AWS Lambda functions often contain hardcoded secrets, misconfigurations, or excessive permissions that can lead to lateral movement, privilege escalation, or even internal network pivoting during penetration tests. Below is a practical guide to enumerating Lambda functions using AWS CLI and Pacu.
Video Reference: AWS Lambda Enumeration Guide
You Should Know:
1. Enumerating Lambda Functions with AWS CLI
Ensure you have AWS CLI configured with valid credentials.
List All Lambda Functions
aws lambda list-functions --region us-east-1
Extract Function Code
aws lambda get-function --function-name <FunctionName> --region us-east-1 --query 'Code.Location'
Download and Inspect the Code
wget -O lambda_code.zip "<DownloadURL>"
unzip lambda_code.zip
Check Environment Variables for Secrets
aws lambda get-function-configuration --function-name <FunctionName> --region us-east-1 --query 'Environment.Variables'
Check Execution Role Permissions
aws iam get-role-policy --role-name <LambdaRoleName> --policy-name <PolicyName>
2. Using Pacu for Automated Lambda Enumeration
Pacu is an AWS exploitation framework.
Install Pacu
git clone https://github.com/RhinoSecurityLabs/pacu
cd pacu
pip3 install -r requirements.txt
Run Pacu and Enumerate Lambda Functions
python3 pacu.py
set_keys <AWS_ACCESS_KEY> <AWS_SECRET_KEY>
run lambda__enum
Exploit Misconfigured Lambda Functions
If a Lambda function has excessive permissions (e.g., iam:CreateUser), you can escalate privileges:
aws iam create-user --user-name AttackerUser
3. Extracting Hardcoded Secrets
Search for API keys, database credentials, or AWS keys in:
– Environment variables
– Function code
– Configuration files
Grep for Common Secrets
grep -r "AKIA" .
grep -r "secret" .
grep -r "password" .
What Undercode Say:
AWS Lambda functions are a goldmine for penetration testers. Misconfigurations and hardcoded secrets are rampant, making them a prime target for privilege escalation and lateral movement. Always check:
– Environment variables
– Execution role permissions
– Function code
– Logs (CloudWatch)
Automated tools like Pacu and manual AWS CLI checks are essential for thorough assessments.
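The first two checks in the list above can be run offline against saved CLI output. This is an added example, not code from the original post or from Pacu: it audits the JSON returned by aws lambda get-function-configuration and aws iam get-role-policy. The sample inputs, function names and the RISKY_ACTIONS set are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample inputs (not real credentials), in the shapes returned by
# `aws lambda get-function-configuration` and `aws iam get-role-policy`.
SAMPLE_CONFIG = json.loads("""{
  "FunctionName": "example-fn",
  "Environment": {"Variables": {
    "DB_PASSWORD": "constructed-value",
    "UPSTREAM": "key=AKIAABCDEFGHIJKLMNOP",
    "LOG_LEVEL": "info"}}
}""")
SAMPLE_POLICY = json.loads("""{
  "PolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateUser", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
}""")

KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")  # long-term / temporary key IDs
SECRET_NAME = re.compile(r"secret|password|passwd|token|api_?key", re.I)
RISKY_ACTIONS = {"iam:createuser"}  # assumption: only the action the page names

def audit_env(config):
    """Return (variable, reason) pairs; the secret value itself is never echoed."""
    findings = []
    variables = (config.get("Environment") or {}).get("Variables") or {}
    for name, value in sorted(variables.items()):
        if KEY_ID.search(value):
            findings.append((name, "value contains an AWS access key ID"))
        elif SECRET_NAME.search(name) and value:
            findings.append((name, "secret-like name with plaintext value"))
    return findings

def audit_policy(policy):
    """Return allowed actions that are risky or wildcarded."""
    findings = []
    statements = policy["PolicyDocument"]["Statement"]
    if isinstance(statements, dict):  # IAM permits a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if action.lower() in RISKY_ACTIONS | {"*", "iam:*"}:
                findings.append(action)
    return findings
```

Findings from audit_env point at values that belong in Secrets Manager or Parameter Store; findings from audit_policy point at execution roles that should be scoped down.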
Prediction:
As serverless adoption grows, misconfigured Lambda functions will remain a top attack vector. Expect more automated tools to emerge for detecting and exploiting these weaknesses.
Expected Output:
aws lambda list-functions --region us-east-1
aws lambda get-function --function-name VulnerableFunction --query 'Code.Location'
wget -O lambda_code.zip "https://lambda-url.zip"
unzip lambda_code.zip
grep -r "AKIA" .
Reported By: Tyler Ramsbey – Hackers Feeds