
IMDSPOOF - Spoof AWS Metadata to Detect and Deceive Attackers
IMDSPOOF is a cyber deception tool designed to spoof the AWS Instance Metadata Service (IMDS).
It is built for blue teams to detect and mislead attackers who try to exploit AWS environments by pulling credentials from the IMDS endpoint.
What Does IMDSPOOF Do?
Attackers often escalate privileges or move laterally in cloud environments by retrieving AWS access keys from the IMDS endpoint located at:
http://169.254.169.254/latest/meta-data/iam/security-credentials/<user>
IMDSPOOF intercepts traffic directed to this endpoint, rerouting it to a local web server that serves fake data. By inserting honey tokens into the spoofed IMDS response, blue teams can detect unauthorized access attempts and monitor attacker behavior.
Who Should Use IMDSPOOF?
IMDSPOOF is intended for blue teams managing AWS EC2 instances that are NOT actively using the IMDS service (version 1 or 2).
Key Use Case:
- Tricking attackers into interacting with a fake IMDS service, making them believe they are accessing legitimate credentials.
Important Warning:
If your EC2 instance relies on the IMDS service, do not use IMDSPOOF, as it will disrupt functionality.
How to Set Up and Use IMDSPOOF
Prerequisites
1. An AWS EC2 instance.
2. iptables installed on the instance:
yum install iptables-services
3. The Go toolchain installed for compiling the tool.
Step 1: Compile and Run IMDS.go
1. Clone or download the IMDS.go source file.
2. Compile the Go code:
go build IMDS.go
3. Run the compiled binary:
./IMDS
Step 2: Redirect Traffic to IMDSPOOF
To redirect traffic from the legitimate IMDS endpoint to your local web server, add the following iptables rule. It goes in the nat table's OUTPUT chain because the traffic originates on the instance itself, so every local connection to 169.254.169.254:80 is rewritten to the spoofed server on 127.0.0.1:54321:
iptables -t nat -A OUTPUT -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 127.0.0.1:54321
Step 3: Test the Setup
Run the following command to test whether spoofed credentials are being served:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-admin
You should see an output similar to this:
{
"Code": "Success",
"Message": "The request was successfully processed.",
"LastUpdated": "2023-11-22T03:33:51Z",
"Type": "AWS-HMAC",
"AccessKeyId": "InsertHoneyToken",
"SecretAccessKey": "InsertHoneyToken",
"Token": "HoneyToken",
"Expiration": "2023-11-22T09:33:51Z"
}
Customization
To make IMDSPOOF more convincing, modify the fake credentials returned by the tool:
1. Open IMDS.go and locate these variables at the top of the file:
var accessKey string = "InsertHoneyToken"
var secretAccessKey string = "InsertHoneyToken"
var token string = "IQoJb3Jpz2cXpQRkpVX3Uf////////////xMdLZHNjb<snip>"
2. Replace these placeholders with honey tokens.
Generating Honey Tokens:
- Use Thinkst Canary's CanaryTokens to generate AWS credentials that trigger alerts when used.
- Replace accessKey and secretAccessKey in IMDS.go with the generated values.
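To show what the local server behind the iptables rule has to do, here is a minimal spoofed IMDS server written as an added example; it is not the IMDSPOOF project's own IMDS.go. It assumes the same honey-token variable names, the port 54321 from the DNAT rule, and the credential document shown in the test output above; every request is logged, because on an instance that does not use IMDS any hit on this service is a detection signal.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"strings"
	"time"
)

// Honey-token placeholders (constructed): swap in CanaryTokens AWS credentials.
var (
	accessKey       = "InsertHoneyToken"
	secretAccessKey = "InsertHoneyToken"
	token           = "HoneyToken"
)

const credPrefix = "/latest/meta-data/iam/security-credentials/"

// Field names match a real IMDS credential document, so no json tags are needed.
type imdsCredentials struct {
	Code, Message, LastUpdated, Type, AccessKeyId, SecretAccessKey, Token, Expiration string
}

// fakeCredentials builds the spoofed document; now is a parameter so tests are
// deterministic. Expiration is six hours after LastUpdated, as in the sample above.
func fakeCredentials(now time.Time) imdsCredentials {
	now = now.UTC()
	return imdsCredentials{
		Code: "Success", Message: "The request was successfully processed.",
		LastUpdated: now.Format(time.RFC3339), Type: "AWS-HMAC",
		AccessKeyId: accessKey, SecretAccessKey: secretAccessKey, Token: token,
		Expiration: now.Add(6 * time.Hour).Format(time.RFC3339),
	}
}

// handler logs every request (the detection signal: nothing legitimate on this
// instance should talk to IMDS) and answers only credential paths; the rest get 404.
func handler(w http.ResponseWriter, r *http.Request) {
	log.Printf("IMDS request from %s path=%s ua=%q", r.RemoteAddr, r.URL.Path, r.UserAgent())
	if !strings.HasPrefix(r.URL.Path, credPrefix) || r.URL.Path == credPrefix {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(fakeCredentials(time.Now()))
}

func main() { // 54321 matches the iptables DNAT rule in the article
	log.Fatal(http.ListenAndServe("127.0.0.1:54321", http.HandlerFunc(handler)))
}
```

Ship the log lines to your SIEM; the honey token fires when the credentials are used elsewhere, while this log tells you which process on the instance fetched them.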
Running IMDSPOOF at Startup
To ensure IMDSPOOF runs automatically on instance boot, create a systemd service:
1. Create a new service file:
sudo vim /etc/systemd/system/IMDS.service
2. Add the following configuration:
[Unit]
Description=IMDSPOOF
After=multi-user.target
[Service]
Type=simple
ExecStart=/bin/IMDS
User=root
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
3. Move the compiled binary to /bin/:
sudo mv IMDS /bin/
4. Enable and start the service:
sudo systemctl enable IMDS
sudo systemctl start IMDS
5. Verify it is running correctly:
sudo systemctl status IMDS
Does It Work with SSRF Vulnerabilities?
Yes! Because the redirect lives in the iptables OUTPUT chain, it applies to every connection that originates on the instance, including one made by a web application on your EC2 instance that an attacker has coerced through an SSRF vulnerability.
For example, if an attacker exploits SSRF to query http://169.254.169.254, they will receive the fake credentials served by IMDSPOOF, and the request is logged for your detection pipeline.
Reverting Changes
To stop using IMDSPOOF and restore normal functionality:
1. Stop the systemd service:
sudo systemctl stop IMDS
2. Disable it from running at startup:
sudo systemctl disable IMDS
3. Revert the iptables change:
iptables -t nat -D OUTPUT -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 127.0.0.1:54321
Conclusion
IMDSPOOF is a valuable tool for blue teams looking to enhance their detection capabilities in AWS environments by deceiving attackers with fake metadata credentials and honey tokens.
By carefully setting up and customizing this tool, you can gain insight into potential breaches while protecting your cloud infrastructure from unauthorized access attempts. You can learn more and download IMDSPOOF on GitHub.