alexanderinsa edited this page Jun 26, 2018 · 33 revisions

Overview

Description

Pacu is an AWS exploitation framework whose modules cover reconnaissance, automated exploitation of vulnerabilities and misconfigurations, persistence, and log disruption.

Quick Start Guide

Requirements

Installation

$ git clone https://github.com/RhinoSecurityLabs/pacu
$ cd pacu
$ pip install -r requirements.txt

A more in-depth installation guide can be found here.

Getting Started

$ python pacu.py

Note: Upon launching Pacu for the first time, you will be asked to create a new session.

A tutorial can be found here.

Usage

If you are ever stuck, the help command brings up the list of available commands.

Useful Commands

  • list lists the available modules for the regions that were set in the current session.
  • help module_name returns the help information for the specified module.
  • run module_name runs the specified module with its default parameters.
  • run module_name --regions eu-west-1,us-west-1 runs the specified module against the eu-west-1 and us-west-1 regions only (for modules that support the --regions argument).

Modules

Included with Pacu are some default modules. Full descriptions can be found here.

Recon

  • buckethead_s3_enum
    • Enumerates/bruteforces S3 buckets based on different parameters.
  • confirm_permissions
    • Tries to get a confirmed list of permissions for the current user.
  • download_ec2_userdata
    • Downloads user data from EC2 instances.
  • enum_cloudtrails
    • Enumerates CloudTrail trails, mainly for other modules.
  • enum_ebs_volumes_snapshots
    • Enumerates EBS volumes and snapshots and logs any without encryption.
  • enum_ec2
    • Enumerates a wide range of relevant EC2 information.
  • enum_ec2_termination_protection
    • Collects a list of EC2 instances without termination protection.
  • enum_elb_logging
    • Collects a list of Elastic Load Balancers without access logging.
  • enum_glue
    • Enumerates Glue connections, crawlers, databases, development endpoints, and jobs.
  • enum_monitoring
    • Detects monitoring and logging capabilities.
  • enum_users_roles_policies_groups
    • Enumerates users, roles, customer-managed policies, and groups.
  • get_credential_report
    • Generates and downloads an IAM credential report.
  • s3_bucket_dump
    • Enumerates and dumps files from S3 buckets.

Post Exploitation

  • add_ec2_startup_sh_script
    • Stops and restarts EC2 instances to execute code.
  • backdoor_ec2_sec_groups
    • Adds backdoor rules to EC2 security groups.
  • cloudtrail_csv_injection
    • Inject malicious formulas/data into CloudTrail event history.
  • download_lightsail_ssh_keys
    • Downloads Lightsail's default SSH key pairs.

Escalation

  • backdoor_assume_role
    • Creates assume-role trust relationships between users and roles.
  • privesc_scan
    • An IAM privilege escalation path finder and abuser.

Persistence

  • backdoor_users_keys
    • Adds API keys to other users.
  • backdoor_users_password
    • Adds a password to users without one.

Logging

  • dl_cloudtrail_event_history
    • Downloads CloudTrail event history to JSON files.

Module Development

A key design philosophy of Pacu is that every module follows a standardized format. This keeps modules simple but powerful, lets them work well together, and still leaves room for a developer to customize them to their needs.

More information on module development can be found here.
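To make the standardized module format concrete, below is an example module written in that shape. It is an added illustration for this page, not a module shipped with Pacu: the module_info keys, the module-level argparse parser, main(args, pacu_main) and summary(data, pacu_main) follow the module template as the editor understands it, and the pacu_main helpers it calls (print, get_regions, get_boto3_client) are assumptions about that interface. The module itself does what the enum_ebs_volumes_snapshots one-liner above describes (report EBS volumes and snapshots without encryption) and honours the --regions eu-west-1,us-west-1 convention from the Usage section. The AWS-facing part is kept in main, while the actual check is a pure function over the describe_volumes / describe_snapshots result lists so it can be exercised offline on the constructed sample records at the bottom.

```python
#!/usr/bin/env python3
"""Example Pacu-style module: list EBS volumes and snapshots that are not encrypted.

Added illustration, not code shipped with Pacu. The structure below (module_info,
module-level parser, main(args, pacu_main), summary(data, pacu_main)) follows the
module template as the editor understands it; the pacu_main helper names used here
(print, get_regions, get_boto3_client) are assumptions about that interface.
"""
import argparse

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore is only present inside a Pacu / boto3 install
    ClientError = Exception

module_info = {
    'name': 'example_enum_unencrypted_ebs',   # hypothetical module name
    'author': 'Example author',
    'category': 'recon_enum_with_keys',       # assumed category label
    'one_liner': 'Lists EBS volumes and snapshots without encryption.',
    'description': 'Calls ec2:DescribeVolumes and ec2:DescribeSnapshots in each '
                   'target region and records resources whose Encrypted flag is false.',
    'services': ['EC2'],
    'prerequisite_modules': [],
    'external_dependencies': [],
    'arguments_to_autocomplete': ['--regions'],
}

parser = argparse.ArgumentParser(add_help=False, description=module_info['description'])
parser.add_argument('--regions', required=False, default=None,
                    help='Comma-separated regions, e.g. eu-west-1,us-west-1 '
                         '(default: every EC2 region).')


def parse_regions(value):
    """Turn 'eu-west-1, us-west-1,eu-west-1' into ['eu-west-1', 'us-west-1'].

    Whitespace is stripped and duplicates dropped while keeping the given order;
    None or an empty string yields [] so the caller can fall back to all regions.
    """
    regions = []
    for region in (value or '').split(','):
        region = region.strip()
        if region and region not in regions:
            regions.append(region)
    return regions


def find_unencrypted(volumes, snapshots):
    """Pure check over describe_volumes / describe_snapshots result lists.

    Design choice: a record with no 'Encrypted' key is reported as unencrypted,
    so an incomplete record is surfaced rather than silently passed.
    """
    vol_ids = [v['VolumeId'] for v in volumes if not v.get('Encrypted', False)]
    snap_ids = [s['SnapshotId'] for s in snapshots if not s.get('Encrypted', False)]
    return vol_ids, snap_ids


def main(args, pacu_main):
    args = parser.parse_args(args)
    print = pacu_main.print  # Pacu's session-aware print (assumed helper)
    regions = parse_regions(args.regions) or pacu_main.get_regions('ec2')
    data = {'volumes': {}, 'snapshots': {}}

    for region in regions:
        client = pacu_main.get_boto3_client('ec2', region)
        volumes, snapshots = [], []
        try:
            # Paginate: a busy account has far more than one page of volumes.
            for page in client.get_paginator('describe_volumes').paginate():
                volumes.extend(page['Volumes'])
            # OwnerIds=['self'] avoids walking every public snapshot in the region.
            for page in client.get_paginator('describe_snapshots').paginate(OwnerIds=['self']):
                snapshots.extend(page['Snapshots'])
        except ClientError as error:
            print('  {}: {}'.format(region, error))  # e.g. AccessDenied; keep going
            continue
        vol_ids, snap_ids = find_unencrypted(volumes, snapshots)
        data['volumes'][region] = vol_ids
        data['snapshots'][region] = snap_ids
        print('  {}: {} unencrypted volume(s), {} unencrypted snapshot(s)'.format(
            region, len(vol_ids), len(snap_ids)))
    return data


def summary(data, pacu_main):
    """One-line result shown when the module finishes."""
    n_vol = sum(len(v) for v in data['volumes'].values())
    n_snap = sum(len(s) for s in data['snapshots'].values())
    return '{} unencrypted volume(s) and {} unencrypted snapshot(s) found.'.format(n_vol, n_snap)


# Constructed sample records (not real AWS data) in the shape boto3 returns,
# so find_unencrypted can be exercised without credentials.
SAMPLE_VOLUMES = [
    {'VolumeId': 'vol-0aaaaaaaaaaaaaaa1', 'Encrypted': True, 'Size': 8},
    {'VolumeId': 'vol-0aaaaaaaaaaaaaaa2', 'Encrypted': False, 'Size': 100},
    {'VolumeId': 'vol-0aaaaaaaaaaaaaaa3', 'Size': 20},  # 'Encrypted' key absent
]
SAMPLE_SNAPSHOTS = [
    {'SnapshotId': 'snap-0bbbbbbbbbbbbbbb1', 'Encrypted': False},
    {'SnapshotId': 'snap-0bbbbbbbbbbbbbbb2', 'Encrypted': True},
]

if __name__ == '__main__':
    print(find_unencrypted(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS))
```

Keeping the check separate from the AWS calls is what makes a module easy to test and reuse: find_unencrypted can be unit-tested on the sample records, while main only deals with regions, pagination and permission errors (an AccessDenied in one region is logged and the loop continues instead of aborting the whole run).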

Glossary

Unfamiliar terms and specific terminology are explained here.