This repository mainly focuses on the techniques, tools, frameworks and approaches used to perform offensive exploitation of AWS infrastructure and its various services, i.e. AWS cloud penetration testing. It gives an understanding of how to conduct reconnaissance within AWS in order to identify vulnerable services, how to find misconfigurations and insecure configurations of various components, and how those weaknesses could be used by adversaries to gain unauthorized access.
Tools covered:
1- Scout Suite - an automated cloud security auditing tool.
2- Pacu - an AWS attack/exploitation framework (due to be demonstrated at DEF CON 2019).
Scout Suite is an automated cloud security auditing tool that helps to assess and identify security misconfigurations. It collects configuration data from the APIs that are exposed by cloud providers and produces a report that highlights potentially vulnerable configurations. The tool works across multiple cloud providers such as AWS, Azure, and Google Cloud Platform (GCP).
Scout Suite (the successor of NCC Group's Scout2) is very useful as it allows for a quick assessment of the security configuration issues within various AWS services and reports them on an easy-to-read dashboard. This helps to identify low-hanging fruit that might otherwise take longer to detect.
To run the tool on our AWS infrastructure, we first have to set up an IAM user with the specific permissions the tool needs. Follow the steps below:
- Create an IAM user and set the access type to "Programmatic access".
- Attach these two AWS managed policies to the new IAM user: "ReadOnlyAccess" and "SecurityAudit".
- Note down the "Access key ID" and the "Secret access key" credentials (they are required to configure the AWS CLI).
- Run the AWS CLI tool and configure it with the credentials obtained previously:
  aws configure
- Install Scout Suite:
  sudo pip install scoutsuite
  Alternatively, clone the tool from its GitHub repository:
  git clone https://github.com/nccgroup/ScoutSuite
  cd ScoutSuite
  sudo pip install -r requirements.txt
  To verify that the tool is working:
  python Scout.py --help
- Our tool is now ready to run. Simply run one of the following commands:
  --> If installed using pip, use the following command:
  Scout aws
  --> If running from the GitHub clone, use this command:
  python Scout.py aws
The tool will collect data from each and every AWS service, and then analyze the configurations. The tool will generate an HTML report that will be saved in the "scoutsuite-report" folder. If you have already run the tool on your Kali instance running on AWS, you can simply download the files using SCP/WinSCP.
Scout Suite also provides us with an option to audit an infrastructure using a custom ruleset instead of its default ruleset. This is very useful as each organization has its own business case in mind while setting up an AWS infrastructure. Using custom rulesets can help organizations customize the tool's assessments according to their needs.
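One way to produce such a custom ruleset, as an added example (not Scout Suite's own code): it assumes the file layout used by Scout Suite's default rulesets (an "about" string plus a "rules" mapping of rule-file name to enabled/level entries), and the rule names below are constructed placeholders.

```python
"""Derive a custom Scout Suite ruleset from the default one.

Added example for this README, not Scout Suite's own code. Assumed file
layout (from Scout Suite's default rulesets): {"about": str, "rules":
{rule_file: [{"enabled": bool, "level": "danger"|"warning"}, ...]}}.
Rule names here are constructed placeholders.
"""
import copy
import json

VALID_LEVELS = {"danger", "warning"}

# Constructed stand-in for a few entries of the default ruleset.
DEFAULT_RULESET = {
    "about": "Default ruleset (constructed excerpt)",
    "rules": {
        "example-rule-a.json": [{"enabled": True, "level": "warning"}],
        "example-rule-b.json": [{"enabled": True, "level": "danger"}],
        "example-rule-c.json": [{"enabled": True, "level": "warning"}],
    },
}


def tune_ruleset(base, overrides, about):
    """Return a copy of `base` with per-rule overrides applied.

    `overrides` maps rule-file name -> {"enabled": bool} and/or
    {"level": str}. An unknown rule name or an invalid level raises, so a
    typo in an override never silently leaves the default in place.
    """
    custom = copy.deepcopy(base)
    custom["about"] = about
    for name, change in overrides.items():
        if name not in custom["rules"]:
            raise KeyError("unknown rule %r" % name)
        level = change.get("level")
        if level is not None and level not in VALID_LEVELS:
            raise ValueError("bad level %r for %s" % (level, name))
        for entry in custom["rules"][name]:
            entry.update(change)
    return custom


def write_ruleset(ruleset, path):
    """Save the ruleset; pass the file to Scout with its --ruleset option."""
    with open(path, "w") as fh:
        json.dump(ruleset, fh, indent=2)
```

Raising a finding's level or disabling a rule for an accepted business case keeps the dashboard focused on what matters to that organization, while the original default ruleset is left untouched.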
We ran the "Scout Suite" tool to identify potentially vulnerable configurations in an AWS infrastructure, and then analysed the report to understand how vulnerabilities are reported. We also talked about customized rulesets (within the 'Additional' section) to tune the reports according to an organization's needs.
Pacu is an open-source 'offensive AWS exploitation framework', written by a small group of developers and researchers at Rhino Security Labs. Open source and available on GitHub under the BSD-3 license (https://github.com/RhinoSecurityLabs/pacu), Pacu and its modules are written in Python 3.
It lets us perform attacks and enumeration of an environment without the manual work of running multiple AWS command-line interface (CLI) commands over and over again across different environments.
Before installing Pacu, make sure that:
a- "Git" is installed.
b- "Python 3" is installed.
c- "Pip 3" is installed.
Once the version control system, Python and the package installer above are in place, run the commands below:
git clone https://github.com/RhinoSecurityLabs/pacu.git
cd pacu/ && bash install.sh
python3 pacu.py
When we run the command "python3 pacu.py", Pacu creates a new "settings.py" file and a local database file. We then need to set a session name, the AWS credentials and a key alias for our Pacu session to run efficiently and effectively.
--> What would you like to name this new session ?
AWSExploitation1
After that, Pacu CLI is launched,
Pacu (AWSExploitation1: No Keys Set) >
Use the "set_keys" Pacu command to set the AWS credentials:
Pacu (AWSExploitation1: No Keys Set) > set_keys
Setting AWS Keys...
Press enter to keep the value currently stored.
Enter the letter C to clear the value, rather than set it.
If you enter an existing key_alias, that key's fields will be updated instead of added.
Key alias [None]: AWSExploitationUser
Access Key ID [None]: AKCDIF364RL7H34JJEUD
Secret access key [None]: X7dhC8Ukkw/j3KeIarjw9DOOnJ8wdXaiY10+nqke
Session token (Optional - for temp AWS keys only) [None]:
Keys saved to database.
Pacu (AWSExploitation1: AWSExploitationUser) >
Pacu is now essentially set up and ready to go.
Pacu has a variety of CLI commands that allow for flexible customization and interaction with your current session and any available modules that Pacu offers.
list/ls
search
help
whoami
data
services
regions
update_regions
set_regions
run/exec
set_keys
swap_keys
import_keys
exit/quit/Ctrl+C
aws
proxy
PacuProxy is a cloud-oriented command and control framework, similar to "PowerShell Empire" and "Meterpreter", which are generally used during red-team engagements for offensive attack and exploitation purposes.
Once a server (such as an EC2 instance) has been compromised through misconfigurations, PacuProxy can be used as a C2 channel to proxy all our Pacu traffic through the compromised instance. This allows us to use all the features that Pacu offers from our own computer, while all the traffic is routed through the compromised host. When an operations team looks at the logs and notices our malicious traffic, the compromised EC2 instance will show up as the source of the traffic, which will look a lot less suspicious than a random IP address they are unfamiliar with.
Example of PacuProxy module:
"systemsmanager__rce_ec2" module
This module abuses the AWS Systems Manager service to try and execute code remotely on EC2 instances: it automatically generates a one-line stager and executes it on the host, giving full control of it.
Use-case: "Stealing credentials from the EC2 metadata"
a- Run the module; it will make HTTP requests to the metadata service on that server.
b- It tries to fetch any credentials that might live there and creates a new set of keys within Pacu using those credentials.
c- Now we are able to route all those requests through the compromised host.
Note: This never alerts GuardDuty or anyone else that a compromise has happened, even though everything is installed and run on your own host machine.
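From the defender's side, one check for this use-case, as an added example not taken from Pacu or Rhino Security Labs: it scans CloudTrail records for an instance-role session (whose session name is the instance id) being used from an address that is not the instance's own, which is what replaying metadata-service credentials from another host looks like. The instance inventory, the role ARN and the log records are constructed sample data.

```python
"""Detect EC2 instance-role credentials being used away from their instance.

Added example for this README, not code from Pacu or Scout Suite. It assumes
the standard CloudTrail record layout, in which an instance-role session has
userIdentity.type "AssumedRole" and an ARN ending in the instance id. The
inventory and the log records below are constructed sample data.
"""
import json
import re

INSTANCE_SESSION = re.compile(
    r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/(i-[0-9a-f]+)$")

# Constructed inventory: instance id -> addresses its own traffic comes from.
KNOWN_INSTANCE_IPS = {"i-0abc123def4567890": {"203.0.113.10", "10.0.1.25"}}
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123def4567890"

# Constructed CloudTrail records, one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "ListUsers", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
])


def find_exfiltrated_credential_use(log_text, known_ips):
    """Return (instance_id, event_name, source_ip) for each suspicious record.

    Suspicious means: an instance-role session whose name is an instance id,
    called from an address that is neither one of that instance's known
    addresses nor an AWS service endpoint (*.amazonaws.com) acting for it.
    """
    hits = []
    for line in filter(None, log_text.splitlines()):
        event = json.loads(line)
        ident = event.get("userIdentity", {})
        match = INSTANCE_SESSION.match(ident.get("arn", ""))
        if ident.get("type") != "AssumedRole" or not match:
            continue
        src = event.get("sourceIPAddress", "")
        if src.endswith(".amazonaws.com"):
            continue
        if src not in known_ips.get(match.group(1), set()):
            hits.append((match.group(1), event.get("eventName"), src))
    return hits
```

Traffic that is proxied through the compromised instance itself, as PacuProxy does, will not be caught by this check, so it complements rather than replaces keeping the instance role's permissions to the minimum the workload needs.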
Pacu offers several modules integrated together to conduct offensive pentests, security assessments and identification of various security misconfigurations within cloud environments, specifically AWS. It's an efficient and effective way to perform various attacks against AWS cloud infrastructures.
Disclaimer:
The initial knowledge base and framework demonstration have been read, understood and taken from Rhino Security Labs, the developers of the Pacu framework.