Merge pull request Pennyw0rth#455 from dev-fortress/aws-credentials

NeffIsBack · web-flow · commit fde3de726e27 · 2025-06-16T13:49:06.000+02:00
New module: AWS Credentials Finder
diff --git a/nxc/modules/aws-credentials.py b/nxc/modules/aws-credentials.py
@@ -0,0 +1,48 @@
+class NXCModule:
+    """
+    Search for aws credentials files on linux and windows machines
+
+    Module by Fortress
+    """
+
+    name = "aws-credentials"
+    description = "Search for aws credentials files."
+    supported_protocols = ["ssh", "smb", "winrm"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self):
+        self.search_path_linux = "'/home/' '/tmp/'"
+        self.search_path_win = "'C:\\Users\\', 'C:\\ProgramData\\AWSCLI\\', 'C:\\Temp\\'"
+
+    def options(self, context, module_options):
+        r"""
+        SEARCH_PATH_LINUX	Linux location where to search for aws credentials related files
+                                Default: "'/home/' '/tmp/'"
+
+        SEARCH_PATH_WIN		Windows locations where to search for aws credentials related files
+                                Default: "'C:\\Users\\', 'C:\\ProgramData\\AWSCLI\\', 'C:\\Temp\\'"
+        """
+        if "SEARCH_PATH_LINUX" in module_options:
+            self.search_path_linux = module_options["SEARCH_PATH_LINUX"]
+
+        if "SEARCH_PATH_WIN" in module_options:
+            self.search_path_win = module_options["SEARCH_PATH_WIN"]
+
+    def on_login(self, context, connection):
+        # search for aws_credentials-related files on linux systems
+        if "ssh" in context.protocol:
+            search_aws_creds_files_payload = f"find {self.search_path_linux} -type f  -name credentials -exec grep -l 'aws_' {{}} \\; 2>&1 | grep -v 'Permission denied$'"
+            search_aws_creds_files_cmd = f'/bin/bash -c "{search_aws_creds_files_payload}"'
+            output = connection.execute(search_aws_creds_files_cmd)
+        else:
+            # search for aws_credentials-related files on windows systems
+            # we have to exclude "Application Data" as this creates an infinite recursion, see: https://www.reddit.com/r/PowerShell/comments/17pctnv/symbolic_link_application_data_in_appdatalocal/
+            search_aws_creds_files_payload_win = f"Get-ChildItem -Path {self.search_path_win} -Recurse -Force -Include 'credentials' -ErrorAction SilentlyContinue | Where-Object {{ Select-String -Path $_.FullName -Pattern 'aws' -Quiet }} | Select-Object -ExpandProperty FullName"
+            search_aws_creds_files_cmd_win = f'powershell.exe "{search_aws_creds_files_payload_win}"'
+            output = connection.execute(search_aws_creds_files_cmd_win, True)
+
+        if output:
+            context.log.success("The following files were found:")
+            for line in output.splitlines():
+                context.log.highlight(line.rstrip())
diff --git a/nxc/protocols/winrm.py b/nxc/protocols/winrm.py
@@ -238,13 +238,10 @@ def hash_login(self, domain, username, ntlm_hash):
                 self.logger.fail(f"{self.domain}\\{self.username}:{process_secret(self.nthash)} {e!s}")
             return False
 
-    def execute(self, payload=None, get_output=True, shell_type="cmd"):
+    def execute(self, payload=None, get_output=False, shell_type="cmd"):
         if not payload:
             payload = self.args.execute
 
-        if self.args.no_output:
-            get_output = False
-
         try:
             result = self.conn.execute_cmd(payload, encoding=self.args.codec) if shell_type == "cmd" else self.conn.execute_ps(payload)
         except Exception as e:
@@ -260,13 +257,16 @@ def execute(self, payload=None, get_output=True, shell_type="cmd"):
             else:
                 self.logger.fail(f"Execute command failed, error: {e!s}")
         else:
+            if get_output:
+                return result[0]
             self.logger.success(f"Executed command (shell type: {shell_type})")
-            buf = StringIO(result[0]).readlines() if get_output else ""
-            for line in buf:
-                self.logger.highlight(line.strip())
+            if not self.args.no_output:
+                for line in StringIO(result[0]).readlines():
+                    self.logger.highlight(line.strip())
 
-    def ps_execute(self):
-        self.execute(payload=self.args.ps_execute, get_output=True, shell_type="powershell")
+    def ps_execute(self, payload=None, get_output=False):
+        command = payload if payload else self.args.ps_execute
+        self.execute(payload=command, get_output=get_output, shell_type="powershell")
 
     # Dos attack prevent:
     # if someboby executed "reg save HKLM\sam C:\windows\temp\sam" before, but didn't remove "C:\windows\temp\sam" file,
