Guide to AWS Penetration Testing
Cloud security is an ever-evolving domain, and AWS, being a leader in cloud services, is often a target for penetration testers aiming to identify and mitigate security vulnerabilities. There are several tools designed specifically for AWS pentesting that can help security professionals assess the security posture of their AWS environments. This write-up covers four popular AWS pentesting tools: Pacu, ScoutSuite, Enumerate-IAM, and PMapper.
Pacu
Pacu is an open-source AWS exploitation framework designed for offensive security testing. It allows penetration testers to simulate real-world attack scenarios on AWS environments to identify security weaknesses.
Features:
Modular Design: Pacu has a modular architecture, enabling users to load specific modules for various tasks such as enumeration, privilege escalation, and exploitation.
Automation: Automates many of the tedious tasks associated with AWS penetration testing.
Credential Management: Handles multiple AWS credentials, making it easier to switch between different accounts.
Custom Modules: Users can develop and integrate custom modules to extend Pacu’s functionality.
Pacu ships with a large number of modules; some of the most commonly used are listed below.
Common Modules:
- Enum IAM: Enumerates IAM users, roles, policies, and groups.
- S3 Buckets: Identifies misconfigured S3 buckets and attempts to access their contents.
- Privilege Escalation: Identifies potential privilege escalation paths within the AWS environment.
- Lambda Backdoor: Deploys a backdoor in AWS Lambda functions.
Installation:
pip3 install -U pacu
Usage:
pacu
Create a new session and you are good to go.
set_keys
list
run aws__enum_account
console
ScoutSuite
ScoutSuite is an open-source multi-cloud security auditing tool that works with AWS, Azure, and GCP. It provides a comprehensive view of the security posture of cloud environments by leveraging the APIs of cloud services.
Features:
Cross-Cloud Support: Supports AWS, Azure, and GCP, making it versatile for multi-cloud environments.
Detailed Reports: Generates HTML reports that provide an in-depth analysis of the security configuration.
Agentless: Does not require the installation of agents within the cloud environment.
Key Capabilities:
- IAM Analysis: Assesses IAM configurations, identifying overly permissive roles and policies.
- Storage Services: Evaluates the security settings of S3 buckets, ensuring they are not publicly accessible.
- Network Configuration: Reviews security group rules and VPC configurations to identify potential misconfigurations.
- Logging and Monitoring: Checks the configuration of CloudTrail and CloudWatch to ensure proper logging and monitoring.
Installation:
pip3 install scoutsuite
Usage:
Set up an AWS CLI profile if you haven't already.
aws --profile <profile-name> configure
scout aws --profile <profile-name> -f
Once the run completes, it generates an HTML report that includes the findings and the cloud account configuration.
You can go through each AWS component or service and filter the findings based on severity.
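To make concrete what two of the checks above actually test for, here is an added example (not ScoutSuite's own code) that runs simplified versions of the storage and network checks over constructed data. The security groups are shaped like the output of aws ec2 describe-security-groups and the ACLs like aws s3api get-bucket-acl; the group IDs, bucket names and owner ID are made up, and the set of ports considered acceptable to expose is an assumption of the example.

```python
"""Simplified cloud-audit checks (added example, not ScoutSuite code).

check_security_groups: flags ingress rules open to the whole internet
(0.0.0.0/0 or ::/0) on anything other than the ports in WEB_PORTS, or
for all protocols at once.
check_bucket_acls: flags S3 bucket ACL grants to the AllUsers or
AuthenticatedUsers groups, which make a bucket public to everyone or to
any AWS account respectively.
"""

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumption of this example: only HTTP/HTTPS are acceptable world-open ports.
WEB_PORTS = {80, 443}

# Real group URIs used in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample: three security groups as describe-security-groups returns them.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        # IpProtocol "-1" means all protocols and all ports.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Constructed sample: bucket ACLs as get-bucket-acl returns them.
BUCKET_ACLS = {
    "writeup-bucket": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
    ]},
    "public-assets": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "backups": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ]},
}


def rule_sources(rule):
    """All IPv4 and IPv6 source CIDRs of one ingress rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def check_security_groups(groups):
    """Return (group_id, description) for every rule exposed to the internet."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            if not any(cidr in PUBLIC_CIDRS for cidr in rule_sources(rule)):
                continue  # only private or specific sources: fine
            if rule["IpProtocol"] == "-1":
                findings.append((group["GroupId"], "all traffic open to the internet"))
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            exposed = set(range(lo, hi + 1)) - WEB_PORTS
            if exposed:
                findings.append((group["GroupId"],
                                 f"{rule['IpProtocol']}/{lo}-{hi} open to the internet"))
    return findings


def check_bucket_acls(acls):
    """Return (bucket, description) for every public ACL grant."""
    findings = []
    for bucket, acl in acls.items():
        for grant in acl["Grants"]:
            uri = grant["Grantee"].get("URI")
            if uri == ALL_USERS:
                findings.append((bucket, f"{grant['Permission']} granted to everyone"))
            elif uri == AUTH_USERS:
                findings.append((bucket, f"{grant['Permission']} granted to any AWS account"))
    return findings


if __name__ == "__main__":
    for finding in check_security_groups(SECURITY_GROUPS) + check_bucket_acls(BUCKET_ACLS):
        print(f"{finding[0]}: {finding[1]}")
```

Note that a bucket ACL is only one of several paths to public exposure; a real audit also has to look at the bucket policy and at the account and bucket level Public Access Block settings, which this example does not model.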
PMapper
PMapper is a tool for analyzing and visualizing AWS IAM permissions. It helps in understanding the complex relationships between IAM policies and the effective permissions they grant.
Features:
Graph-Based Analysis: Uses a graph-based approach to map IAM entities and their permissions.
Visualizations: Provides visual representations of IAM relationships and permissions, making it easier to identify potential security issues.
Policy Simulation: Simulates IAM policy evaluations to understand the impact of specific policies on permissions.
Query Language: Allows users to query the IAM graph to find specific relationships or misconfigurations.
Key Capabilities:
- IAM Graph Construction: Constructs a graph of IAM entities and their relationships based on the AWS account’s IAM policies.
- Risk Identification: Identifies high-risk permissions and potential privilege escalation paths.
- Interactive Queries: Users can interactively query the IAM graph to explore specific permissions and relationships.
- Effective Permissions: Determines the effective permissions of users and roles by simulating policy evaluations.
Installation:
git clone https://github.com/nccgroup/PMapper.git
cd PMapper
pip install .
If running pmapper fails with an import error about Mapping or MutableMapping from the collections module, apply the fix below.
The error is due to a change in the collections interface in Python 3: the abstract base classes moved to collections.abc, and from Python 3.10 on the old aliases in collections are gone. Open the file named in the traceback in your text editor and change the import statement at the top of the file from:
from collections import Mapping, MutableMapping, OrderedDict
to this:
from collections.abc import Mapping, MutableMapping
from collections import OrderedDict
Usage:
pmapper --profile <profile-name> graph create
Note that whichever IAM role or user you use will need broad read access to the account. The ReadOnlyAccess managed policy will suffice.
Run a query to see who can make IAM Users.
pmapper --profile <profile-name> query 'who can do iam:CreateUser'
Run the privilege escalation preset query.
pmapper --profile <profile-name> query "preset privesc *"
We can run queries to see who has access to what. For example, knowing that there’s an object named test.txt in the S3 bucket named writeup-bucket, we can run a query to see who in the account can access that object.
pmapper --account <account-id> query --with-resource-policy --resource-owner <account-id> 'who can do s3:GetObject with arn:aws:s3:::writeup-bucket/test.txt'
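To show what a query such as "who can do iam:CreateUser" computes, here is an added example (not PMapper's own code) of the policy simulation described under Features above, run over a handful of constructed identity-based policies. It follows the core of the AWS evaluation logic: an explicit Deny wins, otherwise any matching Allow grants the action, otherwise the request is implicitly denied. The principal names and policy documents are made up; resource-based policies, conditions, permission boundaries and SCPs, all of which a real account has, are left out.

```python
"""Toy IAM effective-permission evaluator (added example, not PMapper code).

Actions match case-insensitively with the * wildcard; resource ARNs match
case-sensitively. A query resource of "*" asks which principals are allowed
the action on every resource, which is what a Resource "*" statement grants.
"""
from fnmatch import fnmatchcase

# Constructed sample: identity-based policy statements per principal.
PRINCIPALS = {
    "user/alice": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
    "user/bob": [
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:ListUsers"], "Resource": "*"},
        # Explicit Deny overrides the Allow above for this one action.
        {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
    ],
    "role/deploy": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::writeup-bucket/*"},
    ],
    "user/readonly": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    ],
}

# Real IAM actions that let a principal create or empower identities; the
# preset privesc query in PMapper looks for paths built from actions like these.
SENSITIVE_IAM_ACTIONS = [
    "iam:CreateUser",
    "iam:CreateAccessKey",
    "iam:AttachUserPolicy",
    "iam:PutUserPolicy",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    action_hit = any(fnmatchcase(action.lower(), pattern) for pattern in actions)
    resource_hit = any(fnmatchcase(resource, pattern) for pattern in resources)
    return action_hit and resource_hit


def is_allowed(statements, action, resource="*"):
    """Explicit Deny > Allow > implicit deny, over one principal's statements."""
    allowed = False
    for stmt in statements:
        if not statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def who_can(principals, action, resource="*"):
    """Principals allowed to perform `action` on `resource`, sorted by name."""
    return sorted(name for name, stmts in principals.items()
                  if is_allowed(stmts, action, resource))


def sensitive_action_report(principals, actions=SENSITIVE_IAM_ACTIONS):
    """Map each sensitive action to the principals that can perform it."""
    return {action: who_can(principals, action) for action in actions}


if __name__ == "__main__":
    print("who can do iam:CreateUser:", who_can(PRINCIPALS, "iam:CreateUser"))
    print("who can read writeup-bucket/test.txt:",
          who_can(PRINCIPALS, "s3:GetObject", "arn:aws:s3:::writeup-bucket/test.txt"))
    for action, names in sensitive_action_report(PRINCIPALS).items():
        print(f"{action}: {names}")
```

The point of doing this in code rather than by reading policies is the same one PMapper makes: bob looks dangerous at a glance because an Allow names iam:CreateUser, but the Deny in the same policy removes it, while alice's iam:* quietly covers every sensitive IAM action. PMapper goes further by also walking role-assumption and other edges between principals, which this toy does not.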
Enumerate-IAM
Enumerate-IAM is a tool designed to perform a detailed enumeration of AWS IAM users, roles, policies, and groups. It helps security professionals understand the permissions structure within an AWS account.
Features:
Detailed Enumeration: Provides comprehensive information about IAM entities and their permissions.
Policy Analysis: Analyzes IAM policies to identify overly permissive or misconfigured policies.
JSON Output: Outputs the results in JSON format, making it easy to integrate with other tools or processes.
Key Capabilities:
- User and Role Enumeration: Lists all IAM users and roles within an AWS account.
- Policy Extraction: Extracts and analyzes inline and managed policies.
- Group Enumeration: Lists all IAM groups and their associated users and policies.
- Effective Permissions: Determines the effective permissions of IAM users and roles.
Installation:
git clone https://github.com/andresriancho/enumerate-iam.git
cd enumerate-iam
pip install -r requirements.txt
Usage:
python enumerate-iam.py -h
python enumerate-iam.py --access-key <key-here> --secret-key <secret-here>
Conclusion
AWS penetration testing is a critical aspect of cloud security, and tools like Pacu, ScoutSuite, Enumerate-IAM, and PMapper provide valuable capabilities to security professionals.
Thank you for reading.