gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 05:03:31 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions
Download Patch File Download Diff File Expand all files Collapse all files

214
src/pentesting-cloud/pentesting-cloud-methodology.md
View File

@@ -6,43 +6,42 @@
## Basic Methodology
Each cloud has its own peculiarities but in general there are a few **common things a pentester should check** when testing a cloud environment:
Elke wolk het sy eie eienaardighede, maar oor die algemeen is daar 'n paar **gemeenskaplike dinge wat 'n pentester moet nagaan** wanneer 'n wolkomgewing getoets word:
- **Benchmark checks**
- This will help you **understand the size** of the environment and **services used**
- It will allow you also to find some **quick misconfigurations** as you can perform most of this tests with **automated tools**
- **Services Enumeration**
- You probably won't find much more misconfigurations here if you performed correctly the benchmark tests, but you might find some that weren't being looked for in the benchmark test.
- This will allow you to know **what is exactly being used** in the cloud env
- This will help a lot in the next steps
- **Check exposed assets**
- This can be done during the previous section, you need to **find out everything that is potentially exposed** to the Internet somehow and how can it be accessed.
- Here I'm taking **manually exposed infrastructure** like instances with web pages or other ports being exposed, and also about other **cloud managed services that can be configured** to be exposed (such as DBs or buckets)
- Then you should check **if that resource can be exposed or not** (confidential information? vulnerabilities? misconfigurations in the exposed service?)
- **Check permissions**
- Here you should **find out all the permissions of each role/user** inside the cloud and how are they used
- Too **many highly privileged** (control everything) accounts? Generated keys not used?... Most of these check should have been done in the benchmark tests already
- If the client is using OpenID or SAML or other **federation** you might need to ask them for further **information** about **how is being each role assigned** (it's not the same that the admin role is assigned to 1 user or to 100)
- It's **not enough to find** which users has **admin** permissions "\*:\*". There are a lot of **other permissions** that depending on the services used can be very **sensitive**.
- Moreover, there are **potential privesc** ways to follow abusing permissions. All this things should be taken into account and **as much privesc paths as possible** should be reported.
- **Check Integrations**
- It's highly probably that **integrations with other clouds or SaaS** are being used inside the cloud env.
- For **integrations of the cloud you are auditing** with other platform you should notify **who has access to (ab)use that integration** and you should ask **how sensitive** is the action being performed.\
For example, who can write in an AWS bucket where GCP is getting data from (ask how sensitive is the action in GCP treating that data).
- For **integrations inside the cloud you are auditing** from external platforms, you should ask **who has access externally to (ab)use that integration** and check how is that data being used.\
For example, if a service is using a Docker image hosted in GCR, you should ask who has access to modify that and which sensitive info and access will get that image when executed inside an AWS cloud.
- **Benchmark kontroles**
- Dit sal jou help om **die grootte** van die omgewing en **dienste wat gebruik word** te **begryp**.
- Dit sal jou ook toelaat om 'n paar **vinnige miskonfigurasies** te vind, aangesien jy die meeste van hierdie toetse met **geoutomatiseerde gereedskap** kan uitvoer.
- **Dienste Enumerasie**
- Jy sal waarskynlik nie veel meer miskonfigurasies hier vind as jy die benchmark toetse korrek uitgevoer het nie, maar jy mag dalk sommige vind wat nie in die benchmark toets gesoek is nie.
- Dit sal jou toelaat om te weet **wat presies gebruik word** in die wolkomgewing.
- Dit sal baie help in die volgende stappe.
- **Kontroleer blootgestelde bates**
- Dit kan gedoen word tydens die vorige afdeling, jy moet **uitvind alles wat potensieel blootgestel is** aan die Internet op een of ander manier en hoe dit toegang kan verkry.
- Hier neem ek **handmatig blootgestelde infrastruktuur** soos instansies met webbladsye of ander poorte wat blootgestel word, en ook oor ander **wolkkontroleerde dienste wat geconfigureer kan word** om blootgestel te word (soos DB's of emmers).
- Dan moet jy nagaan **of daardie hulpbron blootgestel kan word of nie** (vertroulike inligting? kwesbaarhede? miskonfigurasies in die blootgestelde diens?).
