-
Notifications
You must be signed in to change notification settings - Fork 704
Detailed Usage Guide
Pacu is a command line interface that provides a database and modules that allow security professionals to easily provided assessments on AWS environments. A local sqlite database maintains data and Pacu provides utilities to easily allow users and modules to store and reference access information and enumerated data found when engaging an AWS environment. Modules are steadily written by Rhino Security Labs, and the open-source community ensuring that the latest set of modules is available to the public as soon as they are developed.
A session is a reference to data regarding a singular AWS account. Session data includes sets of access keys and any discovered resources and configurations. Access keys pairs are security credentials that provide programmatic access to an AWS environment. Each key pair can be added in Pacu allowing a user to easily switch between different levels of access while maintaining a consistent snapshot of the targeted AWS environment. Pacu uses the active set of credentials while running modules.
By default, every supported region is used for each module when possible.
Supported regions can be found in Pacu by typing the regions
command.
You can use set_regions
to declare a specific set of regions to focus on in the current session. If you do choose to manually set target regions, Pacu will ignore any regions that are not supplied in that command. For example, if your target only uses AWS in us-east-1 and us-west-2, then you would enter set_regions us-east-1 us-west-2
and every module from there on out would only target us-east-1 and us-west-2. When listing modules using the ls
or list
commands, only modules that are applicable to the regions you set will show up.
Pacu comes with a service_regions.json file in the modules folder, but the update_regions
command was added to ensure that the list is up to date. By running update_regions
, Pacu will try to use pip3 (then pip if it fails, then it will ask you if that fails) to update the Python libraries boto3 and botocore. Then it will try to discover the path to where pip is storing libraries at so it can fetch the most up-to-date list of regions from the botocore folder.
-
ls
orlist
will list the available modules for the regions that were set in the current session. -
search x
will search all modules and return modules that includex
in their name. -
help module_name
will return the applicable help information for the specified module. -
run module_name
orexec module_name
will run the specified module with its default parameters. -
run module_name --regions eu-west-1,us-west-1
will run the specified module against the eu-west-1 and us-west-1 regions (for modules that support the --regions argument), regardless of what regions are set for the current session.
Pacu has integrated the AWS CLI into the list of supported commands. Any command that is run from within Pacu that starts with aws
will be run in your local shell, so you can use the AWS CLI as required. This also means you can pipe that output into other commands such as jq
to better format/parse it. This was added into Pacu to remove the need for multiple terminals open while attacking an environment, one for Pacu and one for the AWS CLI.
Example:
-
Pacu (Example:Example) > aws s3 ls
will run the AWS CLI commandaws s3 ls
and list available buckets in the target account.
WARNING: The AWS CLI uses a different method of authentication than Pacu. This means that the AWS CLI will NOT use the active Pacu keys, unless you have specifically set that up with the aws configure
command. It is recommended to use AWS CLI profiles to handle that kind of authentication.
The import_keys
command can be used to import credential profiles stored in ~/.aws/credentials
into your active Pacu session. Keys will be imported with an alias equal to "imported-<PROFILE_NAME>".
Examples:
-
import_keys Demo
will import the "Demo" profile from~/.aws/credentials
to Pacu with the alias "imported-Demo". -
import_keys --all
will import all profiles that are stored in~/.aws/credentials
to Pacu.
-
set_keys
will create a new set of AWS keys within the Pacu session and set them as the active set. -
swap_keys
will allow you to swap between sets of AWS keys stored in the current Pacu Session. -
whoami
will list information related to the AWS keys currently set as the default. This can include information such as what their username is, what keys are being used, what permissions the user has, and more. -
data
will return all data related to the current session. This includes data about the actual Pacu session as well as all of the collected AWS data over the duration of the session. -
services
will return a list of AWS services that have data currently stored in the active session. -
data <service>
will return all the data stored in the database for any service returned from theservices
command. -
quit
orexit
will exit out of Pacu.
- Home
- AWS Basics and Security
- User Information
- Developer Information
- Warnings and Disclaimers
- FAQ