gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-12 13:05:19 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:26:13 +00:00
parent 44da2ea78f
commit 6f74ac1a76
245 changed files with 9102 additions and 11816 deletions
Download Patch File Download Diff File Expand all files Collapse all files

192
src/pentesting-cloud/pentesting-cloud-methodology.md
View File

@@ -6,43 +6,42 @@
## Basic Methodology
Each cloud has its own peculiarities but in general there are a few **common things a pentester should check** when testing a cloud environment:
Kila wingu lina tabia zake za kipekee lakini kwa ujumla kuna mambo machache **ya kawaida ambayo pentester anapaswa kuangalia** wakati wa kujaribu mazingira ya wingu:
- **Benchmark checks**
- This will help you **understand the size** of the environment and **services used**
- It will allow you also to find some **quick misconfigurations** as you can perform most of this tests with **automated tools**
- Hii itakusaidia **kuelewa ukubwa** wa mazingira na **huduma zinazotumika**
- Itakuruhusu pia kupata **makosa ya haraka** kwani unaweza kufanya sehemu kubwa ya majaribio haya kwa kutumia **zana za kiotomatiki**
- **Services Enumeration**
- You probably won't find much more misconfigurations here if you performed correctly the benchmark tests, but you might find some that weren't being looked for in the benchmark test.
- This will allow you to know **what is exactly being used** in the cloud env
- This will help a lot in the next steps
- Huenda usipate makosa mengi zaidi hapa ikiwa umefanya majaribio ya benchmark kwa usahihi, lakini unaweza kupata baadhi ambayo hayakuangaliwa katika majaribio ya benchmark.
- Hii itakuruhusu kujua **nini hasa kinatumika** katika mazingira ya wingu
- Hii itasaidia sana katika hatua zinazofuata
- **Check exposed assets**
- This can be done during the previous section, you need to **find out everything that is potentially exposed** to the Internet somehow and how can it be accessed.
- Here I'm taking **manually exposed infrastructure** like instances with web pages or other ports being exposed, and also about other **cloud managed services that can be configured** to be exposed (such as DBs or buckets)
- Then you should check **if that resource can be exposed or not** (confidential information? vulnerabilities? misconfigurations in the exposed service?)
- Hii inaweza kufanywa wakati wa sehemu ya awali, unahitaji **kugundua kila kitu ambacho kinaweza kuwa wazi** kwa Mtandao kwa namna fulani na jinsi kinavyoweza kufikiwa.
- Hapa ninachukua **miundombinu iliyofichuliwa kwa mikono** kama vile mifano yenye kurasa za wavuti au port nyingine zinazofichuliwa, na pia kuhusu **huduma za wingu zinazodhibitiwa ambazo zinaweza kuwekwa** wazi (kama vile DBs au buckets)
- Kisha unapaswa kuangalia **kama rasilimali hiyo inaweza kufichuliwa au la** (habari za siri? udhaifu? makosa katika huduma iliyofichuliwa?)
- **Check permissions**
- Here you should **find out all the permissions of each role/user** inside the cloud and how are they used
- Too **many highly privileged** (control everything) accounts? Generated keys not used?... Most of these check should have been done in the benchmark tests already
- If the client is using OpenID or SAML or other **federation** you might need to ask them for further **information** about **how is being each role assigned** (it's not the same that the admin role is assigned to 1 user or to 100)
- It's **not enough to find** which users has **admin** permissions "\*:\*". There are a lot of **other permissions** that depending on the services used can be very **sensitive**.
- Moreover, there are **potential privesc** ways to follow abusing permissions. All this things should be taken into account and **as much privesc paths as possible** should be reported.
- Hapa unapaswa **kugundua ruhusa zote za kila jukumu/katumizi** ndani ya wingu na jinsi zinavyotumika
- Akaunti nyingi **zenye mamlaka makubwa** (udhibiti kila kitu)? Funguo zilizozalishwa hazitumiki?... Sehemu kubwa ya ukaguzi huu inapaswa kuwa imefanywa katika majaribio ya benchmark tayari
- Ikiwa mteja anatumia OpenID au SAML au **federation** nyingine unaweza kuhitaji kuwauliza kwa maelezo zaidi kuhusu **jinsi kila jukumu linavyotolewa** (sio sawa kwamba jukumu la admin linatolewa kwa mtumiaji 1 au kwa 100)
- **Sio vya kutosha kugundua** ni watumiaji gani wana **mamlaka ya admin** "\*:\*". Kuna ruhusa nyingi **zingine** ambazo kulingana na huduma zinazotumika zinaweza kuwa **nyeti** sana.
