Cloud Providers Security
From pentestwiki.org
Contents
Microsoft Azure
MicroBurst: A PowerShell Toolkit for Attacking Azure https://github.com/NetSPI/MicroBurst
PS>Import-Module .\MicroBurst.psm1PS>Get-Help Get-AzurePasswords
Amazon AWS
AWS S3 Bucket/Object Finder https://github.com/brianwarehime/inSp3ctor
Check buckets policies
$for bucket in `aws s3 ls|awk '{print $3}'`; do echo "Bucket: $bucket"; aws s3api get-bucket-acl --bucket $bucket --query Grants[?Grantee.Type==\'Group\'].[Grantee.URI,Permission] --output text;aws s3api get-bucket-policy --bucket $bucket --output text 2>/dev/null; done
- Check S3 buckets:
$aws s3 ls s3://mybucket --recursive --human-readable --summarizeCheck without credentials:
$aws s3 ls s3://$BUCKET/ --no-sign-request --region us-west-2
- Download a file:
$aws --profile $PROFILE s3 cp s3://$BUCKET/$FILE .
- Check policies:
$aws s3api get-object --bucket $BUCKET --key $FILE $FILE$aws s3api get-object-acl --bucket $BUCKET --key $FILE$aws s3api put-object --bucket $BUCKET --key $FILE --body $FILE
CHECK BUCKET_WRITE without writing:
# use this by: ./put-simulate.sh test-bucket/write.txt
AWS_ACCESS_KEY_ID="***"
AWS_SECRET_ACCESS_KEY="***"
AWS_S3_BUCKET="$(echo "$1" | cut -d "/" -f1)"
AWS_PATH="/$(echo "$1" | cut -d "/" -f2-)"
date=$(date +"%a, %d %b %Y %T %z")
acl="x-amz-acl:private"
content_type='application/octet-stream'
# we create a checksum of the word "yepp", but will upload a file with the content "nope".
content_md5=$(openssl dgst -md5 -binary <(echo "yepp") | openssl enc -base64)
string="PUT\n${content_md5}\n${content_type}\n${date}\n${acl}\n/${AWS_S3_BUCKET}${AWS_PATH}"
signature=$(echo -en "${string}" | openssl sha1 -hmac "${AWS_SECRET_ACCESS_KEY}" -binary | base64)
echo "PUT to S3 with invalid md5: ${AWS_S3_BUCKET}${AWS_PATH}"
result=$(curl -s --insecure -X PUT --data "nope" \
-H "Host: ${AWS_S3_BUCKET}.s3.amazonaws.com" \
-H "Date: $date" \
-H "Content-Type: ${content_type}" \
-H "Content-MD5: ${content_md5}" \
-H "$acl" \
-H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${signature}" \
"https://${AWS_S3_BUCKET}.s3.amazonaws.com${AWS_PATH}")
if [ "$(echo ${result} | grep 'The Content-MD5 you specified did not match what we received')" != "" ]; then
echo "SUCCESS: ${AWS_S3_BUCKET}${AWS_PATH}"
exit 0
fi
echo "$result"
exit 1
Open EC2 Snapshots
$aws --profile $PROFILE ec2 describe-snapshotsor
$aws --profile $PROFILE sts get-caller-identity$aws --profile $PROFILE ec2 describe-snapshots --owner-id $ID
To mount the snapshot:
$aws --profile $PROFILE ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id $SID
Abusing instance metadata in a SSRF or internal attack
Internally access http://169.254.169.254/latest/meta-data/
Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
AWS Subdomain Takeover
- Howto test it:
Use massdns and look for SERVFAIL or REFUSED subdomains.
Re-using AWS Elastic IPs
$aws ec2 associate-address --instance-id $ID --public-ip $IP
- Howto test it:
List all DNS type A entries of a domain and check if all IPs are allocated.
Internal IPs in public domains
Must not be allowed:
- Section 5 RFC1918 https://tools.ietf.org/html/rfc1918
- IETF draft: https://tools.ietf.org/id/draft-ietf-dnsop-dontpublish-unreachable-03.txt
Check IAM and policies
$aws --profile $PROFILE iam get-user
$aws --profile $PROFILE iam list-attached-user-policies --user-name $USERNAME