Create Cloud-General.md

Cloud-General.md

@@ -0,0 +1,299 @@
+### Comparison
+![cloud](https://github.com/Mehdi0x90/Web_Hacking/assets/17106836/15ede78b-a1f4-4b85-8018-853727554de5)
+
+![cloud-2](https://github.com/Mehdi0x90/Web_Hacking/assets/17106836/4764a612-737d-4053-8649-55e5d33f72ba)
+
+## Recon
+```bash
+# PoC from Forward DNS dataset
+# This data is created by extracting domain names from a number of sources and then sending DNS queries for each domain.
+# https://opendata.rapid7.com/sonar.fdns_v2/
+cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.azurewebsites\.com"
+cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.s3\.amazonaws\.com"
+
+# https://github.com/99designs/clouddetect
+clouddetect -ip=151.101.1.68
+```
+
+**First step should be to determine what services are in use:**
+* More and more orgs are moving assets to the cloud one at a time
+* Many have limited deployment to cloud providers, but some have fully embraced the cloud and are using it for AD, production assets, security products, and more
+* Determine things like AD connectivity, mail gateways, web apps, file storage, etc.
+* Traditional host discovery still applies
+* After host discovery resolve all names, then perform whois
+
+
+**lookups to determine where they are hosted**
+* Microsoft, Amazon, Google IP space usually indicates cloud service usage
+   * More later on getting netblock information for each cloud service
+* MX records can show cloud-hosted mail providers
+* Certificate Transparency (crt.sh)
+* Monitors and logs digital certs
+* Creates a public, searchable log
+* Can help discover additional subdomains
+* More importantly… you can potentially find more Top Level Domains (TLD’s)!
+* Single cert can be scoped for multiple domains
+* Search (Google, Bing, Baidu, DuckDuckGo): `site:targetdomain.com -site:www.targetdomain.com`
+* Shodan.io and Censys.io zoomeye.org
+* Internet-wide portscans
+* Certificate searches
+* Shodan query examples:
+   * org:”Target Name”
+   * net:”CIDR Range”
+   * port:”443”
+* DNS Brute Forcing
+* Performs lookups on a list of potential subdomains
+* Make sure to use quality lists
+* SecLists: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
+* MX Records can help us identify cloud services in use
+   * O365 = target-domain.mail.protection.outlook.com
+   * G-Suite = google.com | googlemail.com
+   * Proofpoint = pphosted.com
+* If you find commonalities between subdomains try iterating names
+* Other Services
+   * HackerTarget https://hackertarget.com/
+   * ThreatCrowd  https://www.threatcrowd.org/
+   * DNSDumpster  https://dnsdumpster.com/
+   * ARIN Searches  https://whois.arin.net/ui/
+      * Search bar accepts wild cards “*”
+      * Great for finding other netblocks owned by the same organization
+* Azure Netblocks
+  * Public: https://www.microsoft.com/en-us/download/details.aspx?id=56519
+  * US Gov: http://www.microsoft.com/en-us/download/details.aspx?id=57063
+  * Germany: http://www.microsoft.com/en-us/download/details.aspx?id=57064
+  * China: http://www.microsoft.com/en-us/download/details.aspx?id=57062
+* AWS Netblocks
+    * https://ip-ranges.amazonaws.com/ip-ranges.json
+* GCP Netblocks
+   * Google made it complicated so there’s a script on the next page to get the current IP netblocks.
+* Box.com Usage
+    * Look for any login portals
+    * https://companyname.account.box.com
+    * Can find cached Box account data too 
+* Employees
+   * LinkedIn
+   * PowerMeta https://github.com/dafthack/PowerMeta
+   * FOCA https://github.com/ElevenPaths/FOCA
+   * hunter.io
+
+### Tools:
+* Recon-NG https://github.com/lanmaster53/recon-ng
+* OWASP Amass https://github.com/OWASP/Amass
+* Spiderfoot https://www.spiderfoot.net/
+* Gobuster https://github.com/OJ/gobuster
+* Sublist3r https://github.com/aboul3la/Sublist3r
+
+
+
+### Foothold:
+* Find ssh keys in shhgit.darkport.co.uk https://github.com/eth0izzle/shhgit
+* GitLeaks https://github.com/zricethezav/gitleaks
+* Gitrob https://github.com/michenriksen/gitrob
+* Truffle Hog https://github.com/dxa4481/truffleHog
+
+## Password attacks:
+* Password Spraying
+   * Trying one password for every user at an org to avoid account lockouts (Spring2020)
+* Most systems have some sort of lockout policy
+   * Example: 5 attempts in 30 mins = lockout
+* If we attempt to auth as each individual username one time every 30 mins we lockout nobody
+* Credential Stuffing
+   * Using previously breached credentials to attempt to exploit password reuse on corporate accounts
+* People tend to reuse passwords for multiple sites including corporate accounts
+* Various breaches end up publicly posted
+* Search these and try out creds
+* Try iterating creds
+
+
+## Web server explotation
+* Out-of-date web technologies with known vulns
+* SQL or command injection vulns
+* Server-Side Request Forgery (SSRF)
+* Good place to start post-shell:
+* Creds in the Metadata Service
+* Certificates
+* Environment variables
+* Storage accounts
+* Reused access certs as private keys on web servers
+   * Compromise web server
+   * Extract certificate with Mimikatz
+   * Use it to authenticate to Azure
+* Mimikatz can export “non-exportable” certificates:
+  * mimikatz# `crypto::capi`
+  * mimikatz# `privilege::debug`
+  * mimikatz# `crypto::cng`
+  * mimikatz# `crypto::certificates /systemstore:local_machine /store:my /export`
+
+## Phising
+* Phishing is still the #1 method of compromise
+* Target Cloud engineers, Developers, DevOps, etc.
