Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Step by step AWS Cloud Hacking

andresriancho
September 25, 2020
Technology
0
530

Step by step AWS Cloud Hacking

andresriancho

September 25, 2020
Tweet

More Decks by andresriancho

See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
2
2.5k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
8.6k
Threat Modelling
andresriancho
0
800
Automated Security Analysis AWS Clouds
andresriancho
1
2.5k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
130
Galería de Fallos en Unicornios
andresriancho
1
83
Esoteric Web Application Vulnerabilities
andresriancho
0
590
String Compare Timing Attacks
andresriancho
0
390
Timing Attacks
andresriancho
1
150

Other Decks in Technology

See All in Technology
教えない新人研修 - 新人研修 is social change. - #xpjug
takaking22
0
470
PHPカンファレンス2022 東京 登壇資料 (スポンサーLT)
sdx_
0
130
Xamarin.Formsライブラリを MAUIに移植した話
muak
0
120
MaintainabilityIndexを 計測しながらコードの保守性を 改善している話
toya108
0
200
人と技術のモダナイズをScrumで実証してみた
koichimatsui
0
370
SNS連動型_サイネージ運用.pdf
bau
0
160
Drivemode 会社資料 (採用向け) - We are hiring!
drivemode
0
370
TokyoR#101_RegressionAnalysis
kilometer
0
140
Modularising the Monolith - PHP Conference Japan 2022
avosalmon
1
520
現場の泥臭い話を「QAマネジメント」という言葉で定義してみかわ
sadonosake
0
410
KPTに慣れたチームがよりよい振り返りを行うために、K/P/Tのそれぞれにフォーカスをあてた考察
m3hiro3
5
620
失われたグラフを求めて
bob3bob3
1
390

Featured

See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
48
7.7k
Building Adaptive Systems
keathley
25
1.2k
What's in a price? How to price your products and services
michaelherold
230
9.5k
How to name files
jennybc
44
66k
KATA
mclloyd
7
9k
Robots, Beer and Maslow
schacon
152
7.2k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
21
1.5k
From Idea to $5000 a Month in 5 Months
shpigford
374
44k
Learning to Love Humans: Emotional Interface Design
aarron
261
37k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
42
13k
The Invisible Customer
myddelton
111
11k
How to train your dragon (web standard)
notwaldorf
62
4k

Transcript

  1. Ekoparty 2020 Andrés Riancho

  2. 2

  3. 3

  4. None

  5. 5

  6. need credentials • • • 6

  7. 7

  8. IAM permissions 8

  9. 9 http://169.254.169.254/ /latest/meta-data/iam/security-credentials/ /latest/meta-data/iam/security-credentials/{role-name}

  10. 10

  11. 11 from urllib.request import urlopen from flask import request @app.route('/ssrf')

    def handler(): url = request.args.get('url') return urlopen(url).read()

  12. Instance metadata and S3 compromise

  13. 13

  14. None

  15. two ways to enumerate permissions IAM service In most cases

    this will fail brute-force 15

  16. Get* / List* / Describe* DryRun parameter 16

  17. 17 SUPPORTED_SERVICES = [ 'ec2', 's3' ]

  18. 18

  19. ./enumerate-iam.py

  20. 20

  21. many things the attacker doesn't know. 21 { "Statement":[ {

    "Effect":"Allow", "Action":[ "s3:*", "lambda:*", "..." ], "Resource":"*" } ] }

  22. try to elevate privileges to a principal with full access

    22 { "Statement":[ { "Effect":"Allow", "Action":[ "*", ], "Resource": "*" } ] }

  23. Lambda function will have access to the IAM role 23

  24. Getting * on *

  25. None

  26. existing trust policy in the AdminRole 26

  27. 27

  28. 28 { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::925877178748:root" }, "Action":

    "sts:AssumeRole" } { "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::925877178748:root", "arn:aws:iam::320222540496:root"] }, "Action": "sts:AssumeRole" }

  29. Never trust the trust policy

  30. 30 ARN for the backdoored role

  31. None

  32. 32 most resources in the AWS account VPC is completely

    isolated from the Internet
  33. None

  34. 34 VPN between the attacker's workstation and a VPC

  35. 35

  36. vpc-vpn-pivot

  37. None

  38. From zero to full pwn

  39. None

  40. 40 • enumerate-iam • pacu • vpc-vpn-pivot Follow @AndresRiancho

  41. None