
Mining Cloud Resources for Initial Access via Serverless Services

Presented at SaintCon in Utah on October 21st 2021.

Cloud (AWS, Azure, GCP, etc.) providers make the sharing of resources as easy and convenient as the push of a button, but how often do users unintentionally also share sensitive information which would enable an attacker and/or red teamer to gain a foothold into the targeted cloud environment? Join us in this action-packed session, where we will explore a few practical cloud-centric attack vectors, which may have disastrous consequences for unprepared organizations.

TweekFawkes

October 21, 2021
Transcript

  1. Relentlessly Secure. Mining Cloud Resources For Initial Access

  2. Introduction

  3. About Me: Bryce Kunz (@TweekFawkes). Defense: DHS SOC. Offense: NSA Red Team, Adobe DX.
  4. Cloud Security Challenges: • Borderless networks with continuously evolving workloads and data • Alert and vulnerability fatigue • Constant threats and public exploits (ransomware) • Manual, inconsistent processes often relying on legacy attack surface discovery and identification techniques • Explosion of cloud and container workloads with security tools in use that were not designed to work together • Difficulty rising above the daily firefighting to track KPIs and drive improvement • Global talent shortage
  5. Attack. Detect. Defend. Repeat. In cybersecurity there are only two teams, and it’s not red and blue. It’s the good guys and the bad guys. At S2, we break down the barriers between red team and blue team so threats don’t break down your defenses. We simulate the advanced threats your enterprise faces and automate detection and response, all in one Adversary Simulation/Detection and Response platform, MAGE. With continuous red team, we find the latest vulnerabilities, not just the threats bad actors know you know about. And with as-a-service offerings, it’s expertise that protects your enterprise and your budget.
  6. Red Teaming as a Service: OSINT External Analysis (EASM), Cloud Analysis (CSPM) • OSINT++, Secrets in Repos • Subdomain Takeovers • Breached Creds, Dark CTI • Service & Port Discovery • Web App Enumeration, IoT • Weak Credential Checks • Public Service Discovery • Access Misconfigurations • Best Practices (e.g. CIS). Client Experience: Targeting & Analysis, Interactive Operations.
  7. Red Teaming as a Service

  8. Red Teaming as a Service

  9. PTaaS/RTaaS – Continuous Testing

  10. Agenda

  11. Agenda: • Compute Services • AWS Account IDs • AWS SAM • Finding Account IDs w/ SAM • List EBS Snapshots • EBS Snapshot Metadata • EBS Snapshot Mining • EBS Snapshot Direct Downloads • AMIs • RDS • Other Services • Cloud Redirection • Logging Disruption • Conclusion
  12. Prior Research & Tools: • Many blogs, etc. • TechTarget, RedLock, etc. • BF/Dufflebag, Rhino, etc. • PA Unit42/Crypsis, etc. • AWS Docs: “Share an ... EBS snapshot”, “…EBS direct APIs...” • AWS Labs: ColdSnap, etc. New Research/Tools vs Prior Research. New Content & Tools (GitHub.com/Stage2Sec/CaptureTheCloud/Mining/): • createListsOfPublicEbsSnapshots.py • createMetadataOfPublicEbsSnapshots.py • downloadEbsSnapshotViaDirectAPIs.py
  13. Compute Services

  14. What is EC2? Elastic Compute Cloud (EC2) • Virtual Servers service (diagram: EC2 instances inside an AWS account)
  15. What is EBS? Elastic Block Store (EBS) • Block-storage service designed for EC2 (diagram: EBS alongside the EC2 instances in the AWS account)
  16. What is an EBS Volume? EBS Volume • Disk attached to an EC2 instance (diagram: an EBS volume attached to an EC2 instance)
  17. What is an EBS Snapshot? EBS Snapshot • A point-in-time copy of the data (diagram: a snapshot taken from the EBS volume)
  18. What is an EBS Snapshot? EBS Snapshot • A point-in-time copy of the data • Incremental backups: only the blocks on the device that have changed AFTER your most recent snapshot are saved (diagram: a snapshot taken from the EBS volume)
  19. Sharing EBS Snapshots. EBS snapshot sharing options: • Globally • By AWS Account ID (diagram: the snapshot shared out of the AWS account to the global cloud) https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  20. Sharing Snapshots? (diagram: the snapshot shared out of the AWS account to the global cloud) https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  21. Sharing EBS Snapshots. Sharing considerations: • Snapshots are constrained to the Region in which they were created • You can share only unencrypted snapshots publicly https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  22. AWS: ACCOUNT IDS

  23. AWS Account IDs …

  24. Known Attacks via Knowing Account IDs: AWS error messages disclose whether or not a role exists for a given Account ID. Role names can disclose: • AWS services being used • Software & technologies being used • Names of IAM users (social engineering) • 3rd-party integrations being used (Okta, Datadog, Cloudsploit, etc.). Once roles are enumerated, one can try to assume any open roles and pilfer the role credentials. The same attack vector applies to IAM usernames. https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ https://rhinosecuritylabs.com/aws/aws-iam-user-enumeration/ https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_iam_principals.py
  25. Known Ways to Discover Account IDs, including but not limited to: • Compromise a resource (e.g. Lambda, etc.) • Public resources (e.g. Snapshots, AMI, etc.) • Source code review (e.g. GitHub) • Error messages from services • Screenshots and/or documentation • Forums and/or discussion boards • etc. …
  26. Known Ways to Discover Account IDs: By default, the login URL for the web console includes the Account ID as a subdomain. The subdomain returns different HTTP response codes depending on whether a login page exists. NOTE: the URL can be changed by the owner of the AWS account, and this is done somewhat frequently. https://github.com/dagrz/aws_pwn/blob/master/miscellanea/Kiwicon%202016%20-%20Hacking%20AWS%20End%20to%20End.pdf
  27. Public Resources, e.g. sharing EBS snapshots… …also shares the Account ID globally. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  28. AWS: SAM

  29. Serverless Application Model (SAM) https://aws.amazon.com/serverless/build-a-web-app/

  30. Cloud9 IDE: AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser. https://aws.amazon.com/cloud9/
  31. API Gateway: API proxy (HTTP or REST) as a managed service. https://aws.amazon.com/api-gateway/
  32. Lambda https://aws.amazon.com/lambda/ AWS Scripts as a managed service

  33. Lambda & API GW (diagram: request path Curl -> API GW -> Lambda, response path Curl <- API GW <- Lambda)
  34. 2020: SaintCon

  35. 2020 SaintCon: Finding Accounts https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html

  36. 2020 SaintCon: Video w/ More Information… SaintCon.org, Oct 18th-22nd. https://www.youtube.com/watch?v=oFgAQ0hSCOg
  37. List EBS Snapshots

  38. Listing, e.g. sharing EBS snapshots… …also shares the Account ID globally. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  39. Boto3 Script: Script to list public EBS snapshots in each Region using Python & the Boto3 SDK. https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py
  40. Boto3 Script output fields: Account ID#, Snap-#, Enc, Region, Date. https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py
  41. GitHub.com/Stage2Sec: https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py
  42. EBS Snapshot Metadata

  43. Metadata, e.g. sharing EBS snapshots… …also shares the Account ID globally… …& metadata about each snapshot… https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  44. Metadata, e.g. sharing EBS snapshots… …also shares the Account ID globally… …& metadata about each snapshot… https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  45. Metadata, e.g. sharing EBS snapshots… …also shares the Account ID globally… …& metadata about each snapshot… https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py
  46. Search Metadata, e.g. sharing EBS snapshots… …also shares the Account ID globally… …& metadata about each snapshot… https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py
  47. GitHub.com/Stage2Sec: https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py
  48. EBS Snapshots Mining

  49. Defcon 2019 / DuffleBag: https://www.youtube.com/watch?v=-LGR63yCTts
  50. EBS Snapshot Direct Downloads

  51. EBS Direct DL APIs: Newer AWS APIs enable direct download of EBS snapshots. See ColdSnap by AWS & other projects. https://github.com/awslabs/coldsnap

  52. EBS Direct DL APIs: Newer AWS APIs enable direct download of EBS snapshots. See ColdSnap by AWS & other projects. https://github.com/awslabs/coldsnap

  53. EBS Direct DL APIs: Newer AWS APIs enable direct download of EBS snapshots. See ColdSnap by AWS & other projects. https://github.com/awslabs/coldsnap
  54. GitHub.com/Stage2Sec: https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/downloadEbsSnapshotViaDirectAPIs.py
  55. AMI

  56. What is an AMI? Amazon Machine Image (AMI) • Information to launch an EC2 instance. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
  57. Public AMIs? Amazon Machine Image (AMI) • Information to launch an EC2 instance. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html

  58. Public AMIs? Amazon Machine Image (AMI) • Information to launch an EC2 instance. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html
  59. RDS

  60. What is RDS? Relational Database Service (RDS) • Relational database in the cloud. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
  61. What is an RDS Snapshot? RDS Snapshot • RDS creates a storage volume snapshot of your DB instance • Backing up the entire DB instance and not just individual databases. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html
  62. Public RDS Snapshots? Relational Database Service (RDS) • Relational database in the cloud. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

  63. Public RDS Snapshots? Relational Database Service (RDS) • Relational database in the cloud. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
  64. Other Public Resources

  65. Other Public Resources? https://github.com/SummitRoute/aws_exposable_resources Includes: • ECR • Lambda • SAR • Vault • KMS • MediaStore • SNS/SQS • FPGA • etc…
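The listing scripts on slides 39-47 enumerate what other accounts have shared; the same describe calls, turned inward, tell you what your own account is exposing. The following is an added example, not the deck's or Stage2Sec's CaptureTheCloud code: it audits one region for public EBS snapshots (slides 39-41, with the unencrypted-only rule from slide 21 surfaced as a field), public AMIs (slides 56-58) and public RDS snapshots (slides 61-63) using documented boto3 EC2/RDS calls. The FakeEc2 and FakeRds classes and every identifier they return are constructed stand-ins so the logic runs offline; audit() accepts real boto3 clients unchanged.

```python
"""Audit one AWS region for resources this account shares with everyone:
public EBS snapshots, public AMIs and public RDS snapshots.

Added example, not the deck's CaptureTheCloud tooling. Only documented boto3
EC2/RDS calls are used. FakeEc2/FakeRds and every identifier they return are
constructed sample data so the audit runs offline; with real clients the call
is simply audit(boto3.client("ec2"), boto3.client("rds"), region)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    service: str               # "ebs-snapshot", "ami" or "rds-snapshot"
    resource_id: str
    region: str
    encrypted: Optional[bool]  # None where the API gives no single flag (AMIs)


def public_ebs_snapshots(ec2, region: str) -> List[Finding]:
    """Snapshots owned by this account that any AWS user may restore.
    CLI equivalent: aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all"""
    findings, token = [], None
    while True:  # DescribeSnapshots pages with NextToken
        kwargs = {"OwnerIds": ["self"], "RestorableByUserIds": ["all"]}
        if token:
            kwargs["NextToken"] = token
        page = ec2.describe_snapshots(**kwargs)
        for snap in page["Snapshots"]:
            findings.append(Finding("ebs-snapshot", snap["SnapshotId"], region,
                                    snap.get("Encrypted", False)))
        token = page.get("NextToken")
        if not token:
            return findings


def public_amis(ec2, region: str) -> List[Finding]:
    """AMIs owned by this account that everyone may launch."""
    resp = ec2.describe_images(Owners=["self"], ExecutableUsers=["all"])
    return [Finding("ami", img["ImageId"], region, None) for img in resp["Images"]]


def public_rds_snapshots(rds, region: str) -> List[Finding]:
    """Manual RDS snapshots whose 'restore' attribute includes the 'all' group.
    Automated snapshots cannot be shared, so only manual ones are inspected."""
    findings, marker = [], None
    while True:  # DescribeDBSnapshots pages with Marker
        kwargs = {"SnapshotType": "manual"}
        if marker:
            kwargs["Marker"] = marker
        page = rds.describe_db_snapshots(**kwargs)
        for snap in page["DBSnapshots"]:
            ident = snap["DBSnapshotIdentifier"]
            attrs = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=ident)
            for attr in attrs["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]:
                if attr["AttributeName"] == "restore" and "all" in attr["AttributeValues"]:
                    findings.append(Finding("rds-snapshot", ident, region,
                                            snap.get("Encrypted", False)))
        marker = page.get("Marker")
        if not marker:
            return findings


def audit(ec2, rds, region: str) -> List[Finding]:
    """Everything in this region that is shared with the 'all' group."""
    return (public_ebs_snapshots(ec2, region) + public_amis(ec2, region)
            + public_rds_snapshots(rds, region))


class FakeEc2:
    """Constructed stand-in: two pages of public snapshots and one public AMI."""
    def describe_snapshots(self, OwnerIds, RestorableByUserIds, NextToken=None):
        if NextToken is None:
            return {"Snapshots": [{"SnapshotId": "snap-0aaa111", "Encrypted": False}],
                    "NextToken": "page-2"}
        return {"Snapshots": [{"SnapshotId": "snap-0bbb222", "Encrypted": False}]}

    def describe_images(self, Owners, ExecutableUsers):
        return {"Images": [{"ImageId": "ami-0ccc333"}]}


class FakeRds:
    """Constructed stand-in: one snapshot shared with 'all', one with a single (sample) account."""
    _restore = {"prod-backup-2021": ["all"], "dev-backup-2021": ["123456789012"]}

    def describe_db_snapshots(self, SnapshotType, Marker=None):
        return {"DBSnapshots": [{"DBSnapshotIdentifier": s, "Encrypted": False}
                                for s in self._restore]}

    def describe_db_snapshot_attributes(self, DBSnapshotIdentifier):
        return {"DBSnapshotAttributesResult": {"DBSnapshotAttributes": [
            {"AttributeName": "restore",
             "AttributeValues": self._restore[DBSnapshotIdentifier]}]}}


if __name__ == "__main__":
    for f in audit(FakeEc2(), FakeRds(), "us-east-1"):
        print(f"{f.service:13} {f.resource_id:18} {f.region}  encrypted={f.encrypted}")
```

Run it per region (snapshots are region-scoped, slide 21), and treat any finding as a public share of the Account ID as well as the data, since the snapshot record carries the owner's account ID (slide 27).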
  66. AWS: Cloud Redir

  67. Post Exploitation Toolkit. Post-Exploitation Offensive Operator Toolkit § Custom process injection & AV evasion § Stay hidden & undetected on endpoints § Memory-only scripting & binaries § Python, C#, PowerShell, .NET § PEs, DLLs, ELFs, SOs, Mach-Os, Bundles § Lateral movement § Active Directory enumeration (i.e. BloodHound / SharpHound) § Kerberoasting, Pass-The-Hash, WMI, etc. § Infinite pivoting/chaining § Enabling access to systems otherwise inaccessible from the Internet § Cross platform § MacOS, Linux, Windows (x86) § Android, iOS, IoT (ARM) § Team collaboration, multi-threading. Stage2Sec.com/Voodoo
  68. Intro to Community Edition of VooDoo: https://www.stage2sec.com/voodoo Ref: https://www.youtube.com/watch?v=NY1AODrBv6Y

  69. API Gateway: Trusted Domains & Certs https://github.com/Stage2Sec/CaptureTheCloud/boomerangApi-v0_2.py

  70. API Gateway: Curl Test https://github.com/Stage2Sec/CaptureTheCloud/boomerangApi-v0_2.py

  71. API Gateway: C2 via VooDoo https://github.com/Stage2Sec/CaptureTheCloud/boomerangApi-v0_2.py

  72. AWS: Log Disruption

  73. CloudTrail …

  74. CloudTrail: Buffering …

  75. CloudTrail: Suspicious Notable …

  76. CloudTrail: DeleteTrail …

  77. Delete & Create w/ Attacker Bucket …

  78. Disrupting AWS Logs: https://www.youtube.com/watch?v=V0EytWYrpw8&t=437s
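Slides 72-78 cover the log-disruption side: stopping or deleting a trail, and the "delete & create with attacker bucket" variant that keeps a trail of the same name while delivering logs elsewhere. The following is an added example, not the deck's code, of the detection a defender wants for those events: it classifies CloudTrail management records by eventName, escalates any CreateTrail/UpdateTrail whose s3BucketName is outside an approved set, and correlates a DeleteTrail followed by a CreateTrail from the same principal. The sample records are constructed in CloudTrail's JSON shape (the principals, trail name and bucket names are made up), and the approved-bucket set is an assumption.

```python
"""Flag CloudTrail management events that disrupt logging.

Added example, not the deck's code. SAMPLE_LOG is constructed in CloudTrail's
record shape; APPROVED_LOG_BUCKETS is an assumption about your environment."""
import json
from datetime import datetime

APPROVED_LOG_BUCKETS = {"corp-cloudtrail-logs"}  # assumption: where your trails should deliver

# Trail-changing API calls and a baseline severity for each.
TRAIL_EVENTS = {
    "StopLogging": "high",
    "DeleteTrail": "high",
    "UpdateTrail": "medium",
    "PutEventSelectors": "medium",
    "CreateTrail": "low",
}


def classify(record):
    """Return (severity, reason) for a disruptive CloudTrail record, else None."""
    if record.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    name = record.get("eventName")
    if name not in TRAIL_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    trail = params.get("name", "?")
    bucket = params.get("s3BucketName")
    if bucket and bucket not in APPROVED_LOG_BUCKETS:
        # A trail re-pointed at an unknown bucket delivers logs somewhere you do not read.
        return ("high", f"{name}: trail {trail} now delivers to unapproved bucket {bucket}")
    return (TRAIL_EVENTS[name], f"{name} on trail {trail}")


def scan(lines):
    """Parse JSON records (one per line) and collect the alerts."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict is None:
            continue
        alerts.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "actor": rec["userIdentity"]["arn"],
            "event": rec["eventName"],
            "severity": verdict[0],
            "reason": verdict[1],
        })
    return alerts


def delete_then_create(alerts, window_seconds=600):
    """DeleteTrail followed by CreateTrail from the same principal within the window."""
    deletes = [a for a in alerts if a["event"] == "DeleteTrail"]
    creates = [a for a in alerts if a["event"] == "CreateTrail"]
    pairs = []
    for d in deletes:
        for c in creates:
            delta = (c["time"] - d["time"]).total_seconds()
            if c["actor"] == d["actor"] and 0 <= delta <= window_seconds:
                pairs.append((d, c))
    return pairs


def _rec(time, name, actor, params, source="cloudtrail.amazonaws.com"):
    """Build one constructed CloudTrail record as a JSON line."""
    return json.dumps({"eventTime": time, "eventSource": source, "eventName": name,
                       "awsRegion": "us-east-1",
                       "userIdentity": {"type": "IAMUser", "arn": actor},
                       "requestParameters": params})


ALICE = "arn:aws:iam::123456789012:user/alice"  # constructed sample principals
BOB = "arn:aws:iam::123456789012:user/bob"

SAMPLE_LOG = [
    _rec("2021-10-21T18:00:00Z", "DescribeTrails", BOB, {}),
    _rec("2021-10-21T18:01:30Z", "RunInstances", BOB, {}, source="ec2.amazonaws.com"),
    _rec("2021-10-21T18:03:50Z", "StopLogging", ALICE, {"name": "org-trail"}),
    _rec("2021-10-21T18:04:05Z", "DeleteTrail", ALICE, {"name": "org-trail"}),
    _rec("2021-10-21T18:05:10Z", "CreateTrail", ALICE,
         {"name": "org-trail", "s3BucketName": "not-our-bucket-7f3a"}),
    _rec("2021-10-21T18:20:00Z", "UpdateTrail", BOB,
         {"name": "org-trail", "s3BucketName": "corp-cloudtrail-logs"}),
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['time']:%H:%M:%S} {a['severity']:6} {a['actor']}  {a['reason']}")
    for d, c in delete_then_create(found):
        print(f"delete-then-create by {d['actor']} within {(c['time'] - d['time']).seconds}s")
```

Note that slide 74 ("CloudTrail: Buffering") is why the correlation uses a time window rather than adjacency: trail events reach the bucket in batches, so the DeleteTrail and CreateTrail records need not arrive together.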

  79. Conclusion

  80. S2 Secure Cloud MSS: Red Team-as-a-Service, MDR and risk management in a single platform. Outcomes: prioritized vulnerabilities, alerts and IMMINENT RISK. Create consistent, automated processes and slash discovery & response times whether in cloud, container or on-premise. Orchestrated platform of managed services that work together. Track, measure and improve your security risk posture. Focus on reducing IMMINENT RISK.
  81. PTaaS/RTaaS – Continuous Testing

  82. Thank You! Bryce@Stage2Sec.com Bryce Kunz @TweekFawkes. Trainings: Hands-On Cloud Red Teaming. Code: Github.com/Stage2Sec/CaptureTheCloud. Slides: SpeakerDeck.com/TweekFawkes
  83. Thank You Bryce@Stage2Sec.com