Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cloud Red Teaming: AWS Initial Access & Privile...

TweekFawkes
April 01, 2023
Technology
0
3.9k

Cloud Red Teaming: AWS Initial Access & Privilege Escalation

Research presented at BSidesTampa in Tampa Florida on April 1st 2023.

Session Name: "Cloud Red Teaming: AWS Initial Access & Privilege Escalation"

Red Teaming and Penetration Testing of Cloud (AWS, Azure, GCP, etc.) environments is a rapidly evolving field. Every year new tools are being released and existing techniques are being further refined. This session covers the latest Cloud focused attack vectors and describes viable strategies on how to detect their malicious usage within your cloud environments.

Some of the topics covered include:
- How Attackers go from Zero to (Cloud) Admin
- Stealing of SSO Tokens and Browser Cookies for Initial Access
- A Unique Cloud Native Technique for Gaining Initial Access into AWS Environments
- Leverage Graph Database Technologies (e.g. Neo4j) to Discover Privilege Escalation Paths
- Logging Services in Cloud Providers and Suspicious Events

Cloud expertise is not required since the presentation covers the basics of how Cloud environments are commonly implemented, while then highlighting the areas that are most useful for attackers. Information presented is useful for both Red Team & Blue Team members.

TweekFawkes

April 01, 2023
Tweet

More Decks by TweekFawkes

See All by TweekFawkes
Bypassing the Gatekeepers: LLM Enabled Techniques for Circumventing WAFs at Scale
tweekfawkes
0
27
Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn
tweekfawkes
0
130
Level Up Your Lab Envs!
tweekfawkes
0
200
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
250
Mining Cloud Resources for Initial Access via Serverless Services
tweekfawkes
0
140
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
180
The Future?!
tweekfawkes
0
150
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1.1k
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
0
260

Other Decks in Technology

See All in Technology
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
130
The Role of Developer Relations in AI Product Success.
giftojabu1
1
150
Next.jsとNuxtが混在? iframeでなんとかする!
ypresto
1
130
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
2
230
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
110
"とにかくやってみる"で始めるAWS Security Hub
maimyyym
2
100
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
190
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
390
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
120

Featured

See All Featured
Typedesign – Prime Four
hannesfritz
40
2.4k
Unsuck your backbone
ammeep
668
57k
Scaling GitHub
holman
458
140k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Building an army of robots
kneath
302
43k
Building Your Own Lightsaber
phodgson
103
6.1k
Fireside Chat
paigeccino
34
3k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Build your cross-platform service in a week with App Engine
jlugia
229
18k

Transcript

  1. https:// .Security Version 1.0 Copyright 2022 by Stage 2 Security

    Outplay Your Adversary! Bryce Kunz // @TweekFawkes

  2. https:// .Security Version 1.0 Copyright 2022 by Stage 2 Security

    Cloud Red Teaming: Initial Access & Privilege Escalation

  3. Copyright 2022 by Stage 2 Security https:// .Security Who Am

    I? Go From Zero to Cloud Admin! • Globally Shared Resources • SSO Tokens & Browser Cookies • Cloud Native Phishing Agenda Privilege Escalation • Graph Database Technologies • IAM Roles • iam:PassRole • Basic Priv Esc Example via Graph DB • Common Priv Esc Access Vectors Cloud Lab Envs • - Tools & Techniques

  4. Copyright 2022 by Stage 2 Security https:// .Security WhoAmI Overview

  5. Copyright 2022 by Stage 2 Security https:// .Security Defense DHS

    SOC Offense NSA Red Team Adobe Digital Exp. (DX) Bryce Kunz; @TweekFawkes Services • Hack (Pentest) • Hunt (Splunk ES) • Train (Cloud Sec.)

