Copy of Pacu
Rhino Security is a consultancy that specializes in cloud penetration testing and has done extensive work on security issues in cloud environments such as AWS. They have created an exploitation tool called Pacu that is designed to work directly against the AWS API. The tool is written in Python and feels somewhat like Metasploit, though not exactly. It has over 35 modules for AWS environments and can manage multiple AWS profiles. The tool features reconnaissance, enumeration, mapping, privilege escalation, and even persistence modules. You can pull the tool from the following location: http://www.github.com/RhinoSecurityLabs/pacu.
Pacu has a battery of authenticated modules designed to perform enumeration in an AWS environment; some of these are noisier than others:
− iam__bruteforce_permissions will attempt to call AWS API services directly, without querying IAM, to determine what rights you currently have
− ec2__enum, lambda__enum, codebuild__enum: these will attempt to enumerate assets in each of these services using the keys you currently have
Note that each of these actions may leave a log trail.
You may often have to get around a security control, and some of these controls are provided by Amazon itself.
The AWS threat detection service is called GuardDuty. The workarounds below either allow-list your IP address or remove all logging so that GuardDuty is blind:
− guardduty__whitelist_ip: This module adds your IP address to the GuardDuty whitelist, so that all of your traffic is allowed.
− detection__disruption: This module will detect which logging configurations are available, such as VPC Flow Logs, CloudTrail, and CloudWatch. It will then disable these configurations or bring them down to their most basic level to eliminate logging.
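From the defender's side, both kinds of activity described above leave a trail in CloudTrail: permission brute-forcing shows up as a burst of denied API calls from one identity, and logging or GuardDuty disruption shows up as specific management events. The following is an added example (not part of Pacu or of the original page) that flags both patterns over constructed CloudTrail-shaped records; the threshold, account ID and user names are assumptions.

```python
from collections import Counter

# CloudTrail eventNames for the logging/GuardDuty tampering the page describes.
TAMPERING_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
    "logs.amazonaws.com": {"DeleteLogGroup"},
    "guardduty.amazonaws.com": {"CreateIPSet", "UpdateIPSet", "DeleteDetector"},
}
# EC2 reports authorization failures with its own error code, not AccessDenied.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}
# Burst threshold for permission brute-forcing (assumed value; tune per account).
DENIED_THRESHOLD = 5

def analyze(records):
    """Return (identity, finding) tuples for a list of CloudTrail records."""
    findings, denied = [], Counter()
    for r in records:
        who = r.get("userIdentity", {}).get("arn", "unknown")
        src, name = r.get("eventSource"), r.get("eventName")
        if name in TAMPERING_EVENTS.get(src, ()):
            findings.append((who, f"logging/GuardDuty tampering: {src} {name}"))
        if r.get("errorCode") in DENIED_CODES:
            denied[who] += 1
    for who, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append((who, f"{n} denied API calls: possible permission brute-force"))
    return findings

def _rec(arn, source, name, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    r = {"userIdentity": {"arn": arn}, "eventSource": source, "eventName": name}
    if error:
        r["errorCode"] = error
    return r

# Constructed sample: one key probes several services and is denied, then stops
# the trail and edits the GuardDuty trusted IP list; a second user is benign.
KEY = "arn:aws:iam::123456789012:user/example-key"  # placeholder account/user
SAMPLE = [
    _rec(KEY, "ec2.amazonaws.com", "DescribeInstances", "Client.UnauthorizedOperation"),
    _rec(KEY, "lambda.amazonaws.com", "ListFunctions20150331", "AccessDenied"),
    _rec(KEY, "codebuild.amazonaws.com", "ListProjects", "AccessDenied"),
    _rec(KEY, "s3.amazonaws.com", "ListBuckets", "AccessDenied"),
    _rec(KEY, "rds.amazonaws.com", "DescribeDBInstances", "AccessDenied"),
    _rec(KEY, "cloudtrail.amazonaws.com", "StopLogging"),
    _rec(KEY, "guardduty.amazonaws.com", "UpdateIPSet"),
    _rec("arn:aws:iam::123456789012:user/admin", "ec2.amazonaws.com", "DescribeInstances"),
]
```

Running `analyze(SAMPLE)` yields three findings, all attributed to the example key: the StopLogging call, the UpdateIPSet call, and the burst of five denied calls.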