mirror of
https://github.com/The-Art-of-Hacking/h4cker.git
synced 2024-10-01 01:25:43 -04:00
Cloud Security Resources
- Cloud Security Resources from AWS
- Penetration Testing Rules of Engagement in Microsoft Azure
- Penetration Testing in AWS
- Penetration Testing in Google Cloud Platform and Cloud Security FAQ
- Google Cloud Security Center
- High-level Best Practices when Performing Pen Testing in Cloud Environments
Vulnerables
- CloudGoat
- Damn Vulnerable Cloud Application (DVCA)
- Penetration Testing AWS Storage: Kicking the S3 Bucket - Written by Dwight Hohnstein from Rhino Security Labs.
Additional Tools
- Taken - Takeover AWS IPs And Have A Working POC For Subdomain Takeover
- Autovpn - Create On Demand Disposable OpenVPN Endpoints On AWS
- SpaceSiren - A Honey Token Manager And Alert System For AWS
- AWS Recon - Multi-threaded AWS Inventory Collection Tool With A Focus On Security-Relevant Resources And Metadata
- DAGOBAH - Open Source Tool To Generate Internal Threat Intelligence, Inventory & Compliance Data From AWS Resources
- AWS Report - A Tool For Analyzing Amazon Resources
- SkyArk - Helps To Discover, Assess And Secure The Most Privileged Entities In Azure And AWS
- Cloudsplaining - An AWS IAM Security Assessment Tool That Identifies Violations Of Least Privilege And Generates A Risk-Prioritized Report
- SkyWrapper - Tool That Helps To Discover Suspicious Creation Forms And Uses Of Temporary Tokens In AWS
- Sandcastle - A Python Script For AWS S3 Bucket Enumeration
- Awspx - A Graph-Based Tool For Visualizing Effective Access And Resource Relationships In AWS Environments
- AWSGen.py - Generates Permutations, Alterations And Mutations Of AWS S3 Buckets Names
- AlertResponder - Automatic Security Alert Response Framework By AWS Serverless Application Model
- Aaia - AWS Identity And Access Management Visualizer And Anomaly Finder
- FireProx - AWS API Gateway Management Tool For Creating On The Fly HTTP Pass-Through Proxies For Unique IP Rotation
Azure
Enumeration Tools
Email and Username Enumeration
- o365creeper - Enumerate valid email addresses
- Office 365 User Enumeration - Enumerate valid usernames from Office 365
Cloud Infrastructure Enumeration
- CloudBrute - Find a cloud infrastructure of a company
- cloud_enum - Multi-cloud OSINT tool
- Azucar - Security auditing tool for Azure environments
Azure Specific Enumeration
- BlobHunter - Scanning Azure blob storage accounts
- Grayhat Warfare - Open Azure blobs search
- OpenBuckets - Find misconfigured cloud storage buckets across every cloud provider. Updates almost daily.