+* Two primary phishing techniques:
+   * Cred harvesting / session hijacking
+   * Remote workstation compromise w/ C2
+* Attack designed to steal creds and/or session cookies
+* Can be useful when security protections prevent getting shells
+* Email a link to a target employee pointing to cloned auth portal
+   * Examples: Microsoft Online (O365, Azure, etc.), G-Suite, AWS Console
+* They auth and get real session cookies… we get them too.
+
+## Phishing: Remote Access
+* Phish to compromise a user’s workstation
+* Enables many other options for gaining access to cloud resources
+* Steal access tokens from disk
+* Session hijack
+* Keylog
+* Web Config and App Config files
+   * Commonly found on pentests to include cleartext creds
+   * WebApps often need read/write access to cloud storage or DBs
+   * Web.config and app.config files might contain creds or access tokens
+   * Look for management cert and extract to pfx like publishsettings files
+   * Often found in root folder of webapp
+* Internal Code Repositories
+   * Gold mine for keys
+   * Find internal repos:
+      * A. Portscan internal web services (80, 443, etc.) then use EyeWitness to screenshot each service to quickly analyze
+      * B. Query AD for all hostnames, look for subdomains git, code, repo, bitbucket, gitlab, etc..
+   * Can use automated tools (gitleaks, trufflehog, gitrob) or use built-in search features
+      * Search for AccessKey, AKIA, id_rsa, credentials, secret, password, and token
+* Command history
+* The commands ran previously may indicate where to look
+* Sometimes creds get passed to the command line
+* Linux hosts command history is here:
+   * `~/.bash_history`
+* PowerShell command history is here:
+   * `%USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`
+
+
+
+## Post-Compromise Recon
+* Who do we have access as?
+* What roles do we have?
+* Is MFA enabled?
+* What can we access (webapps, storage, etc.?)
+* Who are the admins?
+* How are we going to escalate to admin?
+* Any security protections in place (ATP, GuardDuty, etc.)?
+
+## Service metadata summary
+* AWS: http://169.254.169.254/metadata/v1/*
+* Google Cloud: http://metadata.google.internal/computeMetadata/v1/*
+* DigitalOcean: http://169.254.169.254/metadata/v1/*
+* Docker: http://127.0.0.1:2375/v1.24/containers/json
+* Kubernetes ETCD: http://127.0.0.1:2379/v2/keys/?recursive=true
+* Alibaba Cloud: http://100.100.100.200/latest/meta-data/*
+* Microsoft Azure: http://169.254.169.254/metadata/v1/*
+
+## Tools
+```bash
+# Non provider specific and general purpose
+# https://github.com/nccgroup/ScoutSuite
+# https://github.com/SygniaLabs/security-cloud-scout
+# https://github.com/initstring/cloud_enum
+python3 cloud_enum.py -k companynameorkeyword
+# https://github.com/cyberark/SkyArk
+# https://github.com/SecurityFTW/cs-suite
+    cd /tmp
+    mkdir .aws
+    cat > .aws/config <<EOF
+        [default]
+        output = json
+        region = us-east-1
+    EOF
+    cat > .aws/credentials <<EOF
+        [default]
+        aws_access_key_id = XXXXXXXXXXXXXXX
+        aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXX
+    EOF
+    docker run -v `pwd`/.aws:/root/.aws -v `pwd`/reports:/app/reports securityftw/cs-suite -env aws
+
+# Dictionary
+https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb
+
+Searching for bad configurations
+
+No auditable items:
+• DoS testing
+• Intense fuzzing
+• Phishing the cloud provider’s employees
+• Testing other company’s assets
+• Etc.
+```
+
+## Cloud Labs
+**AWS Labs** 
+* flaws.cloud 
+* flaws2.cloud 
+* https://github.com/OWASP/Serverless-Goat 
+* https://n0j.github.io/2017/10/02/aws-s3-ctf.html
+* https://github.com/RhinoSecurityLabs/cloudgoat 
+* https://github.com/appsecco/attacking-cloudgoat2 
+* https://github.com/m6a-UdS/dvca 
+* https://github.com/OWASP/DVSA 
+* https://github.com/nccgroup/sadcloud 
+* https://github.com/torque59/AWS-Vulnerable-Lambda
+* https://github.com/wickett/lambhack 
+* https://github.com/BishopFox/iam-vulnerable
+  
+**GCP Labs** 
+* http://thunder-ctf.cloud/ https://gcpgoat.joshuajebaraj.com/
+  
+**Azure Labs** 
+* https://github.com/azurecitadel/azure-security-lab
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+