Pentest Book
General

Tools

# Non-provider-specific and general-purpose tools
# https://github.com/nccgroup/ScoutSuite
# https://github.com/SygniaLabs/security-cloud-scout
# https://github.com/initstring/cloud_enum
python3 cloud_enum.py -k companynameorkeyword
# https://github.com/cyberark/SkyArk
# https://github.com/SecurityFTW/cs-suite
# cs-suite reads standard AWS CLI config/credential files; build a throwaway profile and mount it into the container
cd /tmp
mkdir .aws
cat > .aws/config <<EOF
[default]
output = json
region = us-east-1
EOF
cat > .aws/credentials <<EOF
[default]
aws_access_key_id = XXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXX
EOF
docker run -v $(pwd)/.aws:/root/.aws -v $(pwd)/reports:/app/reports securityftw/cs-suite -env aws
# Dictionary
https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb

Searching for bad configurations

Non-auditable items (out of scope under every provider's policy):
• DoS testing
• Intense fuzzing
• Phishing the cloud provider's employees
• Testing other companies' assets
• Etc.

Audit policies:
# Azure
https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
# AWS
https://aws.amazon.com/security/penetration-testing/
# GCP
https://support.google.com/cloud/answer/6262505?hl=en

Recon

# PoC using the Forward DNS dataset
# The dataset is built by extracting domain names from a number of sources and then sending DNS queries for each domain.
# Each record is one JSON line with the fields name, type and value.
https://opendata.rapid7.com/sonar.fdns_v2/
# Find CNAMEs pointing at cloud-hosted services (Azure App Service uses *.azurewebsites.net)
pigz -dc CNAME-DATASET-NAME | grep -E "\.azurewebsites\.net"
pigz -dc CNAME-DATASET-NAME | grep -E "\.s3\.amazonaws\.com"
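As an added example (not part of the original page), a small Python filter over the FDNS v2 JSON-lines format that does what the two greps above do but keeps only records under your own domain and tags each hit with the provider, which is how a defender inventories cloud-hosted (and potentially dangling) CNAMEs. The suffix table and the sample records are constructed for this illustration.

```python
import json

# Hostname suffixes that indicate a CNAME points at a cloud-hosted service.
# The suffix/provider table is this example's own choice, not part of the dataset.
CLOUD_SUFFIXES = {
    "azurewebsites.net": "Azure App Service",
    "s3.amazonaws.com": "AWS S3",
    "cloudfront.net": "AWS CloudFront",
    "storage.googleapis.com": "GCP Storage",
}

def classify(target):
    # Return the provider label for a CNAME target, or None if not cloud-hosted
    target = target.rstrip(".").lower()
    for suffix, provider in CLOUD_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return provider
    return None

def cloud_cnames(lines, org_domain):
    """Walk FDNS v2 JSON-lines records and return {name: (target, provider)} for
    CNAMEs under org_domain whose target is a cloud service; other record types
    and other organisations' names are skipped."""
    org_domain = org_domain.lower()
    hits = {}
    for raw in filter(str.strip, lines):  # skip blank lines
        rec = json.loads(raw)
        if rec.get("type") != "cname":
            continue
        name = rec["name"].rstrip(".").lower()
        if name != org_domain and not name.endswith("." + org_domain):
            continue
        provider = classify(rec["value"])
        if provider:
            hits[name] = (rec["value"].rstrip(".").lower(), provider)
    return hits

# Constructed sample records in the FDNS v2 line format (not real data).
SAMPLE = """
{"timestamp":"1600000000","name":"app.example.org","type":"cname","value":"example-app.azurewebsites.net"}
{"timestamp":"1600000000","name":"static.example.org","type":"cname","value":"static-example.s3.amazonaws.com"}
{"timestamp":"1600000000","name":"mail.example.org","type":"cname","value":"ghs.googlehosted.com"}
{"timestamp":"1600000000","name":"www.other.org","type":"cname","value":"other.azurewebsites.net"}
{"timestamp":"1600000000","name":"example.org","type":"a","value":"203.0.113.10"}
"""

if __name__ == "__main__":  # for the real dataset, feed sys.stdin from `pigz -dc`
    for name, hit in cloud_cnames(SAMPLE.splitlines(), "example.org").items():
        print(name, "->", *hit)
```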

• First step should be to determine what services are in use
• More and more orgs are moving assets to the cloud one at a time
• Many have only limited deployments with cloud providers, but some have fully embraced the cloud and use it for AD, production assets, security products, and more
• Determine things like AD connectivity, mail gateways, web apps, file storage, etc.
• Traditional host discovery still applies
• After host discovery, resolve all names, then perform whois lookups to determine where they are hosted
• Microsoft, Amazon and Google IP space usually indicates cloud service usage
◇ More later on getting netblock information for each cloud service
• MX records can show cloud-hosted mail providers
• Certificate Transparency (crt.sh)
◇ Monitors and logs digital certs
◇ Creates a public, searchable log
◇ Can help discover additional subdomains
◇ More importantly, you can potentially find more top-level domains (TLDs)!
◇ A single cert can be scoped for multiple domains
• Search engines (Google, Bing, Baidu, DuckDuckGo): site:targetdomain.com -site:www.targetdomain.com
• Shodan.io, Censys.io, ZoomEye.org
◇ Internet-wide port scans
◇ Certificate searches
◇ Shodan query examples:
▪ org:"Target Name"
▪ net:"CIDR Range"
▪ port:"443"
• DNS brute forcing
◇ Performs lookups on a list of potential subdomains
◇ Make sure to use quality lists
◇ SecLists: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
• MX records can help identify cloud services in use
◇ O365 = target-domain.mail.protection.outlook.com
◇ G Suite = google.com | googlemail.com
◇ Proofpoint = pphosted.com
• If you find commonalities between subdomains, try iterating names
• Other services
◇ HackerTarget https://hackertarget.com/
◇ ThreatCrowd https://www.threatcrowd.org/
◇ DNSDumpster https://dnsdumpster.com/
◇ ARIN searches https://whois.arin.net/ui/
▪ Search bar accepts wildcards ("*")
▪ Great for finding other netblocks owned by the same organization
• Azure netblocks
◇ Public: https://www.microsoft.com/en-us/download/details.aspx?id=56519
◇ US Gov: http://www.microsoft.com/en-us/download/details.aspx?id=57063
◇ Germany: http://www.microsoft.com/en-us/download/details.aspx?id=57064
◇ China: http://www.microsoft.com/en-us/download/details.aspx?id=57062
• AWS netblocks
◇ https://ip-ranges.amazonaws.com/ip-ranges.json
• GCP netblocks
◇ Google made it complicated, so there is a script on the next page to get the current IP netblocks.
• Box.com usage
◇ Look for any login portals
▪ https://companyname.account.box.com
◇ Can find cached Box account data too
• Employees
◇ LinkedIn
◇ PowerMeta https://github.com/dafthack/PowerMeta
◇ FOCA https://github.com/ElevenPaths/FOCA
◇ hunter.io

Tools:
• Recon-NG https://github.com/lanmaster53/recon-ng
• OWASP Amass https://github.com/OWASP/Amass
• Spiderfoot https://www.spiderfoot.net/
• Gobuster https://github.com/OJ/gobuster
• Sublist3r https://github.com/aboul3la/Sublist3r

Foothold:
• Find leaked SSH keys with shhgit (shhgit.darkport.co.uk) https://github.com/eth0izzle/shhgit
• GitLeaks https://github.com/zricethezav/gitleaks
• Gitrob https://github.com/michenriksen/gitrob
• Truffle Hog https://github.com/dxa4481/truffleHog

Password attacks:
• Password spraying
◇ Trying one password (e.g. Spring2020) for every user at an org to avoid account lockouts
◇ Most systems have some sort of lockout policy
▪ Example: 5 attempts in 30 mins = lockout
◇ If we attempt to authenticate as each individual username once every 30 mins, we lock out nobody
• Credential stuffing
◇ Using previously breached credentials to exploit password reuse on corporate accounts
◇ People tend to reuse passwords across multiple sites, including corporate accounts
◇ Various breaches end up publicly posted
◇ Search these and try out the creds
◇ Try iterating creds
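The lockout arithmetic above also gives the defender's detection rule: a spray shows up as many distinct users failing from one source inside the lockout window while no single account ever reaches the lockout count, which is exactly what a per-account lockout policy cannot see. Added example (not from the original page) run over constructed sign-in log lines; the log format and the thresholds are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are this example's own choices, matching the lockout example above
# (5 failures in 30 minutes locks an account).
LOCKOUT_ATTEMPTS = 5
WINDOW = timedelta(minutes=30)
MIN_DISTINCT_USERS = 10

def parse(line):
    """Parse one constructed sign-in log line: '<ISO time> <src_ip> <user> <FAIL|OK>'."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_spray(lines):
    """Return {src_ip: distinct_failed_users} for sources whose failures in some
    30-minute window hit many distinct users while no single user reaches the
    lockout count, i.e. exactly the pattern a lockout policy alone never sees."""
    failures = defaultdict(list)  # src_ip -> [(time, user), ...]
    for line in lines:
        ts, ip, user, result = parse(line)
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window from each failure
            per_user = defaultdict(int)
            for t, u in events[i:]:
                if t - start <= WINDOW:
                    per_user[u] += 1
            if len(per_user) >= MIN_DISTINCT_USERS and max(per_user.values()) < LOCKOUT_ATTEMPTS:
                flagged[ip] = max(flagged.get(ip, 0), len(per_user))
    return flagged

# Constructed sample log: one source tries a single password against 12 users
# within minutes (no user reaches 5 failures); another is one user mistyping
# a password three times; a third signs in normally.
SAMPLE_LOG = [f"2024-01-15T09:{i:02d}:00 198.51.100.7 user{i:02d} FAIL" for i in range(12)]
SAMPLE_LOG += ["2024-01-15T09:05:00 203.0.113.9 alice FAIL"] * 3
SAMPLE_LOG += ["2024-01-15T09:06:00 203.0.113.9 alice OK",
               "2024-01-15T09:07:00 192.0.2.44 bob OK"]

if __name__ == "__main__":
    for ip, n in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {n} distinct users failed within 30 minutes")
```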

Web server exploitation
• Out-of-date web technologies with known vulns
• SQL or command injection vulns
• Server-Side Request Forgery (SSRF)
• Good places to start post-shell:
◇ Creds in the metadata service
◇ Certificates
◇ Environment variables
◇ Storage accounts
• Reused access certs as private keys on web servers
◇ Compromise web server
◇ Extract certificate with Mimikatz
◇ Use it to authenticate to Azure
• Mimikatz can export "non-exportable" certificates:
mimikatz# crypto::capi
mimikatz# privilege::debug
mimikatz# crypto::cng
mimikatz# crypto::certificates /systemstore:local_machine /store:my /export

Phishing
• Phishing is still the #1 method of compromise
• Target cloud engineers, developers, DevOps, etc.
• Two primary phishing techniques:
◇ Cred harvesting / session hijacking
◇ Remote workstation compromise with C2
• Cred harvesting attacks are designed to steal creds and/or session cookies
• Can be useful when security protections prevent getting shells
• Email a link to a target employee pointing to a cloned auth portal
◇ Examples: Microsoft Online (O365, Azure, etc.), G Suite, AWS Console
• They auth and get real session cookies… we get them too.

Phishing: Remote Access
• Phish to compromise a user's workstation
• Enables many other options for gaining access to cloud resources
◇ Steal access tokens from disk
◇ Session hijack
◇ Keylog
• Web config and app config files
◇ Commonly found on pentests, and often include cleartext creds
◇ Web apps often need read/write access to cloud storage or DBs
◇ Web.config and app.config files might contain creds or access tokens
◇ Look for management certs and extract them to PFX, as with publishsettings files
◇ Often found in the root folder of the web app
• Internal code repositories
◇ Gold mine for keys
◇ Find internal repos:
▪ A. Port scan internal web services (80, 443, etc.), then use EyeWitness to screenshot each service for quick analysis
▪ B. Query AD for all hostnames and look for names like git, code, repo, bitbucket, gitlab, etc.
◇ Can use automated tools (gitleaks, trufflehog, gitrob) or the built-in search features
▪ Search for AccessKey, AKIA, id_rsa, credentials, secret, password, and token
• Command history
◇ The commands run previously may indicate where to look
◇ Sometimes creds get passed on the command line
◇ Linux shell command history:
▪ ~/.bash_history
◇ PowerShell command history:
▪ %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
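The same indicator list from the code-repository bullets above (AccessKey, AKIA, id_rsa, credentials, secret, password, token) also drives a pre-commit or CI check, so that keys never reach the repository in the first place and the gold mine stays empty. Added example, not part of the original page; the regexes, the placeholder filter and the sample repository contents are constructed for this illustration.

```python
import re

# Patterns for the indicator list above (AccessKey, AKIA, id_rsa, credentials,
# secret, password, token).  The regexes are this example's own; tune per repo.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "keyword_assignment": re.compile(
        r"(?i)\b(access_?key|credentials|secret|password|token)\b\s*[:=]\s*[\"']?([^\s\"';]{6,})"),
}
# Values that are obviously placeholders and should not be reported.
PLACEHOLDER = re.compile(r"(?i)^(changeme|\$\{.*\}|%.*%|<.*>|x{4,}|\*{4,})$")

def scan_text(path, text):
    """Return [(path, line_no, pattern_name, redacted_value)] for every hit in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if PLACEHOLDER.match(value):
                continue
            findings.append((path, no, name, value[:6] + "..."))  # never log the whole secret
    return findings

def scan_files(files):
    """files: {path: content}. Returns all findings across the tree, in path order."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample repository (the AKIA value is the AWS documentation example key).
SAMPLE_REPO = {
    "web.config": '<add name="Db" connectionString="Server=db;User Id=app;Password=Wint3r2024!" />\n',
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nexport TOKEN=${DEPLOY_TOKEN}\n",
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
    "README.md": 'Set password = "<your-password-here>" in the config.\n',
}

if __name__ == "__main__":
    for path, no, name, snippet in scan_files(SAMPLE_REPO):
        print(f"{path}:{no}: {name} ({snippet})")
```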

Post-Compromise Recon
• Who do we have access as?
• What roles do we have?
• Is MFA enabled?
• What can we access (web apps, storage, etc.)?
• Who are the admins?
• How are we going to escalate to admin?
• Any security protections in place (ATP, GuardDuty, etc.)?

Service metadata summary
AWS
http://169.254.169.254/latest/meta-data/
Google Cloud (requests need the header Metadata-Flavor: Google)
http://metadata.google.internal/computeMetadata/v1/*
DigitalOcean
http://169.254.169.254/metadata/v1/*
Docker
http://127.0.0.1:2375/v1.24/containers/json
Kubernetes etcd
http://127.0.0.1:2379/v2/keys/?recursive=true
Alibaba Cloud
http://100.100.100.200/latest/meta-data/*
Microsoft Azure (requests need the header Metadata: true)
http://169.254.169.254/metadata/instance?api-version=2021-02-01

Cloud Labs

AWS Labs
flaws.cloud
flaws2.cloud
https://github.com/OWASP/Serverless-Goat
https://n0j.github.io/2017/10/02/aws-s3-ctf.html
https://github.com/RhinoSecurityLabs/cloudgoat
https://github.com/appsecco/attacking-cloudgoat2
https://github.com/m6a-UdS/dvca
https://github.com/OWASP/DVSA
https://github.com/nccgroup/sadcloud
https://github.com/torque59/AWS-Vulnerable-Lambda
https://github.com/wickett/lambhack
https://github.com/BishopFox/iam-vulnerable

GCP Labs
http://thunder-ctf.cloud/
https://gcpgoat.joshuajebaraj.com/

Azure Labs
https://github.com/azurecitadel/azure-security-lab