Pentesting Cloud Methodology

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Basic Methodology

Every cloud has its own peculiarities, but in general there are a few common things a pentester should check when testing a cloud environment:

  • Benchmark checks

    • This will help you understand the size of the environment and the services in use

    • It will also let you find some misconfigurations quickly, since most of these checks can be run with automated tools

  • Service enumeration

    • You probably won't find many more misconfigurations here if you ran the benchmark checks correctly, but you may find some that were not covered by those checks.

    • This lets you know exactly what is in use in the cloud environment

    • This helps a lot with the following steps

  • Check exposed assets

    • This can be done during the previous section; you need to discover everything that is somehow exposed to the Internet and how it can be accessed.

    • Here I'm thinking of manually deployed infrastructure such as instances with web pages or other exposed ports, and also of cloud-managed services that can be configured to be exposed (such as DBs or buckets)

    • Then you should check whether that resource can be compromised or not (confidential information? vulnerabilities? misconfigurations in the exposed service?)

  • Check permissions

    • Here you should discover all the permissions of every role/user inside the cloud and how they are used

    • Too many highly privileged (control everything) accounts? Generated keys that are never used?... Most of these checks should already have been done in the benchmark checks

    • If the client is using OpenID, SAML or another federation you may need to ask them for more information about how each role is assigned (it's not the same if the admin role is assigned to 1 user or to 100)

    • It's not enough to find out which users have "*:*" admin permissions. There are many other permissions that, depending on the services in use, can be very sensitive.

    • Moreover, there are potential privesc paths that can be followed by abusing permissions. All of these things should be taken into account and as many privesc paths as possible should be reported.

  • Check integrations

    • It's highly likely that integrations with other clouds or SaaS are being used inside the cloud environment.

    • For integrations of the cloud you are auditing with other platforms, you should notify who has access to (abuse) that integration and you should ask how sensitive the action being performed is. For example, who can write to an AWS bucket from which GCP is getting data (ask how sensitive the action in GCP treating that data is).

    • For integrations inside the cloud you are auditing from external platforms, you should ask who has external access to (abuse) that integration and check how that data is being used. For example, if a service is using a Docker image hosted in GCR, you should ask who has access to modify it and what sensitive information and access that image will get when executed inside an AWS cloud.
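The "Check permissions" items above (full admins, other sensitive permissions, keys that are generated but never used) can be triaged offline once you have pulled the IAM policies and the credential report. The following script is an added example, not code from HackTricks or from any of the tools listed on this page. It assumes two hypothetical input shapes: a dict of user name to the list of IAM policy documents attached to that user, and the CSV text of an AWS IAM credential report (the column names used are the real ones from `aws iam get-credential-report`, but the sample rows and the account ID are constructed). The privesc-sensitive action list is an illustrative, non-exhaustive subset; statements that grant those actions only under a Condition are reported separately rather than dropped, because a Condition narrows the grant but does not make it safe.

```python
# Added example for offline triage of an IAM snapshot; not HackTricks code.
# Inputs are assumed shapes: user -> [policy documents], and credential-report CSV.
import csv
import io
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Illustrative, non-exhaustive subset of IAM actions commonly abused for
# privilege escalation; extend it for the services the target actually uses.
PRIVESC_ACTIONS = {
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "iam:PassRole",
    "sts:AssumeRole", "lambda:CreateFunction", "lambda:UpdateFunctionCode",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Split Allow statements' Action patterns into unconditional and conditional
    sets. Deny/NotAction and Resource scoping are ignored, so this is an upper
    bound that still needs manual review."""
    plain, conditional = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        target = conditional if "Condition" in stmt else plain
        target.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return plain, conditional


def classify_user(policies):
    """Flag full admins ("*" or "*:*") and privesc-sensitive actions per user."""
    plain, conditional = set(), set()
    for policy in policies:
        p, c = allowed_actions(policy)
        plain |= p
        conditional |= c

    def hits(patterns):
        # IAM wildcards (* and ?) follow fnmatch semantics; compare lower-cased.
        return {a for a in PRIVESC_ACTIONS
                if any(fnmatchcase(a.lower(), pat) for pat in patterns)}

    direct = hits(plain)
    return {
        "admin": bool(plain & {"*", "*:*"}),
        "privesc": sorted(direct),
        "conditional_privesc": sorted(hits(conditional) - direct),
    }


def credential_findings(report_csv, now, max_key_age_days=90):
    """Console users without MFA, active keys never used, active keys too old."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] == "false":
            findings.append((user, "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if row[f"access_key_{n}_last_used_date"] == "N/A":
                findings.append((user, f"access key {n} active but never used"))
            rotated = row[f"access_key_{n}_last_rotated"]
            if rotated != "N/A":
                age = now - datetime.fromisoformat(rotated.replace("Z", "+00:00"))
                if age.days > max_key_age_days:
                    findings.append((user, f"access key {n} is {age.days} days old"))
    return findings


# Constructed sample data (not from a real account).
SAMPLE_USERS = {
    "alice": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    "bob": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"}]}],
    "carol": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}],
}
# Credential report trimmed to the columns used here; the real report has more.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,true,false,true,2023-01-10T09:00:00+00:00,N/A,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,false,false,true,2024-05-01T12:00:00+00:00,2024-05-20T08:00:00+00:00,false,N/A,N/A
carol,arn:aws:iam::123456789012:user/carol,true,true,false,N/A,N/A,false,N/A,N/A
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def triage(users=SAMPLE_USERS, report_csv=SAMPLE_REPORT, now=NOW):
    return {
        "permissions": {u: classify_user(p) for u, p in users.items()},
        "credentials": credential_findings(report_csv, now),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

With the sample data, `alice` is a full admin, `bob` gets every `iam:*` privesc action through the wildcard without being an admin, and `carol` only shows up as a conditional `iam:PassRole` that should be reviewed by hand. The credential report yields three findings, all for `alice` (console access without MFA, a key that was never used, and a key that was never rotated).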

Multi-Cloud Tools

There are several tools that can be used to test different cloud environments. The installation steps and links are indicated in this section.

PurplePanda

Tool to identify bad configurations and privesc paths in clouds and across clouds/SaaS.

# You need to install and run neo4j also
git clone https://github.com/carlospolop/PurplePanda
cd PurplePanda
python3 -m venv .
source bin/activate
python3 -m pip install -r requirements.txt
export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687"
export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda"
python3 main.py -h # Get help


export GOOGLE_DISCOVERY=$(echo 'google:
- file_path: ""

- file_path: ""
  service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)

python3 main.py -a -p google # Get basic info of the account to check it's correctly configured
python3 main.py -e -p google # Enumerate the env

Prowler

It supports AWS, GCP & Azure. Check how to configure each provider in https://docs.prowler.cloud/en/latest/#aws

# Install
pip install prowler
prowler -v

# Run
prowler <provider>
# Example
prowler aws --profile custom-profile [-M csv json json-asff html]

# Get info about checks & services
prowler <provider> --list-checks
prowler <provider> --list-services

CloudSploit

AWS, Azure, Github, Google, Oracle, Alibaba

# Install
git clone https://github.com/aquasecurity/cloudsploit.git
cd cloudsploit
npm install
./index.js -h
## Docker instructions in github


## You need to have creds for a service account and set them in config.js file
./index.js --cloud google --config </abs/path/to/config.js>

ScoutSuite

AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure

mkdir scout; cd scout
virtualenv -p python3 venv
source venv/bin/activate
pip install scoutsuite
scout --help
## Using Docker: https://github.com/nccgroup/ScoutSuite/wiki/Docker-Image


scout gcp --report-dir /tmp/gcp --user-account --all-projects
## use "--service-account KEY_FILE" instead of "--user-account" to use a service account

SCOUT_FOLDER_REPORT="/tmp"
for pid in $(gcloud projects list --format="value(projectId)"); do
echo "================================================"
echo "Checking $pid"
mkdir "$SCOUT_FOLDER_REPORT/$pid"
scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid"
done

Steampipe

Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:

brew tap turbot/tap
brew install steampipe


# Install gcp plugin
steampipe plugin install gcp

# Use https://github.com/turbot/steampipe-mod-gcp-compliance.git
git clone https://github.com/turbot/steampipe-mod-gcp-compliance.git
cd steampipe-mod-gcp-compliance
# To run all the checks from the dashboard
steampipe dashboard
# To run all the checks from the cli
steampipe check all

Check All Projects

To check all the projects you need to generate the gcp.spc file indicating all the projects to test. You can just follow the instructions from the following script

FILEPATH="/tmp/gcp.spc"
rm -rf "$FILEPATH" 2>/dev/null

# Generate a json like object for each project
for pid in $(gcloud projects list --format="value(projectId)"); do
echo "connection \"gcp_$(echo -n $pid | tr "-" "_" )\" {
plugin  = \"gcp\"
project = \"$pid\"
}" >> "$FILEPATH"
done

# Generate the aggregator connection to call
echo 'connection "gcp_all" {
plugin      = "gcp"
type        = "aggregator"
connections = ["gcp_*"]
}' >> "$FILEPATH"

echo "Copy $FILEPATH in ~/.steampipe/config/gcp.spc if it was correctly generated"

To check other GCP insights (useful for enumerating services) use: https://github.com/turbot/steampipe-mod-gcp-insights

To check GCP Terraform code: https://github.com/turbot/steampipe-mod-terraform-gcp-compliance

More Steampipe plugins for GCP: https://github.com/turbot?q=gcp

# Install aws plugin
steampipe plugin install aws

# Modify the spec indicating in "profile" the profile name to use
nano ~/.steampipe/config/aws.spc

# Get some info on how the AWS account is being used
git clone https://github.com/turbot/steampipe-mod-aws-insights.git
cd steampipe-mod-aws-insights
steampipe dashboard

# Get the services exposed to the internet
git clone https://github.com/turbot/steampipe-mod-aws-perimeter.git
cd steampipe-mod-aws-perimeter
steampipe dashboard

# Run the benchmarks
git clone https://github.com/turbot/steampipe-mod-aws-compliance
cd steampipe-mod-aws-compliance
steampipe dashboard # To see results in browser
steampipe check all --export=/tmp/output4.json

To check AWS Terraform code: https://github.com/turbot/steampipe-mod-terraform-aws-compliance

More Steampipe plugins for AWS: https://github.com/orgs/turbot/repositories?q=aws

AWS, GCP, Azure, DigitalOcean. It requires python2.7 and looks unmaintained.

Nessus

Nessus has a Cloud Infrastructure Audit scan supporting: AWS, Azure, Office 365, Rackspace, Salesforce. Some extra configuration in Azure is needed to obtain a Client Id.

Cloudlist

Cloudlist is a multi-cloud tool for getting Assets (Hostnames, IP Addresses) from Cloud Providers.

cd /tmp
wget https://github.com/projectdiscovery/cloudlist/releases/latest/download/cloudlist_1.0.1_macOS_arm64.zip
unzip cloudlist_1.0.1_macOS_arm64.zip
chmod +x cloudlist
sudo mv cloudlist /usr/local/bin
## For GCP it requires service account JSON credentials
cloudlist -config </path/to/config>

Cartography

Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.

# Installation
docker image pull ghcr.io/lyft/cartography
docker run --platform linux/amd64 ghcr.io/lyft/cartography cartography --help
## Install a Neo4j DB version 3.5.*


docker run --platform linux/amd64 \
--volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \
-e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \
-e NEO4j_PASSWORD="s3cr3t" \
ghcr.io/lyft/cartography  \
--neo4j-uri bolt://host.docker.internal:7687 \
--neo4j-password-env-var NEO4j_PASSWORD \
--neo4j-user neo4j


# It only checks for a few services inside GCP (https://lyft.github.io/cartography/modules/gcp/index.html)
## Cloud Resource Manager
## Compute
## DNS
## Storage
## Google Kubernetes Engine
### If you can run starbase or purplepanda you will get more info

Starbase

Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.

# You are going to need Node version 14, so install nvm following https://tecadmin.net/install-nvm-macos-with-homebrew/
npm install --global yarn
nvm install 14
git clone https://github.com/JupiterOne/starbase.git
cd starbase
nvm use 14
yarn install
yarn starbase --help
# Configure manually config.yaml depending on the env to analyze
yarn starbase setup
yarn starbase run

# Docker
git clone https://github.com/JupiterOne/starbase.git
cd starbase
cp config.yaml.example config.yaml
# Configure manually config.yaml depending on the env to analyze
docker build --no-cache -t starbase:latest .
docker-compose run starbase setup
docker-compose run starbase run


## Config for GCP
### Check out: https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md
### It requires service account credentials

integrations:
  -
    name: graph-google-cloud
    instanceId: testInstanceId
    directory: ./.integrations/graph-google-cloud
    gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
    config:
      SERVICE_ACCOUNT_KEY_FILE: '{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}'
      PROJECT_ID: ""
      FOLDER_ID: ""
      ORGANIZATION_ID: ""
      CONFIGURE_ORGANIZATION_PROJECTS: false

storage:
  engine: neo4j
  config:
    username: neo4j
    password: s3cr3t
    uri: bolt://localhost:7687
    # Consider using host.docker.internal if running from docker

SkyArk

Discover the most privileged users in the scanned AWS or Azure environment, including the AWS Shadow Admins. It uses powershell.

Import-Module .\SkyArk.ps1 -force
Start-AzureStealth

# in the Cloud Console
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
Scan-AzureAdmins

Tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).

  • CloudFox is a tool to find exploitable attack paths in cloud infrastructure (currently only AWS & Azure are supported, with GCP upcoming).

  • It is an enumeration tool intended to complement manual pentesting.

  • It doesn't create or modify any data within the cloud environment.

More lists of cloud security tools

Google

GCP

GCP Pentesting

Workspace

GWS - Workspace Pentesting

AWS

AWS Pentesting

Azure

Azure Pentesting

Attack Graph

Stormspotter creates an "attack graph" of the resources in an Azure subscription. It lets red teams and pentesters visualize the attack surface and pivot opportunities within a tenant, and helps defenders quickly orient and prioritize incident response work.

Office365

You need Global Admin or at least Global Admin Reader (but note that Global Admin Reader is a little limited). However, those limitations appear in some PS modules and can be bypassed by accessing the features via the web application.
