AWS Reconnaissance Tools

Hi all, In this post, we will discuss the various AWS Reconnaissance Tools used to recon and exploit AWS cloud accounts.

Let’s first look at the reasons due to which credentials get exposed:

• Vulnerabilities in AWS hosted applications like SSRF (Server Side Request Forgery) and LFI (Local File Inclusion)

• Code repositories such as Bitbucket and Github

• AWS error messages such as access denied

• Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots)

• Public AMIs (EC2 -> AMIs -> Public images)

• RDS public snapshots (RDS -> Snapshots -> All Public Snapshots)

• People looking for help online and end up copy-pasting complete info

• Screenshots

• Social Engineering 

Why do we need to enumerate IAM Permissions? 

The IAM Permission helps us understand what a user is allowed to do in an account. In order to exploit, we need to have maximum privilege possible to a user.

Different open-source tools to do the recon:

• Enumerate-Iam
• Pacu
• AWS PWN
• Nimbostratus

Let’s start with enumerate-iam

Enumerate-iam is an open-source AWS IAM User Enumeration Tool. This tool will help you find all the permission a user holds. It will do a brute force to APIs that are allowed by the IAM Policy. The author of this tool says This is a harmless tool. It will perform only get and list API calls. So, there won’t be any modification on the cloud account.

Enumerate-iam Installation:

git clone https://github.com/andresriancho/enumerate-iam.git

cd enumerate-iam/

pip install -r requirements.txt

 

Usage of Enumerate-iam: 

python enumerate-iam.py --access-key   --secret-key  

This tool will fire up and start enumerating all the IAM Permissions:

It will show all kinds of permissions user has:

 

Drawback of enumerate-iam tool is:

Sometimes it freezes after couple of API calls. Since AWS APIs are being updated continuously. We’ll need to manually synchronize APIs with this tool.

Steps to update API calls:

cd enumerate_iam/


git clone https://github.com/aws/aws-sdk-js.git

python generate_bruteforce_tests.py

rm -rf aws-sdk-js

More info on enumerate-iam:

Another similar but powerful tool – Pacu 

What is Pacu ?

Pacu is an Open source AWS exploitation framework developed by RhinoSecurityLabs. It is designed for Offensive security testing against AWS cloud environment. Pacu has a list of features that can exploit misconfiguration flaws. This tool currently supports a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.

Pacu Installation:

git clone https://github.com/RhinoSecurityLabs/pacu

cd pacu

bash install.sh

 

How to use Pacu:

python3 pacu.py

 

After it launches, You will need to provide a session name, after that you can add credential i.e., Access Key and Secret Access Key followed by set_keys command.

Commands:

list/ls                             List all modules

search [cat[egory]]   Search the list of available modules by name or category

help                                Display this page of information

help                   Display information about a module

whoami                              Display information regarding to the active access keys

data                                Display all data that is stored in this session.

data |proxy                Display all data for a specified service

services                            Display a list of services that have collected data

regions                             Display a list of all valid AWS regions

update_regions                      Run a script to update the regions database

set_regions […]  Set the default regions for this session.

run/exec               Execute a module

set_keys                            Add a set of AWS keys to the session

swap_keys                           Change the currently active AWS key to another key

exit/quit                           Exit Pacu

For checking modules, we can use ls or list command:

This will show all the list of features that Pacu currently supports

We can execute any command followed by run command. For example: run iam__bruteforce_permissions

This will try to bruteforce all the possible iam permissions of that user. 

Later, we can check every scrubbed data with command whoami

More info on Pacu: 

https://cloudsecops.com/pacbot-open-source-compliance-automation-tool/

Third tool is Nimbostratus: 

We already have a detailed article on it. Please do check it out here:

 

AWS PWN: 

AWS pwn is a package for penetration testing of AWS. It covers all the steps required to perform hacking.

Installation:
git clone https://github.com/dagrz/aws_pwn

cd aws_pwn

pip install -r requirements.txt

 

Information gathering: 

Available at cd reconnaissance/

1. validate_iam_access_keys.py – Given a TSV file of access key + secret [+ session] combinations, checks access validity and returns identity information of the principal.
2. validate_accounts.py – Given a text file of account ids and account aliases, checks for the existence of the account.
3. validate_iam_principals.py – Given a text file of principals (e.g. user/admin, role/deploy), checks whether the principals exist in a given account.
4. validate_s3_buckets.py – Given a text file with one word per line, checks whether the buckets exist and returns basic identifying information.

Privilege escalation: 

Available at cd elevation/

1. add_iam_policy.py – Adds the administrator and all action policy to a given user, role, or group. Requires IAM putPolicy or attachPolicy privileges.
2. assume_roles.py – Attempts to assume all roles (ARNs) in a file or provided by the list-roles API.
3. bouncy_bouncy_cloudy_cloud.py – Bounces a given ec2 instance and rewrites its userData so that you can run arbitrary code or steal temporary instance profile credentials.
4. dump_cloudformation_stack_descriptions.py – Retrieves the stack descriptions for every existing stack and every stack deleted in the last 90 days. Parameters in stack descriptions often contain passwords and other secrets.
5. dump_instance_attributes.py – Goes through every EC2 instance in the account and retrieves the specified instance attributes. Most commonly used to retrieve userData, which tends to contain secrets.

Maintaining access: 

Available at cd persistence/

1. rabbit_lambda – An example Lambda function that responds to user delete events by creating more copies of the deleted user.
2. cli_lambda – A lambda function that acts as an aws cli proxy and doesn’t require credentials.
3. backdoor_created_users_lambda – A lambda function that adds an access key to each newly created user.
4. backdoor_created_roles_lambda – A lambda function that adds a trust relationship to each newly created role.
5. backdoor_created_security_groups_lambda – A lambda function that adds a given inbound access rule to each newly created security group.
6. backdoor_all_users.py – Adds an access key to every user in the account.
7. backdoor_all_roles.py – Adds a trust relationship to each role in the account. Requires editing the file to set the role ARN.
8. backdoor_all_security_groups.py – Adds a given inbound access rule to each security group in the account. Requires editing the file to set the rule.

Clearing Tracks: 

Available at cd stealth/

1. disrupt_cloudtrail.py – This will attempt to remove cloudtrail logging in a specified way so that things might help you stay hidden after compromising an account.

Exploring the gathered data:

Available at  cd exploration/

1. dump_account_data.sh – Calls a generic account-based read/list/get/describe functions and saves the data to a given location. Very noisy but great for a point in time snapshot. This will help you understand what you’ve pwned.

Link to AWS pwn here: 

Thank you for reading! – Setu Parimi & Manish Agrawal

Sign up for the blog directly here.

Check out our professional services here.

Feedback is welcome! For professional services, fan mail, hate mail, or whatever else, contact [email protected]