# AWS Offensive Exploitation - Pentest

This repository mainly focuses on various techniques, tools, frameworks and approaches used to perform offensive exploitation of AWS infrastructure, its various services, and overall AWS cloud penetration testing. It gives an understanding of how to conduct reconnaissance within AWS in order to identify vulnerable services, how to find misconfigurations and insecure configurations for various components, and how those vulnerabilities could be used by adversaries to gain unauthorized access.

## Tools and Frameworks

1. Scout Suite - an automated cloud security auditing tool.
2. Pacu - an AWS attack/exploitation framework (due to be demonstrated at DEF CON 2019).

## 1- Scout Suite

Scout Suite is an automated cloud security auditing tool that helps to assess and identify security misconfigurations. It collects configuration data from the APIs exposed by cloud providers and produces a report that highlights potentially vulnerable configurations. The tool works across multiple cloud providers such as AWS, Azure, and Google Cloud Platform (GCP).

Scout Suite (formerly Scout2) is very useful as it allows for a quick assessment of the security configuration issues within various AWS services and reports them on an easy-to-read dashboard. This helps to identify several low-hanging fruits that might otherwise take longer to detect.

### Configuring and running Scout Suite

To run the tool on our AWS infrastructure, we first have to set up an IAM user with the specific permissions the tool needs. Follow the steps below:

1. Create an IAM user and set the access type to "Programmatic access".
2. Attach these two managed policies to the new IAM user: "ReadOnlyAccess" and "SecurityAudit".
3. Note down the "Access key ID" and "Secret access key" credentials (they are required to configure the AWS CLI).
4. Run the AWS CLI tool and configure it with the credentials obtained above:

   ```
   aws configure
   ```

5. Install Scout Suite:

   ```
   sudo pip install scoutsuite
   ```

   Alternatively, clone the tool from its GitHub repository:

   ```
   git clone https://github.com/nccgroup/ScoutSuite
   cd ScoutSuite
   sudo pip install -r requirements.txt
   ```

   To verify that the tool is working:

   ```
   python Scout.py --help
   ```

6. The tool is now ready to run.

### Running Scout Suite

Simply run one of the following commands.

If installed using pip:

```
scout aws
```

If running the script from the GitHub clone:

```
python Scout.py aws
```

The tool collects data from each AWS service and then analyzes the configurations. It generates an HTML report that is saved in the "scoutsuite-report" folder. If you ran the tool on a Kali instance running in AWS, you can simply download the report files using SCP/WinSCP.

### Additional

Scout Suite also provides an option to audit an infrastructure using a custom ruleset instead of its default ruleset. This is very useful because each organization has its own business case in mind when setting up an AWS infrastructure; custom rulesets let organizations tailor the tool's assessments to their needs.

### Summary

We ran the "Scout Suite" tool to identify potentially vulnerable configurations in an AWS infrastructure, and then analysed the report to understand how vulnerabilities are reported. We also covered customized rulesets (in the "Additional" section) to tune the reports to an organization's needs.
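The "Running Scout Suite" section above ends with an HTML report, but the same run also writes a machine-readable results file next to it, which is what you want when you need to track findings across repeated scans or feed them into a ticketing pipeline. The following script is an added example, not part of this README or of Scout Suite itself: it assumes the results file is a JavaScript assignment (`scoutsuite_results = { ... }`) wrapping a JSON object with `services -> <service> -> findings -> <finding id>` entries carrying `level`, `checked_items`, `flagged_items` and `items` fields, which is how Scout Suite's `scoutsuite_results_aws-<profile>.js` is laid out to the best of my knowledge. The embedded sample results are constructed, not output from a real scan.

```python
import json
import re
import sys
from collections import Counter
from typing import Dict, List

# Constructed sample shaped like scoutsuite-report/scoutsuite-results/scoutsuite_results_aws-<profile>.js
# (assumed layout: one JavaScript assignment wrapping a JSON object; field names as found in
# Scout Suite output). A real file is far larger and also carries the raw inventory.
SAMPLE_RESULTS_JS = """scoutsuite_results =
{
    "account_id": "123456789012",
    "provider_name": "aws",
    "services": {
        "ec2": {
            "findings": {
                "ec2-security-group-opens-all-ports-to-all": {
                    "description": "Security Group Opens All Ports to All",
                    "level": "danger",
                    "checked_items": 12,
                    "flagged_items": 1,
                    "items": ["ec2.regions.us-east-1.vpcs.vpc-0a1b2c3d.security_groups.sg-0e4f5a6b.rules.ingress.protocols.ALL.ports.1-65535.cidrs"]
                },
                "ec2-ebs-volume-not-encrypted": {
                    "description": "EBS Volume Not Encrypted",
                    "level": "warning",
                    "checked_items": 5,
                    "flagged_items": 2,
                    "items": ["ec2.regions.us-east-1.volumes.vol-0111", "ec2.regions.us-east-1.volumes.vol-0222"]
                },
                "ec2-default-security-group-in-use": {
                    "description": "Default Security Group in Use",
                    "level": "warning",
                    "checked_items": 3,
                    "flagged_items": 0,
                    "items": []
                }
            }
        },
        "iam": {
            "findings": {
                "iam-user-no-mfa": {
                    "description": "User without MFA",
                    "level": "danger",
                    "checked_items": 4,
                    "flagged_items": 1,
                    "items": ["iam.users.auditor"]
                }
            }
        }
    }
}
"""

SEVERITY_ORDER = {"danger": 0, "warning": 1}


def load_results(text: str) -> dict:
    """Strip the leading 'scoutsuite_results =' assignment and parse the JSON that follows."""
    body = re.sub(r"^\s*scoutsuite_results\s*=\s*", "", text, count=1)
    return json.loads(body)


def flagged_findings(results: dict) -> List[dict]:
    """Flatten every finding with at least one flagged item, most severe and most flagged first."""
    rows = []
    for service, data in results.get("services", {}).items():
        for finding_id, finding in data.get("findings", {}).items():
            if finding.get("flagged_items", 0) > 0:
                rows.append({
                    "service": service,
                    "id": finding_id,
                    "level": finding.get("level", "warning"),
                    "flagged": finding["flagged_items"],
                    "checked": finding.get("checked_items", 0),
                    "items": list(finding.get("items", [])),
                })
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r["level"], 9), -r["flagged"]))
    return rows


def count_by_level(results: dict) -> Dict[str, int]:
    """Number of flagged findings per severity level, e.g. {'danger': 2, 'warning': 1}."""
    return dict(Counter(r["level"] for r in flagged_findings(results)))


def render(results: dict) -> str:
    """Plain-text triage view: one line per flagged finding, followed by the flagged resource paths."""
    lines = [f"Account {results.get('account_id', '?')}: {count_by_level(results)}"]
    for r in flagged_findings(results):
        lines.append(f"[{r['level'].upper():7}] {r['service']}: {r['id']} ({r['flagged']}/{r['checked']} flagged)")
        lines.extend(f"    - {item}" for item in r["items"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the path to a real results .js file, or run without arguments to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS_JS
    print(render(load_results(text)))
```

Findings with zero flagged items are dropped on purpose: Scout Suite records every rule it evaluated, and the signal for a reviewer is the flagged subset ordered by severity. Diffing the output of `flagged_findings()` between two scans is a cheap way to see whether a remediation actually landed.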
## 2- Pacu

Pacu is an open-source "offensive AWS exploitation framework", written by a small group of developers and researchers at Rhino Security Labs. It is available on GitHub under the BSD-3 license (https://github.com/RhinoSecurityLabs/pacu); Pacu and its modules are written in Python 3.

It lets us perform enumeration of, and attacks against, an environment without the manual work of running multiple AWS command-line interface (CLI) commands over and over again across different environments.

### Configure and set up Pacu

Prerequisites:

- "Git" is installed.
- "Python 3" is installed.
- "Pip 3" is installed.

Once the version control system, Python and package manager above are in place, run the following commands:

```
git clone https://github.com/RhinoSecurityLabs/pacu.git
cd pacu/ && bash install.sh
python3 pacu.py
```

### Running Pacu

When we run "python3 pacu.py", Pacu creates a new "settings.py" file and a local database file. We then need to set up a session, AWS credentials and a key alias for our Pacu session to run efficiently and effectively:

```
--> What would you like to name this new session ?
AWSExploitation1
```

After that, the Pacu CLI is launched:

```
Pacu (AWSExploitation1: No Keys Set) >
```

Use the "set_keys" Pacu command to set the AWS credentials:

```
Pacu (AWSExploitation1: No Keys Set) > set_keys
Setting AWS Keys...
Press enter to keep the value currently stored.
Enter the letter C to clear the value, rather than set it.
If you enter an existing key_alias, that key's fields will be updated instead of added.

Key alias [None]: AWSExploitationUser
Access Key ID [None]: AKCDIF364RL7H34JJEUD
Secret access key [None]: X7dhC8Ukkw/j3KeIarjw9DOOnJ8wdXaiY10+nqke
Session token (Optional - for temp AWS keys only) [None]:

Keys saved to database.

Pacu (AWSExploitation1: AWSExploitationUser) >
```

Pacu is now set up and ready to go.

### Various Pacu Commands

Pacu has a variety of CLI commands that allow for flexible customization and interaction with your current session and any of the modules that Pacu offers:

- list/ls
- search
- help
- whoami
- data
- services
- regions
- update_regions
- set_regions
- run/exec
- set_keys
- swap_keys
- import_keys
- exit/quit/Ctrl+C
- aws
- proxy

### PacuProxy - C2, an offensive approach generally beyond the security posture of organizations

PacuProxy is a cloud-oriented command and control (C2) framework, similar to "PowerShell Empire" and "Meterpreter", which are generally used during red-team engagements for offensive attack and exploitation purposes.

Once a server (such as an EC2 instance) has been compromised through misconfigurations, PacuProxy can be used as a C2 channel to proxy all our Pacu traffic through the compromised instance. This lets us use every feature Pacu offers from our own computer while all the traffic is routed through the compromised host. When an operations team looks at the logs and notices our malicious traffic, the compromised EC2 instance will show up as the source of the traffic, which looks a lot less suspicious than an unfamiliar random IP address.
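The PacuProxy paragraph above makes the defender-side point explicit: CloudTrail records the compromised instance as the source of the API calls, so a check that only compares source addresses is blind to proxied traffic. The script below is an added defender-side example, not part of this README or of Pacu. It reviews CloudTrail records for EC2 instance-profile sessions (role sessions whose session name is the instance ID) and raises two independent signals: the instance's temporary credentials being used from an address that is not the instance's own egress address, and the instance's role calling an API outside the workload's known baseline. The instance inventory, the role baseline, the instance IDs, the IP addresses and the CloudTrail records are all constructed for the example; the record field names (`userIdentity.type`, `userIdentity.arn`, `sourceIPAddress`, `eventName`, `sessionContext.ec2RoleDelivery`) follow CloudTrail's record format.

```python
import gzip
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# An EC2 instance profile yields role sessions whose session name is the instance ID.
INSTANCE_SESSION = re.compile(r"^i-[0-9a-f]{8,17}$")
ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/([^/]+)$")

# Constructed inventory (hypothetical IDs and addresses): the source addresses each instance
# is expected to call AWS from, i.e. its own public IP or its subnet's NAT gateway EIP.
INSTANCE_EGRESS_IPS: Dict[str, Set[str]] = {
    "i-0abc123def4567890": {"198.51.100.7"},
}

# Constructed baseline: API calls the workload behind each role is known to make.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "WebServerRole": {"GetObject", "PutObject"},
}


def _mk(time: str, source: str, name: str, ip: str, arn: str, ident_type: str = "AssumedRole") -> dict:
    """Build a minimal CloudTrail record (constructed sample; real records carry many more fields)."""
    ident: dict = {"type": ident_type, "arn": arn}
    if ident_type == "AssumedRole":
        # ec2RoleDelivery records which IMDS version handed out the session credentials
        ident["sessionContext"] = {"ec2RoleDelivery": "2.0"}
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": ident}


WEB_ROLE = "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0abc123def4567890"
SAMPLE_EVENTS: List[dict] = [
    _mk("2019-07-01T10:00:00Z", "s3.amazonaws.com", "GetObject", "198.51.100.7", WEB_ROLE),           # normal
    _mk("2019-07-01T10:05:00Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.10", WEB_ROLE),  # keys used off-host
    _mk("2019-07-01T10:06:00Z", "iam.amazonaws.com", "ListUsers", "198.51.100.7", WEB_ROLE),          # proxied via the host
    _mk("2019-07-01T10:07:00Z", "iam.amazonaws.com", "ListUsers", "203.0.113.10",
        "arn:aws:iam::123456789012:user/auditor", ident_type="IAMUser"),                             # not an instance role
    _mk("2019-07-01T10:08:00Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.10",
        "arn:aws:sts::123456789012:assumed-role/WebServerRole/alice"),                               # human session, not an instance
]


def instance_session(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (role name, instance id) if the caller is an EC2 instance-profile session, else None."""
    ident = ev.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    m = ASSUMED_ROLE_ARN.match(ident.get("arn", ""))
    if not m or not INSTANCE_SESSION.match(m.group(2)):
        return None
    return m.group(1), m.group(2)


def analyze(events: List[dict], egress: Dict[str, Set[str]] = INSTANCE_EGRESS_IPS,
            baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> List[dict]:
    """Flag instance-role calls made from an unexpected address or outside the role's baseline."""
    alerts = []
    for ev in events:
        session = instance_session(ev)
        if session is None:
            continue
        role, instance_id = session
        src = ev.get("sourceIPAddress", "")
        name = ev.get("eventName", "")
        reasons = []
        # Calls an AWS service makes on the instance's behalf carry a service hostname, not an IP.
        expected = egress.get(instance_id)
        if expected is not None and not src.endswith(".amazonaws.com") and src not in expected:
            reasons.append(f"credentials of {instance_id} used from {src}, expected one of {sorted(expected)}")
        allowed = baseline.get(role)
        if allowed is not None and name not in allowed:
            reasons.append(f"{name} is outside the baseline for {role}")
        if reasons:
            alerts.append({"eventTime": ev.get("eventTime"), "role": role, "instance": instance_id,
                           "source": src, "eventName": name,
                           "imds": ev["userIdentity"].get("sessionContext", {}).get("ec2RoleDelivery"),
                           "reasons": reasons})
    return alerts


def load_cloudtrail_records(path: str) -> List[dict]:
    """CloudTrail log files delivered to S3 are (gzipped) JSON objects with a 'Records' array."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The address check is the one GuardDuty's InstanceCredentialExfiltration findings are built around, and it is exactly the check that proxying through the host defeats: the third sample record comes from the instance's own address and passes it. What still fires for that record is the baseline check, because a web server's role has no business calling `iam:ListUsers`. In practice the baseline is derived from a few weeks of the role's CloudTrail history rather than hand-written, and the egress map comes from `describe-instances` and `describe-nat-gateways` rather than a literal.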
Example of a PacuProxy module:

"systemsmanager__rce_ec2" module

This module abuses the AWS Systems Manager service to try to execute code remotely on EC2 instances: it automatically generates a one-line stager and executes it on the host, giving full control of it.

Use case: "Stealing credentials from the EC2 metadata"

a- Run the module; it makes HTTP requests to the metadata service on that server.
b- It tries to fetch any credentials that live there and creates a new set of keys within Pacu from those credentials.
c- Now we are able to route all those requests through the compromised host.

Note: this never alerts GuardDuty or anyone else that a compromise has happened, even though everything is installed and run on your own host machine.

### Summary

Pacu offers several modules, integrated together, to conduct offensive pentests, security assessments and identification of various security misconfigurations within cloud environments, specifically AWS. It is an efficient and effective way to perform various attacks against AWS cloud infrastructures.

Disclaimer:

The initial knowledge base and framework demonstration have been read, understood and taken from Rhino Security Labs, the developers of the Pacu framework.