Module Details
Downloads EBS snapshots
This module uses the EBS direct API to download specific snapshots to your computer. These can then be mounted and explored using either Docker or Vagrant. For more information on how to mount these snapshots, see https://github.com/RhinoSecurityLabs/dsnap#mounting-in-vagrant.
Creates copies of running RDS databases to access protected information
Creates a snapshot of all database instances, restores new database instances from those snapshots, and then changes the master password to allow access to the copied database. After the database has been created, the connection information is given. After interactions with the database are complete, the temporary resources are deleted. If there is an unexpected crash during the module's execution, the subsequent run of the module will attempt to clean up any leftover temporary resources.
Enumerates and dumps files from S3 buckets.
This module scans the current account for AWS buckets and prints/stores as much data as it can about each one. With no arguments, this module will enumerate all buckets the account has access to, then prompt you to download all files in the bucket or not. Use --names-only or --dl-names to change that. The files will be downloaded to ~/.local/share/pacu/sessions/[current_session_name]/downloads/s3__download_bucket/.
Enumerates EBS snapshots using a keyword, account ID, or wordlists.
This module will enumerate all the EBS snapshots across all regions, looking for snapshots that contain a specific keyword in their description, associated with a specific account ID, or match keywords/account IDs from wordlists. The results will be saved in the session's directory and printed to the console in the summary if there are 25 or fewer results.
Enumerates IAM roles in a separate AWS account, given the account ID.
This module takes in a valid AWS account ID and tries to enumerate existing IAM roles within that account. It does so by trying to update the AssumeRole policy document of the role that you pass into --role-name, if one is passed, or of a newly created role. For your safety, it updates the policy with an explicit deny against the AWS account/IAM role, so that no security holes are opened in your account during enumeration. NOTE: It is recommended to use personal AWS access keys for this script, as it will spam CloudTrail with "iam:UpdateAssumeRolePolicy" logs and a few "sts:AssumeRole" logs. The target account will not see anything in their logs though, unless you find a misconfigured role that allows you to assume it. The keys used must have the iam:UpdateAssumeRolePolicy permission on the role that you pass into --role-name to be able to identify a valid IAM role, and the sts:AssumeRole permission to try and request credentials for any enumerated roles.
Enumerates IAM users in a separate AWS account, given the account ID.
This module takes in a valid AWS account ID and tries to enumerate existing IAM users within that account. It does so by trying to update the AssumeRole policy document of the role that you pass into --role-name. For your safety, it updates the policy with an explicit deny against the AWS account/IAM user, so that no security holes are opened in your account during enumeration. NOTE: It is recommended to use personal AWS access keys for this script, as it will spam CloudTrail with "iam:UpdateAssumeRolePolicy" logs. The target account will not see anything in their logs though! The keys used must have the iam:UpdateAssumeRolePolicy permission on the role that you pass into --role-name to be able to identify a valid IAM user.
Attempts to create an API Gateway key for any/all REST APIs that are defined.
This module automatically creates API keys for every available region. There is an included cleanup feature to remove old "Pacu" keys that are referenced by name.
Attacks user pool clients and identity pools by creating users and exploiting misconfigurations.
Attempts to retrieve IAM credentials from identity pools, create (or log in) a Cognito user with each user pool client, search and modify custom user attributes, assume extra user roles, and obtain IAM credentials at each step to facilitate privilege escalation. A standard attack on an external AWS account requires four arguments: username, password, and user pool client or identity pool (ideally both). An attack on the current Pacu session's AWS account requires two arguments: username and password. If no other arguments are specified, cognito__enum will first be run to populate the Cognito database.
Restores and attaches EBS volumes/snapshots to an EC2 instance of your choice.
This module will cycle through existing EBS volumes and create snapshots of them, then restore those snapshots and existing snapshots to new EBS volumes, which will then be attached to the supplied EC2 instance for you to mount. This will give you access to the files on the various volumes, where you can then look for sensitive information. Afterwards, it will clean up the created volumes and snapshots by detaching them from your instance and removing them from the AWS account.
