RedCloud OS: A Comprehensive Overview

RedCloud OS, the latest innovation by CW Labs Pvt. Ltd., is a Debian-derived operating system designed for Red Teams to evaluate the security of top Cloud Service Providers (CSPs).

It offers a specialised toolset for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), enabling security teams to enhance productivity and achieve remarkable results. RedCloud offers cybersecurity specialists an interesting and user-friendly environment with a configurable user interface.

One of the primary advantages of RedCloud OS lies in its Multi Cloud Red Teaming Toolkit, which includes a diverse array of both publicly available and proprietary tools. With the help of this toolset, security teams can carry out thorough adversary simulations and identify vulnerabilities, assess defences, and improve their overall preparedness for cloud security.

You can visit here

Credentials:

Username:cwl
Password:redcloud

Specifications:

Platform → VMware Workstation [VMware player can also work, although we have not tested yet]

RAM → 8GB+ recommended; 4GB Minimum

No. of cores → 4+ Cores recommended; 2 Minimum

Download

Step 1 → Download the zip archive from here

Step 2 → Unzip the archive

Step 3 → Open VMware Workstation > File > Open (Ctrl + O) > Browse to extracted folder and select RedCloud OS.ovf

Step 4 → Click Import

Now you are good to go,

Installation and Deployment from Scratch

Step 1:

Begin by downloading and installing Parrot OS Architect Edition 5.3, then proceed with installation within VMware/VirtualBox.

Step 2:

After completing the installation of Parrot OS, launch the virtual machine and clone this repository using the command:

git clone https://github.com/RedTeamOperations/RedCloud-OS.git

Step 3:

Navigate to the build-scripts folder and ensure that the scripts are executable.

Step 4:

Initially, run the uninstall.sh script, followed by executing hold.sh, and finally, run install.sh.

Login Page:

Multi Cloud Security

Desktop:

Cloud Pentesting Training

Environment Variable Setup

However, the following variables may not cover all possible scenarios, and additional ones may be required depending on the specific case.

AWS

export AWS_ACCESS_KEY_ID=<access_key_id>

export AWS_SECRET_ACCESS_KEY=<access_key>

export AWS_DEFAULT_REGION=<region>

Azure

export AZURE_CLIENT_ID = <app-id>

export AZURE_TENANT_ID = <tenant-id>

export AZURE_CLIENT_SECRET = <app-secret>

GCP

export GOOGLE_APPLICATION_CREDENTIALS = <Service Account Json File Path>

Available Tools

AWS

The AWS Command Line Interface (AWS CLI) serves as a comprehensive tool for overseeing your AWS services.

The AWS Management Console is a web application that comprises and refers to a broad collection of service consoles for managing AWS resources.

This tool implements a cloud version of the Shadow Copy attack against domain controllers running in AWS.

CloudJack assesses AWS accounts for subdomain hijacking vulnerabilities because of decoupled Route53 and CloudFront configurations.

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.

CredKing can easily launch a password spray using AWS Lambda across multiple regions, rotating IP addresses with each request.

An AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account’s resources with a rogue AWS account – or share the resources with the entire internet.

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments.

Redboto is a collection of scripts that use the Amazon SDK for Python boto3 to perform red team operations against the AWS API.

WeirdAAL uses boto3 and it handles standard AWS keypair setups. This means that WeirdAAL will also support STS tokens via the boto3 library.

Azure

AADCookieSpoof is a Cookie replay client for testing Azure AD Identity Protection.

AADInternals is PowerShell module for administering Azure AD and Office 365.

The Azure Command-Line Interface (CLI) is a cross-platform command-line tool to connect to Azure and execute administrative commands on Azure resources.

Azure Active Directory (Azure AD), now known as Microsoft Entra ID, is Microsoft’s identity and access management solution.

AzureHound is the BloodHound data collector for Microsoft Azure.

BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# data collector.

