,0 +1,82 @@
+"""ExploitGraph - BaseModule: the contract every module must fulfill."""
+from __future__ import annotations
+import abc, time, datetime
+from typing import TYPE_CHECKING, Any
+if TYPE_CHECKING:
+    from core.session_manager import Session
+
+
+class ModuleResult:
+    def __init__(self, success: bool, data: dict = None, error: str = ""):
+        self.success   = success
+        self.data      = data or {}
+        self.error     = error
+        self.timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
+    def __bool__(self): return self.success
+
+
+class BaseModule(abc.ABC):
+    """
+    Abstract base class for all ExploitGraph modules.
+    Modules communicate ONLY via the shared Session object.
+    Modules must NEVER import or call other modules directly.
+    """
+    NAME:         str       = "unnamed_module"
+    DESCRIPTION:  str       = "No description"
+    AUTHOR:       str       = "ExploitGraph Community"
+    VERSION:      str       = "1.0.0"
+    CATEGORY:     str       = "misc"
+    SEVERITY:     str       = "INFO"
+    MITRE:        list[str] = []
+    AWS_PARALLEL: str       = ""
+    OPTIONS:      dict      = {}
+
+    def __init__(self):
+        self._options: dict[str, Any] = {k: v["default"] for k,v in self.OPTIONS.items()}
+        self._start: float = 0.0
+        self._elapsed: float = 0.0
+
+    @abc.abstractmethod
+    def run(self, session: "Session") -> ModuleResult: ...
+
+    def validate(self, session: "Session") -> tuple[bool, str]:
+        for name, meta in self.OPTIONS.items():
+            if meta.get("required") and not self._options.get(name):
+                return False, f"Required option '{name}' not set.  set {name} <value>"
+        return True, ""
+
+    def report(self, session: "Session") -> dict:
+        return {"module": self.NAME, "category": self.CATEGORY,
+                "severity": self.SEVERITY, "elapsed": self._elapsed}
+
+    def set_option(self, key: str, value: Any) -> tuple[bool, str]:
+        if key.upper() not in self.OPTIONS:
+            return False, f"Unknown option: {key}.  Valid: {list(self.OPTIONS.keys())}"
+        self._options[key.upper()] = value
+        return True, f"{key.upper()} => {value}"
+
+    def get_option(self, key: str, default: Any = None) -> Any:
+        return self._options.get(key.upper(), default)
+
+    def show_options(self) -> list[tuple]:
+        return [(name, str(self._options.get(name, meta.get("default",""))),
+                 "yes" if meta.get("required") else "no", meta.get("description",""))
+                for name, meta in self.OPTIONS.items()]
+
+    def _timer_start(self):  self._start = time.monotonic()
+    def _timer_stop(self) -> float:
+        self._elapsed = round(time.monotonic() - self._start, 2)
+        return self._elapsed
+
+    @staticmethod
+    def info(m):     from core.logger import log; log.module_info(m)
+    @staticmethod
+    def ok(m):       from core.logger import log; log.module_success(m)
+    @staticmethod
+    def warn(m):     from core.logger import log; log.module_warn(m)
+    @staticmethod
+    def err(m):      from core.logger import log; log.module_error(m)
+    @staticmethod
+    def critical(m): from core.logger import log; log.module_critical(m)
+
+    def __repr__(self): return f"<Module {self.CATEGORY}/{self.NAME} v{self.VERSION}>"

modules/cloud/aws_credential_validator.py

@@ -0,0 +1,340 @@
+"""
+ExploitGraph Module: AWS Credential Validator
+Category: cloud
+
+Validates AWS credentials discovered by file_secrets or cloudtrail_analyzer.
+Uses read-only STS + IAM calls to:
+  1. Confirm the key is still active (GetCallerIdentity)
+  2. Enumerate accessible services and permissions
+  3. Detect privilege level (admin vs limited)
+  4. Map potential lateral movement paths
+
+All operations are READ-ONLY and non-destructive.
