Blue Cloud of Death: Red Teaming Azure - SaintCon

TweekFawkes
September 25, 2018

SaintCon Presentation on Sept. 25th 2018

On-demand IT services are being publicized as the new normal, but oftentimes these services are misunderstood and hence misconfigured by engineers, which can frequently enable red teams to gain, expand, and persist access within Azure environments. In this talk we will dive into how Azure services are commonly breached (e.g. discovering insecure blob storage), and then show how attackers are pivoting between the data & control planes (e.g. mounting hard disks, swapping keys, etc...) to expand access. Finally we will demonstrate some unique techniques for persisting access within Azure environments for prolonged periods of time.

Bryce Kunz (@TweekFawkes) loves researching and red teaming bleeding edge IT services. Bryce is currently the Chief Hacker & President at Stage2Sec.com where he released various open source tools (e.g. soMeta, lolrusLove, yupPhrasing, etc…) and has contributed several modules to open source projects (e.g. empire). Previously, Bryce has supported the NSA (network exploitation & vulnerability research), Adobe (built red teaming program for cloud services), and DHS (incident response). Bryce holds numerous certifications (e.g. OSCP, CISSP, ...), and has spoken at various security conferences (i.e. BlackHat, DerbyCon, BSidesLV, etc...).

https://saintcon2018.sched.com/event/FwU5/blue-cloud-of-death-red-teaming-azure

Transcript

  1. Blue Cloud of Death: Red Teaming Azure

    Stage 2 Security, Version 1.0. Copyright 2018 by Stage 2 Security.
  2. Agenda

    Bryce Kunz @TweekFawkes
    - Who Am I?
    - Azure Overview
    - Initial Access
    - Storage Access
    - Endpoint Access
    - Expanding Access
    - Persisting Access
  3. Past WhoAmI

    Defense DHS SOC Offense NSA Red Team Adobe Digital Exp. (DX)
  4. WhoAmI - The Present

    Now Hiring Hunters & Splunkers!
  5. Layer Separation

    Diagram labels: Control Plane (APIs); Data Plane; Management UI
  6. Administration

    Diagram labels: Control Plane (APIs); Data Plane; Management UI; Cloud Admin (Dave)
  7. Automation

    Diagram labels: Control Plane (APIs); Data Plane; Management UI; Cloud Admin
    Ext Cloud Automation
    - Terraform
    - Salt Cloud
    - Custom
  8. Infrastructure Setup

    Diagram labels: Control Plane (APIs); Management UI; Cloud Admin
  9. Application

    Diagram labels: Control Plane (APIs); Management UI; Cloud Admin
  10. Application

    Diagram labels: Control Plane (APIs); Cloud Admin (Dave); Storage; VM; App; LB
    Ext Cloud Automation
    - Terraform
    - Salt Cloud
    - Custom
  11. Cloud-Aware Application

    Diagram labels: Control Plane (APIs); Cloud Admin (Dave); Storage; VM; App; LB
    Ext Cloud Automation
    - Terraform
    - Salt Cloud
    - Custom
  12. Open for Business

    Diagram labels: Control Plane (APIs); Cloud Admin (Dave); Storage; VM; App; LB; USERS
    Ext Cloud Automation
    - Terraform
    - Salt Cloud
    - Custom
  13. Full Adoption

    https://aws.amazon.com/serverless/
  14. Why On-Demand IT (aka Cloud) Matters?

    • Hybrid cloud adoption grew 3X in the last year, increasing from 19% to 57% of organizations surveyed.
    • In 10 months, 80% of all IT budgets will be committed to cloud solutions.
    • 49% of businesses are delaying cloud deployment due to a cybersecurity skills gap
  15. 2017: May-Oct

    1. “Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket”
    2. “Another Wide-Open Amazon S3 Bucket Exposes Verizon Customer Account Data”
    3. “US voter info stored on wide-open cloud box, thanks to bungling Republican contractor”
    4. “Researcher discovers classified Army intel app, data on open public AWS bucket”
    5. “Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak”
    6. “Drone Manufacturer DJI Leaves SSL Key Exposed on Public Repository”
    7. “Dow Jones becomes the latest organization to be affected by an AWS cloud data leakage due to misconfiguration and user error.”
    etc...
  16. Cloud Adoption

    Take images from ESXi -> Turn into Provider Images -> Deploy Instances
    - Virtual Machines + Network Services
    Develop or re-architect entire application to use exclusively managed offerings.
    - Managed Compute, Database, Auth, API, DNS, Queues, +++
    Lots of grey area….
  17. Azure Service Management (ASM)

    "Azure Classic" -> https://Manage.WindowsAzure.com
  18. ASM - Roles

    "Azure Classic" -> https://Manage.WindowsAzure.com
    Roles:
    • Account Administrator (Billing) -> 1 per subscription
    • Service Administrator (Super Admin) -> 1 per subscription (can be same)
    • Co-Administrator (Admin) -> per subscription
  19. ASM - Auth.

    "Azure Classic" -> https://Manage.WindowsAzure.com
    Auth:
    • Username & Password
    • X.509 Certificate ("Management Certificates")
      ◦ file names: *.cer -> public, *.pfx -> private
  20. Azure Resource Manager (ARM)

    https://Portal.Azure.com
    Introduced in 2014
    No more “Cloud Services”
  21. ARM - Resource Group

    https://Portal.Azure.com
    A resource group is a container for resources that share a common lifecycle.
  22. ARM - Roles

    https://Portal.Azure.com
    Roles:
    • Owner (Super Admin)
    • Contributor (Admin but can not change permissions)
    • User Access Admin (Admin but can only change permissions)
    • Reader (Read-Only)
  23. ARM - Service Principals

    https://Portal.Azure.com
    Service Principals (a.k.a. Service Accounts):
    • Can have a Password
      ◦ (aka "Client Secret")
    • or Certificates for Authentication
      ◦ (but different from ASM management certs)
  24. Azure Blobs

    Endpoints: https://myaccount.blob.core.windows.net/mycontainer/myblob
    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005
    Container Name: containertest005
    Blob Name: test.txt
  25. DNS Brute Force

    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005
    - Only contains lowercase letters and numbers.
    - Name must be between 3 and 24 characters.
  26. GoBuster - DNS

    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    gobuster -m dns -u "blob.core.windows.net" -i -t 100 -fw -w /root/blobdns/3_chars.txt
  27. DNS Brute Force

    - Only contains lowercase letters and numbers.
    - Name must be between 3 and 24 characters.
  28. GoBuster - DIR

    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    gobuster -m dir -u "https://bcodstoragetest005.blob.core.windows.net" -i -t 100 -e -s 200,204 -w quickdir.txt
  29. Azure Blob Names

    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005
    Container Name: containertest005
    Blob Name: test.txt
  30. Brute Force

    Possible but kind of sucks to brute force or guess three separate variables/parameters in the URL.
    e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt
    Storage Account Name: bcodstoragetest005
    Container Name: containertest005
    Blob Name: test.txt
  31. Takeovers

    Service               | Vulnerable | Selector
    AWS S3                | Yes        | The specified bucket does not exist
    AWS Cloudfront        | Yes        | Bad Request: ERROR: The request could not be satisfied
    Github                | Yes        | There isn't a Github Pages site here.
    Azure Web Apps        | Yes*       | *.azurewebsites.net
    Azure Cloud Services  | Yes        | *.cloudapp.net
    Azure Traffic Manager | Yes        | *.trafficmanager.net
    Azure Blob Storage    | Yes        | *.blob.core.windows.net
  32. Visual Studio

    • “web.config” - ASP.NET
    • “app.config” - C#.NET
    • SAS URI
    • Connection String
    • Account Name & Key
  33. GitHub

    Google Dork:
    • site:github.com web.config "StorageConnectionString" "DefaultEndpointsProtocol"
  34. *.publishsettings & Get-AzurePublishSettingsFile

    A "publish settings file" is an XML file with a .publishsettings file name extension. The file contains an encoded certificate that provides management credentials for your Azure subscriptions.
  35. Other Interesting Files

    • *.azure-storage.common.js
      ◦ commonly has SAS tokens
    • *.cspkg
      ◦ commonly has creds
  36. Storage Explorer

    “Install Azure Storage Explorer”
  37. Storage Explorer

    • SAS URI
    • Connection String
    • Account Name & Key
  38. Storage Explorer

    • Download Files!
    • Modify Files!
  39. VHDs

    Download vhds
    • Code Review
    • Secrets on Disk
    Linux - grep for “shadow” hashes
  40. VHDs

    Download vhds
    • Code Review
    • Secrets on Disk
    Linux - grep for “shadow” hashes
  41. Managed Disks

    2017 Azure Feature
    • By Default…
    • No VHDs in blob storage containers!
  42. Storage Explorer

    Create SAS!
    • Another way to access the resource
  43. SAS Token Offline

    MintyOffline
    Append the Following:
    • Storage Account Name
    • Permissions, Protocol
    • Service, Resource Type
    • Start Time, Expire Time
    • & API Version
    HMAC to creation token using:
    • Key -> Storage Key
    • Msg -> Appended String
    • SHA256 Formatting of the Data (e.g. Encode)
  44. Steal Cookie!

    “Install Azure CLI 2.0 on Windows”
  45. Setup CLI

    “Install Azure CLI 2.0 on Windows”
  46. Cli Auth.

    “Install Azure CLI 2.0 on Windows”
  47. Cli Auth.

    “Install Azure CLI 2.0 on Windows”
  48. Auth. Token

    “.azure” folder
    “azureProfile.json”
  49. Saved CLI Creds

    Save ARM Profile Tokens...
    • "Save-AzureRmProfile"
    • "Select-AzureRmProfile"
    Check User’s Documents Folder for JSON files….
    Creates a JSON file…
    • "ManagementPortalUrl"
    • "PublishSettingsFileUrl"
    • "TokenCache"
    • "Tenant"
  50. PaaS -> Cloud Service -> Service Certificates

    Service certificates are attached to cloud services and enable secure communication to and from the service. For example, if you deployed a web role, you would want to supply a certificate that can authenticate an exposed HTTPS endpoint. Service certificates, defined in your service definition, are automatically deployed to the virtual machine that is running an instance of your role.
  51. PaaS -> Cloud Service -> RDP -> Mimikatz -> pfx
  52. Data -> Control

    Diagram labels: Cloud; Control; Data; Portal; LBs; Apps; VMs; Storage; Admin; Dev; Users; Hacker
  53. Azure Metadata

    Metadata Service: 169.254.169.254
    • curl http://169.254.169.254/metadata/v1/maintenance
    • curl http://169.254.169.254/metadata/v1/InstanceInfo
    (these are mostly useless for hackers…)
    but useful information is copied into the … /var/lib/waagent directory when the instance is created… (root access needed)
    • IP address, hostname, subscription ID, resource group name, etc…
  54. Azure Metadata w/ HTTP Header

    Azure Metadata Service Now has an HTTP Header that enables more information
    curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"
    Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
  55. Control -> Data

    Diagram labels: Cloud; Control; Data; Portal; LBs; Apps; VMs; Storage; Admin; Dev; Users; Hacker
  56. Hard Boot

    Horrible OPSEC but it works…
    - Power off a server
    - Mount the server’s hard drive using another VM
    - Modify the server for remote access (e.g. add an SSH key to root user)
    - Power back on the server & PROFIT!
    Google: “Reset local Windows password for Azure VM offline”
  57. Reset

    Windows
    • RDP Password Reset
    Linux
    • SSH Key Reset
    • Create User
  58. Execute Scripts

    Linux
    • VM Extension - CustomScript
  59. Data -> Control

    Diagram labels: Cloud; Control; Data; Portal; LBs; Apps; VMs; Storage; Admin; Dev; Users; Hacker
  60. Service Principals

    (the recommended approach)
    Permissions-Restricted Accounts
    “az login --service-principal” …
    …not tied to any particular user…
    …have permissions on them assigned through pre-defined roles.
    Multiple Passwords!
  61. Agents

    Diagram labels: Cloud; Control; Data; Portal; LBs; Apps; VMs; Storage; Admin
  62. Start Digging

    • ps auxfww
    • file
    • python source code review
    Listening Services
    • netstat -nltpu
    Active Connections
    • netstat -natpu
  63. Python Debugger

    • pdb
    b: set a breakpoint
    c: continue debugging until you hit a breakpoint
    s: step through the code
    n: to go to next line of code
    l: list source code for the current file (default: 11 lines including the line being executed)
    u: navigate up a stack frame
    d: navigate down a stack frame
    p: to print the value of an expression in the current context
  64. SysDig

    sysdig -w 005.scap
    systemctl start walinuxagent.service
    /usr/bin/python3 -u /usr/sbin/waagent -daemon
    sysdig -r 005.scap …
    • -c topfiles_bytes
    • -c topprocs_net
    • -c echo_fds
    • -c fdbytes_by fd.directory "fd.type=file"
    • -c fdbytes_by fd.filename "fd.directory=/var/lib/waagent"
    …
  65. SysDig

    sysdig -w 005.scap
    systemctl start walinuxagent.service
    /usr/bin/python3 -u /usr/sbin/waagent -daemon
    sysdig -r 005.scap …
    • -c topfiles_bytes
    • -c topprocs_net
    • -c echo_fds
    • -c fdbytes_by fd.directory "fd.type=file"
    • -c fdbytes_by fd.filename "fd.directory=/var/lib/waagent"
    …
  66. Agents

    Diagram labels: Cloud; Control (http://168.63.129.16); Data; Portal; LBs; Apps; VMs; Storage; Admin; Agent
  67. Tasks

    Diagram labels: Control (http://168.63.129.16); VMs; Agent
    GET /machine/?comp=goalstate --- <Incarnation>2</Incarnation>…
    Periodically pulls HTTP API for taskings
    • http://168.63.129.16
    • (local azure fabric address)
    <Incarnation>2</Incarnation>
    • Signals agent for additional tasks
  68. Host Configs

    Diagram labels: Control (http://168.63.129.16); VMs; Agent
    GET /machine/ … type=hostingEnvironmentConfig --- rd_fabric_stable_dhf5.150807-2320.RuntimePackage_1.0.0.14.zip
    Pulls hostingEnvironmentConfig
  69. Certs

    Diagram labels: Control (http://168.63.129.16); VMs; Agent
    GET /machine/ … comp=certificates --- pfx
    Pulls certificates
  70. Extension configs

    Diagram labels: Control (http://168.63.129.16); VMs; Agent
    GET /machine/ … type=extensionsConfig --- Command to Run
    Pulls Extension Configuration
    • In this case, the command to run
  71. Creds in Repo

    Diagram labels: Internet; Control; Data; Portal; LBs; Apps; VMs; Storage; Admin; Dev; Users; Hacker
  72. VHDs -> Certs

    Diagram labels: Internet; Control; Data; Portal; LBs; Apps; VMs; Storage; Admin; Dev; Users; Hacker
  73. Subscription

    Diagram labels: Internet; Control; Data; Portal; LBs; Apps; VMs; Storage; Admin; Dev; Users; Hacker
  74. Custom Script

    Diagram labels: Internet; Control; Data; Portal; LBs; Apps; VMs; Storage; Admin; Dev; Users; Hacker
  75. Astute Exploitation Methodology

    Astute Exploitation is the art of leveraging the configuration and features of the target to achieve one's goals, rather than specific exploits for services (e.g. buffer overflows).
    • Prepare
    • Exploit
    • Prosper
    Features tend to have a long and prevalent useful life, while exploits for specific vulnerabilities tend to only work until they are patched out of target environments. Large tech companies have frequently said: "It's not a bug, it's a feature!", which in my opinion roughly translates to: "Attackers! Use this Technique! We have no plans to stop it!" :)
  76. Astute Exploitation - Prepare

    • Prepare
      ◦ Plan - Goals & Strategy
      ◦ Discover - Passive / OOB Techniques
      ◦ Recon - Active Techniques
  77. Astute Exploitation - Exploit

    • Exploit
      ◦ Develop - Test, Test, & Test Again!
      ◦ Exploit - All of the glory! (& then BSOD! :P )
      ◦ Interact - C2 within the Network!
  78. Astute Exploitation - Prosper

    • Prosper
      ◦ Priv Esc - Get Free
      ◦ Persist - Stay In
      ◦ Pivot - Expand Access
  79. Astute Exploitation - Traditional Example

    Stage 2 Security
  80. Astute Exploitation - Traditional Example

    Phase list shown on each slide of the walkthrough:
    • Prepare ◦ Plan ◦ Discover ◦ Recon
    • Exploit ◦ Develop ◦ Exploit ◦ Interact
    • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot
    Diagram labels: Plan; Internet; Target
  81. Astute Exploitation - Traditional Example

    Diagram labels: Internet; OSINT; Web App; Target; Discover
  82. Astute Exploitation - Traditional Example

    Diagram labels: Internet; Web App; Scan; Recon; Target
  83. Astute Exploitation - Traditional Example

    Diagram labels: Internet; Web App; R&D Test!; Develop; Target
  84. Astute Exploitation - Traditional Example

    Diagram labels: Internet; Web App; Exploit; Exploit; Target
  85. Astute Exploitation - Traditional Example

    Diagram labels: Internet; Web App; Reverse Shell; Interact; Target
  86. Astute Exploitation - Traditional Example

    Diagram labels: Internet; Web App; Reverse Shell; Implant; (Optionally) Priv. Esc. & Persist; Priv. Esc.; Target
  87. Astute Exploitation - Traditional Example

    Diagram labels: Internet; Web App; Domain Controller, Salt Master, etc...; Target; Pivot; Pivot; Pivot
  88. Traditional Example - Astute Exploitation

    Diagram labels: Internet; OSINT; Web App; Domain Controller, Salt Master, etc...; Target; Pivot; Pivot; R&D Test!; Scan; Exploit; Reverse Shell; Priv. Esc.; Implant; Implant
  89. Astute Exploitation - Cloud Example

    Stage 2 Security
  90. Astute Exploitation - Cloud Example

    Diagram labels: Internet; Plan; Target
  91. Astute Exploitation - Cloud Example

    Diagram labels: Internet; OSINT; Discover; Serverless App; Target
  92. Astute Exploitation - Cloud Example

    Diagram labels: Internet; Serverless App; Scan; Recon; Target
  93. Astute Exploitation - Cloud Example

    Diagram labels: Internet; R&D Test!; Develop; Serverless App; Target
  94. Astute Exploitation - Cloud Example

    Diagram labels: Internet; Exploit; Serverless App; Exploit; Target
  95. Astute Exploitation - Cloud Example

    Diagram labels: Internet; Reverse Shell; Interact; Serverless App; Target
  96. Astute Exploitation - Cloud Example

    Diagram labels: Internet; Reverse Shell; Priv. Esc.; Implant; (Optionally) Priv. Esc. & Persist; Target; Serverless App
  97. Astute Exploitation - Cloud Example

    Diagram labels: Internet; Control Plane; Target; Data to Control; Control to Data; R&D Test!; Reverse Shell; Pivot; Serverless App
  98. Cloud Example - Astute Exploitation

    Diagram labels: Internet; OSINT; Control Plane; Target; Data to Control; Control to Data; R&D Test!; Scan; Reverse Shell; Priv. Esc.; Implant; Serverless App; Exploit; Implant
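
For defenders: slides 32-35 name the files where storage credentials leak (web.config, app.config, JavaScript bundles) and slide 43 lists the fields a SAS token is built from. The Python scanner below is an added example, not part of the deck or of any Stage 2 Security tool; it finds connection strings and SAS URIs in text you own and flags over-broad SAS settings. The sample input, account name, key, signatures and the 7-day lifetime threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Connection string in the form Visual Studio writes to web.config / app.config.
CONN_RE = re.compile(
    r"DefaultEndpointsProtocol=(https?);AccountName=([a-z0-9]{3,24});"
    r"AccountKey=([A-Za-z0-9+/]{20,}={0,2})")
# Blob endpoint URL with a query string; kept only if it carries sig=.
SAS_RE = re.compile(
    r"https?://([a-z0-9]{3,24})\.blob\.core\.windows\.net/[^\s\"'<>]*\?[^\s\"'<>]*")
MAX_LIFETIME = timedelta(days=7)  # assumed policy threshold, not an Azure limit


def _when(value):
    """Parse a SAS st/se value (ISO 8601 UTC; a date-only value is allowed)."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas(url, now):
    """List the risky properties of one SAS URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    issues = []
    if q.get("spr", "https,http") != "https":  # spr defaults to https,http
        issues.append("plain HTTP allowed")
    if set(q.get("sp", "")) & set("wdacup"):
        issues.append("more than read/list permissions: sp=" + q["sp"])
    if len(q.get("ss", "")) > 1:
        issues.append("account SAS spanning services: ss=" + q["ss"])
    if "se" in q:
        start = _when(q["st"]) if "st" in q else now
        lifetime = _when(q["se"]) - start
        if lifetime > MAX_LIFETIME:
            issues.append("lifetime of %d days" % lifetime.days)
    return issues


def scan(text, now):
    """Report storage credentials found in text without echoing the secret."""
    findings = []
    for proto, account, _key in CONN_RE.findall(text):
        issues = ["account key gives full data-plane access to the account"]
        if proto == "http":
            issues.append("plain HTTP endpoint")
        findings.append({"type": "connection-string", "account": account,
                         "issues": issues})
    for match in SAS_RE.finditer(text):
        url = match.group(0).replace("&amp;", "&")  # undo XML escaping
        if "sig=" in url:
            findings.append({"type": "sas-uri", "account": match.group(1),
                             "issues": audit_sas(url, now)})
    return findings


# Constructed sample: a web.config fragment and a JavaScript line. The account
# name, key and signatures are made up.
SAMPLE = '''
<add key="StorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=examplestorage001;AccountKey=Q09OU1RSVUNURURfRkFLRV9LRVlfMDAwMA==" />
<add key="BackupSas" value="https://examplestorage001.blob.core.windows.net/backups?sv=2017-11-09&amp;ss=bfqt&amp;srt=sco&amp;sp=rwdlacup&amp;st=2018-09-01T00:00:00Z&amp;se=2020-09-01T00:00:00Z&amp;spr=https,http&amp;sig=CONSTRUCTED" />
var reportUrl = "https://examplestorage001.blob.core.windows.net/public/report.pdf?sv=2017-11-09&sr=b&sp=r&st=2018-09-25T00:00:00Z&se=2018-09-25T01:00:00Z&spr=https&sig=CONSTRUCTED";
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE, datetime(2018, 9, 25, tzinfo=timezone.utc)):
        print(finding["type"], finding["account"], finding["issues"] or "ok")
```

Run it over a checkout before publishing a repository; any connection-string hit means the account key should be rotated, since a key in history stays valid until regenerated.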