gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-16 14:52:43 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:10:24 +00:00
parent 192d97f7b7
commit 536671c61c
245 changed files with 10169 additions and 12893 deletions
Download Patch File Download Diff File Expand all files Collapse all files

222
src/pentesting-cloud/pentesting-cloud-methodology.md
View File

@@ -1,48 +1,47 @@
# Pentesting Cloud Methodology
# Metodología de Pentesting en la Nube
{{#include ../banners/hacktricks-training.md}}
<figure><img src="../images/CLOUD-logo-letters.svg" alt=""><figcaption></figcaption></figure>
## Basic Methodology
## Metodología Básica
Each cloud has its own peculiarities but in general there are a few **common things a pentester should check** when testing a cloud environment:
Cada nube tiene sus propias peculiaridades, pero en general hay algunas **cosas comunes que un pentester debe verificar** al probar un entorno en la nube:
- **Benchmark checks**
- This will help you **understand the size** of the environment and **services used**
- It will allow you also to find some **quick misconfigurations** as you can perform most of this tests with **automated tools**
- **Services Enumeration**
- You probably won't find much more misconfigurations here if you performed correctly the benchmark tests, but you might find some that weren't being looked for in the benchmark test.
- This will allow you to know **what is exactly being used** in the cloud env
- This will help a lot in the next steps
- **Check exposed assets**
- This can be done during the previous section, you need to **find out everything that is potentially exposed** to the Internet somehow and how can it be accessed.
- Here I'm taking **manually exposed infrastructure** like instances with web pages or other ports being exposed, and also about other **cloud managed services that can be configured** to be exposed (such as DBs or buckets)
- Then you should check **if that resource can be exposed or not** (confidential information? vulnerabilities? misconfigurations in the exposed service?)
- **Check permissions**
- Here you should **find out all the permissions of each role/user** inside the cloud and how are they used
- Too **many highly privileged** (control everything) accounts? Generated keys not used?... Most of these check should have been done in the benchmark tests already
- If the client is using OpenID or SAML or other **federation** you might need to ask them for further **information** about **how is being each role assigned** (it's not the same that the admin role is assigned to 1 user or to 100)
- It's **not enough to find** which users has **admin** permissions "\*:\*". There are a lot of **other permissions** that depending on the services used can be very **sensitive**.
- Moreover, there are **potential privesc** ways to follow abusing permissions. All this things should be taken into account and **as much privesc paths as possible** should be reported.
- **Check Integrations**
- It's highly probably that **integrations with other clouds or SaaS** are being used inside the cloud env.
- For **integrations of the cloud you are auditing** with other platform you should notify **who has access to (ab)use that integration** and you should ask **how sensitive** is the action being performed.\
For example, who can write in an AWS bucket where GCP is getting data from (ask how sensitive is the action in GCP treating that data).
- For **integrations inside the cloud you are auditing** from external platforms, you should ask **who has access externally to (ab)use that integration** and check how is that data being used.\
For example, if a service is using a Docker image hosted in GCR, you should ask who has access to modify that and which sensitive info and access will get that image when executed inside an AWS cloud.
- **Verificaciones de referencia**
- Esto te ayudará a **entender el tamaño** del entorno y **los servicios utilizados**
- También te permitirá encontrar algunas **mala configuraciones rápidas** ya que puedes realizar la mayoría de estas pruebas con **herramientas automatizadas**
- **Enumeración de Servicios**
- Probablemente no encontrarás muchas más mala configuraciones aquí si realizaste correctamente las pruebas de referencia, pero podrías encontrar algunas que no se buscaron en la prueba de referencia.
- Esto te permitirá saber **qué se está utilizando exactamente** en el entorno de la nube
- Esto ayudará mucho en los siguientes pasos
- **Verificar activos expuestos**
- Esto se puede hacer durante la sección anterior, necesitas **descubrir todo lo que está potencialmente expuesto** a Internet de alguna manera y cómo se puede acceder a ello.
