Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Blue Cloud of Death: Red Teaming Azure - SaintCon

TweekFawkes
September 25, 2018
Technology
1
1k

Blue Cloud of Death: Red Teaming Azure - SaintCon

SaintCon Presentation on Sept. 25th 2018

On-demand IT services are being publicized as the new normal, but often times these services are misunderstood and hence misconfigured by engineers which can frequently enable red teams to gain, expand, and persist access within Azure environments. In this talk we will dive into how Azure services are commonly breached (e.g. discovering insecure blob storage), and then show how attackers are pivoting between the data & control planes (e.g. mounting hard disks, swapping keys, etc...) to expand access. Finally we will demonstrate some unique techniques for persisting access within Azure environments for prolonged periods of time.

Bryce Kunz (@TweekFawkes) loves researching and red teaming bleeding edge IT services. Bryce is currently the Chief Hacker & President at Stage2Sec.com where he released various open source tools (e.g. soMeta, lolrusLove, yupPhrasing, etc…) and has contributed several modules to open source projects (e.g. empire). Previously, Bryce has supported the NSA (network exploitation & vulnerability research), Adobe (built red teaming program for cloud services), and DHS (incident response). Bryce holds numerous certifications (e.g. OSCP, CISSP, ...), and has spoken at various security conferences (i.e. BlackHat, DerbyCon, BSidesLV, etc...).

https://saintcon2018.sched.com/event/FwU5/blue-cloud-of-death-red-teaming-azure

TweekFawkes

September 25, 2018
Tweet

More Decks by TweekFawkes

See All by TweekFawkes
Bypassing the Gatekeepers: LLM Enabled Techniques for Circumventing WAFs at Scale
tweekfawkes
0
27
Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn
tweekfawkes
0
130
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
tweekfawkes
0
3.9k
Level Up Your Lab Envs!
tweekfawkes
0
200
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
250
Mining Cloud Resources for Initial Access via Serverless Services
tweekfawkes
0
140
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
180
The Future?!
tweekfawkes
0
150
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1.1k

Other Decks in Technology

See All in Technology
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
540
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
1
120
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
150
Application Development WG Intro at AppDeveloperCon
salaboy
0
200
Mastering Quickfix
daisuzu
1
150
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
150
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
110
AI前提のサービス運用ってなんだろう?
ryuichi1208
8
1.4k
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
200
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
130

Featured

See All Featured
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
Thoughts on Productivity
jonyablonski
67
4.3k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Bash Introduction
62gerente
608
210k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k

Transcript

  1. Stage 2 Security Version 1.0 Copyright 2018 by Stage 2

    Security Blue Cloud of Death Red Teaming Azure

  2. Copyright 2018 by Stage 2 Security Stage 2 Security Agenda

    Bryce Kunz @TweekFawkes - Who Am I? - Azure Overview - Initial Access - Storage Access - Endpoint Access - Expanding Access - Persisting Access

  3. Copyright 2018 by Stage 2 Security Stage 2 Security Past

    WhoAmI Defense DHS SOC Offense NSA Red Team Adobe Digital Exp. (DX)

  4. Copyright 2018 by Stage 2 Security Stage 2 Security WhoAmI

    - The Present Now Hiring Hunters & Splunkers!

  5. Copyright 2018 by Stage 2 Security Stage 2 Security WhoAmI

    - The Present

  6. Copyright 2018 by Stage 2 Security Stage 2 Security Azure

    Overview

  7. Copyright 2018 by Stage 2 Security Stage 2 Security Layer

    Separation Control Plane (APIs) Data Plane Management UI

  8. Copyright 2018 by Stage 2 Security Stage 2 Security Administration

    Control Plane (APIs) Data Plane Management UI Cloud Admin (Dave)

  9. Copyright 2018 by Stage 2 Security Stage 2 Security Automation

    Control Plane (APIs) Data Plane Management UI Cloud Admin Ext Cloud Automation - Terraform - Salt Cloud - Custom

