Module Details
Enumerates/bruteforces S3 buckets based on different parameters.
This module produces bucket name permutations based on a given name and a list of keywords. If bruteforcing, the keyword list is downloaded automatically from RhinoSecurityLabs; otherwise the module can refer to a user-supplied list of keywords. After the bucket name list is created, the combinations are tested and two lists of buckets are recorded: buckets that exist, and buckets that are listable.
Tries to get a confirmed list of permissions for the current user.
User permissions are obtained from the user itself, the groups the user belongs to, policies attached to the user, and policies attached to those groups.
Downloads user data from EC2 instances.
EC2 information is downloaded to core/sessions/[session.name]/downloads/user_data.txt. Only User Data is obtained by this module. This information is essentially a shell script that the instance is given to run when it is launched. The module depends on the enum_ec2 module, which provides the list of EC2 instances to query.
Restores and attaches EBS volumes/snapshots to an EC2 instance of your choice.
This module will cycle through existing EBS volumes and create snapshots of them, then restore those snapshots and existing snapshots to new EBS volumes, which will then be attached to the supplied EC2 instance for you to mount. This gives you access to the files on the various volumes, where you can then look for sensitive information. Afterwards, it will clean up the created volumes and snapshots by detaching them from your instance and removing them from the AWS account.
Enumerates data about the account itself.
Determines information about the AWS account itself.
Enumerates existing roles in other AWS accounts to try to gain access via misconfigurations.
This module takes in an AWS account ID and tries to enumerate role names within that account. If one is discovered and it is misconfigured to allow role assumption from a wide group, it is possible to assume that role and gain access to that AWS account through this method. NOTE: This module is listed under the recon_enum_no_keys category because it is not recommended to use compromised keys to run this module. This module DOES require a set of AWS keys, but it will spam CloudTrail with "AssumeRole" logs, so it is suggested to use a personal account to run this. The keys you use should have the sts:AssumeRole permission on any resource ("*") to identify/assume misconfigured roles, but you will still be able to enumerate roles that exist without it.
Enumerates CodeBuild builds and projects while looking for sensitive data.
This module enumerates all CodeBuild builds and projects, with the goal of finding sensitive information in the environment variables associated with each one, like passwords, secrets, or API keys.
Enumerates EBS volumes and snapshots and logs any without encryption.
Volumes and snapshots are data stores provided by Elastic Block Store (EBS). Volumes are treated similarly to a physical hard drive that is swappable between machines and maintains its state separately from a specific EC2 instance. Snapshots are incremental backups of volumes and contain the changed data blocks of a volume.
Gather data from EC2 instances.
This module is designed to take a set of user keys and query relevant information to get a better understanding of the network architecture of a target's account. By default, all information is retrieved, but arguments can be passed to filter out specific results. Before any calls to AWS itself are made, dry runs are performed to ensure that the user has the proper permissions to run the commands, rather than failing partway through the module's execution.
Gather a list of EC2 instances without termination protection.
EC2 termination protection assigns an additional verification step before an instance can be deleted. This module scans all EC2 instances in the specified regions and checks each instance individually for the termination protection attribute.
Gather a list of Elastic Load Balancers and Elastic Load Balancers with logging disabled.
This module is designed to gather a list of all Elastic Load Balancers and store the data found in the Pacu database. Multiple calls might be necessary, but the module ensures that all load balancers are stored in increments of 400. After all of the load balancers have been collected and stored in the database, each individual load balancer is checked and the load balancers that have logging disabled are stored in the database.
Enumerates Glue connections, crawlers, databases, development endpoints, and jobs.
Glue is an AWS service that builds and manages data warehouses. This module examines Glue for any possible security vulnerabilities. Connection information displays any relevant connection details from Glue to other data sources. Crawlers contain information on the databases they gather raw data from, their schedule, any schema information on the tables they crawl, and especially their targets. DevEndpoints contain information on Glue development endpoints and their relevant network and authentication settings. Database objects are also queried, which contain descriptions and their locations.
Enumerates IAM users in a separate AWS account, given the account ID.
This module takes in a valid AWS account ID and tries to enumerate existing IAM users within that account. It does so by trying to update the AssumeRole policy document of the role that you pass into --role-name. For your safety, it updates the policy with an explicit deny against the AWS account/IAM user, so that no security holes are opened in your account during enumeration. NOTE: It is recommended to use personal AWS access keys for this script, as it will spam CloudTrail with "iam:UpdateAssumeRolePolicy" logs. The target account will not see anything in their logs though! The keys used must have the iam:UpdateAssumeRolePolicy permission on the role that you pass into --role-name to be able to identify a valid IAM user.
