Hi all, in this post we will discuss the various AWS reconnaissance tools used to recon and exploit AWS cloud accounts.
Let’s first look at the common ways AWS credentials get exposed:
- Vulnerabilities in AWS-hosted applications such as SSRF (Server Side Request Forgery) and LFI (Local File Inclusion)
- Code repositories such as Bitbucket and GitHub
- AWS error messages such as "access denied"
- Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots)
- Public AMIs (EC2 -> AMIs -> Public images)
- RDS public snapshots (RDS -> Snapshots -> All Public Snapshots)
- People looking for help online who end up copy-pasting their complete configuration, credentials included
Why do we need to enumerate IAM permissions?
IAM permissions tell us what a user is allowed to do in an account. To exploit an account, we need the highest privilege possible for a user.
Different open-source tools to do the recon:
- enumerate-iam
- Pacu
- Nimbostratus
- AWS PWN
Let’s start with enumerate-iam.
Enumerate-iam is an open-source AWS IAM user enumeration tool. It helps you find all the permissions a user holds by brute-forcing the APIs that the IAM policy allows. The author of this tool says it is harmless: it performs only get and list API calls, so there won’t be any modification to the cloud account.
git clone https://github.com/andresriancho/enumerate-iam.git
cd enumerate-iam
pip install -r requirements.txt
Usage of enumerate-iam:
python enumerate-iam.py --access-key <ACCESS_KEY_ID> --secret-key <SECRET_ACCESS_KEY>
It will list every permission the user has.
The drawback of enumerate-iam is that it sometimes freezes after a couple of API calls. Since AWS APIs are updated continuously, we need to manually synchronize the tool’s API list.
Steps to update API calls:
git clone https://github.com/aws/aws-sdk-js.git
rm -rf aws-sdk-js
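From the defender’s side, a tool that brute-forces get/list/describe calls leaves a very recognisable trail: one principal issuing many distinct read-only API calls against many services within seconds, most of them rejected with AccessDenied. The detection below is an added example, not code from the original post or from enumerate-iam; it runs over constructed CloudTrail-style records (the account ID and user names are placeholders) and flags that pattern with a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(text):
    """Parse CloudTrail's eventTime format (UTC, e.g. 2024-01-01T12:00:00Z)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def _is_read_only(event_name):
    """enumerate-iam only issues read-style calls; these prefixes cover them."""
    return event_name.startswith(("Get", "List", "Describe"))


def detect_permission_enumeration(records, window=timedelta(minutes=5),
                                  min_distinct_calls=10, min_denied_ratio=0.5):
    """Flag principals that issue many distinct read-only API calls, mostly
    AccessDenied, inside one time window. Returns one alert per principal."""
    by_principal = defaultdict(list)
    for rec in records:
        if _is_read_only(rec["eventName"]):
            by_principal[rec["userIdentity"]["arn"]].append(rec)
    alerts = []
    for arn, events in by_principal.items():
        events.sort(key=lambda e: _ts(e["eventTime"]))
        for i, first in enumerate(events):
            deadline = _ts(first["eventTime"]) + window
            bucket = [e for e in events[i:] if _ts(e["eventTime"]) <= deadline]
            distinct = {(e["eventSource"], e["eventName"]) for e in bucket}
            denied = sum(1 for e in bucket if e.get("errorCode") == "AccessDenied")
            if len(distinct) >= min_distinct_calls and denied / len(bucket) >= min_denied_ratio:
                alerts.append({"principal": arn, "window_start": first["eventTime"],
                               "distinct_calls": len(distinct), "denied": denied,
                               "total": len(bucket)})
                break  # one alert per principal is enough for triage
    return alerts


# --- constructed sample input -------------------------------------------------
_READ_CALLS = [
    ("iam.amazonaws.com", "ListUsers"), ("iam.amazonaws.com", "ListRoles"),
    ("iam.amazonaws.com", "GetAccountSummary"), ("s3.amazonaws.com", "ListBuckets"),
    ("ec2.amazonaws.com", "DescribeInstances"), ("ec2.amazonaws.com", "DescribeSnapshots"),
    ("lambda.amazonaws.com", "ListFunctions"), ("rds.amazonaws.com", "DescribeDBInstances"),
    ("sts.amazonaws.com", "GetCallerIdentity"), ("kms.amazonaws.com", "ListKeys"),
    ("secretsmanager.amazonaws.com", "ListSecrets"), ("dynamodb.amazonaws.com", "ListTables"),
]


def _record(when, arn, source, name, error=None):
    return {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "userIdentity": {"arn": arn}, "eventSource": source,
            "eventName": name, "errorCode": error}


_BASE = datetime(2024, 1, 1, 12, 0, 0)
SUSPECT = "arn:aws:iam::123456789012:user/leaked-key"  # placeholder account/user
DEPLOY = "arn:aws:iam::123456789012:user/deploy"       # placeholder account/user

SAMPLE_RECORDS = (
    # burst: twelve different read calls in 22 seconds, ten of them denied
    [_record(_BASE + timedelta(seconds=2 * i), SUSPECT, src, name,
             None if name in ("GetCallerIdentity", "ListBuckets") else "AccessDenied")
     for i, (src, name) in enumerate(_READ_CALLS)]
    # normal CI user: a handful of successful calls spread over an hour
    + [_record(_BASE + timedelta(minutes=20 * i), DEPLOY, "ec2.amazonaws.com", "DescribeInstances")
       for i in range(4)]
)

if __name__ == "__main__":
    for alert in detect_permission_enumeration(SAMPLE_RECORDS):
        print(alert)
```

The thresholds are a starting point, not a rule of thumb: tune `min_distinct_calls` against what your own automation normally does in five minutes, and remember that a key with broad permissions produces the same burst with far fewer AccessDenied entries, so the denied ratio alone is not a safe filter.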
More info on enumerate-iam:
Another similar but more powerful tool – Pacu
What is Pacu?
Pacu is an open-source AWS exploitation framework developed by Rhino Security Labs. It is designed for offensive security testing against AWS cloud environments. Pacu has a list of modules that exploit misconfiguration flaws. It currently supports a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.
git clone https://github.com/RhinoSecurityLabs/pacu
How to use Pacu:
list/ls                              List all modules
search [cat[egory]] <search term>    Search the list of available modules by name or category
help                                 Display this page of information
help <module name>                   Display information about a module
whoami                               Display information regarding the active access keys
data                                 Display all data that is stored in this session
data <service>|proxy                 Display all data for a specified service
services                             Display a list of services that have collected data
regions                              Display a list of all valid AWS regions
update_regions                       Run a script to update the regions database
set_regions <region> [<region>...]   Set the default regions for this session
run/exec <module name>               Execute a module
set_keys                             Add a set of AWS keys to the session
swap_keys                            Change the currently active AWS key to another key
exit/quit                            Exit Pacu
To check the available modules, we can use the ls or list command. This shows the full list of modules that Pacu currently supports.
We can execute any module with the run command followed by the module name. For example, running the IAM permission brute-force module:
This will try to brute-force all the possible IAM permissions of that user.
Later, we can review all the gathered data with the data command.
More info on Pacu:
The third tool is Nimbostratus.
We already have a detailed article on it. Please check it out here:
The fourth tool is AWS pwn. AWS pwn is a package of scripts for penetration testing of AWS. It covers all the steps required to attack an account.
pip install -r requirements.txt
- validate_iam_access_keys.py – Given a TSV file of access key + secret [+ session] combinations, checks access validity and returns identity information of the principal.
- validate_accounts.py – Given a text file of account IDs and account aliases, checks for the existence of the account.
- validate_iam_principals.py – Given a text file of principals (e.g. user/admin, role/deploy), checks whether the principals exist in a given account.
- validate_s3_buckets.py – Given a text file with one word per line, checks whether the buckets exist and returns basic identifying information.
- add_iam_policy.py – Adds the administrator and all-action policy to a given user, role, or group. Requires IAM putPolicy or attachPolicy privileges.
- assume_roles.py – Attempts to assume all roles (ARNs) in a file or provided by the list-roles API.
- bouncy_bouncy_cloudy_cloud.py – Bounces a given EC2 instance and rewrites its userData so that you can run arbitrary code or steal temporary instance profile credentials.
- dump_cloudformation_stack_descriptions.py – Retrieves the stack descriptions for every existing stack and every stack deleted in the last 90 days. Parameters in stack descriptions often contain passwords and other secrets.
- dump_instance_attributes.py – Goes through every EC2 instance in the account and retrieves the specified instance attributes. Most commonly used to retrieve userData, which tends to contain secrets.
- rabbit_lambda – An example Lambda function that responds to user-delete events by creating more copies of the deleted user.
- cli_lambda – A Lambda function that acts as an AWS CLI proxy and doesn’t require credentials.
- backdoor_created_users_lambda – A Lambda function that adds an access key to each newly created user.
- backdoor_created_roles_lambda – A Lambda function that adds a trust relationship to each newly created role.
- backdoor_created_security_groups_lambda – A Lambda function that adds a given inbound access rule to each newly created security group.
- backdoor_all_users.py – Adds an access key to every user in the account.
- backdoor_all_roles.py – Adds a trust relationship to each role in the account. Requires editing the file to set the role ARN.
- backdoor_all_security_groups.py – Adds a given inbound access rule to each security group in the account. Requires editing the file to set the rule.
- disrupt_cloudtrail.py – Attempts to remove CloudTrail logging in a specified way so that you can stay hidden after compromising an account.
Exploring the gathered data:
- dump_account_data.sh – Calls generic account-based read/list/get/describe functions and saves the data to a given location. Very noisy, but great for a point-in-time snapshot. This helps you understand what you’ve pwned.
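Every persistence and evasion script in that list maps onto a small set of CloudTrail management events, which is what a defender should be alerting on. The rule below is an added example, not code from the original post or from aws_pwn: the eventSource/eventName pairs are the real CloudTrail names for those API calls, while the records, account ID and user names are constructed placeholders. It also shows the two refinements that keep such a rule from drowning in noise: a user rotating their own access key is routine, and an inbound rule for a private range is less alarming than one for 0.0.0.0/0.

```python
# Real CloudTrail eventSource/eventName pairs for the API calls the persistence
# and evasion scripts above depend on; the "cf." names point back to the scripts.
WATCHED_EVENTS = {
    ("iam.amazonaws.com", "CreateAccessKey"): "access key added to a user (cf. backdoor_all_users)",
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"): "role trust policy changed (cf. backdoor_all_roles)",
    ("iam.amazonaws.com", "AttachUserPolicy"): "managed policy attached to a user (cf. add_iam_policy)",
    ("iam.amazonaws.com", "PutUserPolicy"): "inline policy written to a user (cf. add_iam_policy)",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): "inbound rule added (cf. backdoor_all_security_groups)",
    ("ec2.amazonaws.com", "ModifyInstanceAttribute"): "instance attribute such as userData changed (cf. bouncy_bouncy_cloudy_cloud)",
    ("cloudtrail.amazonaws.com", "StopLogging"): "trail logging stopped (cf. disrupt_cloudtrail)",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "trail deleted (cf. disrupt_cloudtrail)",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "trail configuration changed (cf. disrupt_cloudtrail)",
    ("cloudtrail.amazonaws.com", "PutEventSelectors"): "trail event selectors changed (cf. disrupt_cloudtrail)",
}


def _contains_value(obj, needle):
    """True if the string `needle` appears anywhere inside nested dicts/lists,
    which lets us inspect requestParameters without hard-coding its layout."""
    if isinstance(obj, dict):
        return any(_contains_value(v, needle) for v in obj.values())
    if isinstance(obj, list):
        return any(_contains_value(v, needle) for v in obj)
    return obj == needle


def classify_event(record):
    """Return a finding dict for a watched event, or None for anything else."""
    key = (record["eventSource"], record["eventName"])
    if key not in WATCHED_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    actor = record["userIdentity"].get("userName")
    severity = "high"
    if record["eventName"] == "CreateAccessKey":
        # Self-service key rotation is routine; a key created on someone else's
        # user is exactly the pattern backdoor_all_users produces.
        severity = "high" if params.get("userName", actor) != actor else "low"
    elif record["eventName"] == "AuthorizeSecurityGroupIngress":
        severity = "high" if _contains_value(params, "0.0.0.0/0") else "medium"
    return {"time": record["eventTime"], "actor": record["userIdentity"]["arn"],
            "event": record["eventName"], "severity": severity,
            "reason": WATCHED_EVENTS[key]}


def find_persistence_events(records):
    return [f for f in map(classify_event, records) if f is not None]


# --- constructed sample input -------------------------------------------------
def _rec(time, user, source, name, params=None):
    return {"eventTime": time,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}", "userName": user},
            "eventSource": source, "eventName": name, "requestParameters": params}


SAMPLE_EVENTS = [
    _rec("2024-01-01T12:00:00Z", "alice", "iam.amazonaws.com", "CreateAccessKey", {"userName": "alice"}),
    _rec("2024-01-01T12:01:00Z", "contractor", "iam.amazonaws.com", "CreateAccessKey", {"userName": "alice"}),
    _rec("2024-01-01T12:02:00Z", "contractor", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
         {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _rec("2024-01-01T12:03:00Z", "contractor", "cloudtrail.amazonaws.com", "StopLogging",
         {"name": "management-trail"}),
    _rec("2024-01-01T12:04:00Z", "deploy", "ec2.amazonaws.com", "DescribeInstances"),
]

if __name__ == "__main__":
    for finding in find_persistence_events(SAMPLE_EVENTS):
        print(f'{finding["time"]} [{finding["severity"]}] {finding["actor"]}: {finding["reason"]}')
```

Because the first thing disrupt_cloudtrail-style tooling does is switch the trail off, the StopLogging/DeleteTrail/UpdateTrail events should be delivered through a path the attacker cannot silence with the same key, such as an organization trail owned by a separate account or EventBridge rules that forward to a different account.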
Link to AWS pwn here: