Cloud hacking techniques

This mindmap includes information about the top methodologies used to hack the Cloud


1. Specific Services

1.1. Storage

1.1.1. Providers

1.1.1.1. AWS: Simple Storage Service (S3)

1.1.1.2. Azure: Azure Storage

1.1.1.3. GCP: Google Cloud Storage

1.1.2. Common Modes

1.1.2.1. Anonymous Access

1.1.2.2. Authenticated Access

1.1.2.3. Restricted to Specific ID

1.1.3. Attack Surface

1.1.3.1. Anonymous access granted on bucket

1.1.3.2. Misconfigured write access for a resource

1.1.3.3. Restricted to auth user (any authenticated user)

1.1.3.4. Lax IAM Rules/Policies giving access to data

1.1.4. AWS Storage Buckets

1.1.4.1. Access AWS buckets

1.1.4.1.1. https://s3.amazonaws.com/bucket_name

1.1.4.1.2. https://<bucketname>.s3.amazonaws.com

1.1.4.2. Bucket Enumeration possible via difference in error messages

1.1.4.2.1. https://s3.amazonaws.com/bucket_name/

1.1.4.3. REST-style URLs now need the region included

1.1.4.3.1. https://s3.<region>.amazonaws.com/<bucket_name>/

1.1.4.4. Tools

1.1.4.4.1. S3Scanner

1.1.4.4.2. Bucket-stream

1.1.4.4.3. CloudScraper

1.1.4.4.4. S3-inspector

1.1.4.4.5. Buckets.grayhatwarfare.com

1.1.5. Azure Storage Account

1.1.5.1. Azure storage can be accessed at

1.1.5.1.1. https://<storagename>.blob.core.windows.net/<container>

1.1.5.2. Container Content can be listed at

1.1.5.2.1. https://<storagename>.blob.core.windows.net/<container>?restype=container&comp=list

1.1.5.3. Container content can be read directly via its web URL

1.1.5.3.1. https://<storagename>.blob.core.windows.net/<container>/<file>

1.1.5.4. Contains

1.1.5.4.1. Blobs

1.1.5.4.2. Queues

1.1.5.4.3. Tables

1.1.5.4.4. Files

1.1.5.5. URLs

1.1.5.5.1. https://<accountname>.<service>.core.windows.net/?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2019-09-30T17:13:23Z&st=2019-09-30T09:13:23Z&sip=88.208.222.83&spr=https&sig=LCoN4d%2B%2BZSzPtPO71fMS34k%2FhLf2Wjen9pzhlAGFfPU%3D

1.1.6. Tools

1.1.6.1. URL Scraper

1.1.6.1.1. Extracts cloud URLs from the HTML source of a website: https://github.com/jordanpotti/CloudScraper

1.1.6.2. Bucket Enumeration

1.1.6.2.1. Cloud_enum: https://github.com/initstring/cloud_enum

1.2. Azure AD/Services

1.2.1. Azure AD

1.2.1.1. Authentication Method

1.2.1.1.1. PHS: (Password Hash Synchronization)

1.2.1.1.2. PTA: (Pass Through Authentication)

1.2.1.1.3. ADFS: (AD Federation Service)

1.2.1.2. Authenticated Enumeration

1.2.1.2.1. Identities

1.2.1.2.2. Resources

1.2.1.2.3. Tools

1.2.1.3. Unauthenticated Enumeration

1.2.1.3.1. Identify if Domain is part of AD

1.2.1.3.2. Discover Various Cloud Assets hosted on Azure

1.2.1.3.3. Enumerate Valid users via multiple API endpoints

1.2.1.4. Unauthenticated Recon

1.2.1.5. Gaining Foothold

1.2.1.5.1. Password Spray

1.2.1.6. Authenticated Recon

1.2.1.7. Abusing privileges

1.2.1.8. Lateral and Horizontal Escalation

1.2.2. Azure KeyVault

1.2.2.1. Secrets

1.2.2.1.1. Tokens

1.2.2.1.2. Passwords

1.2.2.1.3. API keys

1.2.2.2. Keys

1.2.2.2.1. Encryption keys

1.2.2.3. Certificate

1.2.2.3.1. Public and private TLS/SSL certificates

1.2.3. Azure SQL Database

1.2.3.1. MS-SQL instance

1.2.3.2. Hosted under database.windows.net

1.3. AWS Cognito

1.3.1. User Pools

1.3.1.1. aws cognito-identity get-id --identity-pool-id 'region:pool_id'