  6. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  7. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  8. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  9. Copyright 2022 by Stage 2 Security https:// .Security AWS: •

    Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery …

  10. Copyright 2022 by Stage 2 Security https:// .Security BSidesSLC.org Hardware

    Badge by @professor__plum Friday Apr. 14th 2023 & Saturday Apr. 15th 2023 Salt Lake City, Utah https://BSidesSLC.org

  11. Copyright 2022 by Stage 2 Security https:// .Security BSidesSLC.org Hardware

    Badge by @professor__plum Friday Apr. 14th 2023 & Saturday Apr. 15th 2023 Salt Lake City, Utah https://BSidesSLC.org

  12. Copyright 2022 by Stage 2 Security https:// .Security Go From

    Zero to Cloud Admin! Overview

  13. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    External Resources Typical Steps: • Exploit App • Collect Creds • Reuse Creds Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS IAM Role AWS STS Temporary Credentials Temporary Credentials Policies Identities Global Cloud

  14. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Globally Shared Resources: • EC2 AMIs • EBS Snapshots • RDS Snapshots • etc… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances Global Cloud Secrets

  15. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Client-Side Vectors: • RCE • Cookies • Phishing • AiTM • Supply Chain • Social Engineering • Extensions • etc… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS IAM Role AWS STS Temporary Credentials Policies Identities Global Cloud Admin

  16. Copyright 2022 by Stage 2 Security https:// .Security Globally Shared

    Resources

  17. Copyright 2022 by Stage 2 Security https:// .Security Globally Public

    Resources AWS: • Amazon Machine Images (AMI) Snapshots • Elastic Block Storage (EBS) Snapshots • Amazon Relational Database Service (RDS) Snapshots • Serverless Application Repository Azure: • Azure Compute Gallery https://github.com/SummitRoute/aws_exposable_resources

  18. Copyright 2022 by Stage 2 Security https:// .Security Public Elastic

    Block Storage (EBS) Snapshots Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in. You may be surprised by all the passwords and secrets just laying around! https://github.com/BishopFox/dufflebag

  19. Copyright 2022 by Stage 2 Security https:// .Security SSO Tokens

    & Browser Cookies Client-Side

  20. Copyright 2022 by Stage 2 Security https:// .Security Overview Methods

    Include: • Malicious Browser Extension • Adversary-in-the-Middle (AiTM) Other Common Methods Include: • Malicious Documents (e.g. Office Macros) • Malicious Applications

  21. Copyright 2022 by Stage 2 Security https:// .Security Malicious Browser

    Extensions

  22. Copyright 2022 by Stage 2 Security https:// .Security Malicious Browser

    Extension Users Evil Server SSO / App TLS Browser

  23. Copyright 2022 by Stage 2 Security https:// .Security CursedChrome Red

    Team Toolkit Options https://github.com/mandatoryprogrammer/CursedChrome

  24. Copyright 2022 by Stage 2 Security https:// .Security ChatGPT-4 Build

    me an Extension please! :) https://www.linkedin.com/posts/danielperjesi_how-i-created-a-chrome-extension-with-chatgpt-activity-7021098555054432256-W3Kl

  25. Copyright 2022 by Stage 2 Security https:// .Security ChatGPT-4 Builds

    an Extension https://developer.chrome.com/docs/webstore/publish/

  26. Copyright 2022 by Stage 2 Security https:// .Security CursedChrome Backdoor

    the Extension https://www.youtube.com/watch?v=cdSXdwa5trc

  27. Copyright 2022 by Stage 2 Security https:// .Security Defense: Enterprise

    Policies (e.g. Chrome) Users Evil Server SSO / App TLS Browser https://github.com/mandatoryprogrammer/ChromeGalvanizer

  28. Copyright 2022 by Stage 2 Security https:// .Security Adversary-in-the-Middle (AiTM)

  29. Copyright 2022 by Stage 2 Security https:// .Security Adversary-in-the-Middle (AiTM)

    Users Evil Proxy SSO / App TLS TLS Browser

  30. Copyright 2022 by Stage 2 Security https:// .Security Phishing +

    AiTM Evil Proxy SSO / App TLS TLS Browser Users Email

  31. Copyright 2022 by Stage 2 Security https:// .Security Browser Access

    Evil Proxy SSO / App TLS TLS Browser Users Email Browser TLS

  32. Copyright 2022 by Stage 2 Security https:// .Security SaaS &

    Cloud Access Evil Proxy SSO / App TLS TLS Browser Users Email Browser TLS SaaS / CSP TLS

  33. Copyright 2022 by Stage 2 Security https:// .Security EDRs: Largely

    Ignore Browser Sessions! Evil Proxy SSO / App TLS TLS Browser Users Email Browser TLS SaaS / CSP TLS EDR EDR Cloud

