Hunting for the secrets in a cloud forest
Pawel Rzepa (pawel.rzepa@securing.pl)
cloud.developerdays.pl@DeveloperDaysPL
#whoami
• Senior Security Consultant in SecuRing
• Pentesting
• Consultancy in cloud security
• Working ~6 yrs in cybersecurity
• Blog: https://medium.com/@rzepsky
• GitHub: https://github.com/xep624/
• Twitter: @Rzepsky
TL;DR
The goal of this presentation is to show how access keys may leak from your company regardless of which service provider you use (AWS, Azure, GCP etc.) and to discuss reliable countermeasures.
@Rzepsky
Presentation plan
• Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
Passwords vs Keys
Login = admin
Password = Dupa.8
VS
Access key ID = AKIAJIS2NP37SW1AYBHA
Secret access key = nTRcofv3N9ls6MqFhsR8lxQp+aNfoDv+2lXzv9nT
Passwords vs Keys
Source: https://www.blackhat.com/docs/us-16/materials/us-16-Simon-Access-Keys-Will-Kill-You-Before-You-Kill-The-Password.pdf
Wrong access control
Sometimes all you have to do is… just asking!
Define a target
• Low hanging fruits:
• *.db
• *.sql
• *.config
• *backup*
Demo time!
https://github.com/securing/BucketScanner/
Let’s find open buckets
https://[bucketname].s3.amazonaws.com
https://[aws_endpoint].amazonaws.com/[bucket_name]/
For example: https://chicagodb.s3.amazonaws.com/
Source: https://www.upguard.com/breaches/cloud-leak-chicago-voters
Querying 3rd parties
• Querying Google, Yahoo, VirusTotal, Certificate Transparency Logs etc. (e.g. Sublist3r, amass, bucket-stream)
Wayback Machine
• Querying a domain in archive.org
Results
• Found 24652 buckets
• 5241 (21%) of them have public READ access
• And amongst them...
Some of them are quite interesting…
What about Azure?
• There are no groups like “Any authenticated Azure user” (thanks Microsoft!)
• You have to discover 2 variables instead of 1 (consider only Full public read access):
http://[storage account name].blob.core.windows.net/[container name]?restype=container&comp=list
Leaks via compromised accounts
During my research I’ve found 1365 buckets (6% of tested buckets) which allow for writing (and overwriting) an arbitrary file
Overwrite trusted file
Customer downloads Term_of_use.pdf
Leaks via compromised accounts
• Numerous ways of infecting employee’s computer
• Leaks via:
• Local config files, tools etc.
• ~/.aws/credentials
---------------------------------------------------------------------------------------------
• Enforcing MFA is a must!!!
• Remember the principle of least privilege (e.g. Repokid may help you)
Key leaks via web apps
1. I want to upload a file
2. I’m authenticated user, pls gimme keys (to the API)
3. Upload a file directly to the bucket
Key leaks via metadata
Old vulns gain new life
• Some vulns can be much more dangerous in the cloud:
▪ CWE-200: Information Exposure
▪ CWE-441: Unintended Proxy or Intermediary
▪ CWE-611: XXE
▪ CWE-918: SSRF
• …because any of them may reveal your metadata!!!
SSRF in practice
Source: https://www.netsparker.com/statics/img/blogposts/exploiting_ssrf_vulnerability.png
SSRF = the web server works like a proxy
What is the “meta-data”?
• Data about your instance
• Accessible only from within the instance itself via link:
http://169.254.169.254/latest/meta-data/
Demo time!
How to catch such leaks?
• Usually, automated tools fail in detecting such leaks
• But penetration tests are the remedy
Key leaks over 3rd parties
GitHub
Pastebin
Forums
etc…
You don’t have to use GitHub to see your keys there…
Story details: https://www.olindata.com/en/blog/2017/04/spending-100k-usd-45-days-amazon-web-services
Catch git leaks!
• Before releasing any repo – just scan it:
• TruffleHog
• git-secrets
• Add it to continuous integration process
What about creating my own scanner, which can catch a leak in any kind of file?
Manual search is ineffective - PoC
Define your target
Specify target’s characteristics
Locate the target
Find a Pepsi on the next slide…
Find the Pepsi bottle!
Specify keys characteristics
• They have fixed length
• All chars from Base64 charset
• They are random = they have high entropy
AWS_SECRET_ACCESS_KEY = 2r9pAuQxUFAqtrWhEy4G4WiVx5iJ74Hja5AWgHq9
Shared_Key = M3mmbjOlIZr11OZoULqUWyFA1EpOdZAEcmaC64E/Ft9MRfDEYE7qDJm+9ezGQY15==
The entropy
Source: http://awesomenator.com/fun/rearranging-the-world-chaos-vs-order/
HIGH ENTROPY (= disorder) vs LOW ENTROPY
Entropy: how to count it?
P(●) = 1: low entropy
P(●) = 0.75, P(○) = 0.25: medium entropy
P(●) = 0.5, P(○) = 0.5: high entropy
Entropy: how to count it?
Source: https://en.wikipedia.org/wiki/Claude_Shannon#/media/File:ClaudeShannon_MFO3807.jpg
Shannon entropy in practice
• Hash 404e554d243c1a11d13c96b60129504a31b0abd has 3.57 entropy
• Long string “ChuckNorriscountedtoinfinitytwentytwice” has 3.81 entropy
• “Where_are_my_keys?!¯_(ツ)_/¯” contains characters out of Base64
• AWS secret key 2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9 has 4.67 entropy
Interesting fact: an AWS secret key always has entropy > 4.3
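As an added example (my own code, not from the slides and not DumpsterDiver's implementation), the three key characteristics from the previous slides turned into a check: Shannon entropy H = -Σ p_i·log2(p_i) over the characters of a token, the Base64 charset test, and the 40-character length with the 4.3 entropy floor the slides give for AWS secret keys. The config fragment at the end is constructed from the sample strings printed on the slides.

```python
import math
import re

# Standard Base64 alphabet (optionally '=' padded); "_", "?", "!" etc. fall outside it.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# AWS secret access key figures from the slides: 40 characters, entropy always > 4.3.
AWS_SECRET_LEN = 40
AWS_SECRET_MIN_ENTROPY = 4.3


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character: H = -sum(p_i * log2(p_i))."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_base64_charset(s: str) -> bool:
    return bool(BASE64_RE.match(s))


def looks_like_aws_secret(token: str) -> bool:
    """All three slide characteristics must hold: length, charset and entropy."""
    return (len(token) == AWS_SECRET_LEN
            and is_base64_charset(token)
            and shannon_entropy(token) > AWS_SECRET_MIN_ENTROPY)


def find_candidates(text: str) -> list:
    """Split text on anything outside the Base64 alphabet and keep key-like tokens."""
    return [t for t in re.split(r"[^A-Za-z0-9+/=]+", text) if looks_like_aws_secret(t)]


# Constructed config fragment built from the sample strings shown on the slides.
SAMPLE = """
aws_access_key_id = AKIAJIS2NP37SW1AYBHA
aws_secret_access_key = 2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9
git_commit = 404e554d243c1a11d13c96b60129504a31b0abd
note = ChuckNorriscountedtoinfinitytwentytwice
"""

if __name__ == "__main__":
    for token in ("404e554d243c1a11d13c96b60129504a31b0abd",
                  "ChuckNorriscountedtoinfinitytwentytwice",
                  "2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9"):
        print(f"{token}: entropy {shannon_entropy(token):.2f}")
    print("candidates:", find_candidates(SAMPLE))
```

The hash and the long string score below the 4.3 floor and are the wrong length, so only the secret key line is reported; a hex string with the same entropy would still need the charset and length tests to separate it from a Base64 key.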
Let’s hunt with DumpsterDiver!
DumpsterDiver – main features
• It’s open-source!
• It uses Shannon Entropy to find private keys
• It searches inside compressed archives (e.g. zip, tar.gz etc.)
• It supports advanced search using simple rules
Demo time!
https://github.com/securing/DumpsterDiver
Advanced search - allows for creating additional rules
• Triggers if it finds “aws_secret_access_key”
• Triggers if it finds 10 emails in a .db or .sql file
• Triggers if it finds any of the patterns: *pass*, *haslo*, *key*
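An added example of the three rules above as a small rule engine (my own code; the rule format here is an assumption for the example, not DumpsterDiver's own rules file): each rule names the file-name globs it applies to, a regex to count in the content, and how many matches trigger it. The *pass*/*haslo*/*key* patterns are treated as case-insensitive content keywords, and the sample files are constructed.

```python
import fnmatch
import os
import re

# Simplified rule format (an assumption for this example, not DumpsterDiver's own):
# file-name globs, a regex counted in the content, and a match threshold.
RULES = [
    {"name": "aws secret key name", "files": ["*"],
     "pattern": r"aws_secret_access_key", "min_matches": 1},
    {"name": "10 emails in a DB dump", "files": ["*.db", "*.sql"],
     "pattern": r"[\w.+-]+@[\w-]+\.[\w.-]+", "min_matches": 10},
    {"name": "password/key keyword", "files": ["*"],
     "pattern": r"pass|haslo|key", "min_matches": 1},
]


def matching_rules(filename: str, content: str) -> list:
    """Return the names of the rules that trigger for this file name and content."""
    hits = []
    base = os.path.basename(filename)
    for rule in RULES:
        # A rule only applies to files whose name matches one of its globs.
        if not any(fnmatch.fnmatch(base, pat) for pat in rule["files"]):
            continue
        count = len(re.findall(rule["pattern"], content, flags=re.IGNORECASE))
        if count >= rule["min_matches"]:
            hits.append(rule["name"])
    return hits


# Constructed sample files (not real data); the SQL dump holds 12 addresses.
SAMPLE_FILES = {
    "settings.py": "AWS_SECRET_ACCESS_KEY = 'redacted'\nDEBUG = True\n",
    "users.sql": "".join(f"INSERT INTO users VALUES ('user{i}@example.com');\n"
                         for i in range(12)),
    "notes.txt": "haslo: ********\n",
    "README.md": "Nothing sensitive here.\n",
}

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        print(f"{name}: {matching_rules(name, content) or 'clean'}")
```

Note that the keyword rule also fires on settings.py because "key" appears inside AWS_SECRET_ACCESS_KEY; broad patterns like *key* are why such rules need a manual review step.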
Use case scenario 1: audit your storage
• Handle the mess!
• Regularly scan the content of your storage
Use case scenario 2: create a quasi cloud data leak prevention system
Countermeasures
• Set proper access control to your resources
• Encrypt files at rest
• Allow access only from VPN
• Enforce using MFA
• Test your environment
• Create a process of verifying stored data (DumpsterDiver)
Extras: hunt the keys (legally)
https://www.securing.biz/krkanalytica
pawel.rzepa@securing.pl
@Rzepsky
Thank you!