Skip to content
alexanderinsa edited this page Jun 26, 2018 · 33 revisions

Overview

Table of Contents

Description

Pacu is an AWS exploitation tool that provides tools for performing reconnaissance, automated exploitation of vulnerabilities, persistence, and log disruption.

Quick Start Guide

Requirements

Installation

$ git clone https://github.com/RhinoSecurityLabs/pacu
$ cd Pacu
$ pip3 install -r requirements.txt

More in-depth guide can be found here.

Getting Started

$ python pacu.py

Note: Upon launching Pacu for the first time, you will be asked to create a new session.

Usage

If you are ever stuck, help will bring up a list of commands that are available.

Useful Commands

  • list will list the available modules for the regions that were set in the current session.
  • help module_name will return the applicable help information for the specified module.
  • run module_name will run the specified module with its default parameters.
  • run module_name --regions eu-west-1,us-west-1 will run the specified module against the eu-west-1 and us-west-1 regions (for modules that support the --regions argument)

Modules

Included with Pacu are some default modules. Full descriptions can be found here.

Recon

buckethead_s3_enum - Enumerates/bruteforces S3 buckets based on different parameters.

confirm_permissions - Tries to get a confirmed list of permissions for the current user.

download_ec2_userdata - Downloads user data from EC2 instances.

enum_ebs_volumes_snapshots - Enumerates EBS volumes and snapshots and logs any without encryption.

enum_ec2 - Enumerates a ton of relevant EC2 info.

enum_ec2_termination_protection - Collects a list of EC2 instances without termination protection.

enum_elb_logging - Collects a list of Elastic Load Balancers without access logging.

enum_glue - Enumerates Glue connections, crawlers, databases, development endpoints, and jobs.

enum_monitoring - Detects monitoring and logging capabilities.

enum_users_roles_policies_groups - Enumerates users, roles, customer-managed policies, and groups.

get_credential_report - Generates and downloads an IAM credential report.

s3_bucket_dump - Enumerate and dumps files from S3 buckets.

Post Exploitation

add_ec2_startup_sh_script - Stops and restarts EC2 instances to execute code.

backdoor_ec2_sec_groups - Adds backdoor rules to EC2 security groups.

cloudtrail_csv_injection - Inject malicious formulas/data into CloudTrail event history.

download_lightsail_ssh_keys - Downloads Lightsails default SSH key pairs.

Escalation

backdoor_assume_role - Creates assume-role trust relationships between users and roles.

privesc_scan - An IAM privilege escalation path finder and abuser.

Persistence

backdoor_users_keys - Adds API keys to other users.

backdoor_users_password - Adds a password to users without one.

Logging

dl_cloudtrail_event_history - Downloads CloudTrail event history to JSON files.


Module Development

A key design philosophy for Pacu is the inclusion of modules with a standardized format to allow for simple, but powerful scripts that work well together, but can be customized to fit a developer's needs.

More information on module development can be found here.

Glossary

Unfamaliar terms and specific terminology are located here.