ec2linkfinder
Bot User-Agent: ec2linkfinder
⚠️ Overview
ec2linkfinder is an open-source penetration testing tool developed by Alisson Moretto (also known as AlissonMG) that automates the discovery of Amazon EC2 metadata endpoints, primarily used to exploit Server-Side Request Forgery (SSRF) vulnerabilities. First published on GitHub in 2018, it remains actively maintained by the security researcher and is commonly referenced in red-team toolkits and CTF challenges for cloud credential theft.
🔧 Technical Capabilities
The tool systematically probes for the classic AWS metadata IP 169.254.169.254 and associated path patterns such as /latest/meta-data/iam/security-credentials/, /user-data, and /latest/dynamic/instance-identity/. It supports both single-URL and multi-URL batch scanning, extracting IAM role names and their temporary access keys, secret keys, and session tokens. ec2linkfinder also checks for the newer IMDSv2 protections by testing for token-based authentication requirements, and can optionally attempt to bypass simple WAF or filter rules using different HTTP headers and request methods. The tool is written in Python with minimal dependencies, making it easy to deploy on any Linux-based attack host or within a cloud environment. It outputs discovered credentials in both raw text and structured JSON formats, allowing immediate use with AWS CLI tools or integration with other post-exploitation frameworks like Metasploit.
📜 History & Notable Incidents
ec2linkfinder gained traction after multiple high-profile SSRF vulnerabilities were disclosed in major cloud-based applications, such as the Capital One breach (2019) where an SSRF flaw allowed an attacker to fetch EC2 metadata and exfiltrate over 100 million customer records. While ec2linkfinder itself was not used in that incident, it became a go-to tool for penetration testers targeting similar misconfigurations. The tool’s GitHub repository has documented use in AWS penetration testing guides and is explicitly listed in the OWASP Testing Guide as a reference for cloud metadata enumeration. No specific CVEs are assigned to ec2linkfinder itself, as it is an exploitation tool rather than a vulnerability.
🔍 Detection Indicators
Requests generated by ec2linkfinder often include unusual HTTP headers like X-Forwarded-For and X-Forwarded-Host crafted to confuse load balancers, coupled with multiple repeated attempts to hit the same /latest resource with different encoding obfuscations (e.g., URL-encoded dots or double slashes). The User-Agent string typically mimics common browsers (e.g., Mozilla/5.0 ...) but may include custom strings like ec2linkfinder/1.0 in later versions. Behavioral fingerprints include sequential requests to /meta-data/, /security-credentials, and /user-data within milliseconds, often from a single IP with no prior legitimate traffic.
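The indicators above can be checked over web access logs. The following is an added example, not code from ec2linkfinder or from this page's publisher; the event tuple layout, the indicator names and the burst thresholds are assumptions chosen for illustration, and the sample events are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
METADATA_IP = "169.254.169.254"
METADATA_PATHS = ("/meta-data/", "/security-credentials", "/user-data",
                  "/dynamic/instance-identity")  # fragments named in the section above
BURST_WINDOW_MS = 1000   # assumption: "within milliseconds" approximated as 1 s
BURST_MIN_PATHS = 3      # assumption: distinct metadata paths that count as a burst

def normalise(target: str) -> str:
    """Undo nested percent-encoding and collapse repeated slashes."""
    for _ in range(5):                    # bounded, so crafted input cannot loop forever
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    # Collapse "//" runs but keep the "//" that follows a scheme such as "http:".
    return re.sub(r"(?<!:)/{2,}", "/", target).lower()

def analyse(events):
    """events: (ts_ms, client_ip, user_agent, request_target) -> {ip: [indicators]}."""
    findings = defaultdict(set)
    hits = defaultdict(list)              # client_ip -> [(ts_ms, path fragment)]
    for ts, ip, ua, target in events:
        norm = normalise(target)
        if "ec2linkfinder" in ua.lower():
            findings[ip].add("user_agent")
        if METADATA_IP in norm:
            findings[ip].add("metadata_ip")
            if METADATA_IP not in target:  # only visible after decoding
                findings[ip].add("encoded_metadata_ip")
        for frag in METADATA_PATHS:
            if frag in norm:
                hits[ip].append((ts, frag))
    for ip, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            window = {f for t, f in seen[i:] if t - start <= BURST_WINDOW_MS}
            if len(window) >= BURST_MIN_PATHS:
                findings[ip].add("metadata_path_burst")
                break
    return {ip: sorted(names) for ip, names in findings.items()}

# Constructed sample events (not real traffic); client IPs are documentation ranges.
SAMPLE = [
    (1000, "203.0.113.7", "Mozilla/5.0", "/fetch?url=http://169%2e254%2e169%2e254//latest/meta-data/"),
    (1040, "203.0.113.7", "Mozilla/5.0", "/fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/"),
    (1090, "203.0.113.7", "ec2linkfinder/1.0", "/fetch?url=http://169.254.169.254/latest/user-data"),
    (5000, "198.51.100.9", "Mozilla/5.0", "/fetch?url=https://example.com/docs/user-data-guide"),
]
```

A single path-fragment match, as in the last sample event, is not reported on its own; only the metadata IP, the tool's User-Agent string, or a burst across several metadata paths produces a finding.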
☠️ Risk & Impact
Successful exploitation via ec2linkfinder can lead to complete compromise of an AWS EC2 instance’s IAM role, granting the attacker access to all resources the role is permitted to use — including S3 buckets, DynamoDB tables, Lambda functions, and other cloud services. This lateral movement can result in data exfiltration, privilege escalation, and even full cloud account takeover if the compromised role has administrative policies attached. The tool is particularly dangerous in environments where IMDSv1 is still enabled, as no authentication token is required to retrieve credentials.
🛡️ Mitigation
ec2linkfinder is blocked immediately upon detection because its only purpose is to harvest cloud credentials via SSRF, posing an immediate and severe risk of data breach and lateral movement. Defenses include enforcing IMDSv2 with hop limits, disabling unnecessary metadata endpoints via IAM policies, and deploying web application firewalls that inspect for metadata IP patterns and SSRF payloads.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.