Rhino Security Labs

Strategic and Technical Blog

AWS

Pacu: The Open Source AWS Exploitation Framework

Introduction: Pentesting AWS to Secure the Cloud

With the continued proliferation of Amazon Web Services (AWS), companies are continuing to move their technical assets to the cloud. With this paradigm shift comes new security challenges for both Sysadmin and DevOps teams.  These aren’t just problems for the security-unaware, either.  Even large enterprises – such as GoDaddy and Uber – have had major breaches from AWS configuration flaws.

This is where an authenticated AWS penetration test can help.  By simulating a breach and providing an attacker with a set of ‘compromised’ AWS keys, the range of AWS services can fully vetted.

Several tools exist to aid in the scanning of AWS vulnerabilities, but focus on compliance requirements, rather than exploit potential.  The offensive security community has a glaring need for a tool that provides a structured, comprehensive approach to pentesting AWS.

Meet Pacu – The AWS Exploitation Framework.

Pacu: A New Framework for AWS Exploitation

Pacu (named after a type of Piranha in the Amazon) is a comprehensive AWS security-testing toolkit designed for offensive security practitioners.
While several AWS security scanners currently serve as the proverbial “Nessus” of the cloud, Pacu is designed to be the Metasploit equivalent. Written in Python 3 with a modular architecture, Pacu has tools for every step of the pentesting process, covering the full cyber kill chain.

Pacu is the aggregation of all of the exploitation experience and research from our countless prior AWS red team engagements.  Automating components of the assessment not only improves efficiency, but also allows our assessment team to be much more thorough in large environments.  What used to take days to manually enumerate can be now be achieved in minutes.

The project has just concluded its private beta and has been officially released as an open source project on GitHub.

Technical Features

There are currently over 35 modules that range from reconnaissance, persistence, privilege escalation, enumeration, data exfiltration, log manipulation, and miscellaneous general exploitation.

Pacu can be used to compromise credentials, but its true potential lies in the post-compromise phase. However you get credentials — through phishing, web application vulnerabilities, password reuse, or other means — it is at this point that Pacu’s full feature set is realized. Among its long list of features, Pacu is capable of testing S3 bucket configuration and permission flaws, establishing access through Lambda backdoor functions, compromising EC2 instances, exfiltrating data, escalating privileges, and covering tracks by disrupting monitoring and logging, including CloudTrail, GuardDuty, and others.

A few of the most popular modules include:

  • confirm_permissions – Enumerates a list of confirmed permissions for the current account
  • privesc_scan – Abuses 20+ different privilege escalation methods to gain further access
  • cloudtrail_csv_injection – Injects malicious formulas into CloudTrail CSV exports
  • disrupt_monitoring – Targets GuardDuty, CloudTrail, Config, CloudWatch, and VPC to disrupt various monitoring and logging capabilities
  • backdoor_users_[keys/passwords] – Establish backdoor account access by adding credentials to other IAM user accounts
  • sysman_ec2_rce – Abuses the AWS Simple Systems Manager to try and gain root (Linux) or SYSTEM (Windows) level remote code execution on various EC2 instances
  • backdoor_ec2_sec_groups – Adds backdoor rules to EC2 security groups to give you access to private services

Architecture

 

Pacu’s open source and modular architecture allows for easy auditing and community-driven improvement. A common syntax and data structure keeps modules easy to build and expand on – no need to specify AWS regions or make redundant permission checks between modules. A local SQLite database is used to manage and manipulate retrieved data, minimizing API calls (and associated logs).

Different sessions makes it simple to separate engagements/projects, so two users or companies are never conflated in the testing process. Reporting and attack auditing is also built into the framework; Pacu assists the documentation process through command logging and exporting, helping build a timeline for the testing process throughout an engagement.

To make it easy to contribute to, we’ve exposed a built-in API to developers to make many common actions more accessible. We also have full documentation in GitHub.

Installation and Setup

Pacu  is officially supported in both macOS and Linux, and requires only Python 3.5+ and pip3 to install a handful of libraries.

