mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-04 19:21:51 +00:00
117 lines
4.0 KiB
Plaintext
---
title: 'Pentesting'
---

Prowler has some checks that analyse pentesting risks (Secrets, Internet Exposed, AuthN, AuthZ, and more).

## Detect Secrets

Prowler scans for secrets stored in plaintext within the audited environment using [Kingfisher](https://github.com/mongodb/kingfisher), an open-source secret-scanning engine. By default these scans run fully offline, so no data leaves the audited environment. Discovered secrets can optionally be validated against the provider APIs to confirm whether they are live — see [Validating Discovered Secrets](/user-guide/cli/tutorials/configuration_file#validating-discovered-secrets).

The checks that provide this functionality are the following.

AWS:

- autoscaling_find_secrets_ec2_launch_configuration
- awslambda_function_no_secrets_in_code
- awslambda_function_no_secrets_in_variables
- cloudformation_stack_outputs_find_secrets
- cloudwatch_log_group_no_secrets_in_logs
- codebuild_project_no_secrets_in_variables
- ec2_instance_secrets_user_data
- ec2_launch_template_no_secrets
- ecs_task_definitions_no_environment_secrets
- glue_etl_jobs_no_secrets_in_arguments
- ssm_document_secrets
- stepfunctions_statemachine_no_secrets_in_definition

OpenStack:

- compute_instance_metadata_sensitive_data
- blockstorage_volume_metadata_sensitive_data
- blockstorage_snapshot_metadata_sensitive_data
- objectstorage_container_metadata_sensitive_data

To execute the secret-scanning checks, run the following command:

```console
prowler <provider> --categories secrets
```

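To make concrete what checks such as `ec2_instance_secrets_user_data` and `awslambda_function_no_secrets_in_variables` look for, here is an added example of a minimal offline secret scanner. It is not Prowler's or Kingfisher's code: it uses a handful of fixed patterns plus a placeholder filter and a Shannon-entropy filter for generic `name=value` assignments, and runs over a constructed EC2 user-data blob (base64-encoded, as the EC2 API returns it) and a constructed Lambda environment-variable map. The detector names, the entropy threshold and every sample value are assumptions made up for this example.

```python
"""Added example (not Prowler's or Kingfisher's code): a minimal offline
secret scanner of the kind the `secrets` category relies on, run over a
constructed EC2 user-data blob and a constructed Lambda environment map.
Every credential-looking value below is made up."""
import base64
import math
import re
from dataclasses import dataclass

# Structured detectors match a fixed format and are reported as-is; generic
# detectors match "name = value" assignments and are filtered below because
# they are noisy (templates, config defaults). Group 1 is the candidate.
STRUCTURED = {"aws_access_key_id", "private_key_block"}
DETECTORS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("password_assignment",
     re.compile(r'''(?i)(?:password|passwd|pwd)\s*[=:]\s*['"]?([^\s'"]{8,})''')),
    ("generic_token_assignment",
     re.compile(r'''(?i)(?:secret|token|api[_-]?key)\s*[=:]\s*['"]?([A-Za-z0-9+/=_\-]{16,})''')),
]
# Values that are obviously templates rather than live credentials.
PLACEHOLDER = re.compile(r"(?i)changeme|placeholder|example|your[_-]|^<.*>$|^\$\{.*\}$")
ENTROPY_MIN = 3.0  # bits per character; an assumed threshold, tuned for these samples


@dataclass(frozen=True)
class Finding:
    source: str     # "user_data" or "env:<VARIABLE_NAME>"
    detector: str
    redacted: str   # first four characters only, so the report does not re-leak the value


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(text: str, source: str) -> list[Finding]:
    findings = []
    for name, rx in DETECTORS:
        for m in rx.finditer(text):
            candidate = m.group(1)
            if name not in STRUCTURED and (
                PLACEHOLDER.search(candidate) or shannon_entropy(candidate) < ENTROPY_MIN
            ):
                continue  # template value, or too regular to be a real secret
            findings.append(Finding(source, name, redact(candidate)))
    return findings


def scan_user_data(user_data_b64: str) -> list[Finding]:
    """EC2 hands back user data base64-encoded; decode it before scanning."""
    text = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    return scan_text(text, "user_data")


def scan_env_vars(env: dict[str, str]) -> list[Finding]:
    """Lambda/ECS/CodeBuild style variable maps: scan each NAME=VALUE pair."""
    findings = []
    for key, value in env.items():
        findings.extend(scan_text(f"{key}={value}", f"env:{key}"))
    return findings


# --- constructed samples (not real credentials) ---------------------------
USER_DATA_PLAINTEXT = """#!/bin/bash
export DB_PASSWORD='Tr0ub4dor&3xyz!'
aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE
cat > /root/.ssh/id_rsa <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
EOF
"""
USER_DATA_B64 = base64.b64encode(USER_DATA_PLAINTEXT.encode()).decode()

LAMBDA_ENV = {
    "LOG_LEVEL": "info",
    "API_TOKEN": "<your-token-here>",             # template value, not flagged
    "STRIPE_SECRET": "q7Wz3Lp9Xk2Mv5Rt8Nb4Hj6G",  # high-entropy value, flagged
}

if __name__ == "__main__":
    for f in scan_user_data(USER_DATA_B64) + scan_env_vars(LAMBDA_ENV):
        print(f"{f.source}: {f.detector} -> {f.redacted}")
```

Two design points carry over to any real scanner: decode the resource the way the provider API returns it (user data is base64) before matching, and never put the matched value itself in the finding, only a redacted prefix, or the report becomes a second copy of the leak.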
## Internet Exposed Resources

Several checks analyse resources that are exposed to the Internet. These are:

- apigateway_restapi_public
- appstream_fleet_default_internet_access_disabled
- awslambda_function_not_publicly_accessible
- ec2_ami_public
- ec2_ebs_public_snapshot
- ec2_instance_internet_facing_with_instance_profile
- ec2_instance_port_X_exposed_to_internet (where X is the port number)
- ec2_instance_public_ip
- ec2_networkacl_allow_ingress_any_port
- ec2_securitygroup_allow_wide_open_public_ipv4
- ec2_securitygroup_allow_ingress_from_internet_to_any_port
- ecr_repositories_not_publicly_accessible
- eks_control_plane_endpoint_access_restricted
- eks_endpoints_not_publicly_accessible
- elbv2_internet_facing
- kms_key_not_publicly_accessible
- opensearch_service_domains_not_publicly_accessible
- rds_instance_no_public_access
- rds_snapshots_public_access
- s3_bucket_policy_public_write_access
- s3_bucket_public_access
- sagemaker_notebook_instance_without_direct_internet_access_configured
- sns_topics_not_publicly_accessible
- sqs_queues_not_publicly_accessible
- network_public_ip_shodan

To execute the Internet-exposed checks, run the following command:

```console
prowler <provider> --categories internet-exposed
```

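The security-group and network-ACL checks in the list above (`ec2_securitygroup_allow_wide_open_public_ipv4`, `ec2_securitygroup_allow_ingress_from_internet_to_any_port`, `ec2_instance_port_X_exposed_to_internet`, `ec2_networkacl_allow_ingress_any_port`) all reduce to the same question: does an inbound rule admit traffic from every address? The following added example, which is not Prowler's code, evaluates that question over constructed payloads shaped like the EC2 `describe-security-groups` and `describe-network-acls` responses. The function names, the resource IDs and the rules are assumptions made up for the example; only the API field names (`IpPermissions`, `IpRanges`, `CidrIp`, `Entries`, `RuleAction`) are real.

```python
"""Added example (not Prowler's code): the evaluation behind the
internet-exposed security-group and network-ACL checks, applied to
constructed describe-security-groups / describe-network-acls payloads.
All resource IDs and rules below are made up."""
import ipaddress
from dataclasses import dataclass

ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Exposure:
    resource_id: str
    protocol: str      # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: str


def is_internet_cidr(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0: a prefix length of 0 means every address."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def internet_ingress(sg: dict) -> list[Exposure]:
    """Every inbound rule of a security group whose source is the whole Internet."""
    found = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        # Protocol -1 carries no port fields in the API; it means every port.
        lo = perm.get("FromPort", 0) if proto != "-1" else 0
        hi = perm.get("ToPort", 65535) if proto != "-1" else 65535
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            if is_internet_cidr(cidr):
                found.append(Exposure(sg["GroupId"], proto, lo, hi, cidr))
    return found


def is_wide_open(sg: dict) -> bool:
    """All protocols (or the full port range) reachable from anywhere."""
    return any(e.protocol == "-1" or (e.from_port, e.to_port) == ALL_PORTS
               for e in internet_ingress(sg))


def port_exposed(sg: dict, port: int, proto: str = "tcp") -> bool:
    """One specific port reachable from anywhere (the port-X style condition)."""
    return any(e.protocol in ("-1", proto) and e.from_port <= port <= e.to_port
               for e in internet_ingress(sg))


def nacl_allows_any_ingress(acl: dict) -> bool:
    """An inbound 'allow' entry for all protocols from anywhere.

    Entries are evaluated by rule number in AWS; this simplified version only
    asks whether such an allow entry exists at all, which is what the check
    in the list above reports on."""
    for entry in acl.get("Entries", []):
        if entry.get("Egress") or entry.get("RuleAction") != "allow":
            continue
        cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock", "")
        if is_internet_cidr(cidr) and entry.get("Protocol") == "-1":
            return True
    return False


# --- constructed payloads (IDs and rules are made up) ----------------------
SG_WEB = {"GroupId": "sg-0constructed001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
]}
SG_OPEN = {"GroupId": "sg-0constructed002", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}
NACL_DEFAULT = {"NetworkAclId": "acl-0constructed001", "Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]}

if __name__ == "__main__":
    for sg in (SG_WEB, SG_OPEN):
        print(sg["GroupId"], "wide open:", is_wide_open(sg), "ssh exposed:", port_exposed(sg, 22))
    print(NACL_DEFAULT["NetworkAclId"], "allows any ingress:", nacl_allows_any_ingress(NACL_DEFAULT))
```

Note that a rule open to the Internet on a single port (HTTPS on `SG_WEB`) is reported as an exposure but not as "wide open"; the distinction between the two security-group checks in the list is exactly that difference in scope.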
### Shodan

Prowler can check whether any public IPs in cloud environments are exposed in Shodan using the `-N`/`--shodan` option.

#### Using the Environment Variable (Recommended)

Set the `SHODAN_API_KEY` environment variable to avoid exposing the API key in process listings and shell history:

```console
export SHODAN_API_KEY=<shodan_api_key>
```

Then run Prowler with the `--shodan` flag (no value needed):

```console
prowler aws --shodan -c ec2_elastic_ip_shodan
```

```console
prowler azure --shodan -c network_public_ip_shodan
```

```console
prowler gcp --shodan -c compute_public_address_shodan
```

#### Using the CLI Flag

Alternatively, pass the API key directly on the command line:

```console
prowler aws --shodan <shodan_api_key> -c ec2_elastic_ip_shodan
```

<Warning>
Passing secret values directly on the command line exposes them in process listings and shell history. Prowler CLI displays a warning when this pattern is detected. Use the `SHODAN_API_KEY` environment variable instead.
</Warning>