You spoke, and we listened! Earlier this year, we asked what pen testing tool list we should publish next. A list that focused on the cloud was the clear crowd favorite. So that being said, here are nine of our favorite tools for cloud pen tests.
We will take another poll shortly to determine the next penetration testing tool list – red teaming revisited, network pen testing, or fuzzing. You decide!
#1 WeirdAAL: An AWS attack library
Creator: Chris Gates (@carnal0wnage)
Why We Like It: One thing I love about infosec is the names people come up with for tools and talks, this being an example. That aside, Gates describes one of WeirdAAL’s two overarching goals as being a repo of useful defensive and offensive security functions for AWS, making it a resource you’ll want to bookmark. And if you find yourself in a more black-box testing scenario, WeirdAAL is a perfect choice.
#2 ScoutSuite: A multi-cloud security-auditing tool
Creator: NCC Group (@NCCGroupplc)
Why We Like It: It supports the major cloud computing providers: AWS, Azure, Google Cloud, Alibaba Cloud, and Oracle Cloud. That means this is one extremely versatile tool. Plus, ScoutSuite was designed to make assessing cloud environments much easier, providing the user “a clear view of the attack surface automatically,” saving significant time.
#3 GitOops: All paths lead to clouds
Why We Like It: As teams scale, it becomes more difficult for security departments to monitor GitHub repos. This is where GitOops comes in, as the tool leverages the literal GitHub “oops.” Another well-named tool, you can use GitOops to find privilege escalation paths as well as for lateral movement in GitHub.
#4 Pacu: An AWS exploitation framework
Creator: Rhino Security Labs (@RhinoSecurityLabs)
Why We Like It: This automated tool has many modules that allow enumeration of permissions, listing of internal AWS resources in all AWS regions, and privilege escalation attacks. Think of it like a Metasploit for the cloud. Check out the modules for more information. And a note: We recommend testing an automated tool like this in a lab environment before using it during testing.
#5 S3Scanner: Scan for open AWS S3 buckets
Why We Like It: You can use this tool during a black-box assessment to dump AWS S3 buckets, which are bound to contain valuable information. S3Scanner allows the user to automate the search for public resources available in different clouds and dump the information, not just in AWS but in other cloud services like DigitalOcean, too.
P.S. If you want to learn more about testing Azure environments, we recommend Karl Fosaaen’s book "Penetration Testing Azure for Ethical Hackers" (Fosaaen created MicroBurst, #6 below).
#6 MicroBurst: Assorted scripts for Azure security
Creator: NetSPI (@NetSPI)
Why We Like It: This is your one-stop shop for everything Azure related. You can use it for Azure services discovery, configuration auditing, and post-exploitation. This handy toolkit was created by Karl Fosaaen, an expert in cloud pen testing and an excellent resource when it comes to testing Azure environments.
#7 SkyArk: Discover the most privileged cloud users
Creator: CyberArk (@CyberArk)
Why We Like It: Available for Azure and AWS, this is a useful tool for identifying additional attack surface. Specifically, the tool is designed to detect the presence of cloud shadow admins, a very real threat to cloud environments (making it worthwhile for defenders to keep around, too).
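To make the “shadow admin” idea concrete, here is a small added example (our own illustration, not SkyArk’s code) that scans IAM policy documents for actions known to enable self-escalation and reports principals that hold them without sitting in a recognised admin group. The action list, the `Administrators` group name, and the `SAMPLE` inventory are all constructed assumptions for the demo.

```python
import fnmatch

# Constructed, non-exhaustive list of IAM actions that let a principal grant itself
# or another identity administrator rights (well-known escalation paths).
SENSITIVE_ACTIONS = (
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy",
    "iam:PutRolePolicy", "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
)

def _as_list(value):
    # IAM accepts a single string/object or a list for Statement/Action/Resource; normalise.
    return [] if value is None else ([value] if isinstance(value, (str, dict)) else list(value))

def risky_grants(policy_document):
    # Returns sorted "action@resource" strings for every sensitive action an Allow statement
    # can reach. Wildcards ("*", "iam:*", "iam:Put*") are expanded case-insensitively.
    # NotAction/NotResource invert a statement's scope, so those are flagged for manual review.
    found = set()
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            found.add("REVIEW:NotAction/NotResource")
            continue
        resources = _as_list(stmt.get("Resource"))
        for pattern in _as_list(stmt.get("Action")):
            for action in SENSITIVE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    found.update(f"{action}@{r}" for r in resources)
    return sorted(found)

def shadow_admins(principals, admin_groups=("Administrators",)):
    # principals: {name: {"groups": [...], "policies": [policy_doc, ...]}}.
    # Returns {name: grants} for principals outside the known admin groups that still hold
    # a sensitive grant, i.e. the hidden admins an inventory review should surface.
    result = {}
    for name, info in principals.items():
        if set(info.get("groups", ())) & set(admin_groups):
            continue  # explicitly administrative, so not a *shadow* admin
        grants = sorted({g for doc in info.get("policies", ()) for g in risky_grants(doc)})
        if grants:
            result[name] = grants
    return result

SAMPLE = {  # constructed sample inventory, not data from any real account
    "alice": {"groups": ["Administrators"], "policies": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    "ci-deploy": {"groups": ["Deployers"], "policies": [{"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject", "iam:CreatePolicyVersion"], "Resource": "*"}]}]},
    "reader": {"groups": [], "policies": [{"Statement": {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::reports/*"}}]},
}
```

Running `shadow_admins(SAMPLE)` flags only `ci-deploy`: alice is a declared admin and reader holds nothing sensitive, which is exactly the distinction a shadow-admin hunt needs to make.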
#8 ROADTools: Framework for interacting with Azure Active Directory (AD)
Creator: Dirk-jan (@_dirkjan)
Why We Like It: This entry is both a library and an exploitation tool. The library is meant to authenticate with AD; alternatively, you can use it to build tools that integrate with a database containing ROADrecon data. The tool meanwhile is for deeper exploration of AD; there’s a lot of data to sift through in AD, and ROADTools can help you make sense of it.
To learn more about ROADTools, watch this video of the creator presenting on it:
#9 PowerZure: PowerShell framework for Azure security
Why We Like It: It’s multifaceted: It can be used for reconnaissance and post-exploitation. So, you can use it to kick off an engagement and bring things to a close. Couple this with AzureHound and your testing should go seamlessly!
Bonus Picks: AWS, Azure, and Google Command Line Interfaces
These aren’t pen testing tools per se, but they are incredibly useful and robust resources. The shared purpose of all three of these interfaces is to act as a “mission control” for their specific cloud platform, providing all kinds of tools for interacting with the platform.
Additional Resources for Enhancing Your Cloud Pen Testing Skills
If you’re interested in upping your cloud game, here are some additional resources to take a crack at and build your skillset.
- Hacking the Cloud – This is a volunteer-run encyclopedia for helping security professionals learn various cloud security attacks, techniques, and tactics.
- CloudSecDocs – Not only does this website contain a vast array of information (like cheat sheets) on cloud security technologies, but it’s also solid for resources related to security culture and leadership.
- Cloud Security Wiki – Finally, this site aims to be the place to go for all things cloud security. So, we couldn’t do a proper cloud security blog without giving a shoutout!
Note that these tools are only the tip of the iceberg when it comes to what is available. In past lists, we’ve covered cloud pen testing tools like StormSpotter, so scan through those when you have a chance. Shoot us your favorites, too; talk to us on Twitter, Reddit, or Discord!