Pinned Repositories
offensive-terraform.github.io
Offensive Terraform Website
terraform-aws-cross-account-persistence
Offensive Terraform module which creates an IAM role with trust relationship with attacker's AWS account and attaches managed IAM Policy to an IAM role.
terraform-aws-ebs-snapshot-publicly-exposed
Offensive Terraform module which copies publicly exposed EBS snapshot to us-east-1 region in attacker's AWS account and creates EBS volume from the copied EBS snapshot. After that, the module attaches and mounts the EBS volume to an EC2 instance. Finally, attacker can ssh into an EC2 instance and inspect a mounted volume "/usr/src/hack".
terraform-aws-ec2-instance-credential-exfiltration
Offensive Terraform module which creates EC2 instance and exfiltrate credential from Instance metadata to external URL.
terraform-aws-ec2-instance-reverse-shell
Offensive Terraform module which creates EC2 instance and reverse shell from an EC2 instance to attacker machine.
terraform-aws-ec2-kali-linux
Offensive Terraform module which creates Kali Linux from the AWS marketplace and installs cloud security tools (Pacu, Cloudsplaining, ScoutSuite).
terraform-aws-iam-create-user-persistence
Offensive Terraform module which creates IAM user, access key then attaches managed IAM Policy to an IAM user.
terraform-aws-lambda-function-credential-exfiltration
Offensive Terraform module which creates Lambda function with existing IAM role. The module invokes it automatically to exfiltrate AWS temporary credential from environment variables and send it back with response.
terraform-aws-rds-snapshot-publicly-exposed
Offensive Terraform module which creates RDS database from a publicly exposed RDS snapshot in attacker's AWS account. After that, attacker can connect to RDS database and inspect it.
terraform-aws-s3-subdomain-takeover
Offensive Terraform module which takes over a subdomain which has a CNAME record pointing to non-existing S3 bucket in target's Route53. The module creates a S3 bucket with a name as subdomain in the specific AWS region that CNAME record is pointing to. Also, it uploads a simple web page with "404 Page Not Found" text.
Offensive Terraform's Repositories
offensive-terraform/offensive-terraform.github.io
Offensive Terraform Website
offensive-terraform/terraform-aws-ec2-kali-linux
Offensive Terraform module which creates Kali Linux from the AWS marketplace and installs cloud security tools (Pacu, Cloudsplaining, ScoutSuite).
offensive-terraform/terraform-aws-ec2-instance-reverse-shell
Offensive Terraform module which creates EC2 instance and reverse shell from an EC2 instance to attacker machine.
offensive-terraform/terraform-aws-ebs-snapshot-publicly-exposed
Offensive Terraform module which copies publicly exposed EBS snapshot to us-east-1 region in attacker's AWS account and creates EBS volume from the copied EBS snapshot. After that, the module attaches and mounts the EBS volume to an EC2 instance. Finally, attacker can ssh into an EC2 instance and inspect a mounted volume "/usr/src/hack".
offensive-terraform/terraform-aws-cross-account-persistence
Offensive Terraform module which creates an IAM role with trust relationship with attacker's AWS account and attaches managed IAM Policy to an IAM role.
offensive-terraform/terraform-aws-lambda-function-credential-exfiltration
Offensive Terraform module which creates Lambda function with existing IAM role. The module invokes it automatically to exfiltrate AWS temporary credential from environment variables and send it back with response.
offensive-terraform/terraform-aws-rds-snapshot-publicly-exposed
Offensive Terraform module which creates RDS database from a publicly exposed RDS snapshot in attacker's AWS account. After that, attacker can connect to RDS database and inspect it.
offensive-terraform/terraform-aws-s3-subdomain-takeover
Offensive Terraform module which takes over a subdomain which has a CNAME record pointing to non-existing S3 bucket in target's Route53. The module creates a S3 bucket with a name as subdomain in the specific AWS region that CNAME record is pointing to. Also, it uploads a simple web page with "404 Page Not Found" text.
offensive-terraform/terraform-aws-iam-create-user-persistence
Offensive Terraform module which creates IAM user, access key then attaches managed IAM Policy to an IAM user.
offensive-terraform/terraform-aws-ec2-instance-credential-exfiltration
Offensive Terraform module which creates EC2 instance and exfiltrate credential from Instance metadata to external URL.
offensive-terraform/terraform-aws-ecs-credential-exfiltration