19 best tools for cloud penetration testing

blog + Systems security + Penetration test Z. Oualid today

share close

Cloud networks are become more and more used by companies. Most companies start to merge their local network to a cloud version either totally or at least partially. Hybrid use of cloud computing is the new trend in IT. Being asked to perform a penetration test against a cloud network is very likely to happen. Therefore, preparing your tools arsenal is a must to be ready to do a good job. So what are the best tools for cloud penetration testing?

Here is a list of the most powerful tools that you can use while performing a penetration testing for a cloud:

  • AWS Inspector
  • Nmap
  • Pacu
  • Cred Scanner
  • Mimikatz
  • Cloudfrunt
  • Cloudjack
  • Nimbostratus
  • GitLeaks
  • TruffleHog
  • DumpsterDiver
  • enumerate-iam
  • Barq
  • CCAT
  • CloudBrute
  • Azucar
  • MicroBurst
  • Nessus

Knowing what options you have to accelerate the good penetration testing process is very important for you as a penetration tester. Therefore, this blog post will give you a list of some of the best tools that you can use with an explanation of what each tool will do.

AWS Inspector

AWS offers a nice tool called AWS inspector. The tool is designed to run a system scan against the AWS instances to see if there is any vulnerable operation system or a vulnerability application running in that instance.

The tool is basically similar to Nessus or Qualys. However, the only clear difference here is in the way you can deploy this tool compared to Nessus or any other tool which is obviously very easy as AWS offer this tool to his clients. However, in terms of detection capacity, it might be a difference between AWS inspector and the other tools, especially that AWS inspector does not figure in the Gartner magic quadrant.

Unfortunately, this tool is not always available as not all AWS users install this tool. In addition, the tool cannot be deployed in a separate environment (local environment of the pentester) and remotely scan the AWS instances. Therefore, for me, this tool should not be mentioned as a penetration testing tool. I personally put it here just to say that.

Nmap (network discovery and service enumeration)

Nmap is one of the best network mapping and scanning tools. If you are an experienced penetration tester you will know what this tool represents for penetration testers.

This tool can be used by penetration testers to map the cloud network to understand its architecture. In addition, Nmap can also be used in the scanning phase to identify open ports or even to look for possible vulnerabilities.

The vulnerability scanning system of Nmap is based on the NSE scripts developed by the community for each publicly disclosed vulnerability.


Pacu is one of the best cloud penetration testing tools available for free. The tool is open-source and available on Github. The tool was designed to automate the process of looking for configuration weaknesses of an AWS network.

The tool also helps the penetration tester to quickly enumerate the environment and to retrieve the user’s permissions to do a privileges escalation. The tools were made with a modular architecture in mind. Therefore, the community can develop modules to perform any type of attack against the AWS environment.

The tool also offers the possibility to create some backdoors for easy access. To do that the tool offers the ability to backdoor EC2 security groups or for example add an AWS API key to users in the account.

Cred Scanner

Cred Scanner is a python script that can be used to look for AWS credentials left in files. The tool is not very complex and does not offer multiple features. However, the best thing about this tool is that it can be easily integrated into CI/CD environment. The tool can also be quickly integrated with Jenkins.

One of the main data breaches that happen to big companies comes from publicly disclosed AWS keys. For example, in 2019 Imperva was a victim of a data breach that accidentally exposed customer data (which included email addresses, hashed & salted passwords, as well as TLS and API keys) caused by an AWS key that was left exposed to the public.

Therefore, using these tools is required to ensure that no API keys was left for the public.

This situation might get rarer in the future as most source code management solutions, make an automated check to verify if there is any AWS key being publicly exposed and you get a notification about it.


Mimikatz is one of the most used tools, especially in a windows environment. The tool was designed to help the penetration tester to perform post-exploitation techniques. The tool is very powerful and offers so many features for the penetration tester. Here is a list of some of those features:

  • Dumping passwords
  • Dumping Kerberos tickets
  • Performing a pass the hash technique
  • Building Golden Kerberos tickets

The mimikatz tool is really very essential in any penetration test job. Unfortunately, the tool is very known and basically, all security solutions are capable to detect it. Therefore, using this tool might be limited and should only be used if the security solutions are disabled.


AWS PWN is actually a group of multiples scripts that can be used during each AWS cloud penetration test step.

For example, in the reconnaissance phase the tool gives the penetration tester the ability to:

  • Validate iam access keys
  • checks the buckets existence
  • checks whether the principals exist in a given account

The tool goes beyond that by offering some scripts to perform a privileges escalation. For example, there is a script that automates the process of retrieving the stack descriptions for every existing stack and every stack deleted in the last 90 days. The parameters in the stack descriptions often could contain passwords and other secrets.


Cloudfrunt is a very nice python script that was designed to find domain misconfiguration. CloudFront the content distribution technology offered by AWS gives the admin the ability to use his own domain name to communicate with a distribution. This domain is called the alternate domain name.

Unfortunately, by adding the domain names one by one the attacker would create an alternate domain name for his own distribution with your own subdomain, which then he will be able to hijack the main domain.