Stops and restarts EC2 instances to execute code.
This module will attempt to stop the chosen EC2 instances, store/display the User Data that is already set for each EC2 instance, update it with a shell script (.sh) of your choosing, then start the instances again. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
Backdoors ECS Task Definitions to steal credentials.
This module will enumerate a provided docker image and attempt to find a method to deliver a malicious shell script to the container.
Downloads Lightsail's default SSH key pairs.
This module downloads the account's default public and private SSH keys for AWS Lightsail.
Creates SSH keys for available regions in AWS Lightsail.
This module creates SSH keys that can be used to connect to Lightsail instances. New keys can be created, or a public key file can be passed to import a pre-existing key.
Creates temporary SSH keys for available instances in AWS Lightsail.
This module creates temporary SSH keys that can be used to connect to Lightsail instances, and downloads them into the session's download directory.
Tries to execute code as root/SYSTEM on EC2 instances.
This module tries to execute arbitrary code on EC2 instances as root/SYSTEM using EC2 Systems Manager. To do so, it will first try to enumerate EC2 instances that are running operating systems that have the Systems Manager agent installed by default. Then, it will attempt to find the Systems Manager IAM instance profile, or try to create it if it cannot find it. If successful, it will try to attach it to the instances enumerated earlier. Then it will use EC2 Run Command to execute arbitrary code on the EC2 instances as either root (Linux) or SYSTEM (Windows). Note: Linux targets will run the command using their default shell (bash/etc.) and Windows hosts will run the command using PowerShell, so be wary of that when trying to run the same command against both operating systems. NOTE: Sometimes Systems Manager Run Command can delay the results of a call by a random amount. I have experienced 15 minute delays before my command was executed on the target, so if this module successfully completes and it seems that your command did not execute like it was supposed to, then wait at least 15 minutes before trying again.
Resource Injection in CloudFormation Templates
Given an S3 bucket used for storing CloudFormation templates to be deployed, this module will set up S3 bucket notifications to trigger a Lambda in another account when these templates are uploaded. This Lambda will then inject an IAM admin role into the template. Assuming this modification happens before the template is deployed, the user deploying is an admin, and the deployment is made with the CAPABILITY_IAM permission (more than likely the case), our IAM role will be deployed with the rest of the resources.
Currently, it takes just under a second for templates to be updated, so this module will be most effective against deployment processes that have some delay between the upload and deploy steps. The CloudFormation console wizard is a good target for this; however, there may be other cases that work here as well.
After our IAM role is deployed, it will have a trust policy set up to allow AssumeRole from the IAM identity specified by the '--principal' argument. If this isn't specified, the principal will be the root principal of the account used for the '--attacker-key' credentials.
The '--*-key' arguments should reference Pacu credentials set up through 'set_keys'. There are a few separate credentials needed for this module; these are described below.
This module is designed to make use of a secondary account where you have full access. This is where the lambda is deployed and it eliminates the need to have the permissions necessary in the target account to run lambda deploys. The credentials for this account should be specified with the '--attacker-key' argument.
The '--s3-access-key' should have GetObject, PutObject, PutBucketNotification, and GetBucketNotification permissions to the targeted S3 bucket. This credential will be used to set up notifications on the targeted S3 bucket as well as hardcoded in the lambda during deployment and used to read and write templates when triggered.
Optionally, you can split the PutBucketNotification and GetBucketNotification permissions out into a separate key using '--s3-notifications-setup-key'. If this is not specified, it's assumed that '--s3-access-key' has the necessary permissions.
A specific bucket can be targeted with the '--bucket' argument. If this is not specified, Pacu will attempt to enumerate 'cf-template-*' buckets and prompt for the target bucket.
An IAM privilege escalation path finder and abuser.