DCToolbox PowerShell module contains a collection of tools for Microsoft 365 security tasks, Microsoft Graph functions, Entra ID management, Conditional Access, zero trust strategies, attack, and defence scenarios, etc.

MFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled.

MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.

This is a simple proof-of-concept script that allows an attacker to conduct a phishing attack against Microsoft 365 OAuth Authorization Flow.

The Microsoft Graph PowerShell SDK is made up of a set of modules that enable you to interact with the Microsoft Graph API using PowerShell commands.

PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution.

ROADtools is a framework to interact with Azure AD. It consists of a library (roadlib) with common components, the ROADrecon Azure AD exploration tool and the ROADtools Token eXchange (roadtx) tool.

TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts.

GCP

The Google Cloud CLI is a set of tools to create and manage Google Cloud resources. You can use these tools to perform many common platform tasks from the command line or through scripts and other automation.

GCPBucketBrute is a script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated.

Miscellaneous tools related to attack operations in Google Cloud Platform.

GCP Enum is a simple bash script to enumerate Google Cloud Platform environments.

This tool analyses the output of several gcloud commands to determine which compute instances have network ports exposed to the public Internet.

– GCP IAM Collector is a collection python scripts for collecting and visualising Google Cloud Platform IAM permissions

CPTokenReuse helps pentester / red teamer to configure access token using gcloud cli.

Script written in Python3 which dumps the user/group from the Google Workspace. This tool can be used to map the group member relationship which can aid further cyber operations.

Google Cloud Platform Auditing & Hardening Script

Multi-Cloud

Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.

Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.

A tool to find a company’s (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).

Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.

Evilginx is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.

Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos.

Impacket is a collection of Python classes for working with network protocols.

This is the repository containing Leonidas, a framework for executing attacker actions in the cloud.

Modlishka is a powerful and flexible HTTP reverse proxy. It implements an entirely new and interesting approach of handling browser-based HTTP traffic flow, which allows it to transparently proxy multi-domain destination traffic, both TLS and non-TLS, over a single domain, without a requirement of installing any additional certificate on the client.

MOSE is a post exploitation tool that enables security professionals with little or no experience with configuration management (CM) technologies to leverage them to compromise environments.

This tool fetches resources from different cloud/SaaS applications focusing on permissions to identify privilege escalation paths and dangerous permissions in the cloud/SaaS configurations.

Responder is an LLMNR, NBT-NS and MDNS poisoner.

Scout Suite is an open-source multi cloud security-auditing tool, which enables security posture assessment of cloud environments.

SkyArk is a cloud security project with two main scanning modules:

AzureStealth – Scans Azure environments

AWStealth – Scan AWS environments

These two scanning modules will discover the most privileged entities in the target AWS and Azure.

My Views

As an avid user of Redcloud OS, I’ve found it to be a remarkably accessible and intuitive operating system tailored specifically for adversary simulation tasks within cloud environments. From the moment you download it, the simplicity of installation and configuration becomes evident, making it an ideal choice for both beginners and seasoned professionals alike.

One of the standout features of CWL’s Redcloud OS is its integration with major cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). This integration provides users with a suite of tools optimised for conducting adversary simulations within these environments. Whether you’re testing the security of your own cloud infrastructure or simulating real-world attack scenarios, Redcloud OS offers the necessary tools right out of the box.

What truly sets Redcloud OS apart is its user-friendly interface and accessible options. Unlike some other cybersecurity-focused operating systems that can feel overwhelming or require extensive customization, Redcloud OS streamlines the process, allowing users to focus on their objectives rather than grappling with complex configurations. Every tool and options are conveniently placed and easily accessible, making it a breeze to navigate even for those new to adversary simulation.

In conclusion, my experience with RedCloud OS : Cloud Adversary Simulation Operating System has been nothing short of exceptional. Its ease of use, coupled with its comprehensive feature set, makes it an indispensable asset for anyone involved in adversary simulation within cloud environments.

Learning Material