  34. Copyright 2022 by Stage 2 Security https:// .Security AiTM Evilginx2

    https://github.com/kgretzky/evilginx2 https://github.com/drk1wi/Modlishka https://github.com/muraenateam/muraena https://github.com/ustayready/CredSniper Phishing GoPhish https://github.com/gophish/gophish https://github.com/pentestgeek/phishing-frenzy https://github.com/rsmusllp/king-phisher Red Team Toolkit Options

  35. Copyright 2022 by Stage 2 Security https:// .Security AiTM Evilginx2

    Phishing GoPhish Red Team Toolkit Options = EvilGoPhish https://github.com/fin3ss3g0d/evilgophish +

  36. Copyright 2022 by Stage 2 Security https:// .Security Defense: Incorrect

    FQDN Okta-Test.com Okta.com TLS TLS Browser Users Email Browser TLS SaaS / CSP TLS EDR EDR Cloud

  37. Copyright 2022 by Stage 2 Security https:// .Security Defense: FIDO2

    (Hardware/YubiKey) + WebAuthn Okta-Test.com Okta.com TLS TLS Browser Users Email Browser TLS SaaS / CSP TLS EDR EDR Cloud

  38. Copyright 2022 by Stage 2 Security https:// .Security One More

    Thing! Cloud Native Phishing

  39. Copyright 2022 by Stage 2 Security https:// .Security Scott Piper

    @0xdabbad00 Shout Out! https://tldrsec.com/blog/lesser-known-aws-attacks/

  40. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v1

  41. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Cloud Formation Template Stack Lambda Function

  42. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Click

    Link In Email https://us-east-1.console.aws.amazon.com/cloud formation/home?region=us-east-1#/stacks/create /review?templateURL=https://TODO_BUCKET_NAME.s 3.amazonaws.com/TODO_TEMPLATE_NAME.yml&stackNa me=TODO_STACK_NAME https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

  43. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role

  44. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother https://aws.amazon.com/blogs/devops/construct-your-own-launch-stack-url/

  45. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  46. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Attacker

    Needs Targets AWS Account ID# To Follow The Path Back

  47. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function AWS IAM Policies Role AWS SAM

  48. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  49. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother Sample

    Code https://github.com/TweekFawkes/SocialStackSetSmother

  50. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v0.0.1

    Areas for Improvement in v0.0.1: • CF Template Assumes the User Has the Permissions/Ability to: ◦ Create an IAM Role with “AdministratorAccess” policy attached ◦ Create & Execute a Lambda Function e.g. lambda:InvokeFunction • CF Template creates an IAM Role which contains the AWS Account ID# of the Attacker’s AWS Account, making it easy to report abuse to AWS • CF Template contains Python code which is easy to analyze and determine it looks suspicious ◦ Python Code also contains Attacker’s API GW URL • Phish contains link to Attacker’s Globally Unique S3 Bucket Name

  51. Copyright 2022 by Stage 2 Security https:// .Security SocialStackSetSmother v0.0.2

  52. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  53. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas to Remediate: • Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name • CDN to S3 Bucket to Mask Name • Find Another AWS User’s S3 Bucket with Misconfigured Permissions and Upload our CloudFormation.yaml Template to their S3 Bucket

  54. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml

  55. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  56. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml ❌ Invalid Input // No Object in S3 Bucket: https://tmnttime.s3.us-east-2.amazonaws.com/template-v0-0-0.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  57. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml ✅ Invalid Input // Invalid Scheme: bryce://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  58. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml ✅ Invalid Input // Invalid TCP Port: https://tmnttime.s3.us-east-2.amazonaws.com:2222/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  59. Copyright 2022 by Stage 2 Security https:// .Security Idea: Leverage

    an obfuscated url to mislead Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml ✅ Invalid Input // Invalid Protocol & TCP Port: ftp://tmnttime.s3.us-east-2.amazonaws.com:2222/template-v2-0-1.yaml Anyone going to ftp on port 2222 will be rejected but the AWS CF service will still deploy the malicious template. https://www.youtube.com/watch?v=nDei76dTTdY