+
+MITRE: T1078.004 — Valid Accounts: Cloud Accounts
+"""
+from __future__ import annotations
+import re
+from typing import TYPE_CHECKING
+
+from modules.base import BaseModule, ModuleResult
+
+if TYPE_CHECKING:
+    from core.session_manager import Session
+
+# Services to probe for access (safe list/describe calls only)
+PROBE_SERVICES = [
+    ("s3",         "list_buckets",              {},                    "s3:ListAllMyBuckets"),
+    ("iam",        "list_users",                {"MaxItems": 5},       "iam:ListUsers"),
+    ("iam",        "list_roles",                {"MaxItems": 5},       "iam:ListRoles"),
+    ("ec2",        "describe_instances",        {"MaxResults": 5},     "ec2:DescribeInstances"),
+    ("ec2",        "describe_security_groups",  {"MaxResults": 5},     "ec2:DescribeSecurityGroups"),
+    ("lambda",     "list_functions",            {"MaxItems": 5},       "lambda:ListFunctions"),
+    ("rds",        "describe_db_instances",     {"MaxRecords": 5},     "rds:DescribeDBInstances"),
+    ("sts",        "get_caller_identity",       {},                    "sts:GetCallerIdentity"),
+    ("secretsmanager","list_secrets",           {"MaxResults": 5},     "secretsmanager:ListSecrets"),
+]
+
+# Policies indicating admin-level access
+ADMIN_INDICATORS = [
+    "AdministratorAccess",
+    "PowerUserAccess",
+    "FullAccess",
+]
+
+
+class AwsCredentialValidator(BaseModule):
+
+    NAME        = "aws_credential_validator"
+    DESCRIPTION = "Validate discovered AWS credentials using STS + enumerate accessible services and IAM permissions"
+    AUTHOR      = "ExploitGraph Team"
+    VERSION     = "1.1.0"
+    CATEGORY    = "cloud"
+    SEVERITY    = "CRITICAL"
+    MITRE       = ["T1078.004", "T1580"]
+    AWS_PARALLEL = "aws sts get-caller-identity && aws iam list-attached-user-policies"
+
+    OPTIONS = {
+        "AWS_ACCESS_KEY":   {"default": "",          "required": False, "description": "AWS Access Key ID to validate"},
+        "AWS_SECRET_KEY":   {"default": "",          "required": False, "description": "AWS Secret Access Key"},
+        "AWS_SESSION_TOKEN":{"default": "",          "required": False, "description": "AWS Session Token (for temporary creds)"},
+        "AWS_REGION":       {"default": "us-east-1", "required": False, "description": "AWS region"},
+        "AWS_PROFILE":      {"default": "",          "required": False, "description": "AWS CLI profile name"},
+        "PROBE_SERVICES":   {"default": "true",      "required": False, "description": "Probe accessible AWS services"},
+        "ENUM_POLICIES":    {"default": "true",      "required": False, "description": "Enumerate attached IAM policies"},
+    }
+
+    def run(self, session: "Session") -> ModuleResult:
+        from core.logger import log
+        from core.aws_client import verify_credentials, get_client, is_available, has_credentials
+
+        self._timer_start()
+        log.section("AWS Credential Validator")
+        log.info("MITRE: T1078.004 — Valid Accounts: Cloud Accounts")
+        log.info("All operations are READ-ONLY")
+
+        if not is_available():
+            log.warning("boto3 not installed. Install: pip install boto3")
+            log.step("Manual validation: aws sts get-caller-identity --profile <profile>")
+            return ModuleResult(False, {}, "boto3 required")
+
+        # Collect all credentials to test
+        creds_to_test = self._gather_credentials(session)
+
+        if not creds_to_test:
+            log.warning("No AWS credentials found in session.")
+            log.step("Run secrets/file_secrets or cloud/cloudtrail_analyzer first.")
+            return ModuleResult(True, {"validated": 0,
+                                        "skipped_reason": "No AWS credentials in session"})
+
+        log.info(f"Credentials to validate: {len(creds_to_test)}")
+
+        valid_count = 0
+        results = []
+
+        for cred in creds_to_test:
+            ak    = cred["access_key"]
+            sk    = cred.get("secret_key", "")
+            token = cred.get("session_token", "")
+
+            if not ak:
+                continue
+
+            log.step(f"Validating: {ak[:12]}... (from {cred.get('source', 'unknown')})")
+
+            # Step 1: STS GetCallerIdentity — proves the key works
+            identity = verify_credentials(ak, sk, token,
+                                          self.get_option("AWS_REGION", "us-east-1"))
+
+            if identity["valid"]:
+                valid_count += 1
+                arn     = identity["arn"]
+                account = identity["account"]
+
+                log.critical(f"VALID AWS CREDENTIALS!")
