Web_Hacking/Cloud-General.md
2024-02-11 15:31:02 +03:30

300 lines
9.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

### Comparison
![cloud](https://github.com/Mehdi0x90/Web_Hacking/assets/17106836/15ede78b-a1f4-4b85-8018-853727554de5)
![cloud-2](https://github.com/Mehdi0x90/Web_Hacking/assets/17106836/4764a612-737d-4053-8649-55e5d33f72ba)
## Recon
```bash
# PoC from Forward DNS dataset
# This data is created by extracting domain names from a number of sources and then sending DNS queries for each domain.
# https://opendata.rapid7.com/sonar.fdns_v2/
cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.azurewebsites\.com"
cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.s3\.amazonaws\.com"
# https://github.com/99designs/clouddetect
clouddetect -ip=151.101.1.68
```
**First step should be to determine what services are in use:**
* More and more orgs are moving assets to the cloud one at a time
* Many have limited deployment to cloud providers, but some have fully embraced the cloud and are using it for AD, production assets, security products, and more
* Determine things like AD connectivity, mail gateways, web apps, file storage, etc.
* Traditional host discovery still applies
* After host discovery resolve all names, then perform whois
**lookups to determine where they are hosted**
* Microsoft, Amazon, Google IP space usually indicates cloud service usage
* More later on getting netblock information for each cloud service
* MX records can show cloud-hosted mail providers
* Certificate Transparency (crt.sh)
* Monitors and logs digital certs
* Creates a public, searchable log
* Can help discover additional subdomains
* More importantly… you can potentially find more Top Level Domains (TLDs)!
* Single cert can be scoped for multiple domains
* Search (Google, Bing, Baidu, DuckDuckGo): `site:targetdomain.com -site:www.targetdomain.com`
* Shodan.io and Censys.io zoomeye.org
* Internet-wide portscans
* Certificate searches
* Shodan query examples:
* org:”Target Name”
* net:”CIDR Range”
* port:”443”
* DNS Brute Forcing
* Performs lookups on a list of potential subdomains
* Make sure to use quality lists
* SecLists: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
* MX Records can help us identify cloud services in use
* O365 = target-domain.mail.protection.outlook.com
* G-Suite = google.com | googlemail.com
* Proofpoint = pphosted.com
* If you find commonalities between subdomains try iterating names
* Other Services
* HackerTarget https://hackertarget.com/
* ThreatCrowd https://www.threatcrowd.org/
* DNSDumpster https://dnsdumpster.com/
* ARIN Searches https://whois.arin.net/ui/
* Search bar accepts wild cards “*”
* Great for finding other netblocks owned by the same organization
* Azure Netblocks
* Public: https://www.microsoft.com/en-us/download/details.aspx?id=56519
* US Gov: http://www.microsoft.com/en-us/download/details.aspx?id=57063
* Germany: http://www.microsoft.com/en-us/download/details.aspx?id=57064
* China: http://www.microsoft.com/en-us/download/details.aspx?id=57062
* AWS Netblocks
* https://ip-ranges.amazonaws.com/ip-ranges.json
* GCP Netblocks
* Google made it complicated so theres a script on the next page to get the current IP netblocks.
* Box.com Usage
* Look for any login portals
* https://companyname.account.box.com
* Can find cached Box account data too
* Employees
* LinkedIn
* PowerMeta https://github.com/dafthack/PowerMeta
* FOCA https://github.com/ElevenPaths/FOCA
* hunter.io
### Tools:
* Recon-NG https://github.com/lanmaster53/recon-ng
* OWASP Amass https://github.com/OWASP/Amass
* Spiderfoot https://www.spiderfoot.net/
* Gobuster https://github.com/OJ/gobuster
* Sublist3r https://github.com/aboul3la/Sublist3r
### Foothold:
* Find ssh keys in shhgit.darkport.co.uk https://github.com/eth0izzle/shhgit
* GitLeaks https://github.com/zricethezav/gitleaks
* Gitrob https://github.com/michenriksen/gitrob
* Truffle Hog https://github.com/dxa4481/truffleHog
## Password attacks:
* Password Spraying
* Trying one password for every user at an org to avoid account lockouts (Spring2020)
* Most systems have some sort of lockout policy
* Example: 5 attempts in 30 mins = lockout
* If we attempt to auth as each individual username one time every 30 mins we lockout nobody
* Credential Stuffing
* Using previously breached credentials to attempt to exploit password reuse on corporate accounts
* People tend to reuse passwords for multiple sites including corporate accounts
* Various breaches end up publicly posted
* Search these and try out creds
* Try iterating creds
## Web server explotation
* Out-of-date web technologies with known vulns
* SQL or command injection vulns
* Server-Side Request Forgery (SSRF)
* Good place to start post-shell:
* Creds in the Metadata Service
* Certificates
* Environment variables
* Storage accounts
* Reused access certs as private keys on web servers
* Compromise web server
* Extract certificate with Mimikatz
* Use it to authenticate to Azure
* Mimikatz can export “non-exportable” certificates:
* mimikatz# `crypto::capi`
* mimikatz# `privilege::debug`
* mimikatz# `crypto::cng`
* mimikatz# `crypto::certificates /systemstore:local_machine /store:my /export`
## Phishing
* Phishing is still the #1 method of compromise
* Target Cloud engineers, Developers, DevOps, etc.
