What if I told you there is a stealthy form of recon on AWS accounts that can potentially expose an account foothold without ever alerting the account owner? There is, or was, or still is, depending on how you look at it. The folks over at Rhino Security Labs developed a tool called Pacu some time ago which can do exactly that. Now Pacu is really a giant toolbox of AWS specific tools to really give AWS account owners a hard time. But specifically the two parts of the toolkit that really intrigued me were the user and role enumeration because of how they worked. You see they use "assume role" and "update assumed role policy" API calls from an existing account you control to determine if their are potentially wide open roles and users in other accounts you are not in control of. Potentially exposing users or roles with dangerously permissive assume role settings. The best part about this technique, it doesn’t leave logs in the targeted accounts.

pygo.py

...in a loop...

            current_policy_arn_to_probe = f"""{{
                "Version": "2012-10-17",
                "Statement": [
                {{
                            "Effect": "Deny",
                            "Principal": {{
                                    "AWS": "{role_arn}{word}"
                            }},
                            "Action": "sts:AssumeRole"
                }}
                ]
            }})"""

            # test each role in the wordlist for this account
            try:
                response = client.update_assume_role_policy(
                    PolicyDocument=current_policy_arn_to_probe, RoleName=word
                )

...

Now they released and blogged about these techniques and this tools several years ago, and I’ve been using them since. So I’m assuming at least internally that AWS looks out for this kind of thing and has their own alerting and automated response setup, so while stealthy against the target AWS certainly sees what is happening. Use at your own risk.

Pacu as a codebase itself is a large beast of a tooklbox and kind of difficult to work with. In the interest of working on these sorts of techniques and maybe refining them somewhat myself I’ve derived Pygo(Pacu is the biggest Piranha fish and Pygo’s are the smallest, fun with words eh?). Pacu is thousands of lines of code, but Pygo is less than 200(right now), so an easier thing to play with? Maybe.

It’s important to note this is only a few hours of banging out some Python. So just basically working, not even 0.0.1 really, but should be pretty simple to polish and play with if you are handy with Python. Also this uses the Rhino Security Labs modified BSD non-commercial license, not my normal MIT licensing preferences but I’ll change that when I have a hard enough refactor to move completely off any borrowed or closely inspired code (it’s already a 95% rewrite/refadctor).