Login
GATOR - GCP Attack Toolkit for Offensive Research, a tool designed to aid in research and exploiting Google Cloud Environments. It offers a comprehensive range of modules tailored to support users in various attack stages, spanning from Reconnaissance to Impact.
| Resource Category | Primary Module | Command Group | Operation | Description |
|---|---|---|---|---|
| User Authentication | auth | - | activate | Activate a Specific Authentication Method |
| - | add | Add a New Authentication Method | ||
| - | delete | Remove a Specific Authentication Method | ||
| - | list | List All Available Authentication Methods | ||
| Cloud Functions | functions | - | list | List All Deployed Cloud Functions |
| - | permissions | Display Permissions for a Specific Cloud Function | ||
| - | triggers | List All Triggers for a Specific Cloud Function | ||
| Cloud Storage | storage | buckets | list | List All Storage Buckets |
| permissions | Display Permissions for Storage Buckets | |||
| Compute Engine | compute | instances | add-ssh-key | Add SSH Key to Compute Instances |
Python 3.11 or newer should be installed. You can verify your Python version with the following command:
FreshRSS python --versiongit clone https://github.com/anrbn/GATOR.git
cd GATOR
python setup.py installpip install gator-redHave a look at the GATOR Documentation for an explained guide on using GATOR and it's module!
If you encounter any problems with this tool, I encourage you to let me know. Here are the steps to report an issue:
Check Existing Issues: Before reporting a new issue, please check the existing issues in this repository. Your issue might have already been reported and possibly even resolved.
Create a New Issue: If your problem hasn't been reported, please create a new issue in the GitHub repository. Click the Issues tab and then click New Issue.
Describe the Issue: When creating a new issue, please provide as much information as possible. Include a clear and descriptive title, explain the problem in detail, and provide steps to reproduce the issue if possible. Including the version of the tool you're using and your operating system can also be helpful.
Submit the Issue: After you've filled out all the necessary information, click Submit new issue.
Your feedback is important, and will help improve the tool. I appreciate your contribution!
I'll be reviewing reported issues on a regular basis and try to reproduce the issue based on your description and will communicate with you for further information if necessary. Once I understand the issue, I'll work on a fix.
Please note that resolving an issue may take some time depending on its complexity. I appreciate your patience and understanding.
I warmly welcome and appreciate contributions from the community! If you're interested in contributing on any existing or new modules, feel free to submit a pull request (PR) with any new/existing modules or features you'd like to add.
Once you've submitted a PR, I'll review it as soon as I can. I might request some changes or improvements before merging your PR. Your contributions play a crucial role in making the tool better, and I'm excited to see what you'll bring to the project!
Thank you for considering contributing to the project.
If you have any questions regarding the tool or any of its modules, please check out the documentation first. I've tried to provide clear, comprehensive information related to all of its modules. If however your query is not yet solved or you have a different question altogether please don't hesitate to reach out to me via Twitter or LinkedIn. I'm always happy to help and provide support. :)
Discover, prioritize, and remediate your risks in the cloud.
git clone --recurse-submodules git@github.com:Zeus-Labs/ZeusCloud.git
cd ZeusCloud && make quick-deploy
Check out our Get Started guide for more details.
A cloud-hosted version is available on special request - email founders@zeuscloud.io to get access!
Play around with our sandbox environment to see how ZeusCloud identifies, prioritizes, and remediates risks in the cloud!
Cloud usage continues to grow. Companies are shifting more of their workloads from on-prem to the cloud and both adding and expanding new and existing workloads in the cloud. Cloud providers keep increasing their offerings and their complexity. Companies are having trouble keeping track of their security risks as their cloud environment scales and grows more complex. Several high profile attacks have occurred in recent times. Capital One had an S3 bucket breached, Amazon had an unprotected Prime Video server breached, Microsoft had an Azure DevOps server breached, Puma was the victim of ransomware, etc.
We had to take action.
