LinPEAS has a cloud module that attempts to determine in which cloud environment, if any, the module is running through a process of fingerprinting. This process inspects local files including /etc/hosts, /etc/resolv.conf and vendor-specific configuration files, as well as HTTP requests using both curl andwget, to a well-known cloud service provider’s API endpoints. The cloud module currently supports discovery of Google Cloud, DigitalOcean Droplet, IBM Cloud, and Amazon's Elastic Container Service (ECS), Elastic Compute Cloud (EC2), EC2 Beanstalk and Lambda. If a cloud service provider is identified, the module will enumerate details of the identified cloud environment, which may include machine attributes such as the instance metadata (ID, name, region or zone, and image); network attributes (public and private IPs, hostnames); and various user, service and security credentials depending on cloud service provider and cloud security configuration.
Tags
OffSecDual-use
Incidents
Use of linPEAS for cloud enumeration
References
https://go.crowdstrike.com/rs/281-OBQ-266/images/report-crowdstrike-2023-threat-hunting-report.pdfhttps://github.com/carlospolop/PEASS-ng/blob/master/linPEAS/builder/linpeas_parts/3_cloud.sh#L2
Last edited
Jun 20, 2024 12:24 PM