Slide 1

Slide 1 text

Relentlessly Secure. Mining Cloud Resources For Initial Access

Slide 2

Slide 2 text

Introduction

Slide 3

Slide 3 text

About Me
Bryce Kunz, @TweekFawkes
• Defense: DHS SOC
• Offense: NSA Red Team
• Adobe DX

Slide 4

Slide 4 text

Cloud Security Challenges
• Borderless networks with continuously evolving workloads and data
• Alert and vulnerability fatigue
• Constant threats and public exploits (ransomware)
• Manual, inconsistent processes, often relying on legacy attack surface discovery and identification techniques
• Explosion of cloud and container workloads, with security tools in use that were not designed to work together
• Difficulty rising above the daily firefighting to track KPIs and drive improvement
• Global talent shortage

Slide 5

Slide 5 text

Attack. Detect. Defend. Repeat In cybersecurity there are only two teams, and it’s not red and blue. It’s the good guys and the bad guys. At S2, we break down the barriers between red team and blue team so threats don’t break down your defenses. We simulate the advanced threats your enterprise faces and automate detection and response, all in one Adversary Simulation/Detection and Response platform MAGE. With continuous red-team, we find the latest vulnerabilities not just the threats bad actors know you know about. And with as-a-service offerings, it’s expertise that protects your enterprise and your budget.

Slide 6

Slide 6 text

Red Teaming as a Service
OSINT:
• OSINT++, Secrets in Repos
• Subdomain Takeovers
• Breached Creds, Dark CTI
External Analysis - EASM:
• Service & Port Discovery
• Web App Enumeration, IoT
• Weak Credential Checks
Cloud Analysis - CSPM:
• Public Service Discovery
• Access Misconfigurations
• Best Practices (e.g. CIS)
Client Experience: Targeting & Analysis, Interactive Operations

Slide 7

Slide 7 text

Red Teaming as a Service

Slide 8

Slide 8 text

Red Teaming as a Service

Slide 9

Slide 9 text

PTaaS/RTaaS – Continuous Testing

Slide 10

Slide 10 text

Agenda

Slide 11

Slide 11 text

Agenda:
• Compute Services
• AWS Account IDs
• AWS SAM
• Finding Account IDs w/ SAM
• List EBS Snapshots
• EBS Snapshot Metadata
• EBS Snapshot Mining
• EBS Snapshot Direct Downloads
• AMIs
• RDS
• Other Services
• Cloud Redirection
• Logging Disruption
• Conclusion

Slide 12

Slide 12 text

Prior Research & Tools
• Many blogs, etc.: TechTarget, RedLock, etc.
• BF/Dufflebag, Rhino, etc.
• PA Unit42/Crypsis, etc.
• AWS Docs: “Share an ... EBS snapshot”, “…EBS direct APIs...”
• AWS Labs: ColdSnap, etc.
New Research/Tools vs Prior Research
New Content & Tools: GitHub.com/Stage2Sec/CaptureTheCloud/Mining/
• createListsOfPublicEbsSnapshots.py
• createMetadataOfPublicEbsSnapshots.py
• downloadEbsSnapshotViaDirectAPIs.py

Slide 13

Slide 13 text

Compute Services

Slide 14

Slide 14 text

What is EC2?
Elastic Compute Cloud (EC2)
• Virtual Servers service
(Diagram: EC2 Instances inside an AWS Account)

Slide 15

Slide 15 text

What is EBS?
Elastic Block Store (EBS)
• Block-Storage service designed for EC2
(Diagram: EBS and EC2 Instances inside an AWS Account)

Slide 16

Slide 16 text

What is an EBS Volume?
EBS Volume
• Disk attached to an EC2 Instance
(Diagram: EBS Volume attached to an EC2 Instance inside an AWS Account)

Slide 17

Slide 17 text

What is an EBS Snapshot?
EBS Snapshot
• A point-in-time copy of the data
(Diagram: EBS Volume → Snapshot; EC2 Instances; AWS Account)

Slide 18

Slide 18 text

What is an EBS Snapshot?
EBS Snapshot
• A point-in-time copy of the data
Incremental Backups
• Only the blocks on the device that have changed AFTER your most recent snapshot are saved
(Diagram: EBS Volume → Snapshot; EC2 Instances; AWS Account)

Slide 19

Slide 19 text

Sharing EBS Snapshots
EBS Snapshot Sharing Options:
• Globally
• AWS Account ID
(Diagram: EBS Volume → Snapshot; EC2 Instances; AWS Account → Global Cloud)
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

Slide 20

Slide 20 text

Sharing Snapshots?
(Diagram: EBS Volume → Snapshot shared from the AWS Account to the Global Cloud)
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

Slide 21

Slide 21 text

Sharing EBS Snapshots
Sharing Considerations:
• Snapshots are constrained to the Region in which they were created
• You can share only unencrypted snapshots publicly
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

Slide 22

Slide 22 text

AWS: ACCOUNT IDS

Slide 23

Slide 23 text

AWS Account IDs …

Slide 24

Slide 24 text

Known Attacks via Knowing Account IDs
AWS error messages disclose whether a role exists or not for a given Account ID. Role names can disclose:
• AWS Services being used
• Software & Technologies being used
• Names of IAM users (social engineering)
• 3rd party integrations being used (Okta, Datadog, Cloudsploit, etc.)
Once roles are enumerated, one can try to assume any open roles and pilfer the role credentials. The same attack vector applies to IAM usernames.
https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
https://rhinosecuritylabs.com/aws/aws-iam-user-enumeration/
https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_iam_principals.py

Slide 25

Slide 25 text

Known Ways to Discover Account IDs
Including, but not limited to:
• Compromise a resource (e.g. Lambda, etc.)
• Public resources (e.g. Snapshots, AMI, etc.)
• Source Code Review (e.g. GitHub)
• Error Messages from Services
• Screenshots and/or Documentation
• Forums and/or Discussion Boards
• etc. …

Slide 26

Slide 26 text

Known Ways to Discover Account IDs
By default, the login URL for the web console includes the Account ID as a subdomain. That subdomain returns different HTTP response codes depending on whether a login page exists.
NOTE: The URL can be changed by the owner of the AWS account, and this is done somewhat frequently.
https://github.com/dagrz/aws_pwn/blob/master/miscellanea/Kiwicon%202016%20-%20Hacking%20AWS%20End%20to%20End.pdf

Slide 27

Slide 27 text

Public Resources
e.g. Sharing EBS Snapshots… …also shares the Account ID globally
(Diagram: EBS Volume → Snapshot shared from the AWS Account to the Global Cloud)
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

Slide 28

Slide 28 text

AWS: SAM

Slide 29

Slide 29 text

Serverless Application Model (SAM) https://aws.amazon.com/serverless/build-a-web-app/

Slide 30

Slide 30 text

Cloud9 IDE AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser. https://aws.amazon.com/cloud9/

Slide 31

Slide 31 text

API Gateway API Proxy (HTTP or REST) as a managed service https://aws.amazon.com/api-gateway/

Slide 32

Slide 32 text

Lambda https://aws.amazon.com/lambda/ AWS Scripts as a managed service

Slide 33

Slide 33 text

Lambda & API GW
Request: curl -> API GW -> Lambda
Response: curl <- API GW <- Lambda

Slide 34

Slide 34 text

2020: SaintCon

Slide 35

Slide 35 text

2020 SaintCon: Finding Accounts https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html

Slide 36

Slide 36 text

2020 SaintCon: Video w/ More Information… SaintCon.org Oct 18th-22nd
https://www.youtube.com/watch?v=oFgAQ0hSCOg

Slide 37

Slide 37 text

List EBS Snapshots

Slide 38

Slide 38 text

Listing
e.g. Sharing EBS Snapshots… …also shares the Account ID globally
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

Slide 39

Slide 39 text

Boto3 Script
Script to list public EBS snapshots in each region using Python & the Boto3 SDK.
https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py

Slide 40

Slide 40 text

Boto3 Script
Output columns: Account ID#, Snap-#, Enc, Region, Date
https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py

Slide 41

Slide 41 text

GitHub.com/Stage2Sec
https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py
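The listing script above reads the public snapshot catalogue from the outside. As an added example (not the Stage2Sec code), the block below turns that into an owner-side audit: it asks each region for the caller's own snapshots that the `all` group may restore and emits the same columns. The boto3-style client calls and the `FakeEc2` stand-in are assumptions.

```python
"""Audit the caller's own AWS account for publicly shared EBS snapshots.
Added example, not the Stage2Sec listing script: rather than enumerating every
public snapshot in a region, it asks each region for snapshots the caller owns
that the 'all' group may restore, the condition that publishes a snapshot and its
owner's account ID globally. Takes any boto3-style EC2 client; FakeEc2 is a
constructed stand-in so the module runs offline.
"""
from datetime import datetime, timezone

def own_public_snapshots(ec2):
    """Yield the caller's publicly restorable snapshots, following NextToken."""
    kwargs = {"OwnerIds": ["self"], "RestorableByUserIds": ["all"]}
    while True:
        page = ec2.describe_snapshots(**kwargs)
        yield from page.get("Snapshots", [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def public_snapshot_rows(ec2, region):
    """(account_id, snapshot_id, encrypted, region, date) rows, the columns the
    listing script emits; Encrypted is always False for a public snapshot because
    only unencrypted snapshots can be shared publicly."""
    return [(s["OwnerId"], s["SnapshotId"], s.get("Encrypted", False), region,
             s["StartTime"].date().isoformat()) for s in own_public_snapshots(ec2)]

def audit_regions(client_for_region, regions):
    """client_for_region(name) returns an EC2 client for that region, e.g.
    lambda r: boto3.client("ec2", region_name=r). Returns {region: rows}."""
    findings = {}
    for region in regions:
        rows = public_snapshot_rows(client_for_region(region), region)
        if rows:
            findings[region] = rows
    return findings

class FakeEc2:
    """Constructed offline stand-in: serves canned pages chained by NextToken."""
    def __init__(self, pages):
        self.pages = pages
    def describe_snapshots(self, **kwargs):
        idx = int(kwargs.get("NextToken", "0"))
        page = dict(self.pages[idx])
        if idx + 1 < len(self.pages):
            page["NextToken"] = str(idx + 1)
        return page

# Constructed sample data: placeholder account ID, two result pages.
SAMPLE_PAGES = [
    {"Snapshots": [{"OwnerId": "111111111111", "SnapshotId": "snap-0aaa", "Encrypted": False,
                    "StartTime": datetime(2021, 3, 4, 12, 0, tzinfo=timezone.utc)}]},
    {"Snapshots": [{"OwnerId": "111111111111", "SnapshotId": "snap-0bbb", "Encrypted": False,
                    "StartTime": datetime(2021, 5, 6, 8, 30, tzinfo=timezone.utc)}]},
]
```

Any row returned is a snapshot (and account ID) that is visible to every AWS account in that region, so the expected result for a well-kept account is an empty dict.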

Slide 42

Slide 42 text

EBS Snapshot Metadata

Slide 43

Slide 43 text

Metadata
e.g. Sharing EBS Snapshots… …also shares the Account ID globally… …& metadata about each snapshot…
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html


Slide 45

Slide 45 text

Metadata
e.g. Sharing EBS Snapshots… …also shares the Account ID globally… …& metadata about each snapshot…
https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py

Slide 46

Slide 46 text

Search Metadata
e.g. Sharing EBS Snapshots… …also shares the Account ID globally… …& metadata about each snapshot…
https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py

Slide 47

Slide 47 text

GitHub.com/Stage2Sec
https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py

Slide 48

Slide 48 text

EBS Snapshots Mining

Slide 49

Slide 49 text

Defcon 2019/DuffleBag
https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py
https://www.youtube.com/watch?v=-LGR63yCTts

Slide 50

Slide 50 text

EBS Snapshot Direct Downloads

Slide 51

Slide 51 text

EBS Direct DL APIs
Newer AWS APIs enable direct download of EBS snapshots. See ColdSnap by AWS & other projects.
https://github.com/awslabs/coldsnap


Slide 54

Slide 54 text

GitHub.com/Stage2Sec
https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/downloadEbsSnapshotViaDirectAPIs.py

Slide 55

Slide 55 text

AMI

Slide 56

Slide 56 text

What is an AMI?
Amazon Machine Image (AMI)
• Information to launch an EC2 Instance
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html

Slide 57

Slide 57 text

Public AMIs?
Amazon Machine Image (AMI)
• Information to launch an EC2 Instance
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html


Slide 59

Slide 59 text

RDS

Slide 60

Slide 60 text

What is RDS?
Relational Database Service (RDS)
• Relational database in the cloud
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

Slide 61

Slide 61 text

What is an RDS Snapshot?
RDS Snapshot
• RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html

Slide 62

Slide 62 text

Public RDS Snapshots?
Relational Database Service (RDS)
• Relational database in the cloud
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html


Slide 64

Slide 64 text

Other Public Resources

Slide 65

Slide 65 text

Other Public Resources?
https://github.com/SummitRoute/aws_exposable_resources
Includes:
• ECR
• Lambda
• SAR
• Vault
• KMS
• MediaStore
• SNS/SQS
• FPGA
• etc…

Slide 66

Slide 66 text

AWS: Cloud Redir

Slide 67

Slide 67 text

Post Exploitation Toolkit
Post-Exploitation Offensive Operator Toolkit
• Custom Process Injection & AV Evasion
  • Stay Hidden & Undetected on Endpoints
• Memory Only Scripting & Binaries
  • Python, C#, Powershell, .NET
  • PEs, DLLs, ELFs, SOs, Mach-Os, Bundles
• Lateral Movement
  • Active Directory Enumeration (i.e. BloodHound / SharpHound)
  • Kerberoasting, Pass-The-Hash, WMI, etc.
• Infinite Pivoting/Chaining
  • Enabling access to systems otherwise inaccessible from the Internet
• Cross Platform
  • MacOS, Linux, Windows (x86)
  • Android, iOS, IoT (ARM)
• Team Collaboration, Multi-Threading
Stage2Sec.com/Voodoo

Slide 68

Slide 68 text

Slide 69

Slide 69 text

Slide 70

Slide 70 text

Slide 71

Slide 71 text

Slide 72

Slide 72 text

Intro to Community Edition of VooDoo
https://www.stage2sec.com/voodoo
Ref: https://www.youtube.com/watch?v=NY1AODrBv6Y

Slide 73

Slide 73 text

API Gateway: Trusted Domains & Certs https://github.com/Stage2Sec/CaptureTheCloud/boomerangApi-v0_2.py

Slide 74

Slide 74 text

API Gateway: Curl Test https://github.com/Stage2Sec/CaptureTheCloud/boomerangApi-v0_2.py

Slide 75

Slide 75 text

API Gateway: C2 via VooDoo https://github.com/Stage2Sec/CaptureTheCloud/boomerangApi-v0_2.py

Slide 76

Slide 76 text

AWS: Log Disruption

Slide 77

Slide 77 text

CloudTrail …

Slide 78

Slide 78 text

CloudTrail: Buffering …

Slide 79

Slide 79 text

CloudTrail: Suspicious Notable …

Slide 80

Slide 80 text

CloudTrail: DeleteTrail …

Slide 81

Slide 81 text

Delete & Create w/ Attacker Bucket …

Slide 82

Slide 82 text

Disrupting AWS Logs
https://www.youtube.com/watch?v=V0EytWYrpw8&t=437s
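The snapshot-sharing slides (19 and 27) and the CloudTrail slides (77 through 82) each describe an action that leaves a CloudTrail record. The block below is an added example, not code from the talk or its repository: a small triage over constructed CloudTrail records that flags `ModifySnapshotAttribute` calls granting the `all` group, plus trail deletion, stopping, or redirection to a bucket outside an assumed allow-list (`TRUSTED_LOG_BUCKETS` is a placeholder).

```python
"""Flag CloudTrail events that share an EBS snapshot publicly or disrupt logging.
Added example, not code from the talk or its repo. Rule 1: ModifySnapshotAttribute
granting createVolumePermission to the 'all' group, the sharing that exposes a
snapshot and its owner's account ID globally. Rule 2: DeleteTrail, StopLogging, or
Update/CreateTrail pointing a trail at a bucket outside an assumed allow-list.
Field names follow CloudTrail's JSON records; the sample events are constructed.
"""
import json

TRUSTED_LOG_BUCKETS = {"corp-cloudtrail-logs"}  # assumed allow-list, not from the talk

def snapshot_made_public(event):
    """True when the request adds the 'all' group to createVolumePermission."""
    if event.get("eventName") != "ModifySnapshotAttribute":
        return False
    perm = (event.get("requestParameters") or {}).get("createVolumePermission", {})
    return any(i.get("group") == "all" for i in perm.get("add", {}).get("items", []))

def trail_disrupted(event, trusted=TRUSTED_LOG_BUCKETS):
    """True for a deleted/stopped trail or one pointed at an untrusted bucket."""
    if event.get("eventSource") != "cloudtrail.amazonaws.com":
        return False
    name = event.get("eventName")
    if name in ("DeleteTrail", "StopLogging"):
        return True
    bucket = (event.get("requestParameters") or {}).get("s3BucketName")
    return name in ("UpdateTrail", "CreateTrail") and bucket is not None and bucket not in trusted

def triage(records):
    """Return (eventTime, rule, detail, actor ARN) tuples for matching records."""
    findings = []
    for ev in records:
        params = ev.get("requestParameters") or {}
        actor = (ev.get("userIdentity") or {}).get("arn", "?")
        if snapshot_made_public(ev):
            findings.append((ev["eventTime"], "public-snapshot", params.get("snapshotId", "?"), actor))
        elif trail_disrupted(ev):
            findings.append((ev["eventTime"], "trail-disruption", ev["eventName"] + ":" + params.get("name", "?"), actor))
    return findings

# Constructed sample records; account IDs and bucket names are placeholders.
SAMPLE_EVENTS = json.loads("""[
{"eventTime":"2021-06-01T10:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifySnapshotAttribute",
 "userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},
 "requestParameters":{"snapshotId":"snap-0aaa","createVolumePermission":{"add":{"items":[{"group":"all"}]}}}},
{"eventTime":"2021-06-01T10:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"ModifySnapshotAttribute",
 "userIdentity":{"arn":"arn:aws:iam::111111111111:user/alice"},
 "requestParameters":{"snapshotId":"snap-0bbb","createVolumePermission":{"add":{"items":[{"userId":"222222222222"}]}}}},
{"eventTime":"2021-06-01T11:00:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail",
 "userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/ops/bob"},
 "requestParameters":{"name":"main-trail","s3BucketName":"unknown-bucket-xyz"}},
{"eventTime":"2021-06-01T11:30:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging",
 "userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/ops/bob"},"requestParameters":{"name":"main-trail"}}
]""")
```

Because CloudTrail delivery is buffered (slide 78), this runs over delivered log files after the fact rather than in real time, and the field layout should be checked against your own trail's records before relying on it.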

Slide 83

Slide 83 text

Conclusion

Slide 84

Slide 84 text

S2 Secure Cloud MSS
Red Team-as-a-Service, MDR and Risk Management in a single platform
Outcomes:
• Prioritized vulnerabilities, alerts and IMMINENT RISK
• Create consistent, automated processes and slash discovery & response times, whether in cloud, container or on-premise
• Orchestrated platform of managed services that work together
• Track, measure and improve your security risk posture
• Focus on reducing IMMINENT RISK

Slide 85

Slide 85 text

PTaaS/RTaaS – Continuous Testing

Slide 86

Slide 86 text

Thank You!
[email protected]
Bryce Kunz, @TweekFawkes
Trainings: Hands-On Cloud Red Teaming
Code: Github.com/Stage2Sec/CaptureTheCloud
Slides: SpeakerDeck.com/TweekFawkes

Slide 87

Slide 87 text

Thank You [email protected]