Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mining Cloud Resources for Initial Access via Serverless Services

TweekFawkes
October 21, 2021
Technology
0
110

Mining Cloud Resources for Initial Access via Serverless Services

Presented at SaintCon in Utah on October 21st 2021.

Mining Cloud Resources for Initial Access via Serverless Services

Cloud (AWS, Azure, GCP, etc.) providers make the sharing of resources as easy and convenient as the push of a button, but how often do users unintentionally also share sensitive information which would enable an attacker and/or red teamer to gain a foothold into the targeted cloud environment? Join us in this action-packed session, where we will explore a few practical cloud-centric attack vectors, which may have disastrous consequences for unprepared organizations.

TweekFawkes

October 21, 2021
Tweet

More Decks by TweekFawkes

See All by TweekFawkes
Cloud-focused phishing techniques to bypass FIDO2 and WebAuthn
tweekfawkes
0
78
Cloud Red Teaming: AWS Initial Access & Privilege Escalation
tweekfawkes
0
3.4k
Level Up Your Lab Envs!
tweekfawkes
0
180
Cloud Focused Continuous Red Teaming: Avoiding the Fall of Icarus!
tweekfawkes
0
210
Serverless and Dys-FUNctional Cloud Red Teaming
tweekfawkes
1
160
The Future?!
tweekfawkes
0
140
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
1k
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
tweekfawkes
0
230
UVU - Red Teaming GCP (Google Cloud Platform)
tweekfawkes
1
210

Other Decks in Technology

See All in Technology
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
15k
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
730
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
520
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
0
140
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
110
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
サーバー間 GraphQL と webmock-graphql の話 / server-to-server graphql and webmock-graphql
qsona
2
190
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
620
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
5
390
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
650

Featured

See All Featured
Faster Mobile Websites
deanohume
299
30k
Documentation Writing (for coders)
carmenintech
60
3.9k
Ruby is Unlike a Banana
tanoku
96
10k
Building an army of robots
kneath
300
41k
Typedesign – Prime Four
hannesfritz
36
2.1k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
Navigating Team Friction
lara
178
13k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
Code Review Best Practice
trishagee
55
15k
The Invisible Customer
myddelton
114
12k
How to train your dragon (web standard)
notwaldorf
73
5.2k
Making the Leap to Tech Lead
cromwellryan
124
8.5k

Transcript

  1. Relentlessly Secure. Mining Cloud Resources For Initial Access

  2. Introduction

  3. About Me Bryce Kunz @TweekFawkes Defense DHS SOC Offense NSA

    Red Team Adobe DX

  4. Cloud Security Challenges Borderless networks with continuously evolving workloads and

    data . Alert and Vulnerability fatigue Constant threats and public exploits (ransomware) Manual, inconsistent processes often relying on legacy attack surface discovery and identification techniques Explosion of cloud and container workloads with security tools in use that were not designed to work together Difficulty rising above the daily firefighting to track KPIs and drive improvement Global talent shortage

  5. Attack. Detect. Defend. Repeat In cybersecurity there are only two

    teams, and it’s not red and blue. It’s the good guys and the bad guys. At S2, we break down the barriers between red team and blue team so threats don’t break down your defenses. We simulate the advanced threats your enterprise faces and automate detection and response, all in one Adversary Simulation/Detection and Response platform MAGE. With continuous red-team, we find the latest vulnerabilities not just the threats bad actors know you know about. And with as-a-service offerings, it’s expertise that protects your enterprise and your budget.