  10. Copyright 2018 by Stage 2 Security Stage 2 Security Infrastructure

    Setup Control Plane (APIs) Management UI Cloud Admin

  11. Copyright 2018 by Stage 2 Security Stage 2 Security Application

    Control Plane (APIs) Management UI Cloud Admin

  12. Copyright 2018 by Stage 2 Security Stage 2 Security Application

    Control Plane (APIs) Cloud Admin (Dave) Ext Cloud Automation - Terraform - Salt Cloud - Custom Storage VM App LB

  13. Copyright 2018 by Stage 2 Security Stage 2 Security Cloud-Aware

    Application Control Plane (APIs) Cloud Admin (Dave) Ext Cloud Automation - Terraform - Salt Cloud - Custom Storage VM App LB

  14. Copyright 2018 by Stage 2 Security Stage 2 Security Open

    for Business Control Plane (APIs) Cloud Admin (Dave) Ext Cloud Automation - Terraform - Salt Cloud - Custom Storage VM App LB USERS

  15. Copyright 2018 by Stage 2 Security Stage 2 Security Man

    -> Machine

  16. Copyright 2018 by Stage 2 Security Stage 2 Security Full

    Adoption https://aws.amazon.com/serverless/

  17. Copyright 2018 by Stage 2 Security Stage 2 Security Dooms

    Day ...

  18. Copyright 2018 by Stage 2 Security Stage 2 Security DevOp-ocalypse

  19. Copyright 2018 by Stage 2 Security Stage 2 Security Why

    On-Demand IT (aka Cloud) Matters? • Hybrid cloud adoption grew 3X in the last year, increasing from 19% to 57% of organizations surveyed. • In 10 months, 80% of all IT budgets will be committed to cloud solutions. • 3. 49% of businesses are delaying cloud deployment due to a cybersecurity skills gap

  20. Copyright 2018 by Stage 2 Security Stage 2 Security 2017:

    May-Oct 1. “Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket” 2. “Another Wide-Open Amazon S3 Bucket Exposes Verizon Customer Account Data” 3. “US voter info stored on wide-open cloud box, thanks to bungling Republican contractor” 4. “Researcher discovers classified Army intel app, data on open public AWS bucket” 5. “Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak” 6. “Drone Manufacturer DJI Leaves SSL Key Exposed on Public Repository” 7. “Dow Jones becomes the latest organization to be affected by an AWS cloud data leakage due to misconfiguration and user error.” etc...

  21. Copyright 2018 by Stage 2 Security Stage 2 Security DevOp-ocalypse

  22. Copyright 2018 by Stage 2 Security Stage 2 Security Cloud

    Adoption Take images from ESXi -> Turn into Provider Images -> Deploy Instances - Virtual Machines + Network Services Develop or re-architect entire application to use exclusively managed offerings. - Managed Compute, Database, Auth, API, DNS, Queues, +++ Lots of grey area….

  23. Copyright 2018 by Stage 2 Security Stage 2 Security Azure

    Overview

  24. Copyright 2018 by Stage 2 Security Stage 2 Security Azure

    Service Management (ASM) "Azure Classic" -> https://Manage.WindowsAzure.com

  25. Copyright 2018 by Stage 2 Security Stage 2 Security ASM

    - Roles "Azure Classic" -> https://Manage.WindowsAzure.com Roles: • Account Administrator (Billing) -> 1 per subscription • Service Administrator (Super Admin) -> 1 per subscription (can be same) • Co-Administrator (Admin) -> per subscription

  26. Copyright 2018 by Stage 2 Security Stage 2 Security ASM

    - Auth. "Azure Classic" -> https://Manage.WindowsAzure.com Auth: • Username & Password • X.509 Certificate ("Management Certificates") ◦ file names: *.cer -> public, *.pfx -> private

  27. Copyright 2018 by Stage 2 Security Stage 2 Security Azure

    Resource Manager (ARM) https://Portal.Azure.com Introduced in 2014 No more “Cloud Services”

  28. Copyright 2018 by Stage 2 Security Stage 2 Security ARM

    - Resource Group https://Portal.Azure.com A resource group is a container for resources that share a common lifecycle.

