WeirdAAL (AWS Attack Library) is one of my go-to tools when I get my hands on a set of AWS credentials during an engagement. Where pacu is more of a full exploitation framework, WeirdAAL is laser-focused on one thing: figuring out what a set of credentials can actually do across every AWS service, fast.
I use it in combination with pacu regularly. WeirdAAL is great for the initial "what do I have" phase, and pacu takes over for the exploitation side once you know where the interesting permissions are.
https://github.com/carnal0wnage/weirdAAL
What It Does
WeirdAAL enumerates permissions by actually calling AWS APIs and seeing what sticks. It is not doing any guesswork or policy parsing. It is making real calls and recording what succeeds. This matters because IAM policies in the real world are messy. Inline policies, SCPs, permission boundaries, resource-based policies: what is actually allowed is not always obvious from reading policy documents alone.
Getting Started
git clone https://github.com/carnal0wnage/weirdAAL
cd weirdAAL
pip3 install -r requirements.txt
cp env.txt .env
Edit your .env file with your target credentials, then run enumeration against whatever services you want to check:
python3 weirdAAL.py -m ec2_recon -t my_session
python3 weirdAAL.py -m s3_recon -t my_session
python3 weirdAAL.py -m lambda_recon -t my_session
There is also a full recon option that sweeps everything at once, which is noisy but useful when stealth is not a priority.
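What that noise looks like from the defender's side, as an added example that is not part of the original post or the WeirdAAL project: a sliding-window check over CloudTrail-style records that flags a principal touching many services and collecting denials in a short time. The function names, thresholds, principals and events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Error codes CloudTrail records for denied calls (EC2 uses its own code).
DENIED = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

def find_enumeration(events, window=timedelta(minutes=10), min_services=4, min_denied=5):
    """Flag principals with >= min_services services and >= min_denied denials in one window."""
    by_principal = defaultdict(list)
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_principal[arn].append((when, ev["eventSource"], ev.get("errorCode") in DENIED))
    flagged = {}
    for arn, calls in by_principal.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1  # drop calls that fell out of the window
            span = calls[start:end + 1]
            services = sorted({src for _, src, _ in span})
            denied = sum(1 for _, _, was_denied in span if was_denied)
            if len(services) >= min_services and denied >= min_denied:
                if denied > flagged.get(arn, {"denied": 0})["denied"]:  # keep the worst window
                    flagged[arn] = {"services": services, "denied": denied, "calls": len(span)}
    return flagged

def sample_event(arn, minute, source, name, error=None):  # constructed record, not a real log
    ev = {"eventTime": f"2024-01-01T10:{minute:02d}:00Z", "eventSource": source,
          "eventName": name, "userIdentity": {"arn": arn}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed principals and events: a key swept across services, and a normal role.
SWEEP = "arn:aws:iam::111111111111:user/example-leaked-key"
APP = "arn:aws:iam::111111111111:role/example-app"
SAMPLE = [
    sample_event(SWEEP, 0, "ec2.amazonaws.com", "DescribeInstances", "Client.UnauthorizedOperation"),
    sample_event(SWEEP, 0, "s3.amazonaws.com", "ListBuckets"),
    sample_event(SWEEP, 1, "lambda.amazonaws.com", "ListFunctions20150331", "AccessDenied"),
    sample_event(SWEEP, 1, "iam.amazonaws.com", "ListUsers", "AccessDenied"),
    sample_event(SWEEP, 2, "rds.amazonaws.com", "DescribeDBInstances", "AccessDenied"),
    sample_event(SWEEP, 2, "kms.amazonaws.com", "ListKeys", "AccessDenied"),
    sample_event(APP, 5, "s3.amazonaws.com", "ListBuckets"),
    sample_event(APP, 20, "dynamodb.amazonaws.com", "DescribeTable", "AccessDenied"),
]
if __name__ == "__main__": print(find_enumeration(SAMPLE))
```

The check only sees calls the trail records, so S3 object-level and other data events have to be enabled separately to appear here.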
Why I Like It
The output is clean and actionable. When you are on a timed engagement and you have credentials from a leaked env file or an API response, you do not want to sit there manually guessing at what to try next. WeirdAAL gives you a map. From there you know exactly where to focus: whether that is an over-permissioned Lambda execution role, an S3 bucket you should not be able to list, or an IAM path toward privilege escalation.
Worth having alongside pacu. They complement each other well.