  6. Red Teaming as a Service OSINT External Analysis - EASM

    Cloud Analysis - CSPM • OSINT++, Secrets in Repos • Subdomain Takeovers • Breached Creds, Dark CTI • Service & Port Discovery • Web App Enumeration, IoT • Weak Credential Checks • Public Service Discovery • Access Misconfigurations • Best Practices (e.g. CIS) Client Experience Targeting & Analysis Interactive Operations

  7. Red Teaming as a Service

  8. Red Teaming as a Service

  9. PTaaS/RTaaS – Continuous Testing

  10. Agenda

  11. Agenda Agenda: • Compute Services • AWS Account IDs •

    AWS SAM • Finding Accounts IDs w/ SAM • List EBS Snapshots • EBS Snapshot Metadata • EBS Snapshot Mining • EBS Snapshot Direct Downloads • AMIs • RDS • Other Services • Cloud Redirection • Logging Disruption • Conclusion

  12. Prior Research & Tools • Many Blogs, etc. • TechTarget,

    RedLock, etc. • BF/Dufflebag, Rhino, etc. • PA Unit42/Crypsis, etc. • AWS Docs: • “Share an ... EBS snapshot” • “…EBS direct APIs...” • AWS Labs: ColdSnap, etc. New Research/Tools vs Prior Research New Content & Tools GitHub.com/Stage2Sec CaptureTheCloud/Mining/ • createListsOfPublicEbsSna pshots.py • createMetadataOfPublicEbs Snapshots.py • downloadEbsSnapshotViaD irectAPIs.py

  13. Compute Services

  14. What is EC2? Elastic Compute Cloud (EC2) • Virtual Servers

    service Elastic Compute Cloud (EC2) Instance Instances AWS Account

  15. What is EBS? Elastic Block Store (EBS) • Block-Storage service

    designed for EC2 Elastic Block Store (EBS) Elastic Compute Cloud (EC2) Instance Instances AWS Account

  16. What is EBS Volume? EBS Volume • Disk Attached to

    EC2 Instance Elastic Block Store (EBS) Volume Elastic Compute Cloud (EC2) Instance Instances AWS Account

  17. What is EBS Snapshot? EBS Snapshot • A Point in

    Time Copy of the Data Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account

  18. What is EBS Snapshot? EBS Snapshot • A Point in

    Time Copy of the Data Incremental Backups • Only the Blocks on the Device that have Changed AFTER your most recent snapshot are saved Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account

  19. Sharing EBS Snapshots EBS Snapshot Sharing Options: • Globally •

    AWS Account ID Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

  20. Sharing Snapshots? Elastic Block Store (EBS) Volume Snapshot Elastic Compute

    Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

  21. Sharing EBS Snapshots Sharing Considerations: • Snapshots are constrained to

    the Region in which they were created • You can share only unencrypted snapshots publicly Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

  22. AWS: ACCOUNT IDS

  23. AWS Account IDs …

  24. Known Attacks via Knowing Account IDs AWS error messages disclose

    whether a role exists or not, w/ a given Account ID Role Names can disclose: • AWS Services being used • Software & Technologies being used • Names of IAM users (social engineering) • 3rd party integrations being used (Okta, Datadog, Cloudsploit, etc.) Once roles are enumerated, one can try to assume any open roles and pilfer the role credentials. Same attack vector applies for IAM Usernames https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ https://rhinosecuritylabs.com/aws/aws-iam-user-enumeration/ https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_iam_principals.py

  25. Known Ways to Discover Account IDs Including, but not limited

    to: • Compromise a resource (e.g. Lambda, etc.) • Public resources (e.g. Snapshots, AMI, etc.) • Source Code Review (e.g. GitHub) • Error Messages from Services • Screenshots and/or Documentation • Forums and/or Discussion Boards • etc. …

  26. Known Ways to Discover Account IDs By default, login URL

    for the web console, includes the Account ID as a subdomain. Subdomain has different HTTP response codes based on if login page exists NOTE: URL can be changed by the owner of the AWS, and is done so somewhat frequently https://github.com/dagrz/aws_pwn/blob/master/miscellanea/Kiwicon%202016%20-%20Hacking%20AWS%20End%20to%20End.pdf

  27. Public Resources e.g. Sharing EBS Snapshots… …Also shares Account ID

    Globally Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

  28. AWS: SAM

  29. Serverless Application Model (SAM) https://aws.amazon.com/serverless/build-a-web-app/

  30. Cloud9 IDE AWS Cloud9 is a cloud-based integrated development environment

    (IDE) that lets you write, run, and debug your code with just a browser. https://aws.amazon.com/cloud9/

  31. API Gateway API Proxy (HTTP or REST) as a managed

    service https://aws.amazon.com/api-gateway/

  32. Lambda https://aws.amazon.com/lambda/ AWS Scripts as a managed service

  33. Lambda & API GW Curl -> API GW -> Lambda

    v Lambda Curl <- API GW <- Lambda ^ aaaa

  34. 2020: SaintCon

  35. 2020 SaintCon: Finding Accounts https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html

  36. 2020 SaintCon: Video w/ More Information… SaintCon.org Oct 18th-22nd https://www.youtube.com/watch?v=oFgAQ0hSCOg

    https://www.youtube.com/watch?v=oFgAQ0hSCOg

  37. List EBS Snapshots

  38. Listing e.g. Sharing EBS Snapshots… …Also shares Account ID Globally

    Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

  39. Boto3 Script Script to List Public EBS Snapshots in Each

    Region using Python & Boto3 SDK. Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py

  40. Boto3 Script Account ID#, Snap-#, Enc, Region, Date Elastic Block

    Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py

  41. GitHub.com/Stage2Sec https://github.com/Stage2Sec /CaptureTheCloud/Mining/ createListsOfPublicEbsSnapshots.py Elastic Block Store (EBS) Volume Snapshot

    Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createListsOfPublicEbsSnapshots.py

  42. EBS Snapshot Metadata

  43. Metadata e.g. Sharing EBS Snapshots… …Also shares Account ID Globally…

    …& Metadata about each snapshot… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

  44. Metadata e.g. Sharing EBS Snapshots… …Also shares Account ID Globally…

    …& Metadata about each snapshot… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

  45. Metadata e.g. Sharing EBS Snapshots… …Also shares Account ID Globally…

    …& Metadata about each snapshot… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py

  46. Seatch Metadata e.g. Sharing EBS Snapshots… …Also shares Account ID

    Globally… …& Metadata about each snapshot… Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py

  47. GitHub.com/Stage2Sec https://github.com/Stage2Sec /CaptureTheCloud/Mining/ createMetadataOfPublicEbsSnapshots.py Elastic Block Store (EBS) Volume Snapshot

    Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/createMetadataOfPublicEbsSnapshots.py

  48. EBS Snapshots Mining

  49. Defcon 2019/DuffleBag https://github.com/Stage2Sec /CaptureTheCloud/Mining/ createMetadataOfPublicEbsSnapshots.py Elastic Block Store (EBS) Volume

    Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://www.youtube.com/watch?v=-LGR63yCTts

  50. EBS Snapshot Direct Downloads

  51. EBS Direct DL APIs Newer AWS APIs Enable Direct Download

    of EBS Snapshots See ColdSnap by AWS & Other Projects Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/awslabs/coldsnap

  52. EBS Direct DL APIs Newer AWS APIs Enable Direct Download

    of EBS Snapshots See ColdSnap by AWS & Other Projects Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/awslabs/coldsnap

  53. EBS Direct DL APIs Newer AWS APIs Enable Direct Download

    of EBS Snapshots See ColdSnap by AWS & Other Projects Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/awslabs/coldsnap

  54. GitHub.com/Stage2Sec https://github.com/Stage2Sec /CaptureTheCloud/Mining/ downloadEbsSnapshotViaDirectAPIs.py Elastic Block Store (EBS) Volume Snapshot

    Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/Stage2Sec/CaptureTheCloud/blob/master/Mining/downloadEbsSnapshotViaDirectAPIs.py

