jagzph / AWSealion

A tool to keep AWS pentests efficient, organized, and stealthy.

🔗 You can contact me on the following platforms:
LinkedIn - https://www.linkedin.com/in/segev-eliezer/
YouTube - https://www.youtube.com/channel/UCSumP9z5Rzquqih-jpusTOQ
Web - https://0xd4y.com

Description

AWSealion is a CLI tool designed to work as a plugin for the AWS CLI. It is intended for pentesters and security enthusiasts in both professional and CTF settings, but it can also be used by developers and security engineers to speed up their work. This tool helps you stay stealthy during red team and pentesting engagements by keeping your attacking footprint in an AWS environment as small as possible.

AWSealion works by preventing the same API call from being run twice, allowing user-agent customization on a per-engagement and per-profile basis, saving the output of all API calls, and much more. Furthermore, AWSealion creates an organized file structure that the user can easily reference, so that you do not lose track of your commands.

This tool is meant to be used for legal purposes only. Misuse of this tool is strictly prohibited.

Key Features

  • Detects duplicate commands and reads the output of the API call from memory rather than passing the command to the AWS API
  • User-agent customization on a per-engagement and per-profile basis
  • Saves the output of all API calls
  • Allows enumeration of multiple regions via the --regions and --all-regions arguments

Installation

git clone https://github.com/0xd4y/AWSealion
cd AWSealion
bash install.sh
source ~/.bashrc

Example Usage

Setting an Engagement and Profile User Agent

  • Profile user agent takes precedence over engagement user agent

AWSealion Command Saved

User-Agent Manipulation Within AWSealion

The user agent is determined by the session.py file in the botocore package. By modifying the session.py file to read the user agent from a txt file on the local system, it is possible to change one's AWS API user agent. This allows the user to stay stealthy even when conducting API calls from a pentesting distro, therefore bypassing GuardDuty's Pentest: findings. AWSealion is configured to retrieve user agent information from ~/.awsealion/user-agent.txt. The data in this user-agent file is constantly updated depending on the user agent set for the profile making the call, or the currently set engagement.

Per Profile User Agent Manipulation

A user agent set for a profile takes precedence over a user agent set for an engagement.

Per Engagement User Agent Manipulation

When configuring a user agent for an engagement, the engagement's user agent is applied to all profiles in the set engagement unless a profile has its own assigned user agent.
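Because the user agent is a client-controlled string, as this section shows, a defender reviewing CloudTrail cannot rely on its value alone. The following is an added example, not part of AWSealion: it flags access keys by user-agent changes from a single source IP and by read-only calls spread across regions. The function names, the threshold, and the sample records are assumptions constructed for illustration; only the record field names follow the CloudTrail format.

```python
from collections import defaultdict

READ_PREFIXES = ("List", "Describe", "Get")  # read-only API name prefixes

def ua_family(user_agent):
    """Reduce a user agent to its leading product token, e.g. 'aws-cli/2.15.0 ...' -> 'aws-cli'."""
    return user_agent.split("/", 1)[0].strip().lower()

def flag_principals(events, min_regions=3):
    """Return {accessKeyId: [reasons]} from signals that do not trust the userAgent value itself."""
    families = defaultdict(set)  # (key, source IP) -> user-agent families seen
    regions = defaultdict(set)   # key -> regions touched by read-only calls
    for e in events:
        key = e["userIdentity"]["accessKeyId"]
        families[(key, e["sourceIPAddress"])].add(ua_family(e["userAgent"]))
        if e["eventName"].startswith(READ_PREFIXES):
            regions[key].add(e["awsRegion"])
    findings = defaultdict(list)
    for (key, _ip), seen in families.items():
        # One host presenting several client families for the same key
        if len(seen) > 1 and "user_agent_switch" not in findings[key]:
            findings[key].append("user_agent_switch")
    for key, seen in regions.items():
        if len(seen) >= min_regions:
            findings[key].append("multi_region_enumeration")
    return {k: v for k, v in findings.items() if v}

def _ev(key, ip, ua, name, region):
    """Build a minimal CloudTrail-style record (helper for the constructed sample)."""
    return {"userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip,
            "userAgent": ua, "eventName": name, "awsRegion": region}

# Constructed sample data, not real logs; keys and IPs are placeholders.
K1, K2 = "AKIAEXAMPLEKEY000001", "AKIAEXAMPLEKEY000002"
SAMPLE_EVENTS = [
    _ev(K1, "198.51.100.7", "aws-cli/2.15.0 Python/3.11.6", "DescribeInstances", "us-east-1"),
    _ev(K1, "198.51.100.7", "Boto3/1.34.0 Python/3.11.6", "ListBuckets", "us-east-1"),
    _ev(K1, "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "DescribeInstances", "eu-west-1"),
    _ev(K1, "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "DescribeInstances", "ap-southeast-1"),
    _ev(K2, "203.0.113.5", "aws-sdk-java/1.12.600 Linux/5.10", "PutObject", "us-east-1"),
    _ev(K2, "203.0.113.5", "aws-sdk-java/1.12.600 Linux/5.10", "GetObject", "us-east-1"),
]

if __name__ == "__main__":
    print(flag_principals(SAMPLE_EVENTS))
```

Both signals are heuristics: a principal that legitimately uses several tools or operates in many regions will also match, so the results need a per-key baseline before alerting.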

Errors

If the installation script does not work, this is likely because the script could not find where your installed session.py file is. In that case, you must find where this file is located and insert the following code right before the return base line:

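# Insert immediately before the "return base" line in session.py
try:
    with open(os.getenv("HOME") + "/.awsealion/user_agent.txt", "r") as user_agent_file:
        # The with block closes the file; no explicit close() is needed
        user_agent = user_agent_file.read().strip()
    # Override the default user agent only when the file is non-empty
    if len(user_agent) != 0:
        base = user_agent
except Exception:
    # Missing or unreadable file: keep the default user agent
    pass

  • This code reads from the user_agent.txt file and uses it as the user agent for the API call.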

User Agents File

This user agents file was added to give the user quick and easy access to some example user agents. This file was taken from the Pacu tool created by RhinoSecurityLabs. All credit for this specific file goes to RhinoSecurityLabs.

Languages

Python 90.9%, Shell 9.1%