Module Details
Enumerates existing roles in other AWS accounts to try and gain access via misconfigurations.
This module takes in an AWS account ID and tries to enumerate role names within that account. If one is discovered and it is misconfigured to allow role-assumption from a wide group, it is possible to assume that role and gain access to that AWS account through this method. NOTE: This module is listed under the recon_enum_no_keys category because it is not recommended to use compromised keys to run this module. This module DOES require a set of AWS keys, but it will spam CloudTrail with "AssumeRole" logs, so it is suggested to use a personal account to run this. The keys you use should have the sts:AssumeRole permission on any resource ("*") to identify/assume misconfigured roles, but you will still be able to enumerate roles that exist without it.
Enumerates IAM users in a separate AWS account, given the account ID.
This module takes in a valid AWS account ID and tries to enumerate existing IAM users within that account. It does so by trying to update the AssumeRole policy document of the role that you pass into --role-name. For your safety, it updates the policy with an explicit deny against the AWS account/IAM user, so that no security holes are opened in your account during enumeration. NOTE: It is recommended to use personal AWS access keys for this script, as it will spam CloudTrail with "iam:UpdateAssumeRolePolicy" logs. The target account will not see anything in their logs though! The keys used must have the iam:UpdateAssumeRolePolicy permission on the role that you pass into --role-name to be able to identify a valid IAM user.
Enumerates/bruteforces S3 buckets based on different parameters.
This module searches across every AWS region for a variety of bucket names derived from a domain name, its subdomains, supplied affixes, and more. Currently the tool only reports whether each bucket exists and whether it is listable.
Enumerates data about the account itself.
Determines information about the AWS account itself.
Enumerates account spend by service.
Display what services the account uses and how much is spent. Data is pulled from CloudWatch metrics and the AWS/Billing Namespace.
Enumerates CodeBuild builds and projects while looking for sensitive data.
This module enumerates all CodeBuild builds and projects, with the goal of finding sensitive information in the environment variables associated with each one, like passwords, secrets, or API keys.
Enumerates EBS volumes and snapshots and logs any without encryption.
This module will enumerate all of the Elastic Block Store volumes, snapshots, and snapshot permissions in the account and save the data to the current session. It will also note whether or not each volume/snapshot is encrypted, then write a list of the unencrypted volumes to ./sessions/[current_session_name]/downloads/unencrypted_ebs_volumes_[timestamp].csv and unencrypted snapshots to ./sessions/[current_session_name]/downloads/unencrypted_ebs_snapshots_[timestamp].csv in .CSV format.
Collects a list of EC2 instances without termination protection.
This module will check to see if EC2 instance termination protection is enabled for a set of instances. By default, this module will run against all instances. All instances with termination protection disabled will be written to a file at ./sessions/[current_session_name]/downloads/termination_protection_disabled_[timestamp].csv in .CSV format.
Downloads User Data from EC2 instances.
This module will take a list of EC2 instance IDs and request, then download, the User Data associated with each instance. All of the data will be saved to ./sessions/[session_name]/downloads/user_data.txt.
Enumerates a ton of relevant EC2 info.
The module is used to enumerate the following EC2 data from a set of regions on an AWS account: instances, security groups, elastic IP addresses, VPN customer gateways, dedicated hosts, network ACLs, NAT gateways, network interfaces, route tables, subnets, VPCs, and VPC endpoints. By default, all data will be enumerated, but if any arguments are passed in indicating what data to enumerate, only that specific data will be enumerated.
Enumerates Glue connections, crawlers, databases, development endpoints, and jobs.
This module enumerates all relevant data from AWS Glue, including connections, crawlers, databases, development endpoints, and jobs. By default, everything will be enumerated, but by passing the available arguments you can specify which data you want: if any arguments are passed in, only those data types will be enumerated, and if either all or none of the arguments are passed in, everything will be enumerated.
Tries to get a confirmed list of permissions for the current (or all) user(s).
This module will attempt to use IAM APIs to enumerate a confirmed list of IAM permissions for the current user. This is done by checking attached and inline policies for the user and the groups they are in.
Enumerates users, roles, customer-managed policies, and groups.
This module requests the info for all users, roles, customer-managed policies, and groups in the account. If no arguments are supplied, it will enumerate all four; if any are supplied, it will enumerate only those.
Generates and downloads an IAM credential report.
