pacu: an open-source AWS exploitation framework

What is Pacu?

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.


Features

There are currently over 35 modules, covering reconnaissance, persistence, privilege escalation, enumeration, data exfiltration, log manipulation, and miscellaneous general exploitation.

Pacu can be used to compromise credentials, but its true potential lies in the post-compromise phase. However you get credentials — through phishing, web application vulnerabilities, password reuse, or other means — it is at this point that Pacu’s full feature set is realized. Among its long list of features, Pacu is capable of testing S3 bucket configuration and permission flaws, establishing access through Lambda backdoor functions, compromising EC2 instances, exfiltrating data, escalating privileges, and covering tracks by disrupting monitoring and logging, including CloudTrail, GuardDuty, and others.

A few of the most popular modules include:

  • confirm_permissions – Enumerates a list of confirmed permissions for the current account
  • privesc_scan – Abuses 20+ different privilege escalation methods to gain further access
  • cloudtrail_csv_injection – Injects malicious formulas into CloudTrail CSV exports
  • disrupt_monitoring – Targets GuardDuty, CloudTrail, Config, CloudWatch, and VPC to disrupt various monitoring and logging capabilities
  • backdoor_users_[keys/passwords] – Establish backdoor account access by adding credentials to other IAM user accounts
  • sysman_ec2_rce – Abuses the AWS Simple Systems Manager to try and gain root (Linux) or SYSTEM (Windows) level remote code execution on various EC2 instances
  • backdoor_ec2_sec_groups – Adds backdoor rules to EC2 security groups to give you access to private services
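As an added defensive counterpart to the modules listed above (example code written for this page, not Pacu's own), the following Python scans CloudTrail records for the management-plane calls that disrupt_monitoring and backdoor_users_[keys/passwords] would leave behind. The record list is constructed sample data and the category names are my own.

```python
import json

# Constructed sample CloudTrail records (not real data), reduced to the fields
# the check needs: eventSource, eventName, userIdentity, requestParameters.
SAMPLE_RECORDS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"name": "org-trail"}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"detectorId": "d-example"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "alice"}, "requestParameters": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"userName": "alice"}, "requestParameters": None},
]

# Management-plane calls that stop, delete or blind the services the
# disrupt_monitoring module targets (CloudTrail, GuardDuty, Config, VPC
# Flow Logs, CloudWatch Logs). Keyed by CloudTrail eventSource.
DISRUPTION_CALLS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector", "CreateIPSet", "CreateThreatIntelSet"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder", "DeleteDeliveryChannel"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
    "logs.amazonaws.com": {"DeleteLogGroup", "DeleteLogStream"},
}

# IAM calls that create a new way to authenticate as a user; when the target
# user differs from the caller this is the footprint of backdoor_users_[keys/passwords].
CREDENTIAL_CALLS = {"CreateAccessKey", "CreateLoginProfile"}


def flag_suspicious(records):
    """Return (category, actor, eventName, target) tuples for records that
    match either pattern. Plain dict access keeps it usable on raw JSON."""
    alerts = []
    for rec in records:
        source, name = rec.get("eventSource", ""), rec.get("eventName", "")
        actor = (rec.get("userIdentity") or {}).get("userName", "<unknown>")
        params = rec.get("requestParameters") or {}
        if name in DISRUPTION_CALLS.get(source, set()):
            alerts.append(("monitoring-disruption", actor, name, json.dumps(params, sort_keys=True)))
        elif source == "iam.amazonaws.com" and name in CREDENTIAL_CALLS:
            # Without an explicit userName the call applies to the caller itself.
            target = params.get("userName", actor)
            if target != actor:
                alerts.append(("iam-backdoor", actor, name, target))
    return alerts
```

Tune DISRUPTION_CALLS to the baseline of your own account: UpdateTrail and UpdateDetector are also issued by legitimate automation, so pair the match with an allow-list of expected principals.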

Architecture

Pacu’s open-source and modular architecture allows for easy auditing and community-driven improvement. A common syntax and data structure keep modules easy to build and expand on – no need to specify AWS regions or make redundant permission checks between modules. A local SQLite database is used to manage and manipulate retrieved data, minimizing API calls (and associated logs).

Different sessions make it simple to separate engagements/projects, so two users or companies are never conflated in the testing process. Reporting and attack auditing are also built into the framework; Pacu assists the documentation process through command logging and exporting, helping build a timeline of the testing process throughout an engagement.

Install & Use

Copyright (C) 2018 Rhino Security Labs, Inc.