General

Search…
General
Tools
1
# Non provider specific and general purpose
2
# https://github.com/nccgroup/ScoutSuite
3
# https://github.com/SygniaLabs/security-cloud-scout
4
# https://github.com/initstring/cloud_enum
5
python3 cloud_enum.py -k companynameorkeyword
6
# https://github.com/cyberark/SkyArk
7
# https://github.com/SecurityFTW/cs-suite
8
    cd /tmp
9
    mkdir .aws
10
    cat > .aws/config <<EOF
11
        [default]
12
        output = json
13
        region = us-east-1
14
    EOF
15
    cat > .aws/credentials <<EOF
16
        [default]
17
        aws_access_key_id = XXXXXXXXXXXXXXX
18
        aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXX
19
    EOF
20
    docker run -v `pwd`/.aws:/root/.aws -v `pwd`/reports:/app/reports securityftw/cs-suite -env aws
21
​
22
# Dictionary
23
https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb
24
​
25
Searching for bad configurations
26
​
27
No auditable items:
28
• DoS testing
29
• Intense fuzzing
30
• Phishing the cloud provider’s employees
31
• Testing other company’s assets
32
• Etc.
Copied!
Audit policies
Microsoft Cloud Penetration Testing Rules of Engagement
Penetration Testing - Amazon Web Services (AWS)
Amazon Web Services, Inc.
Cloud Security FAQ - Google Cloud Platform Console Help
Comparison table
Recon
1
# PoC from Forward DNS dataset
2
# This data is created by extracting domain names from a number of sources and then sending DNS queries for each domain.
3
# https://opendata.rapid7.com/sonar.fdns_v2/
4
cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.azurewebsites\.com"
5
cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.s3\.amazonaws\.com"
6
​
7
# https://github.com/99designs/clouddetect
8
clouddetect -ip=151.101.1.68
9
​
10
• First step should be to determine what services are in use
11
• More and more orgs are moving assets to the cloud one at a time
12
• Many have limited deployment to cloud providers, but some have fully embraced the cloud and are using it for AD, production assets, security products, and more
13
• Determine things like AD connectivity, mail gateways, web apps, file storage, etc.
14
• Traditional host discovery still applies
15
• After host discovery resolve all names, then perform whois
16
lookups to determine where they are hosted
17
• Microsoft, Amazon, Google IP space usually indicates cloud service usage
18
   ◇ More later on getting netblock information for each cloud service
19
• MX records can show cloud-hosted mail providers
20
• Certificate Transparency (crt.sh)
21
• Monitors and logs digital certs
22
• Creates a public, searchable log
23
• Can help discover additional subdomains
24
• More importantly… you can potentially find more Top Level Domains (TLD’s)!
25
• Single cert can be scoped for multiple domains
26
• Search (Google, Bing, Baidu, DuckDuckGo): site:targetdomain.com -site:www.targetdomain.com
27
• Shodan.io and Censys.io zoomeye.org
28
• Internet-wide portscans
29
• Certificate searches
30
• Shodan query examples:
31
   ◇ org:”Target Name”
32
   ◇ net:”CIDR Range”
33
   ◇ port:”443”
34
• DNS Brute Forcing
35
• Performs lookups on a list of potential subdomains
36
• Make sure to use quality lists
37
• SecLists: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
38
• MX Records can help us identify cloud services in use
39
   ◇ O365 = target-domain.mail.protection.outlook.com
40
   ◇ G-Suite = google.com | googlemail.com
41
   ◇ Proofpoint = pphosted.com
42
• If you find commonalities between subdomains try iterating names
43
•  Other Services
44
   ◇ HackerTarget https://hackertarget.com/
45
   ◇ ThreatCrowd  https://www.threatcrowd.org/
46
   ◇ DNSDumpster  https://dnsdumpster.com/
47
   ◇ ARIN Searches  https://whois.arin.net/ui/
48
      ▪ Search bar accepts wild cards “*”
49
      ▪ Great for finding other netblocks owned by the same organization
50
• Azure Netblocks
51
      ▪ Public: https://www.microsoft.com/en-us/download/details.aspx?id=56519
52
      ▪ US Gov: http://www.microsoft.com/en-us/download/details.aspx?id=57063
53
      ▪ Germany: http://www.microsoft.com/en-us/download/details.aspx?id=57064
54
      ▪ China: http://www.microsoft.com/en-us/download/details.aspx?id=57062
55
• AWS Netblocks
56
   ◇ https://ip-ranges.amazonaws.com/ip-ranges.json
57
• GCP Netblocks
58
   ◇ Google made it complicated so there’s a script on the next page to get the current IP netblocks.
