This presentation discusses how access keys can leak from cloud services like AWS, Azure, and GCP. It outlines several ways keys may leak, such as from unsecured storage containers, compromised accounts, and web applications. The presentation then demonstrates a tool called DumpsterDiver that uses entropy analysis to hunt for private keys within files. Countermeasures discussed include access control, encryption, VPN access only, multi-factor authentication, regular data verification, and penetration testing. The goal is to show how keys can leak and discuss reliable prevention strategies.

1. Hunting for the secrets in
a cloud forest
Paweł Rzepa
CONFidence, 4th June 2018

2. • Senior Security Consultant in SecuRing
• Pentesting
• Consultancy in cloud security
• Blog: https://medium.com/@rzepsky
• GitHub: https://github.com/xep624/
• Twitter: @Rzepsky
#whoami

3. The goal of this presentation is to show how
access keys may leak from your company
regardless service provider you use (AWS, Azure,
GCP etc.) and to discuss reliable
countermeasures.
TL;DR
Rzepsky

4. • Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
Presentation plan
Rzepsky

5. Passwords vs Keys
Access key ID =
AKIAJIS2NP37SW1AYBH
A
Secret access key =
nTRcofv3N9ls6MqFhsR8lx
Qp+aNfoDv+2lXzv9nT
Login = admin
Password = Dupa.8
VS
Rzepsky

6. Passwords vs Keys
Source: https://www.blackhat.com/docs/us-16/materials/us-16-Simon-Access-Keys-Will-Kill-You-Before-You-Kill-The-Password.pdf
Rzepsky

7. • Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
Presentation plan
Rzepsky

8. Wrong access control
Sometimes all you
have to do is…
just asking!
Rzepsky

9. Low hanging fruits:
*.db
*.sql
*.config
*backup*
Define a target
Rzepsky

10. https:/github.com/securing/BucketScanner/

11. https://[bucketname].s3.amazonaws.com
https://[aws_endpoint].amazonaws.com/[bucket_name]/
For example: https://chicagodb.s3.amazonaws.com/
Source: https://www.upguard.com/breaches/cloud-leak-chicago-voters
Let’s find open buckets
Rzepsky

12. Querying Google, Yahoo, VirusTotal, Certificate
Transparency Logs etc. (e.g. Sublist3r, amass, bucket-stream)
Querying 3rd parties
Rzepsky

13. Querying a domain in archive.org
Wayback Machine
Rzepsky

14. • Found 24652 buckets
• 5241 (21%) of them has public READ access
• And amongst them...
Results
Rzepsky

15. Rzepsky

16. Some of them are quite interesting…
Rzepsky

17. Some of them are quite interesting…
Rzepsky

18. • There is no groups like “Any authenticated Azure user” (thanks Microsoft!)
• You have to discover 2 variables instead of 1 (consider only Full public read access):
http://[storage account name].blob.core.windows.net/[container
name]?restype=container&comp=list
What about Azure?
Rzepsky

19. • Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
Presentation plan
Rzepsky

20. Leaks via
compromised
accounts
Overwrite
trusted file
Customer downloads
Term_of_use.pdf
During my research I‘ve
found 1365 (6% of tested
buckets) buckets which
allow for writing (and
overwriting) arbitrary file
Rzepsky

21. • Numerous ways of infecting employee’s computer
• Leaks via:
• Local config files, tools etc.
• ~/.aws/credentials
---------------------------------------------------------------------------------------------
• Enforcing MFA is a must!!! à https://bit.ly/2oYKBmf
• Remember about the principle of least privilege (e.g. Repokid
may help you à https://bit.ly/2kUT3Bq)
Leaks via compromised accounts
Rzepsky

22. • Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
Presentation plan
Rzepsky

23. Key leaks via web apps
2. I’m authenticated
user, pls gimme keys
API
3. Upload a file directly
to the bucket
1. I want to
upload a file
Rzepsky

24. Key leaks via metadata
Rzepsky

25. Some vulns can be much more dangerous in cloud:
§ CWE-200: Information Exposure
§ CWE-441: Unintended Proxy or Intermediary
§ CWE-611: XXE
§ CWE-918: SSRF
…because any of them may reveal your metadata!!!
Old vulns gain new life
Rzepsky

26. Unintended proxy example

27. • Data about your instance:
• Accessible only from within the instance
itself via link:
http://169.254.169.254/latest/meta-
data/
What is “meta-data”
Rzepsky

28. • Usually, automated tools fail in detecting such leaks
• But penetration tests are remedium
How to catch such leaks?
Rzepsky

29. • Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
Presentation plan
Rzepsky

30. Key leaks over 3rd parties
GitHub
Pastebin
Forums
etc…
Rzepsky

31. Key leaks over 3rd parties
Rzepsky

32. You don’t have
to use GitHub to
see your keys
there…
Story details: https://www.olindata.com/en/blog/2017/04/spending-100k-usd-45-days-amazon-
web-services
Rzepsky

33. • Before releasing any repo – just scan it:
• TruffleHog (https://github.com/dxa4481/truffleHog)
• git-secrets (https://github.com/awslabs/git-secrets)
• Add it to continuous integration process
Catch git leaks!
Rzepsky

34. What about
creating my own
scanner, which
can catch a leak
in any kind of
file?
Rzepsky

35. • Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
Presentation plan
Rzepsky

36. Manual search is ineffective - PoC
Define your
target
Specify target’s
characteristics
Locate the
target
Find a Pepsi
on a next slide…
Rzepsky

37. Find the Pepsi bottle!
Rzepsky

38. • They have fixed length
• All chars from Base64 charset
• They are random = they have high entropy
AWS_SECRET_ACCESS_KEY =
2r9pAuQxUFAqtrWhEy4G4WiVx5iJ74Hja5AWgHq9
Shared_Key =
M3mmbjOlIZr11OZoULqUWyFA1EpOdZAEcmaC64E/Ft9
MRfDEYE7qDJm+9ezGQY15==
Specify keys characteristics
Rzepsky

39. The entropy = disorder
HIGH ENTROPY LOW ENTROPY
Source: http://awesomenator.com/fun/rearranging-the-world-chaos-vs-order/
Rzepsky

40. Entropy: how to count it?
P( ) = 1
low
entropy
P( ) = 0,75
P( ) = 0,25
medium
entropy
P( ) = 0,5
P( ) = 0,5
high
entropy
Rzepsky

41. Entropy: how to count it?
Source: https://en.wikipedia.org/wiki/Claude_Shannon#/media/File:ClaudeShannon_MFO3807.jpg
Rzepsky

42. Shannon entropy in practice
• Hash
404e554d243c1a11d13c96b60129504a31b0abd has 3.57 entropy
• Long string
“ ChuckNorriscountedtoinfinitytwentytwice” has 3.81 entropy
“Where_are_my_keys?!¯_(ツ)_/¯” contains characters out of Base64
• AWS secret key
2r9pAuQxUFAstrWhEy4G4WiVx5iJ74Hja5AWgHq9 has 4.67 entropy
Interesting fact: AWS secret key has always entropy > 4.3
Rzepsky

43. • Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
Presentation plan
Rzepsky

44. Let’s hunt with DumpsterDiver!
Rzepsky

45. DumpsterDiver – main features
• It’s open-source!
• It uses Shannon Entropy to find
private keys
• It searches inside compressed
archives (e.g. zip, tar.gz etc.)
• It searches through the git
repositories
• It supports advanced search using
simple rules
Rzepsky

46. https://github.com/securing/DumpsterDiver

47. • Triggers if it finds
“aws_secret_access_key”
• Triggers if it finds 10 emails in
.db or .sql file
• Triggers if it finds any of the
pattern: *pass*, *haslo*, *key*
Advanced search - allows for
creating additional rules
Rzepsky

48. • Scanning big volumes of data is time consuming L
• DumpsterDiver will quickly tell you if you just got an
access to a treasure J
Use case scenario 1: for pentesters/researchers
Rzepsky

49. Use case scenario 2:
create quasi cloud
data leak prevention
system
Rzepsky

50. Use case scenario 3: up to you! Feedback,
suggestions, ideas
and/or
contributors ARE
MORE THAN
WELCOME!!!
Rzepsky

51. • Passwords vs keys
• Key leaks from storage containers
• Key leaks via compromised accounts
• Key leaks from web apps
• Key leaks over 3rd parties
• How entropy can help?
• Let’s hunt with DumpsterDiver!
• Countermeasures
Presentation plan
Rzepsky

52. • Set proper access control to your resources
• Encrypt files at rest
• Allow access only from VPN
• Enforce using MFA
• Create a process of verifying stored data (DumpsterDiver)
• Test your environment
Countermeasures
Rzepsky

53. Extras: hunt the keys (legally)
https://www.securing.biz/krkanalytica
Rzepsky

54. Thank you,
pawel.rzepa@securing.pl
@Rzepsky