- Aquí estoy tomando **infraestructura expuesta manualmente** como instancias con páginas web u otros puertos expuestos, y también sobre otros **servicios gestionados en la nube que pueden ser configurados** para estar expuestos (como bases de datos o buckets)
- Luego deberías verificar **si ese recurso puede ser expuesto o no** (¿información confidencial? ¿vulnerabilidades? ¿mala configuraciones en el servicio expuesto?)
- **Verificar permisos**
- Aquí deberías **descubrir todos los permisos de cada rol/usuario** dentro de la nube y cómo se utilizan
- ¿Demasiadas cuentas **altamente privilegiadas** (controlan todo)? ¿Claves generadas no utilizadas?... La mayoría de estas verificaciones ya deberían haberse realizado en las pruebas de referencia
- Si el cliente está utilizando OpenID o SAML u otra **federación**, es posible que necesites preguntarles más **información** sobre **cómo se asigna cada rol** (no es lo mismo que el rol de administrador esté asignado a 1 usuario o a 100)
- **No es suficiente encontrar** qué usuarios tienen permisos de **administrador** "\*:\*". Hay muchos **otros permisos** que dependiendo de los servicios utilizados pueden ser muy **sensibles**.
- Además, hay **potenciales caminos de privesc** a seguir abusando de los permisos. Todas estas cosas deben tenerse en cuenta y **se deben reportar tantos caminos de privesc como sea posible**.
- **Verificar Integraciones**
- Es muy probable que **integraciones con otras nubes o SaaS** se estén utilizando dentro del entorno de la nube.
- Para **integraciones de la nube que estás auditando** con otra plataforma, deberías notificar **quién tiene acceso a (ab)usar esa integración** y deberías preguntar **qué tan sensible** es la acción que se está realizando.\
Por ejemplo, quién puede escribir en un bucket de AWS del cual GCP está obteniendo datos (pregunta qué tan sensible es la acción en GCP al tratar esos datos).
- Para **integraciones dentro de la nube que estás auditando** desde plataformas externas, deberías preguntar **quién tiene acceso externamente a (ab)usar esa integración** y verificar cómo se está utilizando esos datos.\
Por ejemplo, si un servicio está utilizando una imagen de Docker alojada en GCR, deberías preguntar quién tiene acceso para modificar eso y qué información sensible y acceso obtendrá esa imagen al ejecutarse dentro de una nube de AWS.
## Multi-Cloud tools
## Herramientas Multi-Nube
There are several tools that can be used to test different cloud environments. The installation steps and links are going to be indicated in this section.
Hay varias herramientas que se pueden utilizar para probar diferentes entornos en la nube. Los pasos de instalación y enlaces se indicarán en esta sección.
### [PurplePanda](https://github.com/carlospolop/purplepanda)
A tool to **identify bad configurations and privesc path in clouds and across clouds/SaaS.**
Una herramienta para **identificar malas configuraciones y caminos de privesc en nubes y a través de nubes/SaaS.**
{{#tabs }}
{{#tab name="Install" }}
{{#tab name="Instalar" }}
```bash
# You need to install and run neo4j also
git clone https://github.com/carlospolop/PurplePanda
@@ -54,29 +53,25 @@ export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687"
export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda"
python3 main.py -h # Get help
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
export GOOGLE_DISCOVERY=$(echo 'google:
- file_path: ""
- file_path: ""
service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)
service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)
python3 main.py -a -p google #Get basic info of the account to check it's correctly configured
python3 main.py -e -p google #Enumerate the env
```
{{#endtab }}
{{#endtabs }}
### [Prowler](https://github.com/prowler-cloud/prowler)
It supports **AWS, GCP & Azure**. Check how to configure each provider in [https://docs.prowler.cloud/en/latest/#aws](https://docs.prowler.cloud/en/latest/#aws)
Soporta **AWS, GCP y Azure**. Consulta cómo configurar cada proveedor en [https://docs.prowler.cloud/en/latest/#aws](https://docs.prowler.cloud/en/latest/#aws)
```bash
# Install
pip install prowler
@@ -91,14 +86,12 @@ prowler aws --profile custom-profile [-M csv json json-asff html]
prowler <provider> --list-checks
prowler <provider> --list-services
```
### [CloudSploit](https://github.com/aquasecurity/cloudsploit)
AWS, Azure, Github, Google, Oracle, Alibaba
{{#tabs }}
{{#tab name="Install" }}
{{#tab name="Instalar" }}
```bash
# Install
git clone https://github.com/aquasecurity/cloudsploit.git
@@ -107,16 +100,13 @@ npm install
./index.js -h
