Cloud vs On-Prem
Getting a Shell
Once you get a shell, you can query the metadata service (in AWS).
Things To Consider
What are you allowed to test? Check each cloud provider's rules before testing. Refrain from: DoS, intense fuzzing, phishing cloud providers, testing other company's assets. Report platform vulnerabilities to cloud platforms.
Find Authentication Points (APIs, certificates, MFA, etc.)
Azure: Password Hash Synchronization
Azure AD Connect Service constantly synchronizes AD passwords to cloud. This allows users to directly authenticate to Azure services like O365 with their internal domain credential.
Azure: Pass-Through Authentication
Credentials only stored on prem. On-prem agent validates authentication requests to Azure AD (no creds stored in cloud).
Azure: Active Directory Federation Services
Federated trust between Azure and on-prem ADFS server
Azure: Certificate-based Authentication
Client certs for authentication to API. Certificates are managed in legacy Azure Service Management (impossible to know who created a cert).
Azure: Access Tokens
Authenticate to Azure with oAuth tokens, which may be re-used on other MS endpoints. Desktop CLI tools that can be used to auth store access to tokens on disk.
AWS: Progammatic Access - Access + Secret Keys
SecretAccessKey and Access Key ID for authenticating via scripts and CLI.
AWS: Management Console Access
Asset Discovery (find what services are in use)
Examples: AD connectivity, mail gateways, web apps, file storage, etc. (traditional host discovery still applies).
Use Whois to determine where they are hosted. (Microsoft, Amazon, Google IP space usually indicates cloud service).
Can show cloud-hosted mail providers (also proofpoint). O365 - target-domain.mail.protection.outlook.com. G-Suite - google.com | googlemail.com. Proofpoint - pphosted.com.
recon-NG, OWASP Amass, spiderfoot, gobuster, sublist3r.
Use Google (or whatever dorks)
Monitors/Logs Digital certificates. Cert.sh allows search of certificate transparency logs. Check out ctfr.py.
massscan, Shodan.io, Censys.io
DNS Brute Forcing
Be creative, use good lists.
Compare Footprint to Cloud Netblocks
Azure (https://www.microsoft.com/en-us/download/details.aspx?id=ID: Public 56519, US Gov 57063, Germany 57064, China 57062. AWS Netblocks - https://ip-ranges.amazonaws.com/ip-ranges.json. Google Netblocks (change often and there is a Google script for that).
O365 Usage (check 1)
Authenticate with target domain name.
O365 Usage (check 2)
https://email@example.com&xml=1 (federated = ADFS, isfederated=true) | https://firstname.lastname@example.org?Protocol=Autodiscoverv1
Google Cloud Mail Usage
Sign in to google with the account and if you're prompted for a password, you're good.
AWS S3 Buckets
Web Application Pentests... in scope!
stands for Amazon Simple Storage Service (https://bucketname.s3.amazonaws.com | https://s3-[region].amazonaws.com/OrgName)
Data in Public Azure Blobs
Data in Public Google Storage Buckets
Cloud_Enum @initstring, scans all three cloud services for buckets and enumerates.
AWS Exploitation Framework (Rhino Security)
Import Keys into AWS CLI
sudo aws configure
List all Modules
pacu> run s3__bucket_finder -d glitchcloud
List AWS S3 Bucket
pacu> aws s3 ls s3://glitchcloud
Download AWS S3 Bucket
pacu> aws s3 sync s3://glitchcloud s3-files-dir (https://glitchcloud.s3.amazonaws.com/index.html)
Data in Public Azure Blogs
Microburst (NetSPI), Invoke-EnumerateAzureBlobs
Data in Public Google Storage Buckets Cloud_enum from @initstring.
Secrets in GitHub Repos
Microsoft Online (Azure/O365)
POST /common/oauth2/token HTTP/1.1 Accept: application/json Content Type: application/x www form urlencoded Host: login.microsoftonline.com Content Length: 195 Expect: 100 continue Connection: close resource=https%3A%2F%2Fgraph.windows.net&client_id=1b730954 1685 4b74 9bfd dac224a7b894&client_info=1&grant_type= password&username =user%40targetdomain.com&passwor d=Winter2020&scope= openid
Azure Password Protection
Prevents users from picking certain words/seasons/company names.
Azure Smart Lockout
Locks out auth attempts whenever brute force or spray attempts are detected (bypassed with https://www.github.com/ustayready/fireprox + MSOLSpray)
Cloud Engineers, Developers, DevOps
Credential Harvesting, Session Hijacking
2FA Session Hijack
Use Evilginx2 and Modlishka. Hijack Session? Move fast.
Silently inject events into target calendars w/reminder
Web Server Exploitation
Creds in Metadata service, certificates, environment variables, storage accounts.
Steal Access Tokens
On a web server, look in ~/.config/gcloud/credentials.db
Cloud Keys in Files
debug\publish" is a .cspkg file (unzip + win)
Azure Publish Settings files
.publishsettings may contain Base64-encoded ManagementCertificate (no password)
Web Config & App Config Files
Include cleartext credentials & frequently need read/write access to cloud storage or DBs.
Steal Access Tokes (.azure file)
Check %USERPROFILE%\.azure\ for authentication tokens. Also search .json context files and for "TokenCache.dat"
AWS vs Azure vs Google Cloud Platform
An Organization can be an Azure tenant and have Azure users without any subscriptions. Subscriptions are basically like software licenses.
Management Groups >> Subscriptions >> Resource Groups >> Resources
Azure - User Information (Roles)
Built-In Roles include Owner, Contributor, Reader, User Access Administrator
Get current user's role assignment
Enumerate All Users and Groups
Get-MSolUser -All; Get-MSolGroup -All; Get-MSolGroupMember -GroupObjectId
How to automate tasks in Azure. Get-AzAutomationAccount; Get-AzAutomationRunbook -AutomationAccountName
Export an Azure Runbook
-ResourceGroupName -Name -OutputFolder .\Desktop\
User Powershell's Get-Credential
$cred = Get-Credential
Azure Privilege Escalation
O365 customer? That service sets up 200+ service principals (ex. Microsoft Graph, SharePoint, etc). If you have an application administrator account, it can change passwords for service principals that has more privileges.