cloudfox v1.10.2 releases: find exploitable attack paths in cloud infrastructure


CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open-source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.

CloudFox helps you answer the following common questions (and many more):

  • What regions is this AWS account using and roughly how many resources are in the account?
  • What secrets are lurking in EC2 userdata or service-specific environment variables?
  • What actions/permissions does this [principal] have?
  • What roles trusts are overly permissive or allow cross-account assumption?
  • What endpoints/hostnames/IPs can I attack from an external starting point (public internet)?
  • What endpoints/hostnames/IPs can I attack from an internal starting point (assumed breach within the VPC)?
  • What filesystems can I potentially mount from a compromised resource inside the VPC?

CloudFox is designed to be executed by a principal with limited read-only permissions, but its purpose is to help you find attack paths that can be exploited in simulated compromise scenarios (aka, objective based penetration testing).

Supported Commands

Provider Command Name Description
AWS all-checks Run all of the other commands using reasonable defaults. You’ll still want to check out the non-default options of each command, but this is a great place to start.
AWS access-keys Lists active access keys for all users. Useful for cross referencing a key you found with which in-scope account it belongs to.
AWS buckets Lists the buckets in the account and gives you handy commands for inspecting them further.
AWS ecr List the most recently pushed image URI from all repositories. Use the loot file to pull selected images down with docker/nerdctl for inspection.
AWS endpoints Enumerates endpoints from various services. Scan these endpoints from both an internal and external position to look for things that don’t require authentication, are misconfigured, etc.
AWS env-vars Grabs the environment variables from services that have them (App Runner, ECS, Lambda, Lightsail containers, Sagemaker are supported. If you find a sensitive secret, use cloudfox iam-simulator AND pmapper to see who has access to them.
AWS filesystems Enumerate the EFS and FSx filesystems that you might be able to mount without creds (if you have the right network access). For example, this is useful when you have ec:RunInstance but not iam:PassRole.
AWS iam-simulator Like pmapper, but uses the IAM policy simulator. It uses AWS’s evaluation logic, but notably, it doesn’t consider transitive access via privesc, which is why you should also always also use pmapper.
AWS instances Enumerates useful information for EC2 Instances in all regions like name, public/private IPs, and instance profiles. Generates loot files you can feed to nmap and other tools for service enumeration.
AWS inventory Gain a rough understanding of size of the account and preferred regions.
AWS outbound-assumed-roles List the roles that have been assumed by principals in this account. This is an excellent way to find outbound attack paths that lead into other accounts.
AWS permissions Enumerates IAM permissions associated with all users and roles. Grep this output to figure out what permissions a particular principal has rather than logging into the AWS console and painstakingly expanding each policy attached to the principal you are investigating.
AWS principals Enumerates IAM users and Roles so you have the data at your fingertips.
AWS role-trusts Enumerates IAM role trust policies so you can look for overly permissive role trusts or find roles that trust a specific service.
AWS route53 Enumerate all records from all route53 managed zones. Use this for application and service enumeration.
AWS secrets List secrets from SecretsManager and SSM. Look for interesting secrets in the list and then see who has access to them using use cloudfox iam-simulator and/or pmapper.
Azure instances-map Enumerates useful information for Compute instances in all available resource groups and subscriptions
Azure rbac-map Enumerates Role Assignments for all tenants

Changelog v1.10.2

  • 51f0b65: bugfix ‘SQS’ and ‘SNS’ are inspected when ‘all-checks’ is executed. (motikan2010) #35
  • 3652866: moved sns/sqs to another section in all-checks (sethsec-bf)
  • 8ef71a6: fixed bug in env-vars where sagaemaker model exists but primarycontainer does not (sethsec-bf)

Install & Use

Copyright (c) 2022 Bishop Fox