1.3.2. Identity Pools

1.3.2.1. aws cognito-identity get-credentials-for-identity --identity-id 'Identity'

1.3.3. Attacks

1.3.3.1. Signup Allowed

1.3.3.1.1. aws cognito-idp sign-up --client-id <client_id> --username [email protected] --password P@ssw0rd1 --user-attributes Name="email",Value="[email protected]" Name="name",Value="user"

1.3.3.1.2. aws cognito-idp confirm-sign-up --client-id <client_id> --username [email protected] --confirmation-code XXXXX

1.3.3.1.3. Login

1.3.3.1.4. Get Credentials

1.3.3.2. Cognito Login

1.3.3.2.1. The resulting .idToken is the local storage item of interest. Login can return an error because the newly created user does not yet have a profile.

1.4. Containers

1.4.1. Kubernetes

1.4.1.1. Attack

1.4.1.1.1. Enumeration

1.4.1.1.2. Attack surface

1.4.1.2. Nodes

1.4.1.2.1. Can be a virtual or physical machine

1.4.1.2.2. Containers

1.4.1.3. Kubernetes Control Plane

1.4.1.3.1. Kube controller manager

1.4.1.3.2. Cloud controller manager

1.4.1.4. Tools

1.4.1.4.1. Kube Scheduler

1.4.1.4.2. Kube API Server (the interface that gets attacked) - runs the Kubernetes API

1.4.1.4.3. kube-proxy

1.4.1.4.4. kubelet

1.4.1.4.5. kubectl

1.4.1.4.6. kubeadm

1.4.1.4.7. Labels - Labels for identifying pods

1.4.1.4.8. Proxy - A load balancer for pods

1.4.1.4.9. etcd - Metadata service (key-value store)

1.4.1.4.10. Replication Controller – Manage replication of pods

1.4.1.4.11. JWT OpenID Connect

1.4.2. Sources

1.4.2.1. Secrets

1.4.2.2. Tokens

1.4.2.3. Passwords

1.4.2.4. Source Code

1.4.2.5. Connection Strings

1.4.3. Write Access

1.4.3.1. Pull a docker image

1.4.3.2. Update the code (backdoor)

1.4.3.3. Build and push the Image

1.4.4. Pod - A group of containers, co-located on the same host

1.4.5. like a software package

2. Enumeration

2.1. Asset Enumeration

2.1.1. Subdomains Enumeration

2.1.1.1. Target Domain

2.1.1.1.1. A record test IP

2.1.1.1.2. Tools

2.1.1.2. SaaS Service Providers

2.1.1.2.1. https://github.com/rbsec/dnscan

2.1.1.3. This query confirms whether the real domain is used in Azure: curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME]&xml=1" | grep -E --colour '<NameSpaceType>[^<]+</NameSpaceType>'

2.2. Username Enumeration

2.2.1. AWS Cloud APIs

2.2.2. Azure Cloud APIs

2.2.2.1. enum_azuread_users

2.2.2.1.1. enum_azuread_users victim.com users.txt

2.2.2.2. This query confirms whether the domain is used in Azure: curl -s -X POST https://login.microsoftonline.com/common/GetCredentialType -d '{"Username":"USERNAME"}' | jq -e '.IfExistsResult'

