Cloud Service Reconnaissance
Securing a Cloud deployment
These days many organizations have migrated at least some of their IT services to a cloud environment. Cloud adaptation could be as basic as the use of Microsoft Office 365 on some workstations, or it could be much more comprehensive, such as the use of a fully integrated Azure or Amazon AWS infrastructure. One of the main reasons for cloud migration is the redundancy and the reliability of the platform. What this means is that organizations quite often have a lot of their most important information and systems stored in the cloud, such as e-mail and database servers. With this increased importance comes an increased level of risk as well, which needs to be taken into account when allocating resources to security tasks. Regular penetration testing and vulnerability scanning have been a critical part of a comprehensive security policy for decades now, and with the shift of critical data and systems towards the cloud, the focus of these services will also need to change.
Reconnaissance and enumeration
When it comes to penetration testing and vulnerability scanning, knowledge is everything. The more information an attacker has about a targeted organization, the easier and further the system can be compromised. From a defensive perspective, the more information the security administrator has about the network; the better an organization can protect and monitor it. There are many ways to gather this required information, both passively (reconnaissance) and actively (enumeration). The use of standardized cloud services has brought some challenges and some new opportunities which both offensive and defensive parties need to keep in mind. The cloud environment is better protected, but the services are often standardized, well documented and publicly accessible.
The first step in (public) cloud reconnaissance is to identify whether the target is using any cloud services and if so, which services they are. As covered at the “Hacking the Cloud” talk at DEFCON 2017, the best way to do this is to query specific DNS records.
DNS MX Records are used to direct email to a company’s e-mail servers for processing, which means they hold important information. If the records point to for instance outlook.com, the target is likely using Office 365 for e-mail services. Also, during the setup of an Office 365 service, Microsoft requires the creation of a DNS TXT record in order to prove that the domain is indeed owned and managed by the requester. This record can be removed afterward, but this is rarely done. Many other service providers require the same type of authentication. If there is a DNS TXT record named amazonses for instance, the target is likely to use Amazon Simple Email Service. More information is available as well via CNAME, SPF and DFS records.
There are a lot of tools available that can easily extract the required DNS information. Nmap is a widely known tool which can extract a lot of DNS information via specific command switches. DNSEnum and DIG are some other tools that could be used for DNS enumeration. All of these come pre-installed with Kali Linux.
Network and Application Scanning
Scanning the cloud perimeter is nothing new from a technical perspective. Traditional tools such as NMAP and Kismet will work without any issues. What is new, however, is that a cloud target is located within a shared network, owned by the Cloud Service Provider (CSP). To avoid any impact on other customers and any defensive or legal action from the CSP, always ask for written approval before starting broad and comprehensive scans, both to and from a cloud instance. Request forms are easily accessible on the provider’s support pages.
Cloud Specialized Tools
Development of new and adapted reconnaissance, enumeration and exploitation tools, specialized in targeting public cloud providers has been limited. Because most levels of cloud adaptions, from IaaS all the way up to SaaS, look similar from the outside (where the reconnaissance originates), there has been no need for a new approach and new tools. There are a few useful cloud specific reconnaissance tools though.
For instance, Azurite is a reconnaissance and visualization tool that gives a good understanding of which Azure services are in use and how they are connected. It does need subscription credentials, so understandably, its use is limited to cloud account owners and white box penetration testers.
An interesting development from the offensive side is the use of bots that search sites like GitHub for uploaded code, accidentally containing cloud account access (API) keys. The impact of such a leak could be enormous to the account owner, so it is important for any organization to place security controls around the use of these sites (for instance via Data Leak Prevention solutions).
Finally, by far the most comprehensive, but also the noisiest method or network reconnaissance is the use of a vulnerability scanner. Such a scanner simply runs through a standard or customized profile of passive and active scans and lists the detected vulnerabilities, sometimes combined with suggested remediation actions. Such a scanner could be placed inside the cloud instance, such as the Qualys Virtual Scanner Appliance for Amazon AWS. Another option is to use the security services of the Cloud Service Provider, for instance in the form of Amazon Inspector. A vulnerability scan could also still be sourced from outside the network by using a fully self-managed tool or a 3rd party cloud based solution. Because of the generated noise, broad vulnerability scanning would only be a practical tool for the cloud instance owner. As with network scanning, prior written authorization from the Cloud Service Provider is required.
It is incredibly important for any company to know what network and security information is publicly accessible via the internet. After proactively gathering this information (like an attacker would also do), actions can be taken to limit the exposure and with that, the security risks. Regular scans of the perimeter, analysis, and clean-up of DNS records, taking obsolete services and cloud instances offline; there is much an organization could do to be proactive from a security perspective. In the end, it is critical to know what company data is out there so it can be best protected from malicious entities.