intro to AWS PENTESTING (with Pacu)
Cybr
@cybrcom
About
Welcome to Cybr's official YouTube channel! Your Go-To Resource for AWS Cloud Security Training 🔒, Hands-on AWS Security Labs 🛠️, and AWS Security Tutorials. Our in-depth tutorials, real-world scenario walkthroughs, and expert insights into AWS security best practices empower you to secure your cloud environments effectively. Join our community of over 70,000 learners 🌐 to master AWS cloud security together! Subscribe now 🔔 and visit our website at https://cybr.com/ to access exclusive resources and stay updated with the latest in AWS security.
Video Description
In this video, you’re going to learn how to ethically hack AWS cloud environments that you have explicit permissions for so that you can find exploitable vulnerabilities in your own AWS accounts or for your clients as a pentester, before the threat actors do. I’m going to show you step-by-step how to use an open-source tool called Pacu which is used for AWS pentesting and ethical offensive security so that you can follow along with me.

Policy shown in the video for you to copy/paste:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::cybr-pacu-lab-example"
        },
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Action": [
            "iam:Get*",
            "iam:List*",
            "iam:Put*",
            "iam:AttachRolePolicy",
            "iam:SimulateCustomPolicy",
            "iam:SimulatePrincipalPolicy"
          ],
          "Resource": "*"
        }
      ]
    }

💬 Chat with me
Discord: https://cybr.com/discord
Website: https://cybr.com
LinkedIn: https://www.linkedin.com/in/christophelimpalair/
Twitter: https://twitter.com/christophelimp

🔗 Links mentioned in the video:
- Pacu: https://github.com/RhinoSecurityLabs/pacu
- AWS: https://aws.amazon.com/
- 🧪 Cybr Hands-On Labs: https://cybr.com/labs

🎓 Courses
- Introduction to AWS Security: https://cybr.com/courses/introduction-to-aws-security/
- Injection Attacks The Free Guide: https://cybr.com/courses/injection-attacks-the-free-guide/

🚨 Disclaimer
This video is strictly for educational purposes and to teach you how you can detect and mitigate this threat from your or your employer's AWS environments. Learning about ethical hacking and penetration testing is an important way of protecting ourselves against threat actors. Also, not all pentesting actions are allowed on the AWS platform as per the AWS ToS, however, what we demonstrate in this video is allowed and perfectly fine.
For more details, refer to this page: https://aws.amazon.com/security/penetration-testing/

⏱ Timestamps:
00:00 - 00:13 - Introduction
00:14 - 00:31 - Disclaimer
00:32 - 00:46 - About Pacu
00:47 - 01:00 - AWS account setup
01:01 - 01:39 - Installing Pacu
01:40 - 02:16 - Running Pacu
02:17 - 02:46 - About access keys
02:47 - 03:09 - Use test environments!
03:10 - 03:30 - Creating an AWS user
03:31 - 04:14 - Creating user policies
04:15 - 04:29 - Adding the policy to our user
04:30 - 05:08 - Creating our access key
05:09 - 05:45 - Adding the keys to Pacu
05:46 - 06:24 - Pacu modules
06:25 - 06:37 - run iam__enum_permissions
06:38 - 07:00 - whoami
07:01 - 08:04 - run iam__privesc_scan
08:05 - 08:21 - Confirming admin permissions via Pacu
08:22 - 08:34 - Confirming admin permissions via console
08:35 - 09:36 - Detailed explanation of the vulnerability
09:37 - 09:53 - Explanation of how Pacu pulled this off
09:54 - 10:18 - Learning IAM is important!
10:19 - 10:34 - Learn more about AWS security
10:35 - 10:40 - More AWS Security courses coming!
10:41 - 11:00 - Cybr Labs are coming!
11:01 - 11:05 - Outro

#awssecurity #cloudsecurity #cloudpentesting #pentesting #pentester #securityassessment #opensource #cybersecurity #aws
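
An added example, not from the video or from Pacu: a static check a reviewer could run on a policy document before attaching it, flagging Allow statements whose Action patterns cover IAM actions that change permissions. The function names and the action list are assumptions made for this example (the list is a subset, not exhaustive), and Deny statements, NotAction, conditions and permissions boundaries are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# The lab policy from the video description, embedded so this runs offline.
LAB_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*",
   "Resource": "arn:aws:s3:::cybr-pacu-lab-example"},
  {"Sid": "Statement1", "Effect": "Allow",
   "Action": ["iam:Get*", "iam:List*", "iam:Put*", "iam:AttachRolePolicy",
              "iam:SimulateCustomPolicy", "iam:SimulatePrincipalPolicy"],
   "Resource": "*"}]}
""")

# IAM write actions that can change what an identity is allowed to do.
# A subset chosen for this example, not an exhaustive list.
PERMISSION_CHANGING = [
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
]

def as_list(value):
    """Statement, Action and Resource may each be a single value or a list."""
    return value if isinstance(value, list) else [value]

def find_escalation_grants(policy):
    """Return one finding per Action pattern that covers a permission-changing action."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope here
        unscoped = "*" in as_list(stmt.get("Resource", []))
        for pattern in as_list(stmt["Action"]):
            # Action names are case-insensitive; '*' and '?' are wildcards.
            hits = [a for a in PERMISSION_CHANGING
                    if fnmatchcase(a.lower(), pattern.lower())]
            if hits:
                findings.append({"sid": stmt.get("Sid"), "pattern": pattern,
                                 "actions": hits, "unscoped": unscoped})
    return findings

if __name__ == "__main__":
    for f in find_escalation_grants(LAB_POLICY):
        scope = "any resource" if f["unscoped"] else "scoped resources"
        print(f"{f['sid']}: {f['pattern']} on {scope} covers {', '.join(f['actions'])}")
```

On the lab policy the read-only patterns (`iam:Get*`, `iam:List*`, the two Simulate actions) and the S3 statement pass, while `iam:Put*` and `iam:AttachRolePolicy` on `"Resource": "*"` are reported.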