Amazon Web Services EC2 instance enumeration - Metasploit


This page contains detailed information about how to use the auxiliary/cloud/aws/enum_ec2 metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Amazon Web Services EC2 instance enumeration
Module: auxiliary/cloud/aws/enum_ec2
Source code: modules/auxiliary/cloud/aws/enum_ec2.rb
Disclosure date: -
Last modification time: 2021-05-27 15:15:31 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

Provided AWS credentials, this module will call the authenticated API of Amazon Web Services to list all EC2 instances associated with the account

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use auxiliary/cloud/aws/enum_ec2
msf auxiliary(enum_ec2) > show targets
    ... a list of targets ...
msf auxiliary(enum_ec2) > set TARGET target-id
msf auxiliary(enum_ec2) > show options
    ... show and set options ...
msf auxiliary(enum_ec2) > exploit

Knowledge Base

Vulnerable Application

Amazon Web Services (AWS) resources can be managed through an API that authenticates based on an ACCESS_KEY_ID and a SECRET_ACCESS_KEY. With these two pieces of information, an attacker can gain privileges which may include enumerating resources within the AWS account.

This module authenticates to AWS EC2 (Elastic Compute Cloud) to identify compute instances that the credentials can see. The instances themselves may be connected to the public Internet, but are likely to be protected by security groups and subnet network ACLs. In any case, knowledge of the instances is the first step in evaluating their security.

Verification Steps

Create or acquire the credentials

  1. (If necessary) Create an AWS account. Free trials are available.
  2. Login to the [AWS Console](https:\console.aws.amazon.com).
  3. Use the dropbown menu in the top-right with your username, then click on "My Security Credentials".
  4. Expand the "Access Keys" pane and click "Create New Access Key".
  5. Follow the steps in the AWS console, making sure to record both the 'access key ID' and 'secret access key'. (The 'secret access key' is only shown once, then can never be retrieved.)

Enumerate AWS resources using the credentials

  1. Start msfconsole
  2. use auxiliary/cloud/aws/enum_ec2
  3. Set the ACCESS_KEY_ID and SECRET_ACCESS_KEY options.
  4. Optionally, set the REGION and LIMIT options.
  5. run

Options

ACCESS_KEY_ID

This AWS credential is like a username. It uniquely identifies the user, and is paired with a 'secret access key'. The access key ID is retrievable through the AWS console.

An example ACCESS_KEY_ID would be AKIA5C76TR3KXHXA5CRC

SECRET_ACCESS_KEY

This AWS credential is like a password, and should be treated as such. It is paired with a 'access key ID'. The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.

An example SECRET_ACCESS_KEY would be EKfx3wOWWiGk1WgBTAZfF\2dq3SbDsQj4jdyOMOv.

Scenarios

Provided a valid 'access key ID' and 'secret access key' with sufficient privileges

msf5 auxiliary(cloud/aws/enum_iam) > run

[+] Found 3 users.
[+]   User Name:       test1
[+]   User ID:         AIDA5C76TR3KTTO3PTAJ7
[+]   Creation Date:   2019-06-14 18:18:23 UTC
[+]   Tags:            []
[+]   Groups:          []
[+]   SSH Pub Keys:    []
[+]   Policies:        IAMUserChangePassword
[+]   Signing certs:   []
[+]   Password Used:   2019-06-17 19:55:57 UTC
[+]   AWS Access Keys: AKIA5C76TR3K3JN3FYUE (Active)
[+]   Console login:   Enabled
[+]   Two-factor auth: Enabled on 2019-06-17 20:01:05 UTC
[*] 
[+]   User Name:       test2
[+]   User ID:         AIDA5C76TR3KVHWFEQSDL
[+]   Creation Date:   2019-06-14 18:18:35 UTC
[+]   Tags:            []
[+]   Groups:          ["mygroup", "mygroup2"]
[+]   SSH Pub Keys:    []
[+]   Policies:        IAMUserChangePassword
[+]   Signing certs:   []
[+]   Password Used:   (Never)
[+]   AWS Access Keys: AKIA5C76TR3KXHXA5CRC (Inactive)
[+]   Console login:   Enabled
[+]   Two-factor auth: Disabled
[*] 
[+]   User Name:       test3
[+]   User ID:         AIDA5C76TR3KYI2HC4MOL
[+]   Creation Date:   2019-06-14 18:18:44 UTC
[+]   Tags:            []
[+]   Groups:          ["mygroup"]
[+]   SSH Pub Keys:    []
[+]   Policies:        []
[+]   Signing certs:   []
[+]   Password Used:   (Never)
[+]   AWS Access Keys: AKIA5C76TR3KWWADYZNB (Active)
[+]   Console login:   Disabled
[+]   Two-factor auth: Disabled
[*] 
[*] Auxiliary module execution completed

