0. Attack Clouds
Cloud Penetration Testing: Initial Foothold & Credential Acquisition
In cloud penetration testing, obtaining an initial foothold is crucial. While some clients may provide credentials to expedite testing, testers must be prepared to acquire them independently when credentials are not provided.
Credential Acquisition Techniques
Common methods to obtain credentials include:
- User Enumeration: Identifying valid usernames by probing authentication mechanisms. Differences in server responses during login attempts can reveal valid usernames.
- Public Exposure: Searching for exposed secrets such as access keys and tokens in public repositories or misconfigured storage services.
- Exploiting Vulnerabilities: Leveraging web application vulnerabilities (e.g., Server-Side Request Forgery (SSRF)) to access internal services and extract credentials.
Credential formats
| Cloud Provider | Credential Type | Format/Example | Use Case |
|---|---|---|---|
| AWS | Access Key | ini [default] aws_access_key_id=AKIA123... aws_secret_access_key=xyz123... |
Used for AWS CLI, SDKs, and programmatic access. |
| AWS | IAM Role (Temporary Credentials) | json { "AccessKeyId": "ASIA123...", "SecretAccessKey": "xyz123...", "SessionToken": "FQoGZXIvYXdzE..." } |
Temporary credentials via AssumeRole. |
| AWS | Environment Variables | sh export AWS_ACCESS_KEY_ID="AKIA123..." export AWS_SECRET_ACCESS_KEY="xyz123..." |
Used in CI/CD pipelines, containers. |
| AWS | .env File | AWS_ACCESS_KEY_ID=AKIA123... AWS_SECRET_ACCESS_KEY=xyz123... |
Stored in environment configuration files. |
| AWS | EC2 Instance Profile (Metadata API) | sh curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ |
IAM roles attached to EC2 instances. |
| Azure | Service Principal (JSON) | json { "clientId": "a2b3c4d5-e6f7...", "clientSecret": "P@ssw0rd123!", "subscriptionId": "12345678...", "tenantId": "abcdef12..." } |
Used for automation, CLI, API access. |
| Azure | Storage Account Key | sh AZURE_STORAGE_ACCOUNT="mystorageaccount" AZURE_STORAGE_KEY="Eby8vdM02xNOcq..." |
Access Azure Blob Storage. |
| Azure | Managed Identity | sh curl -H "Metadata: true" http://169.254.169.254/metadata/identity/oauth2/token |
Secure way to authenticate without keys. |
| Azure | Environment Variables | sh export AZURE_CLIENT_ID="a2b3c4d5..." export AZURE_CLIENT_SECRET="P@ssw0rd123!" export AZURE_TENANT_ID="abcdef12..." |
Used in automated deployments. |
| GCP | Service Account Key (JSON) | json { "type": "service_account", "project_id": "my-gcp-project", "private_key_id": "abcdef123...", "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQ...", "client_email": "my-service-account@my-gcp-project.iam.gserviceaccount.com" } |
Used for automation, authentication to GCP APIs. |
| GCP | OAuth2 Access Token | sh ACCESS_TOKEN="ya29.a0AfH6SMA..." |
Temporary authentication for APIs. |
| GCP | API Key | sh GCP_API_KEY="AIzAxxxxxxxxxxxx" |
Used in simple API requests. |
| GCP | Environment Variables | sh export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json" |
Common in GCP SDKs. |
| GCP | GKE Kubernetes Secret | yaml apiVersion: v1 kind: Secret metadata: name: gcp-credentials data: service_account.json: "BASE64_ENCODED_JSON" |
Kubernetes authentication with GCP. |
| GCP | Compute Engine Metadata API | sh curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google" |
Retrieve tokens for service accounts on GCE instances. |
Table: APT Credential Theft Techniques in Cloud Environments
| Technique | Description | Example APT Groups | Mitigation Strategies |
|---|---|---|---|
| Phishing & Spear-Phishing | Crafting deceptive emails/messages to trick users into revealing credentials. | APT29 (Cozy Bear), APT40 | Security awareness training, MFA, email filtering |
| Password Spraying | Trying common passwords across multiple accounts to avoid detection. | APT29, APT35, APT41 | Enforce strong password policies, MFA, login anomaly detection |
