Hi all, In this post, we will discuss the various AWS Reconnaissance Tools used to recon and exploit AWS cloud accounts.

Let’s first look at the reasons due to which credentials get exposed:

  • Vulnerabilities in AWS hosted applications like SSRF (Server Side Request Forgery) and LFI (Local File Inclusion)

  • Code repositories such as Bitbucket and Github

  • AWS error messages such as access denied

  • Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots)

  • Public AMIs (EC2 -> AMIs -> Public images)

  • RDS public snapshots (RDS -> Snapshots -> All Public Snapshots)

  • People looking for help online and end up copy-pasting complete info

  • Screenshots

  • Social Engineering 

Why do we need to enumerate IAM Permissions? 

The IAM Permission helps us understand what a user is allowed to do in an account. In order to exploit, we need to have maximum privilege possible to a user.

Different open-source tools to do the recon:

  • Enumerate-Iam
  • Pacu
  • AWS PWN
  • Nimbostratus

Let’s start with enumerate-iam

Enumerate-iam is an open-source AWS IAM User Enumeration Tool. This tool will help you find all the permission a user holds. It will do a brute force to APIs that are allowed by the IAM Policy. The author of this tool says This is a harmless tool. It will perform only get and list API calls. So, there won’t be any modification on the cloud account.

Enumerate-iam Installation:

git clone https://github.com/andresriancho/enumerate-iam.git

cd enumerate-iam/

pip install -r requirements.txt

 

Usage of Enumerate-iam: 

python enumerate-iam.py --access-key   --secret-key  

This tool will fire up and start enumerating all the IAM Permissions:

It will show all kinds of permissions user has:

 

Drawback of enumerate-iam tool is:

Sometimes it freezes after couple of API calls. Since AWS APIs are being updated continuously. We’ll need to manually synchronize APIs with this tool.

Steps to update API calls:

cd enumerate_iam/

git clone https://github.com/aws/aws-sdk-js.git

python generate_bruteforce_tests.py

rm -rf aws-sdk-js

More info on enumerate-iam:

Another similar but powerful tool – Pacu 

What is Pacu ?

Pacu is an Open source AWS exploitation framework developed by RhinoSecurityLabs. It is designed for Offensive security testing against AWS cloud environment. Pacu has a list of features that can exploit misconfiguration flaws. This tool currently supports a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.

Pacu Installation:

git clone https://github.com/RhinoSecurityLabs/pacu

cd pacu

bash install.sh

 

How to use Pacu:

python3 pacu.py

 
After it launches, You will need to provide a session name, after that you can add credential i.e., Access Key and Secret Access Key followed by set_keys command.

Commands:

list/ls                             List all modules

search [cat[egory]]   Search the list of available modules by name or category

help                                Display this page of information

help                   Display information about a module

whoami                              Display information regarding to the active access keys

data                                Display all data that is stored in this session.

data |proxy                Display all data for a specified service

services                            Display a list of services that have collected data

regions                             Display a list of all valid AWS regions

update_regions                      Run a script to update the regions database

set_regions […]  Set the default regions for this session.

run/exec               Execute a module

set_keys                            Add a set of AWS keys to the session

swap_keys                           Change the currently active AWS key to another key

exit/quit                           Exit Pacu

For checking modules, we can use ls or list command:

This will show all the list of features that Pacu currently supports

We can execute any command followed by run command. For example: run iam__bruteforce_permissions

This will try to bruteforce all the possible iam permissions of that user. 

Later, we can check every scrubbed data with command whoami

More info on Pacu: 

https://cloudsecops.com/pacbot-open-source-compliance-automation-tool/

Third tool is Nimbostratus

We already have a detailed article on it. Please do check it out here:

 

AWS PWN: 

AWS pwn is a package for penetration testing of AWS. It covers all the steps required to perform hacking.

Installation:
git clone https://github.com/dagrz/aws_pwn

cd aws_pwn

pip install -r requirements.txt

 

Information gathering: 

Available at cd reconnaissance/

  1. validate_iam_access_keys.py – Given a TSV file of access key + secret [+ session] combinations, checks access validity and returns identity information of the principal.
  2. validate_accounts.py – Given a text file of account ids and account aliases, checks for the existence of the account.
  3. validate_iam_principals.py – Given a text file of principals (e.g. user/admin, role/deploy), checks whether the principals exist in a given account.
  4. validate_s3_buckets.py – Given a text file with one word per line, checks whether the buckets exist and returns basic identifying information.

Privilege escalation: 

Available at cd elevation/

  1. add_iam_policy.py – Adds the administrator and all action policy to a given user, role, or group. Requires IAM putPolicy or attachPolicy privileges.
  2. assume_roles.py – Attempts to assume all roles (ARNs) in a file or provided by the list-roles API.
  3. bouncy_bouncy_cloudy_cloud.py – Bounces a given ec2 instance and rewrites its userData so that you can run arbitrary code or steal temporary instance profile credentials.
  4. dump_cloudformation_stack_descriptions.py – Retrieves the stack descriptions for every existing stack and every stack deleted in the last 90 days. Parameters in stack descriptions often contain passwords and other secrets.
  5. dump_instance_attributes.py – Goes through every EC2 instance in the account and retrieves the specified instance attributes. Most commonly used to retrieve userData, which tends to contain secrets.

Maintaining access: 

Available at cd persistence/

  1. rabbit_lambda – An example Lambda function that responds to user delete events by creating more copies of the deleted user.
  2. cli_lambda – A lambda function that acts as an aws cli proxy and doesn’t require credentials.
  3. backdoor_created_users_lambda – A lambda function that adds an access key to each newly created user.
  4. backdoor_created_roles_lambda – A lambda function that adds a trust relationship to each newly created role.
  5. backdoor_created_security_groups_lambda – A lambda function that adds a given inbound access rule to each newly created security group.
  6. backdoor_all_users.py – Adds an access key to every user in the account.
  7. backdoor_all_roles.py – Adds a trust relationship to each role in the account. Requires editing the file to set the role ARN.
  8. backdoor_all_security_groups.py – Adds a given inbound access rule to each security group in the account. Requires editing the file to set the rule.

Clearing Tracks: 

Available at cd stealth/

  1. disrupt_cloudtrail.py – This will attempt to remove cloudtrail logging in a specified way so that things might help you stay hidden after compromising an account.

Exploring the gathered data:

Available at  cd exploration/

  1. dump_account_data.sh – Calls a generic account-based read/list/get/describe functions and saves the data to a given location. Very noisy but great for a point in time snapshot. This will help you understand what you’ve pwned.

Link to AWS pwn here

Thank you for reading! – Setu Parimi & Manish Agrawal

Sign up for the blog directly here.

Check out our professional services here.

Feedback is welcome! For professional services, fan mail, hate mail, or whatever else, contact [email protected]com


Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: