
Detailed Usage Guide

DmorattiRhino edited this page Feb 22, 2019 · 11 revisions


Overview

Pacu is a command-line interface that provides a database and modules that allow security professionals to easily perform assessments of AWS environments. A local SQLite database maintains data, and Pacu provides utilities that let users and modules store and reference access information and enumerated data found when engaging an AWS environment. Modules are steadily written by Rhino Security Labs and the open-source community, ensuring that the latest set of modules is available to the public as soon as they are developed.

Setup

A session is a reference to data regarding a single AWS account. Session data includes sets of access keys and any discovered resources and configurations. Access key pairs are security credentials that provide programmatic access to an AWS environment. Each key pair can be added in Pacu, allowing a user to easily switch between different levels of access while maintaining a consistent snapshot of the targeted AWS environment. Pacu uses the active set of credentials while running modules.

Configuring regions

By default, every supported region is used for each module when possible.

Supported regions can be found in Pacu by typing the regions command.

You can use set_regions to declare a specific set of regions to focus on in the current session. If you do choose to manually set target regions, Pacu will ignore any regions that are not supplied in that command. For example, if your target only uses AWS in us-east-1 and us-west-2, then you would enter set_regions us-east-1 us-west-2 and every module from there on out would only target us-east-1 and us-west-2. When listing modules using the ls or list commands, only modules that are applicable to the regions you set will show up.

Pacu comes with a service_regions.json file in the modules folder, but the update_regions command was added to ensure that the list is up to date. When you run update_regions, Pacu will try to use pip3 (then pip if that fails, and it will prompt you if that also fails) to update the Python libraries boto3 and botocore. It will then try to discover the path where pip stores libraries so it can fetch the most up-to-date list of regions from the botocore folder.
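The region handling described above can be sketched as follows. This is an added example, not Pacu's own code: it assumes the botocore data has the layout of botocore's data/endpoints.json (the page only says "the botocore folder"), uses a constructed sample instead of the real file, and the function names are hypothetical.

```python
import json

# Constructed sample in the layout of botocore's data/endpoints.json
# (partitions -> services -> endpoints keyed by region). Not real data.
SAMPLE_ENDPOINTS = json.loads("""
{"partitions": [{"partition": "aws",
  "regions": {"us-east-1": {}, "us-west-2": {}, "eu-west-1": {}},
  "services": {
    "ec2": {"endpoints": {"us-east-1": {}, "us-west-2": {}, "eu-west-1": {}}},
    "lightsail": {"endpoints": {"us-east-1": {}, "eu-west-1": {}}},
    "iam": {"partitionEndpoint": "aws-global", "isRegionalized": false,
            "endpoints": {"aws-global": {}}}
  }}]}
""")


def service_regions(endpoints, partition="aws"):
    """Map each service to the sorted list of regions it has an endpoint in."""
    result = {}
    for part in endpoints["partitions"]:
        if part["partition"] != partition:
            continue
        known = set(part["regions"])
        for name, svc in part["services"].items():
            # Keep only real region names; pseudo-endpoints such as
            # "aws-global" mark a global service with no per-region list.
            result[name] = sorted(r for r in svc["endpoints"] if r in known)
    return result


def target_regions(service, session_regions, mapping, override=None):
    """Regions a module for `service` would run against.

    session_regions: list set for the session, or None for "all supported".
    override: explicit per-run list (the --regions case), which wins.
    """
    supported = mapping.get(service, [])
    wanted = override if override is not None else session_regions
    if wanted is None:
        return supported
    return [r for r in supported if r in wanted]


def applicable_services(session_regions, mapping):
    """Services still listed once session regions are set. Keeping global
    services (empty region list) listed is an assumption of this example."""
    return sorted(s for s, regions in mapping.items()
                  if not regions or target_regions(s, session_regions, mapping))
```

Narrowing the session to regions the target actually uses keeps an assessment from issuing API calls in regions that are out of scope, and the resulting call pattern is also what a defender should expect to see in CloudTrail for those regions only.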

Interacting with modules

  • ls or list will list the available modules for the regions that were set in the current session.
  • search x will search all modules and return modules that include x in their name.
  • help module_name will return the applicable help information for the specified module.
  • run module_name or exec module_name will run the specified module with its default parameters.
  • run module_name --regions eu-west-1,us-west-1 will run the specified module against the eu-west-1 and us-west-1 regions (for modules that support the --regions argument), regardless of what regions are set for the current session.

Using the AWS CLI

Pacu has integrated the AWS CLI into the list of supported commands. Any command run from within Pacu that starts with aws will be run in your local shell, so you can use the AWS CLI as required. This also means you can pipe that output into other commands such as jq to better format/parse it. This was added to Pacu to remove the need to keep multiple terminals open while attacking an environment, one for Pacu and one for the AWS CLI.

Example:

  • Pacu (Example:Example) > aws s3 ls will run the AWS CLI command aws s3 ls and list available buckets in the target account.

WARNING: The AWS CLI uses a different method of authentication than Pacu. This means that the AWS CLI will NOT use the active Pacu keys, unless you have specifically set that up with the aws configure command. It is recommended to use AWS CLI profiles to handle that kind of authentication.

Importing credentials from the AWS CLI

The import_keys command can be used to import credential profiles stored in ~/.aws/credentials into your active Pacu session. Keys will be imported with an alias equal to "imported-<PROFILE_NAME>".

Examples:

  • import_keys Demo will import the "Demo" profile from ~/.aws/credentials to Pacu with the alias "imported-Demo".
  • import_keys --all will import all profiles that are stored in ~/.aws/credentials to Pacu.
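To see what a key import would pick up before running it, the credentials file can be inspected directly. The following is an added example, not Pacu's code: it parses a constructed sample in the ~/.aws/credentials INI layout, derives the "imported-<PROFILE_NAME>" alias described above, and classifies each profile; the function name and the "incomplete" label are hypothetical.

```python
import configparser

# Constructed sample in the ~/.aws/credentials layout; no value is a live key.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIACONSTRUCTED00001
aws_secret_access_key = constructed%secret/1

[Demo]
aws_access_key_id = ASIACONSTRUCTED00002
aws_secret_access_key = constructed-secret-2
aws_session_token = constructed-token

[broken]
aws_access_key_id = AKIACONSTRUCTED00003
"""


def importable_profiles(text, wanted=None):
    """Return [(alias, kind, key_id_tail)] for the profiles in `text`.

    wanted: a single profile name, or None for every profile (the --all case).
    Secrets are never returned; only the last four characters of the key ID.
    """
    # interpolation=None: secrets may contain '%', which the default
    # interpolation would reject when the value is read.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    rows = []
    for name in parser.sections():  # profile names are case-sensitive
        if wanted is not None and name != wanted:
            continue
        section = parser[name]
        alias = "imported-" + name
        key_id = section.get("aws_access_key_id")
        secret = section.get("aws_secret_access_key")
        if not key_id or not secret:
            rows.append((alias, "incomplete", ""))
            continue
        # A session token marks temporary (STS) credentials; without one
        # the pair is a long-term key that stays valid until rotated.
        kind = "temporary" if section.get("aws_session_token") else "long-term"
        rows.append((alias, kind, key_id[-4:]))
    return rows
```

To run it against a real file, pass the contents of ~/.aws/credentials as `text`; long-term entries are the ones worth rotating or replacing with short-lived credentials.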

Other commands

  • set_keys will create a new set of AWS keys within the Pacu session and set them as the active set.
  • swap_keys will allow you to swap between sets of AWS keys stored in the current Pacu Session.
  • whoami will list information related to the AWS keys currently set as the default. This can include information such as what their username is, what keys are being used, what permissions the user has, and more.
  • data will return all data related to the current session. This includes data about the actual Pacu session as well as all of the collected AWS data over the duration of the session.
  • services will return a list of AWS services that have data currently stored in the active session.
  • data <service> will return all the data stored in the database for any service returned from the services command.
  • quit or exit will exit out of Pacu.