CloudFox helps you achieve situational consciousness in unfamiliar cloud environments. It’s an open supply command line device created to assist penetration testers and different offensive safety professionals discover exploitable assault paths in cloud infrastructure.
CloudFox helps you reply the next widespread questions (and plenty of extra):
- What areas is that this AWS account utilizing and roughly what number of sources are within the account?
- What secrets and techniques are lurking in EC2 userdata or service particular atmosphere variables?
- What actions/permissions does this [principal] have?
- What roles trusts are overly permissive or enable cross-account assumption?
- What endpoints/hostnames/IPs can I assault from an exterior start line (public web)?
- What endpoints/hostnames/IPs can I assault from an inside start line (assumed breach inside the VPC)?
- What filesystems can I probably mount from a compromised useful resource contained in the VPC?
Fast Begin
CloudFox is modular (you’ll be able to run one command at a time), however there may be an aws all-checks command that can run the opposite aws instructions for you with sane defaults:
cloudfox aws --profile [profile-name] all-checks
CloudFox is designed to be executed by a principal with restricted read-only permissions, but it surely’s function is that can assist you discover assault paths that may be exploited in simulated compromise eventualities (aka, goal based mostly penetration testing).
For the complete documentation please confer with our wiki.
Supported Cloud Suppliers
| Supplier | CloudFox Instructions |
|---|---|
| AWS | 15 |
| Azure | 2 (alpha) |
| GCP | Assist Deliberate |
| Kubernetes | Assist Deliberate |
Choice 1: Obtain the newest binary launch in your platform.
Choice 2: Set up Go, clone the CloudFox repository and compile from supply
# git clone https://github.com/BishopFox/cloudfox.git
...omitted for brevity...
# cd ./cloudfox
# go construct .
# ./cloudfox
AWS
- AWS CLI put in
- Helps AWS profiles, AWS atmosphere variables, or metadata retrieval (on an ec2 occasion)
- A principal with one really useful insurance policies connected (described under)
- Advisable connected insurance policies:
SecurityAudit+ CloudFox customized coverage
Further coverage notes (as of 09/2022):
| Coverage | Notes |
|---|---|
| CloudFox customized coverage | Has an entire checklist of each permission cloudfox makes use of and nothing else |
arn:aws:iam::aws:coverage/SecurityAudit |
Covers most cloudfox checks however is lacking newer companies or permissions like apprunner:*, grafana:*, lambda:GetFunctionURL, lightsail:GetContainerServices |
arn:aws:iam::aws:coverage/job-function/ViewOnlyAccess |
Covers most cloudfox checks however is lacking newer companies or permissions like AppRunner:*, grafana:*, lambda:GetFunctionURL, lightsail:GetContainerServices – and can be lacking iam:SimulatePrincipalPolicy. |
arn:aws:iam::aws:coverage/ReadOnlyAccess |
Solely lacking AppRunner, but in addition grants issues like “s3:Get*” which could be overly permissive. |
arn:aws:iam::aws:coverage/AdministratorAccess |
It will work simply positive with CloudFox, however in case you had been handed this stage of entry as a penetration tester, that ought to in all probability be a discovering in itself 🙂 |
Azure
- Viewer or comparable permissions utilized.
