Hi all, In this post, we will discuss the various AWS Reconnaissance Tools used to recon and exploit AWS cloud accounts.
Let’s first look at the reasons why credentials get exposed:
- Vulnerabilities in AWS-hosted applications such as SSRF (Server Side Request Forgery) and LFI (Local File Inclusion)
- Code repositories such as Bitbucket and GitHub
- AWS error messages such as access denied
- Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots)
- Public AMIs (EC2 -> AMIs -> Public images)
- RDS public snapshots (RDS -> Snapshots -> All Public Snapshots)
- People looking for help online who end up copy-pasting the complete output, credentials included
- Screenshots
- Social engineering
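Several of these exposure channels (repositories, help posts, screenshots transcribed as text) can be checked before the material leaves your hands. The scanner below is an added example for this post, not a tool from the original: it is my own code that looks for AWS access key IDs and, next to a telltale variable name, secret access keys in any text you hand it. The sample inputs are constructed and use the placeholder key pair from the AWS documentation; the regular expressions and the `redact` helper are assumptions of this example, not part of any tool described here.

```python
"""Scan files, pastes and ticket text for exposed AWS credentials.

Added example for this post; the sample inputs below are constructed and use
the AWS documentation placeholder key pair, not live credentials.
"""
import re

# An access key ID is 20 uppercase alphanumerics: AKIA... for long-term IAM
# keys, ASIA... for temporary STS keys. The lookarounds stop the pattern from
# matching inside a longer identifier.
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Za-z0-9])")

# A secret access key is 40 characters of [A-Za-z0-9/+=]. On its own that
# pattern also matches hashes and tokens, so it is only flagged when it sits
# next to a telltale variable name such as aws_secret_access_key.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret_key|secretaccesskey)\s*[=:'\"]+\s*"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value):
    """Keep only the first and last four characters so a report can be shared."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, source="<input>"):
    """Return one finding per credential-looking token, with source and line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "access_key_id", "value": redact(match.group(0))})
        match = SECRET_KEY_RE.search(line)
        if match:
            findings.append({"source": source, "line": lineno,
                             "kind": "secret_access_key", "value": redact(match.group(1))})
    return findings


def scan_sources(sources):
    """sources: mapping of path/name -> text content (files, commits, pastes)."""
    findings = []
    for name, text in sources.items():
        findings.extend(scan_text(text, name))
    return findings


# Constructed inputs modelled on the exposure channels listed above: a committed
# .env file, hard-coded keys in source, a forum paste, and a benign README.
SAMPLE_SOURCES = {
    "deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "AWS_REGION=us-east-1\n"
    ),
    "app/storage.py": (
        'client = boto3.client("s3", aws_access_key_id="AKIAIOSFODNN7EXAMPLE", '
        'aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")\n'
    ),
    "forum_post.txt": (
        "Getting AccessDenied on ListBuckets with ASIAIOSFODNN7EXAMPLE, "
        "what am I missing?\n"
    ),
    "README.md": (
        "Key IDs look like AKIA... ; build tag XAKIAIOSFODNN7EXAMPLEX is unrelated, "
        "and 3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is a hash.\n"
    ),
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['value']}")
```

Run it as a pre-commit hook over staged files, or over a support ticket before it is posted, and treat any `access_key_id` hit as a key to rotate, whether or not the secret was found beside it.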
Why do we need to enumerate IAM Permissions?
IAM permissions tell us what a user is allowed to do in an account. To exploit the account, we want the highest privileges we can obtain for a user.
Different open-source tools to do the recon:
- Enumerate-Iam
- Pacu
- AWS PWN
- Nimbostratus
Let’s start with enumerate-iam
Enumerate-iam is an open-source AWS IAM user enumeration tool. It helps you find all the permissions a user holds by brute-forcing the APIs allowed by the IAM policy. The author states that this is a harmless tool: it performs only get and list API calls, so nothing on the cloud account is modified.
Enumerate-iam Installation:
git clone https://github.com/andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt
Usage of Enumerate-iam:
python enumerate-iam.py --access-key <ACCESS_KEY_ID> --secret-key <SECRET_ACCESS_KEY>
It will show all the permissions the user has:
Drawback of the enumerate-iam tool:
Sometimes it freezes after a couple of API calls. Since the AWS APIs are updated continuously, we need to manually synchronize the tool's API list.
Steps to update API calls:
cd enumerate_iam/
git clone https://github.com/aws/aws-sdk-js.git
python generate_bruteforce_tests.py
rm -rf aws-sdk-js
More info on enumerate-iam:
Another similar but powerful tool – Pacu
What is Pacu?
Pacu is an open-source AWS exploitation framework developed by Rhino Security Labs. It is designed for offensive security testing against AWS cloud environments. Pacu has a list of modules that can exploit misconfiguration flaws. It currently supports a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.
Pacu Installation:
git clone https://github.com/RhinoSecurityLabs/pacu
cd pacu
bash install.sh
How to use Pacu:
python3 pacu.py

Commands:
list/ls                              List all modules
search [cat[egory]] <search term>    Search the list of available modules by name or category
help                                 Display this page of information
help <module name>                   Display information about a module
whoami                               Display information regarding the active access keys
data                                 Display all data that is stored in this session.
data <service>|proxy                 Display all data for a specified service
services                             Display a list of services that have collected data
regions                              Display a list of all valid AWS regions
update_regions                       Run a script to update the regions database
set_regions <region> [<region>...]   Set the default regions for this session.
run/exec <module name>               Execute a module
set_keys                             Add a set of AWS keys to the session
swap_keys                            Change the currently active AWS key to another key
exit/quit                            Exit Pacu
To see the available modules, we can use the ls or list command:
This will show the list of all modules that Pacu currently supports.
We can execute any module with the run command. For example: run iam__bruteforce_permissions
This will try to brute-force all the possible IAM permissions of that user.
Later, we can view the data gathered about the active keys with the whoami command.
More info on Pacu:
https://cloudsecops.com/pacbot-open-source-compliance-automation-tool/
The third tool is Nimbostratus:
We already have a detailed article on it. Please do check it out here:
AWS PWN:
AWS pwn is a package for penetration testing of AWS. It covers all the steps required for a penetration test, from reconnaissance through persistence.
Installation:
git clone https://github.com/dagrz/aws_pwn
cd aws_pwn
pip install -r requirements.txt
Information gathering:
Available in the reconnaissance/ directory:
validate_iam_access_keys.py – Given a TSV file of access key + secret [+ session] combinations, checks access validity and returns identity information of the principal.
validate_accounts.py – Given a text file of account ids and account aliases, checks for the existence of the account.
validate_iam_principals.py – Given a text file of principals (e.g. user/admin, role/deploy), checks whether the principals exist in a given account.
validate_s3_buckets.py – Given a text file with one word per line, checks whether the buckets exist and returns basic identifying information.
Privilege escalation:
Available in the elevation/ directory:
add_iam_policy.py – Adds the administrator and all-action policy to a given user, role, or group. Requires IAM putPolicy or attachPolicy privileges.
assume_roles.py – Attempts to assume all roles (ARNs) in a file or provided by the list-roles API.
bouncy_bouncy_cloudy_cloud.py – Bounces a given EC2 instance and rewrites its userData so that you can run arbitrary code or steal temporary instance profile credentials.
dump_cloudformation_stack_descriptions.py – Retrieves the stack descriptions for every existing stack and every stack deleted in the last 90 days. Parameters in stack descriptions often contain passwords and other secrets.
dump_instance_attributes.py – Goes through every EC2 instance in the account and retrieves the specified instance attributes. Most commonly used to retrieve userData, which tends to contain secrets.
Maintaining access:
Available in the persistence/ directory:
rabbit_lambda – An example Lambda function that responds to user delete events by creating more copies of the deleted user.
cli_lambda – A Lambda function that acts as an AWS CLI proxy and doesn’t require credentials.
backdoor_created_users_lambda – A Lambda function that adds an access key to each newly created user.
backdoor_created_roles_lambda – A Lambda function that adds a trust relationship to each newly created role.
backdoor_created_security_groups_lambda – A Lambda function that adds a given inbound access rule to each newly created security group.
backdoor_all_users.py – Adds an access key to every user in the account.
backdoor_all_roles.py – Adds a trust relationship to each role in the account. Requires editing the file to set the role ARN.
backdoor_all_security_groups.py – Adds a given inbound access rule to each security group in the account. Requires editing the file to set the rule.
Clearing tracks:
Available in the stealth/ directory:
disrupt_cloudtrail.py – Attempts to remove CloudTrail logging in a specified way to help you stay hidden after compromising an account.
Exploring the gathered data:
Available in the exploration/ directory:
dump_account_data.sh – Calls generic account-based read/list/get/describe functions and saves the data to a given location. Very noisy, but great for a point-in-time snapshot. This will help you understand what you’ve pwned.
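Seen from the defender's side, everything the tools in this post do leaves a distinct trace in CloudTrail: enumerate-iam and Pacu's iam__bruteforce_permissions produce a burst of get/list/describe calls across many services from one access key, much of it AccessDenied, while the persistence and stealth scripts above show up as StopLogging or UpdateTrail, CreateAccessKey aimed at other users, UpdateAssumeRolePolicy and AuthorizeSecurityGroupIngress. The detector below is an added example, my own code rather than anything from the tools described here. It runs over constructed newline-delimited CloudTrail records (the field names are the standard ones: eventTime, eventSource, eventName, userIdentity, readOnly, errorCode, requestParameters; the two key IDs are the AWS documentation placeholders). The burst thresholds and the HIGH_RISK watch list are assumptions to tune per account.

```python
"""Flag permission brute-forcing and persistence in CloudTrail records.
Added example for this post; the records are constructed and the thresholds
are assumptions to tune per account."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=5)  # assumed window for a permission sweep
BURST_MIN_CALLS = 8                  # assumed read-only calls in the window
BURST_MIN_SERVICES = 4               # assumed distinct services touched

# Mutating calls matching the stealth/persistence steps described above:
# (eventSource, eventName) -> reason. Extend with your own watch list.
HIGH_RISK = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "CloudTrail logging stopped",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "CloudTrail trail reconfigured",
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"): "role trust policy changed",
    ("iam.amazonaws.com", "AttachUserPolicy"): "managed policy attached to a user",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): "inbound security group rule added",
}

def parse_events(raw):
    """Parse newline-delimited JSON CloudTrail records."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def principal_of(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("arn") or "unknown"

def find_enumeration_bursts(events):
    """One alert per principal whose read-only calls span many services inside
    BURST_WINDOW. AccessDenied is counted: a brute-force yields it in bulk."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("readOnly") is True:
            by_principal[principal_of(ev)].append(ev)
    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["eventTime"])
        times = [datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ") for e in evs]
        best, start = None, 0
        for end in range(len(evs)):
            while times[end] - times[start] > BURST_WINDOW:  # slide the window
                start += 1
            window = evs[start:end + 1]
            services = {e["eventSource"] for e in window}
            if (len(window) >= BURST_MIN_CALLS and len(services) >= BURST_MIN_SERVICES
                    and (best is None or len(window) > best["calls"])):
                best = {"principal": principal, "calls": len(window), "services": len(services),
                        "access_denied": sum(e.get("errorCode") == "AccessDenied" for e in window)}
        if best:
            alerts.append(best)
    return alerts

def find_high_risk_actions(events):
    """Alerts from the HIGH_RISK table, plus CreateAccessKey aimed at a user other
    than the caller, which is what keying every user in the account looks like."""
    alerts = []
    for ev in events:
        key = (ev.get("eventSource"), ev.get("eventName"))
        if key in HIGH_RISK:
            alerts.append({"principal": principal_of(ev), "event": key[1], "reason": HIGH_RISK[key]})
        elif key == ("iam.amazonaws.com", "CreateAccessKey"):
            caller = ev.get("userIdentity", {}).get("userName")
            target = (ev.get("requestParameters") or {}).get("userName", caller)
            if target != caller:
                alerts.append({"principal": principal_of(ev), "event": key[1],
                               "reason": f"access key created for another user: {target}"})
    return alerts

def make_record(time, svc, name, user="alice", key="AKIAIOSFODNN7EXAMPLE", read_only=True,
                error=None, params=None):
    """Build one constructed CloudTrail record (sample data only)."""
    rec = {"eventTime": f"2024-05-01T{time}Z", "eventSource": f"{svc}.amazonaws.com",
           "eventName": name, "readOnly": read_only,
           "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}
    if error:
        rec["errorCode"] = error
    if params:
        rec["requestParameters"] = params
    return json.dumps(rec)

# Constructed log: alice's key sweeps eight services in nine seconds (four calls
# denied), then stops the trail, keys another user and edits a role trust.
# bob's key only reads an object and rotates its own key, which is not alerted.
RECON = [("iam", "ListUsers", "AccessDenied"), ("iam", "GetUser", None), ("s3", "ListBuckets", None),
         ("ec2", "DescribeInstances", None), ("lambda", "ListFunctions20150331", "AccessDenied"),
         ("rds", "DescribeDBInstances", "AccessDenied"), ("sts", "GetCallerIdentity", None),
         ("dynamodb", "ListTables", "AccessDenied"), ("cloudtrail", "DescribeTrails", None)]
SAMPLE_LOG = "\n".join(
    [make_record(f"10:00:0{i}", svc, name, error=err) for i, (svc, name, err) in enumerate(RECON, 1)]
    + [make_record("10:15:00", "cloudtrail", "StopLogging", read_only=False),
       make_record("10:16:00", "iam", "CreateAccessKey", read_only=False, params={"userName": "svc-deploy"}),
       make_record("10:18:00", "iam", "UpdateAssumeRolePolicy", read_only=False, params={"roleName": "Admin"}),
       make_record("10:30:00", "s3", "GetObject", user="bob", key="AKIAI44QH8DHBEXAMPLE"),
       make_record("10:31:00", "iam", "CreateAccessKey", user="bob", key="AKIAI44QH8DHBEXAMPLE", read_only=False)])

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(json.dumps({"bursts": find_enumeration_bursts(events),
                      "high_risk": find_high_risk_actions(events)}, indent=2))
```

The burst detector keys on the access key rather than the user name because a leaked key used from outside the account is exactly the case the exposure list at the top of this post describes; correlating the alert with the sourceIPAddress field (not used here) is the natural next step when triaging.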
Link to AWS pwn here:
Thank you for reading! – Setu Parimi & Manish Agrawal