Article by Nick Frichette.
Bypass GuardDuty Pentest Findings
When making AWS API requests from common penetration testing operating systems, GuardDuty will detect this and trigger a PenTest finding.
This is caused by the user agent string that is passed in the API request. By modifying it, we can prevent GuardDuty from detecting that we are operating from a "pentest" Linux distribution.
If your assessment requires you to remain undetected it's probably easier to leverage a "safe" OS like Ubuntu, Mac OS, or Windows.
To do this, identify the location of your session.py in the botocore package. For example, on a default Kali Linux install it can be found at
On line 456 (at the time of writing), you should see the following.
platform.release() are similar to uname -o and uname -r. On a stock Kali install it will generate the following values.
To get around this, modify the code and replace it with legitimate user agent strings like those found in Pacu. With this capability you can mask your user agent to look like anything you want, even arbitrary values like the one below.
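From the defender's side, the PenTest finding described above amounts to a substring match on the platform token that the SDK embeds in the user agent. The following Python is an added example, not code from the article or from botocore: it extracts that token from SDK-style user agents, maps it to GuardDuty's documented PenTest finding types (KaliLinux, ParrotLinux, PentooLinux), and runs the check over a handful of constructed CloudTrail-style records. The record contents, the event IDs and the helper names are constructed here; the user agent layout is the usual boto3/botocore "Boto3/x Python/x <system>/<release> Botocore/x" form.

```python
import re
from typing import Optional

# GuardDuty's documented PenTest finding types, keyed by the substring that a
# stock install of each distribution leaves in platform.release() (the kernel
# release string, i.e. what `uname -r` prints, e.g. "6.1.0-kali5-amd64").
PENTEST_OS_MARKERS = {
    "kali": "PenTest:IAMUser/KaliLinux",
    "parrot": "PenTest:IAMUser/ParrotLinux",
    "pentoo": "PenTest:IAMUser/PentooLinux",
}

# The SDK user agent carries "<platform.system()>/<platform.release()>" as one
# token; this pattern pulls that token out of a botocore/boto3 user agent.
_OS_TOKEN = re.compile(r"\b(Linux|Darwin|Windows)/(\S+)")


def os_token(user_agent: str) -> Optional[tuple]:
    """Return (system, release) from an SDK user agent, or None if no OS token is present."""
    m = _OS_TOKEN.search(user_agent)
    return (m.group(1), m.group(2)) if m else None


def classify_user_agent(user_agent: str) -> Optional[str]:
    """Map a user agent to a PenTest finding type, or None if it carries no distro marker."""
    token = os_token(user_agent)
    if token is None:
        return None
    release = token[1].lower()
    for marker, finding in PENTEST_OS_MARKERS.items():
        if marker in release:
            return finding
    return None


# Constructed CloudTrail-style records (hypothetical values, not real logs).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventName": "ListBuckets",
     "userAgent": "Boto3/1.26.0 Python/3.11.2 Linux/6.1.0-kali5-amd64 Botocore/1.29.0"},
    {"eventID": "evt-2", "eventName": "GetCallerIdentity",
     "userAgent": "Boto3/1.26.0 Python/3.11.2 Linux/5.18.0-13parrot1-amd64 Botocore/1.29.0"},
    {"eventID": "evt-3", "eventName": "DescribeInstances",
     "userAgent": "Boto3/1.26.0 Python/3.11.2 Linux/5.15.0-76-generic Botocore/1.29.0"},
    # A user agent carrying no platform token at all: the check is blind to it,
    # which is exactly the gap the article's technique exploits.
    {"eventID": "evt-4", "eventName": "ListUsers",
     "userAgent": "custom-agent/1.0 (constructed example)"},
]


def scan_events(events):
    """Return [(eventID, finding)] for every record whose user agent matches a marker."""
    hits = []
    for ev in events:
        finding = classify_user_agent(ev.get("userAgent", ""))
        if finding:
            hits.append((ev["eventID"], finding))
    return hits


if __name__ == "__main__":
    for event_id, finding in scan_events(SAMPLE_EVENTS):
        print(f"{event_id}: {finding}")
```

Running it flags evt-1 and evt-2 only. evt-4 shows the limit of this signal: a request whose user agent has been rewritten produces no marker and no finding, so a detection program should treat the PenTest finding as one indicator and pair it with signals the caller cannot edit client-side, such as the source IP, the principal's normal API baseline, and the sequence of calls made.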