I recently started getting into the world of cloud pentesting and these are many of the resources that I've used or come across when learning. This is essentially a huge list of other resources - compilations, provider-specifics, labs, tools, and more - all in one place. This is by no means comprehensive, and I will continue to update this as I find more resources. Please feel free to suggest resources to add, or add them and make a PR.
Common Technologies
Some of the many cloud providers.
- AWS
- GCP
- Azure
- Kubernetes
- IBM
- Digital Ocean
Repos, links, etc
A compilation of compilations
https://github.com/dafthack/CloudPentestCheatsheets
https://github.com/TROUBLE-1/Cloud-Pentesting
https://github.com/vengatesh-nagarajan/Cloud-pentest
https://github.com/kh4sh3i/cloud-penetration-testing
Other general, non-technology specific resources
https://pentestbook.six2dez.com/enumeration/cloud
https://cloud.hacktricks.xyz/welcome/readme
https://bishopfox.com/blog/cloud-pen-testing-tools
https://medium.com/@mancusomjm/aws-azure-google-cloud-penetration-testing-resources-ca4b2bf1a4a6
https://github.com/jassics/security-study-plan
Resources, tools, and labs for specific cloud providers
Resources, Tools, and Labs
https://pentestbook.six2dez.com/enumeration/cloud/aws
https://www.hackthebox.com/blog/aws-pentesting-guide
https://rhinosecuritylabs.com/penetration-testing/penetration-testing-aws-cloud-need-know/
https://www.cobalt.io/blog/aws-pentesting-essential-guide
https://infosecwriteups.com/deep-dive-into-aws-penetration-testing-a99192a26898
https://cybertalents.com/blog/aws-penetration-testing-what-you-need-to-know
https://github.com/pop3ret/AWSome-Pentesting/blob/main/AWSome-Pentesting-Cheatsheet.md
https://github.com/CyberSecArmy/AWS-Offensive-Exploitation---Pentesting
https://github.com/rootcathacking/cloudcat/blob/main/aws_cli.md
https://github.com/NickTheSecurityDude/AWS-Pentesting-Notes
https://github.com/0xdeadpool/AWS-Essentails-for-Pentest
https://github.com/sebastian-mora/AWS-Loot
https://github.com/DavidDikker/endgame
https://github.com/gwen001/s3-buckets-finder
https://github.com/Ebryx/S3Rec0n
https://github.com/RhinoSecurityLabs/pacu
https://github.com/BishopFox/cloudfox
https://github.com/carnal0wnage/weirdAAL
https://github.com/ajinabraham/aws_security_tools
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security
https://github.com/juanjoSanz/aws-pentesting-lab
https://github.com/torque59/AWS-Vulnerable-Lambda
https://github.com/stafordtituss/HazProne
https://gainsec.com/2020/08/03/complete-cloudgoat-setup-guide/
https://github.com/applied-network-security/aws-pentesting-lab
https://github.com/marcosValle/auto-pentest-lab
- Major topics to know:
-
IAM Policies
-
S3 Buckets
-
EC2 Instances
-
lambda functions & API endpoints
-
VPC
-
Group and Managed policies
-
Find ssh keys --> use 'aws s3 cp' to get ssh key
-
SSRF
-
RCE
-
instance-profile-attachment
- have low or insufficient privileges, but this permission - can create a new EC2 instance with higher privileges than can be further exploited
-
- Make AWS account
- Go to IAM and create a user or users and group(s) with the proper permissions/policies - depends on the lab, but for cloudgoat these work: (AdministratorAccess, AmazonRDSFullAccess, IAMFullAccess, AmazonS3FullAccess, CloudWatchFullAccess, AmazonDynamoDBFullAcces)
- Go to S3 and ensure you can create buckets
- configure your AWS account locally with the aws cli, using the account ID, secret, and region that you obtained when creatng the IAM roles
- It may be necessary to enable ACLs, which can be done through the S3 bucket permissions
