Friday, October 7, 2022
HomeHackerAutomating Situational Consciousness For Cloud Penetration Exams

Automating Situational Consciousness For Cloud Penetration Exams




CloudFox helps you achieve situational consciousness in unfamiliar cloud environments. It’s an open supply command line device created to assist penetration testers and different offensive safety professionals discover exploitable assault paths in cloud infrastructure.

CloudFox helps you reply the next widespread questions (and plenty of extra):

  • What areas is that this AWS account utilizing and roughly what number of sources are within the account?
  • What secrets and techniques are lurking in EC2 userdata or service particular atmosphere variables?
  • What actions/permissions does this [principal] have?
  • What roles trusts are overly permissive or enable cross-account assumption?
  • What endpoints/hostnames/IPs can I assault from an exterior start line (public web)?
  • What endpoints/hostnames/IPs can I assault from an inside start line (assumed breach inside the VPC)?
  • What filesystems can I probably mount from a compromised useful resource contained in the VPC?

Fast Begin

CloudFox is modular (you’ll be able to run one command at a time), however there may be an aws all-checks command that can run the opposite aws instructions for you with sane defaults:

cloudfox aws --profile [profile-name] all-checks

CloudFox is designed to be executed by a principal with restricted read-only permissions, but it surely’s function is that can assist you discover assault paths that may be exploited in simulated compromise eventualities (aka, goal based mostly penetration testing).

For the complete documentation please confer with our wiki.

Supported Cloud Suppliers

Supplier CloudFox Instructions
AWS 15
Azure 2 (alpha)
GCP Assist Deliberate
Kubernetes Assist Deliberate

Choice 1: Obtain the newest binary launch in your platform.

Choice 2: Set up Go, clone the CloudFox repository and compile from supply

# git clone https://github.com/BishopFox/cloudfox.git
...omitted for brevity...
# cd ./cloudfox
# go construct .
# ./cloudfox

AWS

  • AWS CLI put in
  • Helps AWS profiles, AWS atmosphere variables, or metadata retrieval (on an ec2 occasion)
  • A principal with one really useful insurance policies connected (described under)
  • Advisable connected insurance policies: SecurityAudit + CloudFox customized coverage

Further coverage notes (as of 09/2022):

Coverage Notes
CloudFox customized coverage Has an entire checklist of each permission cloudfox makes use of and nothing else
arn:aws:iam::aws:coverage/SecurityAudit Covers most cloudfox checks however is lacking newer companies or permissions like apprunner:*, grafana:*, lambda:GetFunctionURL, lightsail:GetContainerServices
arn:aws:iam::aws:coverage/job-function/ViewOnlyAccess Covers most cloudfox checks however is lacking newer companies or permissions like AppRunner:*, grafana:*, lambda:GetFunctionURL, lightsail:GetContainerServices – and can be lacking iam:SimulatePrincipalPolicy.
arn:aws:iam::aws:coverage/ReadOnlyAccess Solely lacking AppRunner, but in addition grants issues like “s3:Get*” which could be overly permissive.
arn:aws:iam::aws:coverage/AdministratorAccess It will work simply positive with CloudFox, however in case you had been handed this stage of entry as a penetration tester, that ought to in all probability be a discovering in itself 🙂