* Two primary phishing techniques:
* Cred harvesting / session hijacking
* Remote workstation compromise w/ C2
* Attack designed to steal creds and/or session cookies
* Can be useful when security protections prevent getting shells
* Email a link to a target employee pointing to cloned auth portal
* Examples: Microsoft Online (O365, Azure, etc.), G-Suite, AWS Console
* They auth and get real session cookies… we get them too.
## Phishing: Remote Access
* Phish to compromise a users workstation
* Enables many other options for gaining access to cloud resources
* Steal access tokens from disk
* Session hijack
* Keylog
* Web Config and App Config files
* Commonly found on pentests to include cleartext creds
* WebApps often need read/write access to cloud storage or DBs
* Web.config and app.config files might contain creds or access tokens
* Look for management cert and extract to pfx like publishsettings files
* Often found in root folder of webapp
* Internal Code Repositories
* Gold mine for keys
* Find internal repos:
* A. Portscan internal web services (80, 443, etc.) then use EyeWitness to screenshot each service to quickly analyze
* B. Query AD for all hostnames, look for subdomains git, code, repo, bitbucket, gitlab, etc..
* Can use automated tools (gitleaks, trufflehog, gitrob) or use built-in search features
* Search for AccessKey, AKIA, id_rsa, credentials, secret, password, and token
* Command history
* The commands ran previously may indicate where to look
* Sometimes creds get passed to the command line
* Linux hosts command history is here:
* `~/.bash_history`
* PowerShell command history is here:
* `%USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`
## Post-Compromise Recon
* Who do we have access as?
* What roles do we have?
* Is MFA enabled?
* What can we access (webapps, storage, etc.?)
* Who are the admins?
* How are we going to escalate to admin?
* Any security protections in place (ATP, GuardDuty, etc.)?
## Service metadata summary
* AWS: http://169.254.169.254/metadata/v1/*
* Google Cloud: http://metadata.google.internal/computeMetadata/v1/*
* DigitalOcean: http://169.254.169.254/metadata/v1/*
* Docker: http://127.0.0.1:2375/v1.24/containers/json
* Kubernetes ETCD: http://127.0.0.1:2379/v2/keys/?recursive=true
* Alibaba Cloud: http://100.100.100.200/latest/meta-data/*
* Microsoft Azure: http://169.254.169.254/metadata/v1/*
## Tools
```bash
# Non provider specific and general purpose
# https://github.com/nccgroup/ScoutSuite
# https://github.com/SygniaLabs/security-cloud-scout
# https://github.com/initstring/cloud_enum
python3 cloud_enum.py -k companynameorkeyword
# https://github.com/cyberark/SkyArk
# https://github.com/SecurityFTW/cs-suite
cd /tmp
mkdir .aws
cat > .aws/config <<EOF
[default]
output = json
region = us-east-1
EOF
cat > .aws/credentials <<EOF
[default]
aws_access_key_id = XXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXX
EOF
docker run -v `pwd`/.aws:/root/.aws -v `pwd`/reports:/app/reports securityftw/cs-suite -env aws
# Dictionary
https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb
Searching for bad configurations
No auditable items:
• DoS testing
• Intense fuzzing
• Phishing the cloud providers employees
• Testing other companys assets
• Etc.
```
## Cloud Labs
**AWS Labs**
* flaws.cloud
* flaws2.cloud
* https://github.com/OWASP/Serverless-Goat
* https://n0j.github.io/2017/10/02/aws-s3-ctf.html
* https://github.com/RhinoSecurityLabs/cloudgoat
* https://github.com/appsecco/attacking-cloudgoat2
* https://github.com/m6a-UdS/dvca
* https://github.com/OWASP/DVSA
* https://github.com/nccgroup/sadcloud
* https://github.com/torque59/AWS-Vulnerable-Lambda
* https://github.com/wickett/lambhack
* https://github.com/BishopFox/iam-vulnerable
**GCP Labs**
* http://thunder-ctf.cloud/ https://gcpgoat.joshuajebaraj.com/
**Azure Labs**
* https://github.com/azurecitadel/azure-security-lab