  60. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml ❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”: https://[email protected]/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  61. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas to Remediate: • Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name • CDN to S3 Bucket to Mask Name • Find Another AWS User’s S3 Bucket with Misconfigured Permissions and Upload our CloudFormation.yaml Template to their S3 Bucket

  62. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas: CDN to S3 Bucket to Mask Name ✅ Valid Input: https://tmnttime.s3.us-east-2.amazonaws.com/template-v2-0-1.yaml ❌ Invalid Input // FQDN Not Containing “s3” & “amazonaws.com”: https://d111111abcdef8.cloudfront.net/template-v2-0-1.yaml https://www.youtube.com/watch?v=nDei76dTTdY

  63. Copyright 2022 by Stage 2 Security https:// .Security Phish Contains

    Link to Attacker’s S3 Bucket Name Ideas to Remediate: • Redirector (e.g. socat, reverse proxy, etc.) to S3 Bucket to Mask Name • CDN to S3 Bucket to Mask Name • Find Another AWS User’s S3 Bucket with Misconfigured Permissions and Upload our CloudFormation.yaml Template to their S3 Bucket

  64. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    - Client - #90210 AWS Account - Attacker - #31337 S3 EC2 SocialStackSetSmother Instances AWS IAM Role Policies Admin Public Object cf_template.yaml S3 Bucket API GW S3 Bucket Object results001.txt Endpoint Lambda Function Cloud Formation Template Stack Lambda Function Email AWS IAM Policies Role AWS SAM

  65. Copyright 2022 by Stage 2 Security https:// .Security Finding S3

    Buckets with Public PutObject Perms Crime Group: https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/

  66. Copyright 2022 by Stage 2 Security https:// .Security Thinking… Crime

    Group: https://www.zdnet.com/article/new-magecart-attacks-leverage-misconfigured-s3-buckets-to-infect-over-17k-sites/ This was in 2019… is something similar to this even still possible in 2023? If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket? Can anyone pull this off or is this something only a nation state will be able to execute on now?

  67. Copyright 2022 by Stage 2 Security https:// .Security AWS Serverless

    Application Model (SAM) https:/ /aws.amazon.com/serverless/build-a-web-app/

  68. Copyright 2022 by Stage 2 Security https:// .Security AWS Serverless

    Application Model (SAM) Infrastructure as Code Based on CloudFormation, but much simpler to implement common Serverless Application Models... https:/ /aws.amazon.com/serverless/sam/

  69. Copyright 2022 by Stage 2 Security https:// .Security AWS Serverless

    Application Model (SAM) The Serverless Application Model is commonly referred to as “SAM” in AWS documentation SAM is NOT an AWS Service, it’s more similar to Zappa or Terraform New Resource Types with SAM: • AWS::Serverless::Function -> AWS Lambda Functions • AWS::Serverless::Api -> AWS API Gateway APIs • AWS::Serverless::SimpleTable -> AWS Dynamo DB Tables https:/ /aws.amazon.com/serverless/sam/

  70. Copyright 2022 by Stage 2 Security https:// .Security Leverage SAM

    to Create... SAM: • template.yaml • app.py • etc. CloudFormation

  71. Copyright 2022 by Stage 2 Security https:// .Security SAM Template

    A simple AWS SAM application that triggers a Lambda function every 120 seconds using CloudWatch Events SAM Template: • CloudWatch Events ◦ Every 120 Seconds • Lambda ◦ Python 3.9 • Attach Policy to Enable: ◦ s3:PutObject to Specific bucketname e.g. sds3bn001 • Set Timeout to Max: ◦ 15 Minutes (900 Seconds)

  72. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 1 Create Random Bucket Names: • Generate an Random Bucket Name •

  73. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 2 Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names

  74. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 3 Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names Try 33x Random Names • 200 - S3 Bucket Exists • 403 - S3 Denied • 404 - S3 Does NOT Exist

  75. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    - Part 4 Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names Try 33x Random Names • 200 - S3 Bucket Exists • 403 - S3 Denied • 404 - S3 Does NOT Exist Write Results to S3 Bucket

  76. Copyright 2022 by Stage 2 Security https:// .Security Lambda Application

    Create Random Bucket Names: • Generate an Random Bucket Name • Ensure the Bucket Name meets the AWS requirements for S3 Bucket Names Try 33x Random Names • 200 - S3 Bucket Exists • 403 - S3 Denied • 404 - S3 Does NOT Exist Write Results to S3 Bucket