Azure

  • Viewer or comparable permissions utilized.
Supplier Command Identify Description
AWS all-checks Run the entire different instructions utilizing cheap defaults. You may
nonetheless need to take a look at the non-default choices of every command, however
this can be a great spot to begin.
AWS access-keys Lists lively entry keys for all customers. Helpful for cross referencing a key you discovered with which in-scope account it belongs to.
AWS buckets Lists the buckets within the account and provides you useful instructions for inspecting them additional.
AWS ecr Checklist probably the most lately pushed picture URI from all repositories. Use
the loot file to drag chosen pictures down with docker/nerdctl for
inspection.
AWS endpoints Enumerates endpoints from varied companies. Scan these endpoints
from each an inside and exterior place to search for issues that
do not require authentication, are misconfigured, and so forth.
AWS env-vars Grabs the atmosphere variables from companies which have them (App
Runner, ECS, Lambda, Lightsail containers, Sagemaker are supported. If
you discover a delicate secret, use cloudfox iam-simulator AND pmapper to see who has entry to them.
AWS filesystems Enumerate the EFS and FSx filesystems that you just would possibly be capable of
mount with out creds (if in case you have the proper community entry). For instance,
that is helpful when you’ve got ec:RunInstance however not iam:PassRole.
AWS iam-simulator Like pmapper, however makes use of the IAM coverage simulator. It makes use of AWS’s
analysis logic, however notably, it does not take into account transitive entry by way of
privesc, which is why you must also at all times additionally use pmapper.
AWS cases Enumerates helpful data for EC2 Cases in all areas like
identify, public/non-public IPs, and occasion profiles. Generates loot information
you’ll be able to feed to nmap and different instruments for service enumeration.
AWS stock Achieve a tough understanding of measurement of the account and most popular areas.
AWS outbound-assumed-roles Checklist the roles which have been assumed by principals on this account.
This is a wonderful approach to discover outbound assault paths that lead into
different accounts.
AWS permissions Enumerates IAM permissions related to all customers and roles. Grep
this output to determine what permissions a selected principal has
somewhat than logging into the AWS console and painstakingly increasing
every coverage connected to the principal you’re investigating.
AWS principals Enumerates IAM customers and Roles so you’ve got the info at your fingertips.
AWS role-trusts Enumerates IAM function belief insurance policies so you’ll be able to search for overly
permissive function trusts or discover roles that belief a selected service.
AWS route53 Enumerate all information from all route53 managed zones. Use this for utility and repair enumeration.
AWS secrets and techniques Checklist secrets and techniques from SecretsManager and SSM. Search for attention-grabbing
secrets and techniques within the checklist after which see who has entry to them utilizing use cloudfox iam-simulator and/or pmapper.
Azure instances-map Enumerates helpful data for Compute cases in all accessible useful resource teams and subscriptions
Azure rbac-map Enumerates Position Assignments for all tenants

Wiki – Contribute

  • AWS – Add help for GovCloud and China areas
  • AWS – Add help for hardcoded area (which might override the default of trying in each area)

How does CloudFox examine with ScoutSuite, Prowler, Steampipe’s AWS Compliance Module, AWS Safety Hub, and so forth.

CloudFox does not create any alerts or findings, and
does not verify your atmosphere for compliance to a baseline or
benchmark. As an alternative, it merely allows you to be extra environment friendly throughout
your guide penetration testing actions. If offers you the data
you will probably must validate whether or not an assault path is feasible or
not.

Why do I see errors in some CloudFox instructions?

  • Providers that do not exist in all areas – CloudFox at present makes
    the identical API calls to each area. Nevertheless, not all areas help all
    companies. As an illustration, companies like Appstream and AWS Grafana are
    solely supported in a subset of the whole areas. Sooner or later, we plan
    to make CloudFox conscious of which companies run in every area.
  • You do not have permission – One more reason you would possibly see errors if
    you do not have permissions to make calls that CloudFox is making. Both
    as a result of the coverage does not enable it (e.g., SecurityAudit does not enable
    the entire permissions CloudFox wants. Or, it could be an SCP that’s
    blocking you.

You may at all times look within the ~/.cloudfox/cloudfox-error.log file to get extra data on errors.

  • SmogCloud – Inspiration for the endpoints command
  • SummitRoute’s AWS Exposable Sources – Inspiration for the endpoints command
  • Steampipe – We
    used steampipe to prototype many cloudfox instructions. Whereas CloudFox is
    laser centered on serving to cloud penetration testers, steampipe is a straightforward
    approach to question any and all your cloud sources.
  • Principal Mapper – Inspiration for, and a strongly really useful companion to the iam-simulator command
  • Cloudsplaining – Inspiration for the permissions command
  • ScoutSuite – Glorious cloud safety benchmark device. Supplied inspiration for the --userdata performance within the cases command, the permissions command, and plenty of others
  • Prowler – One other wonderful cloud safety benchmark device.
  • Pacu
    Glorious cloud penetration testing device. PACU has fairly just a few
    enumeration instructions much like CloudFox, and plenty of different instructions
    that automate exploitation duties (one thing that CloudFox avoids by
    design)
  • CloudMapper – Inspiration for the stock command and simply typically CloudFox as an entire



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments