
AWS EC2, S3, and IAM Enumeration #11977

Merged
merged 16 commits into from Jun 27, 2019

@asoto-r7 (Contributor) commented Jun 14, 2019

Ready for testing and landing

It'd be nice for Metasploit to support enumerating AWS resources. In the short term, that might be limited to AWS credentials and EC2, S3, and IAM enumeration. In the future, we might add support for pulling credentials from a target, enumerating additional AWS resources, supporting two-factor authentication, and other user-provided suggestions.

Roadmap:

  • Write a module for AWS EC2 instance enumeration
  • Write a module for AWS S3 bucket enumeration
  • Write a module for AWS IAM user enumeration
  • Consider centralizing common code (error handling, region enumeration, etc) -- Nah. Not worth it right now.
  • Consider updating the metasploit_data_model to support information about cloud-based hosts (EC2), loot (S3), and creds (IAM). -- Maybe in a later PR, after we get a feel for other environments.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/cloud/aws/enum_ec2
  • Set ACCESS_KEY_ID and SECRET_ACCESS_KEY options
  • run
  • Observe something similar to the following:
[+] Found 1 instances in us-west-2:
[+]   i-0f8bb3bbb06faf58d (running)
[+]     Creation Date:  2019-06-11 23:14:48 UTC
[+]     Public IP:      18.236.87.255 (ec2-18-236-87-255.us-west-2.compute.amazonaws.com)
[+]     Private IP:     18.236.87.255 (ip-172-31-30-21.us-west-2.compute.internal)
[+]     Security Group: sg-0d52cc35aaf82aff5
[*] Auxiliary module execution completed
  • use auxiliary/cloud/aws/enum_s3
  • Set ACCESS_KEY_ID and SECRET_ACCESS_KEY options
  • run
  • Observe something similar to the following:
[+] Found 1 buckets.
[+]   Name:           asoto-r7-bucket
[+]   Creation Date:  2019-06-13 23:30:26 UTC
[+]   # of Objects:   0
[+]   Region:         us-west-2
[+]   Website:        /index.html
[+]   Owner:          asoto-r7
[+]   Permissions:
[+]                   User 'asoto-r7' granted FULL_CONTROL
[+]                   Group '' (http://acs.amazonaws.com/groups/s3/LogDelivery) granted READ
[+] 
[+] Done.
  • use auxiliary/cloud/aws/enum_iam
  • Set ACCESS_KEY_ID and SECRET_ACCESS_KEY options
  • run
  • Observe something similar to the following:
[+] Found 3 users.
[+]   User Name:       test1
[+]   User ID:         AIDA5C76TR3KTTO3PTAJ7
[+]   Creation Date:   2019-06-14 18:18:23 UTC
[+]   Tags:            []
[+]   Groups:          []
[+]   SSH Pub Keys:    []
[+]   Policies:        AlexaForBusinessFullAccess
[+]                    AdministratorAccess
[+]                    IAMUserChangePassword
[+]   Signing certs:   []
[+]   Password Used:   2019-06-17 19:55:57 UTC
[+]   AWS Access Keys: AKIA5C76TR3KRDKAATIV (Active)
[+]                    AKIA5C76TR3K23AASHX5 (Active)
[+]   Console login:   Enabled
[+]   Two-factor auth: Enabled on 2019-06-17 20:01:05 UTC
[+] 
[+]   User Name:       test2
[+]   User ID:         AIDA5C76TR3KVHWFAASDL
[+]   Creation Date:   2019-06-14 18:18:35 UTC
[+]   Tags:            []
[+]   Groups:          ["mygroup", "mygroup2"]
[+]   SSH Pub Keys:    []
[+]   Policies:        IAMUserChangePassword
[+]   Signing certs:   []
[+]   Password Used:   (Never)
[+]   AWS Access Keys: []
[+]   Console login:   Enabled
[+]   Two-factor auth: Disabled
[+] 
[+]   User Name:       test3
[+]   User ID:         AIDA5C76TR3KYI2HAAMOL
[+]   Creation Date:   2019-06-14 18:18:44 UTC
[+]   Tags:            []
[+]   Groups:          ["mygroup"]
[+]   SSH Pub Keys:    []
[+]   Policies:        []
[+]   Signing certs:   []
[+]   Password Used:   (Never)
[+]   AWS Access Keys: AKIA5C76TR3KWWADYZNB (Active)
[+]   Console login:   []
[+]   Two-factor auth: Disabled
[+] 
[*] Auxiliary module execution completed
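An added example, not code from the PR: a small Ruby parser for the enum_iam text shown above, with a defender's triage of each user (console login without MFA, AdministratorAccess attached, active access keys without MFA). It assumes the IAM field layout in the verification output; the sample is trimmed from that output.

```ruby
# Added example (not the PR's own code): parse enum_iam's printed output and triage it.
SAMPLE = <<~OUT
  [+]   User Name:       test1
  [+]   Policies:        AlexaForBusinessFullAccess
  [+]                    AdministratorAccess
  [+]   AWS Access Keys: AKIA5C76TR3KRDKAATIV (Active)
  [+]                    AKIA5C76TR3K23AASHX5 (Active)
  [+]   Console login:   Enabled
  [+]   Two-factor auth: Enabled on 2019-06-17 20:01:05 UTC
  [+]   User Name:       test2
  [+]   AWS Access Keys: []
  [+]   Console login:   Enabled
  [+]   Two-factor auth: Disabled
  [+]   User Name:       test3
  [+]   AWS Access Keys: AKIA5C76TR3KWWADYZNB (Active)
  [+]   Console login:   []
  [+]   Two-factor auth: Disabled
  [*] Auxiliary module execution completed
OUT
KEY_RE = /\A([A-Z][\w #-]*?):\s+(.*)\z/   # "Field name:   value"

# One hash per user; every field is an array because a value can continue on following lines.
def parse_enum_iam(output)
  users, key = [], nil
  output.each_line do |raw|
    line = raw.sub(/\A\[\+\]\s*/, '').rstrip          # drop the msf "[+]" prefix
    next if line.empty? || !raw.start_with?('[+]')    # blank or "[*]" status lines
    if (m = KEY_RE.match(line))
      users << {} if m[1] == 'User Name' || users.empty?
      key = m[1]
      users.last[key] = [m[2]]
    elsif key
      users.last[key] << line                         # continuation line
    end
  end
  users
end

# Defender's triage of one parsed user: the conditions an account review flags.
def iam_findings(user)
  f = ->(k) { user.fetch(k, []) }
  mfa = f['Two-factor auth'].first.to_s.start_with?('Enabled')
  active = f['AWS Access Keys'].count { |k| k.include?('(Active)') }
  findings = []
  findings << 'console login without MFA' if f['Console login'].first == 'Enabled' && !mfa
  findings << 'AdministratorAccess attached' if f['Policies'].include?('AdministratorAccess')
  findings << "#{active} active access key(s) without MFA" if active > 0 && !mfa
  findings
end
```

Run against the full module output, every IAM field (User ID, Groups, Password Used, ...) lands in the same per-user hash, so further checks only need another line in iam_findings.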

asoto-r7 added some commits Jun 12, 2019


@asoto-r7 asoto-r7 changed the title AWS support: EC2 Enumeration (and more on the way) WIP: AWS support for EC2 and S3 Enumeration Jun 14, 2019

@asoto-r7 asoto-r7 changed the title WIP: AWS support for EC2 and S3 Enumeration WIP: AWS EC2 and S3 Enumeration Jun 14, 2019

@sempervictus (Contributor) commented Jun 14, 2019

I think I pushed a lab overhaul using one of the higher level libs like fog before.
If we are going to do cloud enum, we might as well do it for all/most cloud APIs, was the thought. The problem I ran into was that the Rex override for net/http was required to do it over pivots, which iirc was a blocker.
Will dig deeper into this, thanks much, most clients without cloud resources aren't hiring pentesters...

asoto-r7 added some commits Jun 14, 2019

@asoto-r7 (Contributor, Author) commented Jun 17, 2019

Appeased the Travis gods tests, and addressed the excellent code review from @jrobles-r7. Thanks, Jacob! 👍

@asoto-r7 asoto-r7 changed the title WIP: AWS EC2 and S3 Enumeration WIP: AWS EC2, S3, and IAM Enumeration Jun 20, 2019

@asoto-r7 asoto-r7 changed the title WIP: AWS EC2, S3, and IAM Enumeration AWS EC2, S3, and IAM Enumeration Jun 20, 2019

@asoto-r7 asoto-r7 removed the delayed label Jun 20, 2019

jrobles-r7 added some commits Jun 24, 2019

Adjust logic
Early return to reduce nesting ifs
@jrobles-r7 (Contributor) commented Jun 24, 2019

Untested changes asoto-r7#3

@jrobles-r7 (Contributor) commented Jun 25, 2019

Should this PR include Gemfile.lock changes? When I tested the PR the Gemfile.lock file was updated.

The module docs are still needed.

asoto-r7 added some commits Jun 25, 2019

@wvu-r7 (Contributor) approved these changes Jun 26, 2019 and left a comment

Code and docs look solid. Was thinking of suggesting Rex::Text::Table, but some of the output has its own structure and isn't only text. Might not be suitable. Good job!

@wvu-r7 wvu-r7 removed the needs-docs label Jun 26, 2019

asoto-r7 added some commits Jun 26, 2019

@jhart-r7 (Contributor) commented Jun 27, 2019

This is great. One nice addition to the EC2 instance enumeration code would be to pull EC2 user/instance metadata which can be a great source of intel, oftentimes including keys/passwords and code.

@asoto-r7 asoto-r7 merged commit 7de8d76 into rapid7:master Jun 27, 2019


asoto-r7 added a commit that referenced this pull request Jun 27, 2019

@asoto-r7 (Contributor, Author) commented Jun 27, 2019

Release Notes

Three new modules (auxiliary/cloud/aws/enum_ec2, auxiliary/cloud/aws/enum_iam, and auxiliary/cloud/aws/enum_s3) allow enumeration of Amazon Web Services EC2, IAM, and S3 resources, when provided AWS credentials.
