Major Cloud Attack Methods

Methods on Attacking Azure and AWS Cloud

1. Weak IAM Misconfigurations and Role Escalation

1.1. Found by analyzing IAM policies to identify roles with excessive permissions

1.1.1. Pacu (AWS exploitation framework) can simulate attacks and identify privilege escalation paths

1.2. Tools

1.2.1. Pacu

1.2.2. CloudMapper

1.2.3. WeirdAAL

1.2.4. IAM Vulnerable

2. Exploiting Cross-Account Roles and Trust Relationships: a misconfigured cross-account role can allow unauthorized access to another account's resources.

3. Credential Hijacking

3.1. Password Spraying

3.2. Brute Force

3.3. Credential Stuffing

4. Exploiting Serverless Functions

4.1. Analyze the code for vulnerabilities, perform injection attacks, or test function permissions using tools like AWS Lambda Security Scanner

4.1.1. lambda

4.1.1.1. Executes function by function

4.1.1.2. Exposed to the internet via API Gateway

4.2. Vulnerable to injection attacks, improper access controls, or excessive permissions.

5. Exposed Services

5.1. AWS Cognito

5.1.1. User Pools

5.1.1.1. aws cognito-identity get-id --identity-pool-id 'region:pool_id'

5.1.2. Identity Pools

5.1.2.1. aws cognito-identity get-credentials-for-identity --identity-id 'Identity'

5.1.3. Attacks

5.1.3.1. Signup Allowed

5.1.3.1.1. aws cognito-idp sign-up --client-id <client_id> --username [email protected] --password P@ssw0rd1 --user-attributes Name="email",Value="[email protected]" Name="name",Value="user"

5.1.3.1.2. aws cognito-idp confirm-sign-up --client-id <client_id> --username [email protected] --confirmation-code XXXXX

5.1.3.1.3. Login

5.1.3.1.4. Get Credentials

5.1.3.2. Cognito Login

5.1.3.2.1. The resulting idToken in localStorage is the item of interest; login can return an error because the new user has no profile yet

5.2. Azure AD/Services

5.2.1. Azure AD

5.2.1.1. Authentication Method

5.2.1.1.1. PHS: (Password Hash Synchronization)

5.2.1.1.2. PTA: (Pass Through Authentication)

5.2.1.1.3. ADFS: (AD Federation Service)

5.2.1.2. Authenticated Enumeration

5.2.1.2.1. Identities

5.2.1.2.2. Resources

5.2.1.2.3. Tools

5.2.1.3. Unauthenticated Enumeration

5.2.1.3.1. Identify if Domain is part of AD

5.2.1.3.2. Discover Various Cloud Assets hosted on Azure

5.2.1.3.3. Enumerate Valid users via multiple API endpoints

5.2.1.4. Unauthenticated Recon

5.2.1.5. Gaining Foothold

5.2.1.5.1. Password Spray

5.2.1.6. Authenticated Recon

5.2.1.7. Abusing privileges

5.2.1.8. Lateral and Horizontal Escalation

5.2.2. Azure KeyVault

5.2.2.1. Secrets

5.2.2.1.1. tokens

5.2.2.1.2. passwords

5.2.2.1.3. Api Keys

5.2.2.2. Keys

5.2.2.2.1. encryption keys

5.2.2.3. Certificate

5.2.2.3.1. Public and private TLS/SSL certificates

5.2.3. Azure SQL Database

5.2.3.1. MS-SQL instance

5.2.3.2. Hosted under database.windows.net

6. SSRF

6.1. IaaS

6.1.1. File uploaders, avatar fetchers, RSS feed parsers, PDF generation services

6.1.2. Import/Export Features

6.1.3. External APIs that let users input a URL

6.1.4. Exploit SSRF to grab sensitive information from the AWS, Azure, or Google Cloud metadata service

6.1.4.1. AWS

6.1.4.1.1. http://169.254.169.254/latest/meta-data/iam/security-credentials/

6.1.4.1.2. http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

6.1.4.2. Azure

6.1.4.2.1. curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-01-01"

6.1.4.2.2. curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2021-01-01&resource=https://management.azure.com/"

6.1.4.3. Google Cloud

6.1.4.3.1. curl "http://metadata.google.internal/computeMetadata/v1/instance/" -H "Metadata-Flavor: Google"

6.2. SaaS

6.2.1. Internal API and Admin interface

6.2.2. 3rd party integrations

6.2.3. intra-application SSRF

6.3. PaaS

6.3.1. Internal APIs and Services

6.3.2. Service bindings and cloud secrets

6.3.3. Metadata endpoint

6.3.3.1. Google cloud: http://169.254.169.254/computeMetadata/v1

7. Attacking Misconfigurations

7.1. Misconfigured Storage Buckets (S3 buckets can expose sensitive data to the public)

7.1.1. AWS CLI, S3Scanner and Bucket Finder can find publicly accessible S3 buckets that expose sensitive data or have improper permissions

7.2. Exposed management interfaces like the AWS Management Console or Azure Portal with no or weak MFA

7.3. Tools

7.3.1. S3Scanner

7.3.2. AWS BucketDump

7.3.3. GCP Bucket Brute

7.3.4. Scoutsuite, CloudMapper, Prowler

7.3.5. CloudFox

7.3.5.1. Situational awareness, loot folder

7.3.6. CloudSploit

7.3.7. Prowler

8. Insecure Storage

8.1. Providers

8.1.1. AWS: Simple Storage Service (S3)

8.1.2. Azure: Azure Storage

8.1.3. GCP: Google Cloud Storage

8.2. Common Modes

8.2.1. Anonymous Access

8.2.2. Authenticated Access

8.2.3. Restricted to Specific ID

8.3. Attack Surface

8.3.1. Anonymous access granted on bucket

8.3.2. Misconfigured write access for a resource

8.3.3. Restricted to auth user (any authenticated user)

8.3.4. Lax IAM Rules/Policies giving access to data

8.4. AWS Storage Buckets

8.4.1. Access AWS buckets

8.4.1.1. https://s3.amazonaws.com/bucket_name

8.4.1.2. https://<bucketname>.s3.amazonaws.com

8.4.2. Bucket Enumeration possible via difference in error messages

8.4.2.1. https://s3.amazonaws.com/bucket_name/

8.4.3. REST-style URLs now need the region included

8.4.3.1. https://s3.<region>.amazonaws.com/<bucket_name>/

8.4.4. Tools

8.4.4.1. S3Scanner

8.4.4.2. Bucket-stream

8.4.4.3. CloudScraper

8.4.4.4. S3-inspector

8.4.4.5. Buckets.grayhatwarfare.com

8.5. Azure Storage Account

8.5.1. Azure storage can be accessed by

8.5.1.1. https://<storagename>.blob.core.windows.net/<container>

8.5.2. Container Content can be listed at

8.5.2.1. https://<storagename>.blob.core.windows.net/<container>?restype=container&comp=list

8.5.3. Container content can be directly read via web url

8.5.3.1. https://<storagename>.blob.core.windows.net/<container>/<file>

8.5.4. Contains

8.5.4.1. Blobs

8.5.4.2. Queues

8.5.4.3. Tables

8.5.4.4. Files

8.5.5. URLs

8.5.5.1. https://<accountname>.<service>.core.windows.net/?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2019-09-30T17:13:23Z&st=2019-09-30T09:13:23Z&sip=88.208.222.83&spr=https&sig=LCoN4d%2B%2BZSzPtPO71fMS34k%2FhLf2Wjen9pzhlAGFfPU%3D
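As an added example (not part of the mind map), the following Python decodes the query parameters of an account SAS URL shaped like the one above and flags the settings a defender reviewing a shared or leaked URL would question; the storage account name and the signature are constructed placeholders.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Constructed sample shaped like the SAS URL in the mind map; "sig" is a placeholder, not a real HMAC.
SAMPLE_SAS_URL = (
    "https://exampleacct.blob.core.windows.net/?sv=2018-03-28&ss=bfqt&srt=sco"
    "&sp=rwdlacup&se=2019-09-30T17:13:23Z&st=2019-09-30T09:13:23Z"
    "&sip=88.208.222.83&spr=https&sig=PLACEHOLDER"
)

SERVICES = {"b": "blob", "f": "file", "q": "queue", "t": "table"}  # ss (signed services) codes
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}  # srt (resource types) codes
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list", "a": "add",
               "c": "create", "u": "update", "p": "process"}  # sp (permissions) codes
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def decode_sas(url: str) -> dict:
    """Expand the query parameters of an account SAS URL into readable fields."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return {
        "services": [SERVICES.get(c, c) for c in q.get("ss", "")],
        "resource_types": [RESOURCE_TYPES.get(c, c) for c in q.get("srt", "")],
        "permissions": [PERMISSIONS.get(c, c) for c in q.get("sp", "")],
        "start": q.get("st"),
        "expiry": q.get("se"),
        "allowed_ips": q.get("sip"),
        "protocol": q.get("spr"),
    }


def review_sas(url: str, max_hours: int = 24) -> list:
    """Findings a reviewer would raise: modifying rights, long validity, no IP or HTTPS limit."""
    sas = decode_sas(url)
    findings = []
    modifying = {"write", "delete", "add", "create", "update"} & set(sas["permissions"])
    if modifying:
        findings.append(f"grants modifying permissions: {sorted(modifying)}")
    if sas["expiry"] is None:
        findings.append("no expiry (se) set")
    else:
        end = datetime.strptime(sas["expiry"], TIME_FMT).replace(tzinfo=timezone.utc)
        start = (datetime.strptime(sas["start"], TIME_FMT).replace(tzinfo=timezone.utc)
                 if sas["start"] else datetime.now(timezone.utc))  # no st: valid immediately
        if (end - start).total_seconds() > max_hours * 3600:
            findings.append(f"valid for more than {max_hours} hours")
    if not sas["allowed_ips"]:
        findings.append("no IP restriction (sip)")
    if sas["protocol"] != "https":
        findings.append("not restricted to HTTPS (spr)")
    return findings
```

For the sample URL the only finding is the broad write set, since the token is IP-bound, HTTPS-only and valid for eight hours.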

8.6. Tools

8.6.1. URL Scraper

8.6.1.1. Extracts out cloud URLs from HTML source of the website https://github.com/jordanpotti/CloudScraper

8.6.2. Bucket Enumeration

8.6.2.1. Cloud_enum: https://github.com/initstring/cloud_enum

9. Containers

9.1. Kubernetes

9.1.1. Attack

9.1.1.1. Enumeration

9.1.1.1.1. List cluster details: kubectl cluster-info

9.1.1.1.2. List all resources (pods, namespaces, services): kubectl get all

9.1.1.1.3. Information about a pod, service or deployment: kubectl describe pod|service|deployment <name>

9.1.1.1.4. Run nginx as a deployment: kubectl run nginx --image=nginx

9.1.1.1.5. Create a Kubernetes resource from a file: kubectl create -f ./input_file.yaml

9.1.1.2. Attack surface

9.1.1.2.1. Token: /var/run/secrets/kubernetes.io/serviceaccount/token

9.1.1.2.2. curl -sk https://192.168.99.101:10250/runningpods/

9.1.2. Nodes

9.1.2.1. Can be a virtual or Physical Machine

9.1.3. Kubernetes Control Plane

9.1.3.1. Kube controller manager

9.1.3.1.1. Manages several controllers

9.1.3.2. Cloud controller manager

9.1.4. Tools

9.1.4.1. Kube Scheduler

9.1.4.2. Kube API Server (the attack surface): serves the Kubernetes API

9.1.4.3. kube-proxy

9.1.4.4. kubelet

9.1.4.5. kubectl

9.1.4.6. kubeadm

9.1.4.7. Labels - Labels for identifying pods

9.1.4.8. Proxy - A load balancer for pods

9.1.4.9. etcd - Metadata service (key-value store)

9.1.4.10. Replication Controller - Manages replication of pods

9.1.4.11. JWT OpenID Connect

9.2. Sources

9.2.1. Secrets

9.2.2. Tokens

9.2.3. Passwords

9.2.4. Source Code

9.2.5. Connection Strings

9.3. Write Access

9.3.1. Pull a docker image.

9.3.2. Update the code (backdoor)

9.3.3. Build and push the Image

9.4. Container escape attacks

9.5. Insecure Container Configs