diff --git a/Gemfile.lock b/Gemfile.lock index 10a64f740229..fa5116de8cc5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -5,6 +5,9 @@ PATH actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) + aws-sdk-ec2 + aws-sdk-iam + aws-sdk-s3 backports bcrypt bcrypt_pbkdf @@ -111,6 +114,28 @@ GEM arel (6.0.4) arel-helpers (2.9.1) activerecord (>= 3.1.0, < 7) + aws-eventstream (1.0.3) + aws-partitions (1.174.0) + aws-sdk-core (3.54.2) + aws-eventstream (~> 1.0, >= 1.0.2) + aws-partitions (~> 1.0) + aws-sigv4 (~> 1.1) + jmespath (~> 1.0) + aws-sdk-ec2 (1.91.0) + aws-sdk-core (~> 3, >= 3.53.0) + aws-sigv4 (~> 1.1) + aws-sdk-iam (1.24.0) + aws-sdk-core (~> 3, >= 3.53.0) + aws-sigv4 (~> 1.1) + aws-sdk-kms (1.21.0) + aws-sdk-core (~> 3, >= 3.53.0) + aws-sigv4 (~> 1.1) + aws-sdk-s3 (1.42.0) + aws-sdk-core (~> 3, >= 3.53.0) + aws-sdk-kms (~> 1) + aws-sigv4 (~> 1.1) + aws-sigv4 (1.1.0) + aws-eventstream (~> 1.0, >= 1.0.2) backports (3.15.0) bcrypt (3.1.13) bcrypt_pbkdf (1.0.1) @@ -158,6 +183,7 @@ GEM http_parser.rb (0.6.0) i18n (0.9.5) concurrent-ruby (~> 1.0) + jmespath (1.4.0) jsobfu (0.4.2) rkelly-remix json (2.2.0) @@ -408,3 +434,4 @@ DEPENDENCIES BUNDLED WITH 1.17.3 + diff --git a/documentation/modules/auxiliary/cloud/aws/enum_ec2.md b/documentation/modules/auxiliary/cloud/aws/enum_ec2.md new file mode 100644 index 000000000000..414ba5c3eba0 --- /dev/null +++ b/documentation/modules/auxiliary/cloud/aws/enum_ec2.md @@ -0,0 +1,117 @@ +## Vulnerable Application + +Amazon Web Services (AWS) resources can be managed through an API that authenticates based on an `ACCESS_KEY_ID` and a `SECRET_ACCESS_KEY`. With these two pieces of information, an attacker can gain privileges which may include enumerating resources within the AWS account. + +This module authenticates to AWS EC2 (Elastic Compute Cloud) to identify compute instances that the credentials can see. The instances themselves may be connected to the public Internet, but are likely to be protected by security groups and subnet network ACLs. In any case, knowledge of the instances is the first step in evaluating their security. + +## Verification Steps + +### Create or acquire the credentials + + 1. (If necessary) Create an AWS account. Free trials are available. + 2. Login to the [AWS Console](https:\\console.aws.amazon.com\). + 3. Use the dropbown menu in the top-right with your username, then click on "My Security Credentials". + 4. Expand the "Access Keys" pane and click "Create New Access Key". + 5. Follow the steps in the AWS console, making sure to record both the 'access key ID' and 'secret access key'. (The 'secret access key' is only shown once, then can never be retrieved.) + +### Enumerate AWS resources using the credentials + + 1. Start msfconsole + 2. `use auxiliary/cloud/aws/enum_ec2` + 3. Set the `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` options. + 4. Optionally, set the `REGION` and `LIMIT` options. + 5. `run` + +## Options + + **ACCESS_KEY_ID** + + This AWS credential is like a username. It uniquely identifies the user, and is paired with a 'secret access key'. The access key ID is retrievable through the AWS console. + + An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC` + + **SECRET_ACCESS_KEY** + + This AWS credential is like a password, and should be treated as such. It is paired with a 'access key ID'. The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups. + + An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF\2dq3SbDsQj4jdyOMOv`. + +## Scenarios + +### Provided a valid 'access key ID' and 'secret access key' with sufficient privileges + +``` +msf5 auxiliary(cloud/aws/enum_iam) > run + +[+] Found 3 users. +[+] User Name: test1 +[+] User ID: AIDA5C76TR3KTTO3PTAJ7 +[+] Creation Date: 2019-06-14 18:18:23 UTC +[+] Tags: [] +[+] Groups: [] +[+] SSH Pub Keys: [] +[+] Policies: IAMUserChangePassword +[+] Signing certs: [] +[+] Password Used: 2019-06-17 19:55:57 UTC +[+] AWS Access Keys: AKIA5C76TR3K3JN3FYUE (Active) +[+] Console login: Enabled +[+] Two-factor auth: Enabled on 2019-06-17 20:01:05 