  29. Copyright 2018 by Stage 2 Security Stage 2 Security ARM

    - Roles https://Portal.Azure.com Roles: • Owner (Super Admin) • Contributor (Admin but can not change permissions) • User Access Admin (Admin but can only change permissions) • Reader (Read-Only)

  30. Copyright 2018 by Stage 2 Security Stage 2 Security ARM

    - Service Principals https://Portal.Azure.com Service Principals (a.k.a. Service Accounts): • Can have a Password ◦ (aka "Client Secret") • or Certificates for Authentication ◦ (but different from ASM management certs)

  31. Copyright 2018 by Stage 2 Security Stage 2 Security Storage

    ...

  32. Copyright 2018 by Stage 2 Security Stage 2 Security Storage

    Types: • Blobs • etc...

  33. Copyright 2018 by Stage 2 Security Stage 2 Security Azure

    Blobs Endpoints: https://myaccount.blob.core.windows.net/mycontainer/myblob e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt Storage Account Name: bcodstoragetest005 Container Name: containertest005 Blob Name: test.txt

  34. Copyright 2018 by Stage 2 Security Stage 2 Security DNS

    Brute Force e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt Storage Account Name: bcodstoragetest005 - Only contains lowercase letters and numbers. - Name must be between 3 and 24 characters.

  35. Copyright 2018 by Stage 2 Security Stage 2 Security GoBuster

    - DNS e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt gobuster -m dns -u "blob.core.windows.net" -i -t 100 -fw -w /root/blobdns/3_chars.txt

  36. Copyright 2018 by Stage 2 Security Stage 2 Security DNS

    Brute Force - Only contains lowercase letters and numbers. - Name must be between 3 and 24 characters.

  37. Copyright 2018 by Stage 2 Security Stage 2 Security GoBuster

    - DIR e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt gobuster -m dir -u “https://bcodstoragetest005.blob.core.windows.net” -i -t 100 -e -s 200,204 -w quickdir.txt

  38. Copyright 2018 by Stage 2 Security Stage 2 Security Azure

    Blob Names e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt Storage Account Name: bcodstoragetest005 Container Name: containertest005 Blob Name: test.txt

  39. Copyright 2018 by Stage 2 Security Stage 2 Security Brute

    Force Possible but kind of sucks to brute force or guess three separate variables/parameters in the URL. e.g.: https://bcodstoragetest005.blob.core.windows.net/containertest005/test.txt Storage Account Name: bcodstoragetest005 Container Name: containertest005 Blob Name: test.txt

  40. Copyright 2018 by Stage 2 Security Stage 2 Security NimbusLand

    Check if an IP address is Azure or AWS

  41. Copyright 2018 by Stage 2 Security Stage 2 Security Takeovers

    ...

  42. Copyright 2018 by Stage 2 Security Stage 2 Security Takeovers

    Service Vulnerable Selector AWS S3 Yes The specified bucket does not exist AWS Cloudfront Yes Bad Request: ERROR: The request could not be satisfied Github Yes There isn't a Github Pages site here. Azure Web Apps Yes* *.azurewebsites.net Azure Cloud Services Yes *.cloudapp.net Azure Traffic Manager Yes *.trafficmanager.net Azure Blob Storage Yes *.blob.core.windows.net

  43. Copyright 2018 by Stage 2 Security Stage 2 Security Storage

    Access #025

  44. Copyright 2018 by Stage 2 Security Stage 2 Security Visual

    Studio • “web.config” - ASP.NET • “app.config” - C#.NET • SAS URI • Connection String • Account Name & Key

  45. Copyright 2018 by Stage 2 Security Stage 2 Security GitHub

    Google Dork: • site:github.com web.config "StorageConnectionString" "DefaultEndpointsProtocol"

  46. Copyright 2018 by Stage 2 Security Stage 2 Security *.publishsettings

    & Get-AzurePublishSettingsFile A "publish settings file" is an XML file with a .publishsettings file name extension. The file contains an encoded certificate that provides management credentials for your Azure subscriptions.

  47. Copyright 2018 by Stage 2 Security Stage 2 Security Other

    Interesting Files • *.azure-storage.common.js ◦ commonly has SAS tokens • *.cspkg ◦ commonly has creds

  48. Copyright 2018 by Stage 2 Security Stage 2 Security Storage

    Explorer “Install Azure Storage Explorer”

  49. Copyright 2018 by Stage 2 Security Stage 2 Security Storage

    Explorer • SAS URI • Connection String • Account Name & Key

  50. Copyright 2018 by Stage 2 Security Stage 2 Security Storage

    Explorer • Download Files! • Modify Files!

