Cloudfox - Automating Situational Awareness For Cloud Penetration Tests
CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
CloudFox helps you answer the following common questions (and many more):
- What regions is this AWS account using and roughly how many resources are in the account?
- What secrets are lurking in EC2 userdata or service specific environment variables?
- What actions/permissions does this [principal] have?
- What roles trusts are overly permissive or allow cross-account assumption?
- What endpoints/hostnames/IPs can I attack from an external starting point (public internet)?
- What endpoints/hostnames/IPs can I attack from an internal starting point (assumed breach within the VPC)?
- What filesystems can I potentially mount from a compromised resource inside the VPC?
Quick Start
CloudFox is modular (you can run one command at a time), but there is an aws all-checks command that will run the other aws commands for you with sane defaults:
cloudfox aws --profile [profile-name] all-checks
CloudFox is designed to be executed by a principal with limited read-only permissions, but it's purpose is to help you find attack paths that can be exploited in simulated compromise scenarios (aka, objective based penetration testing).
For the full documentation please refer to our wiki.
Supported Cloud Providers
| Provider | CloudFox Commands |
|---|---|
| AWS | 15 |
| Azure | 2 (alpha) |
| GCP | Support Planned |
| Kubernetes | Support Planned |
Install
Option 1: Download the latest binary release for your platform.
Option 2: Install Go, clone the CloudFox repository and compile from source
# git clone https://github.com/BishopFox/cloudfox.git...omitted for brevity...# cd ./cloudfox# go build .# ./cloudfoxPrerequisites
AWS
- AWS CLI installed
- Supports AWS profiles, AWS environment variables, or metadata retrieval (on an ec2 instance)
- A principal with one recommended policies attached (described below)
- Recommended attached policies:
SecurityAudit+ CloudFox custom policy
Additional policy notes (as of 09/2022):
| Policy | Notes |
|---|---|
| CloudFox custom policy | Has a complete list of every permission cloudfox uses and nothing else |
arn:aws:iam::aws:policy/SecurityAudit | Covers most cloudfox checks but is missing newer services or permissions like apprunner:*, grafana:*, lambda:GetFunctionURL, lightsail:GetContainerServices |
arn:aws:iam::aws:policy/job-function/ViewOnlyAccess | Covers most cloudfox checks but is missing newer services or permissions like AppRunner:*, grafana:*, lambda:GetFunctionURL, lightsail:GetContainerServices - and is also missing iam:SimulatePrincipalPolicy. |
arn:aws:iam::aws:policy/ReadOnlyAccess | Only missing AppRunner, but also grants things like "s3:Get*" which can be overly permissive. |
arn:aws:iam::aws:policy/AdministratorAccess | This will work just fine with CloudFox, but if you were handed this level of access as a penetration tester, that should probably be a finding in itself :) |
Azure
- Viewer or similar permissions applied.
Supported Commands
| Provider | Command Name | Description |
|---|---|---|
| AWS | all-checks | Run all of the other commands using reasonable defaults. You'll still want to check out the non-default options of each command, but this is a great place to start. |
| AWS | access-keys | Lists active access keys for all users. Useful for cross referencing a key you found with which in-scope account it belongs to. |
| AWS | buckets | Lists the buckets in the account and gives you handy commands for inspecting them further. |
| AWS | ecr | List the most recently pushed image URI from all repositories. Use the loot file to pull selected images down with docker/nerdctl for inspection. |
| AWS |
Most Popular
|
