The Open Source AWS Exploitation Framework – Pacu

Last Commit: 03/08/2019

The Open Source AWS Exploitation Framework – Pacu

Introduction

Pacu is an open source AWS exploitation framework for offensive security testing against cloud environments, created and maintained by Rhino Security Labs. It allows you to  exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enables:

  • user privilege escalation, IAM users backdooring, attacking vulnerable Lambda functions, and so much more (see bellow).

The Open Source AWS Exploitation Framework – Pacu

Disclaimer: As with any penetration testing tool, it is your responsibility to get proper authorization before using Pacu outside of your own environment. Pacu is software that comes with absolutely no warranties whatsoever. By using Pacu, you take full responsibility for any and all outcomes that result. It is entirely your responsibility to ensure that how you use Pacu is compliant with the AWS Acceptable Use Policy.

Pacu: The Open Source AWS Exploitation Framework for testing security of AWS environments

Pacu is a CLI (command line interface) that provides a database and modules that allow cybersecurity professionals to easily provided assessments on AWS environments. It is a lightweight program, based on Python, that requires Python 3.5+ and pip3 only. Pacu is well-documented, so you’ll be able to quickly and easily make new modules on your own (Advanced Usage Wiki: cybersecurity researchers/developers/experts). It’s supported  in OSX and Linux operating systems.

Features:

  • Pacu has a bunch of plug-in modules (currently Pacu has 36 modules for executing AWS attacks) that helps you in: enumeration, privilege escalation, data exfiltration, service exploitation, and log manipulation.
  • It provides utilities to easily allow users and modules to store and reference access information and enumerated data found when engaging an AWS environment.
  • Common syntax and data structure keeps modules easy to build and expand on – no need to specify AWS regions or make redundant permission checks between modules.
  • Local SQLite database for managing and manipulating with retrieved data (minimizing API calls and associated logs).
  • Built-in reporting and attack auditing inside framework (command logging and exporting, testing process timeline).

Requirements:

  • Python 3.5+
  • pip3
  • all packages from requirements.txt

Pacu Install

Download zip file or clone it from the github repo:

$ git clone https://github.com/RhinoSecurityLabs/pacu.git

Then navigate to the Pacu directory:

$ cd pacu/

and run install.sh install script (it will automatically install all packages from requirements.txt):

$ bash install.sh
Note: If you do not meet the requirements to run Pacu, you will be notified.

Usage

To start Pacu, run the following:

$ python3 pacu.py

After first lunch, you’ll see message “database not found”, but it will be created automatically. You’ll be prompted to provide a session name, just name it to start. Set the AWS keys, and start running modules.

Basic Commands in Pacu

Run help to list all available commands:

Pacu command info:
    list/ls                             List all modules
    search [cat[egory]]                 Search the list of available modules by name or category
    help                                Display this page of information
    help                                Display information about a module
    whoami                              Display information regarding to the active access keys
    data                                Display all data that is stored in this session. Only fields
                                                  with values will be displayed
    data |proxy                         Display all data for a specified service or for PacuProxy
                                                  in this session
    services                            Display a list of services that have collected data in the
                                                  current session to use with the "data" command
    regions                             Display a list of all valid AWS regions
    update_regions                      Run a script to update the regions database to the newest
                                                  version
    set_regions  <region> [<region>...] Set the default regions for this session. These space-separated
                                                  regions will be used for modules where regions are required,
                                                  but not supplied by the user. The default set of regions is
                                                  every supported region for the service. Supply "all" to this
                                                  command to reset the region set to the default of all
                                                  supported regions
    run/exec                            Execute a module
    set_keys                            Add a set of AWS keys to the session and set them as the
                                                  default
    swap_keys                           Change the currently active AWS key to another key that has
                                                  previously been set for this session
    exit/quit                           Exit Pacu

Available modules

[Category: RECON_UNAUTH]

  • s3__bucket_finder
  • iam__enum_users
  • iam__enum_assume_role

[Category: ENUM]

  • inspector__get_reports
  • iam__bruteforce_permissions
  • iam__detect_honeytokens
  • iam__get_credential_report
  • lambda__enum
  • iam__enum_permissions
  • codebuild__enum
  • ec2__download_userdata
  • aws__enum_account
  • iam__enum_users_roles_policies
    _groups
  • aws__enum_spend
  • ebs__enum_volumes_snapshots
  • ec2__enum
  • glue__enum
  • ec2__check_termination_protection
  • lightsail__enum

[Category: ESCALATE]

  • iam__privesc_scan

[Category: LATERAL_MOVE]

  • cloudtrail__csv_injection
  • vpc__enum_lateral_movement

[Category: EXPLOIT]

  • ec2__startup_shell_script
  • api_gateway__create_api_keys
  • lightsail__generate_temp_access
  • ebs__explore_snapshots
  • systemsmanager__rce_ec2
  • lightsail__download_ssh_keys
  • lightsail__generate_ssh_keys

[Category: EXFIL]

  • s3__download_bucket
  • rds__explore_snapshots

[Category: PERSIST]

  • iam__backdoor_users_password
  • ec2__backdoor_ec2_sec_groups
  • iam__backdoor_assume_role
  • lambda__backdoor_new_roles
  • iam__backdoor_users_keys
  • lambda__backdoor_new_sec_groups
  • lambda__backdoor_new_users

[Category: EVADE]

  • guardduty__whitelist_ip
  • detection__enum_services
  • cloudwatch__download_logs
  • waf__enum
  • elb__enum_logging
  • cloudtrail__download_event_history
  • detection__disruption
Documentation Box
Download Box