This module tries to download a credential report for the AWS account, giving a lot of authentication history/info for users in the account. If it does not find a report, it will prompt you to generate one. The report is saved to ./sessions/[current_session_name]/downloads/get_credential_report_[current_time].csv.
Captures vulnerabilities found when running a preconfigured Inspector report.
This module captures findings for reports in regions that support AWS Inspector. The optional argument --download-reports will automatically download any reports found into the session downloads directory under a folder named after the run id of the inspector report.
Enumerates data from AWS Lambda.
This module pulls data related to Lambda Functions, source code, aliases, event source mappings, versions, tags, and policies.
Captures common data associated with Lightsail.
This module examines Lightsail data fields and automatically enumerates them for all available regions. Available fields can be passed upon execution to only look at certain types of data. By default, all Lightsail fields will be captured.
An IAM privilege escalation path finder and abuser.
This module will scan for permission misconfigurations to see where privilege escalation will be possible. Available attack paths will be presented to the user and executed if chosen. Warning: Due to the way IAM policies are implemented, this module has a difficult time parsing "NotActions". If your user has any NotActions associated with them, it is recommended to manually verify the results of this module. NotActions are noted with a "!" preceding the action when viewing the results of the "whoami" command. For more information on what NotActions are, visit the following link: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
Inject malicious formulas/data into CloudTrail event history.
This module will attempt to create a CloudTrail trail with a malicious Microsoft Excel and/or Google Sheets formula as the name, and will also try to create an EC2 instance with the formula as the image ID. Both calls are expected to fail, but the failed events will still be logged to CloudTrail's "Event history" page, where the past 90 days of API calls are listed. The logs can be exported to a .csv file, and because of the way CloudTrail displays/exports the "Affected Resources" column, the formula supplied as a payload will attempt to execute when that file is opened. Payloads exist for both Microsoft Excel and Google Sheets. My blog post for this specific module is here: https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/. Further reading can be found here: https://www.we45.com/2017/02/14/csv-injection-theres-devil-in-the-detail/ and here: http://georgemauer.net/2017/10/07/csv-injection.html
Looks for Network Plane lateral movement opportunities.
Looks for DirectConnect, VPN or VPC Peering to understand where you can go once you compromise an instance inside a VPC.
Attempts to create an API Gateway key for any/all REST APIs that are defined.
This module automatically creates API keys for every available region. There is an included cleanup feature to remove old "Pacu" keys that are referenced by name.
Stops and restarts EC2 instances to execute code.
This module will attempt to stop the chosen EC2 instances, store/display the User Data that is already set for each EC2 instance, update it with a shell script (.sh) of your choosing, then start the instances again. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
Downloads Lightsail's default SSH key pairs.
This module downloads the account's default public and private SSH keys for AWS Lightsail.
Creates SSH keys for available regions in AWS Lightsail.
This module creates SSH keys that can be used to connect to Lightsail instances. New keys can be created, or a public key file can be passed to import a pre-existing key.
Creates temporary SSH keys for available instances in AWS Lightsail.
This module creates temporary SSH keys that can be used to connect to Lightsail instances, and downloads them into the session's download directory.
Tries to execute code as root/SYSTEM on EC2 instances.
This module tries to execute arbitrary code on EC2 instances as root/SYSTEM using EC2 Systems Manager. To do so, it will first try to enumerate EC2 instances that are running operating systems that have the Systems Manager agent installed by default. Then, it will attempt to find the Systems Manager IAM instance profile, or try to create it if it cannot find it. If successful, it will try to attach it to the instances enumerated earlier. Then it will use EC2 Run Command to execute arbitrary code on the EC2 instances as either root (Linux) or SYSTEM (Windows). If PacuProxy is listening and no command argument is passed in, then by default, this module will execute a PacuProxy stager on the target hosts to get a PacuProxy agent to route commands through/give you shell access. Note: Linux targets will run the command using their default shell (bash/etc.) and Windows hosts will run the command using PowerShell, so be wary of that when trying to run the same command against both operating systems. NOTE: Sometimes Systems Manager Run Command can delay the results of a call by a random amount. I have experienced 15 minute delays before my command was executed on the target, so if this module successfully completes and it seems that your command did not execute like it was supposed to, then wait at least 15 minutes before trying again.
Creates assume-role trust relationships between users and roles.
This module creates a trust relationship between one or more user accounts and one or more roles in the account, allowing those users to assume those roles.
Adds backdoor rules to EC2 security groups.
This module adds rules to backdoor EC2 security groups. It attempts to open ingress port ranges from an IP of your choice.
