Amazon Web Services S3 instance enumeration - Metasploit
This page contains detailed information about how to use the auxiliary/cloud/aws/enum_s3 metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Amazon Web Services S3 instance enumeration
Module: auxiliary/cloud/aws/enum_s3
Source code: modules/auxiliary/cloud/aws/enum_s3.rb
Disclosure date: -
Last modification time: 2021-05-27 15:15:31 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Provided AWS credentials, this module will call the authenticated API of Amazon Web Services to list all S3 buckets associated with the account
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/cloud/aws/enum_s3
msf auxiliary(enum_s3) > show targets
... a list of targets ...
msf auxiliary(enum_s3) > set TARGET target-id
msf auxiliary(enum_s3) > show options
... show and set options ...
msf auxiliary(enum_s3) > exploit
Knowledge Base
Vulnerable Application
Amazon Web Services (AWS) resources can be managed through an API that authenticates based on an ACCESS_KEY_ID and a SECRET_ACCESS_KEY. With these two pieces of information, an attacker can gain privileges which may include enumerating resources within the AWS account.
This module authenticates to AWS S3 (Simple Storage Service), to identify buckets that the credentials can see. The files contained within buckets may be publicly readable and/or writable, or they may be locked down. In any case, knowledge of the buckets is the first step in evaluating their security.
Verification Steps
Create or acquire the credentials
- (If necessary) Create an AWS account. Free trials are available.
- Login to the AWS Console.
- Use the dropbown menu in the top-right with your username, then click on "My Security Credentials".
- Expand the "Access Keys" pane and click "Create New Access Key".
- Follow the steps in the AWS console, making sure to record both the 'access key ID' and 'secret access key'. (The 'secret access key' is only shown once, then can never be retrieved.)
Enumerate AWS resources using the credentials
- Start msfconsole
use auxiliary/cloud/aws/enum_s3- Set the
ACCESS_KEY_IDandSECRET_ACCESS_KEYoptions. - Optionally, set the
REGIONoption. run
Options
ACCESS_KEY_ID
This AWS credential is like a username. It uniquely identifies the user, and is paired with a 'secret access key'. The access key ID is retrievable through the AWS console.
An example ACCESS_KEY_ID would be AKIA5C76TR3KXHXA5CRC
SECRET_ACCESS_KEY
This AWS credential is like a password, and should be treated as such. It is paired with a 'access key ID'. The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
An example SECRET_ACCESS_KEY would be EKfx3wOWWiGk1WgBTAZfF/2dq3SbDsQj4jdyOMOv.
REGION
AWS resources are located in regions. Optionally, this module's output can be filtered based on region to minimize the query to AWS. Alternatively, REGION can be left blank, such that all regions will be checked.
An example region would be us-west-2.
Scenarios
Provided a valid 'access key ID' and 'secret access key' with sufficient privileges
msf5 auxiliary(cloud/aws/enum_s3) > run
[+] Found 1 buckets.
[+] Name: asoto-secret-demo-bucket
[+] Creation Date: 2019-06-13 23:30:26 UTC
[+] # of Objects: 0
[+] Region: us-west-2
[+] Website: /index.html
[+] Owner: asoto
[+] Permissions:
[+] User 'asoto' granted FULL_CONTROL
[+] Group '' (http://acs.amazonaws.com/groups/s3/LogDelivery) granted READ
[*]
[*] Done.
[*] Auxiliary module execution completed
msf5 auxiliary(cloud/aws/enum_s3) > exit
Provided an invalid or inactive 'access key ID'
msf5 auxiliary(cloud/aws/enum_s3) > run
[-] Auxiliary aborted due to failure: unexpected-reply: The AWS Access Key Id you provided does not exist in our records.
[*] Auxiliary module execution completed
msf5 auxiliary(cloud/aws/enum_s3) >
Provided an invalid 'secret access key'
msf5 auxiliary(cloud/aws/enum_s3) > run
[-] Auxiliary aborted due to failure: unexpected-reply: The request signature we calculated does not match the signature you provided. Check your key and signing method.