- **Kontroleer toestemmings**
- Hier moet jy **uitvind wat die toestemmings van elke rol/gebruiker** binne die wolk is en hoe dit gebruik word.
- Te **veel hoogs bevoorregte** (beheer alles) rekeninge? Gekreëerde sleutels wat nie gebruik word?... Die meeste van hierdie kontroles sou reeds in die benchmark toetse gedoen moes gewees het.
- As die kliënt OpenID of SAML of ander **federasie** gebruik, mag jy hulle moet vra vir verdere **inligting** oor **hoe elke rol toegeken word** (dit is nie dieselfde dat die admin rol aan 1 gebruiker of aan 100 toegeken word nie).
- Dit is **nie genoeg om te vind** watter gebruikers **admin** toestemmings het "\*:\*". Daar is baie **ander toestemmings** wat, afhangende van die dienste wat gebruik word, baie **sensitief** kan wees.
- Boonop is daar **potensiële privesc** maniere om te volg deur misbruik van toestemmings. Al hierdie dinge moet in ag geneem word en **so veel privesc paaie as moontlik** moet gerapporteer word.
- **Kontroleer Integrasies**
- Dit is hoogs waarskynlik dat **integrasies met ander wolke of SaaS** binne die wolkomgewing gebruik word.
- Vir **integrasies van die wolk wat jy oudit** met ander platforms moet jy **ken wie toegang het tot (mis)bruik van daardie integrasie** en jy moet vra **hoe sensitief** die aksie wat uitgevoer word is.\
Byvoorbeeld, wie kan skryf in 'n AWS-emmer waar GCP data van ontvang (vra hoe sensitief die aksie in GCP is wat daardie data hanteer).
- Vir **integrasies binne die wolk wat jy oudit** van eksterne platforms, moet jy vra **wie toegang het om (mis)bruik te maak van daardie integrasie** en kyk hoe daardie data gebruik word.\
Byvoorbeeld, as 'n diens 'n Docker-beeld gebruik wat in GCR gehos te is, moet jy vra wie toegang het om dit te wysig en watter sensitiewe inligting en toegang daardie beeld sal kry wanneer dit binne 'n AWS-wolk uitgevoer word.
## Multi-Cloud tools
There are several tools that can be used to test different cloud environments. The installation steps and links are going to be indicated in this section.
Daar is verskeie gereedskap wat gebruik kan word om verskillende wolkomgewings te toets. Die installasietappe en skakels sal in hierdie afdeling aangedui word.
### [PurplePanda](https://github.com/carlospolop/purplepanda)
A tool to **identify bad configurations and privesc path in clouds and across clouds/SaaS.**
'n Gereedskap om **slegte konfigurasies en privesc paaie in wolke en oor wolke/SaaS te identifiseer.**
{{#tabs }}
{{#tab name="Install" }}
```bash
# You need to install and run neo4j also
git clone https://github.com/carlospolop/PurplePanda
@@ -54,29 +53,25 @@ export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687"
export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda"
python3 main.py -h # Get help
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
export GOOGLE_DISCOVERY=$(echo 'google:
- file_path: ""
- file_path: ""
service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)
service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)
python3 main.py -a -p google #Get basic info of the account to check it's correctly configured
python3 main.py -e -p google #Enumerate the env
```
{{#endtab }}
{{#endtabs }}
### [Prowler](https://github.com/prowler-cloud/prowler)
It supports **AWS, GCP & Azure**. Check how to configure each provider in [https://docs.prowler.cloud/en/latest/#aws](https://docs.prowler.cloud/en/latest/#aws)
Dit ondersteun **AWS, GCP & Azure**. Kyk hoe om elke verskaffer te konfigureer in [https://docs.prowler.cloud/en/latest/#aws](https://docs.prowler.cloud/en/latest/#aws)
```bash
# Install
pip install prowler
@@ -91,14 +86,12 @@ prowler aws --profile custom-profile [-M csv json json-asff html]
prowler <provider> --list-checks
prowler <provider> --list-services
```
### [CloudSploit](https://github.com/aquasecurity/cloudsploit)
AWS, Azure, Github, Google, Oracle, Alibaba
{{#tabs }}
{{#tab name="Install" }}
{{#tab name="Installeer" }}
```bash
# Install
git clone https://github.com/aquasecurity/cloudsploit.git
@@ -107,16 +100,13 @@ npm install
./index.js -h
## Docker instructions in github
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
## You need to have creds for a service account and set them in config.js file
./index.js --cloud google --config </abs/path/to/config.js>
```
{{#endtab }}
{{#endtabs }}
@@ -125,8 +115,7 @@ npm install
AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure
{{#tabs }}
{{#tab name="Install" }}
{{#tab name="Installeer" }}
```bash
mkdir scout; cd scout
virtualenv -p python3 venv
@@ -135,42 +124,36 @@ pip install scoutsuite
scout --help
## Using Docker: https://github.com/nccgroup/ScoutSuite/wiki/Docker-Image
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
scout gcp --report-dir /tmp/gcp --user-account --all-projects
## use "--service-account KEY_FILE" instead of "--user-account" to use a service account
SCOUT_FOLDER_REPORT="/tmp"
for pid in $(gcloud projects list --format="value(projectId)"); do
echo "================================================"
echo "Checking $pid"
mkdir "$SCOUT_FOLDER_REPORT/$pid"
scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid"
echo "================================================"
echo "Checking $pid"
mkdir "$SCOUT_FOLDER_REPORT/$pid"
scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid"
done
```
{{#endtab }}
{{#endtabs }}
### [Steampipe](https://github.com/turbot)
{{#tabs }}
{{#tab name="Install" }}
Download and install Steampipe ([https://steampipe.io/downloads](https://steampipe.io/downloads)). Or use Brew:
{{#tab name="Installeer" }}
Laai Steampipe af en installeer dit ([https://steampipe.io/downloads](https://steampipe.io/downloads)). Of gebruik Brew:
```
brew tap turbot/tap
brew install steampipe
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
# Install gcp plugin
steampipe plugin install gcp
@@ -183,13 +166,11 @@ steampipe dashboard
# To run all the checks from rhe cli
steampipe check all
```
<details>
<summary>Check all Projects</summary>
In order to check all the projects you need to generate the `gcp.spc` file indicating all the projects to test. You can just follow the indications from the following script
<summary>Kontroleer alle Projekte</summary>
Om al die projekte te kontroleer, moet jy die `gcp.spc` lêer genereer wat al die projekte aandui wat getoets moet word. Jy kan net die aanwysings van die volgende skrif volg.
```bash
FILEPATH="/tmp/gcp.spc"
rm -rf "$FILEPATH" 2>/dev/null
@@ -197,32 +178,30 @@ rm -rf "$FILEPATH" 2>/dev/null
# Generate a json like object for each project
for pid in $(gcloud projects list --format="value(projectId)"); do
echo "connection \"gcp_$(echo -n $pid | tr "-" "_" )\" {
plugin = \"gcp\"
project = \"$pid\"
plugin = \"gcp\"
project = \"$pid\"
}" >> "$FILEPATH"
done
# Generate the aggragator to call
echo 'connection "gcp_all" {
plugin = "gcp"
type = "aggregator"
connections = ["gcp_*"]
plugin = "gcp"
type = "aggregator"
connections = ["gcp_*"]
}' >> "$FILEPATH"
echo "Copy $FILEPATH in ~/.steampipe/config/gcp.spc if it was correctly generated"
```
</details>
To check **other GCP insights** (useful for enumerating services) use: [https://github.com/turbot/steampipe-mod-gcp-insights](https://github.com/turbot/steampipe-mod-gcp-insights)
Om **ander GCP insigte** te kontroleer (nuttig vir die opspoor van dienste) gebruik: [https://github.com/turbot/steampipe-mod-gcp-insights](https://github.com/turbot/steampipe-mod-gcp-insights)
To check Terraform GCP code: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance)
Om Terraform GCP kode te kontroleer: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance)
More GCP plugins of Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp)
Meer GCP plugins van Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp)
{{#endtab }}
{{#tab name="AWS" }}
```bash
# Install aws plugin
steampipe plugin install aws
@@ -246,29 +225,27 @@ cd steampipe-mod-aws-compliance
steampipe dashboard # To see results in browser
steampipe check all --export=/tmp/output4.json
```
Om Terraform AWS kode te kontroleer: [https://github.com/turbot/steampipe-mod-terraform-aws-compliance](https://github.com/turbot/steampipe-mod-terraform-aws-compliance)
To check Terraform AWS code: [https://github.com/turbot/steampipe-mod-terraform-aws-compliance](https://github.com/turbot/steampipe-mod-terraform-aws-compliance)
More AWS plugins of Steampipe: [https://github.com/orgs/turbot/repositories?q=aws](https://github.com/orgs/turbot/repositories?q=aws)
Meer AWS-inproppe van Steampipe: [https://github.com/orgs/turbot/repositories?q=aws](https://github.com/orgs/turbot/repositories?q=aws)
{{#endtab }}
{{#endtabs }}
### [~~cs-suite~~](https://github.com/SecurityFTW/cs-suite)
AWS, GCP, Azure, DigitalOcean.\
It requires python2.7 and looks unmaintained.