Cloudjack is a python script create to check a vulnerability in that happened as a result of a decoupled Route53. This vulnerability also gives the attacker the possibility to successfully hijack a domain.

The vulnerability requires the Route53 to be referencing a deleted CloudFront web distribution or an active CloudFront web distribution with deleted CNAME(s).


The Nimbostratus tool is a very important tool in cloud penetration testing. The tool offers so many features that can be used to fingerprinting and exploiting Amazon cloud infrastructures.

The tool offers the possibility to:

  • Dump credentials available in the host
  • For each provided credential the tool can extract the permissions related to it.
  • Extract the instance meta-data
  • Inject raw Celery message to perform a remote code execution
  • Create a new user.

The tool is very flexible and can be modified to exploit any possible vulnerability that can be used as an http proxy.

For more details about the tool you can take a look at the following presentation video

The tool came also with a fabric script that can be used to create an AWS legal environment to test the tool. This can be beneficial for people who want to learn more about this subject.


Finding credentials and other secrete information about an application in a git repository is getting more and more common. Therefore, Gitleaks was created to help both developers and penetration testers to scan the git repo looking for secrets.

The tool can:

  • Scan for commited secrets
  • Scan for unstaged secrets to shift security left
  • Scan directories and files
  • Integrated into a CI/CD pipeline
  • Generate json, sarif, and csv reports
  • Scan private repo using key or password based authentication


TruffleHog is also a scanning tool that helps developers and penetration testers to look for secrets like credentials and keys in AWS environment. The main difference here is that the tool was designed to be integrated into multiple platforms so that the research can be performed on multiple platforms.

The tool was developed with the idea that secrets can be found on any platform including email and chat environments. Unfortunately, the tool does not support the AZUR cloud which makes it very limited. Moreover, the tool is open source but with a full version with multiple platforms support not free.


With the same attack logic, DumpsterDiver was created to look for secrets like AWS keys, passwords, and more. The tool is open-source and free.

Here are some of the tool features:

  • it uses Shannon Entropy to find private keys,
  • it searches through git logs,
  • it unpacks compressed archives (e.g. zip, tar.gz etc.),
  • it supports advanced search using simple rules (details below),
  • it searches for hardcoded passwords,
  • it is fully customizable.

You may notice that there are multiple tools that perform basically the same thing which is looking for credentials in a cloud environment. However, the techniques used by those tools are different and you will definitely get different results. Therefore, I highly recommend using multiple sets of scripts to look for those credentials.


Barq is another post-exploitation tool for AWS infrastructure penetration testing. The tool gives you the ability to attack an EC2 instance without having the original SSH keypairs.

The tool also offers the possibility to:

  • Dumping EC2 secrets and parameters.
  • Enumerating EC2 instances and security groups.
  • Ability to launch Metasploit and Empire payloads against EC2 instances.
  • Enable the training mode to test attacks and features without messing with running production environment.
  • Tab-completed commands in a menu-based navigation system.
  • Dump EC2 instance metadata details.
  • Use EC2 keys or tokens (for example acquired from compromised instances or leaked source code)
  • Print for you the listening commands for msfconsole in cli mode for easy copy-pasting.


Containers technology security is a rising subject in the community of Cybersecurity. How we can secure or even check their security is subject to many kinds of research. Finding yourself facing a situation where you need to test a container is going to become a common thing in the next few years.

The CCAT tool was designed to help you test the security of the containers by automating some penetration test tasks.


When dealing with blackbox cloud penetration testing the first thing you would need to perform is identifying the key elements of your target, like open buckets, apps, and databases hosted.

CloudBrute is a tool that can help you find those elements by performing a sort of brute-force attack based on a predefined and customizable wordlist.

The best thing about this tool is that it supports multiple cloud service providers like Amazon, Windows, Alibaba, and more.


Azucar is more like an AZUR enumeration tool, to identify and dump different security components and information. This tool can be used in the recon phase to get a clear idea about the target.

Unfortunately, the tool can only work on windows as the script uses the .NET ADAL library for authenticating a user and performing REST calls.


One of the best FREE and Opensource tools that a penetration tester could use when performing a cloud-based penetration test is MicroBrust. This tool offers multiple scripts that support Azure Services discovery, weak configuration auditing

The tool also offers features that will help you in the post-exploitation actions such as credential dumping.


I would like to finish this list with the best vulnerability scanner for me which is Nessus. The Nessus scanner offers the ability to perform a cloud infrastructure scan to identify vulnerable componenents. a detailed walkthrough on how to configure the scanner for AWS can be found here.

However, Nessus supports other types of cloud platforms like Microsoft Azur and more, which makes it a necessary tool for cloud penetration testing.

Written by: Z. Oualid

Rate it

About the author

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).

Previous post
woman writing on whiteboard



blog Z. Oualid

API penetration testing methodology

Performing a penetration test against an API is very similar to performing a penetration test against a web application. Both applications use web technologies and have basically the same type ...

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *