
Blackhat Arsenal 2017 - The Cumulus Toolkit

There is a lack of tools for testing the security of Cloud deployments; the Cumulus Toolkit is an attack framework for exploiting the Cloud's weak points.

The Cloud enables software projects to speed up development because it allows developers to provision infrastructure and make configuration changes to their networks without much friction. This ease of deployment was but a dream in the age of the traditional datacenter. However, the Cloud also brings new attack surface that needs further exploration. Cloud Identity and Access Management (IAM) services (such as Amazon's) are primary targets for attackers, as these typically control access to hundreds of API calls over many services.

Over the years there have been various discussions around cloud security, e.g., Pivoting in Amazon Clouds (2013), and few tools have been developed to enable testing the security of Cloud deployments. These tools are standalone, have not attained wide adoption, and/or have not made it into widely adopted toolkits. To fill this void, we have developed the Cumulus Toolkit. The Cumulus Toolkit is a Cloud exploitation toolkit based on the Metasploit Framework. We chose Metasploit because of its wide adoption and its wealth of existing features.

The Cumulus toolkit is a set of modules that can be used to perform privilege escalation, account takeover, and to launch unauthorized workloads. To illustrate security concerns resulting from lax IAM policies, we present the Create IAM User module, which can be used to create a user with administrative privileges. To perform complete account takeover, an attack that we've seen in the wild, we present the User Locker module, which is used to lock all legitimate users out of the account. Finally, we present the Launch Instances module, which can be used to launch Cloud hosts on demand.
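Both IAM behaviours the modules rely on (a principal creating an admin user for itself, and a principal disabling everyone else's credentials) leave a distinctive trail in CloudTrail. The detector below is an added example, not part of the Cumulus Toolkit or the talk; the CloudTrail records it runs on are constructed samples with placeholder ARNs, and the action sets and time windows are assumptions a defender would tune for their own account.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# IAM calls the Create IAM User module needs (listed on slide 5 of the deck).
ESCALATION_CHAIN = {"CreateUser", "CreateGroup", "PutGroupPolicy", "AddUserToGroup", "CreateAccessKey"}
# IAM calls that disable another principal's credentials, as the User Locker module does.
LOCKOUT_ACTIONS = {"DeleteAccessKey", "UpdateAccessKey", "DeleteLoginProfile"}

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _windows(events, actions, window):
    """Yield (actor_arn, events) for each sliding time window of matching IAM calls by one actor."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"] in actions:
            by_actor[ev["userIdentity"]["arn"]].append(ev)
    for actor, evs in by_actor.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            yield actor, [e for e in evs[i:] if _ts(e) - _ts(first) <= window]

def find_escalation(events, window=timedelta(minutes=10)):
    """Actors that issued every call in ESCALATION_CHAIN within one `window`."""
    return sorted({actor for actor, w in _windows(events, ESCALATION_CHAIN, window)
                   if {e["eventName"] for e in w} >= ESCALATION_CHAIN})

def find_lockout(events, min_victims=3, window=timedelta(minutes=5)):
    """Actors that disabled credentials of at least `min_victims` distinct users within one `window`."""
    return sorted({actor for actor, w in _windows(events, LOCKOUT_ACTIONS, window)
                   if len({e["requestParameters"]["userName"] for e in w}) >= min_victims})

def _ev(time, name, actor, **params):
    # Builds a minimal CloudTrail-shaped record; real records carry many more fields.
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params}

# Constructed sample trail (account id and names are placeholders): a compromised
# instance role runs the escalation chain, then the new admin user locks everyone else out.
ROLE = "arn:aws:sts::111122223333:assumed-role/jenkins-role/i-0123456789abcdef0"
NEW_ADMIN = "arn:aws:iam::111122223333:user/cumulus-admin"
SAMPLE_EVENTS = [
    _ev("2017-07-26T10:00:01Z", "CreateUser", ROLE, userName="cumulus-admin"),
    _ev("2017-07-26T10:00:02Z", "CreateGroup", ROLE, groupName="admins"),
    _ev("2017-07-26T10:00:03Z", "PutGroupPolicy", ROLE, groupName="admins"),
    _ev("2017-07-26T10:00:04Z", "AddUserToGroup", ROLE, groupName="admins", userName="cumulus-admin"),
    _ev("2017-07-26T10:00:05Z", "CreateAccessKey", ROLE, userName="cumulus-admin"),
    _ev("2017-07-26T10:02:00Z", "DeleteAccessKey", NEW_ADMIN, userName="alice"),
    _ev("2017-07-26T10:02:02Z", "UpdateAccessKey", NEW_ADMIN, userName="bob"),
    _ev("2017-07-26T10:02:03Z", "DeleteAccessKey", NEW_ADMIN, userName="carol"),
    _ev("2017-07-26T11:30:00Z", "CreateUser", "arn:aws:iam::111122223333:user/ops", userName="newhire"),
]
```

The single `CreateUser` by the `ops` user at 11:30 is ordinary administration and is not flagged, which is the point of requiring the whole chain inside one window.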



  1. CUMULUS - A CLOUD EXPLOITATION TOOLKIT - Javier Godinez
  2. CUMULUS - A Cloud Exploitation Toolkit
     • Collection of Metasploit modules
       • Creating IAM users
       • Launching workloads
       • Locking users out
     • Techniques for getting a foothold and pivoting in the Cloud
     • Currently only supports AWS
  3. FOOTHOLD IN THE CLOUD
     • Demo Cloud Attack Surface
     • Weak authentication - SSH
     • Insecure configurations - Jenkins
     • Misconfiguration - Squid Proxy
     • Application vulnerabilities - XXE
  4. THE MODULES
  5. CREATE IAM USER MODULE
     • Allows for the creation of a user with Admin Privileges to the AWS account
     • Needs access to AWS Access Keys or an Instance Role with:
       • iam:CreateUser
       • iam:CreateGroup
       • iam:PutGroupPolicy
       • iam:AddUserToGroup
       • iam:CreateAccessKey
  6. LAUNCH INSTANCES MODULE
     • Auto-detects configuration for launching EC2 instances
     • Can launch one or multiple instances
     • Can execute setup scripts
  7. LOCKOUT USERS MODULE
     • Requires an IAM admin role (created by the previous module)
     • Enumerates all users and access keys
     • Accepts a user to keep
     • Locks out all other accounts
  8. DISCLAIMER
     • This is not an Amazon Web Services issue
     • This is a DevOps education issue
     • It is the user's responsibility to understand the technology being used
     • With power user privileges comes great responsibilities
  9. DEMO - GETTING A FOOTHOLD
  10. DEMO - PUTTING IT ALL TOGETHER
  11. DEMO NETWORK (diagram). Elements: Attacker; Account A with VPC 10.0.0.0/16, an IGW, a Jenkins host and a Proxy; Account B with VPC 10.10.0.0/16 and its own IGW; VPC Peering between the two accounts; the AWS API; SSH / API paths; numbered steps 1-4 marking the attack path.
  12. DEMO NETWORK (same diagram, showing step 1)
  13. DEMO NETWORK (same diagram, showing steps 1-3)
  14. DEMO NETWORK (same diagram, showing steps 1-4)
  15. REFERENCES
     • Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
     • See the cumulus branch: https://github.com/godinezj/metasploit-framework
  16. HOW TO APPLY THIS KNOWLEDGE
     • Read the AWS IAM Best Practices document: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
     • Monitor IAM actions using AWS CloudTrail
     • Audit your AWS Account IAM Policies and Roles
     • Red Team your applications and instances: https://www.metasploit.com
     • Think to yourself: "How would an attacker use this against me?"
     • Use repeatable secure patterns: https://github.com/devsecops
     • Help build awareness through community: http://www.devsecops.org
  17. THANKS FOR WATCHING! Javier Godinez
  18. APPENDIX
  19. UNDERSTANDING THE TECHNOLOGY YOU USE
     • How fast can I move while still staying safe?
     • Always develop in a separate account (Blast Radius Containment)
     • Read the docs for everything and make conscious choices
     • Attackers will try to leverage everything against you
     • Bleeding edge does not mean stable and secure; however, it can be with enough testing
  20. INSTANCE
     • Virtual host
     • Virtual environment on the Xen hypervisor
     • Feels very much like a host running on bare metal
  21. METADATA SERVICE
     • Internal HTTP service that provides instances with information about their environment
     • Available from the host at http://169.254.169.254/
     • Also provides temporary credentials to the host
  22. INSTANCE PROFILE
     • AWS construct that maps a role to an instance
     • An instance may or may not have a profile associated with it
  23. AWS IDENTITY AND ACCESS MANAGEMENT OVERVIEW
     • Users
     • Groups
     • Roles
     • Policies
       • Effect
       • Actions
       • Resources
       • Condition
  24. THE GOOD
     • Policy is specifically created for the application
     • Least privilege
     • Made to be as granular as possible
  25. THE BAD
     • ec2:*
     • iam:*
     • anything:*
  26. THE UGLY
     • All Access
     • Great for Development
     • Really Bad for Security
  27. UPCOMING MODULES AND PROJECTS
     • Metasploit AWS Lambda module
     • Metasploit AWS S3 enumeration module
     • Cumulus Cloud Attack Toolkit
       • AWS
       • Google Cloud Platform
     • DevSecOps.org Community
  28. EC2 INSTANCE METADATA
     • Retrieves information from the metadata service
     • Includes API credentials
     • Account information
     • Regional information
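The Good / Bad / Ugly slides and the "Audit your AWS Account IAM Policies and Roles" advice translate directly into a policy check. The script below is an added example, not code from the toolkit or the deck: it rates every Allow statement of an IAM policy document by its action wildcards (`*` is "ugly", `service:*` is "bad", anything narrower is "good") and notes whether the statement applies to every resource. The sample policies are constructed, the bucket name is a placeholder, and treating `NotAction` as full access is an assumption on the conservative side.

```python
import json

RATING_ORDER = {"good": 0, "bad": 1, "ugly": 2}

def _as_list(value):
    # IAM accepts a single string or a list for Action, NotAction and Resource.
    return value if isinstance(value, list) else [value]

def rate_statement(stmt):
    """Rate one Allow statement: 'ugly' (all access), 'bad' (service-wide wildcard), else 'good'."""
    if "NotAction" in stmt:            # allows every action not listed: treat as all access
        return "ugly"
    rating = "good"
    for action in _as_list(stmt.get("Action", [])):
        if action.strip() == "*":
            return "ugly"
        if action.endswith(":*"):      # ec2:*, iam:*, anything:* (slide 25)
            rating = "bad"
    return rating

def audit_policy(policy_json):
    """One finding per Allow statement; Deny statements only narrow access and are skipped."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        findings.append({
            "statement": idx,
            "rating": rate_statement(stmt),
            "all_resources": "*" in _as_list(stmt.get("Resource", [])),
            "actions": _as_list(stmt.get("Action", stmt.get("NotAction", []))),
        })
    return findings

def worst_rating(policy_json):
    """Worst rating across the policy's Allow statements ('good' for a policy with none)."""
    ratings = [f["rating"] for f in audit_policy(policy_json)]
    return max(ratings, key=RATING_ORDER.get, default="good")

# Constructed sample policies mirroring slides 24-26 (bucket name is a placeholder).
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-artifacts", "arn:aws:s3:::app-artifacts/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:*"], "Resource": "*"}]})
UGLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "*", "Resource": "*"}})
```

Feed it the JSON returned by `aws iam get-policy-version` (or an inline role policy) and a "bad" or "ugly" rating with `all_resources` set is exactly the kind of grant the Create IAM User module needs.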