We love contributions of all sizes. What would be most helpful first:
Run containers in development mode:
cd frontend && yarn && cd -
docker-compose down && docker-compose -f docker-compose.dev.yaml --env-file .env.dev up --build
Reset neo4j and/or postgres data with the following:
rm -rf .compose/neo4j
rm -rf .compose/postgres
To develop on frontend, make the the code changes and save.
To develop on backend, run
docker-compose -f docker-compose.dev.yaml --env-file .env.dev up --no-deps --build backend
To access the UI, go to: http://localhost:80.
Please do not run ZeusCloud exposed to the public internet. Use the latest versions of ZeusCloud to get all security related patches. Report any security vulnerabilities to founders@zeuscloud.io.
This repo is freely available under the Apache 2.0 license.
We're working on a cloud-hosted solution which handles deployment and infra management. Contact us at founders@zeuscloud.io for more information!
Special thanks to the amazing Cartography project, which ZeusCloud uses for its asset inventory. Credit to PostHog and Airbyte for inspiration around public-facing materials - like this README!
nuvola (with the lowercase n) is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax.
The general idea behind this project is to create an abstracted digital twin of a cloud platform. For a more concrete example: nuvola reflects the BloodHound traits used for Active Directory analysis but on cloud environments (at the moment only AWS).
The usage of a graph database also increases the possibility of finding different and innovative attack paths and can be used as an offline, centralised and lightweight digital twin.
docker-compose installedawscli with full access to the cloud resources, better if in ReadOnly mode (the policy arn:aws:iam::aws:policy/ReadOnlyAccess is fine)git clone --depth=1 https://github.com/primait/nuvola.git; cd nuvola.env file to set your DB username/password/URLcp .env_example .env;make startmake build./nuvola dump -profile default_RO -outputdir ~/DumpDumpFolder -format zip./nuvola assess -import ~/DumpDumpFolder/nuvola-default_RO_20220901.zip./nuvola assessTo get started with nuvola and its database schema, check out the nuvola Wiki.
No data is sent or shared with Prima Assicurazioni.
nuvola uses graph theory to reveal possible attack paths and security misconfigurations on cloud environments.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this repository and program. If not, see http://www.gnu.org/licenses/.
Earlier this month, the administrator of the cybercrime forum Breached received a cease-and-desist letter from a cybersecurity firm. The missive alleged that an auction on the site for data stolen from 10 million customers of Mexicoβs second-largest bank was fake news and harming the bankβs reputation. The administrator responded to this empty threat by purchasing the stolen banking data and leaking it on the forum for everyone to download.
On August 3, 2022, someone using the alias βHolistic-K1llerβ posted on Breached a thread selling data allegedly stolen from Grupo Financiero Banorte, Mexicoβs second-biggest financial institution by total loans. Holistic-K1ller said the database included the full names, addresses, phone numbers, Mexican tax IDs (RFC), email addresses and balances on more than 10 million citizens.
There was no reason to believe Holistic-K1ller had fabricated their breach claim. This identity has been highly active on Breached and its predecessor RaidForums for more than two years, mostly selling databases from hacked Mexican entities. Last month, they sold customer information on 36 million customers of the Mexican phone company Telcel; in March, they sold 33,000 images of Mexican IDs β with the front picture and a selfie of each citizen. That same month, they also sold data on 1.4 million customers of Mexican lending platform Yotepresto.
But this history was either overlooked or ignored by Group-IB, the Singapore-based cybersecurity firm apparently hired by Banorte to help respond to the data breach.
βThe Group-IB team has discovered a resource containing a fraudulent post offering to buy Grupo Financiero Banorteβs leaked databases,β reads a letter the Breach administrator said they received from Group-IB. βWe ask you to remove this post containing Banorte data. Thank you for your cooperation and prompt attention to this urgent matter.β
The administrator of Breached is βPompompurin,β the same individual who alerted this author in November 2021 to a glaring security hole in a U.S. Justice Department website that was used to spoof security alerts from the FBI. In a post to Breached on Aug. 8, Pompompurin said they bought the Banorte database from Holistic-K1llerβs sales thread because Group-IB was sending emails complaining about it.