Dit vereis python2.7 en lyk ononderhou.
### Nessus
Nessus has an _**Audit Cloud Infrastructure**_ scan supporting: AWS, Azure, Office 365, Rackspace, Salesforce. Some extra configurations in **Azure** are needed to obtain a **Client Id**.
Nessus het 'n _**Audit Cloud Infrastructure**_ skandering wat ondersteun: AWS, Azure, Office 365, Rackspace, Salesforce. Sommige ekstra konfigurasies in **Azure** is nodig om 'n **Client Id** te verkry.
### [**cloudlist**](https://github.com/projectdiscovery/cloudlist)
Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers.
Cloudlist is 'n **multi-cloud hulpmiddel om Bate** (Gasname, IP Adresse) van Cloud Verskaffers te verkry.
{{#tabs }}
{{#tab name="Cloudlist" }}
```bash
cd /tmp
wget https://github.com/projectdiscovery/cloudlist/releases/latest/download/cloudlist_1.0.1_macOS_arm64.zip
@@ -276,46 +253,40 @@ unzip cloudlist_1.0.1_macOS_arm64.zip
chmod +x cloudlist
sudo mv cloudlist /usr/local/bin
```
{{#endtab }}
{{#tab name="Second Tab" }}
{{#tab name="Tweede Tab" }}
```bash
## For GCP it requires service account JSON credentials
cloudlist -config </path/to/config>
```
{{#endtab }}
{{#endtabs }}
### [**cartography**](https://github.com/lyft/cartography)
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Cartography is 'n Python-gereedskap wat infrastruktuur bates en die verhoudings tussen hulle in 'n intuïtiewe grafiekweergave saamvoeg, aangedryf deur 'n Neo4j-databasis.
{{#tabs }}
{{#tab name="Install" }}
```bash
# Installation
docker image pull ghcr.io/lyft/cartography
docker run --platform linux/amd64 ghcr.io/lyft/cartography cartography --help
## Install a Neo4j DB version 3.5.*
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
docker run --platform linux/amd64 \
--volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \
-e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \
-e NEO4j_PASSWORD="s3cr3t" \
ghcr.io/lyft/cartography \
--neo4j-uri bolt://host.docker.internal:7687 \
--neo4j-password-env-var NEO4j_PASSWORD \
--neo4j-user neo4j
--volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \
-e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \
-e NEO4j_PASSWORD="s3cr3t" \
ghcr.io/lyft/cartography \
--neo4j-uri bolt://host.docker.internal:7687 \
--neo4j-password-env-var NEO4j_PASSWORD \
--neo4j-user neo4j
# It only checks for a few services inside GCP (https://lyft.github.io/cartography/modules/gcp/index.html)
@@ -326,17 +297,15 @@ docker run --platform linux/amd64 \
## Google Kubernetes Engine
### If you can run starbase or purplepanda you will get more info
```
{{#endtab }}
{{#endtabs }}
### [**starbase**](https://github.com/JupiterOne/starbase)
Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
Starbase versamel bates en verhoudings van dienste en stelsels, insluitend wolkinfrastruktuur, SaaS-toepassings, sekuriteitsbeheer, en meer in 'n intuïtiewe grafiekweergave wat deur die Neo4j-databasis ondersteun word.