Pulls data related to Lambda Functions, source code, aliases, event source mappings, versions, tags, and policies.
This module gathers information related to Lambda functions including the function name and ARN. Other useful information enumerated includes a link to download the source for each function, aliases, event source mappings, versions, policies, and tags. The --all-versions flag can be set when running this module to pull all function versions instead of just the latest.
Looks for Network Plane lateral movement opportunities.
Looks for DirectConnect, VPN or VPC Peering to understand where you can go once you compromise an instance inside a VPC.
Examines Lightsail data fields and automatically enumerates them for all available regions.
This module gathers information related to Lightsail, including active-names, blueprints, bundles, instances, key-pairs, operations, static-ips, disks, disk-snapshots, and load-balancers. By default, all fields are captured; otherwise, specific fields can be specified.
Detects monitoring and logging capabilities.
This module gathers information from AWS Shield (DDoS protection), CloudTrail (security auditing), and GuardDuty (log monitoring). If there is a Shield subscription in place, this module will collect data related to the length of the subscription and any protection limits. CloudTrail data includes relevant information such as any S3 buckets where the logs are delivered, and whether log file validation is enabled so that tampering with the logs can be detected. Any GuardDuty information relates to detector IDs and the respective regions where they are active.
Enumerates permissions using brute force.
This module will automatically run through all possible API calls in order to enumerate permissions without relying on IAM permissions to read policies.
Enumerates account spend by service.
Displays what services the account uses and how much is spent. Data is pulled from CloudWatch metrics and the AWS/Billing Namespace.
Enumerates users, roles, customer-managed policies, and groups.
This module collects information from all users, roles, custom policies, and groups. Only customer-managed policies are captured; default AWS-managed policies are skipped.
Detects rules and rule groups for WAF.
This module will enumerate WAF. The enumerated data includes the rule groups, rules, and matching sets for those rules. Global WAF settings are enumerated in the same way as each individually configured region, but they are stored separately in the Pacu database.
Generates and downloads an IAM credential report.
The credential report is produced by AWS IAM; the module decodes the report into CSV format and downloads it to the respective core/sessions/{session.name}/downloads folder. The fields include user, arn, user password information, MFA status, access_key information, certificate information, and more.
WARNING: This module will make changes to the AWS environment.
Enumerates and dumps files from S3 buckets.
This module downloads either all files from a chosen set of the user's buckets, selected files listed in a given file with one filename.ext@bucketname entry per line, or all files from every one of the user's buckets. Great care must be taken when downloading files, because terabytes of data could potentially be downloaded.
Files are downloaded to core/sessions/{session.name}/downloads/s3_dump/{bucket}/{s3_obj_key}.
File names are written to core/sessions/{session.name}/downloads/s3_dump/s3_bucket_dump_file_names.txt.
Captures vulnerabilities found when running a preconfigured Inspector report.
This module captures findings for reports in regions that support AWS Inspector. The optional argument --download-reports will automatically download any reports found into the session downloads directory under a folder named after the run id of the inspector report.
Stops and restarts EC2 instances to execute code as the root or SYSTEM user.
This module will attempt to stop the chosen EC2 instances, store/display the User Data that is already set for each EC2 instance, update it with a shell script (.sh) of your choosing, then start the instances again. The shell script will be executed as root/SYSTEM every time the specific instances are booted.
WARNING: This module will make changes to the AWS environment.
Adds backdoor rules to EC2 security groups.
This module adds rules to backdoor EC2 security groups. It attempts to open ingress port ranges from an IP of your choice.
WARNING: This module will make changes to the AWS environment.
Injects malicious formulas/data into CloudTrail event history.
This module will attempt to create a CloudTrail trail with a malicious Microsoft Excel and/or Google Sheets formula as the name, as well as try to create an EC2 instance with the formula as the image ID. Neither call is expected to succeed, but the failed events will still be logged to CloudTrail's "Event history" page, where the past 90 days of API calls are listed. The logs can be exported to a .csv file, and due to the way that CloudTrail displays/exports the "Affected Resources" column, the formula we supply as a payload will attempt to execute. Payloads exist for both Microsoft Excel and Google Sheets. My blog post for this specific module is here: https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/. Further reading can be found here: https://www.we45.com/2017/02/14/csv-injection-theres-devil-in-the-detail/ and here: http://georgemauer.net/2017/10/07/csv-injection.html
Attempts to create an API gateway key for a (or all) rest APIs that are defined.
