{"id":4413,"date":"2024-09-15T20:25:28","date_gmt":"2024-09-15T18:25:28","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4413"},"modified":"2024-09-16T15:52:59","modified_gmt":"2024-09-16T13:52:59","slug":"pacu-aws-exploitation-framework","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4413","title":{"rendered":"Pacu \u2014 <span class=\"caps\">AWS<\/span> exploitation framework"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/RhinoSecurityLabs\/pacu\">Pacu<\/a> can be used to test an <span class=\"caps\">AWS<\/span> account. Setup:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Login via the <span class=\"caps\">AWS<\/span> cli and create\/reuse a pro\u00adfile:<br><code>aws configure --profile $profile<\/code><\/li>\n\n\n\n<li>Start pacu<\/li>\n\n\n\n<li>Import the access and secret key and oth\u00ader pro\u00adfile set\u00adtings from the <span class=\"caps\">AWS<\/span> <span class=\"caps\">CLI<\/span> with<br><code>import_keys $profile<\/code><\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Unauthorized enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Requires only an <span class=\"caps\">AWS<\/span> access key and secret key.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate roles. Cre\u00adate a list with pos\u00adsi\u00adble roles to&nbsp;check.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">run iam__enum_roles --word-list \/tmp\/roles.txt --account-id $accountId<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate users which belong to a (pre\u00advi\u00adous\u00adly found) role. Cre\u00adate also a list of pos\u00adsi\u00adble user&nbsp;names.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">run iam__enum_users --word-list \/tmp\/users.txt --role-name $role --account-id $accountId<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate snap\u00adshots. $key\u00adword is some\u00adthing which is e.g. in a <span class=\"caps\">S3<\/span> buck\u00adet&nbsp;name.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">run ebs__enum_snapshots_unauth --keyword $keyword --account-id $accountId --account-id-wordlist $accountIdWordlist<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Various<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To see the whole response: Select the&nbsp;area:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">services<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">and then request the data from one&nbsp;area:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">data iam<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To assume a pre\u00advi\u00adous\u00adly found role,&nbsp;use<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">assume_role arn:aws:iam::$accountID:role\/$roleName<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Pacu can be used to test an <span class=\"caps\">AWS<\/span> account. Set\u00adup: Unau\u00adtho\u00adrized enu\u00admer\u00ada\u00adtion Requires only an <span class=\"caps\">AWS<\/span> access key and secret key. Enu\u00admer\u00adate roles. Cre\u00adate a list with pos\u00adsi\u00adble roles to&nbsp;check. run iam__enum_roles \u2013word-list \/tmp\/roles.txt \u2013account-id $accoun\u00adtId Enu\u00admer\u00adate users which belong to a (pre\u00advi\u00adous\u00adly found) role. Cre\u00adate also a list of pos\u00adsi\u00adble user&nbsp;names. run iam__enum_users \u2013word-list [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470],"tags":[287,304,509],"class_list":["post-4413","post","type-post","status-publish","format-standard","hentry","category-active-enum","tag-aws","tag-cloud","tag-pacu"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4413"}],"version-history":[{"count":7,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4413\/revisions"}],"predecessor-version":[{"id":4438,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4413\/revisions\/4438"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}