- Zaidi ya hayo, kuna njia za **potential privesc** za kufuata kwa kutumia ruhusa. Mambo haya yote yanapaswa kuzingatiwa na **njia nyingi za privesc kadri iwezekanavyo** zinapaswa kuripotiwa.
- **Check Integrations**
- It's highly probably that **integrations with other clouds or SaaS** are being used inside the cloud env.
- For **integrations of the cloud you are auditing** with other platform you should notify **who has access to (ab)use that integration** and you should ask **how sensitive** is the action being performed.\
For example, who can write in an AWS bucket where GCP is getting data from (ask how sensitive is the action in GCP treating that data).
- For **integrations inside the cloud you are auditing** from external platforms, you should ask **who has access externally to (ab)use that integration** and check how is that data being used.\
For example, if a service is using a Docker image hosted in GCR, you should ask who has access to modify that and which sensitive info and access will get that image when executed inside an AWS cloud.
- Ni uwezekano mkubwa kwamba **mashirikiano na mawingu mengine au SaaS** yanatumika ndani ya mazingira ya wingu.
- Kwa **mashirikiano ya wingu unayoangalia** na jukwaa lingine unapaswa kutangaza **nani ana ufaccess (kuutumia) huo ushirikiano** na unapaswa kuuliza **ni kiasi gani** kitendo kinachofanywa ni nyeti.\
Kwa mfano, nani anaweza kuandika katika bucket ya AWS ambapo GCP inapata data (uliza ni kiasi gani kitendo hicho ni nyeti katika GCP kinachoshughulikia data hiyo).
- Kwa **mashirikiano ndani ya wingu unayoangalia** kutoka kwa majukwaa ya nje, unapaswa kuuliza **nani ana ufaccess nje (kuutumia) huo ushirikiano** na kuangalia jinsi data hiyo inavyotumika.\
Kwa mfano, ikiwa huduma inatumia picha ya Docker iliyohifadhiwa katika GCR, unapaswa kuuliza nani ana ufaccess wa kuibadilisha na ni taarifa zipi nyeti na ufaccess zitakazopatikana kwa picha hiyo itakapotekelezwa ndani ya wingu la AWS.
## Multi-Cloud tools
There are several tools that can be used to test different cloud environments. The installation steps and links are going to be indicated in this section.
Kuna zana kadhaa ambazo zinaweza kutumika kujaribu mazingira tofauti ya wingu. Hatua za usakinishaji na viungo vitatolewa katika sehemu hii.
### [PurplePanda](https://github.com/carlospolop/purplepanda)
A tool to **identify bad configurations and privesc path in clouds and across clouds/SaaS.**
Zana ya **kutambua makosa mabaya ya usanidi na njia za privesc katika mawingu na kati ya mawingu/SaaS.**
{{#tabs }}
{{#tab name="Install" }}
```bash
# You need to install and run neo4j also
git clone https://github.com/carlospolop/PurplePanda
@@ -54,29 +53,25 @@ export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687"
export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda"
python3 main.py -h # Get help
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
export GOOGLE_DISCOVERY=$(echo 'google:
- file_path: ""
- file_path: ""
service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)
service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)
python3 main.py -a -p google #Get basic info of the account to check it's correctly configured
python3 main.py -e -p google #Enumerate the env
```
{{#endtab }}
{{#endtabs }}
### [Prowler](https://github.com/prowler-cloud/prowler)
It supports **AWS, GCP & Azure**. Check how to configure each provider in [https://docs.prowler.cloud/en/latest/#aws](https://docs.prowler.cloud/en/latest/#aws)
Inasaidia **AWS, GCP & Azure**. Angalia jinsi ya kuunda mipangilio ya kila mtoa huduma katika [https://docs.prowler.cloud/en/latest/#aws](https://docs.prowler.cloud/en/latest/#aws)
```bash
# Install
pip install prowler
@@ -91,14 +86,12 @@ prowler aws --profile custom-profile [-M csv json json-asff html]
prowler <provider> --list-checks
prowler <provider> --list-services
```
### [CloudSploit](https://github.com/aquasecurity/cloudsploit)
AWS, Azure, Github, Google, Oracle, Alibaba
{{#tabs }}
{{#tab name="Install" }}
{{#tab name="Sakinisha" }}
```bash
# Install
git clone https://github.com/aquasecurity/cloudsploit.git
@@ -107,16 +100,13 @@ npm install
./index.js -h
## Docker instructions in github
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
