IMDSPOOF - Spoof AWS Metadata to Detect and Deceive Attackers

IMDSPOOF is a powerful cyber deception tool designed to spoof the AWS Instance Metadata Service (IMDS).

It is specifically crafted for blue teams to detect and mislead attackers who attempt to escalate in AWS environments by reading credentials from the IMDS endpoint.

What Does IMDSPOOF Do?

Attackers often escalate privileges or move laterally in cloud environments by retrieving AWS access keys from the IMDS endpoint located at:

http://169.254.169.254/latest/meta-data/iam/security-credentials/<user>

IMDSPOOF intercepts traffic directed to this endpoint, rerouting it to a local web server that serves fake data. By inserting honey tokens into the spoofed IMDS response, blue teams can detect unauthorized access attempts and monitor attacker behavior.

Who Should Use IMDSPOOF?

IMDSPOOF is intended for blue teams managing AWS EC2 instances that are NOT actively using the IMDS service (version 1 or 2).

Key Use Case:

  • Tricking attackers into interacting with a fake IMDS service, making them believe they are accessing legitimate credentials.

Important Warning:

If your EC2 instance relies on the IMDS service, do not use IMDSPOOF, as it will disrupt functionality.

How to Set Up and Use IMDSPOOF

Prerequisites

1. An AWS EC2 instance.

2. iptables installed on the instance:

yum install iptables-services

3. The Go toolchain installed for compiling the tool.

Step 1: Compile and Run IMDS.go

1. Clone or download the IMDS.go source file.

2. Compile the Go code:

go build IMDS.go

3. Run the compiled binary:

./IMDS

Step 2: Redirect Traffic to IMDSPOOF

To redirect traffic from the legitimate IMDS endpoint to your local web server, add the following iptables NAT rule. It sits in the OUTPUT chain, so it applies to every connection that processes on this instance open to 169.254.169.254 on TCP port 80:

iptables -t nat -A OUTPUT -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 127.0.0.1:54321

Step 3: Test the Setup

Run the following command to test whether spoofed credentials are being served:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-admin

You should see output similar to this:

{
  "Code": "Success",
  "Message": "The request was successfully processed.",
  "LastUpdated": "2023-11-22T03:33:51Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "InsertHoneyToken",
  "SecretAccessKey": "InsertHoneyToken",
  "Token": "HoneyToken",
  "Expiration": "2023-11-22T09:33:51Z"
}
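To make the server side of this concrete, here is an added example of a minimal spoofed IMDS listener written for this article; it is not the project's own IMDS.go. It listens on 127.0.0.1:54321 (the DNAT target from Step 2), answers the role listing path and any role name under it with a credential document shaped like the sample output above, and logs every request as a detection event, since on an instance that does not use IMDS any request to that path is already suspicious before the honey token is ever used. The role name ec2-admin is taken from the curl test above; the placeholder token values and the six-hour expiry are assumptions.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"strings"
	"time"
)

// Placeholder honey tokens (assumed values). In a real deployment replace them
// with credentials from a canary-token provider so any use raises an alert.
var (
	accessKey       = "InsertHoneyToken"
	secretAccessKey = "InsertHoneyToken"
	token           = "HoneyToken"
	roleName        = "ec2-admin" // role name used in the article's curl test
)

const credPrefix = "/latest/meta-data/iam/security-credentials/"

// imdsCredentials mirrors the document the real IMDS returns for a role.
type imdsCredentials struct {
	Code            string `json:"Code"`
	Message         string `json:"Message"`
	LastUpdated     string `json:"LastUpdated"`
	Type            string `json:"Type"`
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	Token           string `json:"Token"`
	Expiration      string `json:"Expiration"`
}

// spoofedCredentials builds the fake document. Timestamps are RFC 3339 in UTC
// and the expiry is six hours after LastUpdated, matching the sample output.
func spoofedCredentials(now time.Time) imdsCredentials {
	now = now.UTC()
	return imdsCredentials{
		Code:            "Success",
		Message:         "The request was successfully processed.",
		LastUpdated:     now.Format(time.RFC3339),
		Type:            "AWS-HMAC",
		AccessKeyId:     accessKey,
		SecretAccessKey: secretAccessKey,
		Token:           token,
		Expiration:      now.Add(6 * time.Hour).Format(time.RFC3339),
	}
}

// imdsHandler serves the role listing and the per-role credential document.
// Every hit is logged with source address, path and User-Agent so the log line
// itself can feed an alert; the honey token is a second, out-of-band tripwire.
func imdsHandler(w http.ResponseWriter, r *http.Request) {
	log.Printf("IMDS_SPOOF_HIT remote=%s method=%s path=%q ua=%q",
		r.RemoteAddr, r.Method, r.URL.Path, r.UserAgent())

	switch {
	case r.URL.Path == credPrefix:
		// Listing path: the real service returns attached role names, one per line.
		w.Header().Set("Content-Type", "text/plain")
		w.Write([]byte(roleName + "\n"))
	case strings.HasPrefix(r.URL.Path, credPrefix):
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(spoofedCredentials(time.Now()))
	default:
		http.NotFound(w, r)
	}
}

func main() {
	// Bind to loopback only; the iptables DNAT rule delivers redirected traffic here.
	log.Fatal(http.ListenAndServe("127.0.0.1:54321", http.HandlerFunc(imdsHandler)))
}
```

Because the handler logs before it decides what to return, even probes for unrelated metadata paths (which get a 404) still leave a record, which is useful when an attacker walks the metadata tree rather than going straight for credentials.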

Customization

To make IMDSPOOF more convincing, modify the fake credentials returned by the tool:

1. Open IMDS.go and locate these variables at the top of the file:

var accessKey string = "InsertHoneyToken"
var secretAccessKey string = "InsertHoneyToken"
var token string = "IQoJb3Jpz2cXpQRkpVX3Uf////////////xMdLZHNjb<snip>"

2. Replace these placeholders with honey tokens.

Generating Honey Tokens:

  • Use Thinkst Canary's CanaryTokens to generate AWS credentials that trigger alerts when used.

  • Replace accessKey and secretAccessKey in IMDS.go with the generated values.

Running IMDSPOOF at Startup

To ensure IMDSPOOF runs automatically on instance boot, create a systemd service:

1. Create a new service file:

sudo vim /etc/systemd/system/IMDS.service

2. Add the following configuration:

[Unit]
Description=IMDSPOOF
After=multi-user.target

[Service]
Type=simple
ExecStart=/bin/IMDS
User=root
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

3. Move the compiled binary to /bin/:

sudo mv IMDS /bin/

4. Enable and start the service:

sudo systemctl enable IMDS

sudo systemctl start IMDS

5. Verify it is running correctly:

sudo systemctl status IMDS

Does It Work with SSRF Vulnerabilities?

Yes! Because the DNAT rule lives in the iptables OUTPUT chain, it rewrites every connection that a local process opens to 169.254.169.254:80, so it also catches requests a web application on your EC2 instance is coerced into making through an SSRF vulnerability.

For example, if an attacker exploits SSRF to query http://169.254.169.254, they will receive fake credentials served by IMDSPOOF.

Reverting Changes

To stop using IMDSPOOF and restore normal functionality:

1. Stop the systemd service:

sudo systemctl stop IMDS

2. Disable it from running at startup:

sudo systemctl disable IMDS

3. Revert the iptables change by deleting the exact rule added in Step 2:

iptables -t nat -D OUTPUT -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 127.0.0.1:54321

Conclusion

IMDSPOOF is a valuable tool for blue teams looking to enhance their detection capabilities in AWS environments by deceiving attackers with fake metadata credentials and honey tokens.

By carefully setting up and customizing this tool, you can gain insight into potential breaches while protecting your cloud infrastructure from unauthorized access attempts. You can learn more and download IMDSPOOF on GitHub.