Adds API keys to other users.
This module attempts to add an AWS API key to users in the account. If all users are to be backdoored and it has not already been run, this module will run "enum_users_roles_policies_groups" to fetch all of the users in the account.
Adds a password to users without one.
This module attempts to add a password to users in the account. If all users are to be backdoored and it has not already been run, this module will run "enum_users_roles_policies_groups" to fetch all of the users in the account. Passwords cannot be added to user accounts that 1) have a password already or 2) have ever had a password, regardless of whether it has been used before or not. If the module detects that a user already has a password, that user will be ignored.
Downloads CloudTrail event history to JSON files.
This module will download the CloudTrail event history for each specified region in JSON format to ./sessions/[current_session_name]/downloads/cloudtrail_[region]_event_history_[timestamp].json. Warning: This module can take a very long time to complete because the maximum number of events per API call is 50, when there could be tens or hundreds of thousands or more total events to download. A rough estimate is about 10000 events retrieved per five minutes.
Captures CloudWatch logs and downloads them to the session downloads folder.
This module examines all logs for all regions and saves them as CSV files. By default, only events that were logged in the past 24 hours will be captured. Otherwise, they will be captured based on the passed time arguments. The files will be downloaded in a similar format to pacu/sessions/{session}/downloads/cloud_watch_logs/{timestamp}, with session being the active session, and timestamp being the start of this module's execution.
Disables, deletes, or minimizes various logging/monitoring services.
This module will take enumerated CloudTrail trails, GuardDuty detectors, various Config settings, CloudWatch alarms, and VPC flow logs and present you with the option of disabling or deleting each one. For CloudTrail, you also have the option of minimizing it. Minimizing a trail leaves it enabled, but changes all the settings to their very basic level. These changes include: removing the associated SNS topic, disabling global service event logging, disabling multi-regional log collection, disabling log file validation, and removing the associated CloudWatch log group/role. The idea of this is to minimize the amount of logging in the environment without calling dangerous APIs like disable or delete.
Detects monitoring and logging capabilities.
This module will enumerate the different logging and monitoring capabilities that have been implemented in the current AWS account. By default the module will enumerate all services that it supports, but by specifying the individual arguments, it is possible to target specific services. The supported services include CloudTrail, CloudWatch, Config, Shield, VPC, and GuardDuty. Not all regions contain support for AWS Config aggregators, so no attempts are made to obtain aggregators in unsupported regions. When a permission issue is detected for an action, future attempts to call that action will be skipped. If permissions to enumerate a service have all been invalidated, the enumeration of that service will stop for all subsequent regions and the module will continue execution.
Collects a list of Elastic Load Balancers without access logging.
This module will enumerate all EC2 Elastic Load Balancers and save their data to the current session, as well as write a list of ELBs with logging disabled to ./sessions/[current_session_name]/downloads/elbs_no_logs_[timestamp].csv.
Adds an IP address to the list of trusted IPs in GuardDuty.
This module accepts a file containing IPv4 addresses and adds them to the GuardDuty list of trusted IPs to basically disable security alerts against these IPs. A remote file location is required for this list, as that is what the GuardDuty API requires. Note: This will not erase any existing GuardDuty findings, it will only prevent future findings related to the included IP addresses. WARNING: Only one list of trusted IP addresses is allowed per GuardDuty detector. This module will prompt you to delete an existing list if you would like, but doing so could have unintended bad consequences on the target AWS environment.
Detects rules and rule groups for WAF.
This module will enumerate WAF. The enumerated data includes the rule groups, rules and matching sets for those rules. Global WAF settings are enumerated the same as each individually-configured region, but they are stored separately in the Pacu database.
Restores and attaches EBS volumes/snapshots to an EC2 instance of your choice.
This module will cycle through existing EBS volumes and create snapshots of them, then restore those snapshots and existing snapshots to new EBS volumes, which will then be attached to the supplied EC2 instance for you to mount. This will give you access to the files on the various volumes, where you can then look for sensitive information. Afterwards, it will clean up the created volumes and snapshots by detaching them from your instance and removing them from the AWS account.
Enumerates and dumps files from S3 buckets.
This module scans the current account for S3 buckets and prints/stores as much data as it can about each one. With no arguments, this module will enumerate all buckets the account has access to, then prompt you whether or not to download all files in each bucket. Use --names-only or --dl-names to change that. The files will be downloaded to ./sessions/[current_session_name]/downloads/dl_s3_bucket/.