## Docker instructions in github
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
## You need to have creds for a service account and set them in config.js file
./index.js --cloud google --config </abs/path/to/config.js>
```
{{#endtab }}
{{#endtabs }}
@@ -125,8 +115,7 @@ npm install
AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure
{{#tabs }}
{{#tab name="Install" }}
{{#tab name="Instalar" }}
```bash
mkdir scout; cd scout
virtualenv -p python3 venv
@@ -135,42 +124,36 @@ pip install scoutsuite
scout --help
## Using Docker: https://github.com/nccgroup/ScoutSuite/wiki/Docker-Image
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
scout gcp --report-dir /tmp/gcp --user-account --all-projects
## use "--service-account KEY_FILE" instead of "--user-account" to use a service account
SCOUT_FOLDER_REPORT="/tmp"
for pid in $(gcloud projects list --format="value(projectId)"); do
echo "================================================"
echo "Checking $pid"
mkdir "$SCOUT_FOLDER_REPORT/$pid"
scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid"
echo "================================================"
echo "Checking $pid"
mkdir "$SCOUT_FOLDER_REPORT/$pid"
scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid"
done
```
{{#endtab }}
{{#endtabs }}
### [Steampipe](https://github.com/turbot)
{{#tabs }}
{{#tab name="Install" }}
Download and install Steampipe ([https://steampipe.io/downloads](https://steampipe.io/downloads)). Or use Brew:
{{#tab name="Instalar" }}
Descargue e instale Steampipe ([https://steampipe.io/downloads](https://steampipe.io/downloads)). O use Brew:
```
brew tap turbot/tap
brew install steampipe
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
# Install gcp plugin
steampipe plugin install gcp
@@ -183,13 +166,11 @@ steampipe dashboard
# To run all the checks from rhe cli
steampipe check all
```
<details>
<summary>Check all Projects</summary>
In order to check all the projects you need to generate the `gcp.spc` file indicating all the projects to test. You can just follow the indications from the following script
<summary>Revisar todos los Proyectos</summary>
Para revisar todos los proyectos, necesitas generar el archivo `gcp.spc` indicando todos los proyectos a probar. Solo puedes seguir las indicaciones del siguiente script.
```bash
FILEPATH="/tmp/gcp.spc"
rm -rf "$FILEPATH" 2>/dev/null
@@ -197,32 +178,30 @@ rm -rf "$FILEPATH" 2>/dev/null
# Generate a json like object for each project
for pid in $(gcloud projects list --format="value(projectId)"); do
echo "connection \"gcp_$(echo -n $pid | tr "-" "_" )\" {
plugin = \"gcp\"
project = \"$pid\"
plugin = \"gcp\"
project = \"$pid\"
}" >> "$FILEPATH"
done
# Generate the aggragator to call
echo 'connection "gcp_all" {
plugin = "gcp"
type = "aggregator"
connections = ["gcp_*"]
plugin = "gcp"
type = "aggregator"
connections = ["gcp_*"]
}' >> "$FILEPATH"
echo "Copy $FILEPATH in ~/.steampipe/config/gcp.spc if it was correctly generated"
```
</details>
To check **other GCP insights** (useful for enumerating services) use: [https://github.com/turbot/steampipe-mod-gcp-insights](https://github.com/turbot/steampipe-mod-gcp-insights)
Para verificar **otros insights de GCP** (útil para enumerar servicios) usa: [https://github.com/turbot/steampipe-mod-gcp-insights](https://github.com/turbot/steampipe-mod-gcp-insights)
To check Terraform GCP code: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance)
Para verificar el código de Terraform GCP: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance)
More GCP plugins of Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp)
Más plugins de GCP de Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp)
{{#endtab }}
{{#tab name="AWS" }}
```bash
# Install aws plugin
steampipe plugin install aws
@@ -246,29 +225,27 @@ cd steampipe-mod-aws-compliance
steampipe dashboard # To see results in browser
steampipe check all --export=/tmp/output4.json
```
Para verificar el código de Terraform AWS: [https://github.com/turbot/steampipe-mod-terraform-aws-compliance](https://github.com/turbot/steampipe-mod-terraform-aws-compliance)
To check Terraform AWS code: [https://github.com/turbot/steampipe-mod-terraform-aws-compliance](https://github.com/turbot/steampipe-mod-terraform-aws-compliance)
More AWS plugins of Steampipe: [https://github.com/orgs/turbot/repositories?q=aws](https://github.com/orgs/turbot/repositories?q=aws)
Más complementos de AWS de Steampipe: [https://github.com/orgs/turbot/repositories?q=aws](https://github.com/orgs/turbot/repositories?q=aws)
{{#endtab }}
{{#endtabs }}
### [~~cs-suite~~](https://github.com/SecurityFTW/cs-suite)
AWS, GCP, Azure, DigitalOcean.\
It requires python2.7 and looks unmaintained.
