Pentesting Mbinu za Cloud

Reading time: 12 minutes

Mbinu za Msingi

Kila mazingira ya mawingu yana sifa zake za kipekee lakini kwa ujumla kuna mambo kadhaa ya kawaida ambavyo pentester anapaswa kuangalia wakati wa kupima mazingira ya mawingu:

• Ukaguzi wa benchmark
• Hii itakusaidia kuelewa ukubwa wa mazingira na huduma zinazotumika
• Pia itakuwezesha kupata baadhi ya misconfigurations ya haraka kwa sababu unaweza kufanya sehemu kubwa ya vipimo hivi kwa kutumia zana za otomatiki
• Services Enumeration
• Pengine hutapata misconfigurations mingi zaidi hapa ikiwa ulifanya vizuri vipimo vya benchmark, lakini unaweza kupata baadhi ambayo havikutafutwa kwenye mtihani wa benchmark.
• Hii itakuwezesha kujua kinachotumika hasa ndani ya mazingira ya cloud
• Hii itasaidia sana katika hatua zinazofuata
• Angalia mali zilizo wazi
• Hii inaweza kufanywa wakati wa sehemu iliyotangulia, unatakiwa kubaini kila kitu kinachoweza kuwa wazi kwa Internet kwa namna fulani na jinsi kinavyoweza kufikiwa.
• Hapa ninamaanisha infrastructure iliyofunguliwa kwa mikono kama instances zenye web pages au port nyingine zilizo wazi, na pia kuhusu cloud managed services ambazo zinaweza kusanidiwa kufunguliwa (kama DBs au buckets)
• Kisha unapaswa kuangalia je rasilimali hiyo inaweza kufunguliwa au la (taarifa za siri? vulnerabilities? misconfigurations katika service iliyofunguliwa?)
• Angalia ruhusa
• Hapa unapaswa kubaini ruhusa zote za kila role/user ndani ya cloud na jinsi zinavyotumika
• Je kuna akaunti nyingi zenye highly privileged (zinaweza kudhibiti kila kitu)? Funguo zilizotengenezwa hazitumiwi?... Zaidi ya haya ukaguzi ulipaswa kufanywa tayari katika vipimo vya benchmark
• Ikiwa mteja anatumia OpenID au SAML au nyingine federation unaweza kuhitaji kuwauliza kwa taarifa zaidi kuhusu jinsi kila role inavyotengwa (si sawa role ya admin kuwekewa 1 user au 100)
• Si vya kutosha kutambua ni watumiaji gani wana ruhusa za admin ":". Kuna ruhusa nyingi nyingine ambazo kulingana na huduma zinazotumika zinaweza kuwa za nyeti.
• Zaidi ya hayo, kuna njia za potential privesc za kufuatilia kwa kutumia ruhusa. Mambo haya yote yanapaswa kuzingatiwa na itupe taratibu za privesc kadri iwezekanavyo kuripotiwa.
• Angalia Integrations
• Inawezekana sana kwamba integrations na mawingu mengine au SaaS zinatumika ndani ya mazingira ya cloud.
• Kwa integrations za cloud unazochunguza na platform nyingine unapaswa taarifa nani ana access ya (ab)use hiyo integration na unapaswa kuuliza je kitendo kinachofanywa ni kiasi gani nyeti.
  Kwa mfano, nani anaweza kuandika kwenye AWS bucket ambapo GCP inapata data kutoka (uliza jinsi kitendo kinavyoathiri GCP katika kushughulikia data hiyo).
• Kwa integrations ndani ya cloud unazochunguza kutoka platform za nje, unapaswa kuuliza nani ana access kwa nje ya (ab)use hiyo integration na angalia jinsi data hiyo inavyotumika.
  Kwa mfano, ikiwa service inatumia Docker image iliyohifadhiwa katika GCR, unapaswa kuuliza nani ana access ya kuibadilisha na ni taarifa zipi nyeti na access gani picha hiyo itaipata inapoendeshwa ndani ya AWS cloud.

Zana za Multi-Cloud

Kuna zana kadhaa ambazo zinaweza kutumika kujaribu mazingira tofauti ya mawingu. Hatua za usakinishaji na viungo vitaainishwa katika sehemu hii.

PurplePanda

Zana ya kutambua misconfigurations mbaya na privesc path katika mawingu na kati ya mawingu/SaaS.

