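##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'aws-sdk-iam'

class MetasploitModule < Msf::Auxiliary
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Amazon Web Services IAM credential enumeration',
        'Description' => %q{
          Provided AWS credentials, this module will call the authenticated
          API of Amazon Web Services to list all IAM credentials associated
          with the account
        },
        'Author' => ['Aaron Soto <[email protected]>'],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('ACCESS_KEY_ID', [true, 'AWS Access Key ID (eg. "AKIAXXXXXXXXXXXXXXXX")', '']),
        OptString.new('SECRET_ACCESS_KEY', [true, 'AWS Secret Access Key (eg. "CA1+XXXXXXXXXXXXXXXXXXXXXX6aYDHHCBuLuV79")', '']),
        # IAM is a global service, but the SDK still needs a region to build the
        # endpoint. The default keeps the previous hard-coded behaviour; only
        # credentials from another partition (e.g. GovCloud) need to override it.
        OptString.new('REGION', [false, 'AWS region used to build the IAM endpoint', 'us-west-1'])
      ]
    )
  end

  # Turns an exception raised during the run into a clean module failure when it
  # came from the AWS SDK (service errors such as InvalidClientTokenId or
  # AccessDenied live under Aws::*, transport failures under Seahorse::*).
  # Anything else is a defect in the module and is re-raised with its backtrace.
  #
  # @param error [StandardError] the exception caught in #run
  # @raise [StandardError] the original error when it is not an SDK error
  def handle_aws_errors(error)
    namespaces = error.class.module_parents
    if namespaces.include?(Aws) || namespaces.include?(Seahorse)
      fail_with(Failure::UnexpectedReply, error.message)
    else
      raise error
    end
  end

  # Prints everything IAM reports about one user: identity, group and managed
  # policy attachments, and every credential type that can authenticate as it
  # (SSH public keys, signing certificates, access keys, console password, MFA).
  #
  # @param user [Aws::IAM::Types::UserDetail] one entry of
  #   get_account_authorization_details#user_detail_list
  def describe_iam_users(user)
    name = user.user_name

    print_good "  User Name: #{name}"
    print_good "  User ID: #{user.user_id}"
    print_good "  Creation Date: #{user.create_date}"
    print_good "  Tags: #{user.tags}"
    print_good "  Groups: #{user.group_list}"
    print_good "  SSH Pub Keys: #{@iam.list_ssh_public_keys(user_name: name).ssh_public_keys}"

    print_list('Policies', user.attached_managed_policies.map(&:policy_name))

    certs = @iam.list_signing_certificates(user_name: name).certificates
    print_list('Signing certs', certs.map { |c| "#{c.certificate_id} (#{c.status})" })

    # password_last_used is only returned by list_users, not by
    # get_account_authorization_details, so look the user up in that listing.
    listed = @users.find { |u| u.user_name == name }
    print_good "  Password Used: #{listed.password_last_used || '(Never)'}" if listed

    keys = @iam.list_access_keys(user_name: name).access_key_metadata
    print_list('AWS Access Keys', keys.map { |k| "#{k.access_key_id} (#{k.status})" })

    print_good "  Console login: #{console_login_state(name)}"

    mfa = @iam.list_mfa_devices(user_name: name).mfa_devices
    mfa_state = mfa.empty? ? 'Disabled' : "Enabled on #{mfa.first.enable_date}"
    print_good "  Two-factor auth: #{mfa_state}"

    print_status ''
  end

  # Entry point: authenticates with the supplied key pair, lists every IAM user
  # in the account and describes each one. SDK errors (bad credentials,
  # AccessDenied, network failures) end the run through #handle_aws_errors.
  def run
    @iam = Aws::IAM::Client.new(
      region: datastore['REGION'],
      access_key_id: datastore['ACCESS_KEY_ID'],
      secret_access_key: datastore['SECRET_ACCESS_KEY']
    )

    # Both listings are paginated (100 items per page by default); reading only
    # the first response would silently truncate the enumeration in accounts
    # with many users.
    @users = collect_pages(@iam.list_users, :users)
    users = collect_pages(@iam.get_account_authorization_details, :user_detail_list)

    if users.empty?
      print_status 'No users found.'
      return
    end

    print_good "Found #{users.count} users."
    users.each { |user| describe_iam_users(user) }
  rescue StandardError => e
    handle_aws_errors(e)
  end

  private

  # Prints "label: first" and then each remaining value on its own line,
  # indented under the first value. An empty list prints "label: []" so the
  # field is still visible in the output.
  #
  # @param label [String] field name
  # @param values [Array<#to_s>] values to print
  def print_list(label, values)
    if values.empty?
      print_good "  #{label}: []"
      return
    end

    first, *rest = values
    print_good "  #{label}: #{first}"
    indent = ' ' * (label.length + 2)
    rest.each { |v| print_good "  #{indent}#{v}" }
  end

  # 'Enabled' when the user has a console password (a login profile exists),
  # 'Disabled' when IAM reports no such entity or an empty profile.
  #
  # @param name [String] IAM user name
  # @return [String]
  def console_login_state(name)
    @iam.get_login_profile(user_name: name).empty? ? 'Disabled' : 'Enabled'
  rescue Aws::IAM::Errors::NoSuchEntity
    'Disabled'
  end

  # Walks every page of a paginated SDK response and concatenates +member+
  # from each page.
  #
  # @param response [Aws::PageableResponse] first page of a paginated call
  # @param member [Symbol] name of the list attribute on each page
  # @return [Array] all items across all pages
  def collect_pages(response, member)
    items = []
    response.each_page { |page| items.concat(page.public_send(member)) }
    items
  end
end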