Yellow - Cloud
General Cloud
Cloud Basics and design
Cloud Computing for Science and Engineering - Ian Foster, Dennis B. Gannon (🚧 in process)
Designing Distributed Systems (account required)
Cloud Security and Hardening
SANS Cloud Security Checklist - Best practices and references for hardening your cloud infrastructure.
https://github.com/riskprofiler/CloudFrontier - Monitor the internet attack surface of various public cloud environments. Currently supports AWS, GCP, Azure, DigitalOcean and Oracle Cloud.
https://cloudsecdocs.com/ - Great page with tons of detail on cloud and container security
https://cloudsecwiki.com/ - Handy page with a few resources and hardening tips for cloud deployments.
Cloud Pen Testing
https://github.com/CyberSecurityUP/Awesome-Cloud-PenTest - Huge collection of different offensive cloud tools and resources.
https://hackingthe.cloud/ - Solid resource for cloud pentesting methodology and tooling.
https://github.com/dafthack/CloudPentestCheatsheets - This repository contains a collection of cheatsheets I have put together for tools related to pentesting organizations that leverage cloud providers.
Hacking: The next generation - Cloud Insecurity: Sharing the cloud with your enemy, pg. 121
Multi-Cloud Tools
Enumeration and Auditing
cloudfox - CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
cloud-enum - enumerates public resources matching user requested keywords in public clouds
ScoutSuite - Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
SkyArk - SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
PMapper - Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.
gitoops - GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls.
cloudbrute - This package contains a tool to find a company (target) infrastructure, files, and apps on the top cloud providers
Offensive Frameworks
cloudsploit - CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
serverless-prey - Serverless Prey is a collection of serverless functions (FaaS), that, once launched to a cloud environment and invoked, establish a TCP reverse shell, enabling the user to introspect the underlying container:
General Cloud Training Resources
Azure and O365 - The Microsoft Cloud Environment
Basics
Reference Docs
https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement - Azure Pentesting Rules of Engagement
https://azurerange.azurewebsites.net/ - Azure IP Ranges
https://www.cloudconformity.com/knowledge-base/azure/ - Azure Best Practices
Azure Tasks
Azure Training
The Developer’s Guide to Azure - Great free traing from Microsoft
Learn Azure in a Month of Lunches - Iain Foulds (PDF)
Azure for Architects, Third Edition (PDF) (email address or account required)
Azure Functions Succinctly, Syncfusion (PDF, Kindle) (email address requested, not required)
Azure CLI
Operator Handbook: Azure CLI - pg. 39
Misc Azure Commands
Find if target org has Azure AD
Insert the username of your target in the URL below.
Azure AD
https://aadinternals.com/osint/ - This Open-source Intelligence (OSINT) tool will extract openly available information for the given tenant. The tool is using APIs mentioned in my previous blog post and in MS Graph API documentation.
Sentinel - The Azure SIEM
Azure Sentinel and Jupyter Notebooks
KQL - Kusto Query Language and Azure Sentinel
Azure Defender
Azure Pentesting Guides
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md - Huge collection of tools, commands, and methodology.
https://pentestbook.six2dez.com/enumeration/cloud/azure - Great personal gitbook with tools, commands and steps for enumerating and exploiting Azure.
https://github.com/LennonCMJ/pentest_script/blob/master/Azure_Testing.md - Guide and reference documents for testing Azure security.
Attacking Azure AD
Offensive Techniques
Abusing Azure AD SSO with the Primary Refresh Token: Most corporate devices have Primary Refresh Tokens - long term tokens stored on your laptop or other AD connected resources - for Single Sign On (SSO) against on-prem and Azure AD connected resources. See Dirk-jan Mollema's blog goes over abusing these tokens, which you can access if you have code execution on a target or on your laptop that is Azure AD joined.
Attacking Azure Cloud Shell by Karl Fosaaen: Leveraging Azure Cloud Shell storage files with subscription contributor permissions to perform cross-account command execution and privilege escalation.
Nuking all Azure Resource Groups under all Azure Subscriptions by Kinnaird McQuade(@kmcquade3): How to abuse Azure Resource hierarchy and tenant-wide god-mode Service Principals to nuke an entire Azure environment.
Privilege Escalation and Lateral Movement on Azure by Hila Cohen (@hilaco10): some techniques for how a red team can gain a foothold in an Azure environment, escalate their privileges, and move laterally inside Azure infrastructure by using the Azure RBAC module and common Azure misconfigurations.
Privilege Escalation in Azure AD by Jan Geisbauer (@janvonkirchheim): a breakdown of how Azure security principals (aka Enterprise applications) vs application objects (aka application registrations) and their associated permissions can be abused to impersonate an application.
Privilege Escalation and Lateral Movement on Azure: some techniques for how a red team can gain a foothold in an Azure environment, escalate their privileges, and move laterally inside Azure infrastructure by using the Azure RBAC module and common Azure misconfigurations.
Operator Handbook: Azure_Exploit- pg. 44
Tools
Offensive
Recon and Enumeration
BlobHunter - An opensource tool for scanning Azure blob storage accounts for publicly opened blobs.
o365recon - Script to retrieve information via O365 with a valid cred
Get-AzureADPSPermissionGrants.ps1 - Lists delegated permission grants (OAuth2PermissionGrants) and application permissions grants (AppRoleAssignments) granted to an app.
Exploitation frameworks
PowerZure - PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.
MicroBurst: A PowerShell Toolkit for Attacking Azure - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.
lava - Microsoft Azure Exploitation Framework
XMGoat - An open source tool with the purpose of teaching penetration testers, red teamers, security consultants, and cloud experts how to abuse different misconfigurations within the Azure environment. In this way, you learn about common Azure security issues.
