Home

Awesome

:fox_face: CloudFox :fox_face:

CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.

CloudFox helps you answer the following common questions (and many more):

Demos, Examples, Walkthroughs

Intentionally Vulnerable Playground

Want to chat about CloudFox?

Join us on the RedSec discord server

Quick Start

CloudFox is modular (you can run one command at a time), but there is an aws all-checks command that will run the other aws commands for you with sane defaults:

cloudfox aws --profile [profile-name] all-checks

White Box Enumeration

CloudFox was designed to be executed by a principal with limited read-only permissions, but it's purpose is to help you find attack paths that can be exploited in simulated compromise scenarios (aka, objective based penetration testing).

Black Box Enumeration

CloudFox can be used with "found" credentials, similar to how you would use weirdAAL or enumerate-iam. Checks that fail, do so silently, so any data returned means your "found" creds have the access needed to retrieve it.

Documentation

For the full documentation please refer to our wiki.

Supported Cloud Providers

ProviderCloudFox Commands
AWS34
Azure4
GCP8
KubernetesSupport Planned

Install

Option 1: Download the latest binary release for your platform.

Option 2: If you use homebrew: brew install cloudfox

Option 3: Install Go, use go install github.com/BishopFox/cloudfox@latest to install from the remote source

Option 4: Developer mode:

Install Go, clone the CloudFox repository and compile from source

# git clone https://github.com/BishopFox/cloudfox.git
# cd ./cloudfox
# Make any changes necessary
# go build .
# ./cloudfox

Option 5: Testing a bug fix

git clone git@github.com:BishopFox/cloudfox.git
git checkout seth-dev 
go build .
./cloudfox [rest of the command options]

Prerequisites

AWS

Additional policy notes (as of 09/2022):

PolicyNotes
CloudFox custom policyHas a complete list of every permission cloudfox uses and nothing else
arn:aws:iam::aws:policy/SecurityAuditCovers most cloudfox checks but is missing newer services or permissions like apprunner:*, grafana:*, lambda:GetFunctionURL, lightsail:GetContainerServices
arn:aws:iam::aws:policy/job-function/ViewOnlyAccessCovers most cloudfox checks but is missing newer services or permissions like AppRunner:*, grafana:*, lambda:GetFunctionURL, lightsail:GetContainerServices - and is also missing iam:SimulatePrincipalPolicy.
arn:aws:iam::aws:policy/ReadOnlyAccessOnly missing AppRunner, but also grants things like "s3:Get*" which can be overly permissive.
arn:aws:iam::aws:policy/AdministratorAccessThis will work just fine with CloudFox, but if you were handed this level of access as a penetration tester, that should probably be a finding in itself :)