## You need to have creds for a service account and set them in config.js file
./index.js --cloud google --config </abs/path/to/config.js>
```
{{#endtab }}
{{#endtabs }}
@@ -126,7 +116,6 @@ AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure
{{#tabs }}
{{#tab name="Install" }}
```bash
mkdir scout; cd scout
virtualenv -p python3 venv
@@ -135,24 +124,21 @@ pip install scoutsuite
scout --help
## Using Docker: https://github.com/nccgroup/ScoutSuite/wiki/Docker-Image
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
scout gcp --report-dir /tmp/gcp --user-account --all-projects
## use "--service-account KEY_FILE" instead of "--user-account" to use a service account
SCOUT_FOLDER_REPORT="/tmp"
for pid in $(gcloud projects list --format="value(projectId)"); do
echo "================================================"
echo "Checking $pid"
mkdir "$SCOUT_FOLDER_REPORT/$pid"
scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid"
echo "================================================"
echo "Checking $pid"
mkdir "$SCOUT_FOLDER_REPORT/$pid"
scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid"
done
```
{{#endtab }}
{{#endtabs }}
@@ -160,17 +146,14 @@ done
{{#tabs }}
{{#tab name="Install" }}
Download and install Steampipe ([https://steampipe.io/downloads](https://steampipe.io/downloads)). Or use Brew:
Pakua na usakinishe Steampipe ([https://steampipe.io/downloads](https://steampipe.io/downloads)). Au tumia Brew:
```
brew tap turbot/tap
brew install steampipe
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
# Install gcp plugin
steampipe plugin install gcp
@@ -183,13 +166,11 @@ steampipe dashboard
# To run all the checks from rhe cli
steampipe check all
```
<details>
<summary>Check all Projects</summary>
In order to check all the projects you need to generate the `gcp.spc` file indicating all the projects to test. You can just follow the indications from the following script
<summary>Angalia Miradi Yote</summary>
Ili kuangalia miradi yote unahitaji kuunda faili la `gcp.spc` linaloashiria miradi yote ya kupima. Unaweza kufuata tu maelekezo kutoka kwa skripti ifuatayo.
```bash
FILEPATH="/tmp/gcp.spc"
rm -rf "$FILEPATH" 2>/dev/null
@@ -197,32 +178,30 @@ rm -rf "$FILEPATH" 2>/dev/null
# Generate a json like object for each project
for pid in $(gcloud projects list --format="value(projectId)"); do
echo "connection \"gcp_$(echo -n $pid | tr "-" "_" )\" {
plugin = \"gcp\"
project = \"$pid\"
plugin = \"gcp\"
project = \"$pid\"
}" >> "$FILEPATH"
done
# Generate the aggragator to call
echo 'connection "gcp_all" {
plugin = "gcp"
type = "aggregator"
connections = ["gcp_*"]
plugin = "gcp"
type = "aggregator"
connections = ["gcp_*"]
}' >> "$FILEPATH"
echo "Copy $FILEPATH in ~/.steampipe/config/gcp.spc if it was correctly generated"
```
</details>
To check **other GCP insights** (useful for enumerating services) use: [https://github.com/turbot/steampipe-mod-gcp-insights](https://github.com/turbot/steampipe-mod-gcp-insights)
Ili kuangalia **maelezo mengine ya GCP** (yenye manufaa kwa kuorodhesha huduma) tumia: [https://github.com/turbot/steampipe-mod-gcp-insights](https://github.com/turbot/steampipe-mod-gcp-insights)
To check Terraform GCP code: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance)
Ili kuangalia msimbo wa Terraform GCP: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance)
More GCP plugins of Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp)
Viongezeo zaidi vya GCP vya Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp)
{{#endtab }}
{{#tab name="AWS" }}
```bash
# Install aws plugin
steampipe plugin install aws
@@ -246,7 +225,6 @@ cd steampipe-mod-aws-compliance
steampipe dashboard # To see results in browser
steampipe check all --export=/tmp/output4.json
```
To check Terraform AWS code: [https://github.com/turbot/steampipe-mod-terraform-aws-compliance](https://github.com/turbot/steampipe-mod-terraform-aws-compliance)
More AWS plugins of Steampipe: [https://github.com/orgs/turbot/repositories?q=aws](https://github.com/orgs/turbot/repositories?q=aws)
@@ -256,19 +234,18 @@ More AWS plugins of Steampipe: [https://github.com/orgs/turbot/repositories?q=aw
### [~~cs-suite~~](https://github.com/SecurityFTW/cs-suite)
AWS, GCP, Azure, DigitalOcean.\
It requires python2.7 and looks unmaintained.
