I recently passed my SANS/GIAC Cloud Penetration Tester exam! 🎉 Sharing my top 5 lessons learned and tools used during the SEC588 training (https://lnkd.in/eJKQtquH).
1. Enumerating Subdomains using Certificate Transparency (CT): Simply put, CT is a public ledger in which every SSL/TLS certificate issued for a website is recorded. These ledgers are called CT logs, and they are publicly available for anyone to check (see crt.sh, which indexes them). By leveraging tools like Subfinder (https://lnkd.in/eeb7AAXE), which queries CT log sources such as crt.sh, we can passively uncover the subdomains associated with a target domain.
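As an added example (not code from the post, from Subfinder, or from crt.sh), here is the parsing step behind that technique: it takes JSON in the shape crt.sh returns for a domain query (a constructed sample embedded inline, with invented certificates) and reduces the name_value entries to the unique hostnames under the target zone. The same output is what a defender uses for asset inventory, since CT logs also surface forgotten or unexpectedly issued names.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json). The entries are
# invented for this example, not real log records.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.example.com\nAPI.Example.com."},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "dev-old.example.com\nunrelated.example.net"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil.test"},
])


def normalise_name(name: str) -> str:
    """Lower-case a certificate name, drop a trailing dot and a leading '*.'."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_zone(name: str, domain: str) -> bool:
    """True if name is the domain itself or a subdomain of it (label-aware,
    so 'example.com.evil.test' does not match 'example.com')."""
    return name == domain or name.endswith("." + domain)


def subdomains_from_crtsh(raw_json: str, domain: str) -> list[str]:
    """Extract unique hostnames under `domain` from crt.sh JSON output.

    name_value holds all SANs of a certificate separated by newlines, so a
    multi-domain certificate can pull in unrelated names that must be
    filtered out; wildcard entries are reduced to their base name.
    """
    domain = normalise_name(domain)
    found: set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            host = normalise_name(name)
            if host and in_zone(host, domain):
                found.add(host)
    return sorted(found)


if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```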
2. CloudFox (https://lnkd.in/eJJux8cC): This tool offers a comprehensive view of the target cloud environment, supporting AWS (mostly), Azure, and GCP. When provided with limited but valid access to the account, CloudFox identifies regions in use, estimates resource counts, reveals secrets (e.g., in EC2 user data), and more. Plus, CloudFox "loot files" provide sample exploit commands for each discovered resource for further exploration (saving me a few hours of research during the lab exercises). If you want an alternative cloud enumeration tool with a fancy GUI report, check out ScoutSuite (https://lnkd.in/eEB4hs8b).
3. Streamlining Asset Collection and Scan Pipeline: Efficiency is key, especially in large cloud environments. I found the following tool chain incredibly effective: Naabu (https://lnkd.in/eW5MF5RY) → httpx (https://lnkd.in/em-qHiwd) → Nuclei (https://lnkd.in/enaQavk6). I would pass the target domains to Naabu for port scanning, then use httpx to probe the discovered ports for live web services and pass the resulting URLs to Nuclei for vulnerability scanning. 'gowitness' was the "go-to tool" for automatically taking screenshots of the pages.
4. AWS Exploitation with Pacu (https://lnkd.in/eQPrhf6u): Pacu is an open-source AWS exploitation framework for offensive security testing. It can exploit misconfigurations within an AWS account using a range of "modules". With Pacu, you can perform several attacks including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.
5. Kubernetes Assessment with Peirates (https://lnkd.in/ePXTqAMa): Being a novice in Kubernetes, I was impressed by the amount of resources and comprehensive coverage Moses Frost (the SANS instructor) offers for containers and Kubernetes in general. One tool that stood out to me, and which I found incredibly handy, is Peirates. It operates similarly to kubectl but is built specifically to run targeted attacks against a cluster.
Do you use any of these tools in your daily activities? Do you have any other tools you find useful for cloud penetration testing?
#sans #gcpn #cloudsecurity #cloudpentest #sec588 #redteam #pentest