| Supplier | Command Identify | Description |
|---|---|---|
| AWS | all-checks | Run the entire different instructions utilizing cheap defaults. You may nonetheless need to take a look at the non-default choices of every command, however this can be a great spot to begin. |
| AWS | access-keys | Lists lively entry keys for all customers. Helpful for cross referencing a key you discovered with which in-scope account it belongs to. |
| AWS | buckets | Lists the buckets within the account and provides you useful instructions for inspecting them additional. |
| AWS | ecr | Checklist probably the most lately pushed picture URI from all repositories. Use the loot file to drag chosen pictures down with docker/nerdctl for inspection. |
| AWS | endpoints | Enumerates endpoints from varied companies. Scan these endpoints from each an inside and exterior place to search for issues that do not require authentication, are misconfigured, and so forth. |
| AWS | env-vars | Grabs the atmosphere variables from companies which have them (App Runner, ECS, Lambda, Lightsail containers, Sagemaker are supported. If you discover a delicate secret, use cloudfox iam-simulator AND pmapper to see who has entry to them. |
| AWS | filesystems | Enumerate the EFS and FSx filesystems that you just would possibly be capable of mount with out creds (if in case you have the proper community entry). For instance, that is helpful when you’ve got ec:RunInstance however not iam:PassRole. |
| AWS | iam-simulator | Like pmapper, however makes use of the IAM coverage simulator. It makes use of AWS’s analysis logic, however notably, it does not take into account transitive entry by way of privesc, which is why you must also at all times additionally use pmapper. |
| AWS | cases | Enumerates helpful data for EC2 Cases in all areas like identify, public/non-public IPs, and occasion profiles. Generates loot information you’ll be able to feed to nmap and different instruments for service enumeration. |
| AWS | stock | Achieve a tough understanding of measurement of the account and most popular areas. |
| AWS | outbound-assumed-roles | Checklist the roles which have been assumed by principals on this account. This is a wonderful approach to discover outbound assault paths that lead into different accounts. |
| AWS | permissions | Enumerates IAM permissions related to all customers and roles. Grep this output to determine what permissions a selected principal has somewhat than logging into the AWS console and painstakingly increasing every coverage connected to the principal you’re investigating. |
| AWS | principals | Enumerates IAM customers and Roles so you’ve got the info at your fingertips. |
| AWS | role-trusts | Enumerates IAM function belief insurance policies so you’ll be able to search for overly permissive function trusts or discover roles that belief a selected service. |
| AWS | route53 | Enumerate all information from all route53 managed zones. Use this for utility and repair enumeration. |
| AWS | secrets and techniques | Checklist secrets and techniques from SecretsManager and SSM. Search for attention-grabbing secrets and techniques within the checklist after which see who has entry to them utilizing use cloudfox iam-simulator and/or pmapper. |
| Azure | instances-map | Enumerates helpful data for Compute cases in all accessible useful resource teams and subscriptions |
| Azure | rbac-map | Enumerates Position Assignments for all tenants |
- AWS – Add help for GovCloud and China areas
- AWS – Add help for hardcoded area (which might override the default of trying in each area)
How does CloudFox examine with ScoutSuite, Prowler, Steampipe’s AWS Compliance Module, AWS Safety Hub, and so forth.
CloudFox does not create any alerts or findings, and
does not verify your atmosphere for compliance to a baseline or
benchmark. As an alternative, it merely allows you to be extra environment friendly throughout
your guide penetration testing actions. If offers you the data
you will probably must validate whether or not an assault path is feasible or
not.
Why do I see errors in some CloudFox instructions?
- Providers that do not exist in all areas – CloudFox at present makes
the identical API calls to each area. Nevertheless, not all areas help all
companies. As an illustration, companies like Appstream and AWS Grafana are
solely supported in a subset of the whole areas. Sooner or later, we plan
to make CloudFox conscious of which companies run in every area. - You do not have permission – One more reason you would possibly see errors if
you do not have permissions to make calls that CloudFox is making. Both
as a result of the coverage does not enable it (e.g., SecurityAudit does not enable
the entire permissions CloudFox wants. Or, it could be an SCP that’s
blocking you.
You may at all times look within the ~/.cloudfox/cloudfox-error.log file to get extra data on errors.
- SmogCloud – Inspiration for the
endpointscommand - SummitRoute’s AWS Exposable Sources – Inspiration for the
endpointscommand - Steampipe – We
used steampipe to prototype many cloudfox instructions. Whereas CloudFox is
laser centered on serving to cloud penetration testers, steampipe is a straightforward
approach to question any and all your cloud sources. - Principal Mapper – Inspiration for, and a strongly really useful companion to the
iam-simulatorcommand - Cloudsplaining – Inspiration for the
permissionscommand - ScoutSuite – Glorious cloud safety benchmark device. Supplied inspiration for the
--userdataperformance within thecasescommand, thepermissionscommand, and plenty of others - Prowler – One other wonderful cloud safety benchmark device.
- Pacu –
Glorious cloud penetration testing device. PACU has fairly just a few
enumeration instructions much like CloudFox, and plenty of different instructions
that automate exploitation duties (one thing that CloudFox avoids by
design) - CloudMapper – Inspiration for the
stockcommand and simply typically CloudFox as an entire