# You need to install and run neo4j also
git clone https://github.com/carlospolop/PurplePanda
cd PurplePanda
python3 -m venv .
source bin/activate
python3 -m pip install -r requirements.txt
export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687"
export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda"
python3 main.py -h # Get help

export GOOGLE_DISCOVERY=$(echo 'google:
- file_path: ""

- file_path: ""
service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)

python3 main.py -a -p google #Get basic info of the account to check it's correctly configured
python3 main.py -e -p google #Enumerate the env

Prowler

Inasaidia AWS, GCP & Azure. Angalia jinsi ya kusanidi kila mtoa huduma katika https://docs.prowler.cloud/en/latest/#aws

# Install
pip install prowler
prowler -v

# Run
prowler <provider>
# Example
prowler aws --profile custom-profile [-M csv json json-asff html]

# Get info about checks & services
prowler <provider> --list-checks
prowler <provider> --list-services

CloudSploit

AWS, Azure, Github, Google, Oracle, Alibaba

# Install
git clone https://github.com/aquasecurity/cloudsploit.git
cd cloudsploit
npm install
./index.js -h
## Docker instructions in github

## You need to have creds for a service account and set them in config.js file
./index.js --cloud google --config </abs/path/to/config.js>

ScoutSuite

AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure

mkdir scout; cd scout
virtualenv -p python3 venv
source venv/bin/activate
pip install scoutsuite
scout --help
## Using Docker: https://github.com/nccgroup/ScoutSuite/wiki/Docker-Image

scout gcp --report-dir /tmp/gcp --user-account --all-projects
## use "--service-account KEY_FILE" instead of "--user-account" to use a service account

SCOUT_FOLDER_REPORT="/tmp"
for pid in $(gcloud projects list --format="value(projectId)"); do
echo "================================================"
echo "Checking $pid"
mkdir "$SCOUT_FOLDER_REPORT/$pid"
scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid"
done

Steampipe

brew tap turbot/tap
brew install steampipe

# Install gcp plugin
steampipe plugin install gcp

# Use https://github.com/turbot/steampipe-mod-gcp-compliance.git
git clone https://github.com/turbot/steampipe-mod-gcp-compliance.git
cd steampipe-mod-gcp-compliance
# To run all the checks from the dashboard
steampipe dashboard
# To run all the checks from rhe cli
steampipe check all

FILEPATH="/tmp/gcp.spc"
rm -rf "$FILEPATH" 2>/dev/null

# Generate a json like object for each project
for pid in $(gcloud projects list --format="value(projectId)"); do
echo "connection \"gcp_$(echo -n $pid | tr "-" "_" )\" {
plugin  = \"gcp\"
project = \"$pid\"
}" >> "$FILEPATH"
done

# Generate the aggragator to call
echo 'connection "gcp_all" {
plugin      = "gcp"
type        = "aggregator"
connections = ["gcp_*"]
}' >> "$FILEPATH"

echo "Copy $FILEPATH in ~/.steampipe/config/gcp.spc if it was correctly generated"

# Install aws plugin
steampipe plugin install aws

# Modify the spec indicating in "profile" the profile name to use
nano ~/.steampipe/config/aws.spc

# Get some info on how the AWS account is being used
git clone https://github.com/turbot/steampipe-mod-aws-insights.git
cd steampipe-mod-aws-insights
steampipe dashboard

# Get the services exposed to the internet
git clone https://github.com/turbot/steampipe-mod-aws-perimeter.git
cd steampipe-mod-aws-perimeter
steampipe dashboard

# Run the benchmarks
git clone https://github.com/turbot/steampipe-mod-aws-compliance
cd steampipe-mod-aws-compliance
steampipe dashboard # To see results in browser
steampipe check all --export=/tmp/output4.json

cs-suite

AWS, GCP, Azure, DigitalOcean.
Inahitaji python2.7 na inaonekana haendelezwi.

Nessus

Nessus ina skani ya Audit Cloud Infrastructure inayounga mkono: AWS, Azure, Office 365, Rackspace, Salesforce. Inahitaji usanidi wa ziada katika Azure ili kupata Client Id.

cloudlist

Cloudlist ni zana ya multi-cloud kwa kupata Assets (Hostnames, IP Addresses) kutoka kwa Cloud Providers.

cd /tmp
wget https://github.com/projectdiscovery/cloudlist/releases/latest/download/cloudlist_1.0.1_macOS_arm64.zip
unzip cloudlist_1.0.1_macOS_arm64.zip
chmod +x cloudlist
sudo mv cloudlist /usr/local/bin

## For GCP it requires service account JSON credentials
cloudlist -config </path/to/config>

cartography

Cartography ni zana ya Python inayounganisha rasilimali za miundombinu na uhusiano kati yao katika muonekano wa grafu unaoeleweka unaoendeshwa na Neo4j database.