Resources, Tools, and Labs
https://pentestbook.six2dez.com/enumeration/cloud/azure
https://github.com/CMEPW/azure-mindmap
https://cloud.hacktricks.xyz/pentesting-cloud/azure-security
https://github.com/Kyuu-Ji/Awesome-Azure-Pentest
https://www.cobalt.io/blog/azure-ad-pentesting-fundamentals
https://www.getastra.com/blog/security-audit/azure-penetration-testing/
https://github.com/mburrough/pentestingazureapps
https://github.com/badchars/AzureAD-Pentest
https://github.com/sabrinalupsan/pentesting-azure-ad
https://github.com/ZephrFish/AzureAttackKit
https://github.com/AlteredSecurity/365-Stealer
https://github.com/optionalCTF/SSOh-No
https://github.com/CasperGN/MFASweep.py
https://github.com/nyxgeek/onedrive_user_enum
https://github.com/esell/azure-sec-lab
https://github.com/uc-cyberclub/azure-pentesting-lab-tf
- Things to look for
- Blobs
- AFR
- Leaked Tokens/Credentials
- Authentication and password attacks - spraying oauth
Resources
https://pentestbook.six2dez.com/enumeration/cloud/gcp
https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security
Kubernetes Resources, Labs, Tools
https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security
https://pentestbook.six2dez.com/enumeration/cloud/docker-and-and-kubernetes
https://github.com/SunWeb3Sec/Kubernetes-security
https://github.com/jarvarbin/Kubernetes-Pentesting
https://github.com/magnologan/awesome-k8s-security
https://hannahsuarez.github.io/2019/pentesting-kubernetes/
https://gitlab.com/pentest-tools/PayloadsAllTheThings/-/tree/master/Kubernetes
https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-1
https://lobuhisec.medium.com/kubernetes-pentest-recon-checklist-tools-and-resources-30d8e4b69463
https://hacktricks.boitatech.com.br/pentesting/pentesting-kubernetes
https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-methodology/
https://github.com/ksoclabs/awesome-kubernetes-security
https://github.com/g3rzi/HackingKubernetes
https://reconshell.com/kubernetes-security-checklist/ -These two are more about configuration but, gotta know how to build to know how to break it
https://reconshell.com/kubernetes-security-checklist/
https://github.com/madhuakula/hacker-container
https://github.com/quarkslab/kdigger
https://github.com/aquasecurity/kube-hunter/
https://github.com/inguardians/peirates
https://github.com/collabnix/kubetools
https://github.com/4ARMED/kubeletmein
https://github.com/cdk-team/CDK
https://github.com/madhuakula/kubernetes-goat
https://github.com/nabilblk/k8s-security
Things to know:
- Clusters
- RBAC
- Service Tokens & Secrets
- Pods
- Endpoints & API
Lab compilations:
https://github.com/iknowjason/Awesome-CloudSec-Labs
https://github.com/appsecco/breaking-and-pwning-apps-and-servers-aws-azure-training
https://github.com/appsecco/attacking-cloudgoat2
https://rhinosecuritylabs.com/aws/cloudgoat-walkthrough-rce_web_app/
https://github.com/appsecco/attacking-cloudgoat2
Other tools that don't quite fit in a specific provider section or are applicable to all/multiple
https://github.com/nccgroup/ScoutSuite
https://github.com/iknowjason/edge
https://github.com/0xsha/CloudBrute
https://github.com/Macmod/STARS
https://github.com/Zeus-Labs/ZeusCloud
https://github.com/rams3sh/Aaia
https://github.com/RhinoSecurityLabs/ccat
https://github.com/404tk/cloudtoolkit
https://github.com/lord-alfred/ipranges
C2 framework
https://github.com/gl4ssesbo1/Nebula
Changelog:
- 05/20/2023: Created & initial content pubished
- 05/22/2023: Spelling/grammer, added AWS and Terraform
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent