The Open Source AWS Exploitation Framework – Pacu
Introduction
Pacu is an open source AWS exploitation framework for offensive security testing against cloud environments, created and maintained by Rhino Security Labs. It allows you to exploit configuration flaws within an AWS account, and its functionality is easily extended through modules. Current modules enable:
- user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more (see the module list below).
Pacu: The Open Source AWS Exploitation Framework for testing security of AWS environments
Pacu is a CLI (command line interface) that provides a database and modules that allow cybersecurity professionals to easily perform assessments of AWS environments. It is a lightweight program, based on Python, that requires only Python 3.5+ and pip3. Pacu is well documented, so you'll be able to quickly and easily write new modules on your own (see the Advanced Usage wiki, aimed at cybersecurity researchers, developers and experts). It is supported on macOS (OSX) and Linux.
Features:
- Pacu has a set of plug-in modules (currently 36 modules for executing AWS attacks) that help you with enumeration, privilege escalation, data exfiltration, service exploitation, and log manipulation.
- It provides utilities to easily allow users and modules to store and reference access information and enumerated data found when engaging an AWS environment.
- Common syntax and data structure keeps modules easy to build and expand on – no need to specify AWS regions or make redundant permission checks between modules.
- Local SQLite database for managing and manipulating retrieved data (minimizing API calls and the logs they generate).
- Built-in reporting and attack auditing inside the framework (command logging and exporting, testing process timeline).
Requirements:
- Python 3.5+
- pip3
- all packages from requirements.txt
Pacu Install
Download the zip file or clone it from the GitHub repo:
$ git clone https://github.com/RhinoSecurityLabs/pacu.git
Then navigate to the Pacu directory:
$ cd pacu/
and run the install.sh script (it will automatically install all packages from requirements.txt):
$ bash install.sh
Usage
To start Pacu, run the following:
$ python3 pacu.py
After the first launch you'll see the message "database not found", but the database is created automatically. You'll be prompted for a session name; just name it to start. Set the AWS keys, and start running modules.
Basic Commands in Pacu
Run help to list all available commands:
Pacu command info:
    list/ls                             List all modules
    search [cat[egory]] <search term>   Search the list of available modules by name or category
    help                                Display this page of information
    help <module name>                  Display information about a module
    whoami                              Display information regarding to the active access keys
    data                                Display all data that is stored in this session. Only fields with values will be displayed
    data <service>|proxy                Display all data for a specified service or for PacuProxy in this session
    services                            Display a list of services that have collected data in the current session to use with the "data" command
    regions                             Display a list of all valid AWS regions
    update_regions                      Run a script to update the regions database to the newest version
    set_regions <region> [<region>...]  Set the default regions for this session. These space-separated regions will be used for modules where regions are required, but not supplied by the user. The default set of regions is every supported region for the service. Supply "all" to this command to reset the region set to the default of all supported regions
    run/exec <module name>              Execute a module
    set_keys                            Add a set of AWS keys to the session and set them as the default
    swap_keys                           Change the currently active AWS key to another key that has previously been set for this session
    exit/quit                           Exit Pacu
Available modules
[Category: RECON_UNAUTH]
- s3__bucket_finder
- iam__enum_users
- iam__enum_assume_role
[Category: ENUM]
- inspector__get_reports
- iam__bruteforce_permissions
- iam__detect_honeytokens
- iam__get_credential_report
- lambda__enum
- iam__enum_permissions
- codebuild__enum
- ec2__download_userdata
- aws__enum_account
- iam__enum_users_roles_policies_groups
- aws__enum_spend
- ebs__enum_volumes_snapshots
- ec2__enum
- glue__enum
- ec2__check_termination_protection
- lightsail__enum
[Category: ESCALATE]
- iam__privesc_scan
[Category: LATERAL_MOVE]
- cloudtrail__csv_injection
- vpc__enum_lateral_movement
[Category: EXPLOIT]
- ec2__startup_shell_script
- api_gateway__create_api_keys
- lightsail__generate_temp_access
- ebs__explore_snapshots
- systemsmanager__rce_ec2
- lightsail__download_ssh_keys
- lightsail__generate_ssh_keys
[Category: EXFIL]
- s3__download_bucket
- rds__explore_snapshots
[Category: PERSIST]
- iam__backdoor_users_password
- ec2__backdoor_ec2_sec_groups
- iam__backdoor_assume_role
- lambda__backdoor_new_roles
- iam__backdoor_users_keys
- lambda__backdoor_new_sec_groups
- lambda__backdoor_new_users
[Category: EVADE]
- guardduty__whitelist_ip
- detection__enum_services
- cloudwatch__download_logs
- waf__enum
- elb__enum_logging
- cloudtrail__download_event_history
- detection__disruption