# Installation
docker image pull ghcr.io/lyft/cartography
docker run --platform linux/amd64 ghcr.io/lyft/cartography cartography --help
## Install a Neo4j DB version 3.5.*

docker run --platform linux/amd64 \
--volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \
-e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \
-e NEO4j_PASSWORD="s3cr3t" \
ghcr.io/lyft/cartography  \
--neo4j-uri bolt://host.docker.internal:7687 \
--neo4j-password-env-var NEO4j_PASSWORD \
--neo4j-user neo4j


# It only checks for a few services inside GCP (https://lyft.github.io/cartography/modules/gcp/index.html)
## Cloud Resource Manager
## Compute
## DNS
## Storage
## Google Kubernetes Engine
### If you can run starbase or purplepanda you will get more info

starbase

Starbase hukusanya rasilimali na uhusiano kutoka kwa huduma na mifumo ikijumuisha miundombinu ya wingu, programu za SaaS, vidhibiti vya usalama, na mengine katika muonekano wa grafu unaoeleweka unaoungwa mkono na hifadhidata ya Neo4j.

# You are going to need Node version 14, so install nvm following https://tecadmin.net/install-nvm-macos-with-homebrew/
npm install --global yarn
nvm install 14
git clone https://github.com/JupiterOne/starbase.git
cd starbase
nvm use 14
yarn install
yarn starbase --help
# Configure manually config.yaml depending on the env to analyze
yarn starbase setup
yarn starbase run

# Docker
git clone https://github.com/JupiterOne/starbase.git
cd starbase
cp config.yaml.example config.yaml
# Configure manually config.yaml depending on the env to analyze
docker build --no-cache -t starbase:latest .
docker-compose run starbase setup
docker-compose run starbase run

## Config for GCP
### Check out: https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md
### It requires service account credentials

integrations:
- name: graph-google-cloud
instanceId: testInstanceId
directory: ./.integrations/graph-google-cloud
gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
config:
SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}"
PROJECT_ID: ""
FOLDER_ID: ""
ORGANIZATION_ID: ""
CONFIGURE_ORGANIZATION_PROJECTS: false

storage:
engine: neo4j
config:
username: neo4j
password: s3cr3t
uri: bolt://localhost:7687
#Consider using host.docker.internal if from docker

SkyArk

Gundua watumiaji wenye vibali vya juu zaidi katika mazingira ya AWS au Azure yaliyoskaniwa, ikiwa ni pamoja na AWS Shadow Admins. Inatumia powershell.

Import-Module .\SkyArk.ps1 -force
Start-AzureStealth

# in the Cloud Console
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
Scan-AzureAdmins

Cloud Brute

Chombo cha kutafuta miundombinu ya kampuni (lengo), mafaili, na apps kwenye watoa huduma wakubwa wa cloud (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).

CloudFox

• CloudFox ni chombo cha kutafuta exploitable attack paths katika miundombinu ya cloud (kwa sasa inasaidia tu AWS & Azure; GCP itakuja hivi karibuni).
• Ni chombo cha enumeration kinachokusudiwa kukamilisha pentesting ya manual.
• Haiundii wala hubadilisha data yoyote ndani ya mazingira ya cloud.

Orodha zaidi za zana za usalama za cloud

• https://github.com/RyanJarv/awesome-cloud-sec

Google

GCP

GCP Pentesting

Workspace

GWS - Workspace Pentesting

AWS

AWS Pentesting

Azure

Azure Pentesting

Grafu ya Shambulio

Stormspotter huunda “attack graph” ya rasilimali katika Azure subscription. Inawawezesha red teams na pentesters kuona attack surface na fursa za pivot ndani ya tenant, na huwapa defenders nguvu ya ziada kupanga na kuipa kipaumbele kazi za incident response haraka.

Office365

Unahitaji Global Admin au angalau Global Admin Reader (lakini kumbuka kuwa Global Admin Reader ni mdogo kidogo). Hata hivyo, vikwazo hivyo vinaonekana katika baadhi ya PS modules na vinaweza kuepukika kwa kufikia vipengele kupitia programu ya wavuti.