EC2 Metadata Extractor

October 16th at 6:27am

While performing a security assessment this last week I found that the applications ran in a containerized environment on AWS EC2 instances. The EC2 meta-data service was available to be queried from within these application containers (not a best practice) and exposes a rich array of information for any would-be attackers who can gain a shell into the container or cause the application to perform SSRF against the local metadata service endpoint.

I wanted a quick way to query all of the meta data and user-data exposed by the EC2 meta-data service and created this metadata extractor script.

What is this?

A shell script that can enumerate/walk the EC2 metadata service endpoint (http://169.254.169.254/latest).

How does it work?

The EC2 metadata service exposes a number of informative endpoints that can be used to learn about the EC2 instance like:

user data script
AWS Role assigned to the instance
Temporary AWS access credentials that let you interact with AWS as if you were the EC2 instance
Information exposure about IP addresses, hostnames, security groups, subnets, etc...

This script leverages wget to recursively list the http endpoints returned by the API. It walks through all 'subdirectories' to expose all nested endpoints.

What shells will it work with?

I targeted the script to work against the ASH shell that ships with busybox. It may work on bash or other shells, but has not been tested outside busybox.

Download / More information

The script is available for download from the ec2-metadata-extractor repository. It is Apache 2.0 licensed, enjoy!