{{#tabs }}
{{#tab name="Install" }}
{{#tab name="Installeer" }}
```bash
# You are going to need Node version 14, so install nvm following https://tecadmin.net/install-nvm-macos-with-homebrew/
npm install --global yarn
@@ -359,44 +328,40 @@ docker build --no-cache -t starbase:latest .
docker-compose run starbase setup
docker-compose run starbase run
```
{{#endtab }}
{{#tab name="GCP" }}
```yaml
## Config for GCP
### Check out: https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md
### It requires service account credentials
integrations:
- name: graph-google-cloud
instanceId: testInstanceId
directory: ./.integrations/graph-google-cloud
gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
config:
SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}"
PROJECT_ID: ""
FOLDER_ID: ""
ORGANIZATION_ID: ""
CONFIGURE_ORGANIZATION_PROJECTS: false
- name: graph-google-cloud
instanceId: testInstanceId
directory: ./.integrations/graph-google-cloud
gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
config:
SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}"
PROJECT_ID: ""
FOLDER_ID: ""
ORGANIZATION_ID: ""
CONFIGURE_ORGANIZATION_PROJECTS: false
storage:
engine: neo4j
config:
username: neo4j
password: s3cr3t
uri: bolt://localhost:7687
#Consider using host.docker.internal if from docker
engine: neo4j
config:
username: neo4j
password: s3cr3t
uri: bolt://localhost:7687
#Consider using host.docker.internal if from docker
```
{{#endtab }}
{{#endtabs }}
### [**SkyArk**](https://github.com/cyberark/SkyArk)
Discover the most privileged users in the scanned AWS or Azure environment, including the AWS Shadow Admins. It uses powershell.
Ontdek die mees bevoorregte gebruikers in die gescande AWS of Azure omgewing, insluitend die AWS Shadow Admins. Dit gebruik powershell.
```powershell
Import-Module .\SkyArk.ps1 -force
Start-AzureStealth
@@ -405,18 +370,17 @@ Start-AzureStealth
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
Scan-AzureAdmins
```
### [Cloud Brute](https://github.com/0xsha/CloudBrute)
A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
'n Gereedskap om 'n maatskappy (teiken) infrastruktuur, lêers en toepassings op die top wolkverskaffers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode) te vind.
### [CloudFox](https://github.com/BishopFox/cloudfox)
- CloudFox is a tool to find exploitable attack paths in cloud infrastructure (currently only AWS & Azure supported with GCP upcoming).
- It is an enumeration tool which is intended to compliment manual pentesting.
- It doesn't create or modify any data within the cloud environment.
- CloudFox is 'n gereedskap om uitbuitbare aanvalspaaie in wolkinfrastruktuur te vind (huidiglik slegs AWS & Azure ondersteun met GCP wat kom).
- Dit is 'n enumerasie-gereedskap wat bedoel is om handmatige pentesting aan te vul.
- Dit skep of wysig nie enige data binne die wolkomgewing nie.
### More lists of cloud security tools
### Meer lyste van wolk sekuriteitsgereedskap
- [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec)
@@ -446,16 +410,12 @@ aws-security/
azure-security/
{{#endref}}
### Attack Graph
### Aanval Grafiek
[**Stormspotter** ](https://github.com/Azure/Stormspotter)creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.
[**Stormspotter** ](https://github.com/Azure/Stormspotter) skep 'n “aanval grafiek” van die hulpbronne in 'n Azure intekening. Dit stel rooi span en pentesters in staat om die aanvaloppervlak en draaipunte binne 'n huurder te visualiseer, en versterk jou verdedigers om vinnig te oriënteer en prioriteit te gee aan insidentresponswerk.
### Office365
You need **Global Admin** or at least **Global Admin Reader** (but note that Global Admin Reader is a little bit limited). However, those limitations appear in some PS modules and can be bypassed accessing the features **via the web application**.
Jy het **Global Admin** of ten minste **Global Admin Reader** nodig (maar let daarop dat Global Admin Reader 'n bietjie beperk is). Hierdie beperkings verskyn egter in sommige PS modules en kan omseil word deur toegang te verkry tot die funksies **via die webtoepassing**.
{{#include ../banners/hacktricks-training.md}}