  77. Copyright 2022 by Stage 2 Security https:// .Security Cron via

    CloudWatch Events https:/ /docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html Cloud Watch Events - Every 120 seconds (*/2 * * * *) 33x 0-3 Second Delay w/ Max 15 Min ~ 300 Buckets (200s) in ~5 Days python3 requests https://' + sRandomString + '.s3.amazonaws.com HTTP 200 means the Bucket Exists SAM: • template.yaml • app.py • etc. CloudFormation

  78. Copyright 2022 by Stage 2 Security https:// .Security Cloud9 IDE

    https:/ /aws.amazon.com/cloud9/

  79. Copyright 2022 by Stage 2 Security https:// .Security PyCharm IDE

    https:/ /aws.amazon.com/blogs/aws/new-aws-toolkits-for-pycharm-intellij-preview-and-visual-studio-code-preview/

  80. Copyright 2022 by Stage 2 Security https:// .Security Processing Scripts

    002.py • Download all the objects from S3 • Combine the contents into one python list 003.py • Sort through the python list to find all the HTTP 200 Response Codes ◦ Meaning the S3 Bucket Exists and we have some level of access to it e.g. it’s a public bucket 004.py • Attempt to Upload an object with a .yml extension to the S3 Bucket • Double Check that we can access the object publicly via the Internet • If Successful, Attempt to Delete the Uploaded .yml Object And the Results…?

  81. Copyright 2022 by Stage 2 Security https:// .Security The Results?

    And the Results…? In approximately ~5 days it discovered around ~10 S3 buckets which are publicly accessible and anyone can upload a file to presumably host a malicious CloudFormation template :/

  82. Copyright 2022 by Stage 2 Security https:// .Security Answers… This

    was in 2019… is something similar to this even still possible in 2023? YES!

  83. Copyright 2022 by Stage 2 Security https:// .Security Answers… This

    was in 2019… is something similar to this even still possible in 2023? YES! If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket? A few hours of coding and ~5 days or less to run

  84. Copyright 2022 by Stage 2 Security https:// .Security Answers… This

    was in 2019… is something similar to this even still possible in 2023? YES! If it is possible, what would be the level of effort required before an attacker would be able to find a misconfigured S3 bucket where they could upload and/or modify an object hosted within the S3 Bucket? A few hours of coding and ~5 days or less to run Can anyone pull this off or is this something only a nation state will be able to execute on now? Anyone with basic python3 scripting skills and some AWS can pull this off.

  85. Copyright 2022 by Stage 2 Security https:// .Security What’s Next?

    April 1st - BSidesTampa - Will Upload Code Shorty - Twitter: @TweekFawkes April 14th - BSidesSLC - More Code Released to GitHub May 5th - BSidesAustin - More Code Released to GitHub

  86. Copyright 2022 by Stage 2 Security https:// .Security Contact Info

    Twitter: @TweekFawkes LinkedIn: https://www.linkedin.com/in/brycekunz/ Email: [email protected] Slide Decks: https://speakerdeck.com/tweekfawkes/ Code on GitHub: https://github.com/TweekFawkes/SocialStackSetSmother

  87. Copyright 2022 by Stage 2 Security https:// .Security Privilege Escalation

    Overview

  88. Copyright 2022 by Stage 2 Security https:// .Security Graph Database

    Technologies Overview

  89. Copyright 2022 by Stage 2 Security https:// .Security Why Graph

    DBs?

  90. Copyright 2022 by Stage 2 Security https:// .Security … Quickly

    Find Priv Esc Paths

  91. Copyright 2022 by Stage 2 Security https:// .Security … 1.

    Set The Goal

  92. Copyright 2022 by Stage 2 Security https:// .Security … 2.

    Generate Inbound Paths

  93. Copyright 2022 by Stage 2 Security https:// .Security … 3.

    Analyze the Paths for Access Vectors

  94. Copyright 2022 by Stage 2 Security https:// .Security But How

    Are All Those Lines Useful?

