Introduction: Pentesting AWS to Secure the Cloud

With the continued proliferation of Amazon Web Services (AWS), companies are continuing to move their technical assets to the cloud. With this paradigm shift comes new security challenges for both Sysadmin and DevOps teams. These aren’t just problems for the security-unaware, either. Even large enterprises – such as GoDaddy and Uber – have had major breaches from AWS configuration flaws. This is where an authenticated AWS penetration test can help. By simulating a breach and providing an attacker with a set of ‘compromised’ AWS keys, the range of AWS services can fully vetted. Several tools exist to aid in the scanning of AWS vulnerabilities, but focus on compliance requirements, rather than exploit potential. The offensive security community has a glaring need for a tool that provides a structured, comprehensive approach to pentesting AWS. Meet Pacu – The AWS Exploitation Framework.

Pacu: A New Framework for AWS Exploitation

Pacu (named after a type of Piranha in the Amazon) is a comprehensive AWS security-testing toolkit designed for offensive security practitioners.

While several AWS security scanners currently serve as the proverbial “Nessus” of the cloud, Pacu is designed to be the Metasploit equivalent. Written in Python 3 with a modular architecture, Pacu has tools for every step of the pentesting process, covering the full cyber kill chain. Pacu is the aggregation of all of the exploitation experience and research from our countless prior AWS red team engagements. Automating components of the assessment not only improves efficiency, but also allows our assessment team to be much more thorough in large environments. What used to take days to manually enumerate can be now be achieved in minutes. The project has just concluded its private beta and has been officially released as an open source project on GitHub.

Technical Features

There are currently over 35 modules that range from reconnaissance, persistence, privilege escalation, enumeration, data exfiltration, log manipulation, and miscellaneous general exploitation. Pacu can be used to compromise credentials, but its true potential lies in the post-compromise phase. However you get credentials — through phishing, web application vulnerabilities, password reuse, or other means — it is at this point that Pacu’s full feature set is realized. Among its long list of features, Pacu is capable of testing S3 bucket configuration and permission flaws, establishing access through Lambda backdoor functions, compromising EC2 instances, exfiltrating data, escalating privileges, and covering tracks by disrupting monitoring and logging, including CloudTrail, GuardDuty, and others. A few of the most popular modules include: confirm_permissions – Enumerates a list of confirmed permissions for the current account

– Enumerates a list of confirmed permissions for the current account privesc_scan – Abuses 20+ different privilege escalation methods to gain further access

– Abuses 20+ different privilege escalation methods to gain further access cloudtrail_csv_injection – Injects malicious formulas into CloudTrail CSV exports

– Injects malicious formulas into CloudTrail CSV exports disrupt_monitoring – Targets GuardDuty, CloudTrail, Config, CloudWatch, and VPC to disrupt various monitoring and logging capabilities

– Targets GuardDuty, CloudTrail, Config, CloudWatch, and VPC to disrupt various monitoring and logging capabilities backdoor_users_[keys/passwords] – Establish backdoor account access by adding credentials to other IAM user accounts

– Establish backdoor account access by adding credentials to other IAM user accounts sysman_ec2_rce – Abuses the AWS Simple Systems Manager to try and gain root (Linux) or SYSTEM (Windows) level remote code execution on various EC2 instances

– Abuses the AWS Simple Systems Manager to try and gain root (Linux) or SYSTEM (Windows) level remote code execution on various EC2 instances backdoor_ec2_sec_groups – Adds backdoor rules to EC2 security groups to give you access to private services

Architecture

Pacu’s open source and modular architecture allows for easy auditing and community-driven improvement. A common syntax and data structure keeps modules easy to build and expand on – no need to specify AWS regions or make redundant permission checks between modules. A local SQLite database is used to manage and manipulate retrieved data, minimizing API calls (and associated logs). Different sessions makes it simple to separate engagements/projects, so two users or companies are never conflated in the testing process. Reporting and attack auditing is also built into the framework; Pacu assists the documentation process through command logging and exporting, helping build a timeline for the testing process throughout an engagement. To make it easy to contribute to, we’ve exposed a built-in API to developers to make many common actions more accessible. We also have full documentation in GitHub.

