Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/cloud/aws/enum_iam.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'aws-sdk-iam'

7


8
class MetasploitModule < Msf::Auxiliary

9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Amazon Web Services IAM credential enumeration',

14
        'Description' => %q{

15
          Provided AWS credentials, this module will call the authenticated

16
          API of Amazon Web Services to list all IAM credentials associated

17
          with the account

18
        },

19
        'Author' => ['Aaron Soto <[email protected]>'],

20
        'License' => MSF_LICENSE,

21
        'Notes' => {

22
          'Stability' => [CRASH_SAFE],

23
          'SideEffects' => [IOC_IN_LOGS],

24
          'Reliability' => []

25
        }

26
      )

27
    )

28


29
    register_options(

30
      [

31
        OptString.new('ACCESS_KEY_ID', [true, 'AWS Access Key ID (eg. "AKIAXXXXXXXXXXXXXXXX")', '']),

32
        OptString.new('SECRET_ACCESS_KEY', [true, 'AWS Secret Access Key (eg. "CA1+XXXXXXXXXXXXXXXXXXXXXX6aYDHHCBuLuV79")', ''])

33
      ]

34
    )

35
  end

36


37
  def handle_aws_errors(error)

38
    if error.class.module_parents.include?(Aws)

39
      fail_with(Failure::UnexpectedReply, error.message)

40
    else

41
      raise error

42
    end

43
  end

44


45
  def describe_iam_users(user)

46
    print_good "  User Name:       #{user.user_name}"

47
    print_good "  User ID:         #{user.user_id}"

48
    print_good "  Creation Date:   #{user.create_date}"

49
    print_good "  Tags:            #{user.tags}"

50
    print_good "  Groups:          #{user.group_list}"

51
    print_good "  SSH Pub Keys:    #{@iam.list_ssh_public_keys(user_name: user.user_name).ssh_public_keys}"

52


53
    policies = user.attached_managed_policies

54
    if policies.empty?

55
      print_good '  Policies:        []'

56
    else

57
      print_good "  Policies:        #{policies[0].policy_name}"

58
      policies[1..policies.length].each do |p|

59
        print_good "                   #{p.policy_name}"

60
      end

61
    end

62


63
    certs = @iam.list_signing_certificates(user_name: user.user_name).certificates

64
    if certs.empty?

65
      print_good '  Signing certs:   []'

66
    else

67
      print_good "  Signing certs:   #{certs[0].certificate_id} (#{certs[0].status})"

68
      certs[1..certs.length].each do |c|

69
        print_good "                   #{c.certificate_id} (#{c.status})"

70
      end

71
    end

72


73
    @users.each do |u|

74
      if u.user_name == user.user_name

75
        print_good "  Password Used:   #{u.password_last_used || '(Never)'}"

76
      end

77
    end

78


79
    keys = @iam.list_access_keys(user_name: user.user_name).access_key_metadata

80
    if keys.empty?

81
      print_good '  AWS Access Keys: []'

82
    else

83
      print_good "  AWS Access Keys: #{keys[0].access_key_id} (#{keys[0].status})"

84
      keys[1..keys.length].each do |k|

85
        print_good "                   #{k.access_key_id} (#{k.status})"

86
      end

87
    end

88


89
    begin

90
      console_login = @iam.get_login_profile(user_name: user.user_name).empty? ? 'Disabled' : 'Enabled'

91
      print_good "  Console login:   #{console_login}"

92
    rescue Aws::IAM::Errors::NoSuchEntity

93
      print_good '  Console login:   Disabled'

94
    end

95


96
    mfa = @iam.list_mfa_devices(user_name: user.user_name).mfa_devices

97
    mfa_enabled = mfa.empty? ? 'Disabled' : "Enabled on #{mfa[0].enable_date}"

98
    print_good "  Two-factor auth: #{mfa_enabled}"

99


100
    print_status ''

101
  end

102


103
  def run

104
    @iam = Aws::IAM::Client.new(

105
      region: 'us-west-1', # This is meaningless, but required.  Thanks AWS.

106
      access_key_id: datastore['ACCESS_KEY_ID'],

107
      secret_access_key: datastore['SECRET_ACCESS_KEY']

108
    )

109


110
    @users = @iam.list_users.users

111
    creds = @iam.get_account_authorization_details

112


113
    users = creds.user_detail_list

114
    if users.empty?

115
      print_status 'No users found.'

116
      return

117
    end

118


119
    print_good "Found #{users.count} users."

120
    users.each do |user|

121
      describe_iam_users(user)

122
    end

123
  rescue StandardError => e

124
    handle_aws_errors(e)

125
  end

126
end

127


128