This module will scan for permission misconfigurations to see where privilege escalation will be possible. Available attack paths will be presented to the user and executed if chosen. Warning: Due to the implementation in IAM policies, this module has a difficult time parsing "NotActions". If your user has any NotActions associated with them, it is recommended to manually verify the results of this module. NotActions are noted with a "!" preceding the action when viewing the results of the "whoami" command. For more information on what NotActions are, visit the following link: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
Enumerates information about the AWS Certificate Manager.
This module is used to list and get information about ACM certificates, list expired certificates, and get info about private CAs which can generate certs. Expired certificates can provide an opportunity for takeover if the domain has expired, or can be abused for client interaction as well. All certs, cert chains, and CAs discovered are written to the "downloads" folder in the relevant 'sessions' folder.
Enumerate API Gateway.
Enumerate API Gateway. For each API this module enumerates available routes, methods, API keys and client certificates. Results and Swagger definitions will be exported to the session download directory.
Enumerates data about the account itself.
Determines information about the AWS account itself.
Enumerates account spend by service.
Display what services the account uses and how much is spent. Data is pulled from CloudWatch metrics and the AWS/Billing Namespace.
Downloads all templates, parameters, and exports from CloudFormation Stacks.
Downloads all templates, parameters, and exports from CloudFormation Stacks. Looks for secrets in all and saves data to files.
Enumerates CodeBuild builds and projects while looking for sensitive data
This module enumerates all CodeBuild builds and projects, with the goal of finding sensitive information in the environment variables associated with each one, like passwords, secrets, or API keys.
Enumerates Cognito information in the current AWS account.
The module is used to enumerate the following Cognito data in the current AWS account: users, user pool clients, user pools and identity pools. By default, all data will be enumerated, but if any arguments are passed in indicating what data to enumerate, only that specified data will be enumerated.
Enumerates data from DynamoDB.
This module enumerates information about DynamoDB tables and can also attempt to dump the table values to a file.
Enumerates EBS volumes and snapshots and logs any without encryption.
This module will enumerate all of the Elastic Block Store volumes, snapshots, and snapshot permissions in the account and save the data to the current session. It will also note whether or not each volume/snapshot is encrypted, then write a list of the unencrypted volumes to ~/.local/share/pacu/sessions/[current_session_name]/downloads/unencrypted_ebs_volumes_[timestamp].csv and unencrypted snapshots to ~/.local/share/pacu/sessions/[current_session_name]/downloads/unencrypted_ebs_snapshots_[timestamp].csv in .CSV format.
Collects a list of EC2 instances without termination protection.
This module will check to see if EC2 instance termination protection is enabled for a set of instances. By default, this module will run against all instances. All instances with termination protection disabled will be written to a file at ~/.local/share/pacu/sessions/[current_session_name]/downloads/termination_protection_disabled_[timestamp].csv in .CSV format.
Downloads User Data from EC2 instances/launch templates.
This module will take a list of EC2 instance IDs and/or EC2 launch template IDs and request then download the User Data associated with each instance/template. All of the data will be saved to ~/.local/share/pacu/sessions/[session_name]/downloads/ec2_user_data/.
Enumerates a ton of relevant EC2 info.
The module is used to enumerate the following EC2 data from a set of regions on an AWS account: instances, security groups, elastic IP addresses, VPN customer gateways, dedicated hosts, network ACLs, NAT gateways, network interfaces, route tables, subnets, VPCs, and VPC endpoints. By default, all data will be enumerated, but if any arguments are passed in indicating what data to enumerate, only that specific data will be enumerated.
Enumerates repositories and relevant images/tags.
This module enumerates information about all ECR images and repositories within Elastic Container Registry (ECR). It writes the JSON results found to the "downloads" folder within the sessions folder.
This module enumerates information from ECS
This module enumerates available information from ECS
Parses task definitions from ECS tasks
This module will pull task definitions for ECS clusters.
This module enumerates over EKS resources.
This module enumerates over EKS resources.
Enumerates Glue connections, crawlers, databases, development endpoints, and jobs.
