Web_Hacking/Cloud-General.md
2024-02-11 15:31:02 +03:30

9.3 KiB
Raw Blame History

Comparison

cloud

cloud-2

Recon

# PoC from Forward DNS dataset
# This data is created by extracting domain names from a number of sources and then sending DNS queries for each domain.
# https://opendata.rapid7.com/sonar.fdns_v2/
cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.azurewebsites\.com"
cat CNAME-DATASET-NAME | pigz -dc | grep -E "\.s3\.amazonaws\.com"

# https://github.com/99designs/clouddetect
clouddetect -ip=151.101.1.68

First step should be to determine what services are in use:

  • More and more orgs are moving assets to the cloud one at a time
  • Many have limited deployment to cloud providers, but some have fully embraced the cloud and are using it for AD, production assets, security products, and more
  • Determine things like AD connectivity, mail gateways, web apps, file storage, etc.
  • Traditional host discovery still applies
  • After host discovery resolve all names, then perform whois

lookups to determine where they are hosted

Tools:

Foothold:

Password attacks:

  • Password Spraying
    • Trying one password for every user at an org to avoid account lockouts (Spring2020)
  • Most systems have some sort of lockout policy
    • Example: 5 attempts in 30 mins = lockout
  • If we attempt to auth as each individual username one time every 30 mins we lockout nobody
  • Credential Stuffing
    • Using previously breached credentials to attempt to exploit password reuse on corporate accounts
  • People tend to reuse passwords for multiple sites including corporate accounts
  • Various breaches end up publicly posted
  • Search these and try out creds
  • Try iterating creds

Web server explotation

  • Out-of-date web technologies with known vulns
  • SQL or command injection vulns
  • Server-Side Request Forgery (SSRF)
  • Good place to start post-shell:
  • Creds in the Metadata Service
  • Certificates
  • Environment variables
  • Storage accounts
  • Reused access certs as private keys on web servers
    • Compromise web server
    • Extract certificate with Mimikatz
    • Use it to authenticate to Azure
  • Mimikatz can export “non-exportable” certificates:
    • mimikatz# crypto::capi
    • mimikatz# privilege::debug
    • mimikatz# crypto::cng
    • mimikatz# crypto::certificates /systemstore:local_machine /store:my /export

Phishing

  • Phishing is still the #1 method of compromise
  • Target Cloud engineers, Developers, DevOps, etc.
  • Two primary phishing techniques:
    • Cred harvesting / session hijacking
    • Remote workstation compromise w/ C2
  • Attack designed to steal creds and/or session cookies
  • Can be useful when security protections prevent getting shells
  • Email a link to a target employee pointing to cloned auth portal
    • Examples: Microsoft Online (O365, Azure, etc.), G-Suite, AWS Console
  • They auth and get real session cookies… we get them too.

Phishing: Remote Access

  • Phish to compromise a users workstation
  • Enables many other options for gaining access to cloud resources
  • Steal access tokens from disk
  • Session hijack
  • Keylog
  • Web Config and App Config files
    • Commonly found on pentests to include cleartext creds
    • WebApps often need read/write access to cloud storage or DBs
    • Web.config and app.config files might contain creds or access tokens
    • Look for management cert and extract to pfx like publishsettings files
    • Often found in root folder of webapp
  • Internal Code Repositories
    • Gold mine for keys
    • Find internal repos:
      • A. Portscan internal web services (80, 443, etc.) then use EyeWitness to screenshot each service to quickly analyze
      • B. Query AD for all hostnames, look for subdomains git, code, repo, bitbucket, gitlab, etc..
    • Can use automated tools (gitleaks, trufflehog, gitrob) or use built-in search features
      • Search for AccessKey, AKIA, id_rsa, credentials, secret, password, and token
  • Command history
  • The commands ran previously may indicate where to look
  • Sometimes creds get passed to the command line
  • Linux hosts command history is here:
    • ~/.bash_history
  • PowerShell command history is here:
    • %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Post-Compromise Recon

  • Who do we have access as?
  • What roles do we have?
  • Is MFA enabled?
  • What can we access (webapps, storage, etc.?)
  • Who are the admins?
  • How are we going to escalate to admin?
  • Any security protections in place (ATP, GuardDuty, etc.)?

Service metadata summary

Tools

# Non provider specific and general purpose
# https://github.com/nccgroup/ScoutSuite
# https://github.com/SygniaLabs/security-cloud-scout
# https://github.com/initstring/cloud_enum
python3 cloud_enum.py -k companynameorkeyword
# https://github.com/cyberark/SkyArk
# https://github.com/SecurityFTW/cs-suite
    cd /tmp
    mkdir .aws
    cat > .aws/config <<EOF
        [default]
        output = json
        region = us-east-1
    EOF
    cat > .aws/credentials <<EOF
        [default]
        aws_access_key_id = XXXXXXXXXXXXXXX
        aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXX
    EOF
    docker run -v `pwd`/.aws:/root/.aws -v `pwd`/reports:/app/reports securityftw/cs-suite -env aws

# Dictionary
https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb

Searching for bad configurations

No auditable items:
• DoS testing
• Intense fuzzing
• Phishing the cloud providers employees
• Testing other companys assets
• Etc.

Cloud Labs

AWS Labs

GCP Labs

Azure Labs