Provided an invalid or inactive 'access key ID'

msf5 auxiliary(cloud/aws/enum_iam) > run

[-] Auxiliary aborted due to failure: unexpected-reply: The security token included in the request is invalid.
[*] Auxiliary module execution completed
msf5 auxiliary(cloud/aws/enum_iam) >

Provided an invalid 'secret access key'

msf5 auxiliary(cloud/aws/enum_iam) > run

[-] Auxiliary aborted due to failure: unexpected-reply: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
[*] Auxiliary module execution completed
msf5 auxiliary(cloud/aws/enum_iam) >

Provided an 'access key ID' or 'secret access key' with insufficient privileges

msf5 auxiliary(cloud\aws\enum_ec2) > run

[-] Auxiliary aborted due to failure: unexpected-reply: User: arn:aws:iam::899712345657:user/test1 is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::899712345657:user/
[*] Auxiliary module execution completed
msf5 auxiliary(cloud\aws\enum_ec2) >

Go back to menu.

Msfconsole Usage

Here is how the cloud/aws/enum_ec2 auxiliary module looks in the msfconsole:

msf6 > use auxiliary/cloud/aws/enum_ec2

msf6 auxiliary(cloud/aws/enum_ec2) > show info

       Name: Amazon Web Services EC2 instance enumeration
     Module: auxiliary/cloud/aws/enum_ec2
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Aaron Soto <[email protected]>

Check supported:
  No

Basic options:
  Name               Current Setting  Required  Description
  ----               ---------------  --------  -----------
  ACCESS_KEY_ID                       yes       AWS Access Key ID (eg. "AKIAXXXXXXXXXXXXXXXX")
  LIMIT                               no        Only return the specified number of results from each region
  REGION                              no        AWS Region (eg. "us-west-2")
  SECRET_ACCESS_KEY                   yes       AWS Secret Access Key (eg. "CA1+XXXXXXXXXXXXXXXXXXXXXX6aYDHHCBuLuV79")

Description:
  Provided AWS credentials, this module will call the authenticated 
  API of Amazon Web Services to list all EC2 instances associated with 
  the account

Module Options

This is a complete list of options available in the cloud/aws/enum_ec2 auxiliary module:

msf6 auxiliary(cloud/aws/enum_ec2) > show options

Module options (auxiliary/cloud/aws/enum_ec2):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ACCESS_KEY_ID                       yes       AWS Access Key ID (eg. "AKIAXXXXXXXXXXXXXXXX")
   LIMIT                               no        Only return the specified number of results from each region
   REGION                              no        AWS Region (eg. "us-west-2")
   SECRET_ACCESS_KEY                   yes       AWS Secret Access Key (eg. "CA1+XXXXXXXXXXXXXXXXXXXXXX6aYDHHCBuLuV79")

Advanced Options

Here is a complete list of advanced options supported by the cloud/aws/enum_ec2 auxiliary module:

msf6 auxiliary(cloud/aws/enum_ec2) > show advanced

Module advanced options (auxiliary/cloud/aws/enum_ec2):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the cloud/aws/enum_ec2 module can do:

msf6 auxiliary(cloud/aws/enum_ec2) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the cloud/aws/enum_ec2 auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(cloud/aws/enum_ec2) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Confirm region name (eg. us-west-2) is valid or blank before retrying

Here is a relevant code snippet related to the "Confirm region name (eg. us-west-2) is valid or blank before retrying" error message:

83:	      instances.each do |i|
84:	        describe_ec2_instance(i)
85:	      end
86:	    end
87:	  rescue Seahorse::Client::NetworkingError => e
88:	    print_error e.message
89:	    print_error 'Confirm region name (eg. us-west-2) is valid or blank before retrying'
90:	  rescue ::Exception => e
91:	    handle_aws_errors(e)
92:	  end
93:	end

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.