59
• Box.com Usage
60
   ◇ Look for any login portals
61
      ▪ https://companyname.account.box.com
62
   ◇ Can find cached Box account data too 
63
• Employees
64
   ◇ LinkedIn
65
   ◇ PowerMeta https://github.com/dafthack/PowerMeta
66
   ◇ FOCA https://github.com/ElevenPaths/FOCA
67
   ◇ hunter.io
68
​
69
 Tools:
70
    • Recon-NG https://github.com/lanmaster53/recon-ng
71
    • OWASP Amass https://github.com/OWASP/Amass
72
    • Spiderfoot https://www.spiderfoot.net/
73
    • Gobuster https://github.com/OJ/gobuster
74
    • Sublist3r https://github.com/aboul3la/Sublist3r
75
​
76
Foothold:
77
• Find ssh keys in shhgit.darkport.co.uk https://github.com/eth0izzle/shhgit
78
• GitLeaks https://github.com/zricethezav/gitleaks
79
• Gitrob https://github.com/michenriksen/gitrob
80
• Truffle Hog https://github.com/dxa4481/truffleHog
81
​
82
Password attacks:
83
• Password Spraying
84
   ◇ Trying one password for every user at an org to avoid account lockouts (Spring2020)
85
• Most systems have some sort of lockout policy
86
   ◇ Example: 5 attempts in 30 mins = lockout
87
• If we attempt to auth as each individual username one time every 30 mins we lockout nobody
88
• Credential Stuffing
89
   ◇ Using previously breached credentials to attempt to exploit password reuse on corporate accounts
90
• People tend to reuse passwords for multiple sites including corporate accounts
91
• Various breaches end up publicly posted
92
• Search these and try out creds
93
• Try iterating creds
94
​
95
Web server explotation
96
• Out-of-date web technologies with known vulns
97
• SQL or command injection vulns
98
• Server-Side Request Forgery (SSRF)
99
• Good place to start post-shell:
100
• Creds in the Metadata Service
101
• Certificates
102
• Environment variables
103
• Storage accounts
104
• Reused access certs as private keys on web servers
105
   ◇ Compromise web server
106
   ◇ Extract certificate with Mimikatz
107
   ◇ Use it to authenticate to Azure
108
• Mimikatz can export “non-exportable” certificates:
109
    mimikatz# crypto::capi
110
    mimikatz# privilege::debug
111
    mimikatz# crypto::cng
112
    mimikatz# crypto::certificates /systemstore:local_machine /store:my /export
113
​
114
Phising
115
• Phishing is still the #1 method of compromise
116
• Target Cloud engineers, Developers, DevOps, etc.
117
• Two primary phishing techniques:
118
   ◇ Cred harvesting / session hijacking
119
   ◇ Remote workstation compromise w/ C2
120
• Attack designed to steal creds and/or session cookies
121
• Can be useful when security protections prevent getting shells
122
• Email a link to a target employee pointing to cloned auth portal
123
   ◇ Examples: Microsoft Online (O365, Azure, etc.), G-Suite, AWS Console
124
• They auth and get real session cookies… we get them too.
125
​
126
Phishing: Remote Access
127
• Phish to compromise a user’s workstation
128
• Enables many other options for gaining access to cloud resources
129
• Steal access tokens from disk
130
• Session hijack
131
• Keylog
132
• Web Config and App Config files
133
   ◇ Commonly found on pentests to include cleartext creds
134
   ◇ WebApps often need read/write access to cloud storage or DBs
135
   ◇ Web.config and app.config files might contain creds or access tokens
136
   ◇ Look for management cert and extract to pfx like publishsettings files
137
   ◇ Often found in root folder of webapp
138
• Internal Code Repositories
139
   ◇ Gold mine for keys
140
   ◇ Find internal repos:
141
      ▪ A. Portscan internal web services (80, 443, etc.) then use EyeWitness to screenshot each service to quickly analyze
142
      ▪ B. Query AD for all hostnames, look for subdomains git, code, repo, bitbucket, gitlab, etc..
143
   ◇ Can use automated tools (gitleaks, trufflehog, gitrob) or use built-in search features
144
      ▪ Search for AccessKey, AKIA, id_rsa, credentials, secret, password, and token
145
• Command history
146
• The commands ran previously may indicate where to look
147
• Sometimes creds get passed to the command line
148
• Linux hosts command history is here:
149
   ◇ ~/.bash_history
150
• PowerShell command history is here:
151
   ◇ %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
152
​
153
Post-Compromise Recon
154
• Who do we have access as?
155
• What roles do we have?
156
• Is MFA enabled?
157
• What can we access (webapps, storage, etc.?)
158
• Who are the admins?
159
• How are we going to escalate to admin?
160
• Any security protections in place (ATP, GuardDuty, etc.)?
161
​
162
Service metadata summary
163
AWS
164
http://169.254.169.254/metadata/v1/*
165
Google Cloud
166
http://metadata.google.internal/computeMetadata/v1/*
167
DigitalOcean 
168
http://169.254.169.254/metadata/v1/*
169
Docker 
170
http://127.0.0.1:2375/v1.24/containers/json
171
Kubernetes ETCD 
172
http://127.0.0.1:2379/v2/keys/?recursive=true
173
Alibaba Cloud
174
http://100.100.100.200/latest/meta-data/*
175
Microsoft Azure
176
http://169.254.169.254/metadata/v1/*
177
​
Copied!
Cloud Labs
AWS Labs 
flaws.cloud 
flaws2.cloud 
https://github.com/OWASP/Serverless-Goat 
https://n0j.github.io/2017/10/02/aws-s3-ctf.html
https://github.com/RhinoSecurityLabs/cloudgoat 
https://github.com/appsecco/attacking-cloudgoat2 
https://github.com/m6a-UdS/dvca 
https://github.com/OWASP/DVSA 
https://github.com/nccgroup/sadcloud 
https://github.com/torque59/AWS-Vulnerable-Lambda
https://github.com/wickett/lambhack 
https://github.com/BishopFox/iam-vulnerable 
GCP Labs 
http://thunder-ctf.cloud/ https://gcpgoat.joshuajebaraj.com/
Azure Labs 
https://github.com/azurecitadel/azure-security-lab
Enumeration - Previous
Cloud
Cloud Info Gathering
Last modified 4mo ago
Export as PDF
Copy link
Edit on GitHub
Contents