UTC +[*] +[+] User Name: test2 +[+] User ID: AIDA5C76TR3KVHWFEQSDL +[+] Creation Date: 2019-06-14 18:18:35 UTC +[+] Tags: [] +[+] Groups: ["mygroup", "mygroup2"] +[+] SSH Pub Keys: [] +[+] Policies: IAMUserChangePassword +[+] Signing certs: [] +[+] Password Used: (Never) +[+] AWS Access Keys: AKIA5C76TR3KXHXA5CRC (Inactive) +[+] Console login: Enabled +[+] Two-factor auth: Disabled +[*] +[+] User Name: test3 +[+] User ID: AIDA5C76TR3KYI2HC4MOL +[+] Creation Date: 2019-06-14 18:18:44 UTC +[+] Tags: [] +[+] Groups: ["mygroup"] +[+] SSH Pub Keys: [] +[+] Policies: [] +[+] Signing certs: [] +[+] Password Used: (Never) +[+] AWS Access Keys: AKIA5C76TR3KWWADYZNB (Active) +[+] Console login: Disabled +[+] Two-factor auth: Disabled +[*] +[*] Auxiliary module execution completed +``` + +### Provided an invalid or inactive 'access key ID' + +``` +msf5 auxiliary(cloud/aws/enum_iam) > run + +[-] Auxiliary aborted due to failure: unexpected-reply: The security token included in the request is invalid. +[*] Auxiliary module execution completed +msf5 auxiliary(cloud/aws/enum_iam) > +``` + +### Provided an invalid 'secret access key' + +``` +msf5 auxiliary(cloud/aws/enum_iam) > run + +[-] Auxiliary aborted due to failure: unexpected-reply: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. +[*] Auxiliary module execution completed +msf5 auxiliary(cloud/aws/enum_iam) > +``` + +### Provided an 'access key ID' or 'secret access key' with insufficient privileges + +``` +msf5 auxiliary(cloud\aws\enum_ec2) > run + +[-] Auxiliary aborted due to failure: unexpected-reply: User: arn:aws:iam::899712345657:user/test1 is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::899712345657:user/ +[*] Auxiliary module execution completed +msf5 auxiliary(cloud\aws\enum_ec2) > +``` diff --git a/documentation/modules/auxiliary/cloud/aws/enum_iam.md b/documentation/modules/auxiliary/cloud/aws/enum_iam.md new file mode 100644 index 000000000000..ac7a1d9b71a7 --- /dev/null +++ b/documentation/modules/auxiliary/cloud/aws/enum_iam.md @@ -0,0 +1,102 @@ +## Vulnerable Application + +Amazon Web Services (AWS) resources can be managed through an API that authenticates based on an `ACCESS_KEY_ID` and a `SECRET_ACCESS_KEY`. With these two pieces of information, an attacker can gain privileges which may include enumerating resources within the AWS account. + +This module authenticates to AWS IAM (Identify Access Module) to identify user accounts that the credentials can see. The users themselves are likely protected with different credentials, including passwords or MFA tokens. In any case, knowledge of the users is the first step in evaluating their security. + +## Verification Steps + +### Create or acquire the credentials + + 1. (If necessary) Create an AWS account. Free trials are available. + 2. Login to the [AWS Console](https:\\console.aws.amazon.com\). + 3. Use the dropbown menu in the top-right with your username, then click on "My Security Credentials". + 4. Expand the "Access Keys" pane and click "Create New Access Key". + 5. Follow the steps in the AWS console, making sure to record both the 'access key ID' and 'secret access key'. (The 'secret access key' is only shown once, then can never be retrieved.) + +### Enumerate AWS resources using the credentials + + 1. Start msfconsole + 2. `use auxiliary/cloud/aws/enum_iam` + 3. Set the `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` options. + 4. `run` + +## Options + + **ACCESS_KEY_ID** + + This AWS credential is like a username. It uniquely identifies the user, and is paired with a 'secret access key'. The access key ID is retrievable through the AWS console. + + An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC` + + **SECRET_ACCESS_KEY** + + This AWS credential is like a password, and should be treated as such. It is paired with a 'access key ID'. The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups. + + An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF\2dq3SbDsQj4jdyOMOv`. + + **REGION** + + AWS resources are located in regions. Optionally, this module's output can be filtered based on region to minimize the query to AWS. Alternatively, `REGION` can be left blank, such that all regions will be checked. + + An example region would be `us-west-2`. + + **LIMIT** + + Some AWS API calls support limiting output, such that the module will only reutrn the number of instances, without detailing the configuration of each instance. Optionally, this module's output can be filtered to minimize the query to AWS and the user output. Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed. + + Note that the `LIMIT` parameter is imposed per region, so the total number of results may be higher than the user-specified limit, but the maximum number of results for a single region will not exceed `LIMIT`. This behavior is due to the AWS API. + + An example `LIMIT` would be `10`. + +## Scenarios + +### Provided a valid 'access key ID' and 'secret access key' with sufficient privileges + +``` +msf5 auxiliary(cloud/aws/enum_ec2) > run + +[*] Found 0 instances in eu-north-1 +[*] Found 0 instances in ap-south-1 +[*] Found 0 instances in eu-west-3 +[*] Found 0 instances in eu-west-2 +[*] Found 0 instances in eu-west-1 +[*] Found 0 instances in ap-northeast-2 +[*] Found 0 instances in ap-northeast-1 +[*] Found 0 instances in sa-east-1 +[*] Found 0 instances in ca-central-1 +[*] Found 0 instances in ap-southeast-1 +[*] Found 0 instances in ap-southeast-2 +[*] Found 0 instances in eu-central-1 +[*] Found 0 instances in us-east-1 +[*] Found 0 instances in us-east-2 +[*] Found 0 instances in us-west-1 +[*] Found 1 instances in us-west-2 +[+] i-0f8bb3bbb06faf58d (running) +[+] Creation Date: 2019-06-11 23:14:48 UTC +[+] Public IP: 18.236.87.255 (ec2-18-236-87-255.us-west-2.compute.amazonaws.com) +[+] Private IP: 18.236.87.255 (ip-172-31-30-21.us-west-2.compute.internal) +[+] Security Group: sg-0d52cc35aaf82aff5 +[*] Auxiliary module execution completed +msf5 auxiliary(cloud/aws/enum_ec2) > +``` + +### Provided an invalid or inactive 'access key ID', or an invalid 'secret access key' + +``` +msf5 auxiliary(cloud\aws\enum_ec2) > run + +[-] Auxiliary aborted due to failure: unexpected-reply: AWS was not able to validate the provided access credentials +[*] Auxiliary module execution completed +msf5 auxiliary(cloud\aws\enum_ec2) > +``` + +### Provided an 'access key ID' or 'secret access key' with insufficient privileges + +``` +msf5 auxiliary(cloud\aws\enum_ec2) > run + +[-] Auxiliary aborted due to failure: unexpected-reply: You are not authorized to perform this operation. +[*] Auxiliary module execution completed +msf5 auxiliary(cloud\aws\enum_ec2) > +``` diff --git a/documentation/modules/auxiliary/cloud/aws/enum_s3.md b/documentation/modules/auxiliary/cloud/aws/enum_s3.md new file mode 100644 index 000000000000..c38d9a381faa --- /dev/null +++ b/documentation/modules/auxiliary/cloud/aws/enum_s3.md @@ -0,0 +1,95 @@ +## Vulnerable Application + +Amazon Web Services (AWS) resources can be managed through an API that authenticates based on an `ACCESS_KEY_ID` and a `SECRET_ACCESS_KEY`. With these two pieces of information, an attacker can gain privileges which may include enumerating resources within the AWS account. + +This module authenticates to AWS S3 (Simple Storage Service), to identify buckets that the credentials can see. The files contained within buckets may be publicly readable and/or writable, or they may be locked down. In any case, knowledge of the buckets is the first step in evaluating their security. + +## Verification Steps + +### Create or acquire the credentials + + 1. (If necessary) Create an AWS account. Free trials are available. + 2. Login to the [AWS Console](https://console.aws.amazon.com/). + 3. Use the dropbown menu in the top-right with your username, then click on "My Security Credentials". + 4. Expand the "Access Keys" pane and click "Create New Access Key". + 5. Follow the steps in the AWS console, making sure to record both the 'access key ID' and 'secret access key'. (The 'secret access key' is only shown once, then