Azure AD Exploitation tools
AADInternals - AADInternals is PowerShell module for administering Azure AD and Office 365
Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects
ROADtools - ROADtools is a framework to interact with Azure AD.
adconnectdump - Azure AD Connect password extraction
TeamFiltration - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
For Password Spraying
First check if the accounts is valid. https://github.com/LMGsec/o365creeper
Perform password spraying attack: MailSniper - MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
o365spray - o365spray ia a username enumeration and password spraying tool aimed at Microsoft Office 365 (O365).
Defensive
Logging and Alerting
Azure security logging and auditing: Azure provides a wide array of configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms.
Azure Security Center - Alerts Reference Guide: This article lists the security alerts you might get from Azure Security Center and any Azure Defender plans you've enabled.
Security Auditing and Hardening
CRT - Crowdstrike Reporting Tool for Azure: This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments.
AzureADRecon - AzureADRecon is a tool which gathers information about the Azure Active Directory and generates a report which can provide a holistic picture of the current state of the target environment.
ROADTools - ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool.
azucar - Security auditing tool for Azure environments
AzureADAssessment - Tooling for assessing an Azure AD tenant state and configuration
DFIR
AzureHunter - A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365
Sparrow - Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
hawk - Powershell Based tool for gathering information related to O365 intrusions and potential Breaches
DFIR-O365RC - The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations.
Azure-AD-Incident-Response-PowerShell-Module - The Azure Active Directory Incident Response PowerShell module provides a number of tools, developed by the Azure Active Directory Product Group in conjunction with the Microsoft Detection and Response Team (DART), to assist in compromise response.
AWS - Amazon Cloud Services
Basics
Reference Docs
https://ip-ranges.amazonaws.com/ip-ranges.json - AWS IP Ranges
amazon-ec2-user-guide - The open source version of the Amazon EC2 User Guide for Linux.
AWS Well-Architected Framework (PDF, HTML)
Best practices and hardening
https://www.cloudconformity.com/knowledge-base/aws/ - AWS Best Pratices
Operator Handbook: AWS Terms- pg. 35
AWS CLI
Operator Handbook: AWS CLI - pg. 20
AWS Pentesting Guides
Operator Handbook: AWS Tips and tricks- pg. 20
The Hacker Playbook 3: Cloud Recon and Enumeration - pg. 37
AWS Services and their Attack Surfaces
AWS Service | Attack Surface |
---|---|
EC2 | EC2 does in fact have a public attack surface similar to traditional physical infrastructure. Vulnerabilities that affect the OS will manifest exactly as they would on their hardware based counterpart. Things start to differ when you deal with anything that interacts with the local network or system. A vulnerability allowing command execution may allow an attacker to move laterally if configured with STS. Access tokens may also be stolen with SSRF vulnerabilities by reaching out to metadata IP addresses. More information: EC2 Pentesting in Depth |
S3 | S3 requires careful consideration for bucket-level and object-level permissions. The S3 bucket itself can grant permissions to ‘Everyone’ or ‘Authenticated Users’. The ‘Authenticated Users’ permissions will grant access to all AWS users. Because of this a pentester must check both anonymous permissions as well as semi-public permissions with their own access tokens. More information: S3 Pentesting in Depth |
ELB/ALB | Did you know an ELB can introduce HTTP Request Smuggling? This commonly overlooked configuration can allow attackers to inject requests into other user’s sessions. |
SNS/SQS | Misconfigured topics or queues can allow unauthorized users to subscribe to topics or push messages to queues. Testing of this can be done with the AWS CLI. |
RDS/Aurora/Redshift | Databases on AWS are relatively straightforward, although a penetration test should check for databases configured with public access. |
EBS | EBS volumes can be made publicly available. The AWS CLI can be used to verify if EBS snapshots are publicly accessible. |
Cognito Authentication | An AWS pentest should determine if the Cognito configuration is appropriate for intended application behavior. This includes checking for self-signups, and enabling advanced security. |
Tools
Offensive Tools
Enumeration and scanning
Bucket_finder - Tool for finding and exploiting Amazon buckets.
bucket-stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs.
S3Scanner - Scan for open S3 buckets and dump the contents
Offensive Frameworks
PACU - Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments.
Operator Handbook: Pacu- pg. 31
Nimbostratus - Tools for fingerprinting and exploiting Amazon cloud infrastructures.
Operator Handbook: Nimbostratus - pg. 30
weirdAAL - WeirdAAL (AWS Attack Library)
Defensive tools
Arsenal of AWS Tools - Tool collection of cloud security researcher Toni de la Fuente
aws-security-toolbox - The above toolkit but in a portable docker container
aws-forensic-tools - Forensic toolkit made by the same researcher
Security Assessment and Hardening
Cloudsplaining - Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
Prowler - Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
cloudsploit - Cloud Security Posture Management (CSPM)
cloudmapper - CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
cloudtracker - CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
aws-recon - Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata.
review-security-groups - A small set of scripts to summarize AWS Security Groups, and generate visualizations of the rules.
cloudtrail2sightings - Convert cloudtrail data to MITRE ATT&CK Sightings
DFIR
aws_ir - Python installable command line utility for mitigation of host and key compromises.
acquire-aws-ec2 - Handy script for capturing EC2 instances in IR scenarios
https://www.chrisfarris.com/post/aws-ir/ - Incident Response in AWS
Threat Hunting
https://github.com/schwartz1375/aws - Repo for threat hunting in AWS.
AWS Training
Gcloud
Guides and Reference
https://support.google.com/cloud/answer/6262505?hl=en - Google rules on pentesting
Operator Handbook: GCP CLI - pg. 70
Operator Handbook: GCP Exploit - pg. 75
Last updated