βThey also attempted to submit DMCAβs against the website,β Pompompurin wrote, referring to legal takedown requests under the Digital Millennium Copyright Act. βMake sure to tell Banorte that now they need to worry about the data being leaked instead of just being sold.β
Group-IB CEO Dmitriy Volkov said the company has seen some success in the past asking hackers to remove or take down certain information, but that making such requests is not a typical response for the security firm.
βIt is not a common practice to send takedown notifications to such forums demanding that such content be removed,β Volkov said. βBut these abuse letters are legally binding, which helps build a foundation for further steps taken by law enforcement agencies. Actions contrary to international rules in the regulated space of the Internet only lead to more severe crimes, which β as we know from the case of Raidforums β are successfully investigated and stopped by law enforcement.β
Banorte did not respond to requests for comment. But in a brief written statement picked up on Twitter, Banorte said there was no breach involving their infrastructure, and the data being sold is old.
βThere has been no violation of our platforms and technological infrastructure,β Banorte said. βThe set of information referred to is inaccurate and outdated, and does not put our users and customers at risk.β
That statement may be 100 percent true. Still, it is difficult to think of a better example of how not to do breach response. Banorte shrugging off this incident as a nothingburger is baffling: While it is almost certainly true that the bank balance information in the Banorte leak is now out of date, the rest of the information (tax IDs, phone numbers, email addresses) is harder to change.
βIs there one person from our community that think sending cease and desist letter to a hackers forum operator is a good idea?,β asked Ohad Zaidenberg, founder of CTI League, a volunteer emergency response community that emerged in 2020 to help fight COVID-19 related scams. βWho does it? Instead of helping, they pushed the organization from the hill.β
Kurt Seifried, director of IT for the CloudSecurityAlliance, was similarly perplexed by the response to the Banorte breach.
βIf the data wasnβt realβ¦.did the bank think a cease and desist would result in the listing being removed?β Seifried wondered on Twitter. βI mean, isnβt selling breach data a worse crime usually than slander or libel? What was their thought process?β
A more typical response when a large bank suspects a breach is to approach the seller privately through an intermediary to ascertain if the information is valid and what it might cost to take it off the market. While it may seem odd to expect cybercriminals to make good on their claims to sell stolen data to only one party, removing sold stolen items from inventory is a fairly basic function of virtually all cybercriminal markets today (apart from perhaps sites that traffic in stolen identity data).
At a minimum, negotiating or simply engaging with a data seller can buy the victim organization additional time and clues with which to investigate the claim and ideally notify affected parties of a breach before the stolen data winds up online.
It is true that a large number of hacked databases put up for sale on the cybercrime underground are sold only after a small subset of in-the-know thieves have harvested all of the low-hanging fruit in the data β e.g., access to cryptocurrency accounts or user credentials that are recycled across multiple websites. And itβs certainly not unheard of for cybercriminals to go back on their word and re-sell or leak information that they have sold previously.
But companies in the throes of responding to a data security incident do themselves and customers no favors when they underestimate their adversaries, or try to intimidate cybercrooks with legal threats. Such responses generally accomplish nothing, except unnecessarily upping the stakes for everyone involved while displaying a dangerous naivetΓ© about how the cybercrime underground works.
Update, Aug. 17, 10:32 a.m.: Thanks to a typo by this author, a request for comment sent to Group-IB was not delivered in advance of this story. The copy above has been updated to include a comment from Group-IBβs CEO.
TerraformGoat is selefra research lab's "Vulnerable by Design" multi cloud deployment tool.