  95. Copyright 2022 by Stage 2 Security https:// .Security

  96. Copyright 2022 by Stage 2 Security https:// .Security IAM Roles

  97. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users & AWS Service RDS, &... Relational Database Service (RDS) DB Cluster Secrets

  98. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users & AWS Service RDS, &... Relational Database Service (RDS) DB Cluster Secrets Blocked! Requires… Action rds:Describe*

  99. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Roles Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies

  100. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Roles Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies Relational Database Service (RDS) DB Cluster Secrets

  101. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies

  102. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro AWS IAM Roles & Policies Relational Database Service (RDS) DB Cluster Secrets

  103. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users & IAM Roles

  104. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal arn…user/joe Action sts:AssumeRole Permissions Policy What can be done with the role Action rds:Describe* Resource * Role rds-ro Permissions Policy Action sts:AssumeRole Resource arn…role/rds-ro IAM User joe AWS IAM Users, IAM Roles, & AWS Services Relational Database Service (RDS) DB Cluster Secrets

  105. Copyright 2022 by Stage 2 Security https:// .Security iam:PassRole

  106. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia App on EC2 Instance, Needs S3 Objects, &... Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets

  107. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia App on EC2 Instance, Needs S3 Objects, &... Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets Blocked! Requires… Action s3:Get*

  108. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    IAM Users Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro Identity and Access Management (IAM)

  109. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro

  110. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro Blocked! Requires… Action iam:PassRole*

  111. Copyright 2022 by Stage 2 Security https:// .Security Create a

    Policy Allowing Pass Role Instances

  112. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * IAM User rydia Attach Role to Instance, &… Simple Storage Service (S3) AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro New Policy pass-ec2-s3-ro

  113. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * pass-ec2-s3-ro IAM User rydia S3 Bucket Policies & S3 ACLs S3 AWS EC2 Instances App Objects Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro S3 Bucket Policies S3 ACLs S3 Bucket

  114. Copyright 2022 by Stage 2 Security https:// .Security AWS Account

    Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * pass-ec2-s3-ro IAM User rydia Attach Role to Instance, &… AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro S3 S3 Bucket Policies S3 ACLs

  115. Copyright 2022 by Stage 2 Security https:// .Security S3 AWS

    Account Identity and Access Management (IAM) IAM Users IAM Roles Trust Policy aka “AssumeRolePolicy” Who can assume the role Principal Service EC2 Action sts:AssumeRole Permissions Policy What can be done with the role AmazonS3ReadOnlyAccess Resource * Role ec2-s3-ro Permissions Policy AmazonEC2FullAccess Resource * pass-ec2-s3-ro IAM User rydia Attach Role to Instance, &… AWS EC2 Instances App Objects S3 Bucket Secrets IAM Instance Profile Instance Profile ec2-s3-ro Role ec2-s3-ro S3 Bucket Policies S3 ACLs

  116. Copyright 2022 by Stage 2 Security https:// .Security Basic Priv

    Esc Example via Graph DB

  117. Copyright 2022 by Stage 2 Security https:// .Security … 1.

    Set The Goal

  118. Copyright 2022 by Stage 2 Security https:// .Security … 2.

    Generate Inbound Paths

  119. Copyright 2022 by Stage 2 Security https:// .Security … 3.

    Analyze the Paths for Access Vectors

  120. Copyright 2022 by Stage 2 Security https:// .Security … IAM

    Policy with * Permissions!

  121. Copyright 2022 by Stage 2 Security https:// .Security … Role

    w/ Trust Policy allowing EC2

  122. Copyright 2022 by Stage 2 Security https:// .Security … Instance

    Profile to Role

  123. Copyright 2022 by Stage 2 Security https:// .Security … iam:PasRole

    Permissions within Policy

  124. Copyright 2022 by Stage 2 Security https:// .Security … IAM

    User with Permissions Policy

  125. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  126. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  127. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  128. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  129. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  130. Copyright 2022 by Stage 2 Security https:// .Security Create New

    EC2 Instance w/ Role Attached Instance Role Temporary Credentials Policies Instance Profile Simple Storage Service (S3) Objects S3 Bucket Secrets Elastic Compute Cloud (EC2) AWS IAM

  131. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  132. Copyright 2022 by Stage 2 Security https:// .Security Get Access

