在Python中解密Windows EC2密码

Question

在Python中解密Windows EC2密码

4

我想启动一个Windows EC2实例并使用Python编程获取管理员密码。我知道可以使用CLI完成此操作，但我更喜欢本地解密以避免通过互联网发送我的私钥。

aws ec2 get-password-data --instance-id i-0d4d8273cadcae0a0 --priv-launch-key .ssh/elliott2.pem

阅读了Cryptodome文档后，我尝试了以下方式：

import boto3
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

ec2 = boto3.resource('ec2', 'us-west-2')
i = ec2.Instance('i-028dee2acb533fc59')

encrypted_str = i.password_data()['PasswordData']
with open('mykey.pem') as fp:
  key = RSA.importKey(fp.read())

cipher = PKCS1_OAEP.new(key)
print(cipher.decrypt(enc_str))

这会导致出现错误：

Traceback (most recent call last):
  File "test.py", line 14, in <module>
    print(cipher.decrypt(encrypted_str))
  File "/Users/elliott/Library/Python/3.8/lib/python/site-packages/Crypto/Cipher/PKCS1_OAEP.py", line 167, in decrypt
    raise ValueError("Ciphertext with incorrect length.")
ValueError: Ciphertext with incorrect length.

我认为cipherkey必须恰好为256字节。但是密码数据长度超过了这个限制，所以我不确定该怎么办。

- Elliott B

你确定 i.password_data()['PasswordData'] 不是 '' 吗？我遇到了同样的问题，后来发现我启动 EC2 实例时没有使用密钥对，所以一开始就没有密码。 - Mathieu Dhondt

请注意，如果您在启动EC2实例时没有选择密钥对，或者EC2实例的密码尚未生成，则password_data()将返回空字符串。有关更多信息，请参见此处。 - Shane Bishop

@ShaneBishop 你尝试打印 encrypted_str 看看是否获取了密码了吗？ - Abhinav Mathur

@AbhinavMathur，既然我为这个问题创建了悬赏，实际上我已经找到了自己的解决方案：https://dev59.com/kHUOtIcB2Jgan1zntDOB#72410935 - Shane Bishop

我无法将我的问题关闭为这个问题的重复，因为这个问题并没有被接受或赞同的答案。但是，一旦我能够在我的问题上接受答案，那么就可以投票将此问题关闭为我的重复。 - Shane Bishop

2个回答

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Cloud-Destro · Answer 1

晚了点，但可能有帮助。

from Crypto.PublicKey import RSA
from Crypto.Cipher import AES, PKCS1_v1_5

def decrypt(ciphertext, keyfile = PEM_FILE ):
    input = open(keyfile)
    key = RSA.importKey(input.read())
    input.close()
    cipher = PKCS1_v1_5.new(key)
    plaintext = cipher.decrypt(ciphertext, None)
    return plaintext

- Ramkrushna Patra · Answer 2

使用Python Boto获取解密的EC2 Windows实例管理员密码

AWS_EC2_ACCESS_ID='AKIA**********'
AWS_EC2_SECRET_KEY = 'mh83**************'
PEM_FILE = os.path.expanduser('D:\\abc\\scripts\\s\\test.pem')

### Get Windows Admin password of the newly created AWS instance
import boto.ec2
from Crypto.Cipher import PKCS1_v1_5
from Crypto.PublicKey import RSA

access_key = AWS_EC2_ACCESS_ID
secret_key = AWS_EC2_SECRET_KEY
pem_file_loc = PEM_FILE

def decrypt(ciphertext, keyfile = pem_file_loc ):
   input = open(keyfile)
   key = RSA.importKey(input.read())
   input.close()
   cipher = PKCS1_v1_5.new(key)
   plaintext = cipher.decrypt(ciphertext, None)
   return plaintext

def get_ec2_instance_secur_info(region='us-west-2',instance_name=''):
ec2_conn = boto.ec2.connect_to_region(region,
            aws_access_key_id=access_key,
            aws_secret_access_key=secret_key)

# Get all instance
reservations = ec2_conn.get_all_reservations()

# Get all the instances and search for the instance based on the provided Tag - Name
for reservation in reservations:    
    for instance in reservation.instances:
        if instance_name == instance.tags['Name']:
            # Get the encrypted password and decrypt
            password = decrypt(ec2_conn.get_password_data(instance.id).decode('base64'))
            return {'instance':instance,'ec2_conn':ec2_conn,'private_ip':instance.private_ip_address,'pwd':password}

# Looks like there are no instance with the provided Tag - Name
print instance_name + ' is not found'

instance_name = 'new-instance-name-tag' node = get_ec2_instance_secur_info(instance_name = instance_name) print node