Cloud Providers Security

From pentestwiki.org

Microsoft Azure

MicroBurst: A PowerShell Toolkit for Attacking Azure https://github.com/NetSPI/MicroBurst

PS>Import-Module .\MicroBurst.psm1
PS>Get-Help Get-AzurePasswords


Amazon AWS

AWS S3 Bucket/Object Finder https://github.com/brianwarehime/inSp3ctor

Check bucket ACLs and policies (the JMESPath query is quoted so the shell does not glob-expand the `?`, `[` and `]`):

$for bucket in $(aws s3 ls | awk '{print $3}'); do echo "Bucket: $bucket"; aws s3api get-bucket-acl --bucket "$bucket" --query "Grants[?Grantee.Type=='Group'].[Grantee.URI,Permission]" --output text; aws s3api get-bucket-policy --bucket "$bucket" --output text 2>/dev/null; done
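The loop above prints the raw ACL grants and policy document; deciding whether a bucket is actually public still means reading the group URIs and the policy principals by hand. The following is an added example, not code from pentestwiki.org, that does that triage over the JSON shapes `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return. The sample ACL, policy, bucket name and account id are constructed placeholders; in practice feed it `aws s3api ... --output json`.

```python
"""Audit S3 bucket ACL grants and bucket policies for public access.

Added example, not from pentestwiki.org. SAMPLE_ACL and SAMPLE_POLICY_OUTPUT
are constructed to mirror the JSON shape of `aws s3api get-bucket-acl` and
`aws s3api get-bucket-policy`; the bucket name and account id are placeholders.
"""
import json

# Group URIs S3 uses for "anyone on the internet" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

SAMPLE_ACL = {  # constructed get-bucket-acl output
    "Owner": {"ID": "constructed-canonical-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-canonical-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# get-bucket-policy returns the policy document as a JSON *string* under "Policy".
SAMPLE_POLICY_OUTPUT = {"Policy": json.dumps({  # constructed
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-00000000000000000"}}},
        {"Sid": "OwnerOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})}


def public_acl_grants(acl):
    """Return [(group_name, permission)] for grants to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy_output):
    """Split wildcard-principal Allow statements into (unconditional, conditional) Sids.

    Unconditional ones grant to everyone outright; conditional ones are gated by a
    Condition block (e.g. aws:SourceVpc) and need a human to judge the condition.
    """
    policy = json.loads(policy_output["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    unconditional, conditional = [], []
    for st in statements:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        (conditional if st.get("Condition") else unconditional).append(st.get("Sid", "<no Sid>"))
    return unconditional, conditional


def audit_bucket(name, acl, policy_output=None):
    """Produce human-readable findings for one bucket (policy_output may be None)."""
    findings = [f"{name}: ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    if policy_output is not None:
        unconditional, conditional = public_policy_statements(policy_output)
        findings += [f"{name}: policy statement {sid} allows everyone" for sid in unconditional]
        findings += [f"{name}: policy statement {sid} is wildcard but conditional; review" for sid in conditional]
    return findings


if __name__ == "__main__":
    for line in audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY_OUTPUT):
        print(line)
```

Run it against real output with `aws s3api get-bucket-acl --bucket NAME --output json` and `aws s3api get-bucket-policy --bucket NAME --output json` (the latter fails for buckets without a policy, which is why `policy_output` may be None).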


  • Check S3 buckets:
$aws s3 ls s3://mybucket --recursive --human-readable --summarize

Check without credentials:

$aws s3 ls s3://$BUCKET/ --no-sign-request --region us-west-2


  • Download a file:
$aws --profile $PROFILE s3 cp s3://$BUCKET/$FILE .



  • Check object permissions (read, ACL, write):
$aws s3api get-object --bucket $BUCKET --key $FILE $FILE
$aws s3api get-object-acl --bucket $BUCKET --key $FILE
$aws s3api put-object --bucket $BUCKET --key $FILE --body $FILE


CHECK BUCKET_WRITE without writing:

#!/bin/bash
# use this by: ./put-simulate.sh test-bucket/write.txt
#
# How it works: S3 authorises the PUT before it verifies Content-MD5. We send a
# body whose MD5 does not match the header, so a bucket we are allowed to write
# answers BadDigest ("The Content-MD5 you specified did not match...") and stores
# nothing, while a bucket we are not allowed to write answers AccessDenied.
#
# Caveat: this signs with the legacy AWS Signature Version 2. Buckets created
# after June 2019 only accept Signature Version 4, so a signature error from
# such a bucket says nothing about write permission.
set -u
[ $# -eq 1 ] || { echo "usage: $0 bucket/key" >&2; exit 2; }
AWS_ACCESS_KEY_ID="***"
AWS_SECRET_ACCESS_KEY="***"
AWS_S3_BUCKET="$(echo "$1" | cut -d "/" -f1)"
AWS_PATH="/$(echo "$1" | cut -d "/" -f2-)"
# SigV2 expects an English RFC 1123 date, so pin the locale
date=$(LC_ALL=C date +"%a, %d %b %Y %T %z")
acl="x-amz-acl:private"
content_type='application/octet-stream'

# we create a checksum of the word "yepp", but will upload a file with the content "nope".
content_md5=$(openssl dgst -md5 -binary <(echo "yepp") | openssl enc -base64)

# SigV2 string-to-sign: method, Content-MD5, Content-Type, Date, canonical amz headers, resource
string="PUT\n${content_md5}\n${content_type}\n${date}\n${acl}\n/${AWS_S3_BUCKET}${AWS_PATH}"
signature=$(echo -en "${string}" | openssl sha1 -hmac "${AWS_SECRET_ACCESS_KEY}" -binary | base64)
echo "PUT to S3 with invalid md5: ${AWS_S3_BUCKET}${AWS_PATH}"
result=$(curl -s -X PUT --data "nope" \
-H "Host: ${AWS_S3_BUCKET}.s3.amazonaws.com" \
-H "Date: ${date}" \
-H "Content-Type: ${content_type}" \
-H "Content-MD5: ${content_md5}" \
-H "${acl}" \
-H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${signature}" \
"https://${AWS_S3_BUCKET}.s3.amazonaws.com${AWS_PATH}")

# BadDigest means authorisation passed and only the checksum check failed
if echo "${result}" | grep -q 'The Content-MD5 you specified did not match what we received'; then
  echo "SUCCESS: ${AWS_S3_BUCKET}${AWS_PATH}"
  exit 0
fi
echo "${result}"
exit 1

Open EC2 Snapshots

$aws --profile $PROFILE ec2 describe-snapshots

or, with $ID set to the Account value returned by get-caller-identity:

$aws --profile $PROFILE sts get-caller-identity
$aws --profile $PROFILE ec2 describe-snapshots --owner-ids $ID


To mount the snapshot, first create a volume from it (then attach the volume to an instance):

$aws --profile $PROFILE ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id $SID
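From the owning account's side, the question is which of its own snapshots are exposed this way. The following is an added example, not code from pentestwiki.org, that takes the output of `aws ec2 describe-snapshots --owner-ids self` plus, per snapshot, `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`, and reports snapshots shared with everyone (`Group: all`) or with accounts outside an allow-list. The snapshot ids, account ids and the `TRUSTED_ACCOUNTS` set are constructed placeholders.

```python
"""Flag EBS snapshots shared publicly or with accounts outside an allow-list.

Added example, not from pentestwiki.org. The inputs are constructed to mirror
`aws ec2 describe-snapshots --owner-ids self` and, per snapshot,
`aws ec2 describe-snapshot-attribute --attribute createVolumePermission`.
Snapshot ids and account ids are placeholders.
"""

SAMPLE_SNAPSHOTS = {"Snapshots": [  # constructed describe-snapshots output
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1", "Encrypted": False, "Description": "db backup"},
    {"SnapshotId": "snap-0bbbbbbbbbbbbbbb2", "Encrypted": True, "Description": "golden image"},
    {"SnapshotId": "snap-0ccccccccccccccc3", "Encrypted": False, "Description": "scratch"},
]}

# constructed describe-snapshot-attribute outputs, keyed by snapshot id
SAMPLE_ATTRIBUTES = {
    "snap-0aaaaaaaaaaaaaaa1": {"CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0bbbbbbbbbbbbbbb2": {"CreateVolumePermissions": [{"UserId": "444455556666"}]},
    "snap-0ccccccccccccccc3": {"CreateVolumePermissions": [{"UserId": "777788889999"}]},
}

# accounts we intentionally share snapshots with (constructed)
TRUSTED_ACCOUNTS = {"444455556666"}


def snapshot_findings(snapshots, attributes, trusted_accounts):
    """Return [(snapshot_id, reason)] for snapshots anyone, or an untrusted account, can copy.

    "Group": "all" means any AWS account can run create-volume against the snapshot,
    which is exactly what the describe-snapshots / create-volume steps above rely on.
    """
    findings = []
    for snap in snapshots.get("Snapshots", []):
        sid = snap["SnapshotId"]
        perms = attributes.get(sid, {}).get("CreateVolumePermissions", [])
        for perm in perms:
            if perm.get("Group") == "all":
                findings.append((sid, "public: any account can create a volume from it"))
            elif "UserId" in perm and perm["UserId"] not in trusted_accounts:
                findings.append((sid, f"shared with untrusted account {perm['UserId']}"))
    return findings


if __name__ == "__main__":
    for sid, reason in snapshot_findings(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES, TRUSTED_ACCOUNTS):
        print(f"{sid}: {reason}")
```

To revoke a public share, `aws ec2 modify-snapshot-attribute --snapshot-id SID --attribute createVolumePermission --operation-type remove --group-names all` is the corresponding CLI call.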


Abusing instance metadata in an SSRF or internal attack

From inside the instance, or through an SSRF that reaches it, access http://169.254.169.254/latest/meta-data/

Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
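Whether a GET-only SSRF can reach the credentials under that path depends on the instance's metadata options: with IMDSv2 enforced (`HttpTokens: required`) the client must first obtain a session token with a PUT, which a plain GET-based SSRF cannot do. The following is an added example, not code from pentestwiki.org, that reads `aws ec2 describe-instances` output and lists instances still allowing IMDSv1 or with a hop limit above 1. The instance ids and `MetadataOptions` values are constructed.

```python
"""Find EC2 instances whose metadata service is reachable without IMDSv2 tokens.

Added example, not from pentestwiki.org. SAMPLE_DESCRIBE_INSTANCES is constructed
to mirror the MetadataOptions block of `aws ec2 describe-instances`; the
instance ids are placeholders.
"""

SAMPLE_DESCRIBE_INSTANCES = {  # constructed
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccccccccccccccc3",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ddddddddddddddd4",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
        ]},
    ]
}


def metadata_findings(describe_output):
    """Return [(instance_id, reason)] for instances whose IMDS settings weaken SSRF defences.

    - HttpTokens "optional" means IMDSv1 (plain GET, no session token) still answers,
      so a GET-only SSRF can read the role credentials from 169.254.169.254.
    - With a hop limit of 1 the IMDSv2 token response cannot be forwarded beyond the
      instance's own network stack; a higher value extends who can obtain a token
      (e.g. containers behind a NATed bridge).
    """
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS switched off entirely: nothing to reach
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], "IMDSv1 allowed (HttpTokens != required)"))
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append((inst["InstanceId"], "hop limit > 1 extends IMDSv2 reach"))
    return findings


if __name__ == "__main__":
    for instance_id, reason in metadata_findings(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{instance_id}: {reason}")
```

The fix for a flagged instance is `aws ec2 modify-instance-metadata-options --instance-id ID --http-tokens required --http-put-response-hop-limit 1`; applications on the instance then need an SDK recent enough to speak IMDSv2.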

AWS Subdomain Takeover

  • How to test it:

Use massdns and look for SERVFAIL or REFUSED subdomains.

Re-using AWS Elastic IPs

$aws ec2 associate-address --instance-id $ID --public-ip $IP


  • How to test it:

List all DNS type A entries of a domain and check that every IP is still allocated to you.

Internal IPs in public domains

Must not be allowed:
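The two checks above (A records pointing at Elastic IPs you no longer hold, and internal addresses published in public DNS) can be run from one script. The following is an added example, not code from pentestwiki.org: it cross-references a zone's A records against the account's `aws ec2 describe-addresses` output and the EC2 public prefixes, and flags RFC 1918 / link-local targets separately. The A records, the allocated-address list and the prefix list are constructed; the real prefixes come from https://ip-ranges.amazonaws.com/ip-ranges.json (service "EC2"). Note that the sample public addresses use the TEST-NET documentation ranges, which Python's `is_private` also reports as non-global, so the internal check uses an explicit RFC 1918 list instead.

```python
"""Cross-check public DNS A records against allocated Elastic IPs and internal ranges.

Added example, not from pentestwiki.org. A_RECORDS, ALLOCATED_EIPS and EC2_PREFIXES
are constructed; in practice the records come from a zone export or
`aws route53 list-resource-record-sets`, the addresses from
`aws ec2 describe-addresses`, and the prefixes from ip-ranges.json (service "EC2").
"""
import ipaddress

# Explicit internal ranges (RFC 1918 plus link-local). ipaddress.is_private is not used
# because it also flags the TEST-NET documentation ranges used as sample public IPs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed subset of EC2 public prefixes (real list: ip-ranges.json, service "EC2").
EC2_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed `aws ec2 describe-addresses` output for the account.
ALLOCATED_EIPS = {"Addresses": [
    {"PublicIp": "203.0.113.10", "InstanceId": "i-0aaaaaaaaaaaaaaa1"},
    {"PublicIp": "203.0.113.11"},  # allocated but not attached to anything
]}

# Constructed A records for the zone under review.
A_RECORDS = {
    "www.example.com": "203.0.113.10",       # our attached EIP: fine
    "old.example.com": "203.0.113.99",       # EC2 range but not allocated to us: dangling
    "intranet.example.com": "10.20.30.40",   # RFC 1918 address leaked into public DNS
    "cdn.example.com": "192.0.2.7",          # outside the EC2 ranges: not assessed here
}


def classify_records(records, eip_output, ec2_prefixes):
    """Return {name: status}, status in {"ok", "dangling-ec2", "internal", "external"}.

    "dangling-ec2": the record targets an EC2 public address the account does not
    hold, so whoever gets that address allocated next receives the hostname's traffic.
    """
    ours = {a["PublicIp"] for a in eip_output.get("Addresses", [])}
    result = {}
    for name, ip in records.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in INTERNAL_NETS):
            result[name] = "internal"
        elif ip in ours:
            result[name] = "ok"
        elif any(addr in net for net in ec2_prefixes):
            result[name] = "dangling-ec2"
        else:
            result[name] = "external"
    return result


if __name__ == "__main__":
    for name, status in classify_records(A_RECORDS, ALLOCATED_EIPS, EC2_PREFIXES).items():
        print(f"{status:13} {name}")
```

Records classified "external" need the same check against whichever other provider they point to; "dangling-ec2" records should be deleted or repointed, and "internal" records moved to a private zone.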


Check IAM and policies

$aws --profile $PROFILE iam get-user


$aws --profile $PROFILE iam list-attached-user-policies --user-name $USERNAME