+                log.secret("Access Key", ak)
+                log.secret("ARN",        arn)
+                log.secret("Account ID", account)
+                log.info(f"AWS cmd: aws sts get-caller-identity "
+                         f"--access-key-id {ak} --secret-access-key <key>")
+
+                result = {
+                    "access_key": ak,
+                    "arn":        arn,
+                    "account":    account,
+                    "source":     cred.get("source", ""),
+                    "services":   {},
+                    "policies":   [],
+                    "privilege":  "UNKNOWN",
+                }
+
+                # Step 2: Probe which services are accessible
+                if self.get_option("PROBE_SERVICES", "true").lower() == "true":
+                    accessible = self._probe_services(ak, sk, token, session)
+                    result["services"] = accessible
+                    log.success(f"Accessible services: {', '.join(accessible.keys())}")
+
+                # Step 3: Enumerate IAM policies
+                if self.get_option("ENUM_POLICIES", "true").lower() == "true":
+                    username = arn.split("/")[-1] if "/" in arn else ""
+                    policies, privilege = self._enum_policies(ak, sk, token, username, session)
+                    result["policies"]  = policies
+                    result["privilege"] = privilege
+                    log.success(f"Privilege level: {privilege}")
+
+                results.append(result)
+
+                # Add to session
+                session.add_exploit_result(
+                    module  = self.NAME,
+                    action  = f"AWS Credential Validated: {arn}",
+                    success = True,
+                    detail  = f"Key {ak[:12]}... is VALID | Account: {account}",
+                    data    = result,
+                )
+
+                session.add_finding(
+                    module          = self.NAME,
+                    title           = f"Valid AWS Credentials — {result['privilege']} Access",
+                    severity        = "CRITICAL",
+                    description     = (
+                        f"AWS Access Key {ak[:12]}... is valid and active. "
+                        f"Identity: {arn}. "
+                        f"Privilege level: {result['privilege']}. "
+                        f"Accessible services: {', '.join(result['services'].keys())}"
+                    ),
+                    evidence        = (
+                        f"Access Key: {ak}\n"
+                        f"ARN: {arn}\n"
+                        f"Account: {account}\n"
+                        f"Accessible: {', '.join(result['services'].keys())}\n"
+                        f"Policies: {', '.join(result['policies'][:5])}"
+                    ),
+                    recommendation  = (
+                        "Immediately rotate this key:\n"
+                        f"aws iam update-access-key --access-key-id {ak} --status Inactive\n"
+                        "Then investigate how it was exposed and audit all actions taken."
+                    ),
+                    cvss_score      = 10.0 if result["privilege"] == "ADMIN" else 9.0,
+                    aws_parallel    = "Stolen IAM credential — immediate privilege escalation risk",
+                    mitre_technique = "T1078.004",
+                )
+
+                # Update attack graph
+                session.add_graph_node(
+                    "aws_access",
+                    f"AWS Access\n{arn.split('/')[-1]}",
+                    "access", "CRITICAL",
+                    f"Account: {account} | Privilege: {result['privilege']}"
+                )
+                session.add_graph_edge("cloudtrail_creds", "aws_access",
+                                       "credential validation", "T1078.004")
+
+            else:
+                log.warning(f"Invalid/expired: {ak[:12]}... ({identity['error']})")
+
+        elapsed = self._timer_stop()
+        log.success(f"Validation done in {elapsed}s — {valid_count}/{len(creds_to_test)} valid")
+
+        return ModuleResult(True, {
+            "credentials_tested": len(creds_to_test),
+            "valid":              valid_count,
+            "results":            results,
+        })
+
+    def _gather_credentials(self, session: "Session") -> list[dict]:
+        """Build credential pairs from session secrets."""