- Azure-AccessPermissions - Enumerate access permissions in Azure AD
Information Gathering Tools
Azure Information Gathering
- o365recon - Information gathering with valid credentials to Azure
- Azurite - Enumeration and reconnaissance in Microsoft Azure Cloud
- Sparrow.ps1 - Detect possible compromised accounts in Azure/M365
- Microsoft Azure AD Assessment - Assessing Azure AD tenant state
Multi-Cloud Security Auditing
- ScoutSuite - Multi-cloud security auditing tool
- Prowler - AWS and Azure security assessments
Lateral Movement Tools
- Stormspotter - Azure Red Team tool
- AzureADLateralMovement - Lateral Movement graph for Azure AD
- SkyArk - Privileged entities in Azure and AWS
Exploitation Tools
Azure Exploitation
- MicroBurst - Scripts for assessing Microsoft Azure security
- Microsoft-Teams-GIFShell - Microsoft Teams reverse shell execution
Credential Attacks
- MSOLSpray - Password spraying tool for Microsoft Online accounts
- MFASweep - Check if MFA is enabled on multiple Microsoft Services Resources
- adconnectdump - Dump Azure AD Connect credentials
Resources
Articles
- Abusing Azure AD SSO with the Primary Refresh Token
- Abusing dynamic groups in Azure AD for Privilege Escalation
- Attacking Azure, Azure AD, and Introducing PowerZure
- Attacking Azure & Azure AD, Part II
- Azure AD Connect for Red Teamers
- Azure AD Introduction for Red Teamers
- Azure AD Pass The Certificate
- Azure AD privilege escalation - Taking over default application permissions as Application Admin
- Defense and Detection for Attacks Within Azure
- Hunting Azure Admins for Vertical Escalation
- Impersonating Office 365 Users With Mimikatz
- Lateral Movement from Azure to On-Prem AD
- Malicious Azure AD Application Registrations
- Moving laterally between Azure AD joined machines
- CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory
- Privilege Escalation Vulnerability in Azure Functions
- Azure Application Proxy C2
- Recovering Plaintext Passwords from Azure Virtual Machines like It’s the 1990s
- Forensicating Azure VMs
- Network Forensics on Azure VMs
- Cross-Account Container Takeover in Azure Container Instances
- Azure Active Directory password brute-forcing flaw
- How to Detect Azure Active Directory Backdoors: Identity Federation
- Azure App Service vulnerability exposed hundreds of source code repositories
- AutoWarp: Cross-Account Vulnerability in Microsoft Azure Automation Service
- Microsoft Azure Synapse Pwnalytics
- Microsoft Azure Site Recovery DLL Hijacking
- FabriXss (CVE-2022-35829): Abusing a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer
- Untangling Azure Active Directory Principals & Access Permissions
- How to Detect OAuth Access Token Theft in Azure
- How to deal with Ransomware on Azure
- How Orca found Server-Side Request Forgery (SSRF) Vulnerabilities in four different Azure Services
- EmojiDeploy: Smile! Your Azure web service just got RCE’d
- Bounce the Ticket and Silver Iodide on Azure AD Kerberos
Lists and Cheat Sheets
- List of all Microsoft Portals
- Azure Articles from NetSPI
- Azure Cheat Sheet on CloudSecDocs
- Resources about Azure from Cloudberry Engineering
- Resources from PayloadsAllTheThings
- Encyclopedia on Hacking the Cloud
- Azure AD - Attack and Defense Playbook
- Azure Security Resources and Notes
- Azure Threat Research Matrix
Lab Exercises
- azure-security-lab - Securing Azure Infrastructure - Hands on Lab Guide
- AzureSecurityLabs - Hands-on Security Labs focused on Azure IaaS Security
- Building Free Active Directory Lab in Azure
- Aria Cloud Penetration Testing Tools Container - A Docker container for remote penetration testing
- PurpleCloud - Multi-use Hybrid + Identity Cyber Range implementing a small Active Directory Domain in Azure alongside Azure AD and Azure Domain Services
- BlueCloud - Cyber Range system with a Windows VM for security testing with Azure and AWS Terraform support
- Azure Red Team Attack and Detect Workshop
- SANS Workshop – Building an Azure Pentest Lab for Red Teams - The link in the description contains a password-protected OVA file that can be used until 2nd March 2024
Talks and Videos
- Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)
- TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory
- Dirk Jan Mollema - Im In Your Cloud Pwning Your Azure Environment - DEF CON 27 Conference
- Adventures in Azure Privilege Escalation Karl Fosaaen
