AWS IAM Privilege Escalation Methods

AWS IAM Privilege Escalation Methods

Presented at null Dubai Meet 26 July 2019 Monthly Meet

95dc04de5f5eca79b14a48ebcdaf43cf?s=128

Pralhad Chaskar

July 26, 2019
Tweet

Transcript

  1. AWS IAM Privilege Escalation Methods Pralhad Chaskar (@c0d3xpl0it)

  2. None
  3. Recap of AWS • ACCESS_KEYS → Identifier of the user

    in account • SECRET_ACCESS_KEY → Password needed to authenticate • SESSION_TOKEN → Security Token • AWS CLI → Console client written in python that allows a user to interact with the different services offered by AWS
  4. Permission Policies

  5. Privilege Escalation in the cloud • Misconfiguration of identity and

    access management (IAM) policies • Manipulation of APIs • Cloud provider vulnerabilities https://searchcloudsecurity.techtarget.com/tip/3-reasons-privilege-escalation-in-the-cloud-works
  6. For Auditors/Pentesters/BlueTeamer Take one user per role in order to

    check Privilege Escalation possibility and feed the ACCESS_KEYS, SECRET_ACCESS_KEY, SESSION_TOKEN to below demo’ed tools.
  7. AWS_ESCALATE.py https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/aws_escalate

  8. PACU • Pacu is an open source AWS exploitation framework,

    designed for offensive security testing against cloud environments. Below are some capabilities/modules • RECON_UNAUTH • ENUM • ESCALATE (run iam__privesc_scan) • LATERAL_MOVE • EXPLOIT • PERSIST • EXFIL • EVADE https://github.com/RhinoSecurityLabs/pacu
  9. None
  10. Demo

  11. References • https://github.com/RhinoSecurityLabs/Cloud-Security- Research/tree/master/AWS/aws_escalate • https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details • https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation

  12. None