  51. Copyright 2018 by Stage 2 Security Stage 2 Security VHDs

    *disks* • vhds!

  52. Copyright 2018 by Stage 2 Security Stage 2 Security VHDs

    Download vhds • Code Review • Secrets on Disk Linux - grep for “shadow” hashes

  53. Copyright 2018 by Stage 2 Security Stage 2 Security VHDs

    Download vhds • Code Review • Secrets on Disk Linux - grep for “shadow” hashes

  54. Copyright 2018 by Stage 2 Security Stage 2 Security Managed

    Disks 2017 Azure Feature • By Default… • No VHDs in blob storage containers!

  55. Copyright 2018 by Stage 2 Security Stage 2 Security Storage

    Persistence ...

  56. Copyright 2018 by Stage 2 Security Stage 2 Security Storage

    Explorer Create SAS! • Another way to access the resource

  57. Copyright 2018 by Stage 2 Security Stage 2 Security Demo:

    SAS Offline Minting!

  58. Copyright 2018 by Stage 2 Security Stage 2 Security SAS

    Token Offline MintyOffline Append the Following: • Storage Account Name • Permissions, Protocol • Service, Resource Type • Start Time, Expire Time • & API Version HMAC to creation token using: • Key -> Storage Key • Msg -> Appended String • SHA256 Formatting of the Data (e.g. Encode)

  59. Copyright 2018 by Stage 2 Security Stage 2 Security CLI

    Endpoint Access Azure

  60. Copyright 2018 by Stage 2 Security Stage 2 Security Browser

    Cookie

  61. Copyright 2018 by Stage 2 Security Stage 2 Security Steal

    Cookie! “Install Azure CLI 2.0 on Windows”

  62. Copyright 2018 by Stage 2 Security Stage 2 Security Setup

    CLI “Install Azure CLI 2.0 on Windows”

  63. Copyright 2018 by Stage 2 Security Stage 2 Security Cli

    Auth. “Install Azure CLI 2.0 on Windows”

  64. Copyright 2018 by Stage 2 Security Stage 2 Security Cli

    Auth. “Install Azure CLI 2.0 on Windows”

  65. Copyright 2018 by Stage 2 Security Stage 2 Security Auth.

    Token “.azure” folder “azureProfile.json”

  66. Steal Token “.azure” folder “azureProfile.json”

  67. Copyright 2018 by Stage 2 Security Stage 2 Security Saved

    CLI Creds Save ARM Profile Tokens... • "Save-AzureRmProfile" • "Select-AzureRmProfile" Check User’s Documents Folder for JSON files…. Creates a JSON file… • "ManagementPortalUrl" • "PublishSettingsFileUrl" • "TokenCache" • "Tenant"

  68. Copyright 2018 by Stage 2 Security Stage 2 Security Whoami

    “az account show”

  69. Copyright 2018 by Stage 2 Security Stage 2 Security PaaS

    ...

  70. Copyright 2018 by Stage 2 Security Stage 2 Security PaaS

    -> Cloud Service

  71. Copyright 2018 by Stage 2 Security Stage 2 Security PaaS

    -> Cloud Service -> Service Certificates Service certificates are attached to cloud services and enable secure communication to and from the service. For example, if you deployed a web role, you would want to supply a certificate that can authenticate an exposed HTTPS endpoint. Service certificates, defined in your service definition, are automatically deployed to the virtual machine that is running an instance of your role.

  72. Copyright 2018 by Stage 2 Security Stage 2 Security PaaS

    -> Cloud Service -> RDP -> Mimikatz -> pfx

  73. Copyright 2018 by Stage 2 Security Stage 2 Security Expand

    Access ...