Inahitaji python2.7 na inaonekana haijatunzwa.
### Nessus
Nessus has an _**Audit Cloud Infrastructure**_ scan supporting: AWS, Azure, Office 365, Rackspace, Salesforce. Some extra configurations in **Azure** are needed to obtain a **Client Id**.
Nessus ina _**Ukaguzi wa Miundombinu ya Wingu**_ skana inayounga mkono: AWS, Azure, Office 365, Rackspace, Salesforce. Mipangilio ya ziada katika **Azure** inahitajika kupata **Client Id**.
### [**cloudlist**](https://github.com/projectdiscovery/cloudlist)
Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers.
Cloudlist ni **chombo cha wingu nyingi kwa kupata Mali** (Majina ya mwenyeji, Anwani za IP) kutoka kwa Watoa Huduma za Wingu.
{{#tabs }}
{{#tab name="Cloudlist" }}
```bash
cd /tmp
wget https://github.com/projectdiscovery/cloudlist/releases/latest/download/cloudlist_1.0.1_macOS_arm64.zip
@@ -276,46 +253,40 @@ unzip cloudlist_1.0.1_macOS_arm64.zip
chmod +x cloudlist
sudo mv cloudlist /usr/local/bin
```
{{#endtab }}
{{#tab name="Second Tab" }}
```bash
## For GCP it requires service account JSON credentials
cloudlist -config </path/to/config>
```
{{#endtab }}
{{#endtabs }}
### [**cartography**](https://github.com/lyft/cartography)
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Cartography ni chombo cha Python kinachounganisha mali za miundombinu na uhusiano kati yao katika mtazamo wa grafu wa kueleweka unaoendeshwa na hifadhidata ya Neo4j.
{{#tabs }}
{{#tab name="Install" }}
```bash
# Installation
docker image pull ghcr.io/lyft/cartography
docker run --platform linux/amd64 ghcr.io/lyft/cartography cartography --help
## Install a Neo4j DB version 3.5.*
```
{{#endtab }}
{{#tab name="GCP" }}
```bash
docker run --platform linux/amd64 \
--volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \
-e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \
-e NEO4j_PASSWORD="s3cr3t" \
ghcr.io/lyft/cartography \
--neo4j-uri bolt://host.docker.internal:7687 \
--neo4j-password-env-var NEO4j_PASSWORD \
--neo4j-user neo4j
--volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \
-e GOOGLE_APPLICATION_CREDENTIALS="/application_default_credentials.json" \
-e NEO4j_PASSWORD="s3cr3t" \
ghcr.io/lyft/cartography \
--neo4j-uri bolt://host.docker.internal:7687 \
--neo4j-password-env-var NEO4j_PASSWORD \
--neo4j-user neo4j
# It only checks for a few services inside GCP (https://lyft.github.io/cartography/modules/gcp/index.html)
@@ -326,17 +297,15 @@ docker run --platform linux/amd64 \
## Google Kubernetes Engine
### If you can run starbase or purplepanda you will get more info
```
{{#endtab }}
{{#endtabs }}
### [**starbase**](https://github.com/JupiterOne/starbase)
Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
Starbase inakusanya mali na uhusiano kutoka kwa huduma na mifumo ikiwa ni pamoja na miundombinu ya wingu, programu za SaaS, udhibiti wa usalama, na zaidi katika muonekano wa grafu unaoeleweka unaoungwa mkono na hifadhidata ya Neo4j.