  55. AMI

  56. What is AMI? Amazon Machine Image (AMI) • Information to

    Launch an EC2 Instance Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html

  57. Public AMIs? Amazon Machine Image (AMI) • Information to Launch

    an EC2 Instance Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html

  58. Public AMIs? Amazon Machine Image (AMI) • Information to Launch

    an EC2 Instance Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-intro.html

  59. RDS

  60. What is RDS? Relational Database Service (RDS) • Relational Database

    in the Cloud Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

  61. What is RDS Snapshot? RDS Snapshot • RDS creates a

    storage volume snapshot of your DB instance, • Backing up the entire DB instance and not just individual databases. Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html

  62. Public RDS Snapshots? Relational Database Service (RDS) • Relational Database

    in the Cloud Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

  63. Public RDS Snapshots? Relational Database Service (RDS) • Relational Database

    in the Cloud Elastic Block Store (EBS) Volume Snapshot Elastic Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

  64. Other Public Resources

  65. Other Public Resources? Elastic Block Store (EBS) Volume Snapshot Elastic

    Compute Cloud (EC2) Instance Instances AWS Account Global Cloud https://github.com/SummitRoute/aws_exposable_resources Includes: • ECR • Lambda • SAR • Vault • KMS • MediaStore • SNS/SQS • FPGA • etc…

  66. AWS: Cloud Redir

  67. Post Exploitation Toolkit Post-Exploitation Offensive Operator Toolkit § Custom Process

    Injection & AV Evasion § Stay Hidden & Undetected on Endpoints § Memory Only Scripting & Binaries § Python, C#, Powershell, .NET § PEs, DLLs, ELFs, SOs, Mach-Os, Bundles § Lateral Movement § Active Directory Enumeration (i.e. BloodHound / SharpHound) § Kerberoasting, Pass-The-Hash, WMI, etc. § Infinite Pivoting/Chaining § Enabling access to systems otherwise inaccessible from the Internet § Cross Platform § MacOS, Linux, Windows (x86) § Android, iOS, IoT (ARM) § Team Collaboration, Multi-Threading Stage2Sec.com/Voodoo

  72. Intro to Community Edition of VooDoo https://www.stage2sec.com/voodoo https://www.youtube.com/watch?v=NY1AODrBv6Y Ref: https://www.youtube.com/watch?v=NY1AODrBv6Y

  73. API Gateway: Trusted Domains & Certs https://github.com/Stage2Sec/CaptureTheCloud/boomerangApi-v0_2.py

  74. API Gateway: Curl Test https://github.com/Stage2Sec/CaptureTheCloud/boomerangApi-v0_2.py

  75. API Gateway: C2 via VooDoo https://github.com/Stage2Sec/CaptureTheCloud/boomerangApi-v0_2.py

  76. AWS: Log Disruption

  77. CloudTrail …

  78. CloudTrail: Buffering …

  79. CloudTrail: Suspicious Notable …

  80. CloudTrail: DeleteTrail …

  81. Delete & Create w/ Attacker Bucket …

  82. Disrupting AWS Logs https://www.youtube.com/watch?v=V0EytWYrpw8&t=437s https://www.youtube.com/watch?v=V0EytWYrpw8&t=437s

  83. Conclusion

  84. S2 Secure Cloud MSS Red Team-as-a-Service, MDR and Risk management

    in a single platform Outcomes. Prioritized vulnerabilities, alerts and IMMINENT RISK Create consistent, automated processes and slash discovery & response times whether in cloud, container or on-premise Orchestrated platform of managed services that work together Track, measure and improve your security risk posture Focus on reducing IMMIENT RISK

  85. PTaaS/RTaaS – Continuous Testing

  86. Thank You! [email protected] Bryce Kunz @TweekFawkes Trainings: Hands-On Cloud Red

    Teaming Code: Github.com/Stage2Sec/CaptureTheCloud Slides: SpeakerDeck.com/TweekFawkes

  87. Thank You [email protected]