Introduction: Pentesting AWS to Secure the Cloud
With the continued proliferation of Amazon Web Services (AWS), companies are continuing to move their technical assets to the cloud. With this paradigm shift comes new security challenges for both Sysadmin and DevOps teams. These aren’t just problems for the security-unaware, either. Even large enterprises – such as GoDaddy and Uber – have had major breaches from AWS configuration flaws.
This is where an authenticated AWS penetration test can help. By simulating a breach and providing an attacker with a set of ‘compromised’ AWS keys, the full range of AWS services in use can be vetted.
Several tools exist to aid in scanning for AWS vulnerabilities, but they focus on compliance requirements rather than exploit potential. The offensive security community has a glaring need for a tool that provides a structured, comprehensive approach to pentesting AWS.
Pacu: A New Framework for AWS Exploitation
Pacu (named after a type of Piranha in the Amazon) is a comprehensive AWS security-testing toolkit designed for offensive security practitioners.
While several AWS security scanners currently serve as the proverbial “Nessus” of the cloud, Pacu is designed to be the Metasploit equivalent. Written in Python 3 with a modular architecture, Pacu has tools for every step of the pentesting process, covering the full cyber kill chain.
Pacu is the aggregation of all of the exploitation experience and research from our countless prior AWS red team engagements. Automating components of the assessment not only improves efficiency, but also allows our assessment team to be much more thorough in large environments. What used to take days to enumerate manually can now be achieved in minutes.
The project has just concluded its private beta and has been officially released as an open source project on GitHub.
Technical Features
There are currently over 35 modules, spanning reconnaissance, persistence, privilege escalation, enumeration, data exfiltration, log manipulation, and miscellaneous general exploitation.
Pacu can be used to compromise credentials, but its true potential lies in the post-compromise phase. However you get credentials — through phishing, web application vulnerabilities, password reuse, or other means — it is at this point that Pacu’s full feature set is realized. Among its long list of features, Pacu is capable of testing S3 bucket configuration and permission flaws, establishing access through Lambda backdoor functions, compromising EC2 instances, exfiltrating data, escalating privileges, and covering tracks by disrupting monitoring and logging, including CloudTrail, GuardDuty, and others.
A few of the most popular modules include:
- confirm_permissions – Enumerates a list of confirmed permissions for the current account
- privesc_scan – Abuses 20+ different privilege escalation methods to gain further access
- cloudtrail_csv_injection – Injects malicious formulas into CloudTrail CSV exports
- disrupt_monitoring – Targets GuardDuty, CloudTrail, Config, CloudWatch, and VPC to disrupt various monitoring and logging capabilities
- backdoor_users_[keys/passwords] – Establish backdoor account access by adding credentials to other IAM user accounts
- sysman_ec2_rce – Abuses the AWS Simple Systems Manager to try and gain root (Linux) or SYSTEM (Windows) level remote code execution on various EC2 instances
- backdoor_ec2_sec_groups – Adds backdoor rules to EC2 security groups to give you access to private services
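From the defender's side, the modules above map onto specific AWS API calls that land in CloudTrail. As an added example (not Pacu's own code), the Python below scans constructed CloudTrail records and flags the calls a disrupt_monitoring, backdoor_users_keys/passwords or backdoor_ec2_sec_groups run would leave behind; the event names and requestParameters shapes follow the CloudTrail record format, and all sample records and names are constructed.

```python
import json

# Constructed CloudTrail records (sample data, not from a real account):
# one benign call followed by three that match the modules listed above.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"userName": "auditor"}, "requestParameters": None},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "dev-alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"userName": "dev-alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "dev-alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {
         "items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]

# Calls that disable the services disrupt_monitoring targets; keys are CloudTrail eventNames.
MONITORING_TAMPER = {
    "StopLogging": "CloudTrail trail stopped",
    "DeleteTrail": "CloudTrail trail deleted",
    "UpdateTrail": "CloudTrail trail reconfigured",
    "DeleteDetector": "GuardDuty detector deleted",
    "StopConfigurationRecorder": "AWS Config recorder stopped",
    "DeleteConfigurationRecorder": "AWS Config recorder deleted",
    "DeleteFlowLogs": "VPC flow logs deleted",
}
# IAM calls that plant credentials on an account (backdoor_users_keys/passwords).
CREDENTIAL_CALLS = ("CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile")


def check_event(ev):
    """Return finding strings for one CloudTrail record (empty list if benign)."""
    findings = []
    name = ev.get("eventName")
    actor = (ev.get("userIdentity") or {}).get("userName", "<unknown>")
    params = ev.get("requestParameters") or {}   # null when no parameters were sent
    if name in MONITORING_TAMPER:
        findings.append(f"{actor} {name}: {MONITORING_TAMPER[name]}")
    # Credentials created for a *different* user than the caller (self-rotation is normal).
    if name in CREDENTIAL_CALLS and params.get("userName") not in (None, actor):
        findings.append(f"{actor} {name}: credentials added to user {params['userName']}")
    # backdoor_ec2_sec_groups-style rule: IPv4 ingress opened to the whole internet.
    if name == "AuthorizeSecurityGroupIngress":
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    findings.append(f"{actor} {name}: {params.get('groupId')} open to "
                                    f"0.0.0.0/0 on {perm.get('fromPort')}-{perm.get('toPort')}")
    return findings


def scan(events):
    """Run check_event over an iterable of records and collect all findings."""
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

To run it over a delivered log file, pass `json.load(fh)["Records"]` to `scan()`; CloudTrail wraps each file's records in that key.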
Architecture
Pacu’s open source and modular architecture allows for easy auditing and community-driven improvement. A common syntax and data structure keeps modules easy to build and expand on – no need to specify AWS regions or make redundant permission checks between modules. A local SQLite database is used to manage and manipulate retrieved data, minimizing API calls (and associated logs).
Separate sessions make it simple to keep engagements and projects apart, so two users or companies are never conflated in the testing process. Reporting and attack auditing are also built into the framework; Pacu assists the documentation process through command logging and exporting, helping build a timeline of the testing process throughout an engagement.
To make it easy to contribute to, we’ve exposed a built-in API to developers to make many common actions more accessible. We also have full documentation in GitHub.
Installation and Setup
Pacu is officially supported on both macOS and Linux, and requires only Python 3.5+ and pip3 to install a handful of libraries.
Getting started is as simple as cloning the repository and running the included install script, which will check for and download all the necessary dependencies:
> git clone https://github.com/RhinoSecurityLabs/pacu
> cd pacu
> bash install.sh
> python3 pacu.py
Starting Pacu:
> python3 pacu.py
After Pacu launches, you will be prompted to provide a session name, after which you can add your compromised credentials with the ‘set_keys’ command and begin running modules.
Core commands:
list/ls – List all modules
search [cat[egory]] <search term> – Search the list of available modules by name or category
help – Display this page of information
help <module name> – Display information about a module
whoami – Display information regarding the active access keys
data – Display all data that is stored in this session
data <service>|proxy – Display all data for a specified service
services – Display a list of services that have collected data
regions – Display a list of all valid AWS regions
update_regions – Run a script to update the regions database
set_regions <region> [<region>...] – Set the default regions for this session
run/exec <module name> – Execute a module
set_keys – Add a set of AWS keys to the session
swap_keys – Change the currently active AWS key to another key
exit/quit – Exit Pacu
Nearly all commands are auto-completed for ease of use.
View the official Pacu GitHub wiki page for more detailed instructions and supporting documentation.
Demo: Pacu in Action
Watch Spencer Gietzen demonstrate Pacu at OWASP Seattle as he walks through a mock AWS penetration test:
Simulating a post-compromise scenario beginning with a set of AWS keys, he is able to use Pacu to enumerate permissions, escalate privileges, establish persistence, and obtain remote code execution on an EC2 instance.
What's Next
Future Direction
AWS Penetration Testing Book
While we encourage contributions from the open source community, Rhino’s Pacu development is expected to continue well into the future – both in the core platform and for the continuing range of modules.
Here are a few features we are planning on implementing in the future:
- Built-in safety net to prevent unintended harmful actions
- Attack scripts to automate consecutive module execution paths
- New database format using NoSQL (rather than the current SQLite database)
- PinPoint SMS/email/mobile push abuse
- S3 item interception and modification
- Module development for RDS, Route 53, and CloudFormation
This ongoing research into AWS security has also developed into a more formal structure. Published by Packt and authored by Rhino founder Benjamin Caudill, the book “Hands-On AWS Penetration Testing with Kali Linux” will be released in Feb 2019.
Readers can expect a thorough walk-through of exploiting an AWS environment and its various services, as well as how to best leverage Pacu and CloudGoat in the process.
Speaking Tour
Spencer will be giving many talks that introduce Pacu over the next few months, at the following list of security conventions:
- GrrCon – Grand Rapids, MI – 2:30 PM Friday 9/7
- iRespondCon – San Francisco, CA – Wednesday 9/12
- BSides Idaho Falls – Idaho Falls, ID – Saturday 9/15
- SAINTCON – Provo, UT – 9/25-9/28
- CactusCon – Mesa, AZ – 9/28-9/29
- DerbyCon – Louisville, KY – 10/5-10/7
- RhinoCon – Seattle, WA – TBA
- Seattle CSA – Seattle, WA – Wednesday 10/24
- WildWestHackinFest – Deadwood, SD – 4 PM Friday 10/26
As we introduce Pacu to the wider community we will be actively seeking feedback and feature requests. We have created a dedicated Slack workspace for Pacu (and CloudGoat) development and welcome everyone to join the discussion. There is much more to come, including more documentation, new modules, and a host of other general news and announcements.
Conclusion
Securing AWS through penetration testing has only become more topical over time. As companies continue to leverage AWS services to create and manage their infrastructure, Pacu can become a core security tool in the toolkit.
To that point, we welcome community feedback, feature requests, bug reports, and general critiques for both Pacu and CloudGoat (the vulnerable-by-design AWS environment).
If you’re interested in contributing, please read our contribution guidelines for code conventions and git flow notes.
FAQs
What is Pacu AWS?
Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality.
What is CloudGoat?
CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It is used to deploy a vulnerable set of AWS resources. It is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.
How does an AWS S3 ACL work?
Each bucket and object has an ACL attached to it as a subresource. It defines which AWS accounts or groups are granted access and the type of access. When a request is received against a resource, Amazon S3 checks the corresponding ACL to verify that the requester has the necessary access permissions.