Home
Pacu is an AWS exploitation tool that provides tools for performing reconnaissance, automated exploitation of vulnerabilities, persistence, and log disruption.
$ git clone https://github.com/RhinoSecurityLabs/pacu
$ cd pacu
$ pip3 install -r requirements.txt
A more in-depth guide can be found here.
$ python pacu.py
Note: Upon launching Pacu for the first time, you will be asked to create a new session.
If you are ever stuck, `help` will bring up a list of commands that are available.
- `list` will list the available modules for the regions that were set in the current session.
- `help module_name` will return the applicable help information for the specified module.
- `run module_name` will run the specified module with its default parameters.
- `run module_name --regions eu-west-1,us-west-1` will run the specified module against the eu-west-1 and us-west-1 regions (for modules that support the `--regions` argument).
Included with Pacu are some default modules. Full descriptions can be found here.
buckethead_s3_enum - Enumerates/bruteforces S3 buckets based on different parameters.
confirm_permissions - Tries to get a confirmed list of permissions for the current user.
download_ec2_userdata - Downloads user data from EC2 instances.
enum_ebs_volumes_snapshots - Enumerates EBS volumes and snapshots and logs any without encryption.
enum_ec2 - Enumerates a ton of relevant EC2 info.
enum_ec2_termination_protection - Collects a list of EC2 instances without termination protection.
enum_elb_logging - Collects a list of Elastic Load Balancers without access logging.
enum_glue - Enumerates Glue connections, crawlers, databases, development endpoints, and jobs.
enum_monitoring - Detects monitoring and logging capabilities in CloudTrail, GuardDuty, and Shield.
enum_users_roles_policies_groups - Enumerates users, roles, customer-managed policies, and groups.
get_credential_report - Generates and downloads an IAM credential report.
s3_bucket_dump - Enumerates and dumps files from S3 buckets.
add_ec2_startup_sh_script - Stops and restarts EC2 instances to execute code as the root or SYSTEM user.
backdoor_ec2_sec_groups - Adds backdoor rules to EC2 security groups.
cloudtrail_csv_injection - Injects malicious formulas/data into CloudTrail event history.
download_lightsail_ssh_keys - Downloads Lightsail's default SSH key pairs.
backdoor_assume_role - Creates assume-role trust relationships between users and roles.
privesc_scan - An IAM privilege escalation path finder and abuser.
backdoor_users_keys - Adds API keys to other users.
backdoor_users_password - Adds a password to users without one.
dl_cloudtrail_event_history - Downloads CloudTrail event history to JSON files.
disrupt_monitoring - Gives the option of disabling or deleting GuardDuty detectors and disabling, deleting, or minimizing CloudTrail trails.
A key design philosophy for Pacu is that modules follow a standardized format. This allows for simple but powerful scripts that work well together and can still be customized to fit a developer's needs.
More information on module development can be found here.
Unfamiliar terms and specific terminology are explained here.