can never be retrieved.) + +### Enumerate AWS resources using the credentials + + 1. Start msfconsole + 2. `use auxiliary/cloud/aws/enum_s3` + 3. Set the `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` options. + 4. Optionally, set the `REGION` option. + 5. `run` + +## Options + + **ACCESS_KEY_ID** + + This AWS credential is like a username. It uniquely identifies the user, and is paired with a 'secret access key'. The access key ID is retrievable through the AWS console. + + An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC` + + **SECRET_ACCESS_KEY** + + This AWS credential is like a password, and should be treated as such. It is paired with a 'access key ID'. The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups. + + An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF/2dq3SbDsQj4jdyOMOv`. + + **REGION** + + AWS resources are located in regions. Optionally, this module's output can be filtered based on region to minimize the query to AWS. Alternatively, `REGION` can be left blank, such that all regions will be checked. + + An example region would be `us-west-2`. + +## Scenarios + +### Provided a valid 'access key ID' and 'secret access key' with sufficient privileges + +``` +msf5 auxiliary(cloud/aws/enum_s3) > run +[+] Found 1 buckets. +[+] Name: asoto-secret-demo-bucket +[+] Creation Date: 2019-06-13 23:30:26 UTC +[+] # of Objects: 0 +[+] Region: us-west-2 +[+] Website: /index.html +[+] Owner: asoto +[+] Permissions: +[+] User 'asoto' granted FULL_CONTROL +[+] Group '' (http://acs.amazonaws.com/groups/s3/LogDelivery) granted READ +[*] +[*] Done. +[*] Auxiliary module execution completed +msf5 auxiliary(cloud/aws/enum_s3) > exit +``` + +### Provided an invalid or inactive 'access key ID' + +``` +msf5 auxiliary(cloud/aws/enum_s3) > run + +[-] Auxiliary aborted due to failure: unexpected-reply: The AWS Access Key Id you provided does not exist in our records. +[*] Auxiliary module execution completed +msf5 auxiliary(cloud/aws/enum_s3) > +``` + +### Provided an invalid 'secret access key' + +``` +msf5 auxiliary(cloud/aws/enum_s3) > run + +[-] Auxiliary aborted due to failure: unexpected-reply: The request signature we calculated does not match the signature you provided. Check your key and signing method. +[*] Auxiliary module execution completed +msf5 auxiliary(cloud/aws/enum_s3) > +``` + +### Provided an 'access key ID' or 'secret access key' with insufficient privileges + +``` +msf5 auxiliary(cloud/aws/enum_s3) > run + +[-] Auxiliary aborted due to failure: unexpected-reply: Access Denied +[*] Auxiliary module execution completed +msf5 auxiliary(cloud/aws/enum_s3) > +``` diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 288f7ece851f..012ab91050fe 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -198,4 +198,9 @@ Gem::Specification.new do |spec| spec.add_runtime_dependency 'faker' # Pinned as a dependency of i18n to the last working version spec.add_runtime_dependency 'concurrent-ruby','1.0.5' + + # AWS enumeration modules + spec.add_runtime_dependency 'aws-sdk-s3' + spec.add_runtime_dependency 'aws-sdk-ec2' + spec.add_runtime_dependency 'aws-sdk-iam' end diff --git a/modules/auxiliary/cloud/aws/enum_ec2.rb b/modules/auxiliary/cloud/aws/enum_ec2.rb new file mode 100644 index 000000000000..ac4152970a5d --- /dev/null +++ b/modules/auxiliary/cloud/aws/enum_ec2.rb @@ -0,0 +1,93 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'aws-sdk-ec2' + +class MetasploitModule < Msf::Auxiliary + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Amazon Web Services EC2 instance enumeration', + 'Description' => %q( + Provided AWS credentials, this module will call the authenticated + API of Amazon Web Services to list all EC2 instances associated + with the account + ), + 'Author' => ['Aaron Soto '], + 'License' => MSF_LICENSE + ) + ) + + register_options( + [ + OptInt.new('LIMIT', [false, 'Only return the specified number of results from each region']), + OptString.new('REGION', [false, 'AWS Region (eg. "us-west-2")']), + OptString.new('ACCESS_KEY_ID', [true, 'AWS Access Key ID (eg. "AKIAXXXXXXXXXXXXXXXX")', '']), + OptString.new('SECRET_ACCESS_KEY', [true, 'AWS Secret Access Key (eg. "CA1+XXXXXXXXXXXXXXXXXXXXXX6aYDHHCBuLuV79")', '']) + ] + ) + end + + def handle_aws_errors(e) + if e.class.parents.include?