---
title: 'Pentesting'
---

Prowler has some checks that analyse pentesting risks (Secrets, Internet Exposed, AuthN, AuthZ, and more).

## Detect Secrets

Prowler uses the `detect-secrets` library to search for any secrets that are stored in plaintext within your environment. The checks that currently have this functionality are the following:

- autoscaling\_find\_secrets\_ec2\_launch\_configuration
- awslambda\_function\_no\_secrets\_in\_code
- awslambda\_function\_no\_secrets\_in\_variables
- cloudformation\_stack\_outputs\_find\_secrets
- ec2\_instance\_secrets\_user\_data
- ec2\_launch\_template\_no\_secrets
- ecs\_task\_definitions\_no\_environment\_secrets
- ssm\_document\_secrets

To execute detect-secrets related checks, you can run the following command:

```console
prowler --categories secrets
```

## Internet Exposed Resources

Several checks analyse resources that are exposed to the Internet. These are:

- apigateway\_restapi\_public
- appstream\_fleet\_default\_internet\_access\_disabled
- awslambda\_function\_not\_publicly\_accessible
- ec2\_ami\_public
- ec2\_ebs\_public\_snapshot
- ec2\_instance\_internet\_facing\_with\_instance\_profile
- ec2\_instance\_port\_X\_exposed\_to\_internet (where X is the port number)
- ec2\_instance\_public\_ip
- ec2\_networkacl\_allow\_ingress\_any\_port
- ec2\_securitygroup\_allow\_wide\_open\_public\_ipv4
- ec2\_securitygroup\_allow\_ingress\_from\_internet\_to\_any\_port
- ecr\_repositories\_not\_publicly\_accessible
- eks\_control\_plane\_endpoint\_access\_restricted
- eks\_endpoints\_not\_publicly\_accessible
- elbv2\_internet\_facing
- kms\_key\_not\_publicly\_accessible
- opensearch\_service\_domains\_not\_publicly\_accessible
- rds\_instance\_no\_public\_access
- rds\_snapshots\_public\_access
- s3\_bucket\_policy\_public\_write\_access
- s3\_bucket\_public\_access
- sagemaker\_notebook\_instance\_without\_direct\_internet\_access\_configured
- sns\_topics\_not\_publicly\_accessible
- sqs\_queues\_not\_publicly\_accessible
- network\_public\_ip\_shodan

To execute Internet-exposed related checks, you can run the following command:

```console
prowler --categories internet-exposed
```

### Shodan

Prowler can check whether any public IPs in cloud environments are exposed in Shodan using the `-N`/`--shodan` option.

#### Using the Environment Variable (Recommended)

Set the `SHODAN_API_KEY` environment variable to avoid exposing the API key in process listings and shell history:

```console
export SHODAN_API_KEY=<your-shodan-api-key>
```

Then run Prowler with the `--shodan` flag (no value needed):

```console
prowler aws --shodan -c ec2_elastic_ip_shodan
```

```console
prowler azure --shodan -c network_public_ip_shodan
```

```console
prowler gcp --shodan -c compute_public_address_shodan
```

#### Using the CLI Flag

Alternatively, pass the API key directly on the command line:

```console
prowler aws --shodan <your-shodan-api-key> -c ec2_elastic_ip_shodan
```

Passing secret values directly on the command line exposes them in process listings and shell history. The Prowler CLI displays a warning when this pattern is detected. Use the `SHODAN_API_KEY` environment variable instead.
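As an added illustration of the kind of heuristics the Detect Secrets category above relies on (simplified example code written for this page, not the `detect-secrets` library or Prowler's own check code), the following scans the container environment variables of a constructed ECS task definition, the input that ecs\_task\_definitions\_no\_environment\_secrets inspects, and flags credential-like variable names and long high-entropy hex values. `SAMPLE_TASK_DEFINITION`, `find_environment_secrets`, the keyword list and the entropy threshold are all assumptions made for the example.

```python
import json
import math
import re

# Constructed sample (not a real workload): an ECS task definition fragment
# whose container environment carries two plaintext credentials.
SAMPLE_TASK_DEFINITION = json.dumps({
    "family": "payments-api",
    "containerDefinitions": [{
        "name": "api",
        "environment": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "DB_PASSWORD", "value": "Tr0ub4dor&3"},
            {"name": "SESSION_KEY", "value": "c0a8f2d3e9b14f7a8c5d2e1f0b9a8c7d6e5f4a3b"},
            {"name": "REGION", "value": "eu-west-1"},
        ],
    }],
})

# Variable names that usually carry credentials (keyword heuristic, in the
# spirit of a keyword detector; the list is an assumption for this example).
KEYWORD_RE = re.compile(r"(pass(word)?|secret|token|api_?key|private_?key|credential)", re.I)
# Long hex strings are candidates for the entropy heuristic.
HEX_RE = re.compile(r"^[0-9a-f]{20,}$", re.I)


def shannon_entropy(data: str) -> float:
    """Bits per character of `data`; random-looking strings score near 4.0 for hex."""
    if not data:
        return 0.0
    counts = {c: data.count(c) for c in set(data)}
    return -sum(n / len(data) * math.log2(n / len(data)) for n in counts.values())


def find_environment_secrets(task_definition_json: str, hex_entropy_threshold: float = 3.0) -> list:
    """Return (container, variable_name, reason) for env vars that look like secrets.

    A credential-like name is reported on its own; otherwise the value is tested
    for being a long, high-entropy hex string. Empty values are ignored.
    """
    findings = []
    for container in json.loads(task_definition_json).get("containerDefinitions", []):
        for var in container.get("environment", []):
            name, value = var.get("name", ""), var.get("value", "")
            if not value:
                continue
            if KEYWORD_RE.search(name):
                findings.append((container["name"], name, "keyword"))
            elif HEX_RE.match(value) and shannon_entropy(value) > hex_entropy_threshold:
                findings.append((container["name"], name, "high-entropy"))
    return findings
```

Secrets found this way belong in AWS Secrets Manager or SSM Parameter Store and should be referenced from the task definition's `secrets` block rather than `environment`.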