Getting started is as simple as cloning the repository and running the included install script, which will check for and download all the necessary dependencies:

> git clone https://github.com/RhinoSecurityLabs/pacu
> cd pacu
> bash install.sh
> python3 pacu.py

Starting Pacu:

> python3 pacu.py

After Pacu launches, you will be prompted to provide a session name, after which you can add your compromised credentials with the  ‘set_keys’ command and begin running modules.

Core commands:

list/ls                             List all modules
search [cat[egory]] <search term>   Search the list of available modules by name or category
help                                Display this page of information
help <module name>                  Display information about a module
whoami                              Display information regarding to the active access keys
data                                Display all data that is stored in this session.
data <service>|proxy                Display all data for a specified service
services                            Display a list of services that have collected data
regions                             Display a list of all valid AWS regions
update_regions                      Run a script to update the regions database
set_regions <region> [<region>...]  Set the default regions for this session.
run/exec <module name>              Execute a module
set_keys                            Add a set of AWS keys to the session
swap_keys                           Change the currently active AWS key to another key
exit/quit                           Exit Pacu

Nearly all commands are auto-completed for ease of use.

View the official Pacu GitHub wiki page for more detailed instructions and supporting documentation.

Demo: Pacu in Action

Watch Spencer Gietzen demonstrate Pacu at OWASP Seattle as he walks through a mock AWS penetration test:

Simulating a post-compromise scenario beginning with a set of  AWS keys, he is able to use Pacu to enumerate permissions, escalate privileges, establish persistence, and obtain remote code execution on an EC2 instance.

What's Next

Future Direction

AWS Penetration Testing Book

While we encourage contributions from the open source community, Rhino’s Pacu development is expected to continue well into the future –  both in the core platform and for the continuing range of modules.
Here are a few features we are planning on implementing in the future:

  • Built-in safety net to prevent unintended harmful actions
  • Attack scripts to automate consecutive module execution paths
  • New database format using NoSQL (rather than the current SQLite database)
  • PinPoint SMS/email/mobile push abuse
  • S3 item interception and modification
  • Module development for RDS, Route 53, and CloudFormation

This ongoing research into AWS security has also developed into a more formal structure as well.  Published by Packt and authored by Rhino founder Benjamin Caudill, the book “Hands-On AWS Penetration Testing with Kali Linux” will be released in Feb 2019.

Readers can expect a through walk-through of exploiting an AWS environment and its various services, as well as how to best leverage Pacu and Cloudgoat in the process.

Speaking Tour

Spencer will be giving many talks that introduce Pacu over the next few months, at the following list of security conventions:

  • GrrCon – Grand rapids, MI – 2:30 PM Friday 9/7
  • iRespondCon – San Francisco, CA – Wednesday 9/12
  • BSides Idaho Falls – Idaho Falls, ID – Saturday 9/15
  • SAINTCON – Provo, UT – 9/25-9/28
  • CactusCon – Mesa, AZ – 9/28-9/29
  • DerbyCon – Louisville, KY – 10/5-10/7
  • RhinoCon – Seattle, WA – TBA
  • Seattle CSA – Seattle, WA – Wednesday 10/24
  • WildWestHackinFest – Deadwood, SD – 4 PM Friday 10/26

As we introduce Pacu to the wider community we will be actively seeking feedback and feature requests. We have created a dedicated Slack workspace for Pacu (and CloudGoat) development and welcome everyone to join the discussion. There is much more to come, including more documentation, new modules, and a host of other general news and announcements.

Conclusion

Securing AWS through penetration testing has only become more topical over time.  As companies continue to leverage AWS services to create and manage their infrastructure, Pacu can be become a core security tool in in the toolkit.

To that point, we welcome community feedback, feature requests, bugs. and general critiques for both Pacu and CloudGoat (the Vulnerable-by-Design AWS environment).

If you’re interested in contributing, please read our contribution guidelines for code conventions and git flow notes.