Hackers of India

ThunderCloud: Attack Cloud Without Keys!

By Shivankar Madaan on 12 May 2022 @ Blackhat : Arsenal

This tool demo covers the following tools that the speaker has authored or contributed to:
THUNDERCLOUD

Abstract

ThunderCloud

“You can’t audit a cloud environment without access keys!!”.

Well. That’s not completely true.

There are a good number of tools that help security teams find cloud misconfiguration issues. They work the inside-out way: you give the tool read-only access tokens, and the tool reports the misconfigurations.

There’s no single tool that helps Red Teamers and Bug Hunters find cloud misconfiguration issues the outside-in way.

This outside-in approach can find issues like:

  1. S3 directory listing due to misconfigured CloudFront settings
  2. Amazon Cognito misconfiguration to generate AWS temporary credentials
  3. Public snapshots
  4. Generate account takeover phishing links for AWS SSO
  5. Leaked keys permission enumeration
  6. IAM role privilege escalation
     a) From leaked keys
     b) Lambda function

This exploitation framework also helps teams within organizations carry out red teaming activities, or run it across their accounts to learn more about AWS misconfigurations and how badly they can be exploited.