Installation and Setup

Pacu is officially supported in both macOS and Linux, and requires only Python 3.5+ and pip3 to install a handful of libraries. Getting started is as simple as cloning the repository and running the included install script, which will check for and download all the necessary dependencies:

> git clone https://github.com/RhinoSecurityLabs/pacu > cd pacu > bash install.sh > python3 pacu.py

Starting Pacu:

> python3 pacu.py

After Pacu launches, you will be prompted to provide a session name, after which you can add your compromised credentials with the ‘set_keys’ command and begin running modules.

Core commands:

list/ls List all modules search [cat[egory]] <search term> Search the list of available modules by name or category help Display this page of information help <module name> Display information about a module whoami Display information regarding to the active access keys data Display all data that is stored in this session. data <service>|proxy Display all data for a specified service services Display a list of services that have collected data regions Display a list of all valid AWS regions update_regions Run a script to update the regions database set_regions <region> [<region>...] Set the default regions for this session. run/exec <module name> Execute a module set_keys Add a set of AWS keys to the session swap_keys Change the currently active AWS key to another key exit/quit Exit Pacu

Nearly all commands are auto-completed for ease of use. View the official Pacu GitHub wiki page for more detailed instructions and supporting documentation.

Demo: Pacu in Action

Watch Spencer Gietzen demonstrate Pacu at OWASP Seattle as he walks through a mock AWS penetration test: Simulating a post-compromise scenario beginning with a set of AWS keys, he is able to use Pacu to enumerate permissions, escalate privileges, establish persistence, and obtain remote code execution on an EC2 instance.

What's Next

Future Direction AWS Penetration Testing Book

While we encourage contributions from the open source community, Rhino’s Pacu development is expected to continue well into the future – both in the core platform and for the continuing range of modules.

Here are a few features we are planning on implementing in the future: Built-in safety net to prevent unintended harmful actions

Attack scripts to automate consecutive module execution paths

New database format using NoSQL (rather than the current SQLite database)

PinPoint SMS/email/mobile push abuse

S3 item interception and modification

Module development for RDS, Route 53, and CloudFormation This ongoing research into AWS security has also developed into a more formal structure as well. Published by Packt and authored by Rhino founder Benjamin Caudill, the book “Hands-On AWS Penetration Testing with Kali Linux” will be released in Feb 2019. Readers can expect a through walk-through of exploiting an AWS environment and its various services, as well as how to best leverage Pacu and Cloudgoat in the process.

Speaking Tour

Spencer will be giving many talks that introduce Pacu over the next few months, at the following list of security conventions: GrrCon – Grand rapids, MI – 2:30 PM Friday 9/7

– Grand rapids, MI – 2:30 PM Friday 9/7 iRespondCon – San Francisco, CA – Wednesday 9/12

– San Francisco, CA – Wednesday 9/12 BSides Idaho Falls – Idaho Falls, ID – Saturday 9/15

– Idaho Falls, ID – Saturday 9/15 SAINTCON – Provo, UT – 9/25-9/28

– Provo, UT – 9/25-9/28 CactusCon – Mesa, AZ – 9/28-9/29

– Mesa, AZ – 9/28-9/29 DerbyCon – Louisville, KY – 10/5-10/7

– Louisville, KY – 10/5-10/7 RhinoCon – Seattle, WA – TBA

– Seattle, WA – TBA Seattle CSA – Seattle, WA – Wednesday 10/24

– Seattle, WA – Wednesday 10/24 WildWestHackinFest – Deadwood, SD – 4 PM Friday 10/26 As we introduce Pacu to the wider community we will be actively seeking feedback and feature requests. We have created a dedicated Slack workspace for Pacu (and CloudGoat) development and welcome everyone to join the discussion. There is much more to come, including more documentation, new modules, and a host of other general news and announcements.

Conclusion