Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
News, news analysis, and commentary on the latest trends in cybersecurity technology.
CloudFox is a command-line tool that helps penetration testers understand unknown cloud environments.
2 Min Read
Source: Yuliya Pauliukevich via Alamy Stock Photo
Bishop Fox released CloudFox, a command-line security tool that helps penetration testers and security practitioners find potential attack paths within their cloud infrastructures.
The main inspiration for CloudFox was to create something like PowerView for cloud infrastructure, Bishop Fox consultants Seth Art and Carlos Vendramini wrote in a blog post announcing the tool. PowerView, a PowerShell tool used to gain network situational awareness in Active Directory environments, provides penetration testers with the ability to enumerate the machine and the Windows Domain.
For example, Art and Vendramini described how CloudFox could be used to automate various tasks penetration testers perform as part of an engagement, such as looking for credentials associated with Amazon Relational Database Service (RDS), tracking down the specific database instance associated with those credentials, and identifying the users who have access to those credentials. In that scenario, Art and Vendramini noted that CloudFox can be used to understand who — whether specific users or user groups — could potentially exploit that misconfiguration (in this case, the exposed RDS credentials) and carry out an attack (such as stealing data from the database).
The tool currently only supports Amazon Web Services, but support for Azure, Google Cloud Platform, and Kubernetes is on the road map, the company said.
Bishop Fox created a custom policy to use with the Security Auditor policy in Amazon Web Services that grants CloudFox all the necessary permissions. All CloudFox commands are read-only, meaning that executing them will not change anything in the cloud environment.
"You can rest assured that nothing will be created, deleted, or updated," Art and Vendramini wrote.
Inventory: Figure out which regions are used in the target account and provide the rough size of the account by counting the number of resources in each service.
Endpoints: Enumerates service endpoints for multiple services at the same time. Output can be fed into other tools, such as Aquatone, gowitness, gobuster, and ffuf.
Instances: Generates a list of all public and private IP addresses associated with the Amazon Elastic Compute Cloud (EC2) instances with names and instance profiles. Output can be used as input for nmap.
Access-keys: Returns a list of active access keys for all users. This list would be useful for cross-referencing a key to figure out which in-scope account the key belongs to.
Buckets: Identifies the buckets in the account. There are other commands that can be used to inspect the buckets further.
Secrets: Lists secrets from AWS Secrets Manager and AWS Systems Manager (SSM). This list can also be used to cross-reference secrets to find out who has access to them.
"Finding attack paths in complex cloud environments can be difficult and time consuming," Art and Vendramini wrote, noting that most tools to analyze cloud environments focus on security baseline compliance. "Our primary audience is penetration testers, but we think CloudFox will be useful for all cloud security practitioners."
About the Author(s)
You May Also Like
More Insights
Webinars
Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024
Events
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024