Currently supported cloud vendors include Alibaba Cloud, Tencent Cloud, Huawei Cloud, Amazon Web Services, Google Cloud Platform, Microsoft Azure.
| ID | Cloud Service Company | Types Of Cloud Services | Vulnerable Environment |
|---|---|---|---|
| 1 | Alibaba Cloud | Networking | VPC Security Group Open All Ports |
| 2 | Alibaba Cloud | Networking | VPC Security Group Open Common Ports |
| 3 | Alibaba Cloud | Object Storage | Bucket HTTP Enable |
| 4 | Alibaba Cloud | Object Storage | Object ACL Writable |
| 5 | Alibaba Cloud | Object Storage | Object ACL Readable |
| 6 | Alibaba Cloud | Object Storage | Special Bucket Policy |
| 7 | Alibaba Cloud | Object Storage | Bucket Public Access |
| 8 | Alibaba Cloud | Object Storage | Object Public Access |
| 9 | Alibaba Cloud | Object Storage | Bucket Logging Disable |
| 10 | Alibaba Cloud | Object Storage | Bucket Policy Readable |
| 11 | Alibaba Cloud | Object Storage | Bucket Object Traversal |
| 12 | Alibaba Cloud | Object Storage | Unrestricted File Upload |
| 13 | Alibaba Cloud | Object Storage | Server Side Encryption No KMS Set |
| 14 | Alibaba Cloud | Object Storage | Server Side Encryption Not Using BYOK |
| 15 | Alibaba Cloud | Elastic Computing Service | ECS SSRF |
| 16 | Alibaba Cloud | Elastic Computing Service | ECS Unattached Disks Are Unencrypted |
| 17 | Alibaba Cloud | Elastic Computing Service | ECS Virtual Machine Disks Are Unencrypted |
| 18 | Tencent Cloud | Networking | VPC Security Group Open All Ports |
| 19 | Tencent Cloud | Networking | VPC Security Group Open Common Ports |
| 20 | Tencent Cloud | Object Storage | Bucket ACL Writable |
| 21 | Tencent Cloud | Object Storage | Bucket ACL Readable |
| 22 | Tencent Cloud | Object Storage | Bucket Public Access |
| 23 | Tencent Cloud | Object Storage | Object Public Access |
| 24 | Tencent Cloud | Object Storage | Unrestricted File Upload |
| 25 | Tencent Cloud | Object Storage | Bucket Object Traversal |
| 26 | Tencent Cloud | Object Storage | Bucket Logging Disable |
| 27 | Tencent Cloud | Object Storage | Server Side Encryption Disable |
| 28 | Tencent Cloud | Elastic Computing Service | CVM SSRF |
| 29 | Tencent Cloud | Elastic Computing Service | CBS Storage Are Not Used |
| 30 | Tencent Cloud | Elastic Computing Service | CVM Virtual Machine Disks Are Unencrypted |
| 31 | Huawei Cloud | Networking | ECS Unsafe Security Group |
| 32 | Huawei Cloud | Object Storage | Object ACL Writable |
| 33 | Huawei Cloud | Object Storage | Special Bucket Policy |
| 34 | Huawei Cloud | Object Storage | Unrestricted File Upload |
| 35 | Huawei Cloud | Object Storage | Bucket Object Traversal |
| 36 | Huawei Cloud | Object Storage | Wrong Policy Causes Arbitrary File Uploads |
| 37 | Huawei Cloud | Elastic Computing Service | ECS SSRF |
| 38 | Huawei Cloud | Relational Database Service | RDS Mysql Baseline Checking Environment |
| 39 | Amazon Web Services | Networking | VPC Security Group Open All Ports |
| 40 | Amazon Web Services | Networking | VPC Security Group Open Common Ports |
| 41 | Amazon Web Services | Object Storage | Object ACL Writable |
| 42 | Amazon Web Services | Object Storage | Bucket ACL Writable |
| 43 | Amazon Web Services | Object Storage | Bucket ACL Readable |
| 44 | Amazon Web Services | Object Storage | MFA Delete Is Disable |
| 45 | Amazon Web Services | Object Storage | Special Bucket Policy |
| 46 | Amazon Web Services | Object Storage | Bucket Object Traversal |
| 47 | Amazon Web Services | Object Storage | Unrestricted File Upload |
| 48 | Amazon Web Services | Object Storage | Bucket Logging Disable |
| 49 | Amazon Web Services | Object Storage | Bucket Allow HTTP Access |
| 50 | Amazon Web Services | Object Storage | Bucket Default Encryption Disable |
| 51 | Amazon Web Services | Elastic Computing Service | EC2 SSRF |
| 52 | Amazon Web Services | Elastic Computing Service | Console Takeover |
| 53 | Amazon Web Services | Elastic Computing Service | EBS Volumes Are Not Used |