(Aws) + fail_with(Failure::UnexpectedReply, e.message) + else + raise e + end + end + + def enumerate_regions + regions = [] + + ec2 = Aws::EC2::Resource.new( + region: 'us-west-1', + access_key_id: datastore['ACCESS_KEY_ID'], + secret_access_key: datastore['SECRET_ACCESS_KEY'] + ) + + ec2_regions = ec2.client.describe_regions.data.regions + ec2_regions.each do |r| + regions.append(r.region_name) + end + + regions + end + + def describe_ec2_instance(i) + print_good " #{i.id} (#{i.state.name})" + print_good " Creation Date: #{i.launch_time}" + print_good " Public IP: #{i.public_ip_address} (#{i.public_dns_name})" + print_good " Private IP: #{i.public_ip_address} (#{i.private_dns_name})" + i.security_groups.each do |s| + print_good " Security Group: #{s.group_id}" + end + end + + def run + regions = datastore['REGION'] ? [datastore['REGION']] : regions = enumerate_regions() + + regions.each do |region| + vprint_status "Checking #{region}..." + ec2 = Aws::EC2::Resource.new( + region: region, + access_key_id: datastore['ACCESS_KEY_ID'], + secret_access_key: datastore['SECRET_ACCESS_KEY'] + ) + + instances = ec2.instances.limit(datastore['LIMIT']) + print_status "Found #{ec2.instances.count} instances in #{region}" + + instances.each do |i| + describe_ec2_instance(i) + end + end + rescue Seahorse::Client::NetworkingError => e + print_error e.message + print_error 'Confirm region name (eg. us-west-2) is valid or blank before retrying' + rescue ::Exception => e + handle_aws_errors(e) + end +end diff --git a/modules/auxiliary/cloud/aws/enum_iam.rb b/modules/auxiliary/cloud/aws/enum_iam.rb new file mode 100644 index 000000000000..1339e222b425 --- /dev/null +++ b/modules/auxiliary/cloud/aws/enum_iam.rb @@ -0,0 +1,123 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'aws-sdk-iam' + +class MetasploitModule < Msf::Auxiliary + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Amazon Web Services IAM credential enumeration', + 'Description' => %q( + Provided AWS credentials, this module will call the authenticated + API of Amazon Web Services to list all IAM credentials associated + with the account + ), + 'Author' => ['Aaron Soto '], + 'License' => MSF_LICENSE + ) + ) + + register_options( + [ + OptString.new('ACCESS_KEY_ID', [true, 'AWS Access Key ID (eg. "AKIAXXXXXXXXXXXXXXXX")', '']), + OptString.new('SECRET_ACCESS_KEY', [true, 'AWS Secret Access Key (eg. "CA1+XXXXXXXXXXXXXXXXXXXXXX6aYDHHCBuLuV79")', '']) + ] + ) + end + + def handle_aws_errors(e) + if e.class.parents.include?(Aws) + fail_with(Failure::UnexpectedReply, e.message) + else + raise e + end + end + + def describe_iam_users(i) + user = i.user_name + + print_good " User Name: #{user}" + print_good " User ID: #{i.user_id}" + print_good " Creation Date: #{i.create_date}" + print_good " Tags: #{i.tags}" + print_good " Groups: #{i.group_list}" + print_good " SSH Pub Keys: #{@iam.list_ssh_public_keys(user_name: user).ssh_public_keys}" + + policies = i.attached_managed_policies + if policies.empty? + print_good " Policies: []" + else + print_good " Policies: #{policies[0].policy_name}" + policies[1..policies.length].each do |p| + print_good " #{p.policy_name}" + end + end + + certs = @iam.list_signing_certificates(user_name: user).certificates + if certs.empty? + print_good " Signing certs: []" + else + print_good " Signing certs: #{certs[0].certificate_id} (#{certs[0].status})" + certs[1..certs.length].each do |c| + print_good " #{c.certificate_id} (#{c.status})" + end + end + + @users.each do |u| + if u.user_name == user + print_good " Password Used: #{u.password_last_used || '(Never)'}" + end + end + + keys = @iam.list_access_keys(user_name: user).access_key_metadata + if keys.empty? + print_good " AWS Access Keys: []" + else + print_good " AWS Access Keys: #{keys[0].access_key_id} (#{keys[0].status})" + keys[1..keys.length].each do |k| + print_good " #{k.access_key_id} (#{k.status})" + end + end + + begin + console_login = @iam.get_login_profile(user_name: user).empty? ? 