Hooper Labs

Cloud Pentesting



<a href="https://twitter.com/dafthack">@dafthack</a>

Cloud Pentest Authorization

Cloud vs On-Prem

Getting a Shell

Once you get a shell, you can query the metadata service (in AWS).

Things To Consider

What are you allowed to test?
Check each cloud provider's rules before testing.
Refrain from: DoS, intense fuzzing, phishing cloud providers, testing other company's assets.
Report platform vulnerabilities to cloud platforms.

Cloud Authentication Methods

First Step

Find Authentication Points (APIs, certificates, MFA, etc.)


Azure: Password Hash Synchronization

Azure AD Connect Service constantly synchronizes AD passwords to cloud. This allows users to directly authenticate to Azure services like O365 with their internal domain credential.

Azure: Pass-Through Authentication

Credentials only stored on prem. On-prem agent validates authentication requests to Azure AD (no creds stored in cloud).

Azure: Active Directory Federation Services

Federated trust between Azure and on-prem ADFS server

Azure: Certificate-based Authentication

Client certs for authentication to API. Certificates are managed in legacy Azure Service Management (impossible to know who created a cert).

Azure: Access Tokens

Authenticate to Azure with oAuth tokens, which may be re-used on other MS endpoints. Desktop CLI tools that can be used to auth store access to tokens on disk.

AWS: Progammatic Access - Access + Secret Keys

SecretAccessKey and Access Key ID for authenticating via scripts and CLI.

AWS: Management Console Access

GoogleAuthentication Methods


Asset Discovery (find what services are in use)

Examples: AD connectivity, mail gateways, web apps, file storage, etc. (traditional host discovery still applies).


Use Whois to determine where they are hosted. (Microsoft, Amazon, Google IP space usually indicates cloud service).

MX Records

Can show cloud-hosted mail providers (also proofpoint). O365 - target-domain.mail.protection.outlook.com. G-Suite - google.com | googlemail.com. Proofpoint - pphosted.com.


recon-NG, OWASP Amass, spiderfoot, gobuster, sublist3r.

Search Engines

Use Google (or whatever dorks)

Certificate Transparency

Monitors/Logs Digital certificates. Cert.sh allows search of certificate transparency logs. Check out ctfr.py.

Internet-Wide Scans

massscan, Shodan.io, Censys.io

DNS Brute Forcing

Be creative, use good lists.

Compare Footprint to Cloud Netblocks

Azure (https://www.microsoft.com/en-us/download/details.aspx?id=ID: Public 56519, US Gov 57063, Germany 57064, China 57062. AWS Netblocks - https://ip-ranges.amazonaws.com/ip-ranges.json. Google Netblocks (change often and there is a Google script for that).

O365 Usage (check 1)

Authenticate with target domain name.

O365 Usage (check 2)

https://login.microsoftonline.com/getuserrealm.srf?login=username@company.com&xml=1 (federated = ADFS, isfederated=true) | https://outlook.office265.com/autodiscover/autodiscover.json/v1.0/test@company.com?Protocol=Autodiscoverv1

Google Cloud Mail Usage

Sign in to google with the account and if you're prompted for a password, you're good.

AWS S3 Buckets

Web Application Pentests... in scope!

Exploiting Misconfigured Cloud Assets

S3 Buckets

stands for Amazon Simple Storage Service (https://bucketname.s3.amazonaws.com | https://s3-[region].amazonaws.com/OrgName)

Data in Public Azure Blobs


Data in Public Google Storage Buckets

Cloud_Enum @initstring, scans all three cloud services for buckets and enumerates.

AWS Exploitation Framework (Rhino Security)


Import Keys into AWS CLI

sudo aws configure

List all Modules

pacu> list

Run Module

pacu> run s3__bucket_finder -d glitchcloud

List AWS S3 Bucket

pacu> aws s3 ls s3://glitchcloud

Download AWS S3 Bucket

pacu> aws s3 sync s3://glitchcloud s3-files-dir (https://glitchcloud.s3.amazonaws.com/index.html)

Data in Public Azure Blogs

Microburst (NetSPI), Invoke-EnumerateAzureBlobs

Gaining a Foothold

Secrets in GitHub Repos


Password Spraying

Microsoft Online (Azure/O365)

POST /common/oauth2/token HTTP/1.1
Accept: application/json
Content Type: application/x www form urlencoded
Host: login.microsoftonline.com
Content Length: 195
Expect: 100 continue
Connection: close
resource=https%3A%2F%2Fgraph.windows.net&client_id=1b730954 1685 4b74 9bfd
dac224a7b894&client_info=1&grant_type= password&username =user%40targetdomain.com&passwor
d=Winter2020&scope= openid

Azure Password Protection

Prevents users from picking certain words/seasons/company names.

Azure Smart Lockout

Locks out auth attempts whenever brute force or spray attempts are detected (bypassed with https://www.github.com/ustayready/fireprox + MSOLSpray)



Cloud Engineers, Developers, DevOps


Credential Harvesting, Session Hijacking

2FA Session Hijack

Use Evilginx2 and Modlishka. Hijack Session? Move fast.

Phishing G-Suite

Silently inject events into target calendars w/reminder

Post-Compromise Recon

Web Server Exploitation

Creds in Metadata service, certificates, environment variables, storage accounts.

Steal Access Tokens

On a web server, look in ~/.config/gcloud/credentials.db

Cloud Keys in Files


Azure Publish Settings files

.publishsettings may contain Base64-encoded ManagementCertificate (no password)

Web Config & App Config Files

Include cleartext credentials & frequently need read/write access to cloud storage or DBs.

Steal Access Tokes (.azure file)

Check %USERPROFILE%.azure\ for authentication tokens. Also search .json context files and for "TokenCache.dat"

Difference Between Cloud Services

AWS vs Azure vs Google Cloud Platform

</pre><img src="img/cloudservices.png"><pre>

Azure Subscriptions

An Organization can be an Azure tenant and have Azure users without any subscriptions. Subscriptions are basically like software licenses.

Azure Hierarchy

Management Groups >> Subscriptions >> Resource Groups >> Resources

Azure - User Information (Roles)

Built-In Roles include Owner, Contributor, Reader, User Access Administrator

Get current user's role assignment


Enumerate All Users and Groups

Get-MSolUser -All; Get-MSolGroup -All; Get-MSolGroupMember -GroupObjectId <GUID> | gl

Azure Runbooks

How to automate tasks in Azure. Get-AzAutomationAccount; Get-AzAutomationRunbook -AutomationAccountName <name> -ResourceGroupName <groupname>

Export an Azure Runbook

Export-AzAutomationRunbook -AutomationAccountName <name> -ResourceGroupName <name> -Name <name> -OutputFolder .\Desktop\

User Powershell's Get-Credential

$cred = Get-Credential

Azure Privilege Escalation

O365 customer? That service sets up 200+ service principals (ex. Microsoft Graph, SharePoint, etc). If you have an application administrator account, it can change passwords for service principals that has more privileges.

Cloud Server Administration

Export EC2 Instance as VMDK

aws ec2 create-instance-export-task --instance-id i-0ea3fb1f63fd5d3ec --target-environment vmware --export-to-s3-task "file://C:\Temp\aws.json"