Skip to content

n40y/cloudexec

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

15 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

cloudexec

Go Version License

cloudexec is a fast, concurrent, multi-cloud security scanner and offensive audit framework written in Go. Designed for cloud security engineers and pentester specialists, it combines automated OSINT, signature-based template scanning, and a multi-threaded secrets finder with automated real-time pivot and post-authentication enumeration capability.


Legal Disclaimer

Important

Legal Disclaimer: This tool is developed strictly for educational purposes, authorized penetration testing, and security auditing. The author (n40y) assumes no liability for any unauthorized misuse, damage, or illegal activities caused by this tool. Usage of cloudexec for attacking targets without prior mutual consent is illegal. Users are solely responsible for complying with all applicable local and international laws.

Key Features

  • ⚑ High-Performance Secrets Scanner: Multi-threaded worker pool to hunt down leaked credentials (AWS, GCP, Slack, etc.) across local directories.
  • πŸ”„ Automated Pivot Mode: Validates discovered secrets on-the-fly against live cloud provider APIs during the filesystem scan without blocking the pipeline.
  • πŸ•΅οΈ Post-Auth Enumeration: Automatically maps out accessible services, permissions, and attack paths the moment a valid credential is confirmed.
  • πŸ› οΈ YAML Template-Driven Core: Decoupled engine logic using modular YAML signatures for flexible multi-cloud checks.
  • ☁️ Multi-Cloud Support:
    • AWS: STS identity verification (GetCallerIdentity) and S3 exposure auditing.
    • Azure: Domain OSINT, Tenant ID enumeration, break-glass account identification, and blob storage mapping.
    • GCP: Google Workspace public infrastructure discovery and API Key validation (Identity Toolkit).

πŸ“Ί Demo

Cloudexec Preview

πŸ› οΈ Customizing Templates (Playbooks)

cloudexec uses a modular YAML template engine. You can easily extend the scanner's capabilities by adding your own templates into the provider subdirectories (e.g., templates/gcp/, templates/aws/).

Template Structure

Every template must follow this anatomy:

id: custom-gcp-check
engine: gcp                 # Target engine: aws, azure, gcp, cloudflare, recon
action: gcp:ApiKeyCheck     # The internal method to execute
info:
  name: "Custom API Key Validation Workflow"
  description: "Triggers a validation request and maps downstream permissions."
  severity: "high"

Installation

Ensure you have Go installed (version 1.20+ recommended).

# Clone the repository
git clone [https://github.com/n40y/cloudexec.git](https://github.com/n40y/cloudexec.git)

cd cloudexec
# Build the binary
go build

πŸš€ Usage Guide

1. Global Secrets Scanner (with Auto-Pivot)

Scan a directory for leaked credentials, automatically intercept them, and validate them against cloud provider APIs in real-time.

# Basic scan
./cloudexec secrets --path .

# Scan with auto-pivot validation and JSON export
./cloudexec secrets --path /path/to/project -p -o report.json

2. AWS Audit Engine

Executes AWS-specific templates (identity verification via STS, S3 bucket enumeration). It automatically utilizes credentials configured in your config.yaml or standard local AWS environment variables.

./cloudexec aws

3. Azure OSINT & Enumeration Engine

Performs passive and active reconnaissance on a Microsoft 365 / Azure tenant using a target domain. Extracts Tenant ID, authentication mechanics, identity provider details, and lists potential break-glass accounts.

./cloudexec azure -d targetcompany.com

4. GCP Audit Engine

Validates Google Cloud API keys and checks if a domain is mapped to a public Google Workspace infrastructure.

# Check both Workspace infrastructure and a specific API Key
./cloudexec gcp -d targetcompany.com --apikey AIzaSy...

# Check an isolated API key only
./cloudexec gcp --apikey AIzaSy...

5. General Recon Engine

Triggers passive multi-cloud discovery templates, including historical DNS lookups, certificate transparency logs via crt.sh, and cross-provider storage bucket detection.

./cloudexec recon -d targetcompany.com

πŸ₯· Bypass & Evasion Options

Since these flags are registered globally, you can append them to any of the commands above (like recon, gcp, azure, etc.) to bypass network protections:

  • DNS Pinning / Cloudflare Bypass (--ip): Forces the HTTP client to connect directly to a specific backend IP address, bypassing public DNS resolution and Cloudflare caching/WAF layers.

  • Anti-WAF Header Spoofing (--anti-waf): Rotates standard browser User-Agents and injects source spoofing headers (X-Forwarded-For, X-Real-IP) to fly under the radar of simple anti-bot mechanisms.

# Example: Running reconnaissance by hitting the origin server IP directly with anti-WAF headers
./cloudexec recon -d targetcompany.com --ip 185.190.140.23 --anti-waf

πŸ“ Project Structure

Path Description
cmd/ Contains Cobra CLI command definitions (aws, azure, gcp, recon, secrets).
pkg/bypass/ Evasion and bypass network protections.
pkg/engines/ Core execution logic for cloud provider validation and post-auth enumeration.
pkg/templates/ YAML template parsing and signature matching engines.
pkg/utils/ Thread-safe logging utilities and console formatting.
templates/ Ready-to-use security playbooks and detection signatures (.yaml).
main.go Application entry point.

Configuration

For authenticated modules, you can maintain a local config.yaml file at the root.

[!WARNING]
Never commit your config.yaml to a public repository. Ensure it is included in your .gitignore.
aws:
  access_key: "AKIA..."
  secret_key: "..."
  region: "eu-west-3"

License

Distributed under the MIT License. See LICENSE for more information.

πŸ” Keywords

cloud-automation security-orchestration devsecops cloud-native infrastructure-as-code iam-governance go security-automation cloud-ops api-security

About

Cloudexec: A high-performance, multi-threaded multi-cloud security & audit framework. Features concurrent secrets scanning, real-time automated pivot validation, post-auth enumeration, and WAF/DNS bypass capabilities. YAML-driven and built for DevSecOps.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages