A modular AWS enumeration tool for penetration testing and security auditing.
This tool uses boto3 to list and enumerate services like IAM, EC2, S3, Lambda, RDS, and more.
- Retrieve AWS account ID from an access key
- List IAM users and groups
- Brute-force usernames for a specified AWS account ID
- List customer-managed IAM roles and policies
- List inline and attached policies for users, groups, and roles
- Brute-force role names for a specified AWS account ID
- List EC2 instances
- List EBS volumes and snapshots
- List public EBS snapshots for a given AWS account ID
- Identify RDS databases
- List Cognito user pools
- List SSM parameters, Macie findings, and Secrets Manager secrets
- List Lambda functions, retrieve configurations, and attempt invocation
- Download Lambda function code
- List S3 buckets, check for public access, and download bucket contents
- Brute-force AWS account ID if a public S3 bucket is found or provided
- List Elastic Beanstalk applications
- List CodeCommit repositories and their branches
- Clone the repo or unzip the archive.
- Install dependencies:

      pip install -r requirements.txt

- Fill in enum_config.json with AWS credentials and region. Below is a sample file. Note that not all fields are required; some are optional.

      {
        "victim_access_key": "AKIA******",
        "victim_secret_access_key": "iupVt*********",
        "victim_session_token": "",
        "victim_buckets": ["mega-big-tech"],
        "victim_aws_account_ID": "78501******",
        "victim_regions": ["us-east-1","us-east-2"],
        "attacker_access_key": "AKIAVIE**********",
        "attacker_secret_access_key": "k6UqaX*********",
        "attacker_region": "us-east-1",
        "attacker_IAM_role_name": "IAM*****",
        "attacker_S3_role_arn": "arn:aws:iam::36*******:role/s3enum******",
        "user_name_wordlist": "./wordlists/pacu_usernames_word_list.txt",
        "start_username_brute_force": false,
        "role_name_wordlist": "./wordlists/pacu_role_names_word_list.txt",
        "start_role_name_brute_force": false
      }

- Create S3 Role on your AWS account as outlined in S3_Role.md
- Create IAM Role on your AWS account as outlined in IAM_Role.md
Note: Only tested on Linux and WSL in Windows.
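
A pre-flight check for the enum_config.json file described above, as an added example that is not part of the tool's own code: it flags misspelled keys, wrong value types, a malformed account ID, and a config file that other local users can read. The function name check_config, the expected types (read off the sample file), and the rule that an enabled brute-force flag needs its wordlist and an account ID are assumptions of this example.

```python
import json
import os
import re
import stat

# Expected type per key, read off the sample enum_config.json on this page.
SCHEMA = {
    "victim_access_key": str, "victim_secret_access_key": str,
    "victim_session_token": str, "victim_buckets": list,
    "victim_aws_account_ID": str, "victim_regions": list,
    "attacker_access_key": str, "attacker_secret_access_key": str,
    "attacker_region": str, "attacker_IAM_role_name": str,
    "attacker_S3_role_arn": str, "user_name_wordlist": str,
    "start_username_brute_force": bool, "role_name_wordlist": str,
    "start_role_name_brute_force": bool,
}
# (flag, wordlist key) pairs; pairing them is this example's assumption.
BRUTE = [("start_username_brute_force", "user_name_wordlist"),
         ("start_role_name_brute_force", "role_name_wordlist")]

def check_config(path):
    """Return a list of problems found in the config file at `path`."""
    problems = []
    # The file holds access keys in clear text: flag group/world access bits.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file is accessible to group/others; chmod 600")
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except json.JSONDecodeError as exc:
        return problems + [f"invalid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return problems + ["top level must be a JSON object"]
    for key, value in cfg.items():
        if key not in SCHEMA:
            problems.append(f"unknown key (typo?): {key}")
        elif not isinstance(value, SCHEMA[key]):
            problems.append(f"{key}: expected {SCHEMA[key].__name__}")
        elif SCHEMA[key] is list and not all(isinstance(v, str) for v in value):
            problems.append(f"{key}: every entry must be a string")
    acct = cfg.get("victim_aws_account_ID", "")
    if acct and not (isinstance(acct, str) and re.fullmatch(r"\d{12}", acct)):
        problems.append("victim_aws_account_ID: expected 12 digits")
    for flag, wordlist in BRUTE:
        if cfg.get(flag) is True:
            if not os.path.isfile(str(cfg.get(wordlist, ""))):
                problems.append(f"{flag} is true but {wordlist} is not a file")
            if not acct:
                problems.append(f"{flag} is true but victim_aws_account_ID is empty")
    return problems
```

Run it against the filled-in file before starting the enumerator; the masked placeholder values in the sample above will be reported until they are replaced.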
Run the enumerator:

    python3 awsraid.py

Run the enumerator and output to file:

    python3 awsraid.py | tee >(sed 's/\x1b\[[0-9;]*m//g' > output.txt)

If the script successfully downloaded S3 bucket objects and Lambda function code, you will find the files in the ./LOOT directory, located in the script's base directory.
- Expand coverage by adding more AWS services and security checks!
- Add the option to specify an output file.
- Add multi-threading
- Add better situational exception handling