CNAPPgoat: The Multicloud Open-Source Tool for Deploying Vulnerable-by-Design Cloud Resources


Ermetic is proud to announce the release of the open source CNAPPgoat project, developed and maintained by the Ermetic research team. 

CNAPPgoat is intended to reinvent the creation of vulnerable cloud infrastructure for a variety of purposes (see below). 

This blog post explains why CNAPPgoat is important and how you can get started. 

First Things First - What is CNAPP Anyway?

CNAPP (or Cloud Native Application Protection Platform) is a relatively new Gartner product category defined as “a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production”. Simply put, CNAPP solutions help you transition your cloud infrastructure security practice from a layered (or even siloed) approach, where different aspects of security (such as posture, network, runtime, compute, data, etc.) are handled separately, to a holistic and comprehensive approach where they are united in a single platform. As you may imagine, CNAPP solutions include the capabilities of multiple (more veteran) product categories such as CSPM (Cloud Security Posture Management), CWPP (Cloud Workload Protection Platform) and CIEM (Cloud Infrastructure Entitlements Management).

So… What is CNAPPgoat? 

CNAPPgoat is an open source project designed to modularly provision vulnerable-by-design components in cloud environments (currently supporting AWS, Azure and GCP). 

Unlike other projects which may also fit this description (the most popular are probably CloudGoat and CloudFoxable), CNAPPgoat is NOT designed to simply illustrate possible attack paths. Rather, it includes atomic (and, down the line, more complex) vulnerable scenarios that together provide as much coverage as possible of the misconfigurations and risks that an attacker could potentially exploit.

The scenarios available in CNAPPgoat are divided into modules corresponding to the various security capabilities included in the CNAPP specification (hence the name - CNAPPgoat!), and each scenario targets a specific cloud service provider (AWS, Azure, GCP, etc.).

This structure makes it possible to provision only scenarios from a specific module or modules to address different use cases and different consumers (see below). In addition, this design makes reviewing and understanding the scenarios much easier (whether you want to find a specific scenario or add a new one). It helps break down a very complicated and multidimensional challenge into more easily digestible parts. 

Currently, the following modules are supported: 

  • CIEM - scenarios relevant to the management of identities and entitlements, such as the unintended ability of an identity to escalate its privileges
  • CWPP - scenarios relevant to the exposure of workloads to vulnerabilities, for example, by running vulnerable/end-of-life software or OS versions
  • CSPM - scenarios relating to the misconfiguration of cloud infrastructure components, such as publicly exposed storage resources

We will soon add support for IAC (that is - infrastructure as code scanning, or the practice of finding misconfigurations directly in the code) and a CNAPP module which will include elaborate scenarios that describe popular attack paths leveraged by malicious entities. 

Why Should You Care? 

The ability to easily provision a vulnerable environment with broad coverage of possible risk scenarios has tremendous potential.  

Killer applications - to name just a few: 

  • Security teams can benchmark CNAPP solutions against known environments so they can prove their ability to deliver what they promise.
  • Security professionals can use it (responsibly and with extreme caution!) to create a sandbox for testing their teams, procedures and protocols.
  • Instructors can use it to create vulnerable environments for hands-on workshops or chalk talks (we’ve already done this successfully).
  • Pentesters can use it to provision a “shooting range” to test their skills at exploiting the scenarios and developing relevant capabilities. (We also feel the need to mention in this context two great pen-testing projects - pacu and Stratus Red Team.)
  • Educators can create a learning environment where cloud infrastructure risks can be explored, understood - and avoided.

Since it’s open source, you can contribute your own scenarios, and together, as a community, we can make and maintain CNAPPgoat as comprehensively as possible.

The initial version released is just a starting point and we’re looking forward to seeing more and more scenarios added.

How To Use CNAPPgoat? 

The basic process of using CNAPPgoat is quite simple: 

  1. Select the scenario(s) and/or module(s) you want to provision (or the entire set).
  2. Provision the vulnerable infrastructure in dedicated test accounts.
  3. Use the environment as described in the use cases above.
  4. Destroy the provisioned environment.

Easy to create - easy to destroy. No unneeded vulnerable components left behind for you to worry about (and pay for). 

We will now walk you through a simple example of getting started with CNAPPgoat (it’s highly recommended to go through the README to get oriented with the tool). 

Getting Started

First make sure you have the prerequisites installed.

Next, download the CNAPPgoat executable compiled for your OS from our release page.

Optional: Pulling the Scenarios Repo 

The currently available scenarios are managed in a GitHub repository. These scenarios are automatically downloaded when you run CNAPPgoat and are stored in the `~/.cnappgoat/scenarios` directory.

However, if you wish to review the scenarios yourself (and perhaps even contribute to them), you can pull the repository.

It’s possible to define a custom path to load scenarios from a local folder, but let’s keep things simple for now.

Setting Up Cloud Credentials 

Remember: CNAPPgoat deploys vulnerable environments. Only use it within safe, controlled sandboxes.

It goes without saying that experimentation with CNAPPgoat should only take place in test accounts that are completely separated from your business environment.

Running CNAPPgoat

Now, we’re ready to kick things off with CNAPPgoat. 

First, we’ll list the available scenarios by running the list command: 

./CNAPPgoat list

Figure 1 - Listing the available scenarios

For each scenario, you can see which platform (cloud service provider) it’s designed for and which module (CIEM / CSPM / CWPP) it belongs to. The names are also pretty self-explanatory. 

If you’re only interested in a specific module, you can use the global option --module to specify it. For example, if we only want to see the currently available CSPM scenarios, we’ll run:

./CNAPPgoat list --module CSPM

Figure 2 - Listing only available CSPM scenarios

The Status column on the right indicates which scenarios have been deployed, which have not, and which have been destroyed (that is - deployed and then destroyed). 

If you’re interested in more information about a specific scenario, you can get it with the describe command, for example:

./CNAPPgoat describe cwpp-aws-malicious-ec2-xmrig

will produce the following output: 

Figure 3 - Description of a scenario

In order to provision a scenario / multiple scenarios / a module, you can use the “provision” command. If you simply run: 

./CNAPPgoat provision

All scenarios will be deployed upon your confirmation (use this carefully): 

Figure 4 - Requesting deploy of all scenarios

If you pass a space-delimited list of selected scenarios as arguments, it will provision only those, for example:

./CNAPPgoat provision cspm-aws-ec2-imds-v1-enabled ciem-aws-iam-privesc-ec2-passrole

CNAPPgoat will show you a log of the operations performed (only partially shown in Figure 5, as it’s rather long) and then the end result of the process:

Figure 5 - End result of provisioning selected scenarios

Note that when you do this for the first time, CNAPPgoat will also take care of installing the necessary dependencies, so it may take a while. Go get some coffee.

Once the provisioning is complete, you can check the new resources in your cloud environment. 
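As an added example (my own code, not part of CNAPPgoat), here is a minimal CSPM-style check of the kind a security team could run against the sandbox account to confirm that a tool under evaluation should flag the cspm-aws-ec2-imds-v1-enabled scenario. It assumes, from the scenario’s name, that the scenario provisions an EC2 instance whose metadata options still accept IMDSv1 (HttpTokens set to "optional"); the function names and the sample data are mine.

```python
"""Added example (not CNAPPgoat code): flag EC2 instances that still accept IMDSv1.

Assumption (from the scenario name cspm-aws-ec2-imds-v1-enabled): the scenario
leaves HttpTokens at "optional", so IMDSv1 requests without a session token work.
"""


def find_imdsv1_instances(reservations):
    """Return instance IDs whose metadata options allow IMDSv1.

    `reservations` is the "Reservations" list of an ec2:DescribeInstances
    response. HttpTokens "required" enforces IMDSv2 session tokens; anything
    else (normally "optional") still answers unauthenticated IMDSv1 calls.
    """
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            # Terminated instances stay visible for a while after a destroy;
            # they cannot serve metadata, so they are not findings.
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # metadata service switched off entirely
            if opts.get("HttpTokens") != "required":
                findings.append(inst["InstanceId"])
    return findings


def scan_live_account(region="us-east-1"):
    """Run the check against a real (sandbox!) account; needs boto3 and credentials."""
    import boto3  # imported lazily so the offline path needs no AWS SDK

    ec2 = boto3.client("ec2", region_name=region)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return find_imdsv1_instances(reservations)


# Constructed sample shaped like a DescribeInstances response; not real data.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0aaaaaaaaaaaaaaa2", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0aaaaaaaaaaaaaaa3", "State": {"Name": "terminated"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    ]},
]

if __name__ == "__main__":
    print("IMDSv1 still accepted on:", find_imdsv1_instances(SAMPLE_RESERVATIONS))
```

A CNAPP or CSPM product you are benchmarking should report the same instance after the scenario is provisioned and clear the finding once you run destroy.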

Now, if you run the list command, you will see that it clearly indicates the deployed scenarios:

Figure 6 - Scenarios list indicating deployed scenarios

Rather than deploying scenarios individually, you can provision an entire module using the global option --module:

./CNAPPgoat provision --module CSPM

As this may also be a significant operation, it requires confirmation; after that, all scenarios in the selected module will be provisioned, and the output will look something like this:

Figure 7 - Provisioning the CSPM module

As you can see from Figure 8, if any errors occurred while provisioning the scenarios, they are indicated in the output, and you can review the entire log to see exactly what went wrong. For example, the error we got in the above process can be traced to an invalid zone issue:

Figure 8 - Error log from provisioning a scenario

Once you’re done using the deployed scenarios, you can destroy all or specific scenarios / modules with the destroy command, which works just like provisioning them:

./CNAPPgoat destroy

Since we now simply want to clean up, we’ll run it without any arguments and confirm the operation:

Figure 9 - Running and confirming the destroy command for all deployed scenarios

Once the process is done, we see the following output, clearly indicating what has been destroyed: 

Figure 10 - Output from the destroy command

And that about does it! We’ve gone through the basics of using the CNAPPgoat framework. You now know how to explore the tool for existing scenarios and how to provision and destroy selected scenarios / modules.

Where Do We Go From Here? 

To the moon!

As mentioned before, this is just the start. The first step of a very long journey, if you will.

We firmly believe in the potential of this modular approach to enable almost anyone, regardless of expertise level, to leverage this tool for commercial, technical and educational purposes. 

Soon, we’ll release additional artifacts, including deeper technical dives and guides, to further support you in using the tool and making contributions. This is also the place to note that any contribution, whether new complete scenarios, scenario proposals, issues, suggestions, feature requests or simply sharing this with your network or organization, would be highly appreciated. If in doubt, just reach out; we’d love to hear from you.

Cyber security, and specifically cloud security, should be a team sport. As an industry and a community, we’ll be much better off if we join hands, and CNAPPgoat is a great platform for doing so.

Original article by Lior Zatlavi: CNAPPgoat: The Multicloud Open-Source Tool for Deploying Vulnerable-by-Design Cloud Resources

Reposted by admin on August 19, 2023, 8:20 PM.