    To EC2 Instance via Connect Back to NC Instance Role Temporary Credentials Policies Instance Profile User Data Launch Script Simple Storage Service (S3) Objects S3 Bucket Secrets Elastic Compute Cloud (EC2) AWS IAM NetCat Listener

  133. Copyright 2022 by Stage 2 Security https:// .Security C2 via

    NetCat Instance Role Temporary Credentials Policies Instance Profile Simple Storage Service (S3) Objects S3 Bucket Secrets C2 Elastic Compute Cloud (EC2) AWS IAM NetCat Listener

  134. Copyright 2022 by Stage 2 Security https:// .Security …

  135. Copyright 2022 by Stage 2 Security https:// .Security Elastic Compute

    Cloud (EC2) Access Metadata via Curl 169.254. 169.254 Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Simple Storage Service (S3) Objects S3 Bucket Secrets C2

  136. Copyright 2022 by Stage 2 Security https:// .Security Elastic Compute

    Cloud (EC2) Access Metadata via Curl 169.254. 169.254 To Collect Creds! Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Temporary Credentials Simple Storage Service (S3) Objects S3 Bucket Secrets C2

  137. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  138. Copyright 2022 by Stage 2 Security https:// .Security Elastic Compute

    Cloud (EC2) Configure aws cli Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Temporary Credentials Simple Storage Service (S3) Objects S3 Bucket Secrets C2

  139. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  140. Copyright 2022 by Stage 2 Security https:// .Security Elastic Compute

    Cloud (EC2) Reuse Creds for S3 Access! Instance AWS IAM Role Temporary Credentials Policies Instance Profile NetCat Listener Metadata Service Temporary Credentials Simple Storage Service (S3) Objects S3 Bucket Secrets C2

  141. Copyright 2022 by Stage 2 Security https:// .Security … Compromise

    of “privesc3-…” User… To Admin Access!

  142. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors

  143. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources

  144. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc…

  145. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc…

  146. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole

  147. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole PassRole Policies iam:PassRole + Processing Data

  148. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs

  149. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs Lambda lambda:UpdateFunctionCode lambda:PublishLayerVersion + Function w/ Role

  150. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs SSM & EC2 SendCommand StartSession + Instance Profile w/ Role Lambda lambda:UpdateFunctionCode lambda:PublishLayerVersion + Function w/ Role

  151. Copyright 2022 by Stage 2 Security https:// .Security Common Priv

    Esc Access Vectors IAM Permissions Manipulating Resources Users iam:CreateAccessKey iam:UpdateLoginProfile iam:AddUserToGroup etc… Permissions Policies iam:CreatePolicyVersion iam:SetDefaultPolicyVersion iam:Attach*Policy iam:Put*Policy etc… AssumeRole Policies iam:UpdateAssumeRolePolicy + sts:AssumeRole Resources Processing Data PassRole Policies iam:PassRole + Processing Data Create New Affect Inputs SSM & EC2 SendCommand StartSession + Instance Profile w/ Role Lambda lambda:UpdateFunctionCode lambda:PublishLayerVersion + Function w/ Role AWS Services Numerous… e.g. w/ a Role

  152. Copyright 2022 by Stage 2 Security https:// .Security Cloud Lab

    Envs Overview

  153. Copyright 2022 by Stage 2 Security https:// .Security Why? TL;DR:

    • Learn by Hands-on Experience • Be Able to Talk To Experience in Interviews • Be Able to Mentor Others on Common TTPs ◦ Tactics, Techniques, and Procedures (TTPs)

  154. Copyright 2022 by Stage 2 Security https:// .Security Why? TL;DR:

    • Learn by Hands-on Experience • Be Able to Talk To Experience in Interviews • Be Able to Mentor Others on Common TTPs ◦ Tactics, Techniques, and Procedures (TTPs)

  155. Copyright 2022 by Stage 2 Security https:// .Security AiTM Evilginx2

    • https://cloud.hacktricks.xyz/pentesting-cloud/aws-security • https://github.com/BishopFox/iam-vulnerable • https://github.com/RhinoSecurityLabs/cloudgoat • https://github.com/bridgecrewio/terragoat • https://github.com/nccgroup/sadcloud • https://hackingthe.cloud/aws/capture_the_flag/cicdont • https://github.com/ine-labs/AWSGoat Vulnerable Lab Environments CloudGoat

  156. Copyright 2022 by Stage 2 Security https:// .Security TL;DR: •

    Focused on AWS’s IAM Service ◦ Identity and Access Management (IAM) • Deploys via Terraform • 31 Privilege Escalation Paths • GitHub Links to Solutions • Great for Testing GraphDB Tools (e.g. AWSpx, PMapper, etc.) • REF: https://github.com/BishopFox/iam-vulnerable Iam Vulnerable

  157. Copyright 2022 by Stage 2 Security https:// .Security CloudGoat TL;DR:

    • Focused on AWS ◦ Resources: Lambda, EC2, S3, etc. ◦ + Identity and Access Management (IAM) • Deploys via Terraform • 12 Scenarios • Solutions are easily Google-able • Great for Reference or Testing Specific Technique/Tools (e.g. Pacu) • REF: https://github.com/RhinoSecurityLabs/cloudgoat CloudGoat

  158. Copyright 2022 by Stage 2 Security https:// .Security SadCloud TL;DR:

    • Focused on AWS ◦ Resources: Lambda, EC2, S3, etc. ◦ + Identity and Access Management (IAM) • Deploys via Terraform • 84 Misconfigurations • Great for Testing Cloud Vuln Scan Tools (e.g. ScoutSuite) • REF: https://github.com/nccgroup/sadcloud

  159. Copyright 2022 by Stage 2 Security https:// .Security AzureGoat TL;DR:

    • Focused on Azure • REF: https://github.com/ine-labs/AzureGoat

  160. Copyright 2022 by Stage 2 Security https:// .Security GCPGoat TL;DR:

    • Focused on GCP • Good for 101 Basics… Needs More Complex Scenarios • REF: https://gcpgoat.joshuajebaraj.com/

  161. Copyright 2022 by Stage 2 Security https:// .Security Others REFs

    • https://hackingthe.cloud/aws/capture_the_flag/cicdont/ • https://github.com/nccgroup/sadcloud • https://github.com/bridgecrewio/terragoat • https://github.com/ine-labs/AWSGoat • http://flaws.cloud/ • http://flaws2.cloud/

  162. Copyright 2022 by Stage 2 Security https:// .Security Tools &

    Techniques Overview

  163. Copyright 2022 by Stage 2 Security https:// .Security Guides •

    https://cloud.hacktricks.xyz/pentesting-cloud/ • https://pentestbook.six2dez.com/enumeration/cloud/ • https://github.com/dafthack/CloudPentestCheatsheets • PayloadsAllTheThings: ◦ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology %20and%20Resources/Cloud%20-%20AWS%20Pentest.md ◦ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology %20and%20Resources/Cloud%20-%20Azure%20Pentest.md • https://github.com/vengatesh-nagarajan/Cloud-pentest • https://github.com/CyberSecurityUP/Awesome-Cloud-PenTest • https://github.com/kh4sh3i/cloud-penetration-testing

  164. Copyright 2022 by Stage 2 Security https:// .Security … Visualization

    Tools • https://github.com/nccgroup/PMapper • https://github.com/Azure/Stormspotter • https://github.com/duo-labs/cloudmapper • https://github.com/WithSecureLabs/awspx • https://github.com/SygniaLabs/security-cloud-scout • https://github.com/BloodHoundAD/BloodHound • https://pentestbook.six2dez.com/enumeration/cloud/azure Steps: 1. Collection 2. Processing 3. Analysis

  165. Copyright 2022 by Stage 2 Security https:// .Security Tailored Collection

    & Processing + Neo4j GraphDB Aws Cloud Capability Tool (ACCT)

  166. Copyright 2022 by Stage 2 Security https:// .Security Contact Info

    Twitter: @TweekFawkes LinkedIn: https://www.linkedin.com/in/brycekunz/ Email: [email protected] Slide Decks: https://speakerdeck.com/tweekfawkes/ Code on GitHub: https://github.com/TweekFawkes/SocialStackSetSmother

  167. Copyright 2022 by Stage 2 Security https:// .Security Trainings @

    BlackHat & On-Site! Thank You! [email protected] .sh @TweekFawkes

  168. Copyright 2022 by Stage 2 Security https:// .Security End Overview