This module enumerates all relevant data from AWS Glue, including connections, crawlers, databases, development endpoints, and jobs. By default, everything will be enumerated, but by passing available arguments, you can specify what data you want: if any arguments are passed in, only the passed-in arguments will be enumerated, but if either all or no arguments are passed in, everything will be enumerated.
Lists the GuardDuty master account, and other accounts that are linked to GuardDuty, which can provide us more lateral movement scope.
This module lists accounts that are linked to the current GuardDuty account, which provides a list of more accounts that we can laterally move into. The module also determines the master account that acts as the administration account for GuardDuty, and also any other accounts within the organization.
Gets the GuardDuty statistics and finding details from all GuardDuty detectors.
This module lists all the GuardDuty findings available from the AWS console for each identified detector. It requires that the prerequisite module has been run first to ensure that all detectors for which findings need to be pulled have been populated. The results are written to ~/.local/share/pacu/sessions//guardduty/.
Enumerates permissions using brute force
This module will automatically run through all possible API calls of supported services in order to enumerate permissions without the use of the IAM API.
This module decodes an access key ID to get the AWS account ID. Based on: https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489
This module decodes an access key ID to get the AWS account ID without making any AWS API calls. Based on: https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489
Checks if the active set of keys are known to be honeytokens.
This module checks if the active set of keys are known to be honeytokens and in the process, it enumerates some identifying information about the keys. All of this is done without ever leaving a log in CloudTrail, because it uses AWS SNS for enumeration, which CloudTrail does not support. Note: Even if you know your keys are not honey keys, this module can be used to enumerate information like the account ID, user/role path, user/role name, and role session name if there is one.
Allows you to query enumerated user and role permissions.
This module allows you to query IAM permissions for users and roles and see what resources, if any, they have those permissions on. For example: --query s3:get*,iam:create*.
Tries to get a confirmed list of permissions for the current (or all) user(s).
This module will attempt to use IAM APIs to enumerate a confirmed list of IAM permissions for users/roles in the account. By default, the owner of the active set of keys is targeted. This is done by checking attached and inline policies for the user and the groups they are in.
Enumerates users, roles, customer-managed policies, and groups.
This module requests the info for all users, roles, customer-managed policies, and groups in the account. If no arguments are supplied, it will enumerate all four; if any are supplied, it will enumerate those only.
Generates and downloads an IAM credential report.
This module tries to download a credential report for the AWS account, giving a lot of authentication history/info for users in the account. If it does not find a report, it will prompt you to generate one. The report is saved in ~/.local/share/sessions/[current_session_name]/downloads/get_credential_report_[current_time].csv
Captures vulnerabilities found when running a preconfigured Inspector report.
This module captures findings for reports in regions that support AWS Inspector. The optional argument --download-reports will automatically download any reports found into the session downloads directory under a folder named after the run id of the inspector report.
Enumerates data from AWS Lambda.
This module pulls data related to Lambda Functions, source code, aliases, event source mappings, versions, tags, and policies.
Captures common data associated with Lightsail
This module examines Lightsail data fields and automatically enumerates them for all available regions. Available fields can be passed upon execution to only look at certain types of data. By default, all Lightsail fields will be captured.
List and describe brokers
This module will attempt to list and gather information from available brokers.
Enumerates AWS Organizations entities and shows a tree of OUs and accounts at the end.
The module tries to list a bunch of different organization resources like accounts, policies, etc. It also builds a nice graph at the end to visually see the relationship between the root, accounts, and organizational units. Note that you need permissions to list each of these in order to make the tree. Also note that you might need to be the "manager" account (as opposed to a member) for some of these APIs to work.
Enumerates RDS instances.
This module enumerates all relevant database instances from AWS RDS in a given region, including each database's master username, SGDB (engine), port and endpoints.
Enumerates RDS snapshots and logs any without encryption.