'Disabled' : 'Enabled' + print_good " Console login: #{console_login}" + rescue Aws::IAM::Errors::NoSuchEntity + print_good " Console login: Disabled" + end + + mfa = @iam.list_mfa_devices(user_name: i.user_name).mfa_devices + mfa_enabled = mfa.empty? ? 'Disabled' : "Enabled on #{mfa[0].enable_date}" + print_good " Two-factor auth: #{mfa_enabled}" + + print_status '' + end + + def run + @iam = Aws::IAM::Client.new( + region: 'us-west-1', # This is meaningless, but required. Thanks AWS. + access_key_id: datastore['ACCESS_KEY_ID'], + secret_access_key: datastore['SECRET_ACCESS_KEY'] + ) + + @users = @iam.list_users.users + creds = @iam.get_account_authorization_details + + users = creds.user_detail_list + if users.empty? + print_status 'No users found.' + return + end + + print_good "Found #{users.count} users." + users.each do |i| + describe_iam_users(i) + end + rescue ::Exception => e + handle_aws_errors(e) + end +end diff --git a/modules/auxiliary/cloud/aws/enum_s3.rb b/modules/auxiliary/cloud/aws/enum_s3.rb new file mode 100644 index 000000000000..5e09beab83a9 --- /dev/null +++ b/modules/auxiliary/cloud/aws/enum_s3.rb @@ -0,0 +1,99 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'aws-sdk-s3' + +class MetasploitModule < Msf::Auxiliary + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Amazon Web Services S3 instance enumeration', + 'Description' => %q( + Provided AWS credentials, this module will call the authenticated + API of Amazon Web Services to list all S3 buckets associated + with the account + ), + 'Author' => ['Aaron Soto '], + 'License' => MSF_LICENSE + ) + ) + + register_options( + [ + OptString.new('REGION', [false, 'AWS Region (eg. "us-west-2")']), + OptString.new('ACCESS_KEY_ID', [true, 'AWS Access Key ID (eg. "AKIAXXXXXXXXXXXXXXXX")', '']), + OptString.new('SECRET_ACCESS_KEY', [true, 'AWS Secret Access Key (eg. "CA1+XXXXXXXXXXXXXXXXXXXXXX6aYDHHCBuLuV79")', '']) + ] + ) + end + + def handle_aws_errors(e) + if e.class.parents.include?(Aws) + fail_with(Failure::UnexpectedReply, e.message) + else + raise e + end + end + + def describe_s3_bucket(i) + print_good " Name: #{i.name}" + print_good " Creation Date: #{i.creation_date}" + print_good " # of Objects: #{@s3.list_objects_v2(bucket: i.name).contents.length}" + print_good " Region: #{@s3.get_bucket_location(bucket: i.name).location_constraint}" + + begin + print_good " Website: /#{@s3.get_bucket_website(bucket: i.name).index_document.suffix}" + rescue Aws::S3::Errors::NoSuchWebsiteConfiguration + print_good " Website: (None)" + end + + acl = @s3.get_bucket_acl(bucket: i.name) + print_good " Owner: #{acl.owner.display_name}" + print_good " Permissions:" + acl.grants.each do |i| + grantee = i.grantee.type == "CanonicalUser" ? "User" : i.grantee.type + grantee << " '#{i.grantee.display_name}'" + grantee << " (#{i.grantee.email_address})" unless i.grantee.email_address.nil? + grantee << " (#{i.grantee.uri})" unless i.grantee.uri.nil? + print_good " #{grantee} granted #{i.permission}" + end + print_status '' + end + + def run + region = datastore['REGION'] + + @s3 = Aws::S3::Client.new( + region: "us-west-2", # This doesn't actually filter anything, but + # it's still required. Thanks AWS. :-( + access_key_id: datastore['ACCESS_KEY_ID'], + secret_access_key: datastore['SECRET_ACCESS_KEY'] + ) + + buckets = @s3.list_buckets.buckets + unless buckets.length > 0 + print_status 'No buckets found.' + return + end + + print_good "Found #{buckets.count} buckets." + if region.nil? + buckets.each do |i| + describe_s3_bucket(i) + end + else + print_good "Listing buckets that match REGION '#{datastore['REGION']}':" + buckets.each do |i| + if @s3.get_bucket_location(bucket: i.name).location_constraint.starts_with? region + describe_s3_bucket(i) + end + end + end + print_status 'Done.' + rescue ::Exception => e + handle_aws_errors(e) + end +end