Hunting for the secrets in a cloud forest
Paweł Rzepa
CONFidence, 4th June 2018
• Senior Security Consultant in SecuRing
• Pentesting
• Consultancy in cloud security
• Blog: https://medium.com/@rzepsky
• GitHub: https://github.com/xep624/
• Twitter: @Rzepsky
#whoami
The goal of this presentation is to show how access keys may leak from your company regardless of the service provider you use (AWS, Azure, GCP etc.) and to discuss reliable countermeasures.
TL;DR
Rzepsky
• Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
Presentation plan
Passwords vs Keys
Access key ID = AKIAJIS2NP37SW1AYBHA
Secret access key = nTRcofv3N9ls6MqFhsR8lxQp+aNfoDv+2lXzv9nT
VS
Login = admin
Password = Dupa.8
Passwords vs Keys
Source: https://www.blackhat.com/docs/us-16/materials/us-16-Simon-Access-Keys-Will-Kill-You-Before-You-Kill-The-Password.pdf
Wrong access control
Sometimes all you have to do is… just ask!
Low-hanging fruit:
*.db
*.sql
*.config
*backup*
Define a target
https://github.com/securing/BucketScanner/
https://[bucketname].s3.amazonaws.com
https://[aws_endpoint].amazonaws.com/[bucket_name]/
For example: https://chicagodb.s3.amazonaws.com/
Source: https://www.upguard.com/breaches/cloud-leak-chicago-voters
Let’s find open buckets
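As an added example (this is not BucketScanner's code, and the S3 responses in it are constructed, not captured from a real bucket), here is the check the slide above describes expressed in Python: build the bucket URL in the two forms shown, classify what an anonymous GET on the bucket root returns, and pull the low-hanging fruit out of a public listing using the patterns from the “Define a target” slide.

```python
"""Find and triage publicly listable S3 buckets.

Added example for this deck; it is not BucketScanner's code. The three
responses below are constructed to mirror the shape S3 returns for an
anonymous GET on a bucket root; they were not captured from a real bucket.
"""
import fnmatch
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# "Low-hanging fruit" patterns from the "Define a target" slide
INTERESTING = ("*.db", "*.sql", "*.config", "*backup*")


def bucket_url(bucket, region_endpoint=""):
    """Virtual-hosted style URL, or path style when a regional endpoint is given."""
    if region_endpoint:
        return "https://%s.amazonaws.com/%s/" % (region_endpoint, bucket)
    return "https://%s.s3.amazonaws.com/" % bucket


def classify(status, body):
    """Turn (HTTP status, response body) of an anonymous GET into a verdict.

    200 + <ListBucketResult>   -> PUBLIC_LIST  anyone can enumerate the objects
    403 + <Error>AccessDenied  -> PRIVATE      the bucket exists, listing is denied
    404 + <Error>NoSuchBucket  -> MISSING      the name is unclaimed
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "UNKNOWN"
    tag = root.tag.replace(S3_NS, "")
    if status == 200 and tag == "ListBucketResult":
        return "PUBLIC_LIST"
    code = root.findtext("Code") if tag == "Error" else None
    if status == 403 and code == "AccessDenied":
        return "PRIVATE"
    if status == 404 and code == "NoSuchBucket":
        return "MISSING"
    return "UNKNOWN"


def object_keys(listing_xml):
    """Object keys from a ListBucketResult document."""
    root = ET.fromstring(listing_xml)
    return [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]


def low_hanging_fruit(keys, patterns=INTERESTING):
    """Keys whose name matches any of the interesting patterns (case-insensitive)."""
    return [k for k in keys
            if any(fnmatch.fnmatch(k.lower(), p) for p in patterns)]


# --- constructed sample responses ---
PUBLIC_200 = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <Contents><Key>site/index.html</Key><Size>512</Size></Contents>
  <Contents><Key>dumps/customers.sql</Key><Size>4096000</Size></Contents>
  <Contents><Key>app/web.config</Key><Size>2048</Size></Contents>
  <Contents><Key>old/db-backup-2018.tar.gz</Key><Size>9000000</Size></Contents>
</ListBucketResult>"""
PRIVATE_403 = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
MISSING_404 = ("<Error><Code>NoSuchBucket</Code>"
               "<Message>The specified bucket does not exist</Message></Error>")

if __name__ == "__main__":
    print(bucket_url("chicagodb"), classify(200, PUBLIC_200))
    for key in low_hanging_fruit(object_keys(PUBLIC_200)):
        print("  interesting:", key)
```

For a live run, put `urllib.request.urlopen(bucket_url(name))` in front of `classify`. Two things to keep in mind when reading the verdicts: a 403 still confirms that the bucket name exists, and a listing that is denied anonymously can still be readable by the “Any authenticated AWS user” grantee group, so repeat the request with credentials of any AWS account of your own before calling a bucket private.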
Querying Google, Yahoo, VirusTotal, Certificate Transparency logs etc. (e.g. Sublist3r, amass, bucket-stream)
Querying 3rd parties
Querying a domain in archive.org
Wayback Machine
• Found 24652 buckets
• 5241 (21%) of them have public READ access
• And amongst them...
Results
Some of them are quite interesting…
• There is no group like “Any authenticated Azure user” (thanks, Microsoft!)
• You have to discover two names instead of one (the storage account and the container), even when considering only full public read access:
http://[storage account name].blob.core.windows.net/[container name]?restype=container&comp=list
What about Azure?
Leaks via compromised accounts
Overwrite a trusted file: the customer downloads Term_of_use.pdf from the bucket
During my research I‘ve found 1365 buckets (6% of tested buckets) that allow writing (and overwriting) an arbitrary file
• There are numerous ways of infecting an employee’s computer
• Leaks via:
• Local config files, tools etc.
• ~/.aws/credentials
---------------------------------------------------------------------------------------------
• Enforcing MFA is a must!!! -> https://bit.ly/2oYKBmf
• Remember the principle of least privilege (e.g. Repokid may help you -> https://bit.ly/2kUT3Bq)
Leaks via compromised accounts
Key leaks via web apps
1. Client: I want to upload a file
2. Client -> API: I’m an authenticated user, please give me keys
3. Client -> bucket: upload the file directly to the bucket
Key leaks via metadata
Some vulns can be much more dangerous in the cloud:
• CWE-200: Information Exposure
• CWE-441: Unintended Proxy or Intermediary
• CWE-611: XML External Entity (XXE) injection
• CWE-918: Server-Side Request Forgery (SSRF)
…because any of them may reveal your metadata!!!
Old vulns gain new life
Unintended proxy example
• Data about your instance:
• Accessible only from within the instance itself via the link http://169.254.169.254/latest/meta-data/
• For an instance with an IAM role this includes the role’s temporary credentials, under iam/security-credentials/
What is “meta-data”
• Usually, automated tools fail to detect such leaks
• But penetration tests are the remedy
How to catch such leaks?
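An added example (not code from the talk) of the unintended-proxy bug described above and of its fix: a URL fetcher that forwards the user’s URL as-is, next to one that resolves the destination first and refuses link-local, private and other non-public addresses, so a request for http://169.254.169.254/latest/meta-data/ never leaves the box. The `resolver` hook and the hostnames in the demo table are assumptions of this example so that it runs without DNS.

```python
"""Unintended proxy: fetching a user-supplied URL from inside a cloud instance.

Added example for this deck (not the talk's code). fetch_vulnerable() is the
bug; fetch_hardened() resolves the destination before connecting and refuses
anything that is not a public unicast address, which covers the metadata
endpoint 169.254.169.254 as well as RFC 1918, loopback and IPv6 ULA ranges.
The `resolver` hook is an assumption of this example so the check can be
exercised without DNS (see FAKE_DNS and the demo at the bottom).
"""
import ipaddress
import socket
from urllib.parse import urlsplit
from urllib.request import urlopen

METADATA_URL = "http://169.254.169.254/latest/meta-data/"


def fetch_vulnerable(url):
    """The proxy as found in the wild: whatever the user sends is fetched.
    With METADATA_URL + 'iam/security-credentials/<role>' that is a key leak."""
    with urlopen(url, timeout=5) as resp:
        return resp.read()


def default_resolver(host):
    """Every address the name resolves to (attacker DNS may mix public and private)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_destination(url, resolver=default_resolver):
    """True only for http(s) URLs whose every resolved address is globally routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = {str(ipaddress.ip_address(host))}      # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = set(resolver(host))
        except (OSError, LookupError):                # NXDOMAIN, timeout, unknown host
            return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 scope id
        if not ip.is_global or ip.is_multicast:
            return False
    return True


def fetch_hardened(url, resolver=default_resolver):
    """Same fetch, but only after the destination has passed the allow-list."""
    if not is_public_destination(url, resolver):
        raise PermissionError("refusing non-public destination: " + url)
    return fetch_vulnerable(url)


# --- constructed DNS answers for the demo (no real lookups are made) ---
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "app.internal": {"10.0.0.5"},
    "metadata.google.internal": {"169.254.169.254"},
    "rebinder.test": {"93.184.216.34", "169.254.169.254"},  # mixed answer
}

if __name__ == "__main__":
    for u in (METADATA_URL, "http://metadata.google.internal/computeMetadata/v1/",
              "http://app.internal/", "http://[fd00::1]/", "http://127.0.0.1:8080/",
              "file:///etc/passwd", "http://rebinder.test/", "https://example.com/"):
        verdict = "allow" if is_public_destination(u, FAKE_DNS.__getitem__) else "block"
        print(verdict, u)
```

Two caveats a reviewer would raise: the check and the actual connect are separate resolutions, so a DNS-rebinding attacker can answer a public address for the check and 169.254.169.254 a moment later; pin the connection to the address you checked, or send all outbound fetches through an egress proxy that enforces the same list. On AWS, requiring IMDSv2 on the instance (a PUT for a session token before any metadata GET) removes the plain-GET SSRF path entirely.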
Key leaks over 3rd parties
GitHub
Pastebin
Forums
etc…
You don’t have to use GitHub to see your keys there…
Story details: https://www.olindata.com/en/blog/2017/04/spending-100k-usd-45-days-amazon-web-services
• Before releasing any repo – just scan it:
• TruffleHog (https://github.com/dxa4481/truffleHog)
• git-secrets (https://github.com/awslabs/git-secrets)
• Add it to your continuous integration process
Catch git leaks!
What about creating my own scanner, which can catch a leak in any kind of file?
Manual search is ineffective - PoC
• Define your target
• Specify the target’s characteristics
• Locate the target
Find a Pepsi on the next slide…
Find the Pepsi bottle!
• They have a fixed length
• All chars are from the Base64 charset
• They are random, i.e. they have high entropy
AWS_SECRET_ACCESS_KEY = 2r9pAuQxUFAqtrWhEy4G4WiVx5iJ74Hja5AWgHq9
Shared_Key = M3mmbjOlIZr11OZoULqUWyFA1EpOdZAEcmaC64E/Ft9MRfDEYE7qDJm+9ezGQY15==
Specify the keys’ characteristics
Entropy = disorder
(figure: high entropy vs. low entropy)
Source: http://awesomenator.com/fun/rearranging-the-world-chaos-vs-order/
Entropy: how to compute it?
(figure: a single outcome with P = 1 gives low entropy; two outcomes with P = 0.75 and P = 0.25 give medium entropy; two outcomes with P = 0.5 and P = 0.5 give high entropy)
Entropy: how to compute it? (Shannon entropy)
Source: https://en.wikipedia.org/wiki/Claude_Shannon#/media/File:ClaudeShannon_MFO3807.jpg
Shannon entropy in practice
• Hash: 404e554d243c1a11d13c96b60129504a31b0abd has 3.57 entropy
• Long string: “ChuckNorriscountedtoinfinitytwentytwice” has 3.81 entropy; “Where_are_my_keys?!¯\_(ツ)_/¯” contains characters outside the Base64 charset
• AWS secret key: 2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9 has 4.67 entropy
Interesting fact: an AWS secret key always has entropy > 4.3
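The calculation behind these numbers, as an added example (this is not DumpsterDiver’s code): Shannon entropy H = -Σ p(c)·log2 p(c) over the characters of a string, in bits per character; the AWS secret-key test from the “Specify keys characteristics” slide (40 chars, Base64 alphabet, H > 4.3); and a tokenizer that applies that test to an arbitrary blob of text, which is the scanner idea raised two slides earlier. The three strings are the ones on the slide; the config blob at the bottom is constructed for the demo.

```python
"""Shannon entropy as a secret detector.

Added example for this deck; it is not DumpsterDiver's code. The values on
the slide come out of shannon_entropy() below. The 40-char / Base64 /
entropy > 4.3 profile is the AWS secret-key shape from the
"Specify keys characteristics" slide. CONFIG_BLOB is constructed for the demo.
"""
import math
import re
from collections import Counter

AWS_SECRET_LEN = 40
AWS_SECRET_MIN_ENTROPY = 4.3                  # empirical floor stated on the slide
BASE64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{20,}")  # Base64-looking runs worth testing


def shannon_entropy(s):
    """H = -sum(p_c * log2 p_c) over the distinct characters c of s, in bits per char."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((k / n) * math.log2(k / n) for k in Counter(s).values())


def max_entropy(alphabet_size):
    """Upper bound for any string over an alphabet: log2(size). Hex tops out at 4.0,
    so the 4.3 threshold discards every hex hash or UUID without a pattern for them."""
    return math.log2(alphabet_size)


def looks_like_aws_secret(token):
    """Fixed length, Base64 alphabet, high entropy: the three criteria from the slide."""
    return (len(token) == AWS_SECRET_LEN
            and BASE64_ALPHABET.match(token) is not None
            and shannon_entropy(token) > AWS_SECRET_MIN_ENTROPY)


def find_aws_secret_candidates(text):
    """Apply the test to every Base64-looking run in an arbitrary blob of text."""
    return [t for t in TOKEN_RE.findall(text) if looks_like_aws_secret(t)]


# --- strings from the slide, plus a constructed config dump ---
HASH = "404e554d243c1a11d13c96b60129504a31b0abd"
LONG_STRING = "ChuckNorriscountedtoinfinitytwentytwice"
AWS_SECRET = "2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9"

CONFIG_BLOB = """# constructed sample, not a real dump
db_password = Dupa.8
build_sha1 = 404e554d243c1a11d13c96b60129504a31b0abd
motd = ChuckNorriscountedtoinfinitytwentytwice
aws_access_key_id = AKIAJIS2NP37SW1AYBHA
aws_secret_access_key = 2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9
"""

if __name__ == "__main__":
    for label, s in (("hash", HASH), ("long string", LONG_STRING), ("AWS secret", AWS_SECRET)):
        print("%-12s H=%.2f  aws-secret? %s" % (label, shannon_entropy(s), looks_like_aws_secret(s)))
    print("candidates:", find_aws_secret_candidates(CONFIG_BLOB))
```

The entropy threshold does the heavy lifting only together with the length and alphabet checks: a 40-character Base64 string can reach at most log2(40) ≈ 5.32 bits per character, an English word run stays around 3.8, and anything hexadecimal can never exceed 4.0. What slips through is other random Base64 material of the same length (encoded binary, other vendors’ tokens), which is why the next section pairs the entropy test with file-type and keyword rules.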
Let’s hunt with DumpsterDiver!
DumpsterDiver – main features
• It’s open-source!
• It uses Shannon entropy to find secret keys
• It searches inside compressed archives (e.g. zip, tar.gz etc.)
• It searches through git repositories
• It supports advanced search using simple rules
https://github.com/securing/DumpsterDiver
• Triggers if it finds “aws_secret_access_key”
• Triggers if it finds 10 emails in a .db or .sql file
• Triggers if it finds any of the patterns: *pass*, *haslo*, *key*
Advanced search - allows for creating additional rules
• Scanning big volumes of data is time-consuming
• DumpsterDiver will quickly tell you if you have just got access to a treasure
Use case scenario 1: for pentesters/researchers
Use case scenario 2: create a quasi cloud data leak prevention system
Use case scenario 3: up to you! Feedback, suggestions, ideas and/or contributors ARE MORE THAN WELCOME!!!
• Set proper access control to your resources
• Encrypt files at rest
• Allow access only from VPN
• Enforce using MFA
• Create a process of verifying stored data (DumpsterDiver)
• Test your environment
Countermeasures
Extras: hunt the keys (legally)
https://www.securing.biz/krkanalytica
Thank you,
pawel.rzepa@securing.pl
@Rzepsky

More Related Content

What's hot

Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Rob Fuller
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
Andrew Morris
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with python
Jose Manuel Ortega Candel
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
Andrew McNicol
 
My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELK
Tripwire
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec Career
Andrew McNicol
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Chris Gates
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
Brandon Arvanaghi
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Michael Gough
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
Rob Ragan
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
Four years of breaking HTTPS with BGP hijacking
Four years of breaking HTTPS with BGP hijackingFour years of breaking HTTPS with BGP hijacking
Four years of breaking HTTPS with BGP hijacking
APNIC
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
Frans Rosén
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
Michael Gough
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
Michael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
Michael Gough
 
How a Hacker Sees Your Site
How a Hacker Sees Your SiteHow a Hacker Sees Your Site
How a Hacker Sees Your Site
Patrick Laverty
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
PROIDEA
 

What's hot (20)

Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
 
OSINT tools for security auditing with python
OSINT tools for security auditing with pythonOSINT tools for security auditing with python
OSINT tools for security auditing with python
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELK
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec Career
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Four years of breaking HTTPS with BGP hijacking
Four years of breaking HTTPS with BGP hijackingFour years of breaking HTTPS with BGP hijacking
Four years of breaking HTTPS with BGP hijacking
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
DNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
 
Logs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thiefLogs, Logs, Logs - What you need to know to catch a thief
Logs, Logs, Logs - What you need to know to catch a thief
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 
How a Hacker Sees Your Site
How a Hacker Sees Your SiteHow a Hacker Sees Your Site
How a Hacker Sees Your Site
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
 

Similar to CONFidence 2018: Hunting for the secrets in a cloud forest (Paweł Rzepa)

Scrapy
ScrapyScrapy
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
jasonhaddix
 
10 WordPress security measures you can implement today!
10 WordPress security measures you can implement today!10 WordPress security measures you can implement today!
10 WordPress security measures you can implement today!
Toru Miki
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystacks
snyff
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training -  Passive Information Gathering(OSINT)Practical White Hat Hacker Training -  Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
PRISMA CSI
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
Andrew Morris
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
lior mazor
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
Karthik Gaekwad
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
Andrew McNicol
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
Octavio Paguaga
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
Chris Gates
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
Mike Felch
 
Improving your team's source code searching capabilities - Voxxed Thessalonik...
Improving your team's source code searching capabilities - Voxxed Thessalonik...Improving your team's source code searching capabilities - Voxxed Thessalonik...
Improving your team's source code searching capabilities - Voxxed Thessalonik...
Nikos Katirtzis
 
Improving your team’s source code searching capabilities
Improving your team’s source code searching capabilitiesImproving your team’s source code searching capabilities
Improving your team’s source code searching capabilities
Nikos Katirtzis
 
From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
Jesse Ratcliffe, OSCP
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant Security
Brandon Arvanaghi
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
Michael Gough
 

Similar to CONFidence 2018: Hunting for the secrets in a cloud forest (Paweł Rzepa) (20)

Scrapy
ScrapyScrapy
Scrapy
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
 
10 WordPress security measures you can implement today!
10 WordPress security measures you can implement today!10 WordPress security measures you can implement today!
10 WordPress security measures you can implement today!
 
Finding Needles in Haystacks
Finding Needles in HaystacksFinding Needles in Haystacks
Finding Needles in Haystacks
 
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
Practical White Hat Hacker Training -  Passive Information Gathering(OSINT)Practical White Hat Hacker Training -  Passive Information Gathering(OSINT)
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
Bsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicatedBsidesnova- Pentesting Methodology - Making bits less complicated
Bsidesnova- Pentesting Methodology - Making bits less complicated
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
Improving your team's source code searching capabilities - Voxxed Thessalonik...
Improving your team's source code searching capabilities - Voxxed Thessalonik...Improving your team's source code searching capabilities - Voxxed Thessalonik...
Improving your team's source code searching capabilities - Voxxed Thessalonik...
 
Improving your team’s source code searching capabilities
Improving your team’s source code searching capabilitiesImproving your team’s source code searching capabilities
Improving your team’s source code searching capabilities
 
From OSINT to Phishing presentation
From OSINT to Phishing presentationFrom OSINT to Phishing presentation
From OSINT to Phishing presentation
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant Security
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
 

Recently uploaded

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
Vadym Kazulkin
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 

Recently uploaded (20)

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Choosing The Best AWS Service For Your Website + API.pptx

CONFidence 2018: Hunting for the secrets in a cloud forest (Paweł Rzepa)

  • 16-17. Some of them are quite interesting… Rzepsky
  • 18. What about Azure? • There are no groups like “Any authenticated Azure user” (thanks, Microsoft!) • You have to discover 2 variables instead of 1 (considering only full public read access): http://[storage account name].blob.core.windows.net/[container name]?restype=container&comp=list
  • 19. Presentation plan (next: Key leaks via compromised accounts)
  • 20. Leaks via compromised accounts • Overwrite a trusted file → the customer downloads Term_of_use.pdf • During my research I‘ve found 1365 buckets (6% of tested buckets) which allow writing (and overwriting) arbitrary files
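The checks behind slides 12-20, written out as an added example (this is not the talk's code nor BucketScanner): build the two S3 URL styles and the Azure container-listing URL quoted on the slides, classify an anonymous GET on the root, and test for the slide-20 condition (anonymous PUT accepted). The XML responses embedded below are constructed; bucket and account names are placeholders. Only point the network functions at storage you own or are authorised to test.

```python
"""Anonymous-access probe for S3 buckets and Azure blob containers.

Added example, not code from the talk or from BucketScanner. It only uses
the URL patterns quoted on the slides. Run the network functions solely
against storage you own or are authorised to test.
"""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def s3_urls(bucket, region="us-east-1"):
    """Both URL styles from the slides: virtual-hosted and path-style."""
    if not BUCKET_NAME.match(bucket):
        raise ValueError("not a valid S3 bucket name: %r" % bucket)
    return [
        "https://%s.s3.amazonaws.com/" % bucket,
        "https://s3.%s.amazonaws.com/%s/" % (region, bucket),
    ]


def azure_list_url(account, container):
    """Azure needs two names (storage account AND container) to list."""
    return ("https://%s.blob.core.windows.net/%s?restype=container&comp=list"
            % (account, container))


def parse_listing(body):
    """Object names from an S3 ListBucketResult or an Azure
    EnumerationResults document; None if the body is neither."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag == S3_NS + "ListBucketResult":
        return [el.text for el in root.iter(S3_NS + "Key")]
    if root.tag == "EnumerationResults":
        return [el.text for el in root.iter("Name")]
    return None


def classify(status, body):
    """Turn an anonymous GET on the bucket/container root into a finding."""
    names = parse_listing(body) if status == 200 else None
    if names is not None:
        return "public-read (%d object(s) listed)" % len(names)
    if status == 403:
        return "exists, anonymous listing denied"
    if status == 404:
        return "no such bucket/container"
    return "unclassified (HTTP %d)" % status


def fetch(url, method="GET", data=None, timeout=10):
    """Minimal HTTP helper: returns (status, body) even for 4xx/5xx."""
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def anonymous_write_allowed(bucket_url, marker="zz-canary-delete-me.txt"):
    """Slide-20 check: does the bucket accept an unauthenticated PUT?
    Uploads a harmless marker object; delete it afterwards."""
    status, _ = fetch(bucket_url + marker, method="PUT", data=b"canary")
    return status == 200


def probe(bucket, region="us-east-1"):
    """Live check of one bucket over both URL styles: {url: finding}."""
    return {url: classify(*fetch(url)) for url in s3_urls(bucket, region)}


# Constructed sample responses (what world-listable storage returns).
SAMPLE_S3_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <Contents><Key>backup-2018.sql</Key></Contents>
  <Contents><Key>app/web.config</Key></Contents>
</ListBucketResult>"""

SAMPLE_AZURE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ContainerName="https://acct.blob.core.windows.net/data">
  <Blobs><Blob><Name>users.db</Name></Blob></Blobs>
  <NextMarker />
</EnumerationResults>"""

if __name__ == "__main__":
    print(classify(200, SAMPLE_S3_LISTING))     # offline demo
    print(classify(200, SAMPLE_AZURE_LISTING))
```

A 403 on the root still tells you the bucket exists, which is what makes bucket-name guessing viable; on Azure a guessed account name alone gives nothing until the container name is known too, which is the "2 variables instead of 1" point on slide 18. Grep the listed keys for the slide-8 low-hanging fruit (*.db, *.sql, *.config, *backup*) before downloading anything.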
  • 21. Leaks via compromised accounts • Numerous ways of infecting an employee’s computer • Leaks via: local config files, tools etc.; ~/.aws/credentials • Enforcing MFA is a must! → https://bit.ly/2oYKBmf • Remember the principle of least privilege (e.g. Repokid may help you → https://bit.ly/2kUT3Bq)
  • 22. Presentation plan (next: Key leaks from web apps)
  • 23. Key leaks via web apps (diagram): 1. “I want to upload a file” → 2. “I’m an authenticated user, pls gimme keys” → API → 3. Upload a file directly to the bucket
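The slide-23 flow hands real access keys to the browser, so every authenticated user can walk away with them. The alternative a practitioner would reach for, shown here as an added example (not from the talk), is for the API to keep the keys server-side and return a presigned URL bound to one HTTP method, one object key and a short lifetime. The code is a from-scratch AWS Signature Version 4 query-string signer using only the standard library; bucket, object key and credentials in the demo are placeholders (the credentials are AWS's documented example values, not real keys).

```python
"""Short-lived, single-object S3 upload URL instead of handing out keys.

Added example, not from the talk. The API signs; the browser only ever sees
a URL that expires. Assumes: one bucket, regional S3 endpoint, host as the
only signed header (the standard presigned-URL shape).
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

DEMO_NOW = datetime(2018, 6, 4, 10, 0, 0, tzinfo=timezone.utc)  # fixed for the demo


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key, date, region, service="s3"):
    """AWS4 key derivation: 'AWS4'+secret -> date -> region -> service -> aws4_request."""
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        k = _hmac_sha256(k, part)
    return k


def _uri_encode(s):
    """RFC 3986 encoding as SigV4 requires (only unreserved chars untouched)."""
    return quote(s, safe="-_.~")


def presign_s3(bucket, key, access_key, secret_key, region="us-east-1",
               method="PUT", expires=300, now=None):
    """Presigned URL valid for `expires` seconds, for exactly one `method`
    on one object. `now` is injectable so results are reproducible."""
    if not 1 <= expires <= 604800:
        raise ValueError("X-Amz-Expires must be 1..604800 seconds")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = "%s.s3.%s.amazonaws.com" % (bucket, region)
    scope = "%s/%s/s3/aws4_request" % (date, region)
    params = sorted({
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": "%s/%s" % (access_key, scope),
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }.items())
    canonical_query = "&".join("%s=%s" % (_uri_encode(k), _uri_encode(v))
                               for k, v in params)
    canonical_uri = "/" + quote(key, safe="/-_.~")
    canonical_request = "\n".join([
        method, canonical_uri, canonical_query,
        "host:%s\n" % host,        # canonical headers block (ends with newline)
        "host",                    # signed headers
        "UNSIGNED-PAYLOAD",        # presigned URLs do not bind the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return "https://%s%s?%s&X-Amz-Signature=%s" % (
        host, canonical_uri, canonical_query, signature)


def query_param(url, name):
    """Small helper for inspecting a presigned URL's query string."""
    for pair in url.split("?", 1)[1].split("&"):
        k, _, v = pair.partition("=")
        if k == name:
            return v
    return None


if __name__ == "__main__":
    # Placeholder credentials from AWS documentation, not real keys.
    url = presign_s3("uploads-bucket", "user-42/avatar.png",
                     "AKIAIOSFODNN7EXAMPLE",
                     "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                     expires=120, now=DEMO_NOW)
    print(url)   # the API returns this; the client does PUT <url> with the file body
```

Two caveats. The URL carries the signer's permissions for its lifetime, so sign with a credential that has only s3:PutObject on the upload prefix, never an admin key. And a presigned URL expires but is not revocable, so keep `expires` at minutes, not the seven-day maximum.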
  • 24. Key leaks via metadata Rzepsky
  • 25. Old vulns gain new life • Some vulns can be much more dangerous in the cloud: • CWE-200: Information Exposure • CWE-441: Unintended Proxy or Intermediary • CWE-611: XXE • CWE-918: SSRF • …because any of them may reveal your metadata!
  • 27. What is “meta-data”? • Data about your instance • Accessible only from within the instance itself, via: http://169.254.169.254/latest/meta-data/
  • 28. How to catch such leaks? • Usually, automated tools fail to detect such leaks • But penetration tests are the remedy
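The defensive side of slides 25-28, as an added example (not from the talk): a guard for any server-side fetch of a user-supplied URL (the SSRF / unintended-proxy case) that refuses targets resolving to the metadata service or any other non-public address. It covers the literal 169.254.169.254, the AWS IPv6 endpoint fd00:ec2::254, the decimal spelling of the same address, IPv4-mapped IPv6, the GCP hostname alias, and a DNS name that resolves to an internal address. The resolver is injectable so the logic runs offline; the demo DNS table is constructed. One caveat the slides predate: on AWS, requiring IMDSv2 (session token obtained with a PUT) defeats the plain-GET SSRF shown here, but the guard is still needed for everything else reachable from the instance.

```python
"""Outbound-fetch guard against metadata-service SSRF.

Added example, not from the talk. `resolve` is injectable for testing; the
hostnames and addresses below are the well-known metadata endpoints
(AWS/Azure/GCP IMDS, AWS IMDS over IPv6, ECS task credentials).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

METADATA_HOSTS = {
    "169.254.169.254", "fd00:ec2::254", "169.254.170.2",
    "metadata.google.internal", "metadata",
}


def _default_resolve(host):
    """All addresses a hostname resolves to (A and AAAA)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def _to_ip(host):
    """Parse literal IPv4/IPv6 and the decimal form (2852039166)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            pass
    return None


def _is_public(addr):
    """Reject loopback, link-local (169.254/16, i.e. IMDS), private,
    reserved and multicast ranges; unwrap IPv4-mapped IPv6 first."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def is_safe_fetch_target(url, resolve=_default_resolve):
    """True only if every address the URL's host maps to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host in METADATA_HOSTS:
        return False
    literal = _to_ip(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False
    return bool(addrs) and all(_is_public(a) for a in addrs)


# Constructed DNS table for the offline demo (stands in for real resolution).
_DEMO_DNS = {
    "files.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],   # public + internal
    "meta.corp.example": ["169.254.169.254"],              # CNAME to IMDS
}


def DEMO_RESOLVE(host):
    return _DEMO_DNS.get(host, [])


def demo():
    """Verdicts for a handful of attacker-style URLs."""
    urls = [
        "http://169.254.169.254/latest/meta-data/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "http://2852039166/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "http://meta.corp.example/latest/meta-data/",
        "http://rebind.example.com/",
        "https://files.example.com/report.pdf",
    ]
    return {u: is_safe_fetch_target(u, DEMO_RESOLVE) for u in urls}


if __name__ == "__main__":
    for url, ok in demo().items():
        print("ALLOW" if ok else "BLOCK", url)
```

Resolution happens once here and again inside the HTTP client, so a rebinding name can pass the check and then resolve to 169.254.169.254 at connect time; connect to the address you validated and send the original name in the Host header. Also disable redirects in the client, or re-run the check on each redirect target.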
  • 29. Presentation plan (next: Key leaks over 3rd parties)
  • 30. Key leaks over 3rd parties: GitHub, Pastebin, forums etc.
  • 31. Key leaks over 3rd parties
  • 32. You don’t have to use GitHub to see your keys there… Story details: https://www.olindata.com/en/blog/2017/04/spending-100k-usd-45-days-amazon-web-services
  • 33. Catch git leaks! • Before releasing any repo, just scan it: • TruffleHog (https://github.com/dxa4481/truffleHog) • git-secrets (https://github.com/awslabs/git-secrets) • Add it to the continuous integration process
  • 34. What about creating my own scanner, which can catch a leak in any kind of file?
  • 35. Presentation plan (next: How entropy can help?)
  • 36. Manual search is ineffective - PoC: Define your target → Specify the target’s characteristics → Locate the target. Find a Pepsi on the next slide…
  • 37. Find the Pepsi bottle!
  • 38. Specify the keys’ characteristics • They have a fixed length • All chars come from the Base64 charset • They are random = they have high entropy • AWS_SECRET_ACCESS_KEY = 2r9pAuQxUFAqtrWhEy4G4WiVx5iJ74Hja5AWgHq9 • Shared_Key = M3mmbjOlIZr11OZoULqUWyFA1EpOdZAEcmaC64E/Ft9MRfDEYE7qDJm+9ezGQY15==
  • 39. Entropy = disorder (HIGH ENTROPY vs LOW ENTROPY) Source: http://awesomenator.com/fun/rearranging-the-world-chaos-vs-order/
  • 40. Entropy: how to count it? • One symbol only, P(a) = 1 → low entropy • P(a) = 0.75, P(b) = 0.25 → medium entropy • P(a) = 0.5, P(b) = 0.5 → high entropy (a and b stand for the two symbols pictured on the slide)
  • 41. Entropy: how to count it? (Claude Shannon) Source: https://en.wikipedia.org/wiki/Claude_Shannon#/media/File:ClaudeShannon_MFO3807.jpg
  • 42. Shannon entropy in practice • The hash 404e554d243c1a11d13c96b60129504a31b0abd has entropy 3.57 • The long string “ChuckNorriscountedtoinfinitytwentytwice” has entropy 3.81 • “Where_are_my_keys?!¯\_(ツ)_/¯” contains characters outside the Base64 charset, so it is never a candidate at all • The AWS secret key 2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9 has entropy 4.67 • Interesting fact: an AWS secret key always has entropy > 4.3
  • 43. Presentation plan (next: Let’s hunt with DumpsterDiver!)
  • 44. Let’s hunt with DumpsterDiver!
  • 45. DumpsterDiver – main features • It’s open-source! • It uses Shannon entropy to find private keys • It searches inside compressed archives (e.g. zip, tar.gz etc.) • It searches through git repositories • It supports advanced search using simple rules
  • 47. Advanced search allows for creating additional rules, e.g.: • trigger if it finds “aws_secret_access_key” • trigger if it finds 10 emails in a .db or .sql file • trigger if it finds any of the patterns: *pass*, *haslo*, *key*
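Slides 38-42 and 47 together describe a scanner: pull out Base64-charset tokens of key length, score them with Shannon entropy against the 4.3 threshold, and add keyword rules on top. The block below is an added example of exactly that (a reimplementation, not the DumpsterDiver, TruffleHog or git-secrets code), plus a `--staged` mode over `git diff --cached` so it can serve as the pre-commit / CI hook slide 33 asks for. The sample config is constructed: the secret is the demo value from the slides, the key ID is AWS's documented placeholder, and the hash and Chuck Norris strings are the slide-42 examples, so the test shows the entropy filter keeping them out.

```python
"""Entropy + rule based secret scanner (DumpsterDiver-style, reimplemented).

Added example, not the code of DumpsterDiver, TruffleHog or git-secrets.
Assumptions: a secret is a run of Base64-charset characters of at least
`min_len` chars whose Shannon entropy is >= 4.3 bits/char (slide 42);
keyword and e-mail rules mirror the slide-47 examples.
"""
import math
import re
import subprocess
import sys
from collections import Counter

ENTROPY_THRESHOLD = 4.3                                  # slide 42
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")   # '=' padding only at the end
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
KEYWORDS = re.compile(r"aws_secret_access_key|pass|haslo|key", re.I)  # slide-47 patterns
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def shannon_entropy(s):
    """H = -sum p(c) * log2 p(c) over the characters of s, in bits/char."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, threshold=ENTROPY_THRESHOLD, min_len=20, email_limit=10):
    """Return (line_no, rule, match) findings for one document."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((no, "aws-access-key-id", m.group(0)))
        for m in BASE64_TOKEN.finditer(line):
            tok = m.group(0)
            if len(tok) >= min_len and shannon_entropy(tok) >= threshold:
                findings.append((no, "high-entropy", tok))
        m = KEYWORDS.search(line)
        if m:
            findings.append((no, "keyword", m.group(0)))
    emails = EMAIL.findall(text)
    if len(emails) >= email_limit:          # the "10 e-mails in a dump" rule
        findings.append((0, "email-dump", "%d addresses" % len(emails)))
    return findings


def scan_staged():
    """Pre-commit mode: scan only the lines being added in the git index."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added)


# Constructed sample (not real credentials); values are the slides' examples.
SAMPLE_CONFIG = """# constructed sample config
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9
db_password = "Dupa.8"
release_sha = 404e554d243c1a11d13c96b60129504a31b0abd
motto = ChuckNorriscountedtoinfinitytwentytwice
"""

if __name__ == "__main__":
    staged = "--staged" in sys.argv
    hits = scan_staged() if staged else scan_text(SAMPLE_CONFIG)
    for no, rule, match in hits:
        print("line %d: %s: %s" % (no, rule, match))
    sys.exit(1 if (staged and hits) else 0)   # non-zero blocks the commit
```

Install it as `.git/hooks/pre-commit` running `python3 scanner.py --staged`. The entropy rule is the precise one here: the hex hash (max 4.0 bits/char for a 16-symbol alphabet) and the long English string both fall under 4.3 while the AWS secret scores 4.67. The keyword rule is deliberately noisy (every `aws_access_key_id` line trips it), which is why it is reported separately so you can tune or drop patterns per repository.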
  • 48. Use case scenario 1: for pentesters/researchers • Scanning big volumes of data is time-consuming :( • DumpsterDiver will quickly tell you if you just got access to a treasure :)
  • 49. Use case scenario 2: create a quasi cloud data leak prevention system
  • 50. Use case scenario 3: up to you! Feedback, suggestions, ideas and/or contributors are more than welcome!
  • 51. Presentation plan (next: Countermeasures)
  • 52. Countermeasures • Set proper access control on your resources • Encrypt files at rest • Allow access only from a VPN • Enforce MFA • Create a process for verifying stored data (DumpsterDiver) • Test your environment
  • 53. Extras: hunt the keys (legally) https://www.securing.biz/krkanalytica