| Brute-Force Attacks | Systematically attempting all possible password combinations. | APT33, Fancy Bear (APT28) | Rate-limiting login attempts, CAPTCHAs, MFA |
| Exploiting Third-Party Software | Targeting vulnerabilities in cloud-based applications and remote software. | APT10 (Cloud Hopper), Hafnium | Regular patching, vulnerability scanning, zero-trust architecture |
| Leveraging Dormant Accounts | Using inactive/unmonitored accounts to regain or maintain access. | APT29, Lazarus Group | Regular account audits, disabling inactive accounts, monitoring login anomalies |
| Using Cloud for C2 Infrastructure | Abusing trusted cloud services for command and control (C2) operations. | APT33, Mustang Panda | Anomalous network traffic monitoring, firewall rules, endpoint detection and response (EDR) |
| Credential Dumping | Extracting credentials from compromised systems using tools like Mimikatz. | APT28, APT35, FIN7 | Endpoint security solutions, LSASS protection, log monitoring |
| Man-in-the-Middle (MitM) Attacks | Intercepting traffic between users and cloud services to capture credentials. | Turla, APT41 | Enforce HTTPS/TLS, VPN encryption, DNS security |
| Default or Weak Credentials | Exploiting accounts using default or easily guessable passwords. | APT39, Sandworm | Enforce password policies, disable default credentials, MFA |
| Social Engineering & Impersonation | Manipulating individuals into revealing credentials by posing as trusted entities. | APT35 (Charming Kitten), APT37 | Security awareness training, phishing-resistant authentication |
| Session Hijacking | Taking over active user sessions to bypass authentication. | APT28, APT41 | Secure cookies, session timeout policies, endpoint protection |
| Exploiting OAuth & SSO Tokens | Using stolen OAuth tokens to bypass password-based authentication. | APT29, Nobelium | Token revocation policies, monitoring token usage, strict API permissions |
| Sniffing Network Traffic | Capturing unencrypted traffic to extract credentials. | Lazarus Group, FIN8 | TLS encryption, network segmentation, intrusion detection systems (IDS) |
| Exploiting Cloud API Keys | Gaining access through exposed API keys found in repositories or logs. | APT40, Hafnium | Rotate API keys regularly, use IAM roles instead of static keys, enforce environment variable security |
| Abusing IAM Policies & Privilege Escalation | Misconfiguring IAM policies to gain higher privileges. | APT10, APT39 | Principle of least privilege (PoLP), regular IAM reviews, enforcing role-based access control (RBAC) |
After Obtaining Initial Credentials
While various methodologies exist, a top-down approach is often the most structured. Azure’s Tenant → Subscription → Service model is particularly clear and organized:
- Tenant: Identifies the entity (e.g., company).
- Subscription: Linked to a tenant, responsible for billing and resource allocation.
- Services: Compute, Storage, Networking, Databases, etc.
Comparison of Cloud Hierarchies
| Cloud Provider | Level 1 (Tenant) | Level 2 (Subscription) | Level 3 (Services) |
|---|---|---|---|
| Azure | Tenant (Microsoft Entra ID) | Subscription (Billing & Resource Container) | Services (VMs, Storage, Databases, etc.) |
| AWS | AWS Organization (Root Account) | Account (Isolated Unit for Billing & Resources) | Services (EC2, S3, RDS, etc.) |
| GCP | Organization (Root Entity) | Project (Billing & Resource Container) | Services (Compute Engine, Cloud Storage, BigQuery, etc.) |
Mermaid Diagram for Cloud Hierarchies
Tools and Techniques for Cloud Pentesting
While specific tools vary across cloud providers, the core techniques remain the same:
- Enumerating services
- Identifying misconfigurations
- Exploiting vulnerabilities
**Cloud Pentesting Workflow **
graph TD;
A[Start] --> B[Acquire Credentials];
B --> C[Enumerate Users] --> F[Access Environment];
B --> D[Find Exposed Secrets] --> F;
B --> E[Exploit Vulns] --> F;
F --> G[Map Hierarchy] --> H[List Services] --> I[Find Misconfigs] --> J[Exploit] --> K[Report] --> L[End];