# Pentesting

Prowler has some checks that analyse pentesting risks (Secrets, Internet Exposed, AuthN, AuthZ, and more).

## Detect Secrets

Prowler uses the `detect-secrets` library to search for any secrets that are stored in plaintext within your environment. The checks that currently have this functionality are the following:

- autoscaling\_find\_secrets\_ec2\_launch\_configuration
- awslambda\_function\_no\_secrets\_in\_code
- awslambda\_function\_no\_secrets\_in\_variables
- cloudformation\_stack\_outputs\_find\_secrets
- ec2\_instance\_secrets\_user\_data
- ec2\_launch\_template\_no\_secrets
- ecs\_task\_definitions\_no\_environment\_secrets
- ssm\_document\_secrets

To execute the detect-secrets related checks, you can run the following command:

```console
prowler --categories secrets
```

## Internet Exposed Resources

Several checks analyse resources that are exposed to the Internet. These are:

- apigateway\_restapi\_public
- appstream\_fleet\_default\_internet\_access\_disabled
- awslambda\_function\_not\_publicly\_accessible
- ec2\_ami\_public
- ec2\_ebs\_public\_snapshot
- ec2\_instance\_internet\_facing\_with\_instance\_profile
- ec2\_instance\_port\_X\_exposed\_to\_internet (where X is the port number)
- ec2\_instance\_public\_ip
- ec2\_networkacl\_allow\_ingress\_any\_port
- ec2\_securitygroup\_allow\_wide\_open\_public\_ipv4
- ec2\_securitygroup\_allow\_ingress\_from\_internet\_to\_any\_port
- ecr\_repositories\_not\_publicly\_accessible
- eks\_control\_plane\_endpoint\_access\_restricted
- eks\_endpoints\_not\_publicly\_accessible
- elbv2\_internet\_facing
- kms\_key\_not\_publicly\_accessible
- opensearch\_service\_domains\_not\_publicly\_accessible
- rds\_instance\_no\_public\_access
- rds\_snapshots\_public\_access
- s3\_bucket\_policy\_public\_write\_access
- s3\_bucket\_public\_access
- sagemaker\_notebook\_instance\_without\_direct\_internet\_access\_configured
- sns\_topics\_not\_publicly\_accessible
- sqs\_queues\_not\_publicly\_accessible
- network\_public\_ip\_shodan

To execute the Internet-exposed related checks, you can run the following command:

```console
prowler --categories internet-exposed
```

### Shodan

Prowler allows you to check whether any public IPs in your cloud environments are exposed in Shodan with the `-N`/`--shodan` option.

For example, you can check whether any of your AWS Elastic Compute Cloud (EC2) instances has an Elastic IP exposed in Shodan:

```console
prowler aws -N/--shodan -c ec2_elastic_ip_shodan
```

You can also check whether any of your Azure subscriptions has a public IP exposed in Shodan:

```console
prowler azure -N/--shodan -c network_public_ip_shodan
```

And finally, you can check whether any of your GCP projects has a public IP address exposed in Shodan:

```console
prowler gcp -N/--shodan -c compute_public_address_shodan
```
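The secrets checks listed under Detect Secrets above all follow the same pattern: pull a resource's text (launch-configuration user data, Lambda environment variables), scan it for plaintext credentials, and emit PASS or FAIL. The following is an added illustration of that pattern, not Prowler's own code: it replaces the `detect-secrets` library with two small detectors (a keyword-assignment rule and the AWS access key ID shape) and shows the edge case a practitioner cares about, a reference to a secret store (`$(aws ssm ...)`, a Secrets Manager ARN) that must not be flagged. The sample resources and values are constructed.

```python
import base64
import re

# Constructed sample data (not real credentials). The EC2 API returns user data
# base64-encoded, which is why the check decodes it before scanning.
LAUNCH_CONFIGS = {
    "lc-web-bad": base64.b64encode(
        b"#!/bin/bash\nexport DB_PASSWORD=hunter2pass\n"
        b"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n").decode(),
    "lc-web-good": base64.b64encode(
        b"#!/bin/bash\nexport DB_PASSWORD=$(aws ssm get-parameter --name /db/pw "
        b"--with-decryption --query Parameter.Value --output text)\n").decode(),
}
LAMBDA_ENVS = {
    "fn-bad": {"LOG_LEVEL": "info", "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    "fn-good": {"LOG_LEVEL": "info", "SECRET_ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:db"},
}

# Detector 1: a sensitive-looking variable name assigned a literal value.
KEYWORD_RE = re.compile(
    r"(?im)^[ \t]*(?:export[ \t]+)?([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY)[A-Z0-9_]*)"
    r"[ \t]*=[ \t]*['\"]?([^\s'\"]+)")
AKID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # Detector 2: AWS access key ID shape

def find_secrets(text):
    """Return a list of findings describing plaintext secrets in text."""
    findings = []
    for m in KEYWORD_RE.finditer(text):
        name, value = m.group(1), m.group(2)
        # A reference to a secret store is not a secret: shell expansions
        # ($VAR, $(cmd)) and ARNs pointing at Secrets Manager or SSM pass.
        if value.startswith("$") or value.startswith("arn:"):
            continue
        findings.append(f"{name} assigned a literal on line {text.count(chr(10), 0, m.start()) + 1}")
    for m in AKID_RE.finditer(text):
        findings.append(f"AWS access key ID on line {text.count(chr(10), 0, m.start()) + 1}")
    return findings

def _verdict(name, text):
    hits = find_secrets(text)
    return ("FAIL", f"{name}: " + "; ".join(hits)) if hits else ("PASS", f"{name}: no secrets found")

def check_launch_configuration(name, user_data_b64):
    """Mirrors autoscaling_find_secrets_ec2_launch_configuration (simplified)."""
    return _verdict(name, base64.b64decode(user_data_b64).decode("utf-8", "replace"))

def check_lambda_variables(name, env):
    """Mirrors awslambda_function_no_secrets_in_variables (simplified)."""
    return _verdict(name, "\n".join(f"{k}={v}" for k, v in env.items()))
```

Running `check_launch_configuration("lc-web-bad", LAUNCH_CONFIGS["lc-web-bad"])` returns a FAIL with two findings (the literal password on line 2 and the access key ID on line 3), while the SSM-backed configuration and the ARN-only Lambda pass.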