  74. Copyright 2018 by Stage 2 Security Stage 2 Security Data

    -> Control Cloud Control Data Portal LBs Apps VMs Storage Admin Dev Users Hacker

  75. Copyright 2018 by Stage 2 Security Stage 2 Security Azure

    Metadata Metadata Service: 169.254.169.254 • curl http://169.254.169.254/metadata/v1/maintenance • curl http://169.254.169.254/metadata/v1/InstanceInfo (these are mostly useless for hackers…) but useful information is copied into the … /var/lib/waagent directory when the instance is created… (root access needed) • IP address, hostname, subscription ID, resource group name, etc…

  76. Copyright 2018 by Stage 2 Security Stage 2 Security Azure

    Metadata w/ HTTP Header Azure Metadata Service Now has an HTTP Header that enables more information curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service

  77. Copyright 2018 by Stage 2 Security Stage 2 Security Control

    -> Data Cloud Control Data Portal LBs Apps VMs Storage Admin Dev Users Hacker

  78. Copyright 2018 by Stage 2 Security Stage 2 Security Capture

    Image

  79. Copyright 2018 by Stage 2 Security Stage 2 Security Hard

    Boot Horrible OPSEC but it works… - Power off a server - Mount the server’s hard drive using another VM - Modify the server for remote access (e.g. add an SSH key to root user) - Power back on the server & PROFIT! Google: “Reset local Windows password for Azure VM offline”

  80. Copyright 2018 by Stage 2 Security Stage 2 Security Reset

    Windows • RDP Password Reset Linux • SSH Key Reset • Create User

  81. Copyright 2018 by Stage 2 Security Stage 2 Security Execute

    Scripts Linux • VM Extension - CustomScript

  82. Copyright 2018 by Stage 2 Security Stage 2 Security Persistence

    Azure

  83. Copyright 2018 by Stage 2 Security Stage 2 Security Data

    -> Control Cloud Control Data Portal LBs Apps VMs Storage Admin Dev Users Hacker

  84. Copyright 2018 by Stage 2 Security Stage 2 Security Service

    Principals (the recommended approach) Permissions-Restricted Accounts “az login --service-principal” … …not tied to any particular user… …have permissions on them assigned through pre-defined roles. Multiple Passwords!

  85. Copyright 2018 by Stage 2 Security Stage 2 Security Agents

    Cloud Control Data Portal LBs Apps VMs Storage Admin

  86. Copyright 2018 by Stage 2 Security Stage 2 Security Documentation?

    Where we're going, we don't need docs!

  87. Copyright 2018 by Stage 2 Security Stage 2 Security Start

    Digging • ps auxfww • file • • python source code review Listening Services • netstat -nltpu Active Connections • netstat -natpu

  88. Copyright 2018 by Stage 2 Security Stage 2 Security Python

    Debugger • pdb b: set a breakpoint c: continue debugging until you hit a breakpoint s: step through the code n: to go to next line of code l: list source code for the current file (default: 11 lines including the line being executed) u: navigate up a stack frame d: navigate down a stack frame p: to print the value of an expression in the current context

  89. Copyright 2018 by Stage 2 Security Stage 2 Security SysDig

    sysdig -w 005.scap systemctl start walinuxagent.service /usr/bin/python3 -u /usr/sbin/waagent -daemon sysdig -r 005.scap … • -c topfiles_bytes • -c topprocs_net • -c echo_fds • -c fdbytes_by fd.directory "fd.type=file“ • -c fdbytes_by fd.filename "fd.directory=/var/lib/waagent“ …

  90. Copyright 2018 by Stage 2 Security Stage 2 Security SysDig

    sysdig -w 005.scap systemctl start walinuxagent.service /usr/bin/python3 -u /usr/sbin/waagent -daemon sysdig -r 005.scap … • -c topfiles_bytes • -c topprocs_net • -c echo_fds • -c fdbytes_by fd.directory "fd.type=file“ • -c fdbytes_by fd.filename "fd.directory=/var/lib/waagent“ …

  91. Copyright 2018 by Stage 2 Security Stage 2 Security TCPDump

    ip.addr == 168.63.129.16

  92. Copyright 2018 by Stage 2 Security Stage 2 Security Agents

    Cloud Control http://168.63.129.16 Data Portal LBs Apps VMs Storage Admin Agent

  93. Copyright 2018 by Stage 2 Security Stage 2 Security Tasks

    Control http://168.63.129.16 GET /machine/?comp=goalstate --- <Incarnation>2</Incarnation>… VMs Agent Periodically pulls HTTP API for taskings • http://168.63.129.16 • (local azure fabric address) <Incarnation>2</Incarnation> • Signals agent for additional tasks