This module will enumerate all the RDS snapshots (including cluster snapshots) of the account, and also snapshots that have been shared by other accounts with this account. It can also enumerate the snapshot permissions in the account and save the data to the current session. It will also note whether or not each snapshot is encrypted, then write a list of the unencrypted snapshots to ./sessions/[current_session_name]/downloads/unencrypted_rds_snapshots_[timestamp].csv in .CSV format. In the written files, DB cluster snapshots will have "(cluster)" added beside their identifier.
Enumerates Route53 hosted zones and query logging configurations
This module enumerates Route53 hosted zones across an account and correlates them with query logging configs for later use.
Enumerates and dumps secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store.
This module will enumerate secrets in AWS Secrets Manager and AWS Systems Manager Parameter Store.
List and describe Simple Notification Service topics
This module will attempt to list and gather information from Simple Notification service topics.
Downloads all parameters and decrypted values from SSM.
This module downloads all Systems Manager parameters and their values from all regions.
Enumerates AWS Transfer Family SFTP, FTP and FTPS servers.
This module enumerates all relevant servers from AWS Transfer Family in a given region.
Adds backdoor rules to EC2 security groups.
This module adds rules to backdoor EC2 security groups. It attempts to open ingress port ranges from an IP of your choice.
Creates assume-role trust relationships between users and roles.
This module creates a trust relationship between one or more user accounts and one or more roles in the account, allowing those users to assume those roles.
Adds API keys to other users.
This module attempts to add an AWS API key to users in the account. If all users are to be backdoored and it has not already been run, this module will run "enum_users_roles_policies_groups" to fetch all of the users in the account.
Adds a password to users without one.
This module attempts to add a password to users in the account. If all users are to be backdoored and it has not already been run, this module will run "enum_users_roles_policies_groups" to fetch all of the users in the account. Passwords cannot be added to user accounts that 1) have a password already or 2) have ever had a password, regardless of whether it has been used before or not. If the module detects that a user already has a password, they will be ignored.
Creates a Lambda function and CloudWatch Events rule to backdoor new IAM roles.
This module creates a new Lambda function and an accompanying CloudWatch Events rule that will trigger upon a new IAM role being created in the account. The function will automatically add the supplied ARN to the assume role policy document and exfiltrate the ARN of the role so you can assume it. The function and rule will always be created in us-east-1, as that is the only CloudWatch region that gets sent IAM events. Warning: Your backdoor will not execute if the account does not have an active CloudTrail trail in us-east-1.
Creates a Lambda function and CloudWatch Events rule to backdoor new EC2 security groups.
This module creates a new Lambda function and an accompanying CloudWatch Events rule that will trigger upon a new EC2 security group being created in the account. The function will automatically add a backdoor rule to that security group with your supplied IP address as the source. Warning: Your backdoor will not execute if the account does not have an active CloudTrail trail in the region it was deployed to.
Creates a Lambda function and CloudWatch Events rule to backdoor new IAM users.
This module creates a new Lambda function and an accompanying CloudWatch Events rule that will trigger upon a new IAM user being created in the account. The function will automatically add a set of access keys to the user and send them to the server you supplied. The function and rule will always be created in us-east-1, as that is the only CloudWatch region that gets sent IAM events. Warning: Your backdoor will not execute if the account does not have an active CloudTrail trail in us-east-1.
Downloads CloudTrail event history to JSON files.
This module will download the CloudTrail event history for each specified region in JSON format to ~/.local/share/pacu/sessions/[current_session_name]/downloads/cloudtrail_[region]event_history[timestamp].json. Warning: This module can take a very long time to complete because the maximum number of events per API call is 50, when there could be tens or hundreds of thousands or more total events to download. A rough estimate is about 10000 events retrieved per five minutes.
Captures CloudWatch logs and downloads them to the session downloads folder
This module examines all logs for all regions and saves them as CSV files. By default, only events that were logged in the past 24 hours will be captured. Otherwise, they will be captured based on the passed time arguments. The files will be downloaded in a similar format to ~/.local/share/pacu/sessions/{session}/downloads/cloud_watch_logs/{timestamp}, with session being the active session, and timestamp being the start of this module's execution.