- Introducing ROADtools - Azure AD exploration for Red Teams and Blue Teams
Public Cloud Governance
AWS Governance
AWS - Patterns
URL Services
Service | URL |
---|---|
s3 | https://{user_provided}.s3.amazonaws.com |
cloudfront | https://{random_id}.cloudfront.net |
ec2 | ec2-{ip-seperated}.compute-1.amazonaws.com |
es | https://{user_provided}-{random_id}.{region}.es.amazonaws.com |
elb | http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 |
elbv2 | https://{user_provided}-{random_id}.{region}.elb.amazonaws.com |
rds | mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 |
rds | postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 |
route 53 | {user_provided} |
execute-api | https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} |
cloudsearch | https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com |
transfer | sftp://s-{random_id}.server.transfer.{region}.amazonaws.com |
iot | mqtt://{random_id}.iot.{region}.amazonaws.com:8883 |
iot | https://{random_id}.iot.{region}.amazonaws.com:8443 |
iot | https://{random_id}.iot.{region}.amazonaws.com:443 |
mq | https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162 |
mq | ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 |
kafka | b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com |
kafka | {user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com |
cloud9 | https://{random_id}.vfs.cloud9.{region}.amazonaws.com |
mediastore | https://{random_id}.data.mediastore.{region}.amazonaws.com |
kinesisvideo | https://{random_id}.kinesisvideo.{region}.amazonaws.com |
mediaconvert | https://{random_id}.mediaconvert.{region}.amazonaws.com |
mediapackage | https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel |
MultiCloud Governance
Kubernetes Operators
- Aqua
- Misc
Container Tools
- Anchore
- Aqua
- Misc
Cloud Security Standards
Learning
Blogs
Courses
- Oracle
- A Cloud Guru
- Learning Paths
Labs
- AWS Workshops
- AWS Identity: Using Amazon Cognito for serverless consumer apps
- AWS Network Firewall Workshop
- AWS Networking Workshop
- Access Delegation
- Amazon VPC Endpoint Workshop
- Build a Vulnerability Management Program Using AWS for AWS
- Data Discovery and Classification with Amazon Macie
- Data Protection
- DevSecOps - Integrating security into your pipeline
- Disaster Recovery on AWS
- Finding and addressing Network Misconfigurations on AWS
- Firewall Manager Service - WAF Policy
- Getting Hands on with Amazon GuardDuty
- Hands on Network Firewall Workshop
- Implementing DDoS Resiliency
- Infrastructure Identity on AWS
- Integrating security into your container pipeline
- Integration, Prioritization, and Response with AWS Security Hub
- Introduction to WAF
- Permission boundaries: how to delegate permissions on AWS
- Protecting workloads on AWS from the instance to the edge
- Scaling threat detection and response on AWS
- Serverless Identity
- PagerDuty Training Lab
Podcasts
Vulnerable By Design
Certifications
- Cloud Vendors
- ISC2 - International Information System Security Certification Consortium
- CSA - Cloud Security Alliance
Projects
Alerting
Automated Security Assessment
- Prowler
- CloudFox
- SkyArk
- Pacu
- Bucket Finder
- Boto3
- Principal Mapper
- ScoutSuite
- s3_objects_check
- cloudsplaining
- weirdAAL
- cloudmapper
- NetSPI/AWS_Consoler
Benchmarking
Data Loss Prevention
Firewall Management
- globaldatanet
Identity and Access Management
- AWS Labs
- Duo Labs
- Netflix
- Salesforce
- welldone.cloud
- Misc
Incident Response
- AWS
- Netflix
- PagerDuty
- PagerDuty Automated Remediation Docs
- PagerDuty Business Response Docs
- PagerDuty DevSecOps Docs
- PagerDuty Full Case Ownership Docs
- PagerDuty Full Service Ownership Docs
- PagerDuty Going OnCall Docs
- PagerDuty Incident Response Docs
- PagerDuty Operational Review Docs
- PagerDuty PostMortem Docs
- PagerDuty Retrospectives Docs
- PagerDuty Stakeholder Communication Docs
- Velocidex
Spring
Threat modeling
- ThreatModel for Amazon S3 - Library of all the attack scenarios on Amazon S3 and how to mitigate them, following a risk-based approach
Examples
Ex. Automated Security Assessment
- AWS Config Rules Repository
- AWS Inspector Agent Autodeploy
- AWS Inspector Auto Remediation
- AWS Inspector Lambda Finding Processor
Ex. Identity and Access Management
Ex. Logging
- AWS Centralized Logging
- AWS Config Snapshots to ElasticSearch
- AWS CloudWatch Events Monitor Security Groups