[*] Auxiliary module execution completed
msf5 auxiliary(cloud/aws/enum_s3) >
Provided an 'access key ID' or 'secret access key' with insufficient privileges
msf5 auxiliary(cloud/aws/enum_s3) > run
[-] Auxiliary aborted due to failure: unexpected-reply: Access Denied
[*] Auxiliary module execution completed
msf5 auxiliary(cloud/aws/enum_s3) >
Go back to menu.
Msfconsole Usage
Here is how the cloud/aws/enum_s3 auxiliary module looks in the msfconsole:
msf6 > use auxiliary/cloud/aws/enum_s3
msf6 auxiliary(cloud/aws/enum_s3) > show info
Name: Amazon Web Services S3 instance enumeration
Module: auxiliary/cloud/aws/enum_s3
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Aaron Soto <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ACCESS_KEY_ID yes AWS Access Key ID (eg. "AKIAXXXXXXXXXXXXXXXX")
REGION no AWS Region (eg. "us-west-2")
SECRET_ACCESS_KEY yes AWS Secret Access Key (eg. "CA1+XXXXXXXXXXXXXXXXXXXXXX6aYDHHCBuLuV79")
Description:
Provided AWS credentials, this module will call the authenticated
API of Amazon Web Services to list all S3 buckets associated with
the account
Module Options
This is a complete list of options available in the cloud/aws/enum_s3 auxiliary module:
msf6 auxiliary(cloud/aws/enum_s3) > show options
Module options (auxiliary/cloud/aws/enum_s3):
Name Current Setting Required Description
---- --------------- -------- -----------
ACCESS_KEY_ID yes AWS Access Key ID (eg. "AKIAXXXXXXXXXXXXXXXX")
REGION no AWS Region (eg. "us-west-2")
SECRET_ACCESS_KEY yes AWS Secret Access Key (eg. "CA1+XXXXXXXXXXXXXXXXXXXXXX6aYDHHCBuLuV79")
Advanced Options
Here is a complete list of advanced options supported by the cloud/aws/enum_s3 auxiliary module:
msf6 auxiliary(cloud/aws/enum_s3) > show advanced
Module advanced options (auxiliary/cloud/aws/enum_s3):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the cloud/aws/enum_s3 module can do:
msf6 auxiliary(cloud/aws/enum_s3) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the cloud/aws/enum_s3 auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(cloud/aws/enum_s3) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
No buckets found.
Here is a relevant code snippet related to the "No buckets found." error message:
73: secret_access_key: datastore['SECRET_ACCESS_KEY']
74: )
75:
76: buckets = @s3.list_buckets.buckets
77: unless buckets.length > 0
78: print_status 'No buckets found.'
79: return
80: end
81:
82: print_good "Found #{buckets.count} buckets."
83: if region.nil?
Go back to menu.
Related Pull Requests
- #15493 Merged Pull Request: Rails 6.1 upgrade
- #11977 Merged Pull Request: AWS EC2, S3, and IAM Enumeration
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/admin/aws/aws_launch_instances
- auxiliary/cloud/aws/enum_ec2
- auxiliary/cloud/aws/enum_iam
- auxiliary/scanner/http/yaws_traversal
- exploit/unix/webapp/awstats_configdir_exec
- exploit/unix/webapp/awstats_migrate_exec
- exploit/unix/webapp/awstatstotals_multisort
- post/multi/escalate/aws_create_iam_user
- post/multi/gather/aws_ec2_instance_metadata
- post/multi/gather/aws_keys
- exploit/multi/kubernetes/exec
- auxiliary/cloud/kubernetes/enum_kubernetes
- auxiliary/gather/enum_dns
- auxiliary/scanner/http/enum_wayback
- exploit/windows/fileformat/mjm_coreplayer2011_s3m
- exploit/windows/fileformat/mjm_quickplayer_s3m
- exploit/windows/fileformat/vlc_modplug_s3m
- auxiliary/scanner/misc/rosewill_rxs3211_passwords
- exploit/linux/local/ntfs3g_priv_esc
- exploit/unix/webapp/nagios3_history_cgi
- exploit/unix/webapp/nagios3_statuswml_ping
- exploit/windows/browser/awingsoft_winds3d_sceneurl
Authors
- Aaron Soto <[email protected]>
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.
