Loot Extraction - baeziy/AWSault GitHub Wiki

Loot Extraction

Loot extraction is Phase 4 of --godeep. It actively retrieves secret values and credentials from AWS services.

Overview

While the security audit detects that secrets exist, the loot extractor reads them. This is the phase that actually pulls credential values out of AWS.

awsault --godeep

Important note

This phase makes read calls that access actual secret values:

  • secretsmanager:GetSecretValue — reads secret contents
  • ssm:GetParameter with WithDecryption=True — decrypts SecureString parameters

These are the only non-passive calls AWSault makes. Only run this against accounts you have explicit written permission to test.
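On the defender side of that note, here is an added example (not AWSault code) showing how a trail of CloudTrail records can be screened for a principal bulk-reading secret values through exactly these two calls; the records, the account id, the principal ARNs and the threshold are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not AWSault code: flags principals that bulk-read secret values
# via the two non-passive calls named above. All records here are constructed.
AUDITOR = "arn:aws:iam::111111111111:user/auditor"  # constructed principal
APP_ROLE = "arn:aws:sts::111111111111:assumed-role/app/i-0abc"  # constructed

def _event(name, source, principal, minute, resource, decrypt=None):
    """Build a minimal CloudTrail-style record (constructed sample data)."""
    params = ({"secretId": resource} if source == "secretsmanager.amazonaws.com"
              else {"name": resource, "withDecryption": decrypt})
    return {"eventTime": f"2024-01-01T00:{minute:02d}:00Z", "eventSource": source,
            "eventName": name, "userIdentity": {"arn": principal},
            "requestParameters": params}

SAMPLE_EVENTS = (
    [_event("GetSecretValue", "secretsmanager.amazonaws.com", AUDITOR, m, f"prod/db-{m}")
     for m in range(6)]
    + [_event("GetParameter", "ssm.amazonaws.com", AUDITOR, 6, "/prod/api-key", True),
       _event("GetParameter", "ssm.amazonaws.com", AUDITOR, 7, "/prod/flag", False),
       _event("GetSecretValue", "secretsmanager.amazonaws.com", APP_ROLE, 30, "prod/db-0")]
)

def is_secret_value_read(ev):
    """True only for GetSecretValue, or GetParameter with WithDecryption=True."""
    src, name = ev.get("eventSource"), ev.get("eventName")
    if src == "secretsmanager.amazonaws.com" and name == "GetSecretValue":
        return True
    if src == "ssm.amazonaws.com" and name == "GetParameter":
        return bool((ev.get("requestParameters") or {}).get("withDecryption"))
    return False

def find_bulk_secret_reads(events, threshold=5, window_minutes=10):
    """Return {principal_arn: n} for principals that read >= threshold distinct
    secret values inside any window_minutes window (n = largest count seen)."""
    reads = defaultdict(list)
    for ev in events:
        if is_secret_value_read(ev):
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            p = ev["requestParameters"]
            reads[ev["userIdentity"]["arn"]].append((ts, p.get("secretId") or p.get("name")))
    flagged = {}
    for arn, items in reads.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            names = {r for t, r in items[i:] if t - start <= timedelta(minutes=window_minutes)}
            if len(names) >= threshold:
                flagged[arn] = max(flagged.get(arn, 0), len(names))
    return flagged
```

A plain GetParameter without decryption is deliberately not counted, since it never returns a SecureString value; in a real pipeline the records would come from the trail's JSON rather than the constructed list.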

Loot sources

AWSault extracts credentials from 7 sources, all running concurrently (5 threads by default).

1. Secrets Manager

API calls: list_secrets (paginated) → get_secret_value for each secret

What it pulls:

  • Secret name and ARN
  • Description
  • Last changed date
  • Actual secret value (SecretString or SecretBinary)
  • Whether the value was readable

Secrets Manager is the most common place for database passwords, API keys, and service credentials.

2. SSM Parameter Store

API calls: describe_parameters (paginated) → get_parameter with WithDecryption=True

What it pulls:

  • Parameter name
  • Parameter type (String, StringList, SecureString)
  • Description
  • Last modified date
  • Decrypted parameter value (including SecureString types)

SSM parameters often contain connection strings, feature flags with embedded credentials, and deployment secrets.

3. Lambda Environment Variables

API calls: list_functions (paginated)

What it pulls:

  • Function name
  • Runtime
  • All environment variables (key-value pairs)

Lambda env vars frequently contain database credentials, API keys, third-party service tokens, and internal service URLs with embedded auth.

4. EC2 User Data

API calls: describe_instances (paginated) → describe_instance_attribute for each instance

What it pulls:

  • Instance ID
  • Instance state
  • Decoded user data script (base64 decoded automatically)

User data scripts are bootstrap scripts that run when an instance launches. They often contain hardcoded passwords, API keys, database connection strings, and SSH keys used for initial setup.

5. ECS Task Definitions

API calls: list_task_definitions (paginated, capped at 50) → describe_task_definition for each

What it pulls:

  • Task definition name
  • Container name
  • Environment variables (key-value pairs)
  • Secret references (name → ARN mappings pointing to Secrets Manager or SSM)

6. CodeBuild Projects

API calls: list_projects → batch_get_projects

What it pulls:

  • Project name
  • Environment variables with name, value, and type
  • Variable types include PLAINTEXT, PARAMETER_STORE, and SECRETS_MANAGER

CodeBuild env vars often contain deployment credentials, container registry auth, and CI/CD secrets.

7. CloudFormation Stacks

API calls: describe_stacks (paginated)

What it pulls:

  • Stack name and status
  • Stack outputs (key-value pairs — often contain endpoints, ARNs, generated passwords)
  • Stack parameters (key-value pairs — may contain passwords and connection info passed during deployment)

Concurrency

All 7 loot extractors run in parallel using a thread pool with 5 workers. Each extractor is independent — if one fails (permission denied), the others continue.

Output

Loot items appear in:

Terminal

A summary table showing each source and how many items were found:

SecretsManager    3 items (2 readable)
SSM Parameters    7 items (7 readable)
Lambda Env Vars   4 functions with env vars
EC2 User Data     2 instances with user data

Reports

  • HTML — dedicated Loot tab with collapsible items showing full JSON data. Each item shows a READABLE/DENIED badge.
  • CSV — flat rows with source, name, and readable status
  • JSON — full structured data under the loot key

What to look for

After extraction, focus on:

  1. Database credentials — connection strings, passwords in Secrets Manager or SSM
  2. API keys — third-party service tokens in Lambda env vars or CodeBuild
  3. AWS credentials — access keys embedded in user data scripts or env vars (indicates credential mismanagement)
  4. Internal service URLs — endpoints with embedded auth tokens
  5. Private keys — SSH or TLS keys in user data or parameters