2.2.3. Credential Harvesting

3. Initial Access

3.1. Github

3.2. Phishing

3.3. Web application

3.4. Password reuse

3.5. OSINT

4. Exposed Services

4.1. Serverless Functions (SaaS)

4.1.1. File Read

4.1.1.1. Path/Directory Traversal

4.1.1.1.1. file:///proc/self/environ

4.1.1.1.2. /etc/passwd

4.1.1.1.3. ../../../../../etc/passwd

4.1.1.1.4. ..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd

4.1.1.1.5. \/etc\/passwd

4.1.1.1.6. ..././..././..././..././..././..././etc/passwd

4.1.1.1.7. writeups

4.1.1.2. XXE

4.1.1.2.1. http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance/

4.1.2. RCE

4.1.2.1. File Upload

4.1.2.2. SSTI

4.1.3. SSRF

4.1.3.1. Token Stealing

4.1.3.1.1. AWS doesn't expose metadata API to Lambda

4.1.3.1.2. AWS does, however, store the credential values in environment variables

4.1.3.1.3. The v1beta1 API level still allows queries without the required header (until 30 Sep 2020)

4.2. Web Applications (IaaS, PaaS, CaaS)

4.2.1. Cross service credentials for pivoting

4.2.2. Metadata API

4.2.2.1. Google

4.2.2.1.1. http://metadata.google.internal/

4.2.2.2. Azure

4.2.2.2.1. curl -i -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

4.2.2.3. AWS

4.2.2.3.1. http://169.254.169.254/

4.2.3. Environment Variables

4.2.4. Access to other resources via role-based access controls

4.3. Directly Exposed Services (IaaS)

5. Type of services

5.1. SaaS - Software as a Service

5.1.1. E.g. Office 365, OneDrive

5.2. FaaS - Function as a Service

5.2.1. E.g. Function App

5.3. CaaS - Containers as a Service

5.3.1. E.g. Kubernetes, Amazon EKS

5.4. PaaS - Platform as a Service

5.4.1. E.g. Azure portal, Heroku

5.5. IaaS - Infrastructure as a Service

5.5.1. E.g. AWS, Microsoft Azure

6. Post Exploitation

6.1. Enumeration

6.1.1. AWS

6.1.1.1. Tools

6.1.1.1.1. PACU

6.1.1.1.2. ScoutSuite

6.1.1.1.3. barq

6.1.1.1.4. AWS_SERVICE_ENUM

6.1.2. AZURE

6.1.2.1. Tools

6.1.2.1.1. powerzure

6.1.2.1.2. roadrecon

6.1.2.1.3. Stormspotter

6.1.2.1.4. AzureHound

6.1.2.1.5. 365-Stealer

6.1.3. GCP

6.1.3.1. GCP_SERVICE_ENUM

6.2. Abusing

6.2.1. Azure

6.2.1.1. Automation Accounts

6.2.1.2. Intune

6.2.1.3. Virtual Machine

6.2.1.4. App registration

6.2.1.5. Deployment templates

6.2.1.6. Container Registry

6.2.1.7. Azure Devops

6.2.2. AWS

6.2.2.1. S3

6.2.2.2. EBS

6.2.2.3. EC2

6.2.2.4. ECR

6.2.2.5. ECS

7. AWS

7.1. AWS Organization

7.1.1. Multi-account architecture

7.1.2. Created by an account, which becomes the management account; this account 'owns' the org

7.1.3. Orgs will create a role. The role will have a policy attached to it

7.7. IAM-Identity and Access Management

7.7.1. AWS Account Root User

7.7.2. IAM Users

7.7.2.1. Entity created to represent the person or app who uses it to interact with AWS

7.7.2.2. Permissions granted via group membership

7.7.2.3. Policies can be attached to users

7.7.3. Temporary Credentials

7.7.4. IAM Roles

7.7.5. Policies

7.7.5.1. IAM User Groups

7.7.5.1.1. Way to attach policies to multiple users

7.7.5.2. Resource Bucket Policies

7.7.5.3. Inline

7.7.5.4. Customer managed policies

7.7.5.5. AWS managed policies (preconfigured by AWS)

7.7.5.6. Identity based policy can be attached to user group so all users in the group get all the policy's permissions

7.7.5.7. Session Policy

7.7.6. Security Token Service (STS)

7.7.7. Identity Federation

7.7.7.1. Login via Google or Facebook

7.7.8. IAM ID Prefixes

7.28. AWS Privilege Escalation Techniques

7.28.1. STS

7.28.2. SSM

7.28.3. S3

7.28.4. Lambda

7.28.4.1. iam:PassRole, lambda:CreateFunction, lambda:InvokeFunction, lambda:InvokeFunctionUrl

7.28.5. KMS

7.28.6. IAM

7.28.7. ECS

7.28.7.1. iam:PassRole, ecs:RunTask

7.28.8. EC2

7.28.8.1. iam:PassRole, ec2:RunInstances

7.39. CLI Authentication

7.39.1. Secret Access Key

7.39.2. Access Key ID

7.42. AWS Basic Info

7.42.1. Accounts

7.42.2. Organizational Units

7.42.3. Service Control Policy

7.42.4. ARN
