Cloud Providers Security
From pentestwiki.org
Microsoft Azure
MicroBurst: A PowerShell Toolkit for Attacking Azure https://github.com/NetSPI/MicroBurst
PS> Import-Module .\MicroBurst.psm1
PS> Get-Help Get-AzurePasswords
Amazon AWS
AWS S3 Bucket/Object Finder https://github.com/brianwarehime/inSp3ctor
Check bucket ACLs and policies (group grants such as AllUsers/AuthenticatedUsers are the ones to look at; the JMESPath query must be quoted so the shell does not expand it):
$ for bucket in $(aws s3 ls | awk '{print $3}'); do
    echo "Bucket: $bucket"
    aws s3api get-bucket-acl --bucket "$bucket" --query "Grants[?Grantee.Type=='Group'].[Grantee.URI,Permission]" --output text
    aws s3api get-bucket-policy --bucket "$bucket" --output text 2>/dev/null
  done
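The loop above prints raw ACL grants and policy documents and leaves the reading to you. The following is an added example, not code from pentestwiki.org, that does the reading: it takes responses in the JSON shape of `aws s3api get-bucket-acl --output json` and the `Policy` string of `aws s3api get-bucket-policy --output json` and flags grants to the AllUsers/AuthenticatedUsers groups and unconditioned Allow statements whose principal is everyone. The sample ACL and policy at the bottom are constructed, with placeholder IDs.

```python
import json

# Grantee URIs that mean "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the public groups.

    `acl` has the shape of `aws s3api get-bucket-acl --output json`."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant["Permission"]))
    return found


def _principal_is_anyone(principal):
    # A policy principal may be the string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_text):
    """Return (Sid, actions) for Allow statements open to any principal with no Condition.

    `policy_text` is the JSON string found in the `Policy` field of
    `aws s3api get-bucket-policy --output json`."""
    statements = json.loads(policy_text).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = []
    for st in statements:
        # Conditioned statements (e.g. aws:SourceVpc) are not open to the whole Internet.
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if _principal_is_anyone(st.get("Principal")):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            found.append((st.get("Sid", "<no Sid>"), sorted(actions)))
    return found


def audit_bucket(name, acl, policy_text=None):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"{name}: ACL grants {perm} to {grp}" for grp, perm in public_acl_grants(acl)]
    if policy_text:
        for sid, actions in public_policy_statements(policy_text):
            findings.append(f"{name}: policy statement {sid} allows {','.join(actions)} to everyone")
    return findings


# Constructed sample responses (placeholder IDs, not real accounts).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        # LogDelivery is a service group used for server access logging, not a public grant.
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-placeholder"}}},
    ],
})

if __name__ == "__main__":
    for line in audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

On the constructed sample this reports two findings: the ACL READ grant to AllUsers (anyone can list the bucket) and the PublicRead statement; the LogDelivery grant and the VPC-conditioned statement are correctly left alone. To run it against real output, feed the parsed JSON of the two CLI commands per bucket instead of the samples.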
- Check S3 buckets:
$ aws s3 ls s3://mybucket --recursive --human-readable --summarize
- Check without credentials (anonymous access):
$ aws s3 ls s3://$BUCKET/ --no-sign-request --region us-west-2
- Download a file:
$ aws --profile $PROFILE s3 cp s3://$BUCKET/$FILE .
- Check object permissions (read, ACL, write):
$ aws s3api get-object --bucket $BUCKET --key $FILE $FILE
$ aws s3api get-object-acl --bucket $BUCKET --key $FILE
$ aws s3api put-object --bucket $BUCKET --key $FILE --body $FILE
Check bucket write permission without writing (put-simulate.sh). The script sends a PUT whose Content-MD5 header deliberately does not match the body: if the caller is allowed to write, S3 rejects the request with a Content-MD5 mismatch error and stores nothing; if not, it answers AccessDenied. It uses the legacy Signature Version 2 scheme, which newer regions do not accept.
#!/bin/bash
# use this by: ./put-simulate.sh test-bucket/write.txt
AWS_ACCESS_KEY_ID="***"
AWS_SECRET_ACCESS_KEY="***"
AWS_S3_BUCKET="$(echo "$1" | cut -d "/" -f1)"
AWS_PATH="/$(echo "$1" | cut -d "/" -f2-)"
date=$(date +"%a, %d %b %Y %T %z")
acl="x-amz-acl:private"
content_type='application/octet-stream'
# we create a checksum of the word "yepp", but will upload a file with the content "nope".
content_md5=$(openssl dgst -md5 -binary <(echo "yepp") | openssl enc -base64)
# SigV2 string to sign: verb, Content-MD5, Content-Type, Date, canonical x-amz-* headers, resource
string="PUT\n${content_md5}\n${content_type}\n${date}\n${acl}\n/${AWS_S3_BUCKET}${AWS_PATH}"
signature=$(echo -en "${string}" | openssl sha1 -hmac "${AWS_SECRET_ACCESS_KEY}" -binary | base64)
echo "PUT to S3 with invalid md5: ${AWS_S3_BUCKET}${AWS_PATH}"
result=$(curl -s --insecure -X PUT --data "nope" \
  -H "Host: ${AWS_S3_BUCKET}.s3.amazonaws.com" \
  -H "Date: $date" \
  -H "Content-Type: ${content_type}" \
  -H "Content-MD5: ${content_md5}" \
  -H "$acl" \
  -H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${signature}" \
  "https://${AWS_S3_BUCKET}.s3.amazonaws.com${AWS_PATH}")
# A digest-mismatch error means the write itself would have been accepted.
if [ "$(echo ${result} | grep 'The Content-MD5 you specified did not match what we received')" != "" ]; then
  echo "SUCCESS: ${AWS_S3_BUCKET}${AWS_PATH}"
  exit 0
fi
echo "$result"
exit 1
Open EC2 Snapshots
$ aws --profile $PROFILE ec2 describe-snapshots
or
$ aws --profile $PROFILE sts get-caller-identity
$ aws --profile $PROFILE ec2 describe-snapshots --owner-id $ID
To create a volume from the snapshot (attach it to an instance in the same availability zone and mount it from there):
$ aws --profile $PROFILE ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id $SID
Abusing instance metadata in an SSRF or internal attack
From inside the instance (or through an SSRF that reaches it) access http://169.254.169.254/latest/meta-data/
Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
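The defender's side of the metadata service is twofold: require IMDSv2 session tokens on the instances (so a plain GET from an SSRF gets nothing) and make sure application code that fetches URLs refuses link-local targets. The following is an added example, not code from pentestwiki.org: `imds_findings` reads output in the shape of `aws ec2 describe-instances --output json` and lists instances whose `MetadataOptions` still allow IMDSv1 or forward more than one hop, and `targets_imds` is a URL pre-check that catches the literal 169.254.169.254, its IPv4-mapped and decimal spellings, and the IPv6 endpoint fd00:ec2::254. The instance records are constructed with placeholder IDs.

```python
import ipaddress
from urllib.parse import urlsplit

IMDS_V6 = ipaddress.ip_address("fd00:ec2::254")


def imds_findings(describe_output):
    """Return (InstanceId, reason) pairs for instances with weak metadata options.

    `describe_output` has the shape of `aws ec2 describe-instances --output json`."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst.get("InstanceId", "<unknown>")
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS switched off entirely: nothing to reach
            if opts.get("HttpTokens") != "required":
                findings.append((iid, "IMDSv1 allowed (HttpTokens=%s)" % opts.get("HttpTokens")))
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                findings.append((iid, "hop limit %d lets forwarded traffic reach IMDS" % hops))
    return findings


def targets_imds(url):
    """True if the URL's host literal is the metadata service.

    Only literal addresses are checked here; a hostname that resolves to
    169.254.169.254 must be caught after DNS resolution, at connect time."""
    host = urlsplit(url).hostname  # strips brackets and port, lowercases
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(int(host, 0))  # "2852039166", "0xa9fea9fe"
        except ValueError:
            return False  # a hostname, not a literal
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254
    return addr.is_link_local or addr == IMDS_V6


# Constructed describe-instances output (placeholder instance IDs).
SAMPLE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example1", "MetadataOptions": {
            "State": "applied", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0example2", "MetadataOptions": {
            "State": "applied", "HttpTokens": "required", "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
        {"InstanceId": "i-0example3", "MetadataOptions": {
            "State": "applied", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
    ]}]
}

if __name__ == "__main__":
    for iid, reason in imds_findings(SAMPLE_INSTANCES):
        print(iid, reason)
    for u in ("http://169.254.169.254/latest/meta-data/", "http://2852039166/", "https://example.com/"):
        print(u, targets_imds(u))
```

Instances reported by `imds_findings` can be fixed in place with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`; a hop limit of 1 is the right value unless containers on the instance legitimately need metadata.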
AWS Subdomain Takeover
- How to test it:
Use massdns and look for subdomains that answer SERVFAIL or REFUSED (a CNAME or NS pointing at an AWS resource that no longer exists).
Re-using AWS Elastic IPs
$ aws ec2 associate-address --instance-id $ID --public-ip $IP
- How to test it:
List all DNS type A records of a domain and check that every IP they point to is still allocated to the account (a released Elastic IP can be handed to another customer while the record keeps pointing at it).
Internal IPs in public domains
Private addresses must not be published in public DNS:
- Section 5 RFC1918 https://tools.ietf.org/html/rfc1918
- IETF draft: https://tools.ietf.org/id/draft-ietf-dnsop-dontpublish-unreachable-03.txt
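The two DNS checks above (Elastic IP reuse and internal IPs in public zones) start from the same input, a zone's A records, so one added example, not code from pentestwiki.org, covers both: `classify_a_records` flags records pointing at RFC 1918 space and records pointing into an AWS prefix that is not among the addresses the account currently holds. The allocated set is meant to come from the `PublicIp` field of `aws ec2 describe-addresses`, and the prefixes from the EC2 entries of AWS's published ip-ranges.json; here both are constructed, with 203.0.113.0/24 (a documentation range) standing in for an EC2 prefix.

```python
import ipaddress

# Section 3 of RFC 1918: the three private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_a_records(records, allocated_ips, aws_prefixes):
    """Return (name, ip, reason) for every A record that needs attention.

    records:       list of (name, ip) pairs taken from the zone's A records
    allocated_ips: public IPs the account owns (PublicIp from `aws ec2 describe-addresses`)
    aws_prefixes:  EC2 CIDR prefixes from ip-ranges.json (ip_prefix where service == "EC2")
    """
    prefixes = [ipaddress.ip_network(p) for p in aws_prefixes]
    allocated = {ipaddress.ip_address(ip) for ip in allocated_ips}
    findings = []
    for name, ip in records:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in RFC1918):
            findings.append((name, ip, "private RFC1918 address published in public DNS"))
        elif any(addr in net for net in prefixes) and addr not in allocated:
            # The record points into AWS but the address is no longer ours:
            # a dangling record that EIP reuse by another customer would capture.
            findings.append((name, ip, "dangling: AWS address not allocated to this account"))
    return findings


# Constructed sample data; 203.0.113.0/24 stands in for a real EC2 prefix.
SAMPLE_AWS_PREFIXES = ["203.0.113.0/24"]
SAMPLE_ALLOCATED = {"203.0.113.10"}
SAMPLE_RECORDS = [
    ("www.example.com", "203.0.113.10"),       # allocated to us: fine
    ("old.example.com", "203.0.113.77"),       # AWS range, no longer ours: dangling
    ("intranet.example.com", "10.20.30.40"),   # RFC 1918 in a public zone
    ("cdn.example.com", "198.51.100.5"),       # outside AWS: not our concern here
]

if __name__ == "__main__":
    for name, ip, reason in classify_a_records(SAMPLE_RECORDS, SAMPLE_ALLOCATED, SAMPLE_AWS_PREFIXES):
        print(f"{name} -> {ip}: {reason}")
```

Records in the "dangling" class should be deleted or re-pointed before the address is released; the RFC 1918 class should be moved to an internal zone.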
Check IAM and policies
$ aws --profile $PROFILE iam get-user
$ aws --profile $PROFILE iam list-attached-user-policies --user-name $USERNAME