Requiere python2.7 y parece no estar mantenido.
### Nessus
Nessus has an _**Audit Cloud Infrastructure**_ scan supporting: AWS, Azure, Office 365, Rackspace, Salesforce. Some extra configurations in **Azure** are needed to obtain a **Client Id**.
Nessus tiene un _**Auditoría de Infraestructura en la Nube**_ que admite: AWS, Azure, Office 365, Rackspace, Salesforce. Se necesitan algunas configuraciones adicionales en **Azure** para obtener un **Client Id**.
### [**cloudlist**](https://github.com/projectdiscovery/cloudlist)
Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers.
Cloudlist es una **herramienta multi-nube para obtener Activos** (Nombres de Host, Direcciones IP) de Proveedores de Nube.
{{#tabs }}
{{#tab name="Cloudlist" }}
```bash
cd /tmp
wget https://github.com/projectdiscovery/cloudlist/releases/latest/download/cloudlist_1.0.1_macOS_arm64.zip
@@ -276,46 +253,40 @@ unzip cloudlist_1.0.1_macOS_arm64.zip
chmod +x cloudlist
sudo mv cloudlist /usr/local/bin
```
{{#endtab }}
{{#tab name="Second Tab" }}
{{#tab name="Segunda Pestaña" }}
```bash
## For GCP it requires service account JSON credentials
cloudlist -config </path/to/config>
```
{{#endtab }}
{{#endtabs }}
### [**cartography**](https://github.com/lyft/cartography)
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Cartography es una herramienta de Python que consolida los activos de infraestructura y las relaciones entre ellos en una vista gráfica intuitiva impulsada por una base de datos Neo4j.
{{#tabs }}
{{#tab name="Install" }}
{{#tab name="Instalar" }}
```bash
# Installation
docker image pull ghcr.io/lyft/cartography
docker run --platform linux/amd64 ghcr.io/lyft/cartography cartography --help
## Install a Neo4j DB version 3.5.*
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
docker run --platform linux/amd64 \
--volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \
-e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \
-e NEO4j_PASSWORD="s3cr3t" \
ghcr.io/lyft/cartography \
--neo4j-uri bolt://host.docker.internal:7687 \
--neo4j-password-env-var NEO4j_PASSWORD \
--neo4j-user neo4j
--volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \
-e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \
-e NEO4j_PASSWORD="s3cr3t" \
ghcr.io/lyft/cartography \
--neo4j-uri bolt://host.docker.internal:7687 \
--neo4j-password-env-var NEO4j_PASSWORD \
--neo4j-user neo4j
# It only checks for a few services inside GCP (https://lyft.github.io/cartography/modules/gcp/index.html)
@@ -326,17 +297,15 @@ docker run --platform linux/amd64 \
## Google Kubernetes Engine
### If you can run starbase or purplepanda you will get more info
```
{{#endtab }}
{{#endtabs }}
### [**starbase**](https://github.com/JupiterOne/starbase)
Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
Starbase recopila activos y relaciones de servicios y sistemas, incluyendo infraestructura en la nube, aplicaciones SaaS, controles de seguridad y más, en una vista gráfica intuitiva respaldada por la base de datos Neo4j.