{{#tabs }}
{{#tab name="Install" }}
```bash
# You are going to need Node version 14, so install nvm following https://tecadmin.net/install-nvm-macos-with-homebrew/
npm install --global yarn
@@ -359,44 +328,40 @@ docker build --no-cache -t starbase:latest .
docker-compose run starbase setup
docker-compose run starbase run
```
{{#endtab }}
{{#tab name="GCP" }}
```yaml
## Config for GCP
### Check out: https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md
### It requires service account credentials
integrations:
- name: graph-google-cloud
instanceId: testInstanceId
directory: ./.integrations/graph-google-cloud
gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
config:
SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}"
PROJECT_ID: ""
FOLDER_ID: ""
ORGANIZATION_ID: ""
CONFIGURE_ORGANIZATION_PROJECTS: false
- name: graph-google-cloud
instanceId: testInstanceId
directory: ./.integrations/graph-google-cloud
gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
config:
SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}"
PROJECT_ID: ""
FOLDER_ID: ""
ORGANIZATION_ID: ""
CONFIGURE_ORGANIZATION_PROJECTS: false
storage:
engine: neo4j
config:
username: neo4j
password: s3cr3t
uri: bolt://localhost:7687
#Consider using host.docker.internal if from docker
engine: neo4j
config:
username: neo4j
password: s3cr3t
uri: bolt://localhost:7687
#Consider using host.docker.internal if from docker
```
{{#endtab }}
{{#endtabs }}
### [**SkyArk**](https://github.com/cyberark/SkyArk)
Discover the most privileged users in the scanned AWS or Azure environment, including the AWS Shadow Admins. It uses powershell.
Gundua watumiaji wenye mamlaka zaidi katika mazingira ya AWS au Azure yaliyoskanwa, ikiwa ni pamoja na AWS Shadow Admins. Inatumia powershell.
```powershell
Import-Module .\SkyArk.ps1 -force
Start-AzureStealth
@@ -405,18 +370,17 @@ Start-AzureStealth
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
Scan-AzureAdmins
```
### [Cloud Brute](https://github.com/0xsha/CloudBrute)
A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
Chombo cha kutafuta miundombinu ya kampuni (lengo), faili, na programu kwenye watoa huduma wakuu wa wingu (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
### [CloudFox](https://github.com/BishopFox/cloudfox)
- CloudFox is a tool to find exploitable attack paths in cloud infrastructure (currently only AWS & Azure supported with GCP upcoming).
- It is an enumeration tool which is intended to compliment manual pentesting.
- It doesn't create or modify any data within the cloud environment.
- CloudFox ni chombo cha kutafuta njia za shambulio zinazoweza kutumika katika miundombinu ya wingu (kwa sasa inasaidia tu AWS & Azure na GCP inakuja).
- Ni chombo cha kuhesabu ambacho kinakusudia kukamilisha pentesting ya mkono.
- Hakiundui au kubadilisha data yoyote ndani ya mazingira ya wingu.
### More lists of cloud security tools
### Orodha zaidi za zana za usalama wa wingu
- [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec)
@@ -446,16 +410,12 @@ aws-security/
azure-security/
{{#endref}}
### Attack Graph
### Mchoro wa Shambulio
[**Stormspotter** ](https://github.com/Azure/Stormspotter)creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.
[**Stormspotter** ](https://github.com/Azure/Stormspotter)inaunda "mchoro wa shambulio" wa rasilimali katika usajili wa Azure. Inawawezesha timu za red na wapentester kuona uso wa shambulio na fursa za kuhamasisha ndani ya mpangilio, na inawapa walinzi wako nguvu za haraka kujiandaa na kuweka kipaumbele kazi za majibu ya tukio.
### Office365
You need **Global Admin** or at least **Global Admin Reader** (but note that Global Admin Reader is a little bit limited). However, those limitations appear in some PS modules and can be bypassed accessing the features **via the web application**.
Unahitaji **Global Admin** au angalau **Global Admin Reader** (lakini kumbuka kwamba Global Admin Reader ina mipaka kidogo). Hata hivyo, mipaka hiyo inaonekana katika baadhi ya moduli za PS na inaweza kupitishwa kwa kufikia vipengele **kupitia programu ya wavuti**.
{{#include ../banners/hacktricks-training.md}}