Cloud Pentesting

My notes will be a bit hap-hazard until I get my head around pentesting the cloud

account

A formal relationship with AWS that is associated with all of the following:

  • The owner email address and password

  • The control of resources created under its umbrella

  • Payment for the AWS activity related to those resources

allow

One of two possible outcomes (the other is deny) when an IAM access policy is evaluated. When a user makes a request to AWS, AWS evaluates the request based on all permissions that apply to the user and then returns either allow or deny.

AssumeRolePolicy

A synonym for the Trust policy.

group

A collection of IAM users. You can use IAM groups to simplify specifying and managing permissions for multiple users.

NotAction

An advanced policy element that explicitly matches everything except the specified list of actions.

permission

A statement within a policy that allows or denies access to a particular resource. You can state any permission like this: "A has permission to do B to C." For example, Jane (A) has permission to read messages (B) from John's Amazon SQS queue (C). Whenever Jane sends a request to Amazon SQS to use John's queue, the service checks to see if she has permission. It further checks to see if the request satisfies the conditions John set forth in the permission.

policy

For IAM: A document defining permissions that apply to a user, group, or role; the permissions in turn determine what users can do in AWS. A policy typically allows access to specific actions, and can optionally grant that the actions are allowed for specific resources, like EC2 instances, Amazon S3 buckets, and so on. Policies can also explicitly deny access.

principal

The user, service, or account that receives permissions that are defined in a policy. The principal is A in the statement "A has permission to do B to C."

resource

An entity that users can work within AWS, such as an EC2 instance, an Amazon DynamoDB table, an Amazon S3 bucket, an IAM user, an AWS OpsWorks stack, and so on.

role

A tool for giving temporary access to AWS resources in your AWS account.

Trust policy

An IAM policy that is an inherent part of an IAM role. The trust policy specifies which principals are allowed to use the role. (Synonym for AssumeRolePolicy).

user

A person or application under an account that needs to make API calls to AWS products. Each user has a unique name within the AWS account, and a set of security credentials not shared with other users. These credentials are separate from the AWS account's security credentials. Each user is associated with one and only one AWS account.

versioning

Every object in Amazon S3 has a key and a version ID. Objects with the same key, but different version IDs can be stored in the same bucket. Versioning is enabled at the bucket layer using PUT Bucket versioning.

AWS Penetration Testing Checklist

1-Test for Unauthenticated Bucket Access

2-Test for Semi-Public Bucket access - Improper AC permission

3-Targeting and compromising AWS Access keys in git commit

4-Test for Extracting keys from an EC2 instance

5-Exploiting AWNS Security Misconfigurations

6-Testing to exploit EZ instance

7-Exploiting Internal AWS Services using Lambda backdoors

8-Test for Subdomain Takeover

9-Testing for AWS tam Privilege Escalation

10-Test for RCE attack

11-Test for AWS Role Enumeration(IAM)

12-Test for EC2 service to exploit privilege escalation

13-Test for AWS am enumeration : Bypassing CloudTratl Logging

14-Test for BitBuckted Server data for credentials in AWS

15-DNS rebinding to compromise the cloud environment

16-Test for Change of local windows / Linux logs

17-Test to Create jobs or serverless actions to add root certificates and ssh private keys to machines and users (such as AWS lambda)

18-Test to Create an additional interface / assign an IP address in target network / subnet on a compromised machine (ltke assigning a secondary private IPv4 address or interface to an AWS EC2 instance

19-Steal virtual machine images from storage accounts, analyze them for passwords, keys and certificates to access live systems (like VM VHD snapshots from storage accounts)

20-Test to Gain OS level access to Instances/VMs via workload management service privileges (AWS SSM)

21-Create systems management commands or abuse instance metadata for scheduled and triggered command and control (ANS systems manager, modify EC2 UserData to trigger a reverse shell)

22-Test to Run or deploy a workload with an assigned/passed service or role, export instance credentials for those privileges (such as EC2 passed role and meta credentials)

23-Fingerprint server and application versions and frameworks, detect sensitive PI in application logs

24-Test for CV injection in ANS CloudTratl

25-Tested for AWS secrets accessible via meta-data

26-Attempt load balancer MiTM for session hijacking (elb) by cloud service configuration or load balancer instance compromise

27-Steal credentials from metadata of proxy or http forwarding servers (credentials in AWS meta 28-Steal cloud workload credentials (ANS metadata sts or Azure Linux Agent (waagent) folder credentials)

29-Steal credentials from or leverage privilege to operation of a cloud key service (aws kms, azure key vault

30-Alter data in datastore for fraudulent transactions or static website compromise (s3, rds, redshift)

31-Alter a serverless function, logic app or otherwise a business logic implementation for action on objective or escalation (ANS lambda orAzure logic apps)

32-Alter data in local sql or mysql databases

33-Operate in regions where logging is not enabled or disable global logging (like CloudTrail)

34-Alter log files in a non-validated log store or disable validation (like cloud trail log validation) 35-Tesed for Disable network traffic analysis / logging (VPC flowlogs)

36-Tesed for Disable cloud alerting to prevent detection and response (like cloudwatch alerts, GuardDuty, Security Hub, or Azure Security Center)

37-Tesed for Disable data store access logging to prevent detection and response (cloudtratn data access, s3 access logging, redshift user activity)

38-Alter log retention or damage the integrity of logs (s3 lifecycle, kms decryption cmk key deletton/role privilege lockout)

39-Process hooking, process injection, windows access token manipulation, leveraging misconfigured sudo capabilities

40-Test to Create or reset a login, access key or temporary credential belonging to a high privilege user (like tam: CreateAccesskey, sts or tam:UpdateLoginProftle)

41-Test to Change the default policy for a user or new users to include additional privileges (like setdefault-policy-verston) @ Tushar Verma

PACU

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.

python3 pacu.py
set_keys

Enumerate IAM entities using the iam__enum_users_roles_policies_groups

This is the future of pentesting in my opinion and there is not a lot of courses/material covering this area.

I'll endeavor to add updates when I know more.

CloudEnum

Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.

https://github.com/initstring/cloud_enum

What is Cloud Pen Testing and why is it different?

https://www.youtube.com/watch?v=lOhvIooWzOg&feature=youtu.be
sts get-caller-identity (whoami?)
iam list-groups-for-user (what groups am I a part of?)
iam list-group-policies (what policies are attached to those groups?)
iam get-policy (what statements compose these policies?)
iam get-policy-version (what statements compose these policies?)
iam list-user-policies (what are the inline policies for this user?)
iam get-user-policy (what statements compose these policies?)
iam list-attached-user-policies (what policies are attached to this user?)

Tools

actions2aws Assume AWS IAM roles from GitHub Actions workflows with no stored secrets. rpCheckup rpCheckup is an AWS resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources. policy-compliance-scan A GitHub action that scans Azure resources for policy violations.

iamlive Generate basic AWS IAM policies using client-side monitoring of calls made from the AWS CLI or SDKs. iam-role-enumeration Another way to enumerate AWS IAM users/roles without being authenticated to the victim account. cloudlist Cloudlist is a tool for listing Assets (Hostnames, IP Addresses) from multiple Cloud Providers. kctf kCTF is a Kubernetes-based infrastructure for CTF competitions.

Last updated