-
Notifications
You must be signed in to change notification settings - Fork 705
Home
Pacu is an AWS exploitation tool that provides tools for performing reconnaissance, automated exploitation of vulnerabilities, persistence, and log disruption.
$ git clone https://github.com/RhinoSecurityLabs/pacu
$ cd Pacu
$ pip install -r requirements.txt
More in-depth guide can be found here.
$ python pacu.py
Note: Upon launching Pacu for the first time, you will be asked to create a new session.
A tutorial can be found here.
If you are ever stuck, help
will bring up a list of commands that are available.
-
list
will list the available modules for the regions that were set in the current session. -
help module_name
will return the applicable help information for the specified module. -
run module_name
will run the specified module with its default parameters. -
run module_name --regions eu-west-1,us-west-1
will run the specified module against the eu-west-1 and us-west-1 regions (for modules that support the --regions argument)
Included with Pacu are some default modules. Full descriptions can be found here.
- buckethead_s3_enum
- Enumerates/bruteforces S3 buckets based on different parameters.
- confirm_permissions
- Tries to get a confirmed list of permissions for the current user.
- download_ec2_userdata
- Downloads user data from EC2 instances.
- enum_cloudtrails
- Enumerates CloudTrail trails, mainly for other modules.
- enum_ebs_volumes_snapshots
- Enumerates EBS volumes and snapshots and logs any without encryption.
- enum_ec2
- Enumerates a ton of relevant EC2 info.
- enum_ec2_termination_protection
- Collects a list of EC2 instances without termination protection.
- enum_elb_logging
- Collects a list of Elastic Load Balancers without access logging.
- enum_glue
- Enumerates Glue connections, crawlers, databases, development endpoints, and jobs.
- enum_monitoring
- Detects monitoring and logging capabilities.
- enum_users_roles_policies_groups
- Enumerates users, roles, customer-managed policies, and groups.
- get_credential_report
- Generates and downloads an IAM credential report.
- s3_bucket_dump
- Enumerate and dumps files from S3 buckets.
- add_ec2_startup_sh_script
- Stops and restarts EC2 instances to execute code.
- backdoor_ec2_sec_groups
- Adds backdoor rules to EC2 security groups.
- cloudtrail_csv_injection
- Inject malicious formulas/data into CloudTrail event history.
- download_lightsail_ssh_keys
- Downloads Lightsails default SSH key pairs.
- backdoor_assume_role
- Creates assume-role trust relationships between users and roles.
- privesc_scan
- An IAM privilege escalation path finder and abuser.
- backdoor_users_keys
- Adds API keys to other users.
- backdoor_users_password
- Adds a password to users without one.
- dl_cloudtrail_event_history
- Downloads CloudTrail event history to JSON files.
A key design philosophy for Pacu is the inclusion of modules with a standardized format to allow for simple, but powerful scripts that work well together, but can be customized to fit a developer's needs.
More information on module development can be found here.
Unfamaliar terms and specific terminology are located here.
- Home
- AWS Basics and Security
- User Information
- Developer Information
- Warnings and Disclaimers
- FAQ