Skip to content

Pentesting

Prowler has some checks that analyse pentesting risks (Secrets, Internet Exposed, AuthN, AuthZ and more).

Detect Secrets

Prowler uses detect-secrets library to search for any secrets that are stores in plaintext within your environment.

The actual checks that have this functionality are:

  • autoscaling_find_secrets_ec2_launch_configuration
  • awslambda_function_no_secrets_in_code
  • awslambda_function_no_secrets_in_variables
  • cloudformation_stack_outputs_find_secrets
  • ec2_instance_secrets_user_data
  • ec2_launch_template_no_secrets
  • ecs_task_definitions_no_environment_secrets
  • ssm_document_secrets

To execute detect-secrets related checks, you can run the following command:

prowler <provider> --categories secrets

Internet Exposed Resources

Several checks analyse resources that are exposed to the Internet, these are:

  1. apigateway_restapi_public
  2. appstream_fleet_default_internet_access_disabled
  3. awslambda_function_not_publicly_accessible
  4. ec2_ami_public
  5. ec2_ebs_public_snapshot
  6. ec2_instance_internet_facing_with_instance_profile
  7. ec2_instance_port_X_exposed_to_internet (where X is the port number)
  8. ec2_instance_public_ip
  9. ec2_networkacl_allow_ingress_any_port
  10. ec2_securitygroup_allow_wide_open_public_ipv4
  11. ec2_securitygroup_allow_ingress_from_internet_to_any_port
  12. ecr_repositories_not_publicly_accessible
  13. eks_control_plane_endpoint_access_restricted
  14. eks_endpoints_not_publicly_accessible
  15. eks_control_plane_endpoint_access_restricted
  16. eks_endpoints_not_publicly_accessible
  17. elbv2_internet_facing
  18. kms_key_not_publicly_accessible
  19. opensearch_service_domains_not_publicly_accessible
  20. rds_instance_no_public_access
  21. rds_snapshots_public_access
  22. s3_bucket_policy_public_write_access
  23. s3_bucket_public_access
  24. sagemaker_notebook_instance_without_direct_internet_access_configured
  25. sns_topics_not_publicly_accessible
  26. sqs_queues_not_publicly_accessible
  27. network_public_ip_shodan

...

To execute internet-exposed related checks, you can run the following command:

prowler <provider> --categories internet-exposed

Shodan

Prowler allows you check if any public IPs in your Cloud environments are exposed in Shodan with -N/--shodan <shodan_api_key> option:

For example, you can check if any of your AWS EC2 instances has an elastic IP exposed in shodan:

prowler aws -N/--shodan <shodan_api_key> -c ec2_elastic_ip_shodan
Also, you can check if any of your Azure Subscription has an public IP exposed in shodan:
prowler azure -N/--shodan <shodan_api_key> -c network_public_ip_shodan
And finally, you can check if any of your GCP projects has an public IP address exposed in shodan:
prowler gcp -N/--shodan <shodan_api_key> -c compute_public_address_shodan