When it comes to penetration testing and vulnerability scanning, knowledge is everything. The more information an attacker has about a targeted organization, the easier and further its systems can be compromised. From a defensive perspective, the more information the security administrator has about the network, the better the organization can protect and monitor it. There are many ways to gather this information, both passively (reconnaissance) and actively (enumeration). The use of standardized cloud services has brought some challenges and some new opportunities that both offensive and defensive parties need to keep in mind: the cloud environment is better protected, but the services are often standardized, well documented and publicly accessible.

The first step in (public) cloud reconnaissance is to identify whether the target uses any cloud services and, if so, which ones. As covered in the “Hacking the Cloud” talk at DEFCON 2017, the best way to do this is to query specific DNS records. Many tools can easily extract the required DNS information. Nmap is a widely known tool that can extract a lot of DNS information via specific command switches; DNSEnum and dig are other tools that can be used for DNS enumeration. All of these come pre-installed with Kali Linux.

Scanning the cloud perimeter is nothing new from a technical perspective: traditional tools such as Nmap and Kismet work without any issues. What is new, however, is that a cloud target is located within a shared network owned by the Cloud Service Provider (CSP). To avoid any impact on other customers and any defensive or legal action from the CSP, always ask for written approval before starting broad and comprehensive scans, both to and from a cloud instance. Request forms are easily accessible on the provider’s support pages.
Development of new and adapted reconnaissance, enumeration and exploitation tools specialized in targeting public cloud providers has been limited. Because most levels of cloud adoption, from IaaS all the way up to SaaS, look similar from the outside (where the reconnaissance originates), there has been no need for a new approach or new tools. There are a few useful cloud-specific reconnaissance tools, though. For instance, Azurite is a reconnaissance and visualization tool that gives a good understanding of which Azure services are in use and how they are connected. It needs subscription credentials, so understandably its use is limited to cloud account owners and white-box penetration testers. An interesting development on the offensive side is the use of bots that search sites like GitHub for uploaded code that accidentally contains cloud account access (API) keys. The impact of such a leak can be enormous for the account owner, so it is important for any organization to place security controls around the use of these sites (for instance via Data Leak Prevention solutions).

It is incredibly important for any company to know what network and security information is publicly accessible via the internet. After proactively gathering this information (as an attacker would), actions can be taken to limit the exposure and, with that, the security risks. Regular scans of the perimeter, analysis and clean-up of DNS records, taking obsolete services and cloud instances offline: there is much an organization can do to be proactive from a security perspective. In the end, it is critical to know what company data is out there so it can be best protected from malicious entities.
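The DNS fingerprinting step described above and the DNS clean-up advice, as one added example that is not from the original article or the DEFCON talk: a small Python script that classifies a zone's MX, TXT, CNAME and NS answers (in `dig +short` shape) against well-known, publicly documented provider hostnames, and flags provider-hosted CNAME targets that no longer resolve so they can be removed. The constructed SAMPLE zone, the `query` and `resolves` helper names and the use of dig are assumptions, not part of the page.

```python
"""Fingerprint the cloud services a domain's public DNS records reveal.
Records are {rtype: [value, ...]} in `dig +short` shape; SAMPLE is constructed."""
import re
import subprocess
from collections import defaultdict
# Publicly documented hostnames / verification tokens that identify a provider.
FINGERPRINTS = {
    "Microsoft 365": [r"\.mail\.protection\.outlook\.com$", r"^MS=ms\d+$",
                      r"include:spf\.protection\.outlook\.com"],
    "Google Workspace": [r"\.google\.com$", r"^google-site-verification=",
                         r"include:_spf\.google\.com"],
    "Microsoft Azure": [r"\.azurewebsites\.net$", r"\.trafficmanager\.net$",
                        r"\.cloudapp\.azure\.com$", r"\.blob\.core\.windows\.net$"],
    "Amazon AWS": [r"\.amazonaws\.com$", r"\.cloudfront\.net$"],
}
SAMPLE = {  # constructed: answers for a hypothetical example.com zone
    "MX": ["0 example-com.mail.protection.outlook.com."],
    "TXT": ['"v=spf1 include:spf.protection.outlook.com -all"', '"MS=ms12345678"'],
    "CNAME": ["old-site.azurewebsites.net.", "cdn.example.com.edgekey.net."],
    "NS": ["ns1.example-dns.invalid."],
}

def query(domain, rtype):
    """Live lookup with dig (pre-installed on Kali); needs network access."""
    out = subprocess.run(["dig", "+short", rtype, domain],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line]

def fingerprint(records):
    """Return {provider: [(rtype, value), ...]} for every record that matches."""
    hits = defaultdict(list)
    for rtype, values in records.items():
        for value in values:
            v = value.strip('"').rstrip(".")  # drop TXT quotes and the root dot
            for provider, patterns in FINGERPRINTS.items():
                if any(re.search(p, v, re.IGNORECASE) for p in patterns):
                    hits[provider].append((rtype, value))
    return dict(hits)

def dangling_cnames(records, resolves):
    """Provider-hosted CNAME targets that no longer resolve: an abandoned cloud
    resource still in DNS is exposure. `resolves` maps hostname -> bool."""
    targets = [t.rstrip(".") for t in records.get("CNAME", [])]
    return [t for t in targets if fingerprint({"CNAME": [t]}) and not resolves(t)]

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
    # Constructed: the old Azure site was deleted but its CNAME is still in the zone.
    print("dangling:", dangling_cnames(SAMPLE, lambda h: h != "old-site.azurewebsites.net"))
```

For a live inventory of your own zone, build the records dict from `query(domain, rtype)` for each record type and pass `lambda h: bool(query(h, "A"))` as the resolver.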