| 54 | Amazon Web Services | Elastic Computing Service | EBS Volumes Encryption Is Disabled |
| 55 | Amazon Web Services | Elastic Computing Service | Snapshots Of EBS Volumes Are Unencrypted |
| 56 | Amazon Web Services | Identity and Access Management | IAM Privilege Escalation |
| 57 | Google Cloud Platform | Object Storage | Object ACL Writable |
| 58 | Google Cloud Platform | Object Storage | Bucket ACL Writable |
| 59 | Google Cloud Platform | Object Storage | Bucket Object Traversal |
| 60 | Google Cloud Platform | Object Storage | Unrestricted File Upload |
| 61 | Google Cloud Platform | Elastic Computing Service | VM Command Execution |
| 62 | Microsoft Azure | Object Storage | Blob Public Access |
| 63 | Microsoft Azure | Object Storage | Container Blob Traversal |
| 64 | Microsoft Azure | Elastic Computing Service | VM Command Execution |
TerraformGoat is deployed using Docker images and therefore requires Docker Engine environment support, Docker Engine installation can be found in https://docs.docker.com/engine/install/
Depending on the cloud service provider you are using, choose the corresponding installation command.
Alibaba Cloud
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.4
docker run -itd --name terraformgoat_aliyun_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.4
docker exec -it terraformgoat_aliyun_0.0.4 /bin/bashTencent Cloud
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_tencentcloud:0.0.4
docker run -itd --name terraformgoat_tencentcloud_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_tencentcloud:0.0.4
docker exec -it terraformgoat_tencentcloud_0.0.4 /bin/bashHuawei Cloud
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_huaweicloud:0.0.4
docker run -itd --name terraformgoat_huaweicloud_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_huaweicloud:0.0.4
docker exec -it terraformgoat_huaweicloud_0.0.4 /bin/bashAmazon Web Services
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aws:0.0.4
docker run -itd --name terraformgoat_aws_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aws:0.0.4
docker exec -it terraformgoat_aws_0.0.4 /bin/bashGoogle Cloud Platform
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_gcp:0.0.4
docker run -itd --name terraformgoat_gcp_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_gcp:0.0.4
docker exec -it terraformgoat_gcp_0.0.4 /bin/bashMicrosoft Azure
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_azure:0.0.4
docker run -itd --name terraformgoat_azure_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_azure:0.0.4
docker exec -it terraformgoat_azure_0.0.4 /bin/bashAfter entering the container, cd to the corresponding scenario directory and you can start deploying the scenario.
Here is a demonstration of the Alibaba Cloud Bucket Object Traversal scenario build.
docker pull registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.4
docker run -itd --name terraformgoat_aliyun_0.0.4 registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.4
docker exec -it terraformgoat_aliyun_0.0.4 /bin/bash
cd /TerraformGoat/aliyun/oss/bucket_object_traversal/
aliyun configure
terraform init
terraform apply
The program prompts Enter a value:, type yes and enter, use curl to access the bucket, you can see the object traversed.
To avoid the cloud service from continuing to incur charges, remember to destroy the scenario in time after using it.
terraform destroyIf you are in a container, first execute the exit command to exit the container, and then execute the following command under the host.
docker stop $(docker ps -a -q -f "name=terraformgoat*")
docker rm $(docker ps -a -q -f "name=terraformgoat*")
docker rmi $(docker images -a -q -f "reference=registry.cn-beijing.aliyuncs.com/huoxian_pub/terraformgoat*")Contributions are welcomed and greatly appreciated. Further reading β CONTRIBUTING.md for details on contribution workflow.
TerraformGoat is under the Apache 2.0 license. See the LICENSE file for details.