This module automatically creates API keys for every available region. There is an included cleanup feature to remove old "Pacu" keys that are referenced by name.
WARNING: This module will make changes to the AWS environment.
Downloads Lightsail's default SSH key pairs.
This module downloads the account's default public and private SSH keys for AWS Lightsail.
Creates SSH keys for available regions in AWS Lightsail.
This module creates SSH keys that can be used to connect to Lightsail instances. New keys can be created, or a public key file can be passed to import a pre-existing key.
WARNING: This module will make changes to the AWS environment.
Creates temporary SSH keys for available instances in AWS Lightsail.
This module creates temporary SSH keys that can be used to connect to Lightsail instances, and downloads them into the session's download directory.
WARNING: This module will make changes to the AWS environment.
Tries to execute code as root/SYSTEM on EC2 instances.
This module tries to execute arbitrary code on EC2 instances as root/SYSTEM using EC2 Systems Manager. To do so, it will first try to enumerate EC2 instances that are running operating systems with the Systems Manager agent installed by default. Then, it will attempt to find the Systems Manager IAM instance profile, or try to create it if it cannot be found. If successful, it will try to attach it to the instances enumerated earlier. Then it will use EC2 Run Command to execute arbitrary code on the EC2 instances as either root (Linux) or SYSTEM (Windows). If PacuProxy is listening and no command argument is passed in, then by default this module will execute a PacuProxy stager on the target hosts to get a PacuProxy agent to route commands through/give you shell access. Note: Linux targets will run the command using their default shell (bash/etc.) and Windows hosts will run the command using PowerShell, so be wary of that when trying to run the same command against both operating systems.
WARNING: This module will make changes to the AWS environment.
Creates assume-role trust relationships between users and roles.
This module creates a trust relationship between one or more user accounts and one or more roles in the account, allowing those users to assume those roles.
WARNING: This module will make changes to the AWS environment.
An IAM privilege escalation path finder and abuser.
This module will scan for permission misconfigurations to see where privilege escalation will be possible. Available attack paths will be presented to the user and executed if chosen.
WARNING: This module will make changes to the AWS environment.
Adds API keys to other users.
This module attempts to add an AWS API key to users in the account. If all users are to be backdoored and the "enum_users_roles_policies_groups" module has not already been run, this module will run it first to fetch all of the users in the account.
WARNING: This module will make changes to the AWS environment.
Adds a password to users without one.
This module attempts to add a password to users in the account. If all users are to be backdoored and the "enum_users_roles_policies_groups" module has not already been run, this module will run it first to fetch all of the users in the account. Passwords cannot be added to user accounts that 1) have a password already or 2) have ever had a password, regardless of whether it has been used. If the module detects that a user already has a password, that user will be skipped.
WARNING: This module will make changes to the AWS environment.
Downloads CloudTrail event history to JSON files.
This module will download the CloudTrail event history for each specified region in JSON format to ./sessions/[current_session_name]/downloads/cloudtrail_[region]event_history[timestamp].json.
Downloads CloudWatch logs to CSV files.
This module will download CloudWatch logs for log groups found in a given time period to ./sessions/[current_session_name]/downloads/cloud_watch_logs/[timestamp]/.
Disables, deletes, or minimizes various logging/monitoring services.
This module will take enumerated CloudTrail trails, GuardDuty detectors, various Config settings, CloudWatch alarms, and VPC flow logs and present you with the option of disabling or deleting each one. For CloudTrail, you also have the option of minimizing it. Minimizing a trail leaves it enabled, but changes all the settings to their most basic level. These changes include: removing the associated SNS topic, disabling global service event logging, disabling multi-region log collection, disabling log file validation, and removing the associated CloudWatch log group/role. The idea is to minimize the amount of logging in the environment without calling dangerous APIs like disable or delete.
WARNING: This module will make changes to the AWS environment.
Adds an IP address to the list of trusted IPs in GuardDuty.
This module accepts a file containing IPv4 addresses and adds them to the GuardDuty list of trusted IPs, which effectively disables security alerts for these IPs. A remote file location is required for this list, as that is what the GuardDuty API requires. Note: This will not erase any existing GuardDuty findings; it will only prevent future findings related to the included IP addresses. WARNING: Only one list of trusted IP addresses is allowed per GuardDuty detector. This module will prompt you to delete an existing list if you would like, but doing so could have unintended consequences in the target AWS environment.
WARNING: This module will make changes to the AWS environment.