Attacking AWS: the full cyber kill chain


Published on May 9, 2019

Author: wojdwo

Source: slideshare.net

Content

1. Attacking AWS: the full cyber kill chain (Pawel Rzepa)

2. #whoami (www.securing.biz)
• Senior Security Consultant in:
  - Pentesting
  - Cloud security assessment
• Blog: https://medium.com/@rzepsky
• Twitter: @Rzepsky

3. (slide without text)

4. VS (source: https://redlock.io/blog/cryptojacking-tesla)

5. Source: https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data

6. (slide without text)

7. (slide without text)

8. Somewhere at the other end of the Internet...

9. Domainanalytics.online intro. Demo: https://vimeo.com/334855817

10. Identify the IP owner
• Public AWS IP ranges: https://amzn.to/2EbvP0J
• Or use the AWS EC2 reachability test: https://bit.ly/30274Ag

11. (slide without text)

12. Exploiting SSRF. Demo: https://vimeo.com/334856068

13. Ooops… other services are also available! Demo: https://vimeo.com/334856278

14. What is metadata?
• Data about your instance
• It's a link-local address, accessible ONLY from your instance!
• May include access keys to the Instance Profile:
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/
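Slides 12 to 14 show the SSRF-to-metadata path; the defensive counterpart is that any server-side fetch of a user-supplied URL must refuse link-local and other internal destinations before it connects. The following is an added example written for this page, not code from the presentation: a URL check that resolves the host and rejects anything landing in 169.254.0.0/16 (where 169.254.169.254 lives), loopback or RFC 1918 space, including IPv4-mapped IPv6 forms. The function and variable names and the sample URLs are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address blocks a server-side fetcher must not reach on a user's behalf.
# The EC2 metadata address 169.254.169.254 lies inside the link-local block.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local (instance metadata)
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("0.0.0.0/8"),       # "this host"
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
]


def resolve_host(host):
    """Return the set of IP addresses a hostname or IP literal maps to.

    IP literals are parsed locally; names go through the system resolver
    (socket.getaddrinfo), so the check sees the same answers the fetcher would.
    """
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def is_blocked(addr):
    """True if addr falls in a blocked block; IPv4-mapped IPv6 is unwrapped first."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, allowed_schemes=("http", "https")):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (ok, reason). Every resolved address is checked, so a name that
    resolves to both a public and a link-local address is still rejected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in allowed_schemes:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = resolve_host(host)
    except socket.gaierror as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    for addr in addresses:
        if is_blocked(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidate URLs; 203.0.113.10 is a documentation-range address.
    for candidate in (
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "file:///etc/passwd",
        "https://203.0.113.10/report",
    ):
        print(candidate, "->", check_outbound_url(candidate))
```

Two caveats matter in practice: the fetcher must connect to the address that was vetted rather than resolving the name a second time (otherwise a DNS answer that changes between check and connect defeats the check), and HTTP redirects must either be disabled or re-checked per hop, since a public host can redirect to the metadata address. Because the metadata endpoint is link-local, network egress filtering does not cover it; the application itself has to enforce the rule.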

15. (slide without text)

16. (slide without text)

17. Pacu intro. Demo: https://vimeo.com/334856214

18. (slide without text)

19. Enumerate permissions
You need the following permissions to display your permissions:
iam:ListAttachedUserPolicies
iam:GetUserPolicy
...little chance of seeing them in an Instance Profile :/

20. Bruteforce permissions

21. Enumerate, enumerate, enumerate!
Pacu (Domain Analytics:ec2_pivot) > run ec2__enum
(...)
Pacu (Domain Analytics:ec2_pivot) > data EC2
(...)
VS

22. There's a stopped instance (i-08d6cf0eaf210a552) with instance-profile/admin attached! What can we find out there?

23. (slide without text)

24. Privilege escalation. Demo: https://vimeo.com/334856098

25. #cloud-boothook

26. User Data

27. Staying under the hood

28. CloudTrail by default monitors all regions

29. CloudTrail: ways to hide your fingerprints

30. Persist access
• Bind shell in User Data with a backdoor in Security Groups
• Lambda backdoor which creates an IAM user when a specific CloudWatch Event occurs
• Add extra keys to an existing user

31. Without monitoring it’s hard to detect a 2nd key pair… even for a legit administrator :O Demo: https://vimeo.com/334856167

32. Let's switch perspective to the blue team

33. Analysing what went wrong
• Vulnerable, publicly available web application
• "Test" instance with admin permissions (possible privilege escalation)
• Missing monitoring of sensitive actions (e.g. using the Instance Profile's keys outside the instance, modifying CloudTrail's settings, creating additional keys etc.)
• Improperly configured CloudTrail service (missing log encryption, missing log replication to a bucket under a different AWS account) as well as Security Groups

34. Cloud security assessment: architecture review
• Are there any extra, undocumented resources?
• Is the system architecture free from design flaws?

35. Cloud security assessment: configuration review
• Are all cloud services configured in compliance with best practices?

36. Cloud security assessment: pentesting sensitive services
• Are your applications free from vulnerabilities like RCE/SSRF/XXE etc.?
• Is the Serverless code secure (e.g. free from "event injections")?

37. Cloud security assessment: verifying monitoring processes
• Do you monitor sensitive actions?
• Do you have a defined incident response procedure?

38. Cloud security assessment in practice
• Vulnerable, publicly available web application
• "Test" instance with admin permissions (possible privilege escalation)
• Missing monitoring of sensitive actions (e.g. using the Instance Profile's keys outside the instance, modifying CloudTrail's settings, creating additional keys etc.)
• Improperly configured CloudTrail service (missing log encryption, missing log replication to a bucket under a different AWS account) as well as Security Groups
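Slides 33 and 38 both list the monitoring gaps that let the attack chain run unnoticed: Instance Profile keys used outside the instance, CloudTrail settings being modified, and extra access keys being created. The block below is an added example, not material from the presentation, that runs those three detections over a handful of constructed CloudTrail records. Account id, IPs, user and trail names, and the role name "admin" behind the instance profile are assumptions made for the example; the instance id i-08d6cf0eaf210a552 is the one named on slide 22. It relies on CloudTrail recording calls made with instance-profile credentials as an AssumedRole identity whose role session name is the instance id, and on an inventory of which public or NAT address each instance calls AWS from.

```python
# Constructed sample CloudTrail records for this example (not real logs). Field
# names follow the CloudTrail record format; account id, IPs, user and trail
# names are made up. The instance id is the one from the slides; the role name
# "admin" behind its instance profile is an assumption.
INSTANCE_ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/admin/i-08d6cf0eaf210a552"
SAMPLE_EVENTS = [
    {
        "eventTime": "2019-05-09T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "bob"},
    },
    {
        "eventTime": "2019-05-09T10:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ROLE_ARN},
        "requestParameters": {"name": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/management-trail"},
    },
    {
        "eventTime": "2019-05-09T10:06:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "sourceIPAddress": "203.0.113.10",  # the instance's own public address: benign
        "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ROLE_ARN},
        "requestParameters": None,
    },
    {
        "eventTime": "2019-05-09T10:07:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "sourceIPAddress": "198.51.100.7",  # same credentials, foreign address
        "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ROLE_ARN},
        "requestParameters": None,
    },
]

# Constructed inventory: the public (or NAT) IP each instance is expected to use.
INSTANCE_PUBLIC_IPS = {"i-08d6cf0eaf210a552": "203.0.113.10"}

# CloudTrail API calls that change what gets logged.
CLOUDTRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def instance_id_from_identity(identity):
    """Return the instance id when the caller used instance-profile credentials.

    CloudTrail records such calls as an AssumedRole identity whose role session
    name (the last ARN segment) is the instance id; anything else yields None.
    """
    if identity.get("type") != "AssumedRole":
        return None
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name if session_name.startswith("i-") else None


def analyse_event(ev):
    """Return a list of alert strings for one CloudTrail record."""
    alerts = []
    name, source = ev.get("eventName"), ev.get("eventSource")
    identity = ev.get("userIdentity", {})
    params = ev.get("requestParameters") or {}

    # 1. Extra access keys for an existing user (the persistence step on slide 30).
    if source == "iam.amazonaws.com" and name == "CreateAccessKey":
        target = params.get("userName") or identity.get("userName")
        alerts.append(f"access key created for user {target} by {identity.get('arn')}")

    # 2. Changes to CloudTrail itself (the "hide your fingerprints" slides).
    if source == "cloudtrail.amazonaws.com" and name in CLOUDTRAIL_TAMPER_EVENTS:
        alerts.append(f"CloudTrail modified: {name} on {params.get('name')}")

    # 3. Instance-profile credentials used from an address the instance does not own.
    instance_id = instance_id_from_identity(identity)
    if instance_id is not None:
        expected = INSTANCE_PUBLIC_IPS.get(instance_id)
        if expected is not None and ev.get("sourceIPAddress") != expected:
            alerts.append(f"credentials of {instance_id} used from {ev.get('sourceIPAddress')} "
                          f"(expected {expected}) for {name}")
    return alerts


def analyse_log(records):
    """Run every record through analyse_event; returns (time, eventName, alert) tuples."""
    return [(ev["eventTime"], ev["eventName"], msg)
            for ev in records for msg in analyse_event(ev)]


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The expected-address inventory is the part that needs care: instances behind a NAT gateway share its address, and calls AWS makes on an instance's behalf carry a service name rather than an IP in sourceIPAddress, so both cases must be represented before the third rule is used for alerting. The StopLogging record deliberately triggers two rules, the CloudTrail change and the foreign source address, which is exactly the pairing a responder would want correlated.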

39. „Through 2022, at least 95% of cloud security failures will be the customer’s fault” (Gartner's report, source: https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/)

40. Extras
• CloudGoat: https://bit.ly/2TKxczt
• CloudGoat walkthrough: https://bit.ly/2u4QYXO
• Pacu: https://bit.ly/2SYJKyX
• KrkAnalytica CTF: https://bit.ly/2ZFF9Gh
• 7-Step Guide to SecuRing your AWS Kingdom: https://bit.ly/2EN7yAs
• CloudMapper: https://bit.ly/2NV6zSY
• Prowler: https://bit.ly/2kxy879

41. Do you have any questions? Could you give me any feedback? If so, contact me at: [email protected]