  94. Copyright 2018 by Stage 2 Security Stage 2 Security Host

    Configs Control http://168.63.129.16 GET /machine/ … type= hostingEnvironmentConfig --- rd_fabric_stable_dhf5.150807-2320.R untimePackage_1.0.0.14.zip VMs Agent Pulls hostingEnvironmentConfig

  95. Copyright 2018 by Stage 2 Security Stage 2 Security Certs

    Control http://168.63.129.16 GET /machine/ … comp=certificates --- pfx VMs Agent Pulls certificates

  96. Copyright 2018 by Stage 2 Security Stage 2 Security Extension

    configs Control http://168.63.129.16 GET /machine/ … type=extensionsConfig --- Command to Run VMs Agent Pulls Extension Configuration • In this case, the command to run

  97. Copyright 2018 by Stage 2 Security Stage 2 Security Creds

    in Repo Internet Control Data Portal LBs Apps VMs Storage Admin Dev Users Hacker

  98. Copyright 2018 by Stage 2 Security Stage 2 Security VHDs

    -> Certs Internet Control Data Portal LBs Apps VMs Storage Admin Dev Users Hacker

  99. Copyright 2018 by Stage 2 Security Stage 2 Security Subscription

    Internet Control Data Portal LBs Apps VMs Storage Admin Dev Users Hacker

  100. Copyright 2018 by Stage 2 Security Stage 2 Security Custom

    Script Internet Control Data Portal LBs Apps VMs Storage Admin Dev Users Hacker

  101. Copyright 2018 by Stage 2 Security Stage 2 Security DEMo:

    C2 via waagent Redirection

  102. Copyright 2018 by Stage 2 Security Stage 2 Security DEMo:

    C2 via waagent Redirection

  103. Copyright 2018 by Stage 2 Security Stage 2 Security DEMo:

    C2 via waagent Redirection

  104. Copyright 2018 by Stage 2 Security Stage 2 Security DEMo:

    C2 via waagent Redirection

  105. Copyright 2018 by Stage 2 Security Stage 2 Security DEMo:

    C2 via waagent Redirection

  106. Copyright 2018 by Stage 2 Security Stage 2 Security DEMo:

    C2 via waagent Redirection

  107. Copyright 2018 by Stage 2 Security Stage 2 Security Demo:

    C2 via waagent Redirection

  108. Copyright 2018 by Stage 2 Security Stage 2 Security DEMo:

    C2 via waagent Redirection

  109. Copyright 2018 by Stage 2 Security Stage 2 Security DEMo:

    C2 via waagent Redirection

  110. Copyright 2018 by Stage 2 Security Stage 2 Security Training

    Oct. Chicago Dec. London

  111. Copyright 2018 by Stage 2 Security Stage 2 Security Astute

    Exploitation #003

  112. Copyright 2018 by Stage 2 Security Stage 2 Security Astute

    Exploitation Methodology Astute Exploitation is the art of leveraging the configuration and features of the target to achieve one's goals, rather than specific exploits for services (e.g. buffer overflows). • Prepare • Exploit • Prosper Features tend to have a long and prevalent useful life, while exploits for specific vulnerabilities tend to only work until they are patched out of target environments. Large tech companies have frequently said: "It's not a bug, it's a feature!", which in my opinion roughly translates to: "Attackers! Use this Technique! We have no plans to stop it!" :)

  113. Copyright 2018 by Stage 2 Security Stage 2 Security Astute

    Exploitation Prepare • Prepare ◦ Plan - Goals & Strategy ◦ Discover - Passive / OOB Techniques ◦ Recon - Active Techniques

  114. Copyright 2018 by Stage 2 Security Stage 2 Security Astute

    Exploitation Exploit • Exploit ◦ Develop - Test, Test, & Test Again! ◦ Exploit - All of the glory! (& then BSOD! :P ) ◦ Interact - C2 within the Network!

  115. Copyright 2018 by Stage 2 Security Stage 2 Security Astute

    Exploitation Prosper • Prosper ◦ Priv Esc - Get Free ◦ Persist - Stay In ◦ Pivot - Expand Access

  116. Copyright 2018 by Stage 2 Security Stage 2 Security Astute

    Exploitation Traditional Example Stage 2 Security

  117. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot Plan Astute Exploitation - Traditional Example • Prepare ◦ Plan ◦ Discover ◦ Recon Internet Target

  118. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot • Prepare ◦ Plan ◦ Discover ◦ Recon Internet OSINT Web App Target Discover Astute Exploitation - Traditional Example

  119. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Prepare ◦ Plan ◦ Discover ◦ Recon • Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot Internet Web App Scan Recon Astute Exploitation - Traditional Example Target

  120. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Prepare ◦ Plan ◦ Discover ◦ Recon • Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot Internet Web App R&D Test! Develop Astute Exploitation - Traditional Example Target

  121. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot • Prepare ◦ Plan ◦ Discover ◦ Recon Internet Web App Exploit Exploit Astute Exploitation - Traditional Example Target

  122. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Prepare ◦ Plan ◦ Discover ◦ Recon • Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot Internet Web App Reverse Shell Interact Astute Exploitation - Traditional Example Target

  123. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot • Prepare ◦ Plan ◦ Discover ◦ Recon Internet Web App Reverse Shell Implant (Optionally) Priv. Esc. & Persist Astute Exploitation - Traditional Example Priv. Esc. Target

  124. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Prepare ◦ Plan ◦ Discover ◦ Recon • Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot Internet Web App Domain Controller, Salt Master, etc... Target Pivot Pivot Pivot Astute Exploitation - Traditional Example

  125. Copyright 2018 by Stage 2 Security Stage 2 Security Traditional

    Example Astute Exploitation • Prepare ◦ Plan ◦ Discover ◦ Recon • Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot Internet OSINT Web App Domain Controller, Salt Master, etc... Target Pivot Pivot R&D Test! Scan Exploit Reverse Shell Priv. Esc. Implant Implant

  126. Copyright 2018 by Stage 2 Security Stage 2 Security Astute

    Exploitation Cloud Example Stage 2 Security

  127. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot • Prepare ◦ Plan ◦ Discover ◦ Recon Internet Plan Astute Exploitation - Cloud Example Target

  128. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot • Prepare ◦ Plan ◦ Discover ◦ Recon Internet OSINT Discover Astute Exploitation - Cloud Example Serverless App Target

  129. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot • Prepare ◦ Plan ◦ Discover ◦ Recon Internet Serverless App Scan Recon Astute Exploitation - Cloud Example Target

  130. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Prepare ◦ Plan ◦ Discover ◦ Recon • Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot Internet R&D Test! Develop Astute Exploitation - Cloud Example Serverless App Target

  131. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Prepare ◦ Plan ◦ Discover ◦ Recon • Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot Internet Exploit Astute Exploitation - Cloud Example Serverless App Exploit Target

  132. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Prepare ◦ Plan ◦ Discover ◦ Recon • Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot Internet Reverse Shell Interact Astute Exploitation - Cloud Example Serverless App Target

  133. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot • Prepare ◦ Plan ◦ Discover ◦ Recon Internet Reverse Shell Priv. Esc. Implant (Optionally) Priv. Esc. & Persist Astute Exploitation - Cloud Example Target Serverless App

  134. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot • Prepare ◦ Plan ◦ Discover ◦ Recon Internet Control Plane Target Data to Control Control to Data R&D Test! Reverse Shell Pivot Astute Exploitation - Cloud Example Serverless App

  135. Copyright 2018 by Stage 2 Security Stage 2 Security •

    Exploit ◦ Develop ◦ Exploit ◦ Interact • Prosper ◦ Priv Esc ◦ Persist ◦ Pivot Cloud Example Astute Exploitation • Prepare ◦ Plan ◦ Discover ◦ Recon Internet OSINT Control Plane Target Data to Control Control to Data R&D Test! Scan Reverse Shell Priv. Esc. Implant Serverless App Exploit Implant

  136. Copyright 2018 by Stage 2 Security Stage 2 Security Thank

    you! Contact Info: Bryce Kunz: [email protected]