Module Details
Enumerates/bruteforces S3 buckets based on different parameters.
This module produces bucket name permutations based on a given name and a list of keywords. When bruteforcing, the keyword list is downloaded automatically from RhinoSecurityLabs; otherwise the module uses a user-supplied list of keywords. After the bucket name list is created, each candidate name is tested and two lists of buckets are recorded: buckets that exist, and buckets whose contents are listable with the current credentials.
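The permutation-and-probe loop described above, as an added example that is not Pacu's own code. The permutation patterns, the sample keyword list and the probe logic are this example's assumptions (the real module downloads its keyword list and keeps its own pattern set); the `classify_bucket` function expects a boto3 S3 client but the permutation half runs without boto3 installed.

```python
"""Bucket-name permutation and probing (added example, not Pacu code)."""
import re

try:
    from botocore.exceptions import ClientError
except ImportError:  # let the permutation half run where boto3 is not installed
    class ClientError(Exception):  # stand-in with botocore's constructor shape
        def __init__(self, error_response, operation_name):
            super().__init__(operation_name)
            self.response = error_response

# Constructed stand-in for the downloaded or user-supplied keyword list.
SAMPLE_KEYWORDS = ["backup", "logs", "dev"]

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit.
_VALID_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def generate_candidates(name, keywords):
    """Return the unique, valid bucket-name permutations of name x keywords."""
    name = name.lower()
    candidates = [name]
    for kw in (k.lower() for k in keywords):
        candidates += [f"{name}-{kw}", f"{kw}-{name}", f"{name}{kw}",
                       f"{kw}{name}", f"{name}.{kw}", f"{kw}.{name}"]
    out, seen = [], set()
    for cand in candidates:
        if cand not in seen and _VALID_NAME.match(cand):
            seen.add(cand)
            out.append(cand)
    return out


def classify_bucket(s3_client, bucket):
    """Classify one bucket name as 'missing', 'exists' or 'listable'.

    HeadBucket answers 404 for a name nobody owns and 403 (or 301 for a
    bucket in another region) for a name that is taken; ListObjectsV2 with
    MaxKeys=1 then shows whether the caller may list it. Pass a boto3 S3
    client built with Config(signature_version=botocore.UNSIGNED) to test
    anonymous access, or an ordinary client to test the current keys.
    """
    try:
        s3_client.head_bucket(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] in ("404", "NoSuchBucket"):
            return "missing"
    try:
        s3_client.list_objects_v2(Bucket=bucket, MaxKeys=1)
        return "listable"
    except ClientError:
        return "exists"


def probe(s3_client, name, keywords):
    """Return {'exists': [...], 'listable': [...]}, the module's two lists."""
    found = {"exists": [], "listable": []}
    for cand in generate_candidates(name, keywords):
        verdict = classify_bucket(s3_client, cand)
        if verdict == "listable":
            found["listable"].append(cand)
        if verdict != "missing":
            found["exists"].append(cand)
    return found
```

Run `probe` once with an unsigned client and once with the session's keys: a bucket that is listable anonymously is a different finding from one that is listable only because the compromised keys have s3:ListBucket on it.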
Tries to get a confirmed list of permissions for the current user.
User permissions are collected from every source that can grant them: policies inline on the user, managed policies attached to the user, and the inline and attached policies of each group the user belongs to.
Downloads user data from EC2 instances.
EC2 user data is downloaded to core/sessions/[session.name]/downloads/user_data.txt. Only User Data is obtained by this module. User data is typically a shell script (or cloud-init configuration) that the instance runs when it is launched, and it is a common place to find hardcoded credentials, API keys and internal hostnames. The module depends on the enum_ec2 module, which provides the list of EC2 instances to query.
Enumerates EBS volumes and snapshots and logs any without encryption.
Volumes and snapshots are the data stores of Elastic Block Store (EBS). A volume behaves like a physical hard drive that can be moved between machines and keeps its state independently of any specific EC2 instance. Snapshots are incremental, point-in-time backups of volumes and contain the data that changed since the previous snapshot. An unencrypted volume or snapshot can be attached, copied or shared and read without any key material, which is why this module logs each one it finds.
Gather data from EC2 instances
This module is designed to take a set of user keys and query relevant information to build a picture of the network architecture of the target account. By default all information is gathered; arguments can be passed to filter out specific results. Before any real calls to AWS are made, dry runs (DryRun=True) are performed to confirm that the user has the permissions needed, rather than failing part-way through the module's execution.
Gather a list of EC2 instances without termination protection.
EC2 termination protection (the disableApiTermination instance attribute) adds an extra step before an instance can be terminated through the API. This module scans all EC2 instances in the specified regions and checks each instance individually for that attribute; instances without it can be terminated by anyone holding ec2:TerminateInstances.
Gather a list of Elastic Load Balancers and Elastic Load Balancers with logging disabled
This module gathers a list of all Elastic Load Balancers and stores the data in the Pacu database. Multiple API calls may be necessary, since results are returned in pages of up to 400 load balancers; the module follows the pages until all of them are stored. Each load balancer is then checked individually, and those with access logging disabled are recorded in the database.
Enumerates Glue connections, crawlers, databases, development endpoints, and jobs.
AWS Glue is a managed ETL (extract, transform, load) and data catalog service. This module enumerates the Glue resources that most often expose sensitive configuration. Connections hold the details Glue uses to reach other data sources, including JDBC connection strings and the credentials for them. Crawlers record the data stores they pull raw data from, their schedules, schema information on the tables they crawl and, most importantly, their targets. Development endpoints (DevEndpoints) carry network and authentication details, including the public SSH keys and the subnet and security groups used to reach them. Database objects are also queried and contain descriptions and their locations.
Pulls data related to Lambda Functions, source code, aliases, event source mappings, versions, tags, and policies.
This module gathers information related to Lambda functions including the function name and ARN. Other useful information enumerated includes a link to download the source for each function, aliases, event source mappings, versions, policies, and tags. The --all-versions flag can be set when running this module to pull all function versions instead of just the latest.
Detects monitoring and logging capabilities.
This module gathers information from AWS Shield (DDoS protection), CloudTrail (API audit logging) and GuardDuty (threat detection). If there is a Shield subscription in place, the module collects the length of the subscription and any protection limits. CloudTrail data includes the S3 buckets where logs are delivered and whether log file validation is enabled, which is what lets a defender verify that delivered logs have not been tampered with. GuardDuty data consists of detector IDs and the regions in which they are active. Together these show how much of your activity in the account is likely to be recorded or alerted on.
Enumerates users, roles, customer-managed policies, and groups.
This module collects information on all users, roles, customer-managed policies and groups. Only customer-managed policies are captured; AWS-managed policies are skipped.
Generates and downloads an IAM credential report.
The credential report is generated by IAM, decoded by the module from its base64 form into CSV, and saved to the core/sessions/{session.name}/downloads folder. Its fields include user, arn, password status and last-used information, MFA status, access key information, signing certificate information and more.
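What to look for once the report is on disk, as an added example that is not Pacu's code. The report text below is constructed to match the column layout IAM produces (base64-encoded, as GetCredentialReport returns it); the thresholds and finding names are this example's own choices.

```python
"""Audit of an IAM credential report (added example, not Pacu code)."""
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

_HEADER = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated"
)
_T0, _T1, _T2 = "2023-01-10T00:00:00+00:00", "2024-04-30T00:00:00+00:00", "2024-05-02T00:00:00+00:00"
_ROWS = [  # constructed rows
    # root account without MFA
    f"<root_account>,arn:aws:iam::123456789012:root,{_T0},not_supported,{_T2},not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    # alice: console login without MFA, two active keys, key 1 stale and never used
    f"alice,arn:aws:iam::123456789012:user/alice,{_T0},true,{_T2},{_T0},N/A,false,true,{_T0},N/A,N/A,N/A,true,{_T1},{_T2},us-east-1,s3,false,N/A,false,N/A",
    # bob: console login with MFA, no keys
    f"bob,arn:aws:iam::123456789012:user/bob,{_T0},true,{_T2},{_T0},N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
    # svc-deploy: no console, one key in use but not rotated for over a year
    f"svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,{_T0},false,no_information,N/A,N/A,false,true,{_T0},{_T2},us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A",
]
# GetCredentialReport returns the CSV base64-encoded in its Content field.
SAMPLE_REPORT_B64 = base64.b64encode("\n".join([_HEADER, *_ROWS]).encode()).decode()


def _ts(value):
    """Parse a report timestamp; N/A, no_information and not_supported give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(content_b64, now=None, max_key_age_days=90):
    """Return {user: [finding, ...]} for every user with at least one finding."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for row in csv.DictReader(io.StringIO(base64.b64decode(content_b64).decode())):
        hits = []
        if row["user"] == "<root_account>" and row["mfa_active"] != "true":
            hits.append("root-no-mfa")
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            hits.append("console-no-mfa")
        active = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]
        if len(active) == 2:
            hits.append("two-active-keys")
        for n in active:
            if _ts(row[f"access_key_{n}_last_used_date"]) is None:
                hits.append(f"key{n}-never-used")
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                hits.append(f"key{n}-stale")
        if hits:
            findings[row["user"]] = hits
    return findings
```

From an attacker's side the same findings read as targets: console users without MFA are phishable, a user with only one active key has a free slot for a backdoor key, and a long-unrotated service key is unlikely to be noticed if it keeps being used.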
Enumerates and dumps files from S3 buckets.
This module downloads S3 objects in one of three modes: all objects from all of the user's buckets, all objects from selected buckets, or selected objects listed in a file with one filename.ext@bucketname entry per line. Great care must be taken when downloading, because terabytes of data could potentially be pulled.
Files are downloaded to core/sessions/{session.name}/downloads/s3_dump/{bucket}/{s3_obj_key}.
The names of the downloaded files are written to core/sessions/{session.name}/downloads/s3_dump/s3_bucket_dump_file_names.txt.
Captures vulnerabilities found by running a preconfigured Inspector assessment.
This module captures findings for assessment runs in regions that support AWS Inspector. The optional argument --download-reports automatically downloads any reports found into the session downloads directory, under a folder named after the run ID of the Inspector assessment.
Enumerates CodeBuild builds and projects while looking for sensitive data
This module enumerates all CodeBuild builds and projects, with the goal of finding sensitive information in the environment variables associated with each one, like passwords, secrets, or API keys.
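A scanner for the two artifacts described above, the user_data.txt the EC2 user data module writes and the environment variables the CodeBuild module enumerates, as an added example that is not Pacu's code. The patterns are this example's own; the user data and project document are constructed samples, and the key values in them are the AWS documentation example credentials.

```python
"""Secret scanning over EC2 user data and CodeBuild env vars (added example, not Pacu code)."""
import base64
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword directly followed by = or :, so db_password=... hits while
    # AWS_SECRET_ACCESS_KEY=... is left to the dedicated rule above
    "generic_secret": re.compile(
        r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
}
SECRET_NAME = re.compile(r"(?i)password|passwd|secret|token|api[_-]?key|private")


def scan_text(text):
    """Return [(rule, matched_secret), ...] for every pattern hit in text."""
    hits = []
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((rule, m.group(m.lastindex or 0)))
    return hits


def scan_user_data(user_data_b64):
    """DescribeInstanceAttribute returns user data base64-encoded; decode, then scan."""
    return scan_text(base64.b64decode(user_data_b64).decode(errors="replace"))


def scan_codebuild_project(project):
    """Flag PLAINTEXT environment variables whose name or value looks like a secret.

    PARAMETER_STORE and SECRETS_MANAGER variables hold a reference, not the
    secret itself, so they are skipped.
    """
    hits = []
    env = project.get("environment", {}).get("environmentVariables", [])
    for var in env:
        if var.get("type", "PLAINTEXT") != "PLAINTEXT":
            continue
        if SECRET_NAME.search(var["name"]) or scan_text(f"{var['name']}={var['value']}"):
            hits.append((project["name"], var["name"]))
    return hits


# Constructed samples.
SAMPLE_USER_DATA_B64 = base64.b64encode(b"""#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
echo "db_password=Sup3rS3cret!" >> /etc/app.conf
""").decode()

SAMPLE_PROJECT = {
    "name": "app-build",
    "environment": {"environmentVariables": [
        {"name": "DB_PASSWORD", "value": "hunter2hunter2", "type": "PLAINTEXT"},
        {"name": "API_TOKEN", "value": "/prod/api-token", "type": "PARAMETER_STORE"},
        {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE", "type": "PLAINTEXT"},
        {"name": "BUILD_ENV", "value": "prod", "type": "PLAINTEXT"},
    ]},
}
```

Treat every hit as a lead rather than a confirmed credential: the generic rule is intentionally loose, and a key found in user data may already have been rotated, so the next step is to check it against the credential report or sts:GetCallerIdentity.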
Stops and restarts EC2 instances to execute code as the root or SYSTEM user.
This module will attempt to stop the chosen EC2 instances, store/display the User Data already set for each one, replace it with a shell script (.sh) of your choosing, then start the instances again. The script is executed as root (Linux) or SYSTEM (Windows) every time those instances boot. Stopping an instance is noisy: it causes downtime, changes the instance's public IPv4 address unless an Elastic IP is attached, and produces StopInstances, ModifyInstanceAttribute and StartInstances events in CloudTrail.
WARNING: This module will make changes to the AWS environment.
Adds backdoor rules to EC2 security groups.
This module adds rules to EC2 security groups as a backdoor: it opens an ingress port range of your choosing from a source IP of your choice. Keep the source CIDR as narrow as possible (a single /32); a rule from 0.0.0.0/0 or over a wide port range is far more likely to be picked up by configuration scanners.
WARNING: This module will make changes to the AWS environment.
Inject malicious formulas/data into CloudTrail event history.
This module will attempt to create a CloudTrail trail whose name is a malicious Microsoft Excel and/or Google Sheets formula, and to launch an EC2 instance with the formula as the image ID. Both calls are expected to fail, since the formula is neither a valid trail name nor a valid AMI ID, but failed calls are still recorded on CloudTrail's "Event history" page, which lists the past 90 days of API calls. When that history is exported to a .csv file, the way CloudTrail renders and exports the "Affected Resources" column means the formula supplied as the payload will attempt to execute in the spreadsheet application that opens the file. Payloads exist for both Microsoft Excel and Google Sheets. The module author's blog post on this technique is here: https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/. Further reading can be found here: https://www.we45.com/2017/02/14/csv-injection-theres-devil-in-the-detail/ and here: http://georgemauer.net/2017/10/07/csv-injection.html
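The export side of the technique, as an added example that is not Pacu's code: the same two failed events written to CSV naively and with formula neutralization. The event records are constructed, and the payload is the DDE formula used in the CSV-injection write-ups linked above. Note that quoting a field does not protect it; Excel and Sheets evaluate a quoted cell that begins with `=` just the same, which is why the fix is a leading apostrophe rather than quotes.

```python
"""CSV export with and without formula neutralization (added example, not Pacu code)."""
import csv
import io

# Leading characters that make a spreadsheet treat a cell as a formula.
DANGEROUS_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize(cell):
    """Prefix a formula-looking cell with a single quote so Excel/Sheets keep it as text."""
    if cell and cell[0] in DANGEROUS_PREFIXES:
        return "'" + cell
    return cell


def events_to_csv(events, safe=True):
    """Render eventName/errorCode/resourceName rows the way an export would."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["eventName", "errorCode", "resourceName"])
    for ev in events:
        cells = [ev["eventName"], ev.get("errorCode", ""), ev["resourceName"]]
        writer.writerow([neutralize(c) for c in cells] if safe else cells)
    return buf.getvalue()


def is_formula_injected(csv_text):
    """True if any field in an export starts with a formula prefix."""
    for row in csv.reader(io.StringIO(csv_text)):
        if any(field and field[0] in DANGEROUS_PREFIXES for field in row):
            return True
    return False


# Constructed records: a trail name and an AMI ID that were both rejected.
PAYLOAD = "=cmd|' /C calc'!A0"
SAMPLE_EVENTS = [
    {"eventName": "CreateTrail", "errorCode": "InvalidTrailNameException", "resourceName": PAYLOAD},
    {"eventName": "RunInstances", "errorCode": "Client.InvalidAMIID.Malformed", "resourceName": PAYLOAD},
]
```

`is_formula_injected` is the check to run over any CSV pulled out of a log console before opening it in a spreadsheet; the apostrophe prefix also mangles legitimate negative numbers, which is the usual trade-off of this defense.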
Downloads Lightsails default SSH key pairs.
This module downloads the account's default public and private SSH key pair for AWS Lightsail. That key pair can authenticate to any Lightsail instance in the region that was created with the default key.
Tries to execute code as root/SYSTEM on EC2 instances.
This module tries to execute arbitrary code on EC2 instances as root/SYSTEM using AWS Systems Manager (SSM). It first enumerates EC2 instances running operating systems that ship with the Systems Manager agent installed by default. It then looks for the Systems Manager IAM instance profile, creating it if it does not exist, and attaches that profile to the enumerated instances. Finally it uses SSM Run Command to execute the supplied command on the instances as root (Linux) or SYSTEM (Windows). If PacuProxy is listening and no command argument is passed in, the module instead executes a PacuProxy stager on the target hosts to obtain a PacuProxy agent that routes commands through them and gives you shell access. Note: Linux targets run the command under their default shell (bash, etc.) and Windows hosts run it under PowerShell, so be wary of that when running the same command against both operating systems. Attaching or swapping an instance profile and every Run Command invocation are recorded in CloudTrail (AssociateIamInstanceProfile, SendCommand), and the SSM agent logs each command locally on the host.
Creates assume-role trust relationships between users and roles.
This module creates a trust relationship between one or more IAM users and one or more roles in the account, allowing those users to assume those roles.
WARNING: This module will make changes to the AWS environment.
An IAM privilege escalation path finder and abuser.
This module will scan for permission misconfigurations to see where privilege escalation is possible. Available attack paths are presented to the user and executed if chosen.
WARNING: This module will make changes to the AWS environment.
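How the two IAM modules above fit together, as an added example that is not Pacu's code: the first half gathers the policies that apply to a user from all four sources the permission-confirmation module describes and evaluates them with IAM's deny-beats-allow rule; the second half checks the resulting effective permissions against a short list of well-known escalation paths. The account data is constructed, the path list is a subset of the publicly documented IAM escalation methods, and Condition, NotAction and NotResource are not evaluated (noted in the code).

```python
"""Effective-permission evaluation and privesc path matching (added example, not Pacu code)."""
import fnmatch


def _listify(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    """IAM-style wildcard match, case-insensitive, for Action and Resource fields."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _listify(patterns))


def effective_policies(account, user):
    """Every policy document that applies to user: inline and attached on the
    user, plus inline and attached on each group the user belongs to."""
    u = account["users"][user]
    docs = list(u.get("inline", []))
    docs += [account["policies"][n] for n in u.get("attached", [])]
    for g in u.get("groups", []):
        grp = account["groups"][g]
        docs += grp.get("inline", [])
        docs += [account["policies"][n] for n in grp.get("attached", [])]
    return docs


def is_allowed(docs, action, resource="*"):
    """Identity-policy evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. Condition blocks are ignored and
    NotAction/NotResource statements are skipped (both are simplifications)."""
    allowed = False
    for doc in docs:
        for st in _listify(doc["Statement"]):
            if "Action" not in st or "NotResource" in st:
                continue
            if not (_match_any(st["Action"], action) and _match_any(st.get("Resource", "*"), resource)):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Subset of documented IAM escalation methods: name -> actions that must all be allowed on *.
PRIVESC_PATHS = {
    "CreateAccessKey on another user": ["iam:CreateAccessKey"],
    "CreateLoginProfile for another user": ["iam:CreateLoginProfile"],
    "UpdateLoginProfile for another user": ["iam:UpdateLoginProfile"],
    "AttachUserPolicy to self": ["iam:AttachUserPolicy"],
    "PutUserPolicy on self": ["iam:PutUserPolicy"],
    "AddUserToGroup": ["iam:AddUserToGroup"],
    "CreatePolicyVersion": ["iam:CreatePolicyVersion"],
    "SetDefaultPolicyVersion": ["iam:SetDefaultPolicyVersion"],
    "UpdateAssumeRolePolicy + AssumeRole": ["iam:UpdateAssumeRolePolicy", "sts:AssumeRole"],
    "PassRole + EC2 RunInstances": ["iam:PassRole", "ec2:RunInstances"],
    "PassRole + Lambda CreateFunction/InvokeFunction": [
        "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
}


def find_privesc_paths(docs):
    """Names of the paths for which every required action is allowed on all resources."""
    return [name for name, needed in PRIVESC_PATHS.items()
            if all(is_allowed(docs, a) for a in needed)]


# Constructed account: alice gets lambda:* and iam:CreateAccessKey from an attached
# policy, PassRole/RunInstances inline, and a group-level Deny on CreateAccessKey.
SAMPLE_ACCOUNT = {
    "policies": {
        "DevPolicy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["lambda:*", "iam:CreateAccessKey"], "Resource": "*"}]},
        "ReadOnly": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]},
    },
    "groups": {"devs": {"attached": ["ReadOnly"], "inline": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"}]}]}},
    "users": {"alice": {"groups": ["devs"], "attached": ["DevPolicy"], "inline": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}]}]}},
}
```

The group-level Deny is the point of the example: reading only the user's attached policy would report iam:CreateAccessKey as available, and the module would then waste a logged, failing API call on it. Resource-scoped PassRole (a Resource other than `*`) is reported as not available here, which is the conservative answer; a real path finder would go on to check which roles that narrower ARN pattern matches.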
Adds API keys to other users.
This module attempts to add an AWS access key to users in the account. If every user is to be backdoored and enum_users_roles_policies_groups has not already been run, this module runs it first to fetch all of the users in the account. Each IAM user can hold at most two access keys, so the call fails for any user that already has two.
WARNING: This module will make changes to the AWS environment.
Adds a password to users without one.
This module attempts to add a console password to users in the account. If every user is to be backdoored and enum_users_roles_policies_groups has not already been run, this module runs it first to fetch all of the users in the account. Passwords cannot be added to users that 1) already have a password or 2) have ever had a password, regardless of whether it was used. If the module detects that a user already has a password, that user is skipped.
WARNING: This module will make changes to the AWS environment.
Downloads CloudTrail event history to JSON files.
This module will download the CloudTrail event history for each specified region in JSON format to ./sessions/[current_session_name]/downloads/cloudtrail_[region]event_history[timestamp].json.
Gives the option of disabling or deleting GuardDuty detectors and disabling, deleting, or minimizing CloudTrail trails.
This module takes the enumerated CloudTrail trails and GuardDuty detectors and presents you with the option of disabling or deleting each one. For CloudTrail, you also have the option of minimizing a trail. Minimizing leaves the trail enabled but reduces its settings to the most basic level: removing the associated SNS topic, disabling global service event logging, disabling multi-region log collection, disabling log file validation, and removing the associated CloudWatch log group and role. The idea is to reduce the amount of logging in the environment without calling the more closely watched StopLogging or DeleteTrail APIs; the UpdateTrail call itself is still logged.
WARNING: This module will make changes to the AWS environment.
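The defender's view of the modules on this page, as an added example that is not Pacu's code: a small rule set run over CloudTrail records of the kind the event-history module downloads, looking for the calls left behind by the security group backdoor, the access key and password backdoors, the trust-policy module, and the disable/minimize module above. The records are constructed in CloudTrail's record shape and the rule names are this example's own.

```python
"""Detection over CloudTrail event history (added example, not Pacu code)."""

# (eventSource, eventName) pairs that stop a log source outright.
LOGGING_KILL = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
}
# UpdateTrail settings that a "minimize" turns off.
TRAIL_MINIMIZE_KEYS = ("enableLogFileValidation", "isMultiRegionTrail", "includeGlobalServiceEvents")


def detect(event):
    """Return the rule names one event trips (empty list for benign events)."""
    src, name = event["eventSource"], event["eventName"]
    params = event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("userName")
    hits = []
    if (src, name) in LOGGING_KILL:
        hits.append("logging-disabled")
    if (src, name) == ("cloudtrail.amazonaws.com", "UpdateTrail") and any(
            params.get(k) is False for k in TRAIL_MINIMIZE_KEYS):
        hits.append("trail-minimized")
    if (src, name) == ("guardduty.amazonaws.com", "UpdateDetector") and params.get("enable") is False:
        hits.append("guardduty-detector-disabled")
    # Credentials created for someone other than the caller: the backdoor pattern.
    if src == "iam.amazonaws.com" and name in ("CreateAccessKey", "CreateLoginProfile"):
        if params.get("userName") not in (None, actor):
            hits.append(f"{name}-for-other-user")
    if (src, name) == ("iam.amazonaws.com", "UpdateAssumeRolePolicy"):
        hits.append("trust-policy-changed")
    if (src, name) == ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"):
        for perm in params.get("ipPermissions", {}).get("items", []):
            all_ports = perm.get("ipProtocol") == "-1" or (
                perm.get("fromPort") == 0 and perm.get("toPort") == 65535)
            public = any(r.get("cidrIp") == "0.0.0.0/0"
                         for r in perm.get("ipRanges", {}).get("items", []))
            if all_ports or public:
                hits.append("sg-ingress-wide-open")
                break
    return hits


def triage(events):
    """Flatten to (eventName, actor, rule) for every hit across a batch of events."""
    return [(e["eventName"], e.get("userIdentity", {}).get("userName"), rule)
            for e in events for rule in detect(e)]


# Constructed records: four attacker actions and two benign look-alikes.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"name": "main", "enableLogFileValidation": False,
                           "isMultiRegionTrail": False, "includeGlobalServiceEvents": False}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"detectorId": "12abc34d567e8f901234a5b6c7890d12", "enable": False}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",  # self-service rotation
     "userIdentity": {"userName": "carol"}, "requestParameters": {"userName": "carol"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 0, "toPort": 65535,
          "ipRanges": {"items": [{"cidrIp": "203.0.113.5/32"}]}}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",  # benign
     "userIdentity": {"userName": "dave"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
]
```

Two things the rule set deliberately does not rely on: it does not need the trail to have been left intact, because event history keeps 90 days of management events independently of any trail, and it keys the security group rule on the port range rather than the source address, since a backdoor from a single /32 is exactly what the module above creates.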