Pentesting Cloud Methodology
Basic Methodology
Each cloud has its own peculiarities, but in general there are a few common things a pentester should check when testing a cloud environment:
Benchmark checks
This will help you understand the size of the environment and the services in use.
It will also let you find some misconfigurations quickly, since most of these tests can be run with automated tools.
Services enumeration
You probably won't find many more misconfigurations here if you ran the benchmark checks correctly, but you may find some that the benchmark tools were not looking for.
This lets you know exactly what is being used in the cloud environment.
It will help a lot in the next steps.
Check exposed assets
This can be done during the previous step: you need to find out everything that is potentially exposed to the Internet in some way and how it can be reached.
Here I mean manually exposed infrastructure such as instances with web pages or other open ports, as well as cloud-managed services that can be configured to be exposed (such as databases or buckets).
Then you should check whether that resource should be exposed at all (confidential information? vulnerabilities? misconfigurations in the exposed service?).
Check permissions
Here you should find out all the permissions of each role/user inside the cloud and how they are used.
Too many highly privileged accounts (that control everything)? Generated keys that are never used? Most of these checks should already have been done in the benchmark step.
If the client uses OpenID, SAML or another federation, you may need to ask them for more information about how each role is assigned (it is not the same if the admin role is assigned to 1 user or to 100).
It is not enough to find which users have admin permissions ("*:*"). There are many other permissions that, depending on the services in use, can be very sensitive.
Moreover, there are potential privesc paths that abuse permissions. All of this should be taken into account and as many privesc paths as possible should be reported.
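As an added example (not code from the original page nor from any of the tools listed below), the following Python script performs the "exposed assets" and "permissions" checks above offline against constructed sample policy documents: it flags a resource policy (here an S3 bucket policy) that is open to anonymous principals, flags identity policies that grant "*" on "*", and looks for well-known IAM privilege-escalation primitives such as iam:PassRole combined with lambda:CreateFunction, which a plain "*:*" search would miss. The account ID, bucket name and the small privesc-combo table are illustrative assumptions; a real assessment would feed it the policies pulled from the account and would also evaluate Deny statements, NotAction and resource constraints, which this example deliberately leaves out.

```python
"""Offline policy checks for the 'exposed assets' and 'permissions' steps.

Added example; the policies below are constructed samples and the privesc
table is a small illustrative subset of known IAM privesc primitives.
"""
import fnmatch
import json

# Constructed sample: bucket policy that lets anyone on the Internet read objects.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-assets/*",
    }],
})

# Constructed sample: identity policy with no "*:*", yet PassRole + CreateFunction
# lets the principal run code as any role matching lambda-* (a privesc path if
# one of those roles is more privileged than the caller).
DEV_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/lambda-*"},
    ],
})

# Constructed sample: the classic "*:*" administrator policy.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Illustrative subset of privesc primitives: each set of actions, held together,
# lets a principal gain more than it was granted.
PRIVESC_COMBOS = {
    "iam:CreatePolicyVersion": {"iam:CreatePolicyVersion"},
    "iam:AttachUserPolicy": {"iam:AttachUserPolicy"},
    "iam:UpdateAssumeRolePolicy": {"iam:UpdateAssumeRolePolicy"},
    "iam:PassRole + lambda:CreateFunction": {"iam:PassRole", "lambda:CreateFunction"},
    "iam:PassRole + ec2:RunInstances": {"iam:PassRole", "ec2:RunInstances"},
}


def _as_list(value):
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_json):
    doc = json.loads(policy_json)
    return [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy_json):
    """All action patterns granted by Allow statements (resource scope ignored)."""
    return {a for s in _allow_statements(policy_json) for a in _as_list(s.get("Action"))}


def is_public(resource_policy_json):
    """True if an Allow statement names an anonymous principal and has no Condition.

    Statements with a Condition are not automatically safe (e.g. aws:SecureTransport
    still allows the world); they are left for manual review.
    """
    for s in _allow_statements(resource_policy_json):
        principal = s.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if anonymous and not s.get("Condition"):
            return True
    return False


def is_admin(policy_json):
    """True when some statement grants every action on every resource."""
    return any("*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource"))
               for s in _allow_statements(policy_json))


def privesc_paths(policy_json):
    """Names of privesc combos whose every action is covered by a granted pattern."""
    patterns = allowed_actions(policy_json)
    return sorted(name for name, needed in PRIVESC_COMBOS.items()
                  if all(any(_action_matches(p, a) for p in patterns) for a in needed))


if __name__ == "__main__":
    print("bucket public:", is_public(PUBLIC_BUCKET_POLICY))
    for label, pol in (("dev", DEV_POLICY), ("admin", ADMIN_POLICY)):
        print(label, "admin:", is_admin(pol), "privesc:", privesc_paths(pol))
```

The dev policy is the interesting case: it never grants "*" on anything, so a search for admin wildcards returns nothing, yet iam:PassRole plus lambda:CreateFunction is enough to execute code under any role matching the PassRole resource pattern.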
Check integrations
It is very likely that integrations with other clouds or SaaS are being used inside the cloud environment.
For integrations of the cloud you are auditing with another platform, you should report who has access to (ab)use that integration and ask how sensitive the action being performed is. For example, who can write to the AWS bucket that GCP reads data from (and ask how sensitive the processing GCP does with that data is).
For integrations into the cloud you are auditing from external platforms, you should ask who has external access to (ab)use that integration and check how that data is used. For example, if a service uses a Docker image hosted in GCR, you should ask who can modify it and what sensitive information and access that image will get when it is executed inside the AWS cloud.
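The question "who can (ab)use this integration" often reduces to a role trust policy. As an added example (not from the original page nor from any listed tool), this Python script reviews constructed sample trust policies for the three trust relationships that most often hand a role to more parties than intended: an anonymous principal, a cross-account root trust without sts:ExternalId (the confused-deputy case), and a GitHub Actions OIDC trust whose sub condition is missing or org-wide. The account IDs, provider ARN and repository names are placeholders; the check runs offline on the embedded JSON.

```python
"""Trust-policy review for the 'integrations' step.

Added example; the trust policies below are constructed samples with
placeholder account IDs and repository names.
"""
import json

ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithwebidentity", "sts:assumerolewithsaml"}
GITHUB_ISSUER = "token.actions.githubusercontent.com"

# Constructed sample: another account's root is trusted with no ExternalId, so any
# third party that account delegates to can be pointed at this role.
CROSS_ACCOUNT_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "sts:AssumeRole"}],
})

def _github_trust(sub_pattern):
    """Build a GitHub OIDC trust policy with the given :sub condition (sample helper)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_ISSUER}:sub": sub_pattern},
            },
        }],
    })

# Constructed samples: every repository in the org (and every branch/PR) vs. one branch.
GITHUB_OIDC_LOOSE = _github_trust("repo:example-org/*")
GITHUB_OIDC_TIGHT = _github_trust("repo:example-org/infra:ref:refs/heads/main")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_json):
    doc = json.loads(policy_json)
    return [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]


def _condition_values(condition, key):
    """Values for a condition key across all operators (StringEquals, StringLike, ...)."""
    values = []
    for operator_block in condition.values():
        for k, v in operator_block.items():
            if k.lower() == key.lower():
                values.extend(_as_list(v))
    return values


def trust_findings(trust_policy_json):
    """Return (code, detail) tuples for over-broad trust relationships."""
    findings = []
    for s in _allow_statements(trust_policy_json):
        actions = {a.lower() for a in _as_list(s.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = s.get("Principal", {})
        condition = s.get("Condition", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []

        if principal == "*" or "*" in aws_principals:
            findings.append(("ANON_TRUST", "any AWS principal can assume this role"))
        for arn in aws_principals:
            if arn.endswith(":root") and not _condition_values(condition, "sts:ExternalId"):
                findings.append(("NO_EXTERNAL_ID",
                                 f"cross-account trust of {arn} without sts:ExternalId"))
        for provider in federated:
            if GITHUB_ISSUER not in provider:
                continue
            subs = _condition_values(condition, f"{GITHUB_ISSUER}:sub")
            if not subs:
                findings.append(("OIDC_NO_SUB",
                                 "GitHub OIDC trust without a :sub condition"))
            for sub in subs:
                # 'repo:org/*' or a bare '*' matches every repository, branch and PR.
                if sub == "*" or sub.endswith("/*"):
                    findings.append(("OIDC_WILDCARD_SUB", f"sub pattern {sub!r} is org-wide"))
    return findings


if __name__ == "__main__":
    for label, pol in (("cross-account", CROSS_ACCOUNT_TRUST),
                       ("github-loose", GITHUB_OIDC_LOOSE),
                       ("github-tight", GITHUB_OIDC_TIGHT)):
        print(label, trust_findings(pol))
```

For the GCR/AWS example in the text the same reasoning applies in the other direction: the question is who can push to the image repository, which is answered by that repository's IAM bindings rather than by a role trust policy.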
Multi-Cloud Tools
There are several tools that can be used to test different cloud environments. The installation steps and links are given in this section.
Tool to identify bad configurations and privesc paths in clouds and across clouds/SaaS.
Methodology
Reconnaissance:
Google Dorks: Search for sensitive information exposed on Google.
Subdomain Enumeration: Enumerate subdomains to discover potential entry points.
Cloud Storage Enumeration: Identify publicly accessible storage buckets.
GitHub Recon: Look for sensitive information leaked on GitHub repositories.
Enumeration:
Service Enumeration: Identify services running on discovered subdomains.
Bucket Enumeration: Enumerate files and folders within identified storage buckets.
IAM User Enumeration: Identify IAM users and their permissions.
Exploitation:
Insecure Buckets: Exploit misconfigured storage buckets.
IAM Misconfigurations: Abuse misconfigured IAM permissions.
SSRF: Exploit Server-Side Request Forgery vulnerabilities.
Post-Exploitation:
Data Exfiltration: Steal sensitive data from compromised resources.
Persistence: Maintain access to the compromised environment.
Covering Tracks: Remove evidence of the attack.
Reporting:
Document Findings: Detail all discovered vulnerabilities and exploited issues.
Recommendations: Provide suggestions for improving the security posture.
Prowler supports AWS, GCP & Azure. Check how to configure each provider at https://docs.prowler.cloud/en/latest/#aws
AWS, Azure, Github, Google, Oracle, Alibaba
AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure
Download and install Steampipe (https://steampipe.io/downloads), or install it with Homebrew (brew install turbot/tap/steampipe).
To evaluate other GCP insights (useful for enumerating services) use: https://github.com/turbot/steampipe-mod-gcp-insights
To check GCP Terraform code: https://github.com/turbot/steampipe-mod-terraform-gcp-compliance
More GCP Steampipe plugins: https://github.com/turbot?q=gcp
To check AWS Terraform code: https://github.com/turbot/steampipe-mod-terraform-aws-compliance
More AWS Steampipe plugins: https://github.com/orgs/turbot/repositories?q=aws
AWS, GCP, Azure, DigitalOcean. It requires python2.7 and looks unmaintained.
Nessus
Nessus has a cloud infrastructure audit scan supporting: AWS, Azure, Office 365, Rackspace, Salesforce. Some extra configuration in Azure is needed to obtain a Client Id.
Cloudlist is a multi-cloud tool for getting assets (hostnames, IP addresses) from cloud providers.
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by a Neo4j database.
Discover the most privileged users in the scanned AWS or Azure environment, including AWS Shadow Admins. It uses PowerShell.
Tool to find a company's (target's) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
CloudFox is a tool to find exploitable attack paths in cloud infrastructure (currently only AWS & Azure are supported, with GCP coming soon).
It is an enumeration tool intended to complement manual pentesting.
It does not create or modify any data within the cloud environment.
More lists of cloud security tools
Google
GCP: GCP Pentesting
Workspace: GWS - Workspace Pentesting
AWS: AWS Pentesting
Azure: Azure Pentesting
Attack Graph
Stormspotter creates an "attack graph" of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and helps defenders quickly orient and prioritize incident response work.
Office365
You need Global Admin or at least Global Admin Reader (but note that Global Admin Reader is a bit limited). However, those limitations appear in some PowerShell modules and can be bypassed by accessing the features through the web application.