Deep dive into cloud security - Jaimin Gohel & Virendra Rathore


Published on January 30, 2020




1. Deep-Dive into AWS Pentesting Cloud Security Workshop @NS Conclave @jaimin_gohel @VEERSAA1

2. Who am I? • Manager - Professional Services @ Net Square • Chapter Lead @ null Ahmedabad • Speaker • CTF Player (@jaimin_gohel)

3. Who am I? • Security Analyst @ Net Square • Speaker • Bug Hunter • Infosec Trainer (@VEERSAA1)

4. Agenda ● Intro to AWS services ● Intro to AWS CLI ● Attack Vectors for AWS ● Tools to pentest the AWS services ● Pentesting Most Used Services ● DEMO

5. Amazon AWS

6. Tech giants using Amazon AWS

7. AWS Services

8. AWS Compute Services ● EC2 ● Lambda ● Elastic Load Balancer ● Autoscaling

9. EC2 Amazon EC2 (Elastic Compute Cloud) is a web service interface that provides resizable compute capacity in the AWS cloud. It is designed to give developers complete control over web-scaling and computing resources.

10. Lambda AWS Lambda is an event-driven, serverless computing platform. It is a computing service that runs code in response to events and automatically manages the computing resources required by that code. ● Advanced version of EC2 ● It cannot be used to host an application ● Execution is by tasks ● Triggers are set up and Lambda executes the code ● E.g. file processing after a file upload

11. Elastic Load Balancer Amazon ELB allows you to make your applications highly available by using health checks and distributing traffic across a number of instances.

12. AutoScaling Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application.

13. AutoScaling (diagram: a group with a minimum, desired and maximum instance count is scaled up or down automatically as the load increases)

14. AWS Storage Services ● S3 ● Cloudfront ● Elastic Block Storage ● Glacier ● Snowball

15. S3 Amazon Simple Storage Service (Amazon S3) is a scalable, high-speed, web-based cloud storage service designed for online backup and archiving of data and applications on Amazon Web Services. ● It is an object-oriented file system. ● All files uploaded to S3 are treated as objects. ● These objects are stored in buckets. ● Buckets are the top-level folders at the root.

16. CloudFront It is a Content Delivery Network (CDN). ● Basically it is a caching service. ● It delivers the data through a network of data centers called edge locations. ● The main purpose of CloudFront is to provide a good user experience.

17. Elastic Block Storage Amazon Elastic Block Store (EBS) provides raw block-level storage that can be attached to Amazon EC2 instances and is used by Amazon Relational Database Service (RDS). ● It is basically the hard drive of an EC2 instance ● It cannot be used independently

18. Amazon Glacier Amazon Glacier is an online file storage web service that provides storage for data archiving and backup. ● Low-price storage ● It uses magnetic tapes, hence it is cheap storage

19. Snowball It is an AWS service for transferring data physically to the AWS infrastructure. ● Snowball is a physical device (50-80 TB) which is used to transfer data.

20. Snowmobile ● Can be used to transfer data from your datacenter to AWS. ● 100 petabytes of data per Snowmobile

21. AWS Database Service ● RDS ● Aurora ● DynamoDB ● ElastiCache

22. Relational Database Service Amazon Relational Database Service (Amazon RDS) is a managed SQL database service provided by Amazon Web Services (AWS). ● Updates to the DB engine ● Patching automation

23. Aurora Amazon Aurora is a fully managed relational database engine that's compatible with MySQL and PostgreSQL. ● It is custom-built by Amazon ● It is based on MySQL ● 5x faster than a traditional MySQL DB

24. DynamoDB Amazon DynamoDB is a fully managed NoSQL database service that lets you create database tables that can store and retrieve any amount of data. It automatically spreads the data traffic of tables over multiple servers and maintains performance. ● Only NoSQL databases are managed by DynamoDB ● Updating and patching is done automatically ● Auto-scaling Note: DynamoDB is a fully managed proprietary NoSQL database service

25. ElastiCache Amazon ElastiCache is a fully managed caching service. ● It is protocol-compliant with Memcached ● It is used to set up, manage and scale a distributed cache environment in the cloud.

26. AWS Networking Service ● VPC ● Direct Connect ● Route 53

27. VPC, Direct Connect and Route 53 Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. ● Simulates an environment similar to a private data center ● Provides scalability in the virtual environment. AWS Direct Connect is a network service that allows a customer to establish a dedicated network connection between AWS and the customer's data center. ● It's a leased line to the AWS infrastructure. Amazon Route 53 is a scalable domain name system (DNS) service intended to give businesses and developers a reliable way to direct end users to applications.

28. AWS Management Services ● CloudWatch ● CloudFormation ● CloudTrail ● CLI

29. CloudWatch, CloudFormation and CloudTrail CloudWatch is a component of Amazon Web Services (AWS) that provides monitoring for AWS resources and the customer applications running on the AWS infrastructure. CloudFormation is a service that provides customers with the tools they need to create and manage their infrastructure. ● It helps create templates of the infrastructure and then replicate them to another instance ● Like taking a snapshot of the current infra and making another instance ● Helps with version control. CloudTrail is an API service that enables governance, compliance, operational auditing, and risk auditing of your AWS infrastructure. ● Simplifies security analysis, resource change tracking, and troubleshooting ● Provides an event history of your AWS account activity

30. CloudFormation template flow: create or use a template, save it to an S3 bucket, then use CloudFormation to create a stack based on the template and construct the stack resources.

31. AWS CLI The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services. ● Control multiple AWS services ● Automation using scripts ● Just a CLI version of the AWS GUI

32. IAM - Identity and Access Management IAM enables you to securely control access to AWS services and resources for your users. Create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

33. IAM - Components Policies: To assign permissions to a user, group, role or resource, you create a policy, which is a document that explicitly lists permissions. Users: Using IAM, you can create and manage users, and use permissions to allow and deny their access to AWS resources. Groups: The users created can also be divided among groups, and the rules and policies that apply to the group then apply at the user level as well. Roles: An IAM role is an entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications or AWS services such as EC2.

34. Walkthrough of AWS console

35. MOST Used Services ● AWS EC2 ● AWS S3 ● AWS RDS ● Lambda ● IAM

36. Incidents that happen ● Uber: committed their AWS access key to their GitHub page ● Accenture and a lot of others: misconfigured S3 buckets ● Tesla: unsecured IT admin console panel

37. Test cases ● What if we only need to pentest the cloud environment ● What if we find AWS keys ○ Github commits ○ Social engineering/phishing ○ Password reuse ○ Web application vulnerabilities ■ SSRF ■ Local file read

38. S3 Agenda ● S3 bucket policies and ACLs ● S3 common misconfigurations ● S3 bucket pentesting ○ Demo

39. Find S3 buckets ● Google the domain and see if any history of it exposes the bucket name. ● Look at the web interface of the target (comments etc.). ● Brute-force bucket names. Keep in mind anyone can create a bucket named "Company Name".

40. Ways to give permissions to users ● ID / emailAddress ● AuthenticatedUsers: anyone with a valid set of AWS credentials ● AllUsers: anyone can make PUT object / GET object requests, depending on the policy

41. S3 Bucket policies ● S3 bucket policies are similar to IAM policies in that they allow access to resources via a JSON document. ● However, bucket policies are applied to buckets in S3, whereas IAM policies are assigned to users/groups/roles and are used to govern access to any AWS resource through the IAM service. ● When a bucket policy is applied, the permissions assigned apply to all objects within the bucket. The policy specifies which 'principals' (users) are allowed to access which resources.

42. S3 Bucket policies ● Example bucket policy

43. S3 Bucket ACLs READ ● At the bucket level, this allows the grantee to list the objects in a bucket. At the object level, this allows the grantee to read the contents as well as the metadata of an object. READ_ACP ● At the bucket level, this allows the grantee to read the bucket's access control list. At the object level, this allows the grantee to read the object's access control list.

44. S3 Bucket ACLs WRITE ● At the bucket level, this allows the grantee to create, overwrite, and delete objects in a bucket. WRITE_ACP ● At the bucket level, this allows the grantee to set an ACL for a bucket. At the object level, this allows the grantee to set an ACL for an object.

45. S3 Bucket ACLs FULL_CONTROL ● At the bucket level, this is equivalent to granting the READ, WRITE, READ_ACP, and WRITE_ACP permissions to a grantee.

46. Scenario ● You have access to the AWS credentials of a low-privilege user with S3 permissions (user for analytics; hard-coded creds in JS) ● Public access is set for any of the below: ● List objects ● Write objects ● Read bucket permissions ● Write bucket permissions

47. Amazon S3 REST API ● Requests to Amazon S3 can be authenticated or anonymous. ● Authenticated access requires credentials that AWS can use to authenticate your requests.

48. S3 Bucket ACLs

49. S3 Bucket Common Vulnerabilities Improper ACL permissions: The ACL of the bucket is often found to be world-readable. This does not necessarily imply a misconfiguration of the bucket itself; however, it may reveal which users have what type of access. Unauthenticated bucket access: As the name implies, an S3 bucket can be configured to allow anonymous users to list, read and/or write to a bucket. Semi-public bucket access: An S3 bucket is configured to allow access to "authenticated users". This, unfortunately, means anyone authenticated to AWS. A valid AWS access key and secret is required to test for this condition.
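As an added defender-side example (not part of the original deck), the following Python audit covers the two exposure classes above and the AllUsers/AuthenticatedUsers grantees from slide 40: it flags bucket-policy statements open to every principal and classifies ACL grants as public or semi-public. It assumes the Grants list shape returned by aws s3api get-bucket-acl and the policy JSON from get-bucket-policy; the sample inputs are constructed.

```python
import json

# Grantee URIs that make an S3 ACL grant public or semi-public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(principal):
    # Principal may be the string "*" or a map such as {"AWS": "*"} / {"AWS": [...]}.
    if isinstance(principal, str):
        return [principal]
    return [p for v in principal.values() for p in _as_list(v)]

def public_policy_statements(policy_json):
    """(Sid, actions) of Allow statements whose Principal is "*" with no Condition."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and conditioned grants are not open to everyone
        if "*" in _principals(stmt.get("Principal", {})):
            findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))))
    return findings

def acl_exposure(grants):
    """Classify get-bucket-acl grants: AllUsers is public, AuthenticatedUsers semi-public."""
    exposure = {"public": [], "semi-public": []}
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri == ALL_USERS:
            exposure["public"].append(grant["Permission"])
        elif uri == AUTH_USERS:
            exposure["semi-public"].append(grant["Permission"])
    return exposure

# Constructed sample inputs (not from any real account).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]})
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]

if __name__ == "__main__":
    print(public_policy_statements(SAMPLE_POLICY))  # [('PublicRead', ['s3:GetObject'])]
    print(acl_exposure(SAMPLE_GRANTS))              # public WRITE, semi-public READ
```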

50. S3 Bucket Pentesting 1. AWS Account 2. AWS CLI on the host computer 3. Vulnerable S3 buckets 4. Tools a. Pacu b. S3Scanner

51. READ

52. Write



55. Tools ● bucket_finder ● S3Scanner ● S3-inspector ● AWSBucketDump

56. S3 scanner Demo

57. Possible Vulnerabilities ● Stored and reflected cross-site scripting ● Causing availability issues ● Sensitive information disclosure ● Remote code execution (hosting malware)

58. Pentesting EC2 ● Why everyone needs to pentest their cloud ● Intro to AWS EC2 ● Tools to pentest the ec2 ● Attack Vectors ● Demo SSRF to RCE

59. Cloudgoat CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios. ● Focused, Curated, High-Quality Learning Experiences ● Created and maintained by Rhino Security ● Provides Modularity and Expandability

60. AWS attack vectors for EC2 ● Enumerating Instances, Security Groups, and AMIs to stage EC2 attacks ● Abusing Simple Systems Manager for remote access to instances ● Analyzing EC2 User Data for secrets or system credentials ● Identifying routes between VPCs for lateral movement and escalation

61. Tools you'll need to pentest EC2 1. Vulnerable EC2 instance 2. Tools 2.1 AWS CLI 2.2 PACU

62. PACU Pacu is an open source AWS exploitation framework, designed for offensive security testing against cloud environments. ● Created and maintained by Rhino Security Labs ● Pacu allows penetration testers to exploit configuration flaws within an AWS account ● Can perform permissions enumeration, privilege escalation, enumeration of EC2 instances, establishing backdoor persistence in an account, and remote code execution as root/SYSTEM on EC2

63. Let’s PWN EC2

64. Pentesting IAM ● Features of IAM ● Terminology for IAM ● Tools to pentest IAM ● Attack Vectors ● Demo

65. Features of IAM ● Centralized control of your AWS account ● Shared access to your AWS account ● Granular Permissions ● Identity Federation (including Active Directory, Facebook, LinkedIn etc) ● Multi-factor Authentication. ● Provides temporary access for users/devices and services when necessary ● Allows you to set up your own password rotation policy ● Integrates with many different AWS services ● Supports PCI DSS compliance

66. Terminology for IAM ● Users ○ End Users such as people, employees of an organization etc ● Groups ○ A collection of users, each user in the group will inherit the permissions from the group. ● Policies ○ Policies are made up of documents, called Policy documents. These documents are in a format called JSON and they give permissions as to what User/Group/Role is able to do. ● Roles ○ You create roles and then assign them to AWS Resources.

67. Attack Vector ● There are 21 different methods to escalate IAM privileges ○ Create an access key for another user ○ Create a new policy version ○ Attach a policy to a user/group/role ○ Create/update an inline policy for a user/group/role ○ Add a user to a group

68. IAM Demo

69. Create access key for another user ● An attacker whose IAM policy allows iam:CreateAccessKey can create new keys ● This allows them to create an access key for any user. Command: aws iam create-access-key --user-name target-user

70. Attaching a policy to a user ● An attacker can escalate privileges by attaching a policy using iam:AttachUserPolicy. Command: aws iam attach-user-policy --user-name my_username --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

71. Normal user policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "*"
    }
  ]
}

72. Admin policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
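As an added example (not from the deck, and not the "AWS Privileges Escalation scanner" or Pacu listed later), the following Python triage check reads an IAM policy document and reports which of the escalation-capable actions from the attack-vector slide it allows, honouring IAM's wildcard action matching and explicit Deny statements. It is run against the two policy documents above plus one constructed developer policy (assumed, not from any real account).

```python
import fnmatch
import json

# Escalation-capable IAM actions named on the slides (plus their group/role variants).
ESCALATION_ACTIONS = {
    "iam:CreateAccessKey",      # create an access key for another user
    "iam:CreatePolicyVersion",  # create a new default version of an attached policy
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",  # inline policies
    "iam:AddUserToGroup",       # add a user to a more privileged group
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _patterns(policy_json, effect):
    """Lowercased Action patterns of every statement with the given Effect."""
    out = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") == effect:
            out.extend(a.lower() for a in _as_list(stmt.get("Action", [])))
    return out

def escalation_paths(policy_json):
    """Sorted escalation-capable actions the policy allows and does not explicitly deny.
    IAM matches action names case-insensitively with '*' and '?' wildcards (fnmatch
    reproduces this). Resource and Condition scoping are ignored: treat as a triage list."""
    allowed = _patterns(policy_json, "Allow")
    denied = _patterns(policy_json, "Deny")
    hits = []
    for action in ESCALATION_ACTIONS:
        name = action.lower()
        if (any(fnmatch.fnmatchcase(name, p) for p in allowed)
                and not any(fnmatch.fnmatchcase(name, p) for p in denied)):
            hits.append(action)
    return sorted(hits)

# The two policy documents from the slides, plus one constructed developer policy.
NORMAL_USER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]})
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
DEV_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in [("normal", NORMAL_USER_POLICY), ("admin", ADMIN_POLICY), ("dev", DEV_POLICY)]:
        print(name, escalation_paths(doc))  # normal [], admin all nine, dev only CreatePolicyVersion
```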

73. Tools ● AWSCli ● Pacu ● AWS Privileges Escalation scanner ● IAM user enum ● AWS honey check

74. Best Practices for IAM ● Users – Create individual users. ● Groups – Manage permissions with groups. ● Permissions – Grant least privilege. ● Auditing – Turn on AWS CloudTrail. ● Password – Configure a strong password policy. ● MFA – Enable MFA for privileged users. ● Roles – Use IAM roles for Amazon EC2 instances. ● Sharing – Use IAM roles to share access. ● Rotate – Rotate security credentials regularly. ● Conditions – Restrict privileged access further with conditions. ● Root – Reduce or remove use of root.

75. How can a Lambda function be executed? ● Manually in the Lambda console ● AWS SDK to call the Lambda API ● HTTP request via API Gateway ● Events raised in AWS (S3 operations, Kinesis stream)

76. Use cases ● Data processing ○ Real-time File Processing ○ Real-time Stream Processing ○ Extract, Transform, Load ● Backends ○ IoT Backends ○ Mobile Backends ○ Web Applications

77. Example 1 ● An image is uploaded to the S3 bucket ● AWS Lambda is triggered ● Images are processed and converted into thumbnails based on the devices

78. Example 2 ● AWS Kinesis gathers hashtag trending data ● AWS Lambda is triggered ● Data is stored in a database and can later be used for analysis

79. Attack Vectors ● Attacking Lambda function with Read access ● Attacking Lambda functions with read and write access

80. Resources

81. Thank You!
