Date: 2018-11-13
  1. AWS PENTESTING WITH PACU
     The Open Source AWS Exploitation Framework
     Spencer Gietzen
     Rhino Security Labs
  2. INTRO
     • Pentester with a focus on cloud
     • Background in software development
     • Lead developer of Pacu
     Spencer Gietzen
  3. AWS SECURITY
     • Lots of good resources
     • Difficult to know if you are “doing it right”
     • Best practices won’t solve all your problems
     • Features aren’t always your friends
     Easy to get started, hard to master
     • S3 bucket misconfigurations (1000s of them!)
     The common example of “not doing it right”
  4. THE REAL THREAT
     • Far more devastating losing AWS keys
     • How do keys get compromised?
       – Repo misconfigurations/commits
       – Social engineering/phishing
       – Password reuse
       – Web application vulnerabilities:
         • Server-side request forgery (to EC2 meta-data API)
         • Local file read (logs/configs/etc.)
       – “Trusted” 3rd parties
       – Internal threats/rogue employees
     Authenticated Compromise
  5. PENTESTING AWS
     • Lots of great tools to identify misconfigurations
       – Prowler
       – Scout2
       – CloudSploit
     Configuration scanning for best practices is one thing…
     • Some helpful tools and scripts exist
       – aws_pwn
       – Nimbostratus
       – DumpsterDiver
     • Something more was needed
     Wasn’t much for attackers though…
  6. PACU
     • Written in Python3
     • Covers the kill chain
     • Simple module development
       – Built-in module template
     • Extensible
       – Built-in API to assist development
       – Session and data management
       – Error handling
     The AWS Exploitation Framework
  7. TIME FOR A DEMO
     1. Intro to Pacu
     2. Basic account info enumeration (no logs!)
     3. Enumerating IAM permissions
     4. Privilege escalation
     5. Persistence
     6. Root RCE on EC2
     The Plan: Post-Compromise
  8. PACUPROXY
     • One-liner staging (bash/PowerShell)
     • In-memory code execution
     • Evade IP-based detections and whitelists
     • Direct integration into (some) Pacu modules
     • More to come…
     Command and Control (C2) with Pacu
  9. CONCLUSION
     • Lack of AWS attack tools
     • Which means lack of AWS security awareness
     The Security Industry
     • Pacu
     • More offensive research!
     We can fix that with…
  10. RESOURCES
     • https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
     Privilege Escalation Blog Post
     @SpenGietz
     • https://github.com/RhinoSecurityLabs/pacu
     Pacu Repo

