Wednesday, September 14, 2022

Bishop Fox Releases Cloud Enumeration Software CloudFox

Bishop Fox released CloudFox, a command-line security tool to help penetration testers and security practitioners find potential attack paths within their cloud infrastructure.

The main inspiration for CloudFox was to create something like PowerView for cloud infrastructure, Bishop Fox consultants Seth Art and Carlos Vendramini wrote in a blog post announcing the tool. PowerView, a PowerShell tool used to gain network situational awareness in Active Directory environments, gives penetration testers the ability to enumerate the machine and the Windows Domain.

For example, Art and Vendramini described how CloudFox could be used to automate various tasks penetration testers would perform as part of an engagement, such as looking for credentials associated with Amazon Relational Database Service (RDS), tracking down the specific database instance associated with those credentials, and identifying the users who have access to those credentials. In that scenario, Art and Vendramini noted that CloudFox can be used to understand who, whether specific users or user groups, could potentially exploit that misconfiguration (in this case, the exposed RDS credentials) and carry out an attack (such as stealing data from the database).

The tool currently only supports Amazon Web Services, but support for Azure, Google Cloud Platform, and Kubernetes is on the roadmap, the company said.

Bishop Fox created a custom policy to use alongside the Security Auditor policy in Amazon Web Services that grants CloudFox all the necessary permissions. All CloudFox commands are read-only, meaning that executing them won't change anything in the cloud environment.

“You can rest assured that nothing will be created, deleted, or updated,” Art and Vendramini wrote.

Some commands include:

  • inventory: figures out which regions are used in the target account and provides a rough size of the account by counting the number of resources in each service.
  • endpoints: enumerates service endpoints for multiple services at the same time. Output can be fed into other tools such as Aquatone, gowitness, gobuster, and ffuf.
  • instances: generates a list of all public and private IP addresses associated with the Amazon Elastic Compute Cloud (EC2) instances, with names and instance profiles. Output can be used as input for nmap.
  • access-keys: returns a list of active access keys for all users. This list can be useful for cross-referencing a key to identify which in-scope account the key belongs to.
  • buckets: identifies the buckets in the account. There are other commands that can be used to inspect the buckets further.
  • secrets: lists secrets from AWS Secrets Manager and AWS Systems Manager (SSM). This list can also be used to cross-reference secrets to find out who has access to them.
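The "who has access to this secret" question behind both the RDS-credential scenario above and the `secrets` command's cross-referencing step comes down to evaluating IAM policies against one secret ARN. The following is an added example, written for this page and not code from CloudFox or Bishop Fox, that shows the core of that evaluation: the users, policy documents, account ID and secret ARN are all constructed sample data, and the evaluator is deliberately simplified (identity policies only; explicit Deny overrides Allow; `NotAction`, `Condition`, resource policies, permission boundaries, SCPs, groups and roles are ignored).

```python
import fnmatch

# Constructed sample data: four IAM users and the identity policies attached to
# them, shaped like IAM policy documents. The account ID and ARNs are made up.
USERS = {
    "alice": [
        {"Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
             "Resource": "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/rds/*"}]}
    ],
    "bob": [
        {"Statement": [
            {"Effect": "Allow", "Action": ["secretsmanager:*"], "Resource": "*"},
            # A broad Allow is undone for production secrets by an explicit Deny.
            {"Effect": "Deny", "Action": "secretsmanager:GetSecretValue",
             "Resource": "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/*"}]}
    ],
    "carol": [
        {"Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*"}]}
    ],
    "dave": [
        {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    ],
}

# Constructed ARN of the secret holding the (hypothetical) RDS credentials.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/rds/app-db-AbCdEf"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' matches any run of characters, '?' a single one.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource elements both cover the request."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_iam_match(a, action, case_insensitive=True) for a in actions)
            and any(_iam_match(r, resource) for r in resources))


def policy_decision(policies, action, resource):
    """Simplified identity-policy evaluation: any matching explicit Deny wins,
    otherwise a matching Allow grants, otherwise the request is implicitly denied."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def who_can(action, resource, users=USERS):
    """Cross-reference one secret against every user: the list an auditor wants
    when deciding whether a credential's blast radius is larger than intended."""
    return sorted(name for name, policies in users.items()
                  if policy_decision(policies, action, resource) == "Allow")


if __name__ == "__main__":
    action = "secretsmanager:GetSecretValue"
    for name, policies in USERS.items():
        print(f"{name:6} {policy_decision(policies, action, SECRET_ARN)}")
    print("can read the secret:", who_can(action, SECRET_ARN))
```

On the sample data the report shows `alice` (scoped Allow) and `dave` (`*`/`*`) able to read the secret, `bob` blocked by his explicit Deny, and `carol` implicitly denied. A real review has to add the parts this evaluator leaves out, in particular the secret's resource policy and any `Condition` keys, and should treat a `*`/`*` principal like `dave` as the least-privilege finding it is.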

“Finding attack paths in complex cloud environments can be difficult and time consuming,” Art and Vendramini wrote, noting that most tools for analyzing cloud environments focus on security baseline compliance. “Our primary audience is penetration testers, but we think CloudFox will be useful for all cloud security practitioners.”
