Once you get a shell, you can query the metadata service (in AWS).
What are you allowed to test? Check each cloud provider's rules before testing. Refrain from: DoS, intense fuzzing, phishing cloud providers, testing other company's assets. Report platform vulnerabilities to cloud platforms.
Find Authentication Points (APIs, certificates, MFA, etc.)
Azure AD Connect Service constantly synchronizes AD passwords to cloud. This allows users to directly authenticate to Azure services like O365 with their internal domain credential.
Credentials only stored on prem. On-prem agent validates authentication requests to Azure AD (no creds stored in cloud).
Federated trust between Azure and on-prem ADFS server
Client certs for authentication to API. Certificates are managed in legacy Azure Service Management (impossible to know who created a cert).
Authenticate to Azure with oAuth tokens, which may be re-used on other MS endpoints. Desktop CLI tools that can be used to auth store access to tokens on disk.
SecretAccessKey and Access Key ID for authenticating via scripts and CLI.
Examples: AD connectivity, mail gateways, web apps, file storage, etc. (traditional host discovery still applies).
Use Whois to determine where they are hosted. (Microsoft, Amazon, Google IP space usually indicates cloud service).
Can show cloud-hosted mail providers (also proofpoint). O365 - target-domain.mail.protection.outlook.com. G-Suite - google.com | googlemail.com. Proofpoint - pphosted.com.
recon-NG, OWASP Amass, spiderfoot, gobuster, sublist3r.
Use Google (or whatever dorks)
Monitors/Logs Digital certificates. Cert.sh allows search of certificate transparency logs. Check out ctfr.py.
massscan, Shodan.io, Censys.io
Be creative, use good lists.
Azure (https://www.microsoft.com/en-us/download/details.aspx?id=ID: Public 56519, US Gov 57063, Germany 57064, China 57062. AWS Netblocks - https://ip-ranges.amazonaws.com/ip-ranges.json. Google Netblocks (change often and there is a Google script for that).
Authenticate with target domain name.
https://firstname.lastname@example.org&xml=1 (federated = ADFS, isfederated=true) | https://email@example.com?Protocol=Autodiscoverv1
Sign in to google with the account and if you're prompted for a password, you're good.
Web Application Pentests... in scope!
Cloud_Enum @initstring, scans all three cloud services for buckets and enumerates.
sudo aws configure
pacu> run s3__bucket_finder -d glitchcloud
pacu> aws s3 ls s3://glitchcloud
pacu> aws s3 sync s3://glitchcloud s3-files-dir (https://glitchcloud.s3.amazonaws.com/index.html)
Microburst (NetSPI), Invoke-EnumerateAzureBlobs
POST /common/oauth2/token HTTP/1.1 Accept: application/json Content Type: application/x www form urlencoded Host: login.microsoftonline.com Content Length: 195 Expect: 100 continue Connection: close resource=https%3A%2F%2Fgraph.windows.net&client_id=1b730954 1685 4b74 9bfd dac224a7b894&client_info=1&grant_type= password&username =user%40targetdomain.com&passwor d=Winter2020&scope= openid
Prevents users from picking certain words/seasons/company names.
Locks out auth attempts whenever brute force or spray attempts are detected (bypassed with https://www.github.com/ustayready/fireprox + MSOLSpray)
Cloud Engineers, Developers, DevOps
Credential Harvesting, Session Hijacking
Use Evilginx2 and Modlishka. Hijack Session? Move fast.
Silently inject events into target calendars w/reminder
Creds in Metadata service, certificates, environment variables, storage accounts.
On a web server, look in ~/.config/gcloud/credentials.db
.publishsettings may contain Base64-encoded ManagementCertificate (no password)
Include cleartext credentials & frequently need read/write access to cloud storage or DBs.
Check %USERPROFILE%.azure\ for authentication tokens. Also search .json context files and for "TokenCache.dat"
An Organization can be an Azure tenant and have Azure users without any subscriptions. Subscriptions are basically like software licenses.
Management Groups >> Subscriptions >> Resource Groups >> Resources
Built-In Roles include Owner, Contributor, Reader, User Access Administrator
Get-MSolUser -All; Get-MSolGroup -All; Get-MSolGroupMember -GroupObjectId <GUID> | gl
How to automate tasks in Azure. Get-AzAutomationAccount; Get-AzAutomationRunbook -AutomationAccountName <name> -ResourceGroupName <groupname>
Export-AzAutomationRunbook -AutomationAccountName <name> -ResourceGroupName <name> -Name <name> -OutputFolder .\Desktop\
$cred = Get-Credential
O365 customer? That service sets up 200+ service principals (ex. Microsoft Graph, SharePoint, etc). If you have an application administrator account, it can change passwords for service principals that has more privileges.
aws ec2 create-instance-export-task --instance-id i-0ea3fb1f63fd5d3ec --target-environment vmware --export-to-s3-task "file://C:\Temp\aws.json"