Bishop Fox released CloudFox, a command-line security tool to help penetration testers and security practitioners find potential attack paths within their cloud infrastructure.
The main inspiration for CloudFox was to create something like PowerView for cloud infrastructure, Bishop Fox consultants Seth Art and Carlos Vendramini wrote in a blog post announcing the tool. PowerView, a PowerShell tool for situational awareness in Active Directory environments, lets penetration testers enumerate the local machine and the Windows domain.
For example, Art and Vendramini described how CloudFox automates tasks a penetration tester would otherwise perform by hand during an engagement: finding credentials for an Amazon Relational Database Service (RDS) database, tracking down the specific database instance those credentials belong to, and identifying the users who can read them. From there, the tester can see which users or groups could exploit the misconfiguration (in this case, the exposed RDS credentials) and what they could do with it (such as stealing data from the database).
At launch the tool supports only Amazon Web Services; support for Azure, Google Cloud Platform, and Kubernetes is on the roadmap, the company said.
Bishop Fox published a custom IAM policy, meant to be attached alongside the AWS-managed SecurityAudit policy, that grants CloudFox the permissions it needs. All CloudFox commands are read-only, meaning that running them does not change anything in the cloud environment. Read-only does not mean invisible, however: the Describe, List, and Get calls the tool makes are still recorded as CloudTrail management events, so a monitored account can detect the enumeration.
“You can rest assured that nothing will be created, deleted, or updated,” Art and Vendramini wrote.
Commands highlighted in the announcement include:
- inventory: figures out which regions are in use in the target account and gives a rough size of the account by counting the resources in each service.
- endpoints: enumerates service endpoints across multiple services at once. Output can be fed to other tools such as Aquatone, gowitness, gobuster, and ffuf.
- instances: generates a list of the public and private IP addresses of all Amazon Elastic Compute Cloud (EC2) instances, with their names and instance profiles. Output can be used as input for nmap.
- access-keys: returns a list of active access keys for all users, useful for cross-referencing a discovered key to figure out which in-scope account it belongs to.
- buckets: identifies the S3 buckets in the account; other commands inspect the buckets further.
- secrets: lists secrets from AWS Secrets Manager and AWS Systems Manager (SSM) Parameter Store. This list can be cross-referenced to find out who has access to each secret.
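The "who can read this secret" step behind both the RDS scenario above and the secrets command is an IAM policy evaluation. The following is an added illustration, not CloudFox's own code: a minimal evaluator for identity-based policies in a single account, applying the rules that an explicit Deny always wins, at least one Allow is required, and the default is Deny, with IAM-style wildcards in Action and Resource. The users, policies, and secret ARN are constructed sample data, and the simplifications (no NotAction/NotResource, Condition keys ignored, no resource-based policies) are noted in the code.

```python
# Added example, not CloudFox's code: a minimal IAM identity-policy evaluator
# that answers "which users can call GetSecretValue on this secret?"
# All users, policies and ARNs below are constructed sample data.
import fnmatch

# Constructed ARN of a Secrets Manager secret holding RDS credentials.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/rds/app-db-AbCdEf"

# Constructed sample: the identity-based policies in effect for each IAM user
# (inline and attached policies merged into one list per user).
USER_POLICIES = {
    # Broad allow on every secret.
    "alice": [{"Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    ]}],
    # Allowed on prod/* but explicitly denied on prod/rds/*: the Deny wins.
    "bob": [{"Statement": [
        {"Effect": "Allow", "Action": ["secretsmanager:Get*"],
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/*"},
        {"Effect": "Deny", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/rds/*"},
    ]}],
    # Can list secret names, but cannot read any value.
    "carol": [{"Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*"},
    ]}],
    # Full Secrets Manager access, but only on dev/* secrets.
    "dave": [{"Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:*",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:dev/*"},
    ]}],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, case_insensitive):
    """IAM wildcard match: '*' is any run of characters, '?' a single one.
    Action names compare case-insensitively; ARNs compare case-sensitively."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource):
    """True when the statement names both this action and this resource.
    Simplifications: statements using NotAction/NotResource are skipped, and
    Condition keys are ignored (treated as satisfied), so results are leads
    to confirm against the real policy, not a verdict."""
    if "NotAction" in stmt or "NotResource" in stmt:
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_iam_match(p, action, True) for p in actions)
            and any(_iam_match(p, resource, False) for p in resources))


def is_allowed(policies, action, resource):
    """Identity-policy evaluation within one account: an applicable explicit
    Deny always wins; otherwise at least one applicable Allow is required;
    the default is Deny. Resource-based policies are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def who_can(action, resource, user_policies=USER_POLICIES):
    """Sorted list of users permitted to perform `action` on `resource`."""
    return sorted(user for user, policies in user_policies.items()
                  if is_allowed(policies, action, resource))


if __name__ == "__main__":
    readers = who_can("secretsmanager:GetSecretValue", SECRET_ARN)
    print(f"Users who can read {SECRET_ARN}: {readers}")
```

Run as-is it reports only alice: bob's broad Get* allow is overridden by the explicit Deny on prod/rds/*, carol can only list secret names, and dave's wildcard action is scoped to dev/* secrets. In a real engagement the policy documents would come from the account (for example via IAM GetAccountAuthorizationDetails), and any secret with a resource policy, or any user whose access depends on Condition keys, needs a manual check.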
“Finding attack paths in complex cloud environments can be difficult and time consuming,” Art and Vendramini wrote, noting that most tools to analyze cloud environments focus on security baseline compliance. “Our primary audience is penetration testers, but we think CloudFox will be useful for all cloud security practitioners.”