Disables, deletes, or minimizes various logging/monitoring services.
This module will take enumerated CloudTrail trails, GuardDuty detectors, various Config settings, CloudWatch alarms, and VPC flow logs and present you with the option of disabling or deleting each one. For CloudTrail, you also have the option of minimizing it. Minimizing a trail leaves it enabled, but changes all the settings to their very basic level. These changes include: removing the associated SNS topic, disabling global service event logging, disabling multi-regional log collection, disabling log file validation, removing the associated CloudWatch log group/role, and disabling log file encryption. The idea of this is to minimize the amount of logging in the environment without calling dangerous APIs like disable or delete.
Detects monitoring and logging capabilities.
This module will enumerate the different logging and monitoring capabilities that have been implemented in the current AWS account. By default, the module will enumerate all services that it supports, but by specifying the individual arguments, it is possible to target specific services. The supported services include CloudTrail, CloudWatch, Config, Shield, VPC, and GuardDuty. Not all regions contain support for AWS Config aggregators, so no attempts are made to obtain aggregators in unsupported regions. When a permission issue is detected for an action, future attempts to call that action will be skipped. If permissions to enumerate a service have all been invalidated, the enumeration of that service will stop for all subsequent regions and the module will continue execution.
Collects a list of Elastic Load Balancers without access logging.
This module will enumerate all EC2 Elastic Load Balancers and save their data to the current session, as well as write a list of ELBs with logging disabled to ~/.local/share/pacu/sessions/[current_session_name]/downloads/elbs_no_logs_[timestamp].csv.
Adds an IP address to the list of trusted IPs in GuardDuty.
This module accepts a file containing IPv4 addresses and adds them to the GuardDuty list of trusted IPs to basically disable security alerts against these IPs. A remote file location is required for this list, as that is what the GuardDuty API requires. Note: This will not erase any existing GuardDuty findings; it will only prevent future findings related to the included IP addresses. WARNING: Only one list of trusted IP addresses is allowed per GuardDuty detector. This module will prompt you to delete an existing list if you would like, but doing so could have unintended bad consequences on the target AWS environment.
Detects rules and rule groups for WAF.
This module will enumerate WAF. The enumerated data includes the rule groups, rules and matching sets for those rules. Global WAF settings are enumerated the same as each individually-configured region, but they are stored separately in the Pacu database.
Inject malicious formulas/data into CloudTrail event history.
This module will attempt to create a CloudTrail trail with a malicious Microsoft Excel and/or Google Sheets formula as the name, as well as try to create an EC2 instance with the formula as the image ID. Both calls are expected to fail, but the failed events will still be logged to CloudTrail's "Event history" page, where the past 90 days of API calls are listed. The logs can be exported to a .csv file, and due to the way that CloudTrail displays/exports the "Affected Resources" column, the formula we supply as a payload will attempt to execute. Payloads exist for both Microsoft Excel and Google Sheets. My blog post for this specific module is here: https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/. Further reading can be found here: https://www.we45.com/2017/02/14/csv-injection-theres-devil-in-the-detail/ and here: http://georgemauer.net/2017/10/07/csv-injection.html
Tries to assume any roles in a member account in a given organization.
This module accepts a list of AWS accounts and possible role names and tries to assume all of those roles. You can choose to specify accounts/roles to run it against, or just run the module to use the default Organizations role on whatever accounts it can gather from a call to list_accounts. Note that the caller MUST have AssumeRole rights for this module to work correctly.
Subscribes to a Simple Notification Service (SNS) topic.
This module will attempt to subscribe to a topic (ARN) via an email address.
Looks for Network Plane lateral movement opportunities.
Looks for DirectConnect, VPN or VPC Peering to understand where you can go once you compromise an instance inside a VPC.