
CloudFox: Cloud Enumeration for Penetration Testing

In this session, Mitchell Sperling, Senior Security Consultant at Bishop Fox, will demonstrate how he uses CloudFox during cloud penetration tests to quickly enumerate large cloud environments and identify interesting attack paths.

Enumeration is the cornerstone of every successful penetration test, but in the cloud the challenge scales dramatically. With tens of thousands of resources and policies in a single account, the process quickly becomes overwhelming without the right approach and tooling.

Enter CloudFox, Bishop Fox’s open-source tool built to help penetration testers cut through the noise and uncover meaningful attack paths in sprawling cloud environments.

In this hands-on virtual session, Mitchell Sperling, Senior Security Consultant at Bishop Fox, will demonstrate how he uses CloudFox to streamline enumeration, parse results for potential vulnerabilities, and integrate findings into real-world testing workflows. Using a live testing environment, Mitchell will guide attendees step by step, and you’ll have the opportunity to join in, follow along, and experiment with CloudFox yourself.

What You’ll Learn:

  1. Installing and using CloudFox effectively
  2. Parsing output to uncover vulnerabilities and attack paths
  3. Integrating CloudFox into your penetration testing workflow
  4. Understanding current limitations and best practices

Who Should Attend:

Penetration testers and security practitioners seeking to strengthen their cloud testing capabilities. While some familiarity with cloud environments is helpful, the session is designed as a beginner-friendly introduction to CloudFox.

Session Summary:

Mitchell Sperling, Senior Security Consultant at Bishop Fox, leads a hands-on workshop demonstrating CloudFox, an open-source tool designed for cloud enumeration during penetration testing. Through five progressive challenges in a vulnerable AWS environment, participants learn how to systematically enumerate cloud resources, identify insecurely stored credentials, and exploit misconfigurations to gain unauthorized access. The session emphasizes CloudFox's role as an information-gathering tool that presents data without making security assumptions, allowing penetration testers to make informed decisions based on the actual environment configuration. Mitchell demonstrates the complete workflow of a cloud penetration test, from initial credential discovery through privilege escalation via role assumption, showcasing how CloudFox's organized output enables efficient identification of attack paths in complex cloud environments.

Key Takeaways:

  1. CloudFox Enumerates Without Changing State: CloudFox's commands are read-only, so enumerating AWS, Azure, and GCP resources carries no risk of accidentally deleting resources or locking out users during testing. The calls are still API calls, however: they appear in the provider's audit logs (CloudTrail in AWS), can hit rate limits, and may trigger the client's detections, so agree on scope and rules of engagement before running it against a production account.
  2. Organized Output Formats Enable Efficient Analysis: CloudFox generates output in CSV, JSON, and table formats, with the critical "loot" folder containing ready-to-run commands for accessing discovered resources, streamlining the penetration testing workflow.
  3. Credential Discovery is Systematic and Predictable: Insecurely stored credentials commonly appear in CloudFormation templates, Lambda function code, S3 buckets, environment variables, and EC2 user data, making systematic enumeration essential for comprehensive testing.
  4. Permission Correlation is Critical for Privilege Escalation: The permissions.txt file allows testers to quickly correlate discovered credentials with their associated permissions, enabling efficient identification of attack paths without blind credential testing.
  5. Resource Policies Are a Second Access Layer: Beyond identity-based policies, resource policies on services like S3 can deny access that an identity policy grants, and can also grant access to principals (including other accounts) that no identity policy mentions. Reading the resource-trusts.txt output alongside permissions.txt is what reveals both the restrictions and the cross-account access paths.
  6. Role Assumption Chains Enable Multi-Step Privilege Escalation: AWS role assumption allows multi-hop escalation paths, and CloudFox's role-trusts files reveal which principals each role's trust policy allows to assume it, so chains of assumptions can be traced through the account. A trust policy is necessary but not always sufficient: when it names the account root rather than a specific principal ARN, the caller additionally needs sts:AssumeRole allowed in its own identity-based policy, so confirm each hop against permissions.txt before relying on it.
  7. The Inventory File Provides Essential Environmental Context: The inventory.txt file gives penetration testers immediate insight into environment scale and complexity, helping prioritize testing efforts in environments that may contain tens of thousands of resources.
  8. CloudFox Workflow Mirrors Real-World Cloud Penetration Testing: The demonstrated methodology of enumerate → correlate → exploit → escalate represents the standard approach used in professional cloud penetration testing engagements, making this tool immediately applicable to real-world assessments.
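The chain analysis behind takeaways 4 and 6 (correlate trusts, then follow them hop by hop) is easy to do by hand for a handful of roles and impractical for thousands. The script below is an added example, not code from CloudFox or Bishop Fox: it parses a small constructed table whose three columns (Role ARN, Trusted Principal, IsAdmin?) are an assumption modelled loosely on CloudFox's role-trusts output, then breadth-first searches from a starting principal for the shortest AssumeRole chains that reach an admin-flagged role and prints the sts calls for each hop. The real CloudFox CSV has more columns and different headers, so map them in load_trusts before pointing this at your own output.

```python
"""Trace multi-hop AssumeRole chains from CloudFox-style role-trust data.

Added example, not part of CloudFox. The column layout and the sample rows
below are constructed for illustration.
"""
import csv
import io
from collections import deque

# Constructed sample table (assumed layout, not CloudFox's real schema).
# Each row: a role, one principal its trust policy allows to assume it, and
# whether the role was flagged as admin.
SAMPLE_ROLE_TRUSTS = """\
Role ARN,Trusted Principal,IsAdmin?
arn:aws:iam::111111111111:role/ci-deploy,arn:aws:iam::111111111111:user/dev-bob,No
arn:aws:iam::111111111111:role/data-reader,arn:aws:iam::111111111111:role/ci-deploy,No
arn:aws:iam::111111111111:role/org-admin,arn:aws:iam::111111111111:role/data-reader,Yes
arn:aws:iam::111111111111:role/org-admin,arn:aws:iam::111111111111:root,Yes
arn:aws:iam::111111111111:role/lambda-exec,lambda.amazonaws.com,No
"""


def load_trusts(text):
    """Parse the table into (edges, admin_roles).

    edges maps a trusted principal to the set of roles it may assume; this is
    the directed graph the trust policies describe.
    """
    edges = {}
    admins = set()
    for row in csv.DictReader(io.StringIO(text)):
        role = row["Role ARN"].strip()
        principal = row["Trusted Principal"].strip()
        edges.setdefault(principal, set()).add(role)
        if row["IsAdmin?"].strip().lower() == "yes":
            admins.add(role)
    return edges, admins


def find_chains(edges, start, targets, max_hops=5):
    """BFS from `start`; return the shortest chain to each reachable target.

    A chain is [start, role1, role2, ...]; each element's credentials are used
    to assume the next one. max_hops bounds the depth so huge accounts stay
    tractable.
    """
    chains = []
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for role in sorted(edges.get(path[-1], ())):
            if role in seen:
                continue
            seen.add(role)
            new_path = path + [role]
            if role in targets:
                chains.append(new_path)
            queue.append(new_path)
    return chains


def assume_role_commands(chain):
    """Render each hop as the sts call to run with the previous hop's creds."""
    return [
        f"aws sts assume-role --role-arn {role} --role-session-name cloudfox-hop{i}"
        for i, role in enumerate(chain[1:], start=1)
    ]


if __name__ == "__main__":
    edges, admins = load_trusts(SAMPLE_ROLE_TRUSTS)
    start = "arn:aws:iam::111111111111:user/dev-bob"
    for chain in find_chains(edges, start, admins):
        print(" -> ".join(chain))
        for cmd in assume_role_commands(chain):
            print("   ", cmd)
```

Run against the sample, dev-bob reaches org-admin in three hops via ci-deploy and data-reader. Note the row trusting the account root: this search treats it as an edge from `:root`, which is only usable by a principal whose identity-based policy also grants sts:AssumeRole, so check permissions.txt before counting that hop as a working path.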
