

TweekFawkes
October 21, 2021

Mining Cloud Resources for Initial Access via Serverless Services

Presented at SaintCon in Utah on October 21st 2021.


Cloud (AWS, Azure, GCP, etc.) providers make the sharing of resources as easy and convenient as the push of a button, but how often do users unintentionally also share sensitive information which would enable an attacker and/or red teamer to gain a foothold into the targeted cloud environment? Join us in this action-packed session, where we will explore a few practical cloud-centric attack vectors, which may have disastrous consequences for unprepared organizations.



Transcript

  1. Cloud Security Challenges
     • Borderless networks with continuously evolving workloads and data
     • Alert and vulnerability fatigue
     • Constant threats and public exploits (ransomware)
     • Manual, inconsistent processes often relying on legacy attack surface discovery and identification techniques
     • Explosion of cloud and container workloads with security tools in use that were not designed to work together
     • Difficulty rising above the daily firefighting to track KPIs and drive improvement
     • Global talent shortage
  2. Attack. Detect. Defend. Repeat. In cybersecurity there are only two teams, and it’s not red and blue. It’s the good guys and the bad guys. At S2, we break down the barriers between red team and blue team so threats don’t break down your defenses. We simulate the advanced threats your enterprise faces and automate detection and response, all in one Adversary Simulation/Detection and Response platform, MAGE. With continuous red-team, we find the latest vulnerabilities, not just the threats bad actors know you know about. And with as-a-service offerings, it’s expertise that protects your enterprise and your budget.
  3. Red Teaming as a Service: OSINT, External Analysis (EASM), Cloud Analysis (CSPM)
     • OSINT++, Secrets in Repos
     • Subdomain Takeovers
     • Breached Creds, Dark CTI
     • Service & Port Discovery
     • Web App Enumeration, IoT
     • Weak Credential Checks
     • Public Service Discovery
     • Access Misconfigurations
     • Best Practices (e.g. CIS)
     Client Experience: Targeting & Analysis, Interactive Operations
  4. Agenda
     • Compute Services
     • AWS Account IDs
     • AWS SAM
     • Finding Account IDs w/ SAM
     • List EBS Snapshots
     • EBS Snapshot Metadata
     • EBS Snapshot Mining
     • EBS Snapshot Direct Downloads
     • AMIs
     • RDS
     • Other Services
     • Cloud Redirection
     • Logging Disruption
     • Conclusion
  5. Prior Research & Tools
     • Many blogs, etc.: TechTarget, RedLock, etc.
     • BF/Dufflebag, Rhino, etc.
     • PA Unit42/Crypsis, etc.
     • AWS Docs: “Share an ... EBS snapshot”, “…EBS direct APIs...”
     • AWS Labs: ColdSnap, etc.
     New Research/Tools vs Prior Research. New content & tools at GitHub.com/Stage2Sec/CaptureTheCloud/Mining/:
     • createListsOfPublicEbsSnapshots.py
     • createMetadataOfPublicEbsSnapshots.py
     • downloadEbsSnapshotViaDirectAPIs.py
  6. What is EC2? Elastic Compute Cloud (EC2) • Virtual servers service
  7. What is EBS? Elastic Block Store (EBS) • Block-storage service designed for EC2
  8. What is an EBS Volume? EBS Volume • Disk attached to an EC2 instance
  9. What is an EBS Snapshot? EBS Snapshot • A point-in-time copy of the data
  10. What is an EBS Snapshot? EBS Snapshot • A point-in-time copy of the data. Incremental backups • Only the blocks on the device that have changed AFTER your most recent snapshot are saved
  11. Sharing EBS Snapshots. EBS snapshot sharing options: • Globally • AWS Account ID. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  12. Sharing Snapshots? (diagram slide) https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  13. Sharing EBS Snapshots. Sharing considerations: • Snapshots are constrained to the Region in which they were created • You can share only unencrypted snapshots publicly. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  14. Known Attacks via Knowing Account IDs. AWS error messages disclose whether a role exists or not, given an Account ID. Role names can disclose:
     • AWS services being used
     • Software & technologies being used
     • Names of IAM users (social engineering)
     • 3rd-party integrations being used (Okta, Datadog, Cloudsploit, etc.)
     Once roles are enumerated, one can try to assume any open roles and pilfer the role credentials. The same attack vector applies to IAM usernames.
     https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
     https://rhinosecuritylabs.com/aws/aws-iam-user-enumeration/
     https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_iam_principals.py
  15. Known Ways to Discover Account IDs. Including, but not limited to:
     • Compromise a resource (e.g. Lambda, etc.)
     • Public resources (e.g. Snapshots, AMI, etc.)
     • Source code review (e.g. GitHub)
     • Error messages from services
     • Screenshots and/or documentation
     • Forums and/or discussion boards
     • etc. …
  16. Known Ways to Discover Account IDs. By default, the login URL for the web console includes the Account ID as a subdomain. The subdomain returns different HTTP response codes depending on whether the login page exists. NOTE: the URL can be changed by the owner of the AWS account, and this is done somewhat frequently. https://github.com/dagrz/aws_pwn/blob/master/miscellanea/Kiwicon%202016%20-%20Hacking%20AWS%20End%20to%20End.pdf
  17. Public Resources, e.g. sharing EBS snapshots… …also shares the Account ID globally. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  18. Cloud9 IDE. AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser. https://aws.amazon.com/cloud9/
  19. API Gateway. API proxy (HTTP or REST) as a managed service. https://aws.amazon.com/api-gateway/
  20. Lambda & API GW. Request path: curl -> API GW -> Lambda; response path: curl <- API GW <- Lambda.
  21. Listing, e.g. sharing EBS snapshots… …also shares the Account ID globally. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  22. Boto3 Script. Script to list public EBS snapshots in each Region using Python & the Boto3 SDK. https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py
  23. Boto3 Script. Output columns: Account ID#, Snap-#, Enc, Region, Date. https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py
  24. GitHub.com/Stage2Sec: https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py
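The listing script above walks every Region for snapshots shared with everyone. As an added example (not code from the CaptureTheCloud repository), here is the defender-side counterpart in Python/boto3: it audits your own account for snapshots restorable by group 'all', reports them in the same columns, and can remove the grant. The function names and the sample DescribeSnapshots response are mine; only audit_account() needs boto3 and AWS credentials.

```python
"""Defensive audit of the EBS snapshots that *this* account has shared publicly.
Added example, not code from the CaptureTheCloud repository. It uses the same
DescribeSnapshots filter the talk's listing script relies on
(RestorableByUserIds=['all']) but scoped to OwnerIds=['self']. Only
audit_account() talks to AWS (needs boto3 + credentials); the rest runs offline.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Constructed sample: one public, unencrypted snapshot as DescribeSnapshots returns it.
SAMPLE_SNAPSHOTS = [{"SnapshotId": "snap-0123456789abcdef0", "OwnerId": "123456789012",
                     "Encrypted": False,
                     "StartTime": datetime(2021, 10, 21, 15, 0, tzinfo=timezone.utc)}]


def public_snapshot_report(snapshots: Iterable[Dict], region: str) -> List[Dict]:
    """Map DescribeSnapshots results to the talk's columns (Account ID, snapshot ID,
    encrypted flag, Region, date). Snapshots are Region-scoped, so the caller
    passes the Region it queried."""
    rows = []
    for snap in snapshots:
        start = snap.get("StartTime")
        if isinstance(start, datetime):
            start = start.astimezone(timezone.utc).isoformat()
        rows.append({"owner_id": snap["OwnerId"], "snapshot_id": snap["SnapshotId"],
                     # only unencrypted snapshots can be public, so True here is an anomaly
                     "encrypted": bool(snap.get("Encrypted", False)),
                     "region": region, "start_time": start})
    return rows


def audit_account(remediate: bool = False) -> List[Dict]:
    """Query every Region for self-owned snapshots restorable by group 'all'; with
    remediate=True, remove the public grant via ModifySnapshotAttribute."""
    import boto3  # local import so the offline report logic needs no boto3

    regions = boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]
    findings = []
    for region in (r["RegionName"] for r in regions):
        ec2 = boto3.client("ec2", region_name=region)
        snaps = [s for page in ec2.get_paginator("describe_snapshots").paginate(
                     OwnerIds=["self"], RestorableByUserIds=["all"])
                 for s in page["Snapshots"]]
        findings.extend(public_snapshot_report(snaps, region))
        for snap in (snaps if remediate else []):
            ec2.modify_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission",
                OperationType="remove", GroupNames=["all"])
    return findings
```

Running audit_account() with default credentials prints nothing; it returns the findings list so it can feed a ticket or a scheduled check.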
  25–26. Metadata, e.g. sharing EBS snapshots… …also shares the Account ID globally… …& metadata about each snapshot… https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
  27. Metadata, e.g. sharing EBS snapshots… …also shares the Account ID globally… …& metadata about each snapshot… https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py
  28. Search Metadata, e.g. sharing EBS snapshots… …also shares the Account ID globally… …& metadata about each snapshot… https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py
  29. GitHub.com/Stage2Sec: https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py
  30. Defcon 2019 / DuffleBag: https://www.youtube.com/watch?v=-LGR63yCTts
  31–33. EBS Direct DL APIs. Newer AWS APIs enable direct download of EBS snapshots. See ColdSnap by AWS & other projects. https://github.com/awslabs/coldsnap
  34. GitHub.com/Stage2Sec: https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/downloadEbsSnapshotViaDirectAPIs.py
  35. AMI
  36. What is an AMI? Amazon Machine Image (AMI) • Information to launch an EC2 instance. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
  37–38. Public AMIs? Amazon Machine Image (AMI) • Information to launch an EC2 instance. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html
  39. RDS
  40. What is RDS? Relational Database Service (RDS) • Relational database in the cloud. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
  41. What is an RDS Snapshot? RDS Snapshot • RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html
  42–43. Public RDS Snapshots? Relational Database Service (RDS) • Relational database in the cloud. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
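Making an EBS snapshot, an AMI or an RDS snapshot public is a single API call, so the CloudTrail record of that call is the natural place to detect the exposure the EBS, AMI and RDS slides describe. The example below is added here (it is not from the talk) and flags those three public-grant events over constructed records; the helper names are mine, and the requestParameters field names are my recollection of CloudTrail's camel-cased EC2/RDS events, to be confirmed against a real trail.

```python
"""Detection: flag CloudTrail records that make an EBS snapshot, AMI or RDS snapshot
public (a grant to 'all'), i.e. the sharing paths the slides walk through.
Added example, not part of the talk. Input is a list of CloudTrail records as dicts.
The sample is constructed and the requestParameters shapes are written from memory
of CloudTrail's camel-cased EC2/RDS events, so confirm them against a real trail."""
from typing import Dict, List

def grants_all(permission: Dict) -> bool:
    """EC2 Modify*Attribute events nest grants as {add: {items: [{group: 'all'}]}}."""
    items = permission.get("add", {}).get("items", [])
    return any(item.get("group") == "all" for item in items)

def public_share_findings(records: List[Dict]) -> List[Dict]:
    """Return one finding per record that grants public access to a resource."""
    findings = []
    for rec in records:
        src, name = rec.get("eventSource"), rec.get("eventName")
        rp = rec.get("requestParameters") or {}
        resource = None  # (type, id) once the record is recognised as a public grant
        if src == "ec2.amazonaws.com" and name == "ModifySnapshotAttribute":
            if grants_all(rp.get("createVolumePermission", {})):
                resource = ("ebs-snapshot", rp.get("snapshotId"))
        elif src == "ec2.amazonaws.com" and name == "ModifyImageAttribute":
            if grants_all(rp.get("launchPermission", {})):
                resource = ("ami", rp.get("imageId"))
        elif src == "rds.amazonaws.com" and name == "ModifyDBSnapshotAttribute":
            if rp.get("attributeName") == "restore" and "all" in rp.get("valuesToAdd", []):
                resource = ("rds-snapshot", rp.get("dBSnapshotIdentifier"))
        if resource:
            findings.append({"resource_type": resource[0], "resource_id": resource[1],
                             "region": rec.get("awsRegion"), "time": rec.get("eventTime"),
                             "actor": (rec.get("userIdentity") or {}).get("arn"),
                             "source_ip": rec.get("sourceIPAddress")})
    return findings

def make_record(src: str, name: str, params: Dict) -> Dict:  # constructed record builder
    return {"eventTime": "2021-10-21T15:01:00Z", "eventSource": src, "eventName": name,
            "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
            "requestParameters": params}

# Constructed sample: public EBS grant, account-scoped share (not flagged), public RDS grant.
SAMPLE_RECORDS = [
    make_record("ec2.amazonaws.com", "ModifySnapshotAttribute", {"snapshotId": "snap-0123456789abcdef0",
                "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}),
    make_record("ec2.amazonaws.com", "ModifySnapshotAttribute", {"snapshotId": "snap-0fedcba9876543210",
                "createVolumePermission": {"add": {"items": [{"userId": "210987654321"}]}}}),
    make_record("rds.amazonaws.com", "ModifyDBSnapshotAttribute", {"dBSnapshotIdentifier": "prod-db-final",
                "attributeName": "restore", "valuesToAdd": ["all"]}),
]
```

A share to a specific account ID (the second sample record) is deliberately not flagged, since that is the sharing option the slides contrast with global sharing.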
  44. Other Public Resources? https://github.com/SummitRoute/aws_exposable_resources Includes: • ECR • Lambda • SAR • Vault • KMS • MediaStore • SNS/SQS • FPGA • etc…
  45. Post Exploitation Toolkit. Post-Exploitation Offensive Operator Toolkit
     § Custom Process Injection & AV Evasion
     § Stay Hidden & Undetected on Endpoints
     § Memory-Only Scripting & Binaries
     § Python, C#, PowerShell, .NET
     § PEs, DLLs, ELFs, SOs, Mach-Os, Bundles
     § Lateral Movement
     § Active Directory Enumeration (i.e. BloodHound / SharpHound)
     § Kerberoasting, Pass-The-Hash, WMI, etc.
     § Infinite Pivoting/Chaining
     § Enabling access to systems otherwise inaccessible from the Internet
     § Cross Platform
     § MacOS, Linux, Windows (x86)
     § Android, iOS, IoT (ARM)
     § Team Collaboration, Multi-Threading
     Stage2Sec.com/Voodoo
  46. S2 Secure Cloud MSS. Red Team-as-a-Service, MDR and Risk management in a single platform. Outcomes: prioritized vulnerabilities, alerts and IMMINENT RISK. Create consistent, automated processes and slash discovery & response times whether in cloud, container or on-premise. Orchestrated platform of managed services that work together. Track, measure and improve your security risk posture. Focus on reducing IMMINENT RISK.
  47. Thank You! [email protected] Bryce Kunz @TweekFawkes. Trainings: Hands-On Cloud Red Teaming. Code: Github.com/Stage2Sec/CaptureTheCloud. Slides: SpeakerDeck.com/TweekFawkes