Awesome

CNAPPgoat

</div>

CNAPPgoat is a multi-cloud, vulnerable-by-design environment deployment tool – specifically engineered to facilitate practice arenas for defenders and pentesters. Its main function is to deploy intentionally vulnerable environments across multiple cloud service providers, to help you sharpen your skills in exploiting, detecting, and preventing such vulnerabilities.

Gif demonstrating an example of using AccessUndenied

Warning: CNAPPgoat deploys vulnerable environments. Only use it within safe, controlled sandboxes.

Getting Started

CNAPPgoat operates as a Command Line Interface (CLI) tool, capable of deploying vulnerable environments to a multitude of cloud service providers. Built with Go and utilizing Pulumi and the Pulumi automation API, it ensures seamless environment deployment. One of its unique features is its modular design, which allows for effortless extension to support an array of cloud service providers and new vulnerable environments. As of now, CNAPPgoat supports AWS, Azure, and GCP.

Prerequisites for running CNAPPgoat

Pulumi
Cloud SDKs for the cloud provider you are using:

Pulumi dependencies and plugins will install in an on-demand basis according to each scenario's requirements when you provision your first environment. This means the first time provisioning might take a little longer than subsequent ones.

Installation

Homebrew

CNAPPgoat can be easily installed for macOS users using the Homebrew package manager.

brew tap ermetic-research/cnappgoat
brew install cnappgoat

Download the release directly for macOS, Linux, and macOS.

Download the latest release from here.

tar -xvf cnappgoat-<version>.tar.gz
cd cnappgoat-<version>

(Optional) If you'd like to add the extracted binary to your system's PATH (you don't have to, you can just run it from the local directory as ./cnappgoat):

Option A: Move to a directory in your PATH (e.g., /usr/local/bin for macOS and Linux)

mv cnappgoat /usr/local/bin/

Option B: Add the directory containing the binary to your PATH

For bash:

echo 'export PATH=$PATH:<path_to_directory_containing_cnappgoat>' >> ~/.bashrc
source ~/.bashrc

For zsh:

echo 'export PATH=$PATH:<path_to_directory_containing_cnappgoat>' >> ~/.zshrc
source ~/.zshrc

Replace <path_to_directory_containing_cnappgoat> with the absolute path to the directory where cnappgoat binary resides.

Usage

NAME:
   cnappgoat - A multicloud open-source tool for deploying vulnerable-by-design cloud resources

USAGE:
   cnappgoat [global options] command [command options] [arguments...]

VERSION:
   0.1.0-beta, date: 2023-08-02T13:02:46Z, commit: 6bef61857d9f3cf88215269df8976f96317711dc


COMMANDS:
   clean      clean and remove all created resources and delete all scenarios and any related files
   describe   describe a scenario
   destroy    Destroy CNAPPgoat module scenarios
   list       List CNAPPgoat module scenarios
   provision  Provision CNAPPgoat module scenarios
   help, h    Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug        Enable debug mode (default: false)
   --help, -h     show help
   --version, -v  print the version

Command	Description	Usage
`list`	Lists all available scenarios for provisioning.	`cnappgoat list`
`describe`	Provides detailed information about the specified scenario.	`cnappgoat describe <scenario name>`
`provision`	Provisions the scenario specified by the scenario name. To provision all scenarios, simply use `cnappgoat provision`	`cnappgoat provision <scenario name>`
`destroy`	Destroys the scenario specified by the scenario name. To destroy all scenarios, simply use `cnappgoat destroy`	`cnappgoat destroy <scenario name>`
`clean`	Cleans up all scenarios and deletes the `.cnappgoat` local directory	`cnappgoat clean`
`--version`, `-v`	Displays the current version of CNAPPgoat	`cnappgoat --version`
`--help`, `-h`	Displays the help menu.	`cnappgoat --help`

You may use multiple arguments separated by spaces. For example:

cnappgoat provision <scenario-1> <scenario-2> <scenario-N>

Flags:

--module - Filters scenarios by module (e.g. CSPM, CIEM, CWPP, DSPM, KSPM etc.)
--platform - Filters scenarios by platform (e.g. AWS, Azure, GCP)
--force - Enables force mode (unlock locked stacks with pulumi cancel)
--debug - Enables debug logging.

These flags are command flags and should be placed after the command. For example:

cnappgoat provision --module CSPM --platform AWS

This command will provision all AWS CSPM scenarios.

CNAPPgoat Scenarios

CNAPPgoat downloads scenarios from the cnappgoat-scenarios repository at its first run of every day, these scenarios are automatically downloaded when you run CNAPPgoat and are stored in the ~/.cnappgoat/scenarios directory.

Setup and Configuration

Before you can use CNAPPgoat, you need to set up your cloud credentials for AWS, Azure, and GCP. CNAPPgoat uses the default credentials for each provider. Follow the steps below to set up your credentials:

AWS Credentials

Install the AWS CLI by following the instructions here.
Configure your AWS credentials by running:
```
aws configure
```
You'll be prompted to enter your Access Key ID, Secret Access Key, and default region name.

Azure Credentials

Install the Azure CLI by following the instructions here.
Log in to your Azure account by running:
```
az login
```
This will open a new browser window for you to log in. After logging in, your credentials will be stored for future use.

GCP Credentials

Install the Google Cloud SDK by following the instructions here.
Authenticate with Google Cloud by running:
```
gcloud auth login
```
This will open a new browser window for you to log in. After logging in, your credentials will be stored for future use.

By setting these credentials, you will be able to deploy scenarios on AWS, Azure, and GCP using CNAPPgoat. If you're planning on using CNAPPgoat with a different provider, make sure to configure the credentials accordingly.

Learn more

To learn more about CNAPPgoat, check out the post on the Ermetic blog: https://ermetic.com/blog/cloud/cnappgoat-multicloud-open-source-tool-for-deploying-vulnerable-by-design-cloud-resources/

Acknowledgements

Similar projects

CNAPPgoat provisions a breadth of vulnerable scenarios on multiple clouds to test detection and prevention capabilities. There are other great projects out there for vulnerable cloud environments that are focused on different areas, such as exploitation, detection, CTF (capture the flag) scenarios, etc. We were inspired by these tools and projects, and we recommend checking them out:

Stratus Red Team by DataDog: a tool that allows users to emulate offensive attack techniques in a granular and self-contained manner
Cloud Goat by Rhino Security Labs: a "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several " capture-the-flag" style scenarios
Kubernetes Goat by Madhu Akula: an intentionally vulnerable cluster environment to learn and practice Kubernetes security
TerraGoat by Bridgecrew: a "Vulnerable by Design" Terraform repository
CloudFoxable by BishopFox: a gamified cloud hacking sandbox

More challenges and tools can be found in the Awesome Cloud Security Challeges repo by Mike Privitte, our list focused specifically on vulnerable-by-design cloud environments that are deployed by users in their own sandbox.

Contact

To email the project team, contact research+cnappgoat@ermetic.com

Disclaimer

CNAPPgoat is provided "as is" and without any warranty or support.
This is a beta version. The project is still in development, so we apologize for any growing pains. We will release a stable version in the coming weeks.