Pentest Book
Ask or search…
Comment on page



# Non provider specific and general purpose
python3 -k companynameorkeyword
cd /tmp
mkdir .aws
cat > .aws/config <<EOF
output = json
region = us-east-1
cat > .aws/credentials <<EOF
aws_access_key_id = XXXXXXXXXXXXXXX
docker run -v `pwd`/.aws:/root/.aws -v `pwd`/reports:/app/reports securityftw/cs-suite -env aws
# Dictionary
Searching for bad configurations
No auditable items:
• DoS testing
• Intense fuzzing
• Phishing the cloud provider’s employees
• Testing other company’s assets
• Etc.

Audit policies

Comparison table


# PoC from Forward DNS dataset
# This data is created by extracting domain names from a number of sources and then sending DNS queries for each domain.
cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.azurewebsites\.com"
cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.s3\.amazonaws\.com"
clouddetect -ip=
• First step should be to determine what services are in use
• More and more orgs are moving assets to the cloud one at a time
• Many have limited deployment to cloud providers, but some have fully embraced the cloud and are using it for AD, production assets, security products, and more
• Determine things like AD connectivity, mail gateways, web apps, file storage, etc.
• Traditional host discovery still applies
• After host discovery resolve all names, then perform whois
lookups to determine where they are hosted
• Microsoft, Amazon, Google IP space usually indicates cloud service usage
◇ More later on getting netblock information for each cloud service
• MX records can show cloud-hosted mail providers
• Certificate Transparency (
• Monitors and logs digital certs
• Creates a public, searchable log
• Can help discover additional subdomains
• More importantly… you can potentially find more Top Level Domains (TLD’s)!
• Single cert can be scoped for multiple domains
• Search (Google, Bing, Baidu, DuckDuckGo):
• and
• Internet-wide portscans
• Certificate searches
• Shodan query examples:
◇ org:”Target Name”
◇ net:”CIDR Range”
◇ port:”443”
• DNS Brute Forcing
• Performs lookups on a list of potential subdomains
• Make sure to use quality lists
• SecLists:
• MX Records can help us identify cloud services in use
◇ O365 =
◇ G-Suite = |
◇ Proofpoint =
• If you find commonalities between subdomains try iterating names
• Other Services
◇ HackerTarget
◇ ThreatCrowd
◇ DNSDumpster
◇ ARIN Searches
▪ Search bar accepts wild cards “*”
▪ Great for finding other netblocks owned by the same organization
• Azure Netblocks
▪ Public:
▪ US Gov:
▪ Germany:
▪ China:
• AWS Netblocks
• GCP Netblocks
◇ Google made it complicated so there’s a script on the next page to get the current IP netblocks.
• Usage
◇ Look for any login portals
◇ Can find cached Box account data too
• Employees
◇ LinkedIn
◇ PowerMeta
• Recon-NG
• OWASP Amass
• Spiderfoot
• Gobuster
• Sublist3r
• Find ssh keys in
• GitLeaks
• Gitrob
• Truffle Hog
Password attacks:
• Password Spraying
◇ Trying one password for every user at an org to avoid account lockouts (Spring2020)
• Most systems have some sort of lockout policy
◇ Example: 5 attempts in 30 mins = lockout
• If we attempt to auth as each individual username one time every 30 mins we lockout nobody
• Credential Stuffing
◇ Using previously breached credentials to attempt to exploit password reuse on corporate accounts
• People tend to reuse passwords for multiple sites including corporate accounts
• Various breaches end up publicly posted
• Search these and try out creds
• Try iterating creds
Web server explotation
• Out-of-date web technologies with known vulns
• SQL or command injection vulns
• Server-Side Request Forgery (SSRF)
• Good place to start post-shell:
• Creds in the Metadata Service
• Certificates
• Environment variables
• Storage accounts
• Reused access certs as private keys on web servers
◇ Compromise web server
◇ Extract certificate with Mimikatz
◇ Use it to authenticate to Azure
• Mimikatz can export “non-exportable” certificates:
mimikatz# crypto::capi
mimikatz# privilege::debug
mimikatz# crypto::cng
mimikatz# crypto::certificates /systemstore:local_machine /store:my /export
• Phishing is still the #1 method of compromise
• Target Cloud engineers, Developers, DevOps, etc.
• Two primary phishing techniques:
◇ Cred harvesting / session hijacking
◇ Remote workstation compromise w/ C2
• Attack designed to steal creds and/or session cookies
• Can be useful when security protections prevent getting shells
• Email a link to a target employee pointing to cloned auth portal
◇ Examples: Microsoft Online (O365, Azure, etc.), G-Suite, AWS Console
• They auth and get real session cookies… we get them too.
Phishing: Remote Access
• Phish to compromise a user’s workstation
• Enables many other options for gaining access to cloud resources
• Steal access tokens from disk
• Session hijack
• Keylog
• Web Config and App Config files
◇ Commonly found on pentests to include cleartext creds
◇ WebApps often need read/write access to cloud storage or DBs
◇ Web.config and app.config files might contain creds or access tokens
◇ Look for management cert and extract to pfx like publishsettings files
◇ Often found in root folder of webapp
• Internal Code Repositories
◇ Gold mine for keys
◇ Find internal repos:
▪ A. Portscan internal web services (80, 443, etc.) then use EyeWitness to screenshot each service to quickly analyze
▪ B. Query AD for all hostnames, look for subdomains git, code, repo, bitbucket, gitlab, etc..
◇ Can use automated tools (gitleaks, trufflehog, gitrob) or use built-in search features
▪ Search for AccessKey, AKIA, id_rsa, credentials, secret, password, and token
• Command history
• The commands ran previously may indicate where to look
• Sometimes creds get passed to the command line
• Linux hosts command history is here:
◇ ~/.bash_history
• PowerShell command history is here:
◇ %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Post-Compromise Recon
• Who do we have access as?
• What roles do we have?
• Is MFA enabled?
• What can we access (webapps, storage, etc.?)
• Who are the admins?
• How are we going to escalate to admin?
• Any security protections in place (ATP, GuardDuty, etc.)?
Service metadata summary
Google Cloud*
Kubernetes ETCD
Alibaba Cloud*
Microsoft Azure*

Cloud Labs

  • AWS Labs
  • GCP Labs
  • Azure Labs
Last modified 1yr ago