Azure

AWS Commands

ProviderCommand NameDescription
AWSall-checksRun all of the other commands using reasonable defaults. You'll still want to check out the non-default options of each command, but this is a great place to start.
AWSaccess-keysLists active access keys for all users. Useful for cross referencing a key you found with which in-scope account it belongs to.
AWSapi-gwLists API gateway endpoints and gives you custom curl commands including API tokens if they are stored in metadata.
AWSbucketsLists the buckets in the account and gives you handy commands for inspecting them further.
AWScapeEnumerates cross-account privilege escalation paths. Requires pmapper to be run first
AWScloudformationLists the cloudformation stacks in the account. Generates loot file with stack details, stack parameters, and stack output - look for secrets.
AWScodebuildEnumerate CodeBuild projects
AWSdatabasesEnumerate RDS databases. Get a loot file with connection strings.
AWSecrList the most recently pushed image URI from all repositories. Use the loot file to pull selected images down with docker/nerdctl for inspection.
AWSecs-tasksList all ecs tasks. This returns a list of ecs tasks and associated cluster, task definition, container instance, launch type, and associated IAM principal.
AWSeksList all EKS clusters, see if they expose their endpoint publicly, and check the associated IAM roles attached to reach cluster or node group. Generates a loot file with the aws eks udpate-kubeconfig command needed to connect to each cluster.
AWSelastic-network-interfacesList all eni information. This returns a list of eni ID, type, external IP, private IP, VPCID, attached instance and a description.
AWSendpointsEnumerates endpoints from various services. Scan these endpoints from both an internal and external position to look for things that don't require authentication, are misconfigured, etc.
AWSenv-varsGrabs the environment variables from services that have them (App Runner, ECS, Lambda, Lightsail containers, Sagemaker are supported. If you find a sensitive secret, use cloudfox iam-simulator AND pmapper to see who has access to them.
AWSfilesystemsEnumerate the EFS and FSx filesystems that you might be able to mount without creds (if you have the right network access). For example, this is useful when you have ec:RunInstance but not iam:PassRole.
AWSiam-simulatorLike pmapper, but uses the IAM policy simulator. It uses AWS's evaluation logic, but notably, it doesn't consider transitive access via privesc, which is why you should also always also use pmapper.
AWSinstancesEnumerates useful information for EC2 Instances in all regions like name, public/private IPs, and instance profiles. Generates loot files you can feed to nmap and other tools for service enumeration.
AWSinventoryGain a rough understanding of size of the account and preferred regions.
AWSlambdaLists the lambda functions in the account, including which one's have admin roles attached. Also gives you handy commands for downloading each function.
AWSnetwork-portsEnumerates AWS services that are potentially exposing a network service. The security groups and the network ACLs are parsed for each resource to determine what ports are potentially exposed.
AWSorgsEnumerate accounts in an organization
AWSoutbound-assumed-rolesList the roles that have been assumed by principals in this account. This is an excellent way to find outbound attack paths that lead into other accounts.
AWSpermissionsEnumerates IAM permissions associated with all users and roles. Grep this output to figure out what permissions a particular principal has rather than logging into the AWS console and painstakingly expanding each policy attached to the principal you are investigating.
AWSpmapperLooks for pmapper data stored on the local filesystem, in the locations defined here. If pmapper data has been found (you already ran pmapper graph create), then this command will use this data to build a graph in cloudfox memory let you know who can privesc to admin.
AWSprincipalsEnumerates IAM users and Roles so you have the data at your fingertips.
AWSramList all resources in this account that are shared with other accounts, or resources from other accounts that are shared with this account. Useful for cross-account attack paths.
AWSresource-trustsLooks through multiple services that support resource policies and helps you find any overly permissive resource trusts.
AWSrole-trustsEnumerates IAM role trust policies so you can look for overly permissive role trusts or find roles that trust a specific service.
AWSroute53Enumerate all records from all route53 managed zones. Use this for application and service enumeration.
AWSsecretsList secrets from SecretsManager and SSM. Look for interesting secrets in the list and then see who has access to them using use cloudfox iam-simulator and/or pmapper.
AWSsnsThis command enumerates all of the sns topics and gives you the commands to subscribe to a topic or send messages to a topic (if you have the permissions needed). This command only deals with topics, and not the SMS functionality. This command also attempts to summarize topic resource policies if they exist.
AWSsqsThis command enumerates all of the sqs queues and gives you the commands to receive messages from a queue and send messages to a queue (if you have the permissions needed). This command also attempts to summarize queue resource policies if they exist.
AWStagsList all resources with tags, and all of the tags. This can be used similar to inventory as another method to identify what types of resources exist in an account.
AWSworkloadsList all of the compute workloads and what role they have. Tells you if any of the roles are admin (bad) and if you have pmapper data locally, it will tell you if any of the roles can privesc to admin (also bad)
AWSdsList all of the AWS-managed directories and their attributes. Also summarizes the current trusts with their directions and types.

Azure Commands

ProviderCommand NameDescription
AzurewhoamiDisplays information on the tenant, subscriptions and resource groups available to your current Azure CLI session. This is useful to provide situation awareness on what tenant and subscription IDs to use with the other sub commands.
AzureinventoryDisplay an inventory table of all resources per location.
AzurerbacLists Azure RBAC role assignments at subscription or tenant level
AzurestorageThe storage command is still under development. Currently it only displays limited data about the storage accounts
AzurevmsEnumerates useful information for Compute instances in all available resource groups and subscriptions

GCP Commands

ProviderCommand NameDescription
GCPwhoamiDisplay the email address of the GCP authenticated user
GCPall-checksRuns all available GCP commands
GCPartifact-registryDisplay GCP artifact registry information
GCPbigqueryDisplay Bigquery datasets and tables information
GCPbucketsDisplay GCP buckets information
GCPiamDisplay GCP IAM information
GCPinstancesDisplay GCP Compute Engine instances information
GCPsecretsDisplay GCP secrets information

Authors

Contributing

Wiki - How to Contribute

FAQ

How does CloudFox compare with ScoutSuite, Prowler, Steampipe's AWS Compliance Module, AWS Security Hub, etc.

CloudFox doesn't create any alerts or findings, and doesn't check your environment for compliance to a baseline or benchmark. Instead, it simply enables you to be more efficient during your manual penetration testing activities. If gives you the information you'll likely need to validate whether an attack path is possible or not.

Why do I see errors in some CloudFox commands?

You can always look in the ~/.cloudfox/cloudfox-error.log file to get more information on errors.

Prior work and other related projects