
WeirdAAL

WeirdAAL (AWS attack tool) is a Python-based security assessment framework for AWS environments that identifies misconfigured permissions, enumerates IAM principals, discovers exposed resources, and simulates AWS attack chains to find security gaps in AWS deployments.

Installation

Linux/Ubuntu

# Install from pip
pip install weirdaal

# Clone and install from source
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
pip install -r requirements.txt
python setup.py install

# Quick setup with virtual environment
python3 -m venv weirdaal-env
source weirdaal-env/bin/activate
pip install weirdaal

macOS

# Install via pip
pip3 install weirdaal

# Install from source with Homebrew Python
brew install python3
git clone https://github.com/carnal0wnage/weirdAAL.git
cd weirdAAL
pip3 install -r requirements.txt

Prerequisites

# Install AWS CLI (required). The pip package is AWS CLI v1;
# AWS distributes v2 through its own installers, not through PyPI
pip install awscli

# Install boto3 (required for AWS API)
pip install boto3

# Install additional dependencies
pip install requests click pyyaml

AWS Configuration

# Configure AWS credentials (required before running WeirdAAL)
aws configure

# Or set environment variables
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_DEFAULT_REGION="us-east-1"

# Create credentials file
mkdir -p ~/.aws
cat > ~/.aws/credentials << 'EOF'
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY

[profile-name]
aws_access_key_id = ANOTHER_KEY
aws_secret_access_key = ANOTHER_SECRET
EOF

chmod 600 ~/.aws/credentials

Basic Enumeration

# Run IAM enumeration on default profile
weirdaal -p default

# Enumerate specific AWS profile
weirdaal -p production

# Enumerate all configured profiles
weirdaal --all-profiles

# List available modules
weirdaal --list-modules

# Show help
weirdaal --help

IAM Enumeration

# Enumerate IAM users and their permissions
weirdaal -m iam-users -p default

# List IAM roles and attached policies
weirdaal -m iam-roles -p default

# Get attached policies for user
weirdaal -m iam-user-policies -p default -u target-user

# List inline policies for role
weirdaal -m iam-role-inline-policies -p default

# Enumerate access keys
weirdaal -m iam-access-keys -p default

# List MFA devices
weirdaal -m iam-mfa -p default

# Get login profile information
weirdaal -m iam-login-profile -p default

EC2 Enumeration

# List all EC2 instances
weirdaal -m ec2-instances -p default -r us-east-1

# Get security group details
weirdaal -m ec2-security-groups -p default -r us-east-1

# List elastic IPs
weirdaal -m ec2-eips -p default -r us-east-1

# Enumerate key pairs
weirdaal -m ec2-keypairs -p default -r us-east-1

# Get VPC configuration
weirdaal -m ec2-vpcs -p default -r us-east-1

# List subnets
weirdaal -m ec2-subnets -p default -r us-east-1

# Get network ACLs
weirdaal -m ec2-nacls -p default -r us-east-1

S3 Enumeration

# List all S3 buckets
weirdaal -m s3-buckets -p default

# Check bucket permissions
weirdaal -m s3-bucket-acl -p default -b bucket-name

# List bucket contents
weirdaal -m s3-bucket-contents -p default -b bucket-name

# Check bucket policies
weirdaal -m s3-bucket-policy -p default -b bucket-name

# Enumerate bucket logging
weirdaal -m s3-bucket-logging -p default -b bucket-name

# Check versioning status
weirdaal -m s3-bucket-versioning -p default -b bucket-name

# List public buckets
weirdaal -m s3-public-buckets -p default

RDS Enumeration

# List RDS instances
weirdaal -m rds-instances -p default -r us-east-1

# Get RDS security group information
weirdaal -m rds-security-groups -p default -r us-east-1

# Enumerate RDS snapshots
weirdaal -m rds-snapshots -p default -r us-east-1

# Check RDS cluster information
weirdaal -m rds-clusters -p default -r us-east-1

# List parameter groups
weirdaal -m rds-parameter-groups -p default -r us-east-1

Lambda and Serverless

# List Lambda functions
weirdaal -m lambda-functions -p default -r us-east-1

# Get Lambda function details
weirdaal -m lambda-function-details -p default -r us-east-1 -f function-name

# Enumerate Lambda layers
weirdaal -m lambda-layers -p default -r us-east-1

# Get function environment variables
weirdaal -m lambda-env-vars -p default -r us-east-1 -f function-name

# List API Gateway APIs
weirdaal -m apigateway-apis -p default -r us-east-1

Secrets and Credentials

# List secrets in AWS Secrets Manager
weirdaal -m secretsmanager-secrets -p default -r us-east-1

# Get secret value (with permissions)
weirdaal -m secretsmanager-secret-value -p default -r us-east-1 -s secret-name

# Enumerate SSM parameters
weirdaal -m ssm-parameters -p default -r us-east-1

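# Get parameter value
# (-p appears twice here, once for the profile and once for the parameter name;
#  confirm the parameter flag with weirdaal --help)
weirdaal -m ssm-parameter-value -p default -r us-east-1 -p parameter-name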

# List CloudFormation stacks
weirdaal -m cloudformation-stacks -p default -r us-east-1

# Get stack resources
weirdaal -m cloudformation-stack-resources -p default -r us-east-1 -s stack-name

Advanced Enumeration

Attack Patterns and Privilege Escalation

# Enumerate privilege escalation paths
weirdaal -m privilege-escalation -p default

# Find inline policy privilege escalation
weirdaal -m inline-policy-priv-esc -p default

# Check for wildcard permissions
weirdaal -m wildcard-permissions -p default

# Find assume role permissions
weirdaal -m assume-role-perms -p default

# Enumerate cross-account access
weirdaal -m cross-account-roles -p default
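
An added example, not WeirdAAL's own code: a minimal Python version of the kind of check a wildcard-permission and assume-role review performs, run against a constructed policy document so the flagged statements can be tightened. The function names, the sample policy and the finding strings are assumptions made for this illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy document (not taken from any real account).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReadLogs", "Effect": "Allow",
   "Action": ["logs:GetLogEvents", "logs:Describe*"],
   "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:app:*"},
  {"Sid": "TooBroad", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
  {"Sid": "AssumeAny", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
  {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}
]}
""")

def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy):
    """Return [(sid, [reasons])] for Allow statements that are too broad.

    Hypothetical helper for this example. Condition blocks are not evaluated,
    so a flagged statement may still be constrained and needs manual review.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        reasons = []
        if "NotAction" in stmt:
            reasons.append("Allow combined with NotAction")
        all_resources = "*" in _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            pattern = action.lower()  # IAM action names are case-insensitive
            if all_resources and (pattern == "*" or pattern.endswith(":*")):
                reasons.append(f"{action} on Resource *")
            elif all_resources and fnmatchcase("sts:assumerole", pattern):
                reasons.append(f"{action} can assume any role")
        if reasons:
            findings.append((stmt.get("Sid", f"statement[{index}]"), reasons))
    return findings
```

Calling `audit_policy(SAMPLE_POLICY)` flags the `TooBroad` and `AssumeAny` statements and leaves the scoped `ReadLogs` and the `Deny` statement alone.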

Data Exfiltration Checks

# Find accessible S3 buckets for data theft
weirdaal -m s3-data-exfil -p default

# Check unencrypted RDS snapshots
weirdaal -m rds-unencrypted-snapshots -p default -r us-east-1

# Find publicly accessible EBS snapshots
weirdaal -m ebs-public-snapshots -p default -r us-east-1

# Enumerate publicly readable DynamoDB tables
weirdaal -m dynamodb-public-tables -p default -r us-east-1

# List unencrypted databases
weirdaal -m unencrypted-databases -p default -r us-east-1

Multi-Account Enumeration

# Assume role in different account (AWS account IDs are 12 digits)
weirdaal -m assume-role -p default --role-arn arn:aws:iam::123456789012:role/role-name

# Enumerate all accessible accounts
weirdaal -m accessible-accounts -p default

# Cross-account IAM enumeration
weirdaal -m cross-account-iam -p default

# List organization accounts
weirdaal -m org-accounts -p default

# Find organization policies
weirdaal -m org-policies -p default

Output and Reporting

# Generate JSON output
weirdaal -m iam-users -p default --output json > iam-users.json

# Generate CSV output
weirdaal -m ec2-instances -p default -r us-east-1 --output csv > instances.csv

# Generate HTML report
weirdaal -m all -p default --html-report assessment.html

# Save detailed logs
weirdaal -m iam-users -p default --loglevel DEBUG --logfile weirdaal.log

# Export findings to database
weirdaal -m all -p default --db-export sqlite://findings.db

Automation and Scripting

Python Integration

#!/usr/bin/env python3
import subprocess
import json
from typing import Dict

class WeirdAALRunner:
    def __init__(self, profile: str = 'default'):
        self.profile = profile

    def run_module(self, module: str, region: str = 'us-east-1') -> Dict:
        """Run WeirdAAL module and return JSON output ({} on any failure)"""
        cmd = ['weirdaal', '-m', module, '-p', self.profile,
               '-r', region, '--output', 'json']
        # Argument list (no shell), so module and region are never shell-interpreted
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode != 0:
            return {}
        try:
            return json.loads(result.stdout)
        except json.JSONDecodeError:
            # Non-JSON output (banner, warning, empty) is treated as a failed run
            return {}

    def enumerate_all_regions(self, module: str) -> Dict:
        """Enumerate module across a fixed list of AWS regions"""
        regions = ['us-east-1', 'us-west-2', 'eu-west-1', 'ap-southeast-1']
        results = {}
        for region in regions:
            results[region] = self.run_module(module, region)
        return results

    def find_exposed_resources(self) -> Dict:
        """Find all exposed/public resources"""
        findings = {}
        findings['public_s3'] = self.run_module('s3-public-buckets')
        findings['public_snapshots'] = self.run_module('ebs-public-snapshots')
        findings['public_rds'] = self.run_module('rds-public-instances')
        return findings

# Usage
if __name__ == '__main__':
    runner = WeirdAALRunner('production')
    exposed = runner.find_exposed_resources()
    print(json.dumps(exposed, indent=2))

Bash Automation

#!/bin/bash
# Comprehensive AWS security assessment

set -u        # fail on unset variables
umask 077     # reports describe the account's architecture; keep them owner-only

PROFILE="${1:-default}"
REPORT_DIR="aws-assessment-$(date +%Y%m%d)"
mkdir -p "$REPORT_DIR"

echo "[+] Starting AWS security assessment for profile: $PROFILE"

# IAM Assessment
echo "[*] Enumerating IAM principals..."
weirdaal -m iam-users -p "$PROFILE" --output json > "$REPORT_DIR/iam-users.json"
weirdaal -m iam-roles -p "$PROFILE" --output json > "$REPORT_DIR/iam-roles.json"
weirdaal -m iam-access-keys -p "$PROFILE" --output json > "$REPORT_DIR/access-keys.json"

# Permission Analysis
echo "[*] Analyzing permissions..."
weirdaal -m privilege-escalation -p "$PROFILE" --output json > "$REPORT_DIR/priv-esc.json"
weirdaal -m wildcard-permissions -p "$PROFILE" --output json > "$REPORT_DIR/wildcards.json"

# EC2 Assessment
for region in us-east-1 us-west-2 eu-west-1; do
    echo "[*] Scanning EC2 in $region..."
    weirdaal -m ec2-instances -p "$PROFILE" -r "$region" --output json > "$REPORT_DIR/ec2-$region.json"
    weirdaal -m ec2-security-groups -p "$PROFILE" -r "$region" --output json > "$REPORT_DIR/sg-$region.json"
done

# S3 Assessment
echo "[*] Analyzing S3 buckets..."
weirdaal -m s3-buckets -p "$PROFILE" --output json > "$REPORT_DIR/s3-buckets.json"
weirdaal -m s3-public-buckets -p "$PROFILE" --output json > "$REPORT_DIR/public-buckets.json"

# Data Exposure Check
echo "[*] Checking for data exposure..."
weirdaal -m s3-data-exfil -p "$PROFILE" --output json > "$REPORT_DIR/data-exfil.json"
weirdaal -m ebs-public-snapshots -p "$PROFILE" -r us-east-1 --output json > "$REPORT_DIR/public-snapshots.json"

# Secrets Check
echo "[*] Scanning for exposed secrets..."
weirdaal -m secretsmanager-secrets -p "$PROFILE" -r us-east-1 --output json > "$REPORT_DIR/secrets.json"
weirdaal -m ssm-parameters -p "$PROFILE" -r us-east-1 --output json > "$REPORT_DIR/ssm-params.json"

# Generate summary
echo "[+] Assessment complete. Results saved to $REPORT_DIR/"
echo "[*] Findings summary:"
find "$REPORT_DIR" -name "*.json" -exec echo "  - {}" \;

Real-World Workflows

Complete Security Assessment

# 1. Enumerate AWS account structure
weirdaal -m iam-users -p default --output json > users.json
weirdaal -m iam-roles -p default --output json > roles.json

# 2. Identify high-risk permissions
weirdaal -m wildcard-permissions -p default
weirdaal -m privilege-escalation -p default
weirdaal -m cross-account-roles -p default

# 3. Find exposed resources
weirdaal -m s3-public-buckets -p default
weirdaal -m ebs-public-snapshots -p default -r us-east-1
weirdaal -m rds-public-instances -p default -r us-east-1

# 4. Check credentials and secrets exposure
weirdaal -m iam-access-keys -p default
weirdaal -m secretsmanager-secrets -p default -r us-east-1

# 5. Multi-account analysis
weirdaal -m cross-account-iam -p default
weirdaal -m accessible-accounts -p default

# 6. Generate comprehensive report
weirdaal -m all -p default --html-report security-assessment.html

Post-Compromise Lateral Movement

# Enumerate assume role permissions
weirdaal -m assume-role-perms -p default

# Find cross-account roles
weirdaal -m cross-account-roles -p default

# Check federation setup
weirdaal -m saml-providers -p default

# Identify privilege escalation paths
weirdaal -m privilege-escalation -p default
weirdaal -m inline-policy-priv-esc -p default

# Find accessible accounts
weirdaal -m accessible-accounts -p default

# Assume identified roles for further access
aws sts assume-role --role-arn arn:aws:iam::TARGET-ACCOUNT:role/ROLE-NAME --role-session-name assessment

Continuous Compliance Monitoring

#!/bin/bash
# Run weekly compliance assessment

PROFILE="production"
BACKUP_DIR="compliance-backups"
CURRENT_ASSESSMENT="current-assessment.json"
BASELINE="baseline.json"

umask 077     # assessment output is sensitive; keep it owner-only
mkdir -p "$BACKUP_DIR"

# Run assessment; stop if it fails or writes nothing,
# so a broken run never replaces the baseline
if ! weirdaal -m all -p "$PROFILE" --output json > "$CURRENT_ASSESSMENT" \
        || [ ! -s "$CURRENT_ASSESSMENT" ]; then
    echo "Assessment failed; baseline left unchanged" >&2
    exit 1
fi

if [ -f "$BASELINE" ]; then
    # Backup previous assessment
    cp "$BASELINE" "$BACKUP_DIR/baseline-$(date +%s).json"

    # Compare with baseline
    diff -u "$BASELINE" "$CURRENT_ASSESSMENT" > changes.diff
    if [ -s changes.diff ]; then
        echo "Compliance changes detected!"
        cat changes.diff
    fi
fi

# Update baseline
cp "$CURRENT_ASSESSMENT" "$BASELINE"
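
The script above compares reports with `diff -u`, which also reports reordered keys and list entries as changes. As an added example (not part of WeirdAAL or of the original script), the Python below diffs two reports structurally so only real additions and removals show up; the report shape and all names in it are constructed assumptions, since the page does not show the tool's JSON output.

```python
import json

# Constructed sample reports; the real shape of the tool's JSON is an assumption.
BASELINE = {"iam": {"users": [{"name": "alice", "mfa": True},
                              {"name": "bob", "mfa": True}]},
            "s3": {"public_buckets": ["logs-archive"]}}
CURRENT = {"s3": {"public_buckets": ["logs-archive", "export-tmp"]},
           "iam": {"users": [{"mfa": False, "name": "bob"},
                             {"name": "alice", "mfa": True}]}}


def _canon(value):
    """Serialise with sorted keys so equal objects give equal strings."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def _flatten(node, path=""):
    """Yield (path, set of canonical items). Dicts are walked by key; lists
    and scalars become sets, so element order is ignored."""
    if isinstance(node, dict):
        for key in sorted(node):
            yield from _flatten(node[key], f"{path}/{key}")
    elif isinstance(node, list):
        yield path, {_canon(item) for item in node}
    else:
        yield path, {_canon(node)}


def diff_assessments(baseline, current):
    """Return {path: {"added": [...], "removed": [...]}} for real changes."""
    old, new = dict(_flatten(baseline)), dict(_flatten(current))
    changes = {}
    for path in sorted(old.keys() | new.keys()):
        before, after = old.get(path, set()), new.get(path, set())
        added = [json.loads(item) for item in sorted(after - before)]
        removed = [json.loads(item) for item in sorted(before - after)]
        if added or removed:
            changes[path] = {"added": added, "removed": removed}
    return changes


if __name__ == "__main__":
    print(json.dumps(diff_assessments(BASELINE, CURRENT), indent=2))
```

On the sample data the reordered `alice` entry produces no finding, while the lost MFA flag on `bob` and the new public bucket are reported.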

Best Practices and Security Considerations

Assessment Safety

  • Always get written authorization before running assessments
  • Use separate AWS profiles for testing vs production
  • Run initial scans with read-only IAM roles
  • Test in non-production environments first
  • Document all findings and access attempts
  • Follow responsible disclosure practices
  • Clean up any created resources after assessment

Operational Security

  • Rotate AWS credentials regularly
  • Use IAM roles instead of long-term access keys when possible
  • Enable CloudTrail logging during assessments
  • Monitor CloudWatch logs for suspicious activity
  • Use MFA for sensitive AWS accounts
  • Implement resource-based policies to restrict access
  • Schedule assessments during maintenance windows

Data Handling

  • Protect enumeration results (they contain sensitive architecture details)
  • Encrypt exports and reports in transit and at rest
  • Securely delete temporary files after assessment
  • Use secure, authenticated storage for findings
  • Implement proper access controls for assessment reports
  • Consider data retention policies for compliance

Best Assessment Practices

  • Start with least-privilege scans before escalating
  • Document baseline AWS configurations before testing
  • Compare current state against security benchmarks
  • Use multiple modules to cross-validate findings
  • Correlate findings from different sources
  • Prioritize findings by impact and likelihood
  • Create remediation plans based on severity

Troubleshooting

Common Issues

Credentials Not Working

# Verify AWS credentials are configured
aws sts get-caller-identity

# Check credential file format
cat ~/.aws/credentials

# Test with specific profile
weirdaal -p profile-name --output json > test.json

Module Execution Failures

# Run with verbose logging
weirdaal -m iam-users -p default --verbose --loglevel DEBUG

# Check IAM permissions for current principal
aws iam list-user-policies --user-name username

# Test API connectivity (describe-instances accepts --max-results of 5 or more)
aws ec2 describe-instances --region us-east-1 --max-results 5

Permission Denied Errors

# View current principal
aws sts get-caller-identity

# Check attached policies
aws iam list-attached-user-policies --user-name username

# Check inline policies
aws iam list-user-policies --user-name username

# Get policy details
aws iam get-user-policy --user-name username --policy-name policy-name

Region-Specific Issues

# List available regions
aws ec2 describe-regions --output json

# Run assessment across all regions
for region in $(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text); do
    weirdaal -m ec2-instances -p default -r "$region" --output json > "ec2-$region.json"
done

Debug Commands

# Check module availability
weirdaal --list-modules

# Dry-run module without changes
weirdaal -m iam-users -p default --dry-run

# Test connectivity to AWS
weirdaal -m test-connectivity -p default

# Validate AWS credentials
weirdaal -m validate-credentials -p default

# Get version information
weirdaal --version

# Enable debug output
weirdaal -m iam-users -p default --debug

# Check configuration
weirdaal --show-config


Last updated: 2026-03-30