+        # Explicit options override
+        if self.get_option("AWS_ACCESS_KEY"):
+            return [{
+                "access_key":    self.get_option("AWS_ACCESS_KEY"),
+                "secret_key":    self.get_option("AWS_SECRET_KEY"),
+                "session_token": self.get_option("AWS_SESSION_TOKEN", ""),
+                "source":        "module options",
+            }]
+
+        # Pair up access keys and secret keys from session
+        creds = []
+        access_keys  = [s["value"] for s in session.secrets
+                         if s["secret_type"] == "AWS_ACCESS_KEY"]
+        secret_keys  = [s["value"] for s in session.secrets
+                         if s["secret_type"] == "AWS_SECRET_KEY"]
+        session_toks = [s["value"] for s in session.secrets
+                         if s["secret_type"] == "AWS_SESSION_TOKEN"]
+
+        # Pair them positionally
+        for i, ak in enumerate(access_keys):
+            sk    = secret_keys[i]    if i < len(secret_keys)  else ""
+            token = session_toks[i]   if i < len(session_toks) else ""
+            source_info = next(
+                (s["source"] for s in session.secrets if s["value"] == ak), "session"
+            )
+            creds.append({"access_key": ak, "secret_key": sk,
+                           "session_token": token, "source": source_info})
+
+        # Also try access-key-only validation (STS might still work)
+        for ak in access_keys:
+            if not any(c["access_key"] == ak for c in creds):
+                creds.append({"access_key": ak, "secret_key": "",
+                               "session_token": "", "source": "session (key only)"})
+
+        return creds
+
+    def _probe_services(self, ak: str, sk: str, token: str,
+                         session: "Session") -> dict[str, str]:
+        """Try safe list/describe calls on common AWS services."""
+        from core.logger import log
+        from core.aws_client import get_client
+        import botocore.exceptions
+
+        accessible = {}
+        region = self.get_option("AWS_REGION", "us-east-1")
+
+        for service, method, kwargs, permission in PROBE_SERVICES:
+            try:
+                client = get_client(service, region=region,
+                                    access_key=ak, secret_key=sk,
+                                    session_token=token)
+                if not client:
+                    continue
+                fn = getattr(client, method)
+                response = fn(**kwargs)
+                accessible[service] = permission
+                log.step(f"  ✓ {service}: {method} succeeded ({permission})")
+            except Exception as e:
+                pass  # error handled upstream
+            except Exception as e:
+                if "AccessDenied" in err or "Unauthorized" in err:
+                    pass  # Expected — no access
+                elif "is not subscribed" in err:
+                    pass  # Service not in region
+                else:
+                    pass
+
+        return accessible
+
+    def _enum_policies(self, ak: str, sk: str, token: str,
+                        username: str, session: "Session") -> tuple[list[str], str]:
+        """Enumerate IAM policies attached to the user and determine privilege level."""
+        from core.logger import log
+        from core.aws_client import get_client
+        import botocore.exceptions
+
+        region  = self.get_option("AWS_REGION", "us-east-1")
+        iam     = get_client("iam", region=region, access_key=ak,
+                              secret_key=sk, session_token=token)
+        if not iam:
+            return [], "UNKNOWN"
+
+        policies  = []
+        privilege = "LIMITED"
+
+        try:
+            # Attached managed policies
+            if username:
+                resp = iam.list_attached_user_policies(UserName=username)
+                for p in resp.get("AttachedPolicies", []):
+                    name = p["PolicyName"]
+                    policies.append(name)
+                    log.step(f"  Policy: {name}")
+                    if any(ind in name for ind in ADMIN_INDICATORS):
+                        privilege = "ADMIN"
+                        log.critical(f"  ADMIN POLICY FOUND: {name}")
+
+            # Inline policies
+            if username:
+                resp2 = iam.list_user_policies(UserName=username)
+                for name in resp2.get("PolicyNames", []):
+                    policies.append(f"inline:{name}")
+                    log.step(f"  Inline policy: {name}")
+                    # Fetch and check for wildcards
+                    try:
+                        doc = iam.get_user_policy(UserName=username, PolicyName=name)
+                        doc_str = str(doc.get("PolicyDocument", ""))
+                        if '"*"' in doc_str and '"Action": "*"' in doc_str:
+                            privilege = "ADMIN"
+                            log.critical(f"  WILDCARD POLICY: {name} — full admin!")
+                    except Exception:
+                        pass  # network/connection error — continue scanning
+
+            # Try GetAccountAuthorizationDetails for full picture
+            try:
+                details = iam.get_account_authorization_details(Filter=["User"])
+                for user_detail in details.get("UserDetailList", []):
+                    if user_detail.get("UserName") == username:
+                        attached = user_detail.get("AttachedManagedPolicies", [])
+                        for p in attached:
+                            name = p["PolicyName"]
+                            if name not in policies:
+                                policies.append(name)
+                            if any(ind in name for ind in ADMIN_INDICATORS):
+                                privilege = "ADMIN"
+            except Exception:
+                pass  # network/connection error — continue scanning
+
+        except botocore.exceptions.ClientError as e:
+            pass  # error handled upstream
+        except botocore.exceptions.ClientError as e:
+                log.warning(f"IAM enum error: {e}")
+
+        return policies, privilege