{{#tabs }}
{{#tab name="Install" }}
{{#tab name="Instalar" }}
```bash
# You are going to need Node version 14, so install nvm following https://tecadmin.net/install-nvm-macos-with-homebrew/
npm install --global yarn
@@ -359,44 +328,40 @@ docker build --no-cache -t starbase:latest .
docker-compose run starbase setup
docker-compose run starbase run
```
{{#endtab }}
{{#tab name="GCP" }}
```yaml
## Config for GCP
### Check out: https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md
### It requires service account credentials
integrations:
- name: graph-google-cloud
instanceId: testInstanceId
directory: ./.integrations/graph-google-cloud
gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
config:
SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}"
PROJECT_ID: ""
FOLDER_ID: ""
ORGANIZATION_ID: ""
CONFIGURE_ORGANIZATION_PROJECTS: false
- name: graph-google-cloud
instanceId: testInstanceId
directory: ./.integrations/graph-google-cloud
gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
config:
SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}"
PROJECT_ID: ""
FOLDER_ID: ""
ORGANIZATION_ID: ""
CONFIGURE_ORGANIZATION_PROJECTS: false
storage:
engine: neo4j
config:
username: neo4j
password: s3cr3t
uri: bolt://localhost:7687
#Consider using host.docker.internal if from docker
engine: neo4j
config:
username: neo4j
password: s3cr3t
uri: bolt://localhost:7687
#Consider using host.docker.internal if from docker
```
{{#endtab }}
{{#endtabs }}
### [**SkyArk**](https://github.com/cyberark/SkyArk)
Discover the most privileged users in the scanned AWS or Azure environment, including the AWS Shadow Admins. It uses powershell.
Descubre los usuarios más privilegiados en el entorno de AWS o Azure escaneado, incluidos los AWS Shadow Admins. Utiliza PowerShell.
```powershell
Import-Module .\SkyArk.ps1 -force
Start-AzureStealth
@@ -405,18 +370,17 @@ Start-AzureStealth
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
Scan-AzureAdmins
```
### [Cloud Brute](https://github.com/0xsha/CloudBrute)
A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
Una herramienta para encontrar la infraestructura, archivos y aplicaciones de una empresa (objetivo) en los principales proveedores de nube (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
### [CloudFox](https://github.com/BishopFox/cloudfox)
- CloudFox is a tool to find exploitable attack paths in cloud infrastructure (currently only AWS & Azure supported with GCP upcoming).
- It is an enumeration tool which is intended to compliment manual pentesting.
- It doesn't create or modify any data within the cloud environment.
- CloudFox es una herramienta para encontrar rutas de ataque explotables en la infraestructura de la nube (actualmente solo se admite AWS y Azure, con GCP en camino).
- Es una herramienta de enumeración que está destinada a complementar el pentesting manual.
- No crea ni modifica ningún dato dentro del entorno de la nube.
### More lists of cloud security tools
### Más listas de herramientas de seguridad en la nube
- [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec)
@@ -448,14 +412,10 @@ azure-security/
### Attack Graph
[**Stormspotter** ](https://github.com/Azure/Stormspotter)creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.
[**Stormspotter** ](https://github.com/Azure/Stormspotter) crea un “gráfico de ataque” de los recursos en una suscripción de Azure. Permite a los equipos rojos y pentesters visualizar la superficie de ataque y las oportunidades de pivote dentro de un inquilino, y potencia a tus defensores para orientarse y priorizar rápidamente el trabajo de respuesta a incidentes.
### Office365
You need **Global Admin** or at least **Global Admin Reader** (but note that Global Admin Reader is a little bit limited). However, those limitations appear in some PS modules and can be bypassed accessing the features **via the web application**.
Necesitas **Global Admin** o al menos **Global Admin Reader** (pero ten en cuenta que Global Admin Reader es un poco limitado). Sin embargo, esas limitaciones aparecen en algunos módulos de PS y se pueden eludir accediendo a las funciones **a través de la aplicación web**.
{{#include ../banners/hacktricks-training.md}}