As we celebrate the one-year anniversary of CloudFox, it's a good time to reflect on the updates and growth of the past year. CloudFox co-creator Seth Art, Principal Security Consultant at Bishop Fox, and Bishop Fox alumnus Carlos Vendramini have shipped many updates that extend the initial capabilities of the open-source command line tool, which was created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure. One pivotal development during the year was the creation of CloudFoxable, an intentionally vulnerable AWS environment built specifically to teach AWS cloud penetration testing alongside CloudFox's capabilities.
Numerous other features and updates have been rolled out over the year to serve the rapidly growing community of cloud-focused offensive security professionals. We look forward to continued feedback from users of CloudFox and CloudFoxable and to seeing how people adopt these tools in their penetration testing work. Cheers to growth and success in the years to come!
One Year Later
You can find details on the new commands and updates on the CloudFox GitHub page, or check out these highlights from Seth Art:
CloudFox
- AWS updates:
  - Inventory went from ~20 to ~50 resource types checked
  - pmapper awareness: if you run pmapper before CloudFox, many CloudFox commands will use the pmapper data and tell you whether a role assigned to a workload has a privesc path to admin
  - 15 new CloudFox AWS commands, five of which were contributed by the community:
    - ecs-tasks (Dominic Breuker)
    - elastic-network-interfaces (Dominic Breuker)
    - network-ports (Wyatt Dahlenburg)
    - sns (Dominic Breuker and the BF team)
    - sqs (Dominic Breuker and the BF team)
- Azure updates:
  - Implemented initial Azure support
  - Five new CloudFox Azure commands (only the basics so far)
CloudFoxable
- Launched in June with 18 cloud CTF challenges
- 200+ registered users
- 11 users have completed all initial challenges
Raise a Glass to CloudFox
CloudFox and CloudFoxable are valuable tools for any pen tester or offensive security professional exploring cloud infrastructure and its attack paths. We would also love to hear your stories about using these tools and what could be done better with the features available now, so reach out on Bishop Fox LinkedIn or Discord. Explore Bishop Fox's cloud penetration testing expertise with these additional resources:
- Cloud Security Podcast: AWS Cloud Penetration Testing Explained with Example
- Cloud Security Podcast 2.0: The Cloud Pentest Revolution
- Introducing CloudFoxable: A Gamified Cloud Hacking Sandbox
Tune in to our Tool Talk, where we debuted CloudFox, to see the tool in action: